Salt state for setting up Let's Encrypt with Nginx

lets-encrypt-nginx.sls

nginx:
  pkg.installed: []
  service.running:
  - reload: true

# SSL setup via letsencrypt, based on the following article:
# https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
letsencrypt:
  pkg.installed: []

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048:
  cmd.run:
  - creates: /etc/ssl/certs/dhparam.pem

/etc/nginx/snippets/letsencrypt-wellknown.conf:
  file.managed:
  - watch_in:
    - service: nginx
  - contents: |
      location ~ /.well-known {
          allow all;
          root /var/www/html;
      }

/etc/nginx/snippets/ssl-params.conf:
  file.managed:
  - watch_in:
    - service: nginx
  - contents: |
      # from https://cipherli.st/
      # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_prefer_server_ciphers on;
      ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
      ssl_ecdh_curve secp384r1;
      ssl_session_cache shared:SSL:10m;
      ssl_session_tickets off;
      ssl_stapling on;
      ssl_stapling_verify on;
      resolver 8.8.8.8 8.8.4.4 valid=300s;
      resolver_timeout 5s;
      # Disable preloading HSTS for now.  You can use the commented out header line that includes
      # the "preload" directive if you understand the implications.
      #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
      add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
      add_header X-Frame-Options DENY;
      add_header X-Content-Type-Options nosniff;

      ssl_dhparam /etc/ssl/certs/dhparam.pem;

letsencrypt-renewal-crontab:
  cron.present:
  - name: /usr/bin/letsencrypt renew >> /var/log/letsencrypt-renew.log
  - user: root
  - identifier: letsencrypt-renewal
  - minute: 10
  - hour: 8
  - daymonth: "*"
  - month: "*"
  - dayweek: 1

nginx-reload-crontab:
  cron.present:
  - name: /bin/systemctl reload nginx
  - user: root
  - identifier: nginx-reload
  - minute: 15
  - hour: 8
  - daymonth: "*"
  - month: "*"
  - dayweek: 1

sample-vhost.sls

{% set server_name = 'test.example.com' %}

# SSL configuration snippet
/etc/nginx/snippets/ssl-{{ server_name }}.conf:
  file.managed:
  - watch_in:
    - service: nginx
  - contents: |
      ssl_certificate /etc/letsencrypt/live/{{ server_name }}/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/{{ server_name }}/privkey.pem;


# Sample virtual host configuration
/etc/nginx/conf.d/example.conf
  file.managed:
  - requires:
    - pkg: nginx
  - watch_in:
    - service: nginx

  - contents: |
      # [Managed by SaltStack]
      #
      # To edit, update <nginx.example-server> state.
      #
      server {
          listen 80;
          listen [::]:80;
          server_name {{ server_name }}
          include snippets/letsencrypt-wellknown.conf;
      
          return 301 https://$server_name$request_uri;
      }

      server {
          listen 443 ssl;
          listen [::]:443 ssl;
          server_name {{ server_name }}
      
          include snippets/letsencrypt-wellknown.conf;
          include snippets/ssl-{{ server_name }}.conf;
          include snippets/ssl-params.conf;
      
          location / {
            # ... 
          }
      }