From c4330f866b568338afd2b60f41e3b438f5fb12af Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Mon, 1 Jun 2020 10:52:52 +0200
Subject: [PATCH] bundles/nginx: add deployment of vhost configs
---
 bundles/nginx/files/site_template | 25 +++++++++++++++++++++++++
 bundles/nginx/items.py | 16 ++++++++++++++++
 bundles/nginx/metadata.py | 13 +++++++++++++
 3 files changed, 54 insertions(+)
 create mode 100644 bundles/nginx/files/site_template
diff --git a/bundles/nginx/files/site_template b/bundles/nginx/files/site_template
new file mode 100644
index 0000000..6517ce0
--- /dev/null
+++ b/bundles/nginx/files/site_template
@@ -0,0 +1,25 @@
+server {
+ server_name ${domain};
+ root ${webroot if webroot else '/var/www/{}/'.format(domain)};
+ index ${index if index else 'index.html index.htm'};
+
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem;
+ ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ add_header Strict-Transport-Security "max-age=31104000; preload";
+ add_header X-Frame-Options "DENY";
+
+% if extras:
+<%include file="extras/${node.name}/${domain}" />
+% endif
+}
diff --git a/bundles/nginx/items.py b/bundles/nginx/items.py
index 754231b..947a651 100644
--- a/bundles/nginx/items.py
+++ b/bundles/nginx/items.py
@@ -21,3 +21,19 @@ svc_systemd = {
 },
 },
 }
+
+for domain, config in node.metadata.get('nginx', {}).get('vhosts', {}).items():
+ files['/etc/nginx/sites/{}'.format(domain)] = {
+ 'source': 'site_template',
+ 'content_type': 'mako',
+ 'context': {
+ 'domain': domain,
+ **config
+ },
+ 'needs': {
+ 'action:letsencrypt_update_certificates',
+ },
+ 'triggers': {
+ 'svc_systemd:nginx:restart',
+ },
+ }
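Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in the new site_template still offers TLS 1.0 and 1.1 on every vhost generated from it; both are deprecated and nothing in the hunk indicates a client that needs them, so `ssl_protocols TLSv1.2 TLSv1.3;` (TLS 1.3 only if the node's nginx and OpenSSL support it, otherwise TLSv1.2 alone) is the safer default. The HSTS header asks for `preload` with a max-age of 31104000 seconds (360 days) and no `includeSubDomains`, which the preload list does not accept (it requires at least one year and includeSubDomains); either use `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";` or drop the `preload` token until that is intended. `ssl_stapling on` without a `resolver` directive in scope leaves nginx unable to resolve the OCSP responder unless one is set in nginx.conf, which this hunk does not show. Because `add_header` directives are not inherited by a block that sets its own, anything pulled in through the `extras` include that adds a header inside a `location` silently drops the HSTS and X-Frame-Options headers; a comment above the include warning about this would help whoever writes those extras.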
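Review bot: The `'needs': {'action:letsencrypt_update_certificates'}` dependency in the new items.py loop is unconditional, whereas the letsencrypt metadata processor added to bundles/nginx/metadata.py in the same commit is guarded by `node.has_bundle('letsencrypt')`; on a node that has nginx vhosts but no letsencrypt bundle this points at an item that does not exist, which bundlewrap treats as an error as far as I recall. Mirroring the guard keeps the two in step: `'needs': {'action:letsencrypt_update_certificates'} if node.has_bundle('letsencrypt') else set(),`. `**config` copies every key of the vhost's metadata into the template context, so a vhost dict that happens to contain `domain` silently overrides the loop variable; a short comment listing the keys the template recognises (`webroot`, `index`, `extras`) next to the loop would document the contract. Triggering `svc_systemd:nginx:restart` drops open connections on every config change where a reload would do; consider `'svc_systemd:nginx:reload'` if the service item supports that action.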
diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py
index 0da8995..b3c2e5e 100644
--- a/bundles/nginx/metadata.py
+++ b/bundles/nginx/metadata.py
@@ -24,3 +24,16 @@ def defaults(metadata):
 'worker_connections': 1000,
 },
 }, DEFAULTS, DONE
+
+
+@metadata_processor
+def letsencrypt(metadata):
+ if not node.has_bundle('letsencrypt'):
+ return metadata, DONE
+
+ le = metadata.setdefault('letsencrypt', {}).setdefault('domains', {})
+
+ for domain in metadata.get('nginx', {}).get('vhosts', {}).keys():
+ le[domain] = set()
+
+ return metadata, RUN_ME_AGAIN
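Review bot: `le[domain] = set()` replaces whatever `letsencrypt.domains[domain]` already holds on every run of the processor, so an entry for the same domain that another bundle or the node's own metadata filled in (alternative names, presumably, given the set value) is clobbered with an empty set; `le.setdefault(domain, set())` registers the domain without discarding existing data. The processor also never returns `DONE` once the letsencrypt bundle is present; if the bundlewrap version in use caps processor iterations, an always-`RUN_ME_AGAIN` processor is reported as a non-converging metadata loop, so it is worth confirming that this pattern is accepted here. `.keys()` on the vhosts dict is redundant, since iterating the dict directly yields its keys. A one-line docstring stating that the processor mirrors nginx vhost domains into the letsencrypt domain list would make the intent clear to the next reader.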