From bd9f23facf43df40a481aa07732600d7512a86dc Mon Sep 17 00:00:00 2001
From: Jesse Luehrs
Date: Sun, 5 Nov 2017 21:56:01 -0500
Subject: nginx config
---
modules/nginx/files/mime.types.paste | 57 ++++++++++++++++++++++++++++++++++++
modules/nginx/files/nginx.conf | 16 ++++++++++
modules/nginx/files/ssl | 11 +++++++
modules/nginx/manifests/config.pp | 19 ++++++++++++
modules/nginx/manifests/init.pp | 7 +++++
modules/nginx/manifests/install.pp | 5 ++++
modules/nginx/manifests/service.pp | 5 ++++
modules/nginx/manifests/site.pp | 15 ++++++++++
8 files changed, 135 insertions(+)
create mode 100644 modules/nginx/files/mime.types.paste
create mode 100644 modules/nginx/files/nginx.conf
create mode 100644 modules/nginx/files/ssl
create mode 100644 modules/nginx/manifests/config.pp
create mode 100644 modules/nginx/manifests/install.pp
create mode 100644 modules/nginx/manifests/service.pp
create mode 100644 modules/nginx/manifests/site.pp
(limited to 'modules/nginx')
diff --git a/modules/nginx/files/mime.types.paste b/modules/nginx/files/mime.types.paste
new file mode 100644
index 0000000..a32e153
--- /dev/null
+++ b/modules/nginx/files/mime.types.paste
@@ -0,0 +1,57 @@
+types {
+ image/gif gif;
+ image/jpeg jpeg jpg;
+
+ image/png png;
+ image/tiff tif tiff;
+ image/x-icon ico;
+ image/x-jng jng;
+ image/x-ms-bmp bmp;
+
+ application/java-archive jar war ear;
+ application/mac-binhex40 hqx;
+ application/msword doc;
+ application/pdf pdf;
+ application/postscript ps eps ai;
+ application/rtf rtf;
+ application/vnd.ms-excel xls;
+ application/vnd.ms-powerpoint ppt;
+ application/vnd.wap.wmlc wmlc;
+ application/x-cocoa cco;
+ application/x-java-archive-diff jardiff;
+ application/x-java-jnlp-file jnlp;
+ application/x-makeself run;
+ application/x-pilot prc pdb;
+ application/x-rar-compressed rar;
+ application/x-redhat-package-manager rpm;
+ application/x-sea sea;
+ application/x-shockwave-flash swf;
+ application/x-stuffit sit;
+ application/x-xpinstall xpi;
+ application/zip zip;
+
+ application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
+ application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
+ application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
+
+ application/octet-stream bin exe dll;
+ application/octet-stream deb;
+ application/octet-stream dmg;
+ application/octet-stream eot;
+ application/octet-stream iso img;
+ application/octet-stream msi msp msm;
+
+ audio/midi mid midi kar;
+ audio/mpeg mp3;
+ audio/x-realaudio ra;
+
+ video/3gpp 3gpp 3gp;
+ video/mpeg mpeg mpg;
+ video/quicktime mov;
+ video/x-flv flv;
+ video/x-mng mng;
+ video/x-ms-asf asx asf;
+ video/x-ms-wmv wmv;
+ video/x-msvideo avi;
+}
+# vim:ft=nginx
diff --git a/modules/nginx/files/nginx.conf b/modules/nginx/files/nginx.conf
new file mode 100644
index 0000000..895330e
--- /dev/null
+++ b/modules/nginx/files/nginx.conf
@@ -0,0 +1,16 @@
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ sendfile on;
+ gzip on;
+ keepalive_timeout 65;
+
+ include /etc/nginx/sites-enabled/*;
+}
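Review bot: The map still hands `swf`, `jar`, `xpi` and `jnlp` to browsers and plugins as active content (`application/x-shockwave-flash`, `application/java-archive`, `application/x-xpinstall`, `application/x-java-jnlp-file`), which matters if, as the file name suggests, this map is meant to govern how user-supplied pastes are served. Leaving out `text/html`, `text/javascript` and `image/svg+xml` looks deliberate and is the right direction, so those four entries deserve the same treatment: drop them and let `default_type application/octet-stream` apply, and pair the map with `add_header X-Content-Type-Options nosniff;` wherever it is included so the remaining types are not re-sniffed. Nothing in this commit includes the file, so that wiring presumably lives in a site definition elsewhere; a one-line header comment such as `# Deliberately omits text/html, scripts and svg: pastes must never be rendered as active content` would record the intent.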
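Review bot: With no catch-all `server` block in this file, a request whose Host header matches none of the sites in `sites-enabled` is answered by whichever site nginx loads first from the glob (alphabetical order), so stray hostnames and IP-address scans land on a real site instead of being dropped. Add a default block, e.g. `server { listen 80 default_server; return 444; }`, plus a 443 counterpart once a certificate is available (the `ssl` snippet this commit adds can be reused there). While here, `server_tokens off;` in the `http` block keeps the nginx version out of the Server header and error pages. `gzip on` is fine for static content, but it is worth a comment that compressed TLS responses carrying per-user secrets are exposed to BREACH-style attacks and should be excluded from compression.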
diff --git a/modules/nginx/files/ssl b/modules/nginx/files/ssl
new file mode 100644
index 0000000..f6a7f77
--- /dev/null
+++ b/modules/nginx/files/ssl
@@ -0,0 +1,11 @@
+ssl on;
+ssl_certificate /etc/letsencrypt/live/tozt.net/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/tozt.net/privkey.pem;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+ssl_dhparam /etc/nginx/dhparam.pem;
+ssl_prefer_server_ciphers on;
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# vim:ft=nginx
diff --git a/modules/nginx/manifests/config.pp b/modules/nginx/manifests/config.pp
new file mode 100644
index 0000000..42b5f99
--- /dev/null
+++ b/modules/nginx/manifests/config.pp
@@ -0,0 +1,19 @@
+class nginx::config {
+ file {
+ "/etc/nginx/sites-available":
+ ensure => directory;
+ "/etc/nginx/sites-enabled":
+ ensure => directory;
+ "/etc/nginx/ssl":
+ source => 'puppet:///modules/nginx/ssl';
+ "/etc/nginx/mime.types.paste":
+ source => 'puppet:///modules/nginx/mime.types.paste';
+ "/etc/nginx/nginx.conf":
+ source => 'puppet:///modules/nginx/nginx.conf';
+ }
+
+ exec { 'openssl dhparam -out /etc/nginx/dhparam.pem 4096':
+ path => '/usr/bin',
+ creates => '/etc/nginx/dhparam.pem';
+ }
+}
diff --git a/modules/nginx/manifests/init.pp b/modules/nginx/manifests/init.pp
index e3e6b70..505c847 100644
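Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0 and 1.1 enabled, and the `ssl_ciphers` list ends with `ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA` (3DES, Sweet32) and the static-RSA `AES128-GCM-SHA256` … `AES256-SHA` suites that give no forward secrecy; a Let's Encrypt host that already generates a 4096-bit DH group has no reason to offer any of those. Change the protocol line to `ssl_protocols TLSv1.2;` (add `TLSv1.3` once the installed nginx and OpenSSL support it) and truncate the cipher list after `DHE-RSA-AES256-SHA`, keeping the trailing `!DSS`. Separately, `ssl_stapling on` is inert without a `resolver` directive — nginx needs one to reach the OCSP responder, and the nginx.conf in this commit defines none — and `ssl_stapling_verify on` expects `ssl_trusted_certificate` to point at the issuer chain (`chain.pem` in the same Let's Encrypt directory). `ssl on;` is the deprecated form; `listen 443 ssl;` in each server block is the replacement.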
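Review bot: The `exec` that generates `/etc/nginx/dhparam.pem` runs under Puppet's default 300-second exec timeout, and `openssl dhparam ... 4096` routinely takes longer than that on a small VM; when it does, Puppet kills it, the file is never written, and `ssl_dhparam` in the `ssl` snippet then points at a missing file so nginx refuses to start. Add `timeout => 0,` to the exec, or generate the parameters offline and ship them as a `file` resource. None of the `file` resources notify the service either, so a later change to nginx.conf or the `ssl` snippet is written to disk but not picked up until something else restarts nginx; `notify => Service['nginx']` on each of them (the service is declared in `nginx::service`) closes that gap. The resources also carry no `owner`/`group`/`mode`, which is acceptable for these non-secret files but is worth stating explicitly so the permissions do not drift with the agent's umask.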
--- a/modules/nginx/manifests/init.pp
+++ b/modules/nginx/manifests/init.pp
@@ -1,2 +1,9 @@
 class nginx {
+ include certbot
+
+ include nginx::install
+ include nginx::config
+ include nginx::service
+
+ nginx::install -> nginx::config -> nginx::service
 }
diff --git a/modules/nginx/manifests/install.pp b/modules/nginx/manifests/install.pp
new file mode 100644
index 0000000..680b0ab
--- /dev/null
+++ b/modules/nginx/manifests/install.pp
@@ -0,0 +1,5 @@
+class nginx::install {
+ package { ['nginx', 'openssl']:
+ ensure => installed;
+ }
+}
diff --git a/modules/nginx/manifests/service.pp b/modules/nginx/manifests/service.pp
new file mode 100644
index 0000000..bd09c64
--- /dev/null
+++ b/modules/nginx/manifests/service.pp
@@ -0,0 +1,5 @@
+class nginx::service {
+ service { 'nginx':
+ ensure => running;
+ }
+}
diff --git a/modules/nginx/manifests/site.pp b/modules/nginx/manifests/site.pp
new file mode 100644
index 0000000..dc25bb3
--- /dev/null
+++ b/modules/nginx/manifests/site.pp
@@ -0,0 +1,15 @@
+define nginx::site($content=undef, $source=undef, $enabled=true) {
+ include nginx
+
+ file { "/etc/nginx/sites-available/$name":
+ source => $source,
+ content => $content;
+ }
+
+ if $enabled {
+ file { "/etc/nginx/sites-enabled/$name":
+ ensure => link,
+ target => "../sites-available/$name";
+ }
+ }
+}
-- cgit v1.2.3-54-g00ecf
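Review bot: `include certbot` adds the class to the catalog but nothing orders it relative to `nginx::service`, so if `certbot` is what obtains the certificate and key that the `ssl` snippet references, a fresh host can start nginx before `/etc/letsencrypt/live/tozt.net/` exists and fail; whether that bites depends on a site actually including the snippet, which this commit does not show. If the dependency is intended, make it explicit with `Class['certbot'] -> Class['nginx::service']`, or the reverse if certbot's webroot flow needs nginx up first. The chain on the last line is the compact spelling; `Class['nginx::install'] -> Class['nginx::config'] -> Class['nginx::service']` is the form the Puppet docs illustrate and reads unambiguously as class ordering.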
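Review bot: `ensure => running` keeps nginx up during each Puppet run but says nothing about boot, so on a distribution whose package does not enable the unit the service stays down after a reboot until the next agent run. Add `enable => true,` beside it. The resource also has no `subscribe`, so configuration written by `nginx::config` or `nginx::site` is never reloaded; `subscribe => File['/etc/nginx/nginx.conf']` here, or `notify => Service['nginx']` on those file resources, makes a config change take effect in the same run.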
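Review bot: Passing `enabled => false` does not remove an existing `sites-enabled` symlink — the `if $enabled` branch only ever creates one — so a site disabled in the manifest keeps being served until someone deletes the link by hand. Add an `else` branch declaring `file { "/etc/nginx/sites-enabled/${name}": ensure => absent }` so both states converge. Neither file resource notifies `Service['nginx']` (declared by the `include nginx` above), so a new or changed site is not loaded until an unrelated restart. `$name` is interpolated into the path unchecked; that is fine while names come from manifests, but the conventional `${name}` spelling plus a regex guard rejecting `/` would make the define safe if titles ever come from data.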