kunsi/bundlewrap
1
0
Fork 0
Code Issues 2 Pull requests 1 Releases Activity
bundlewrap/bundles/nginx/items.py
Franzi 1fbc08f74b
All checks were successful
bundlewrap/pipeline/head This commit looks good
Details
bundles/nginx: add a default security.txt to all vhosts
2021-06-03 18:57:25 +02:00

173 lines
4.9 KiB
Python
Raw Blame History

from datetime import datetime, timedelta
if node.has_bundle('pacman'):
package = 'pkg_pacman:nginx'
username = 'http'
else:
package = 'pkg_apt:nginx'
username = 'www-data'
directories = {
'/etc/nginx/sites': {
'purge': True,
'triggers': {
'svc_systemd:nginx:restart',
},
},
'/etc/nginx/security.txt.d': {
'purge': True,
},
'/etc/nginx/ssl': {
'purge': True,
'triggers': {
'svc_systemd:nginx:restart',
},
},
'/var/www': {},
}
files = {
'/etc/nginx/nginx.conf': {
'content_type': 'mako',
'context': {
'username': username,
**node.metadata['nginx'],
},
'triggers': {
'svc_systemd:nginx:restart',
},
},
'/etc/nginx/fastcgi.conf': {
'triggers': {
'svc_systemd:nginx:restart',
},
},
'/etc/nginx/sites/stub_status': {
'triggers': {
'svc_systemd:nginx:restart',
},
},
'/etc/nginx/sites/000-port80.conf': {
'source': 'port80.conf',
'triggers': {
'svc_systemd:nginx:restart',
},
},
'/usr/local/share/icinga/plugins/check_nginx_status': {
'mode': '0755',
},
}
if node.has_bundle('pacman'):
files['/etc/systemd/system/nginx.service.d/bundlewrap.conf'] = {
'source': 'arch-override.conf',
'triggers': {
'action:systemd-reload',
'svc_systemd:nginx:restart',
},
}
actions = {
'nginx-generate-dhparam': {
'command': 'openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048',
'unless': 'test -f /etc/ssl/certs/dhparam.pem',
},
}
svc_systemd = {
'nginx': {
'needs': {
'action:nginx-generate-dhparam',
package,
},
},
}
now = datetime.now()
in_three_months = now + timedelta(days=90)
default_security_expiry = in_three_months.strftime('%Y-%m-%d') + 'T00:00:00.000Z'
for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
if not 'domain' in config:
config['domain'] = vhost
security_txt_enabled = False
if (
node.metadata.get('nginx/security.txt/enabled', True) and
config.get('security.txt', {}).get('enabled', True)
):
security_txt_enabled = True
files[f'/etc/nginx/security.txt.d/{vhost}'] = {
'source': 'security.txt',
'content_type': 'mako',
'context': {
'domain': config['domain'],
'expiry': default_security_expiry,
'proto': 'https' if config.get('ssl', 'letsencrypt') else 'http',
'vhost': config.get('security.txt', node.metadata.get('nginx/security.txt', {})),
},
}
files[f'/etc/nginx/sites/{vhost}'] = {
'source': 'site_template',
'content_type': 'mako',
'context': {
'php_version': node.metadata.get('php/version', ''),
'security_txt': security_txt_enabled,
'vhost': vhost,
**config,
},
'needs': set(),
'needed_by': {
'svc_systemd:nginx',
'svc_systemd:nginx:restart',
},
'triggers': {
'svc_systemd:nginx:restart',
},
}
if not 'webroot' in config:
directories[f'/var/www/{vhost}'] = {}
if node.has_bundle('zfs'):
directories[f'/var/www/{vhost}']['needs'] = {
'bundle:zfs',
}
directories[f'/var/www/{vhost}'].update(config.get('webroot_config', {}))
if config.get('ssl', 'letsencrypt') == 'letsencrypt':
files[f'/etc/nginx/sites/{vhost}']['needs'].add('action:letsencrypt_ensure-some-certificate_{}'.format(config['domain']))
files[f'/etc/nginx/sites/{vhost}']['needed_by'].add('action:letsencrypt_update_certificates')
elif config.get('ssl', 'letsencrypt'):
files[f'/etc/nginx/ssl/{vhost}.crt'] = {
'content_type': 'mako',
'source': 'ssl_template',
'context': {
'domain': config['ssl'],
},
'needed_by': {
'svc_systemd:nginx',
'svc_systemd:nginx:restart',
},
'triggers': {
'svc_systemd:nginx:reload',
},
}
files[f'/etc/nginx/ssl/{vhost}.key'] = {
'content': repo.vault.decrypt_file('ssl/{}.key.pem.vault'.format(config['ssl'])),
'mode': '0600',
'needed_by': {
'svc_systemd:nginx',
'svc_systemd:nginx:restart',
},
'triggers': {
'svc_systemd:nginx:reload',
},
}
files[f'/etc/nginx/sites/{vhost}']['needs'].add(f'file:/etc/nginx/ssl/{vhost}.crt')
files[f'/etc/nginx/sites/{vhost}']['needs'].add(f'file:/etc/nginx/ssl/{vhost}.key')
Reference in a new issue View git blame Copy permalink