Add initial Vagrant/Saltstack setup

This commit adds an initial Vagrant and Saltstack setup that reuses the
same configuration as that of the gva repository. The LDAP server itself
is not configured yet.

salt/roots/webserver/init.sls

@@ -0,0 +1,50 @@
+include:
+  - nginx
+
+/etc/nginx/conf.d/logformat.conf:
+  file.managed:
+    - user: root
+    - group: root
+    - mode: 0644
+    - source: salt://webserver/nginx-logformat.conf
+    - require:
+      - pkg: nginx
+    - watch_in:
+      - service: nginx
+
+{% set ssldir = salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') %}
+
+generate-dhparam-nginx:
+  cmd.run:
+    - name: openssl dhparam -out {{ ssldir }}/dhparams.pem 2048
+    - umask: 022
+    - user: root
+    - group: root
+    - creates: {{ ssldir }}/dhparams.pem
+    - require_in:
+      - file: /etc/nginx/conf.d/ssl.conf
+    - watch_in:
+      - service: nginx
+
+/etc/nginx/conf.d/ssl.conf:
+  file.managed:
+    - user: root
+    - group: root
+    - mode: 0644
+    - source: salt://webserver/nginx-ssl.conf
+    - template: jinja
+    - require:
+      - pkg: nginx
+    - watch_in:
+      - service: nginx
+
+/etc/nginx/snippets/security.conf:
+  file.managed:
+    - user: root
+    - group: root
+    - mode: 0644
+    - source: salt://webserver/nginx-security.conf
+    - require:
+      - pkg: nginx
+    - watch_in:
+      - service: nginx

salt/roots/webserver/nginx-logformat.conf

@@ -0,0 +1,4 @@
+log_format main '$remote_addr - $remote_user [$time_local]  '
+                '$server_name '
+                '"$request" $status $body_bytes_sent '
+                '"$http_referer" "$http_user_agent"';

salt/roots/webserver/nginx-security.conf

@@ -0,0 +1,19 @@
+# Security - Basic configuration
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+        expires max;
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    # Deny access to hidden files
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }

salt/roots/webserver/nginx-ssl.conf

@@ -0,0 +1,15 @@
+# Default TLS settings
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers kEECDH+AESGCM:kEECDH+AES:kEECDH:EDH+AESGCM:kEDH+AES:kEDH:AESGCM:ALL:!LOW:!EXP:!MD5:!aNULL:!eNULL:!RC4:!DSS;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+
+ssl_dhparam {{ salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') }}/dhparams.pem;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# use Google's DNS
+resolver 8.8.8.8;
+resolver_timeout 5s;

salt/roots/webserver/sslcert.macros.sls

@@ -0,0 +1,30 @@
+{%- macro key_cert(domain_name) %}
+{% set nginx_ssl_keydir = salt['pillar.get']('nginx:sslkeydir', '/etc/nginx/ssl/private') %}
+{% set nginx_ssl_certdir = salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') %}
+{% set keyfile = nginx_ssl_keydir + '/' + domain_name + '.key.pem' %}
+{% set certfile = nginx_ssl_certdir + '/' + domain_name + '.crt.pem' %}
+
+{{ keyfile }}:
+  rsa_key.valid_key:
+    - bits: {{ salt['pillar.get']('nginx:keylength:' + domain_name, 2048) }}
+    - require:
+      - file: {{ nginx_ssl_keydir }}
+    - require_in:
+      - file: /etc/nginx/sites-available/{{ domain_name }}
+      - service: nginx
+
+{{ certfile }}:
+  cmd.run:
+    - name: openssl req -new -x509 -key {{ keyfile }} -subj '/CN={{ domain_name }}' -days 730 -out {{ certfile }}
+    - require:
+      - rsa_key: {{ keyfile }}
+    - creates: {{ certfile }}
+  x509_certificate.valid_certificate:
+    - require:
+      - file: {{ nginx_ssl_certdir }}
+      - cmd: {{ certfile }}
+      - pkg: python-m2crypto
+    - require_in:
+      - file: /etc/nginx/sites-available/{{ domain_name }}
+      - service: nginx
+{% endmacro %}