From 73cc11f0182031268b0aea2ec16449e8f48df244 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Timoth=C3=A9e=20Floure?= Date: Tue, 6 Jul 2021 17:14:14 +0200 Subject: [PATCH] Replace __recycledcloud_nginx by __nginx (merged into cdist-contrib) --- type/__recycledcloud_lists/manifest | 4 +- type/__recycledcloud_nginx/man.rst | 40 ----- type/__recycledcloud_nginx/manifest | 76 -------- type/__recycledcloud_nginx/parameter/optional | 5 - .../files/301-to-https | 4 - .../files/generic.conf.sh | 37 ---- type/__recycledcloud_nginx_vhost/files/hsts | 1 - .../files/index.html | 12 -- .../files/static.conf.sh | 13 -- .../files/to-https.conf.sh | 25 --- .../gencode-remote | 26 --- type/__recycledcloud_nginx_vhost/man.rst | 83 --------- type/__recycledcloud_nginx_vhost/manifest | 162 ------------------ .../parameter/boolean | 4 - .../parameter/default/index | 1 - .../parameter/optional | 4 - type/__recycledcloud_wordpress/manifest | 2 +- 17 files changed, 3 insertions(+), 496 deletions(-) delete mode 100644 type/__recycledcloud_nginx/man.rst delete mode 100644 type/__recycledcloud_nginx/manifest delete mode 100644 type/__recycledcloud_nginx/parameter/optional delete mode 100644 type/__recycledcloud_nginx_vhost/files/301-to-https delete mode 100755 type/__recycledcloud_nginx_vhost/files/generic.conf.sh delete mode 100644 type/__recycledcloud_nginx_vhost/files/hsts delete mode 100644 type/__recycledcloud_nginx_vhost/files/index.html delete mode 100755 type/__recycledcloud_nginx_vhost/files/static.conf.sh delete mode 100755 type/__recycledcloud_nginx_vhost/files/to-https.conf.sh delete mode 100644 type/__recycledcloud_nginx_vhost/gencode-remote delete mode 100644 type/__recycledcloud_nginx_vhost/man.rst delete mode 100644 type/__recycledcloud_nginx_vhost/manifest delete mode 100644 type/__recycledcloud_nginx_vhost/parameter/boolean delete mode 100644 type/__recycledcloud_nginx_vhost/parameter/default/index delete mode 100644 type/__recycledcloud_nginx_vhost/parameter/optional diff --git a/type/__recycledcloud_lists/manifest b/type/__recycledcloud_lists/manifest index 06f2554..f17a454 100644 --- a/type/__recycledcloud_lists/manifest +++ b/type/__recycledcloud_lists/manifest @@ -9,7 +9,7 @@ fi DOMAIN=$(cat "${__object:?}/parameter/domain") export DOMAIN -__recycledcloud_nginx "$DOMAIN" \ +__nginx "$DOMAIN" \ --config - <<- EOF location / { uwsgi_pass unix:/run/mailman3-web/uwsgi.sock; @@ -52,7 +52,7 @@ export LDAP_SERVER_URI LDAP_BIND_DN LDAP_BIND_PASSWORD LDAP_USER_BASE_DN \ # Install mailman3 and related mail services. __package python3-ldap __package python3-django-auth-ldap -require="__recycledcloud_nginx/$DOMAIN __package/python3-ldap \ +require="__nginx/$DOMAIN __package/python3-ldap \ __package/python3-django-auth-ldap" __package mailman3-full # Install & configure MTA. diff --git a/type/__recycledcloud_nginx/man.rst b/type/__recycledcloud_nginx/man.rst deleted file mode 100644 index b1de718..0000000 --- a/type/__recycledcloud_nginx/man.rst +++ /dev/null @@ -1,40 +0,0 @@ -cdist-type__recycledcloud_nginx(7) -=================================== - -NAME ----- -cdist-type__recycledcloud_nginx - Serve web content with NGINX - - -DESCRIPTION ------------ -Leverages `__recycledcloud_nginx_vhost` to serve web content. - -REQUIRED PARAMETERS -------------------- -domain - Domain name to be served. - -OPTIONAL PARAMETERS -------------------- -config - Custom NGINX logic, templated within a standard `server` section with - `server_name` and TLS parameters set. Defaults to simple static hosting. - -altdomains - Alternative domain names for this vhost and related TLS certificate. - -uacme-hookscript - Custom hook passed to the __uacme_obtain type: useful to integrate the - dns-01 challenge with third-party DNS providers. - -AUTHORS -------- -Timothée Floure - -COPYING -------- -Copyright \(C) 2020 Joachim Desroches. You can redistribute it -and/or modify it under the terms of the GNU General Public License as -published by the Free Software Foundation, either version 3 of the -License, or (at your option) any later version. diff --git a/type/__recycledcloud_nginx/manifest b/type/__recycledcloud_nginx/manifest deleted file mode 100644 index 75db7cd..0000000 --- a/type/__recycledcloud_nginx/manifest +++ /dev/null @@ -1,76 +0,0 @@ -#!/bin/sh - -os="$(cat "${__global:?}"/explorer/os)" -case "$os" in - alpine) - nginx_user=nginx - nginx_certdir=/etc/nginx/ssl - ;; - debian|ubuntu) - nginx_user=www-data - nginx_certdir=/etc/nginx/ssl - ;; - *) - echo "This type does not support $os yet. Aborting." >&2; - exit 1; - ;; -esac - -if [ -f "${__object:?}/parameter/domain" ]; -then - domain="$(cat "${__object:?}/parameter/domain")" -else - domain="${__object_id:?}" -fi - -altdomains= -if [ -f "${__object:?}/parameter/altdomains" ]; -then - altdomains="$(cat "${__object:?}/parameter/altdomains")" -fi - -set_custom_uacme_hookscript= -if [ -f "${__object:?}/parameter/uacme-hookscript" ]; -then - uacme_hookscript="$(cat "${__object:?}/parameter/uacme-hookscript")" - set_custom_uacme_hookscript="--hookscript $uacme_hookscript" -fi - -# Deploy simple HTTP vhost, allowing to serve ACME challenges. -__recycledcloud_nginx_vhost "301-to-https-$domain" \ - --domain "$domain" --altdomains "$altdomains" --to-https - -# Obtaining TLS cert. -cert_ownership=$nginx_user -if [ -f "${__object:?}/parameter/force-cert-ownership-to" ]; then - cert_ownership=$(cat "${__object:?}/parameter/force-cert-ownership-to") -fi - -__uacme_account -# shellcheck disable=SC2086 -require="__recycledcloud_nginx_vhost/301-to-https-$domain __uacme_account" \ - __uacme_obtain "$domain" \ - --altdomains "$altdomains" \ - $set_custom_uacme_hookscript \ - --owner "$cert_ownership" \ - --install-key-to "$nginx_certdir/$domain/privkey.pem" \ - --install-cert-to "/$nginx_certdir/$domain/fullchain.pem" \ - --renew-hook "service nginx reload" - -# Deploy HTTPS nginx vhost. -if [ -f "${__object:?}/parameter/config" ]; then - if [ "$(cat "${__object:?}/parameter/config")" = "-" ]; then - nginx_logic="${__object:?}/stdin" - else - nginx_logic="${__object:?}/parameter/config" - fi - - mkdir -p "${__object:?}/files" - cat "$nginx_logic" > "${__object:?}/files/config" - - require="__uacme_obtain/$domain" __recycledcloud_nginx_vhost "$domain" \ - --altdomains "$altdomains" --config "${__object:?}/files/config" -else - require="__uacme_obtain/$domain" __recycledcloud_nginx_vhost "$domain" \ - --altdomains "$altdomains" -fi diff --git a/type/__recycledcloud_nginx/parameter/optional b/type/__recycledcloud_nginx/parameter/optional deleted file mode 100644 index 1a5fb95..0000000 --- a/type/__recycledcloud_nginx/parameter/optional +++ /dev/null @@ -1,5 +0,0 @@ -config -domain -altdomains -uacme-hookscript -force-cert-ownership-to diff --git a/type/__recycledcloud_nginx_vhost/files/301-to-https b/type/__recycledcloud_nginx_vhost/files/301-to-https deleted file mode 100644 index 2675732..0000000 --- a/type/__recycledcloud_nginx_vhost/files/301-to-https +++ /dev/null @@ -1,4 +0,0 @@ -# Redirect request to this page in HTTPS. -location / { - return 301 https://$host$request_uri; -} diff --git a/type/__recycledcloud_nginx_vhost/files/generic.conf.sh b/type/__recycledcloud_nginx_vhost/files/generic.conf.sh deleted file mode 100755 index 13e36aa..0000000 --- a/type/__recycledcloud_nginx_vhost/files/generic.conf.sh +++ /dev/null @@ -1,37 +0,0 @@ -#!/bin/sh -# Template for static NGINX hosting. - -echo 'server {' - -# Listen -cat <<- EOF - listen ${LPORT:?} $TLS; - listen [::]:${LPORT:?} $TLS; -EOF - -# Name -echo "server_name ${DOMAIN:?} $ALTDOMAINS;" - -# ACME challenges. -cat << EOF -location /.well-known/acme-challenge/ { - alias ${ACME_CHALLENGE_DIR:?}; -} -EOF - -if [ -n "$TLS" ]; -then - if [ -n "$HSTS" ]; - then - echo 'include snippets/hsts;' - fi - - cat <<- EOF - ssl_certificate ${NGINX_CERTDIR:?}/${DOMAIN:?}/fullchain.pem; - ssl_certificate_key ${NGINX_CERTDIR:?}/${DOMAIN:?}/privkey.pem; - EOF -fi - -echo "${NGINX_LOGIC:?}" - -echo '}' diff --git a/type/__recycledcloud_nginx_vhost/files/hsts b/type/__recycledcloud_nginx_vhost/files/hsts deleted file mode 100644 index 7e4a854..0000000 --- a/type/__recycledcloud_nginx_vhost/files/hsts +++ /dev/null @@ -1 +0,0 @@ -add_header Strict-Transport-Security "max-age=31536000" always; diff --git a/type/__recycledcloud_nginx_vhost/files/index.html b/type/__recycledcloud_nginx_vhost/files/index.html deleted file mode 100644 index bcadf4d..0000000 --- a/type/__recycledcloud_nginx_vhost/files/index.html +++ /dev/null @@ -1,12 +0,0 @@ - - - - - - cdist configured! - - - You have successfully configured a vhost with - cdist. You can now upload content! - - diff --git a/type/__recycledcloud_nginx_vhost/files/static.conf.sh b/type/__recycledcloud_nginx_vhost/files/static.conf.sh deleted file mode 100755 index 363f228..0000000 --- a/type/__recycledcloud_nginx_vhost/files/static.conf.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/bin/sh -# Template for static NGINX hosting. - -NGINX_LOGIC="$(cat << EOF - location / { - root ${NGINX_WEBROOT:?}/${DOMAIN:?}; - index index.html; - } -EOF -)" -export NGINX_LOGIC - -"${__type:?}/files/generic.conf.sh" diff --git a/type/__recycledcloud_nginx_vhost/files/to-https.conf.sh b/type/__recycledcloud_nginx_vhost/files/to-https.conf.sh deleted file mode 100755 index 77dd45b..0000000 --- a/type/__recycledcloud_nginx_vhost/files/to-https.conf.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/sh -# Template for HTTPS redirection. - -echo 'server {' - -# Listen -cat <<- EOF - listen ${LPORT:?}; - listen [::]:${LPORT:?}; -EOF - -# Name -echo "server_name ${DOMAIN:?} $ALTDOMAINS;" - -# ACME challenges. -cat << EOF -location /.well-known/acme-challenge/ { - alias ${ACME_CHALLENGE_DIR:?}; -} -EOF - -# HTTPS redirection. -echo 'include snippets/301-to-https;' - -echo '}' diff --git a/type/__recycledcloud_nginx_vhost/gencode-remote b/type/__recycledcloud_nginx_vhost/gencode-remote deleted file mode 100644 index d634d83..0000000 --- a/type/__recycledcloud_nginx_vhost/gencode-remote +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/sh - -os="$(cat "${__global:?}"/explorer/os)" - -case "$os" in - alpine) - reload_hook="service nginx --ifstopped start;\ - service nginx --ifstarted reload" - ;; - debian|ubuntu|*) - reload_hook="systemctl reload-or-restart nginx" - ;; -esac - -# Check configuration and reload if valid. -# TODO: only check if configuration was changed (= listen for __file's -# messages). -cat << EOF -if nginx -t; then - $reload_hook -else - echo "NGINX configuration is invalid. Exiting." >2& - nginx -t >2& - exit 1 -fi -EOF diff --git a/type/__recycledcloud_nginx_vhost/man.rst b/type/__recycledcloud_nginx_vhost/man.rst deleted file mode 100644 index 28767d7..0000000 --- a/type/__recycledcloud_nginx_vhost/man.rst +++ /dev/null @@ -1,83 +0,0 @@ -cdist-type__nginx_vhost(7) -=================================== - -NAME ----- -cdist-type__nginx_vhost - Have nginx serve content for a virtual host - - -DESCRIPTION ------------ -This type setups up nginx with reasonable defaults and creates a vhost to be -served, optionally with TLS certificates obtained from the Let's Encrypt CA -through the ACME HTTP-01 challenge-response mechanism. - -By default, if no rules are specified, then the vhost will serve as-is the -contents of the `WEBROOT/foo.com` directory, where WEBROOT is -determined depending on the OS, adhering as close to `hier(7)` as possible. - -NGINX expects files in the vhost to be served to be at least readable by the -`USER` group, that it creates if it does not exist. It is recommended to have -the user owning the files to be someone else, and the files beeing -group-readable but not writeable. - -Finally, if TLS is not disabled, then this type makes nginx expect the -fullchain certificate and the private key in -`CERTDIR/domain/{fullchain,privkey}.pem`. - -+------------------+---------+-------------------+-----------------------------+ -| Operating System | USER | WEBROOT | CERTDIR | -+==================+=========+===================+=============================+ -| Alpine Linux | `nginx` | `/srv/www/` | `/etc/nginx/ssl/` | -+------------------+---------+-------------------+-----------------------------+ -| Arch Linux | `www` | `/srv/www/` | `/etc/nginx/ssl/` | -+------------------+---------+-------------------+-----------------------------+ -| FreeBSD | `www` | `/usr/local/www/` | `/usr/local/etc/nginx/ssl/` | -+------------------+---------+-------------------+-----------------------------+ - -OPTIONAL PARAMETERS -------------------- - -config - A custom configuration file for the vhost, inserted in a server section - populated with `server_name` and TLS parameters unless `--standalone-config` - is specified. Can be specified either as a file path, or if the value of this - flag is '-', then the configuration is read from stdin. - -domain - The domain this server will respond to. If this is omitted, then the - `__object_id` is used. - -lport - The port to which we listen. If this is omitted, the defaults of `80` for - HTTP and `443` for HTTPS are used. - -altdomains - Alternative domain names for this vhost. - -BOOLEAN PARAMETERS ------------------- - -no-hsts - Do not use HSTS pinning. - -no-tls - Do not serve over HTTPS. - -to-https - Ignore --config flag and redirect to HTTPS. Implies --no-tls. - -standalone-config - Insert the content of - -AUTHORS -------- -Joachim Desroches -Timothée Floure - -COPYING -------- -Copyright \(C) 2020 Joachim Desroches. You can redistribute it -and/or modify it under the terms of the GNU General Public License as -published by the Free Software Foundation, either version 3 of the -License, or (at your option) any later version. diff --git a/type/__recycledcloud_nginx_vhost/manifest b/type/__recycledcloud_nginx_vhost/manifest deleted file mode 100644 index 3e7b913..0000000 --- a/type/__recycledcloud_nginx_vhost/manifest +++ /dev/null @@ -1,162 +0,0 @@ -#!/bin/sh -# -# 2020 Joachim Desroches -# -# This file is part of cdist. -# -# cdist is free software: you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation, either version 3 of the License, or -# (at your option) any later version. -# -# cdist is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with cdist. If not, see . -# -# Create NGINX vhosts - -os="$(cat "${__global:?}"/explorer/os)" -mkdir -p "${__object:?}/files" - -case "$os" in - alpine) - __package nginx - - nginx_confdir="/etc/nginx" - install_reqs="__package/nginx" - - require="$install_reqs" __start_on_boot nginx - - export NGINX_SITEDIR="$nginx_confdir/conf.d" - export NGINX_CERTDIR="$nginx_confdir/ssl" - export NGINX_SNIPPETSDIR="$nginx_confdir/snippets" - export NGINX_WEBROOT="/var/www" - export ACME_CHALLENGE_DIR="$NGINX_WEBROOT/.well-known/acme-challenge/" - ;; - debian|ubuntu) - __package nginx - - nginx_confdir="/etc/nginx" - install_reqs="__package/nginx" - - export NGINX_SITEDIR="$nginx_confdir/sites-enabled" - export NGINX_CERTDIR="$nginx_confdir/ssl" - export NGINX_SNIPPETSDIR="$nginx_confdir/snippets" - export NGINX_WEBROOT="/var/www" - export ACME_CHALLENGE_DIR="$NGINX_WEBROOT/.well-known/acme-challenge/" - ;; - *) - echo "This type does not support $os yet. Aborting." >&2; - exit 1; -esac - -# Domain -if [ -f "${__object:?}/parameter/domain" ]; -then - DOMAIN="$(cat "${__object:?}/parameter/domain")" -else - DOMAIN="${__object_id:?}" -fi -export DOMAIN - -ALTDOMAINS= -if [ -f "${__object:?}/parameter/altdomains" ]; -then - ALTDOMAINS="$(cat "${__object:?}/parameter/altdomains")" -fi -export ALTDOMAINS - -# Use TLS ? -if [ -f "${__object:?}/parameter/no-tls" ]; -then - TLS= - echo "WARNING: you have disabled TLS for vhost $DOMAIN" >&2 -else - TLS=ssl -fi -export TLS - -# Use HSTS ? -if [ -f "${__object:?}/parameter/no-hsts" ]; -then - HSTS= -else - HSTS=true -fi -export HSTS - -# Redirect to HTTPS ? -if [ -f "${__object:?}/parameter/to-https" ]; -then - TO_HTTPS=true -else - TO_HTTPS= -fi -export HSTS - -# Port to listen on -if [ -f "${__object:?}/parameter/lport" ]; -then - LPORT="$(cat "${__object:?}/parameter/lport")" -else - if [ -n "$TLS" ] && [ -z "$TO_HTTPS" ]; - then - LPORT=443 - else - LPORT=80 - fi -fi -export LPORT - -# Server definition -if [ -n "$TO_HTTPS" ]; -then - # Ignore configuration, simply serve ACME challenge and redirect to HTTPS. - "${__type:?}/files/to-https.conf.sh" > "${__object:?}/files/vhost.conf" - vhost_conf="${__object:?}/files/vhost.conf" -elif [ -f "${__object:?}/parameter/config" ]; -then - # Extract nginx config from type parameter. - if [ "$(cat "${__object:?}/parameter/config")" = "-" ]; - then - vhost_partial="${__object:?}/stdin" - else - vhost_partial=$(cat "${__object:?}/parameter/config") - fi - - # Either use config as-in or template it in generic vhost structure. - if [ -f "${__object:?}/parameter/standalone-config" ]; then - vhost_conf=$vhost_partial - else - NGINX_LOGIC=$(cat "$vhost_partial") "${__type:?}/files/generic.conf.sh" \ - > "${__object:?}/files/vhost.conf" - - vhost_conf="${__object:?}/files/vhost.conf" - fi -else - # Default to simple static configuration. - "${__type:?}/files/static.conf.sh" > "${__object:?}/files/vhost.conf" - vhost_conf="${__object:?}/files/vhost.conf" - - require="$install_reqs" __directory "$NGINX_WEBROOT/$DOMAIN" - require="__directory$NGINX_WEBROOT/$DOMAIN" \ - __file "$NGINX_WEBROOT/$DOMAIN/index.html" --state exists \ - --source "${__type:?}/files/index.html" \ - --mode 0644 -fi - -# Install snippets. -require="$install_reqs" __directory "$NGINX_SNIPPETSDIR" -for snippet in hsts 301-to-https; do - require="__directory/$NGINX_SNIPPETSDIR" __file \ - "$NGINX_SNIPPETSDIR/$snippet" --source "${__type:?}/files/$snippet" -done - -# Install vhost. -require="$install_reqs" __file "$NGINX_SITEDIR/$__object_id.conf" \ - --source "$vhost_conf" \ - --mode 0644 diff --git a/type/__recycledcloud_nginx_vhost/parameter/boolean b/type/__recycledcloud_nginx_vhost/parameter/boolean deleted file mode 100644 index aa06036..0000000 --- a/type/__recycledcloud_nginx_vhost/parameter/boolean +++ /dev/null @@ -1,4 +0,0 @@ -no-tls -no-hsts -to-https -standalone-config diff --git a/type/__recycledcloud_nginx_vhost/parameter/default/index b/type/__recycledcloud_nginx_vhost/parameter/default/index deleted file mode 100644 index d5b7a40..0000000 --- a/type/__recycledcloud_nginx_vhost/parameter/default/index +++ /dev/null @@ -1 +0,0 @@ -index.html index.htm diff --git a/type/__recycledcloud_nginx_vhost/parameter/optional b/type/__recycledcloud_nginx_vhost/parameter/optional deleted file mode 100644 index 9c47616..0000000 --- a/type/__recycledcloud_nginx_vhost/parameter/optional +++ /dev/null @@ -1,4 +0,0 @@ -domain -config -altdomains -lport diff --git a/type/__recycledcloud_wordpress/manifest b/type/__recycledcloud_wordpress/manifest index 94edeca..a5c9531 100644 --- a/type/__recycledcloud_wordpress/manifest +++ b/type/__recycledcloud_wordpress/manifest @@ -51,7 +51,7 @@ require="__recycledcloud_mysql" __mysql_database wordpress \ __package nginx # shellcheck disable=SC2086 -require="__package/nginx" __recycledcloud_nginx "$nginx_domain" \ +require="__package/nginx" __nginx "$nginx_domain" \ $altdomains \ --config - <<- EOF root /var/www/wordpress;