Page MenuHomeDevCentral

D2999.id7657.diff
No OneTemporary

D2999.id7657.diff

diff --git a/Makefile b/Makefile
--- a/Makefile
+++ b/Makefile
@@ -31,18 +31,24 @@
# Build targets - repository
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-repo: roles/webserver-content/init.sls .git/hooks/pre-commit
+repo: roles/webserver-content/init.sls \
+ roles/webserver-core/nginx/files/ocsp-ca-certs.pem \
+ .git/hooks/pre-commit
roles/webserver-content/init.sls:
tmpfile=`mktemp /tmp/make-rOPS-generate-webcontent-index.XXXXXX` ; \
utils/generate-webcontent-index.py > "$$tmpfile" ;\
${MV} "$$tmpfile" roles/webserver-content/init.sls
+roles/webserver-core/nginx/files/ocsp-ca-certs.pem:
+ utils/generate-ocsp-bundle.sh > roles/webserver-core/nginx/files/ocsp-ca-certs.pem
+
.git/hooks/pre-commit:
pre-commit install
clean-repo:
${RM} roles/webserver-content/init.sls .git/hooks/pre-commit
+ ${RM} roles/webserver-core/nginx/files/ocsp-ca-certs.pem
# -------------------------------------------------------------
# Build targets - API
diff --git a/roles/paas-docker/nginx/config.sls b/roles/paas-docker/nginx/config.sls
--- a/roles/paas-docker/nginx/config.sls
+++ b/roles/paas-docker/nginx/config.sls
@@ -9,34 +9,6 @@
{% from "map.jinja" import dirs with context %}
{% set containers = pillar.get('docker_containers', {}) %}
-# -------------------------------------------------------------
-# Base folder
-#
-# :: general configuration
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-{{ dirs.etc }}/nginx/nginx.conf:
- file.managed:
- - source: salt://roles/paas-docker/nginx/files/nginx.conf
-
-nginx_dhparams:
- cmd.run:
- - name: openssl dhparam -out {{ dirs.etc }}/nginx/dhparams.pem 2048
- - creates: {{ dirs.etc }}/nginx/dhparams.pem
-
-# -------------------------------------------------------------
-# includes folder
-#
-# :: general configuration
-# :: application-specific code
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-{{ dirs.etc }}/nginx/includes:
- file.recurse:
- - source: salt://roles/paas-docker/nginx/files/includes
- - dir_mode: 755
- - file_mode: 644
-
# -------------------------------------------------------------
# vhosts folder
#
diff --git a/roles/paas-docker/nginx/files/includes/cors-open b/roles/paas-docker/nginx/files/includes/cors-open
deleted file mode 100644
--- a/roles/paas-docker/nginx/files/includes/cors-open
+++ /dev/null
@@ -1,54 +0,0 @@
-# -------------------------------------------------------------
-# Configuration for Nasqueron web sites
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Nasqueron
-# Description: nginx CORS configuration
-# Reference: Michiel Kalkman, "Wide open nginx CORS configuration",
-# https://michielkalkman.com/snippets/nginx-cors-open-configuration/
-# License: Trivial work, not eligible for copyright.
-# Source file: roles/paas-docker/nginx/files/includes/cors-open
-# -------------------------------------------------------------
-#
-# <auto-generated>
-# This file is managed by our rOPS SaltStack repository.
-#
-# Changes to this file may cause incorrect behavior
-# and will be lost if the state is redeployed.
-# </auto-generated>
-
-# -------------------------------------------------------------
-# OPTIONS
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-if ($request_method = 'OPTIONS') {
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
- add_header 'Access-Control-Max-Age' 1728000;
- add_header 'Content-Type' 'text/plain; charset=utf-8';
- add_header 'Content-Length' 0;
-
- return 204;
- }
-
- # -------------------------------------------------------------
- # GET
- # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-if ($request_method = 'GET') {
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
- add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
-}
-
-# -------------------------------------------------------------
-# POST
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-if ($request_method = 'POST') {
- add_header 'Access-Control-Allow-Origin' '*';
- add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
- add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
- add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
-}
diff --git a/roles/paas-docker/nginx/files/includes/geo_nasqueron b/roles/paas-docker/nginx/files/includes/geo_nasqueron
deleted file mode 100644
--- a/roles/paas-docker/nginx/files/includes/geo_nasqueron
+++ /dev/null
@@ -1,24 +0,0 @@
-geo $nasqueron_server {
- default 0;
-
- # Dreadnought
- 51.255.124.8/30 1;
-
- # Ysul
- 163.172.49.16 1;
- 212.83.187.132 1;
-
- # WindRiver
- 51.159.18.59 1;
-
- # CloudHugger
- 188.165.200.229 1;
-
- # Docker containers
- 172.17.0.0/16 1;
-}
-
-map $nasqueron_server $not_a_nasqueron_server {
- default 0;
- 0 1;
-}
diff --git a/roles/paas-docker/nginx/files/includes/letsencrypt b/roles/paas-docker/nginx/files/includes/letsencrypt
deleted file mode 100644
--- a/roles/paas-docker/nginx/files/includes/letsencrypt
+++ /dev/null
@@ -1,20 +0,0 @@
-# -------------------------------------------------------------
-# Configuration for Let's encrypt nginx
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Author: Sébastien Santoro aka Dereckson
-# Created: 2016-01-05
-# Description: Get SSL certificates from Let's encrypt
-# Source file: roles/paas-docker/nginx/files/includes/letsencrypt
-# -------------------------------------------------------------
-#
-# <auto-generated>
-# This file is managed by our rOPS SaltStack repository.
-#
-# Changes to this file may cause incorrect behavior
-# and will be lost if the state is redeployed.
-# </auto-generated>
-
- location /.well-known/acme-challenge {
- default_type text/plain;
- root /srv/letsencrypt/www;
- }
diff --git a/roles/paas-docker/nginx/files/includes/tls b/roles/paas-docker/nginx/files/includes/tls
deleted file mode 100644
--- a/roles/paas-docker/nginx/files/includes/tls
+++ /dev/null
@@ -1,28 +0,0 @@
-# -------------------------------------------------------------
-# Configuration for Let's encrypt nginx
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Author: Sébastien Santoro aka Dereckson
-# Created: 2017-04-03
-# Description: Get SSL certificates from Let's encrypt
-# Source file: roles/paas-docker/nginx/files/includes/tls
-# -------------------------------------------------------------
-#
-# <auto-generated>
-# This file is managed by our rOPS SaltStack repository.
-#
-# Changes to this file may cause incorrect behavior
-# and will be lost if the state is redeployed.
-# </auto-generated>
-
-listen 443 ssl http2;
-listen [::]:443 ssl http2;
-keepalive_timeout 70;
-
-ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:10m;
-ssl_session_tickets off;
-
-ssl_protocols TLSv1.2;
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-ssl_prefer_server_ciphers on;
-ssl_dhparam /etc/nginx/dhparams.pem;
diff --git a/roles/shellserver/web-hosting/files/eglide/nginx/includes/letsencrypt.conf b/roles/shellserver/web-hosting/files/eglide/nginx/includes/letsencrypt.conf
deleted file mode 100644
--- a/roles/shellserver/web-hosting/files/eglide/nginx/includes/letsencrypt.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# -------------------------------------------------------------
-# Configuration for Let's encrypt nginx
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Author: Sébastien Santoro aka Dereckson
-# Created: 2016-01-05
-# Description: Get SSL certificates from Let's encrypt
-# Source file: roles/shellserver/web-hosting/files/eglide/nginx/includes/letsencrypt.conf
-# -------------------------------------------------------------
-#
-# <auto-generated>
-# This file is managed by our rOPS SaltStack repository.
-#
-# Changes to this file may cause incorrect behavior
-# and will be lost if the state is redeployed.
-# </auto-generated>
-
- location /.well-known/acme-challenge {
- allow all;
-
- default_type text/plain;
- root /var/letsencrypt-auto;
- }
diff --git a/roles/shellserver/web-hosting/files/eglide/nginx/nginx.conf b/roles/shellserver/web-hosting/files/eglide/nginx/nginx.conf
deleted file mode 100644
--- a/roles/shellserver/web-hosting/files/eglide/nginx/nginx.conf
+++ /dev/null
@@ -1,46 +0,0 @@
-# -------------------------------------------------------------
-# Eglide — nginx configuration
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Eglide
-# Created: 2016-07-26
-# License: Trivial work, not eligible to copyright
-# Source file: roles/shellserver/web-hosting/files/eglide/nginx/nginx.conf
-# -------------------------------------------------------------
-#
-# <auto-generated>
-# This file is managed by our rOPS SaltStack repository.
-#
-# Changes to this file may cause incorrect behavior
-# and will be lost if the state is redeployed.
-# </auto-generated>
-
-# -------------------------------------------------------------
-# Server configuration
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-worker_processes 1;
-
-events {
- worker_connections 1024;
-}
-
-# -------------------------------------------------------------
-# HTTP configuration
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-http {
- include mime.types;
- default_type text/plain;
-
- server_names_hash_bucket_size 128;
-
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- sendfile on;
- keepalive_timeout 65;
- gzip on;
-
- include vhosts/*.conf;
-}
diff --git a/roles/shellserver/web-hosting/files/eglide/nginx/ssl_params b/roles/shellserver/web-hosting/files/eglide/nginx/ssl_params
deleted file mode 100644
--- a/roles/shellserver/web-hosting/files/eglide/nginx/ssl_params
+++ /dev/null
@@ -1,15 +0,0 @@
- #Enable https
- listen 443 ssl http2;
- listen [2001:470:1f13:896:0:c0de:15:11fe]:443 ssl http2;
-
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:50m;
- ssl_session_tickets off;
-
- ssl_protocols TLSv1.2;
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
- ssl_prefer_server_ciphers on;
-
- add_header Strict-Transport-Security max-age=15768000;
- ssl_stapling on;
- ssl_stapling_verify on;
diff --git a/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000.conf b/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000-fallback.conf
rename from roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000.conf
rename to roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000-fallback.conf
--- a/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000.conf
+++ b/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000-fallback.conf
@@ -4,7 +4,7 @@
# Project: Eglide
# Created: 2016-07-26
# License: Trivial work, not eligible to copyright
-# Source file: roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000.conf
+# Source file: roles/shellserver/web-hosting/files/eglide/nginx/vhosts/000-fallback.conf
# -------------------------------------------------------------
#
# <auto-generated>
diff --git a/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-eglide.org.conf b/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-server.conf
rename from roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-eglide.org.conf
rename to roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-server.conf
--- a/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-eglide.org.conf
+++ b/roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-server.conf
@@ -4,7 +4,7 @@
# Project: Eglide
# Created: 2016-07-26
# License: Trivial work, not eligible to copyright
-# Source file: roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-eglide.org.conf
+# Source file: roles/shellserver/web-hosting/files/eglide/nginx/vhosts/001-server.conf
# -------------------------------------------------------------
#
# <auto-generated>
@@ -33,12 +33,11 @@
### SSL
###
- include includes/letsencrypt.conf;
+ include includes/letsencrypt;
- include ssl_params;
+ include includes/tls;
ssl_certificate /etc/letsencrypt/live/www.eglide.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.eglide.org/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/www.eglide.org/chain.pem;
###
### Main site
diff --git a/roles/webserver-core/map.jinja b/roles/webserver-core/map.jinja
new file mode 100644
--- /dev/null
+++ b/roles/webserver-core/map.jinja
@@ -0,0 +1,21 @@
+{% set options = salt["grains.filter_by"]({
+ "Debian": {
+ "www_user": "nobody",
+ "www_group": "",
+ },
+ "FreeBSD": {
+ "www_user": "www",
+ "www_group": "web",
+ },
+ "RedHat": {
+ "www_user": "nginx",
+ "www_group": "",
+ "pid_path": "/run/nginx.pid",
+ }
+}, default="Debian") %}
+
+{% if salt["node.has_role"]("paas-docker") %}
+{% set certbot_dir = "/srv/letsencrypt/www" %}
+{% else %}
+{% set certbot_dir = "/var/letsencrypt-auto" %}
+{% endif %}
diff --git a/roles/webserver-core/nginx/config.sls b/roles/webserver-core/nginx/config.sls
--- a/roles/webserver-core/nginx/config.sls
+++ b/roles/webserver-core/nginx/config.sls
@@ -6,6 +6,19 @@
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
+{% from "roles/webserver-core/map.jinja" import options, certbot_dir with context %}
+
+# -------------------------------------------------------------
+# Base configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ dirs.etc }}/nginx/nginx.conf:
+ file.managed:
+ - source: salt://roles/webserver-core/nginx/files/nginx.conf
+ - template: jinja
+ - context:
+ nginx_dir: {{ dirs.etc }}/nginx
+ nginx_options: {{ options }}
# -------------------------------------------------------------
# includes folder
@@ -20,6 +33,39 @@
- source: salt://roles/webserver-core/nginx/files/includes
- dir_mode: 755
- file_mode: 644
+ - template: jinja
+ - context:
+ nginx_dir: {{ dirs.etc }}/nginx
+ nginx_options: {{ options }}
+ certbot_dir: {{ certbot_dir }}
+
+# -------------------------------------------------------------
+# Parameters for Diffie-Hellman
+#
+# Some ciphers still require DH exchange. They contain "DHE" in
+# the name, e.g. DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+webserver_core_nginx_dh:
+ cmd.run:
+ - name: openssl dhparam -out {{ dirs.etc }}/nginx/dhparams.pem 4096
+ - creates: {{ dirs.etc }}/nginx/dhparams.pem
+
+# -------------------------------------------------------------
+# OCSP - Online Certificate Status Protocol
+#
+# To allow nginx to verify TLS certificate presented by CA
+# when it makes requests to the CRL, a bundle of CA certificates
+# should be available.
+#
+# To generate the bundle file on this repository, use `make`.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/usr/local/share/certs/ocsp-ca-certs.pem:
+ file.managed:
+ - source: salt://roles/webserver-core/nginx/files/ocsp-ca-certs.pem
+ - makedirs: True
+ - mode: 644
# -------------------------------------------------------------
# vhost folder
diff --git a/roles/webserver-legacy/nginx/files/includes/cors-open b/roles/webserver-core/nginx/files/includes/cors-open
rename from roles/webserver-legacy/nginx/files/includes/cors-open
rename to roles/webserver-core/nginx/files/includes/cors-open
--- a/roles/webserver-legacy/nginx/files/includes/cors-open
+++ b/roles/webserver-core/nginx/files/includes/cors-open
@@ -1,12 +1,12 @@
# -------------------------------------------------------------
-# Configuration for Nasqueron web sites
+# nginx :: configuration :: CORS :: open policy
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Description: nginx CORS configuration
# Reference: Michiel Kalkman, "Wide open nginx CORS configuration",
# https://michielkalkman.com/snippets/nginx-cors-open-configuration/
# License: Trivial work, not eligible for copyright.
-# Source file: roles/webserver-legacy/nginx/files/includes/cors-open
+# Source file: roles/webserver-core/nginx/files/includes/cors-open
# -------------------------------------------------------------
#
# <auto-generated>
diff --git a/roles/webserver-legacy/nginx/files/includes/cors-open-no-cache b/roles/webserver-core/nginx/files/includes/cors-open-no-cache
rename from roles/webserver-legacy/nginx/files/includes/cors-open-no-cache
rename to roles/webserver-core/nginx/files/includes/cors-open-no-cache
--- a/roles/webserver-legacy/nginx/files/includes/cors-open-no-cache
+++ b/roles/webserver-core/nginx/files/includes/cors-open-no-cache
@@ -1,12 +1,12 @@
# -------------------------------------------------------------
-# Configuration for Nasqueron web sites
+# nginx :: configuration :: CORS + no cache :: open policy
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Description: nginx CORS configuration
# Reference: Michiel Kalkman, "Wide open nginx CORS configuration",
# https://michielkalkman.com/snippets/nginx-cors-open-configuration/
# License: Trivial work, not eligible for copyright.
-# Source file: roles/webserver-legacy/nginx/files/includes/cors-open-no-cache
+# Source file: roles/webserver-core/nginx/files/includes/cors-open-no-cache
# -------------------------------------------------------------
#
# <auto-generated>
diff --git a/roles/webserver-core/nginx/files/includes/fastcgi_params b/roles/webserver-core/nginx/files/includes/fastcgi_params
--- a/roles/webserver-core/nginx/files/includes/fastcgi_params
+++ b/roles/webserver-core/nginx/files/includes/fastcgi_params
@@ -1,8 +1,6 @@
# -------------------------------------------------------------
-# Configuration for Nasqueron web sites
+# nginx :: configuration :: FastCGI
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Author: Sébastien Santoro aka Dereckson
-# Created: 2017-11-19
# Project: Nasqueron
# Description: nginx FastCGI configuration
# License: Trivial work, not eligible for copyright.
diff --git a/roles/webserver-core/nginx/files/includes/geo_nasqueron b/roles/webserver-core/nginx/files/includes/geo_nasqueron
new file mode 100644
--- /dev/null
+++ b/roles/webserver-core/nginx/files/includes/geo_nasqueron
@@ -0,0 +1,43 @@
+# -------------------------------------------------------------
+# nginx :: configuration :: geo :: Nasqueron servers
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Source file: roles/webserver-core/nginx/files/includes/geo_nasqueron
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+geo $nasqueron_server {
+ default 0;
+
+ # Dreadnought
+ 51.255.124.8/30 1;
+
+ # Ysul
+ 163.172.49.16 1;
+ 212.83.187.132 1;
+
+ # WindRiver
+ 51.159.18.59 1;
+
+ # CloudHugger
+ 188.165.200.229 1;
+
+ # Drake private network
+ 172.27.27.0/24 1;
+
+ # Docker containers
+ 172.17.0.0/16 1;
+ 172.18.0.0/16 1;
+ 172.21.0.0/16 1;
+}
+
+map $nasqueron_server $not_a_nasqueron_server {
+ default 0;
+ 0 1;
+}
diff --git a/roles/webserver-legacy/nginx/files/includes/letsencrypt b/roles/webserver-core/nginx/files/includes/letsencrypt
rename from roles/webserver-legacy/nginx/files/includes/letsencrypt
rename to roles/webserver-core/nginx/files/includes/letsencrypt
--- a/roles/webserver-legacy/nginx/files/includes/letsencrypt
+++ b/roles/webserver-core/nginx/files/includes/letsencrypt
@@ -1,11 +1,10 @@
# -------------------------------------------------------------
-# Configuration for Let's encrypt nginx
+# nginx :: configuration :: Let's Encrypt
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Author: Sébastien Santoro aka Dereckson
-# Created: 2016-01-05
+# Project: Nasqueron
# Description: Get SSL certificates from Let's encrypt
# License: Trivial work, not eligible for copyright.
-# Source file: roles/webserver-legacy/nginx/files/includes/letsencrypt
+# Source file: roles/webserver-core/nginx/files/includes/letsencrypt
# -------------------------------------------------------------
#
# <auto-generated>
@@ -16,6 +15,8 @@
# </auto-generated>
location /.well-known/acme-challenge {
+ allow all;
+
default_type text/plain;
- root /var/letsencrypt-auto;
+ root {{ certbot_dir }};
}
diff --git a/roles/paas-docker/nginx/files/includes/proxy_params b/roles/webserver-core/nginx/files/includes/proxy_params
rename from roles/paas-docker/nginx/files/includes/proxy_params
rename to roles/webserver-core/nginx/files/includes/proxy_params
--- a/roles/paas-docker/nginx/files/includes/proxy_params
+++ b/roles/webserver-core/nginx/files/includes/proxy_params
@@ -1,12 +1,10 @@
# -------------------------------------------------------------
-# Configuration for Nasqueron web sites
+# nginx :: configuration :: proxy
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Author: Sébastien Santoro aka Dereckson
-# Created: 2018-03-16
# Project: Nasqueron
# Description: nginx proxy configuration
# License: Trivial work, not eligible for copyright.
-# Source file: roles/paas-docker/nginx/files/includes/proxy_params
+# Source file: roles/webserver-core/nginx/files/includes/proxy_params
# -------------------------------------------------------------
#
# <auto-generated>
diff --git a/roles/webserver-core/nginx/files/includes/tls b/roles/webserver-core/nginx/files/includes/tls
--- a/roles/webserver-core/nginx/files/includes/tls
+++ b/roles/webserver-core/nginx/files/includes/tls
@@ -1,11 +1,20 @@
# -------------------------------------------------------------
-# Configuration for nginx TLS
+# nginx :: configuration :: TLS
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Author: Sébastien Santoro aka Dereckson
-# Created: 2016-01-05
+# Project: Nasqueron
+# Description: Compatible TLS configuration for most clients
+# Strategy: nginx 1.22.1, intermediate config, OpenSSL 1.1.1o
+# See also: https://ssl-config.mozilla.org/
# License: Trivial work, not eligible for copyright.
# Source file: roles/webserver-core/nginx/files/includes/tls
# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
listen 443 ssl http2;
listen [::]:443 ssl http2;
@@ -13,9 +22,45 @@
keepalive_timeout 70;
ssl_session_timeout 1d;
-ssl_session_cache shared:SSL:50m;
+ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
-ssl_protocols TLSv1.2;
-ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
-ssl_prefer_server_ciphers on;
+ssl_dhparam {{ nginx_dir }}/dhparam.pem;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# -------------------------------------------------------------
+# HSTS - HTTP Strict Transport Security
+#
+# As we provide a Let's Encrypt certificate for all our services,
+# browser should be instructed to connect directly to HTTPS.
+#
+# This is low risk, as the browser only honour this request
+# as soon as it successfully connected to HTTPS without any
+# certificate issue.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+# -------------------------------------------------------------
+# OCSP - Online Certificate Status Protocol
+#
+# To improve TLS handshake speed, and to help protecting the
+# privacy of the users connecting here, as there isn't any need
+# for them to connect to the CRL anymore, OSCP is enabled.
+#
+# The parameter `ssl_trusted_certificate` points to a bundle
+# of CA certificates, currently containing Let's Encrypt
+# intermediate and root certificates. If *any* certificate
+# is issued by another CA, their certificates must be added
+# to the bundle too.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_trusted_certificate /usr/local/share/certs/ocsp-ca-certs.pem
+
+resolver 127.0.0.1;
diff --git a/roles/paas-docker/nginx/files/nginx.conf b/roles/webserver-core/nginx/files/nginx.conf
rename from roles/paas-docker/nginx/files/nginx.conf
rename to roles/webserver-core/nginx/files/nginx.conf
--- a/roles/paas-docker/nginx/files/nginx.conf
+++ b/roles/webserver-core/nginx/files/nginx.conf
@@ -1,9 +1,8 @@
# -------------------------------------------------------------
-# Configuration for Docker PaaS front-end nginx
+# nginx :: configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Author: Sébastien Santoro aka Dereckson
-# Created: 2020-02-18
-# Source file: roles/paas-docker/nginx/files/nginx.conf
+# Project: Nasqueron
+# Source file: roles/webserver-core/nginx/files/nginx.conf
# -------------------------------------------------------------
#
# <auto-generated>
@@ -13,12 +12,13 @@
# and will be lost if the state is redeployed.
# </auto-generated>
-user nginx;
+user {{ nginx_options["www_user"] }} {{ nginx_options["www_group"] }};
worker_processes auto;
error_log /var/log/nginx/error.log;
-pid /run/nginx.pid;
-include /usr/share/nginx/modules/*.conf;
+{% if "pid_path" in nginx_options %}
+pid {{ nginx_options["pid_path"] }};
+{% endif %}
events {
worker_connections 1024;
@@ -42,7 +42,7 @@
server_names_hash_bucket_size 128;
include mime.types;
- default_type application/octet-stream;
+ default_type text/plain;
map $http_upgrade $connection_upgrade {
default upgrade;
@@ -50,9 +50,9 @@
}
# Base
- include /etc/nginx/vhosts/000-fallback.conf;
- include /etc/nginx/vhosts/001-server.conf;
+ include vhosts/000-fallback.conf;
+ include vhosts/001-server.conf;
- # Services hosted in containers
- include /etc/nginx/vhosts/*/*.conf;
+ # Services hosted
+ include vhosts/*/*.conf;
}
diff --git a/roles/webserver-core/nginx/files/ocsp-ca-certs.pem b/roles/webserver-core/nginx/files/ocsp-ca-certs.pem
new file mode 100644
--- /dev/null
+++ b/roles/webserver-core/nginx/files/ocsp-ca-certs.pem
@@ -0,0 +1,151 @@
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICxjCCAk2gAwIBAgIRALO93/inhFu86QOgQTWzSkUwCgYIKoZIzj0EAwMwTzEL
+MAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2VhcmNo
+IEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDIwHhcNMjAwOTA0MDAwMDAwWhcN
+MjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3MgRW5j
+cnlwdDELMAkGA1UEAxMCRTEwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAQkXC2iKv0c
+S6Zdl3MnMayyoGli72XoprDwrEuf/xwLcA/TmC9N/A8AmzfwdAVXMpcuBe8qQyWj
++240JxP2T35p0wKZXuskR5LBJJvmsSGPwSSB/GjMH2m6WPUZIvd0xhajggEIMIIB
+BDAOBgNVHQ8BAf8EBAMCAYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMB
+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFFrz7Sv8NsI3eblSMOpUb89V
+yy6sMB8GA1UdIwQYMBaAFHxClq7eS0g7+pL4nozPbYupcjeVMDIGCCsGAQUFBwEB
+BCYwJDAiBggrBgEFBQcwAoYWaHR0cDovL3gyLmkubGVuY3Iub3JnLzAnBgNVHR8E
+IDAeMBygGqAYhhZodHRwOi8veDIuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYG
+Z4EMAQIBMA0GCysGAQQBgt8TAQEBMAoGCCqGSM49BAMDA2cAMGQCMHt01VITjWH+
+Dbo/AwCd89eYhNlXLr3pD5xcSAQh8suzYHKOl9YST8pE9kLJ03uGqQIwWrGxtO3q
+YJkgsTgDyj2gJrjubi1K9sZmHzOa25JK1fUpE8ZwYii6I4zPPS/Lgul/
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAIp5IlCr5SxSbO7Pf8lC3WIwDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQCzKNx3KdPnkb7ztwoAx/vyVQslImNTNq/pCCDfDa8oPs3Gq1e2naQlGaXS
+Mm1Jpgi5xy+hm5PFIEBrhDEgoo4wYCVg79kaiT8faXGy2uo/c0HEkG9m/X2eWNh3
+z81ZdUTJoQp7nz8bDjpmb7Z1z4vLr53AcMX/0oIKr13N4uichZSk5gA16H5OOYHH
+IYlgd+odlvKLg3tHxG0ywFJ+Ix5FtXHuo+8XwgOpk4nd9Z/buvHa4H6Xh3GBHhqC
+VuQ+fBiiCOUWX6j6qOBIUU0YFKAMo+W2yrO1VRJrcsdafzuM+efZ0Y4STTMzAyrx
+E+FCPMIuWWAubeAHRzNl39Jnyk2FAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFDadPuCxQPYnLHy/jZ0xivZUpkYmMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCJbu5CalWO+H+Az0lmIG14DXmlYHQE
+k26umjuCyioWs2icOlZznPTcZvbfq02YPHGTCu3ctggVDULJ+fwOxKekzIqeyLNk
+p8dyFwSAr23DYBIVeXDpxHhShvv0MLJzqqDFBTHYe1X5X2Y7oogy+UDJxV2N24/g
+Z8lxG4Vr2/VEfUOrw4Tosl5Z+1uzOdvTyBcxD/E5rGgTLczmulctHy3IMTmdTFr0
+FnU0/HMQoquWQuODhFqzMqNcsdbjANUBwOEQrKI8Sy6+b84kHP7PtO+S4Ik8R2k7
+ZeMlE1JmxBi/PZU860YlwT8/qOYToCHVyDjhv8qutbf2QnUl3SV86th2I1QQE14s
+0y7CdAHcHkw3sAEeYGkwCA74MO+VFtnYbf9B2JBOhyyWb5087rGzitu5MTAW41X9
+DwTeXEg+a24tAeht+Y1MionHUwa4j7FB/trN3Fnb/r90+4P66ZETVIEcjseUSMHO
+w6yqv10/H/dw/8r2EDUincBBX3o9DL3SadqragkKy96HtMiLcqMMGAPm0gti1b6f
+bnvOdr0mrIVIKX5nzOeGZORaYLoSD4C8qvFT7U+Um6DMo36cVDNsPmkF575/s3C2
+CxGiCPQqVxPgfNSh+2CPd2Xv04lNeuw6gG89DlOhHuoFKRlmPnom+gwqhz3ZXMfz
+TfmvjrBokzCICA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICxjCCAkygAwIBAgIQTtI99q9+x/mwxHJv+VEqdzAKBggqhkjOPQQDAzBPMQsw
+CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg
+R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw0y
+NTA5MTUxNjAwMDBaMDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNy
+eXB0MQswCQYDVQQDEwJFMjB2MBAGByqGSM49AgEGBSuBBAAiA2IABCOaLO3lixmN
+YVWex+ZVYOiTLgi0SgNWtU4hufk50VU4Zp/LbBVDxCsnsI7vuf4xp4Cu+ETNggGE
+yBqJ3j8iUwe5Yt/qfSrRf1/D5R58duaJ+IvLRXeASRqEL+VkDXrW3qOCAQgwggEE
+MA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEw
+EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHQ4EFgQUbZkq9U0C6+MRwWC6km+NPS7x
+6kQwHwYDVR0jBBgwFoAUfEKWrt5LSDv6kviejM9ti6lyN5UwMgYIKwYBBQUHAQEE
+JjAkMCIGCCsGAQUFBzAChhZodHRwOi8veDIuaS5sZW5jci5vcmcvMCcGA1UdHwQg
+MB4wHKAaoBiGFmh0dHA6Ly94Mi5jLmxlbmNyLm9yZy8wIgYDVR0gBBswGTAIBgZn
+gQwBAgEwDQYLKwYBBAGC3xMBAQEwCgYIKoZIzj0EAwMDaAAwZQIxAPJCN9qpyDmZ
+tX8K3m8UYQvK51BrXclM6WfrdeZlUBKyhTXUmFAtJw4X6A0x9mQFPAIwJa/No+KQ
+UAM1u34E36neL/Zba7ombkIOchSgx1iVxzqtFWGddgoG+tppRPWhuhhn
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/
+MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
+DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC
+ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL
+wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D
+LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK
+4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5
+bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y
+sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ
+Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4
+FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc
+SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql
+PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND
+TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw
+SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1
+c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx
++tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB
+ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu
+b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E
+U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu
+MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC
+5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW
+9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG
+WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O
+he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC
+Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIEYDCCAkigAwIBAgIQB55JKIY3b9QISMI/xjHkYzANBgkqhkiG9w0BAQsFADBP
+MQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFy
+Y2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMTAeFw0yMDA5MDQwMDAwMDBa
+Fw0yNTA5MTUxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5l
+dCBTZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgy
+MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0H
+ttwW+1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7
+AlF9ItgKbppbd9/w+kHsOdx1ymgHDB/qo4HlMIHiMA4GA1UdDwEB/wQEAwIBBjAP
+BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBR8Qpau3ktIO/qS+J6Mz22LqXI3lTAf
+BgNVHSMEGDAWgBR5tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcBAQQmMCQw
+IgYIKwYBBQUHMAKGFmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wJwYDVR0fBCAwHjAc
+oBqgGIYWaHR0cDovL3gxLmMubGVuY3Iub3JnLzAiBgNVHSAEGzAZMAgGBmeBDAEC
+ATANBgsrBgEEAYLfEwEBATANBgkqhkiG9w0BAQsFAAOCAgEAG38lK5B6CHYAdxjh
+wy6KNkxBfr8XS+Mw11sMfpyWmG97sGjAJETM4vL80erb0p8B+RdNDJ1V/aWtbdIv
+P0tywC6uc8clFlfCPhWt4DHRCoSEbGJ4QjEiRhrtekC/lxaBRHfKbHtdIVwH8hGR
+Ib/hL8Lvbv0FIOS093nzLbs3KvDGsaysUfUfs1oeZs5YBxg4f3GpPIO617yCnpp2
+D56wKf3L84kHSBv+q5MuFCENX6+Ot1SrXQ7UW0xx0JLqPaM2m3wf4DtVudhTU8yD
+ZrtK3IEGABiL9LPXSLETQbnEtp7PLHeOQiALgH6fxatI27xvBI1sRikCDXCKHfES
+c7ZGJEKeKhcY46zHmMJyzG0tdm3dLCsmlqXPIQgb5dovy++fc5Ou+DZfR4+XKM6r
+4pgmmIv97igyIintTJUJxCD6B+GGLET2gUfA5GIy7R3YPEiIlsNekbave1mk7uOG
+nMeIWMooKmZVm4WAuR3YQCvJHBM8qevemcIWQPb1pK4qJWxSuscETLQyu/w4XKAM
+YXtX7HdOUM+vBqIPN4zhDtLTLxq9nHE+zOH40aijvQT2GcD5hq/1DhqqlWvvykdx
+S2McTZbbVSMKnQ+BdaDmQPVkRgNuzvpqfQbspDQGdNpT2Lm4xiN9qfgqLaSCpi4t
+EcrmzTFYeYXmchynn9NM0GbQp7s=
+-----END CERTIFICATE-----
diff --git a/roles/webserver-core/nginx/init.sls b/roles/webserver-core/nginx/init.sls
--- a/roles/webserver-core/nginx/init.sls
+++ b/roles/webserver-core/nginx/init.sls
@@ -7,3 +7,4 @@
include:
- .software
+ - .config
diff --git a/utils/generate-ocsp-bundle.sh b/utils/generate-ocsp-bundle.sh
new file mode 100755
--- /dev/null
+++ b/utils/generate-ocsp-bundle.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# -------------------------------------------------------------
+# rOPS — generate OCSP bundle with CA certificates
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+# -------------------------------------------------------------
+# Let's encrypt
+#
+# Active certificates:
+# - Let’s Encrypt R3 - signed by ISRG Root X1
+# - Let’s Encrypt E1 - signed by ISRG Root X2
+#
+# Disaster recovery certificates:
+# - Let’s Encrypt R4 - signed by ISRG Root X1
+# - Let’s Encrypt E2 - signed by ISRG Root X2
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+curl -sS https://letsencrypt.org/certs/lets-encrypt-r3.pem
+curl -sS https://letsencrypt.org/certs/lets-encrypt-e1.pem
+
+curl -sS https://letsencrypt.org/certs/lets-encrypt-r4.pem
+curl -sS https://letsencrypt.org/certs/lets-encrypt-e2.pem
+
+curl -sS https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem
+curl -sS https://letsencrypt.org/certs/isrg-root-x2-cross-signed.pem

File Metadata

Mime Type
text/plain
Expires
Mon, Nov 18, 01:26 (20 h, 26 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2250039
Default Alt Text
D2999.id7657.diff (39 KB)

Event Timeline