move the pythonexpress domain files

Author: vigneshsarma

Vagrantfile

@@ -27,7 +27,7 @@ Vagrant.configure(2) do |config|
 
   config.vm.define "wye" do |machine|
     machine.vm.network "forwarded_port", guest: 80, host: 8082
-    machine.vm.hostname = "pythonexpress.in"
+    machine.vm.hostname = "pythonexpress.org"
   end
 
   config.vm.provision "shell",

salt/roots/pythonexpress/beta.pythonexpress.in.conf

@@ -0,0 +1,12 @@
+server {
+    listen 80;
+
+    server_name beta.pythonexpress.org www.pythonexpress.org;
+    location /.well-known/acme-challenge/ {
+        root /var/www/html/pythonexpress.org/;
+    }
+
+    location / {
+        rewrite ^/(.*) https://pythonexpress.org/$1 permanent;
+    }
+}

salt/roots/pythonexpress/init.sls

@@ -0,0 +1,55 @@
+{% set ssl = pillar['pythonexpress']['ssl'] %}
+
+/var/www/html/pythonexpress.org/:
+  file.directory
+
+/etc/nginx/sites-available/pythonexpress.org.conf:
+  file.managed:
+    - source: salt://pythonexpressin/pythonexpress.org.conf
+    - template: jinja
+    - require:
+        - file: nginx_config_folders
+    - defaults:
+      ssl: {{ ssl }}
+
+/etc/nginx/sites-available/beta.pythonexpress.in.conf:
+  file.managed:
+    - source: salt://pythonexpressin/beta.pythonexpress.in.conf
+    - template: jinja
+    - require:
+        - file: nginx_config_folders
+
+/etc/nginx/sites-enabled/pythonexpress.org.conf:
+  file.symlink:
+    - target: /etc/nginx/sites-available/pythonexpress.org.conf
+    - require:
+        - file: /etc/nginx/sites-available/pythonexpress.org.conf
+
+/etc/nginx/sites-enabled/beta.pythonexpress.in.conf:
+  file.symlink:
+    - target: /etc/nginx/sites-available/beta.pythonexpress.in.conf
+    - require:
+        - file: /etc/nginx/sites-available/beta.pythonexpress.in.conf
+
+nginx_pythonexpress_dir:
+  file.directory:
+    - names:
+        - /etc/nginx/sites-available/pythonexpress.org/
+        - /etc/nginx/sites-available/pythonexpress.org/upstreams/
+    - require:
+        - file: nginx_config_folders
+
+{% if ssl['on'] %}
+/etc/ssl/pythonexpress.org.crt:
+  file.managed:
+    - contents_pillar: pythonexpress:ssl:cert
+
+/etc/ssl/pythonexpress.org.key:
+  file.managed:
+    - contents_pillar: pythonexpress:ssl:key
+
+/etc/nginx/sites-available/pythonexpress.org.with_ssl.conf:
+  file.managed:
+    - source: salt://pythonexpressin/pythonexpress.org.with_ssl.conf
+
+{% endif %}

salt/roots/pythonexpress/pythonexpress.org.conf

@@ -0,0 +1,45 @@
+include /etc/nginx/sites-available/pythonexpress.org/upstreams/*.conf;
+
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=old:60m;
+server_tokens off;
+
+server {
+    listen 80;
+
+    # deny illegal host headers
+    if ($host !~* ^(pythonexpress.org|www.pythonexpress.org)$ ) {
+       return 444;
+    }
+
+    server_name pythonexpress.org;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/html/pythonexpress.org/;
+    }
+
+    location = /robots.txt {
+        return 200 "User-agent: * Disallow:";
+    }
+
+    # {% if not ssl['on'] %}
+    # include /etc/nginx/sites-available/pythonexpress.org/*.conf;
+    # {% else %}
+    # location / {
+    #     rewrite ^/(.*) https://pythonexpress.org/$1 permanent;
+    # }
+    # {% endif %}
+}
+
+{% if ssl['on'] %}
+server {
+    include /etc/nginx/sites-available/pythonexpress.org.with_ssl.conf;
+
+    server_name pythonexpress.org;
+
+    location = /robots.txt {
+        return 200 "User-agent: * Disallow:";
+    }
+
+    include /etc/nginx/sites-available/pythonexpress.org/*.conf;
+}
+{% endif %}

salt/roots/pythonexpress/pythonexpress.org.with_ssl.conf

@@ -0,0 +1,30 @@
+listen 443 ssl;
+
+# deny illegal host headers
+if ($host !~* ^(pythonexpress.org|www.pythonexpress.org)$ ) {
+   return 444;
+}
+
+# force https-redirects
+if ($scheme = http) {
+    rewrite ^(.*) https://$server_name$1 permanent;
+}
+
+ssl_certificate /etc/ssl/pythonexpress.org.crt;
+ssl_certificate_key /etc/ssl/pythonexpress.org.key;
+
+# Recomended settings form
+# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:SSL:10m;
+
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.4.4 8.8.8.8 valid=300s;
+resolver_timeout 10s;
+
+#add_header Strict-Transport-Security max-age=63072000;
+add_header X-Content-Type-Options nosniff;