Rename roots to states

This commit renames the roots directory to states because it contains salt states.
2016-01-31 21:16:14 +01:00 · 2016-01-31 21:16:14 +01:00 · 3fd146215f
commit 3fd146215f
parent cade234963
34 changed files with 0 additions and 0 deletions
--- a/states/webserver/init.sls
+++ b/states/webserver/init.sls
@ -0,0 +1,50 @@
+include:
+  - nginx
+
+/etc/nginx/conf.d/logformat.conf:
+  file.managed:
+    - user: root
+    - group: root
+    - mode: 0644
+    - source: salt://webserver/nginx-logformat.conf
+    - require:
+      - pkg: nginx
+    - watch_in:
+      - service: nginx
+
+{% set ssldir = salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') %}
+
+generate-dhparam-nginx:
+  cmd.run:
+    - name: openssl dhparam -out {{ ssldir }}/dhparams.pem 2048
+    - umask: 022
+    - user: root
+    - group: root
+    - creates: {{ ssldir }}/dhparams.pem
+    - require_in:
+      - file: /etc/nginx/conf.d/ssl.conf
+    - watch_in:
+      - service: nginx
+
+/etc/nginx/conf.d/ssl.conf:
+  file.managed:
+    - user: root
+    - group: root
+    - mode: 0644
+    - source: salt://webserver/nginx-ssl.conf
+    - template: jinja
+    - require:
+      - pkg: nginx
+    - watch_in:
+      - service: nginx
+
+/etc/nginx/snippets/security.conf:
+  file.managed:
+    - user: root
+    - group: root
+    - mode: 0644
+    - source: salt://webserver/nginx-security.conf
+    - require:
+      - pkg: nginx
+    - watch_in:
+      - service: nginx
--- a/states/webserver/nginx-logformat.conf
+++ b/states/webserver/nginx-logformat.conf
@ -0,0 +1,4 @@
+log_format main '$remote_addr - $remote_user [$time_local]  '
+                '$server_name '
+                '"$request" $status $body_bytes_sent '
+                '"$http_referer" "$http_user_agent"';
--- a/states/webserver/nginx-security.conf
+++ b/states/webserver/nginx-security.conf
@ -0,0 +1,19 @@
+# Security - Basic configuration
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+        expires max;
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    # Deny access to hidden files
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
--- a/states/webserver/nginx-ssl.conf
+++ b/states/webserver/nginx-ssl.conf
@ -0,0 +1,15 @@
+# Default TLS settings
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers kEECDH+AESGCM:kEECDH+AES:kEECDH:EDH+AESGCM:kEDH+AES:kEDH:AESGCM:ALL:!LOW:!EXP:!MD5:!aNULL:!eNULL:!RC4:!DSS;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+
+ssl_dhparam {{ salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') }}/dhparams.pem;
+
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+# use Google's DNS
+resolver 8.8.8.8;
+resolver_timeout 5s;
--- a/states/webserver/sslcert.macros.sls
+++ b/states/webserver/sslcert.macros.sls
@ -0,0 +1,30 @@
+{%- macro key_cert(domain_name) %}
+{% set nginx_ssl_keydir = salt['pillar.get']('nginx:sslkeydir', '/etc/nginx/ssl/private') %}
+{% set nginx_ssl_certdir = salt['pillar.get']('nginx:sslcertdir', '/etc/nginx/ssl/certs') %}
+{% set keyfile = nginx_ssl_keydir + '/' + domain_name + '.key.pem' %}
+{% set certfile = nginx_ssl_certdir + '/' + domain_name + '.crt.pem' %}
+
+{{ keyfile }}:
+  rsa_key.valid_key:
+    - bits: {{ salt['pillar.get']('nginx:keylength:' + domain_name, 2048) }}
+    - require:
+      - file: {{ nginx_ssl_keydir }}
+    - require_in:
+      - file: /etc/nginx/sites-available/{{ domain_name }}
+      - service: nginx
+
+{{ certfile }}:
+  cmd.run:
+    - name: openssl req -new -x509 -key {{ keyfile }} -subj '/CN={{ domain_name }}' -days 730 -out {{ certfile }}
+    - require:
+      - rsa_key: {{ keyfile }}
+    - creates: {{ certfile }}
+  x509_certificate.valid_certificate:
+    - require:
+      - file: {{ nginx_ssl_certdir }}
+      - cmd: {{ certfile }}
+      - pkg: python-m2crypto
+    - require_in:
+      - file: /etc/nginx/sites-available/{{ domain_name }}
+      - service: nginx
+{% endmacro %}