Create version 0.1.0 of the cookbook.

 ---
 driver:
   name: ec2
+  aws_ssh_key_id: cfe_stg_20160222
+  security_group_ids: ["sg-7f6fda18"]
+  region: us-west-2
+  availability_zone: b
+  subnet_id: subnet-d530d8b1
+  instance_type: t2.micro
+  associate_public_ip: true
+  require_chef_omnibus: true
+  shared_credentials_profile: earth
 
 provisioner:
   name: chef_solo
 
 platforms:
   - name: ubuntu-14.04
-  - name: centos-7.1
+    driver:
+      image_id: ami-3d2cce5d
+    transport:
+      username: ubuntu
+      ssh_key: ~/.ssh/cfe_stg_20160222.pem
 
 suites:
   - name: default

-Copyright (C) 2016 YOUR_NAME
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
 
-All rights reserved - Do Not Redistribute
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "{}"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2016 Chromedia Far East, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

 # cfe-nginx-php-fpm-cookbook
 
-TODO: Enter the cookbook description here.
+Installs PHP5-FPM, Nginx, Postfix, and MariaDB client on a server. Also sets up webserver configs for all virtual servers, including TLS and basic auth.
+
+Can also auto-generate config files for certain site types, such as Wordpress, etc. (right now it's just Wordpress).
 
 ## Supported Platforms
 
-TODO: List your supported platforms.
+Ubuntu 14.04
 
 ## Attributes
 
@@ -16,11 +18,47 @@ TODO: List your supported platforms.
     <th>Default</th>
   </tr>
   <tr>
-    <td><tt>['cfe-nginx-php-fpm']['bacon']</tt></td>
+    <td><tt>['cfe-nginx-php-fpm']['php_fastcgi_socket']</tt></td>
+    <td>String</td>
+    <td>The socket used by PHP-FPM. Set to boolean false to disable PHP-FPM.</td>
+    <td><tt>'127.0.0.1:9000'</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-nginx-php-fpm']['postfix']['email_domain']</tt></td>
+    <td>String</td>
+    <td>Email domain to be used by Postfix.</td>
+    <td><tt>''</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-nginx-php-fpm']['nginx']['restriction_file']['log_robots']</tt></td>
+    <td>Boolean</td>
+    <td>Whether to log crawler access in Nginx.</td>
+    <td><tt>false</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-nginx-php-fpm']['nginx']['restriction_file']['log_hidden']</tt></td>
     <td>Boolean</td>
-    <td>whether to include bacon</td>
+    <td>Whether to log attempted accesses to hidden files/folders in Nginx.</td>
     <td><tt>true</tt></td>
   </tr>
+  <tr>
+    <td><tt>['cfe-nginx-php-fpm']['nginx']['restriction_file']['log_static']</tt></td>
+    <td>Boolean</td>
+    <td>Whether to log accesses to static files in Nginx.</td>
+    <td><tt>false</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-nginx-php-fpm']['nginx']['restriction_file']['static_types']</tt></td>
+    <td>Array</td>
+    <td>An array of strings denoting the file extensions of what will be considered static files by Nginx with regards to logging (see previous attribute).</td>
+    <td><tt>(see default attribute file)</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['cfe-nginx-php-fpm']['nginx']['sites']</tt></td>
+    <td>Array/Hash</td>
+    <td>Values that define the virtual servers to be hosted by Nginx.</td>
+    <td><tt>(see default attribute file)</tt></td>
+  </tr>
 </table>
 
 ## Usage
@@ -32,11 +70,11 @@ Include `cfe-nginx-php-fpm` in your node's `run_list`:
 ```json
 {
   "run_list": [
-    "recipe[cfe-nginx-php-fpm::default]"
+    "recipe[cfe-nginx-php-fpm]"
   ]
 }
 ```
 
 ## License and Authors
 
-Author:: YOUR_NAME (<YOUR_EMAIL>)
+Author:: Earth U. (<sysadmin@chromedia.com>)

+#
+# Author:: Earth U (<sysadmin@chromedia.com>)
+# Cookbook Name:: cfe-nginx-php-fpm
+# Attribute:: default
+#
+# Copyright 2016, Chromedia Far East, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# The socket used PHP-FPM. If false, fastcgi is not used.
+# Examples:
+#   '127.0.0.1:9000'
+#   '/var/run/php-fpm.sock'
+#   false
+default['cfe-nginx-php-fpm']['php_fastcgi_socket'] = '127.0.0.1:9000'
+
+# Setting 'update_cacert' to true will get the latest cacert from
+# http://curl.haxx.se/ca/cacert.pem and use that as CAFile for postfix.
+default['cfe-nginx-php-fpm']['postfix']['update_cacert'] = true
+default['cfe-nginx-php-fpm']['postfix']['email_domain']  = 'example.com'
+
+# If your php-fpm pool is not named 'www', then delete
+# the default one 'www' automatically installed by php-fpm
+default['cfe-nginx-php-fpm']['php-fpm']['delete_pool_www'] = true
+
+default['cfe-nginx-php-fpm']['nginx']['inc_dir'] =
+  "#{node['nginx']['dir']}/sites-available/include"
+default['cfe-nginx-php-fpm']['nginx']['priv_dir'] =
+  "#{node['nginx']['dir']}/private"
+
+default['cfe-nginx-php-fpm']['nginx']['restriction_file']['log_robots']   = false
+default['cfe-nginx-php-fpm']['nginx']['restriction_file']['log_hidden']   = true
+default['cfe-nginx-php-fpm']['nginx']['restriction_file']['log_static']   = false
+default['cfe-nginx-php-fpm']['nginx']['restriction_file']['static_types'] = %w{
+  js css ogg ogv svg svgz eot otf woff mp4 ttf rss atom
+  jpg jpeg gif png ico zip tgz gz rar bz2
+  doc xls exe ppt tar mid midi wav bmp rtf
+}
+
+default['cfe-nginx-php-fpm']['nginx']['sites'] = [
+  {
+    :server_name => 'example.com',
+    :aliases => ['www.example.com'],
+    :doc_root => '/var/www/example.com',
+    :index => 'index.php',
+
+    # Access log options as one long string. Default: false
+    #:access_log_options => '<some options>'
+
+    # Whether to include a default virtual server named '_' or not.
+    # If there is more than one server given in this 'sites' array,
+    # 'catch_all' value will always be overriden to 'false'.
+    # Default: true
+    #:catch_all => true
+
+    # Necessary values for SSL/TLS setup. Default: :ssl => false
+    #:ssl => {
+    #  :cert => '[contents of chain cert here]',
+    #  :key => '[contents of cert private key here]',
+    #  :dh_modulus => 2048,
+    #  :self_signed => false,
+    #  :hsts_max_age => '15758000',
+    #  :hsts_include_subdomains => true
+    #}
+
+    # Necessary values for Basic Auth setup. Default: :auth => false
+    #:auth => {
+    #  :msg => 'Restricted Area. Please authenticate.',
+    #  :users => {
+    #    'example_user' => 'secretpassword123'
+    #  }
+    #}
+
+    # An array of strings that will be included as statements in the main
+    # nginx config file for this server. Default: []
+    #:custom_statements => []
+
+    # Enumerates the different site types this server supports.
+    # Possible elements of :types are (only :type is mandatory):
+    #   {
+    #     :type => 'basic',
+    #     :subpath => ''
+    #   }
+    #   {
+    #     :type => 'wordpress',
+    #     :subpath => '',
+    #     :fastcgi_intercept_errors => false,
+    #     :loginpage_statements => [] # An array of strings to be 
+    #                                 # written on the config for the
+    #                                 # /wp-login.php and /wp-admin pages.
+    #   }
+    :types => [ { :type => 'basic' } ]
+  }
+]
+
+#
+# php-fpm cookbook
+#
+default['php-fpm']['user']  = node['nginx']['user']
+default['php-fpm']['group'] = node['nginx']['group']
+
+default['php-fpm']['skip_repository_install'] = true
+default['php-fpm']['pools'] = [
+  # Most likely, just use one pool for all PHP needs.
+  # (But there are exceptions, of course)
+  {
+    :name   => 'example_pool',
+    :enable => true,
+    :listen => node['cfe-nginx-php-fpm']['php_fastcgi_socket'],
+
+    :user   => node['nginx']['user'],
+    :group  => node['nginx']['group'],
+
+    :max_requests => 500,
+    :max_children => 50,
+
+    :access_log           => false,
+    :catch_workers_output => 'no',
+    #:access_log           => true,
+    #:catch_workers_output => 'yes',
+
+    :process_manager => value_for_platform(
+      'ubuntu' => {
+        '10.04' => 'dynamic'
+      },
+      'default' => 'ondemand'
+    ),
+
+    # Only used if process_manager is 'dynamic':
+    :start_servers     => 5,
+    :min_spare_servers => 5,
+    :max_spare_servers => 35,
+
+    :php_options => {
+      'php_admin_value[cgi.fix_pathinfo]' => '0',
+      'php_admin_value[expose_php]'       => 'Off',
+      'php_value[upload_max_filesize]'    => '5M',
+      'php_value[post_max_size]'          => '10M'
+    }
+  }
+]
+
+#
+# mariadb cookbook
+#
+default['mariadb']['install']['type']    = 'package'
+default['mariadb']['install']['version'] = '5.5'
+
+#
+# postfix cookbook
+#
+default['postfix']['main']['myorigin'] = '$mydomain'
+default['postfix']['main']['myhostname'] =
+  node['cfe-nginx-php-fpm']['postfix']['email_domain']
+default['postfix']['main']['mydomain'] =
+  node['cfe-nginx-php-fpm']['postfix']['email_domain']
+default['postfix']['main']['mydestination'] =
+  ['localhost.localdomain', 'localhost']
+
+#
+# nginx cookbook
+#
+default['nginx']['version']              = '1.9.14'
+default['nginx']['install_method']       = 'package'
+default['nginx']['package_name']         = 'nginx'
+default['nginx']['repo_source']          = 'nginx'
+default['nginx']['upstream_repository']  =
+  'http://nginx.org/packages/mainline/ubuntu'
+# Set pid file initially in accordance with Ubuntu 14.04 
+# nginx package's pid file. Otherwise, it fails to restart.
+default['nginx']['pid']                  = '/var/run/nginx.pid'
+default['nginx']['default_site_enabled'] = false
+default['nginx']['client_max_body_size'] = '10m'
+default['nginx']['event']                = 'epoll'
+default['nginx']['worker_processes']     = 'auto'
+default['nginx']['worker_connections']   = 1_024
+default['nginx']['keepalive_timeout']    = 15
+default['nginx']['keepalive_requests']   = 200
+default['nginx']['disable_access_log']   = false
+default['nginx']['server_tokens']        = 'off'
+default['nginx']['gzip_comp_level']      = '5'
+default['nginx']['extra_configs']        = {
+  'reset_timedout_connection' => 'on'
+}

+#
+# Author:: Earth U (<sysadmin@chromedia.com>)
+# Cookbook Name:: cfe-nginx-php-fpm
+# Definition:: php_ext
+#
+# Copyright 2016, Chromedia Far East, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# Install a PHP extension
+
+define :php_ext, :action => :install do
+  # Update these lists as needed.
+  rhel_only = [
+    'xml',
+    'mbstring'
+  ]
+  debian_enmod_required = [
+    'mcrypt'
+  ]
+
+  case node['platform_family']
+  when 'rhel', 'fedora'
+    package "php-#{params[:name]}" do
+      action params[:action]
+    end
+
+  when 'debian'
+    unless rhel_only.include?(params[:name])
+      package "php5-#{params[:name]}" do
+        action params[:action]
+      end
+
+      if debian_enmod_required.include?(params[:name])
+        execute "php5enmod #{params[:name]}" do
+          notifies :restart, 'service[php-fpm]', :immediately
+        end
+      end
+    end
+  end
+end

 name             'cfe-nginx-php-fpm'
-maintainer       'YOUR_NAME'
-maintainer_email 'YOUR_EMAIL'
-license          'All rights reserved'
-description      'Installs/Configures cfe-nginx-php-fpm'
-long_description 'Installs/Configures cfe-nginx-php-fpm'
+maintainer       'Chromedia Far East, Inc.'
+maintainer_email 'sysadmin@chromedia.com'
+license          'Apache License'
+description      'Simplifies setup of Nginx+PHP-FPM in Chromedia.'
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version          '0.1.0'
+
+{
+  'php-fpm' => '0.7.5',
+  'mariadb' => '0.2.12',
+  'postfix' => '3.6.2',
+  'nginx'   => '2.7.6'
+}.each { |cb, ver| depends cb, '~> ' + ver }
+
+supports 'ubuntu', '>= 14.04'

 #
+# Author:: Earth U (<sysadmin@chromedia.com>)
 # Cookbook Name:: cfe-nginx-php-fpm
 # Recipe:: default
 #
-# Copyright (C) 2016 YOUR_NAME
+# Copyright 2016, Chromedia Far East, Inc.
 #
-# All rights reserved - Do Not Redistribute
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 #

+#
+# Author:: Earth U (<sysadmin@chromedia.com>)
+# Cookbook Name:: cfe-nginx-php-fpm
+# Recipe:: mariadb_client
+#
+# Copyright 2016, Chromedia Far East, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe 'mariadb::client'

+#
+# Author:: Earth U (<sysadmin@chromedia.com>)
+# Cookbook Name:: cfe-nginx-php-fpm
+# Recipe:: nginx
+#
+# Copyright 2016, Chromedia Far East, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe 'nginx'
+
+attribs  = node['cfe-nginx-php-fpm']['nginx']
+inc_dir  = attribs['inc_dir']
+priv_dir = attribs['priv_dir']
+
+[ inc_dir, priv_dir ].each do |ndir|
+  directory ndir do
+    recursive true
+  end
+end
+
+# The restrictions.conf file containing default rules for virtual servers.
+path_rest = "#{inc_dir}/restrictions.conf"
+template path_rest do
+  action :create_if_missing
+  mode   0644
+  variables(
+    :log_robots   => attribs['restriction_file']['log_robots'],
+    :log_hidden   => attribs['restriction_file']['log_hidden'],
+    :log_static   => attribs['restriction_file']['log_static'],
+    :static_types => attribs['restriction_file']['static_types']
+  )
+end
+
+# Some basic "include" files for PHP
+path_bpf = "#{inc_dir}/inc_basic_php_fastcgi"
+template path_bpf do
+  mode 0644
+  variables(
+    :socket => node['cfe-nginx-php-fpm']['php_fastcgi_socket']
+  )
+  only_if { node['cfe-nginx-php-fpm']['php_fastcgi_socket'] }
+end
+
+catch_all_def_false = attribs['sites'].length > 1
+
+attribs['sites'].each do |site|
+
+  if site.is_a?(Array)
+    site_sname = site[0]
+    site = site[1]
+  else
+    site_sname = site[:server_name]
+  end
+
+  site_index    = site[:index] || 'index.php'
+  site_aliases  = site[:aliases] || []
+  site_doc_root = site[:doc_root] || ''
+  site_index    = site[:index] || 'index.html'
+  site_ssl      = site[:ssl] || false
+  site_auth     = site[:auth] || false
+  site_alo      = site[:access_log_options] || false
+  site_cs       = site[:custom_statements] || []
+
+  site_types = ( site[:types] || [] ).uniq { |e| e[:type] }
+
+  temp_catch_all = site.has_key?(:catch_all) ? site[:catch_all] : true
+  site_catch_all = catch_all_def_false ? false : temp_catch_all
+
+  path_crt     = "#{priv_dir}/#{site_sname}.crt"
+  path_key     = "#{priv_dir}/#{site_sname}.key"
+  path_pass    = "#{priv_dir}/#{site_sname}.htpasswd"
+  path_dhparam = "#{priv_dir}/#{site_sname}.dhparam"
+
+  # If TLS/SSL is enabled, create necessary files
+  if site_ssl
+    if site_ssl[:cert].nil?
+      Chef::Log.error('Missing SSL certificate')
+      raise 'Missing SSL certificate'
+    end
+
+    if site_ssl[:key].nil?
+      Chef::Log.error('Missing SSL key file')
+      raise 'Missing SSL key file'
+    end
+
+    file path_crt do
+      mode      0644
+      content   site_ssl[:cert]
+      sensitive true
+      action    :create_if_missing
+    end
+
+    file path_key do
+      mode      0644
+      content   site_ssl[:key]
+      sensitive true
+      action    :create_if_missing
+    end
+
+    dh_modulus = site_ssl[:dh_modulus] || 2048
+    execute "openssl dhparam -out #{path_dhparam} #{dh_modulus}" do
+      not_if { ::File.exist?(path_dhparam) }
+    end
+  end
+
+  # If basic auth is enabled, create htaccess file
+  if site_auth
+    site_auth[:users].each do |auser, apass|
+      execute "Generate #{path_pass}" do
+        command   "printf \"#{auser}:"\
+                  "$( openssl passwd -apr1 '#{apass}' )"\
+                  "\\n\" >> #{path_pass}"
+        action    :run
+        sensitive true
+        not_if    { ::File.exist?(path_pass) }
+      end
+    end
+  end
+
+  site_includes = []
+
+  # Create necessary include files for each type of this site
+  site_types.each do |stype|
+    stype_subpath = stype[:subpath] || ''
+
+    case stype[:type]
+    # BASIC PHP SITE
+    when 'basic'
+      template "#{inc_dir}/inc_type_basic_#{site_sname}" do
+        source 'inc_type_basic.erb'
+        mode   0644
+        action :create_if_missing
+        variables(
+          :index             => site_index,
+          :subpath           => stype_subpath,
+          :basic_php_fastcgi => path_bpf
+        )
+      end
+      site_includes.push("#{inc_dir}/inc_type_basic_#{site_sname}")
+
+    # STANDARD WORDPRESS SITE
+    when 'wordpress'
+      template "#{inc_dir}/inc_type_wordpress_#{site_sname}" do
+        source 'inc_type_wordpress.erb'
+        mode   0644
+        action :create_if_missing
+        variables(
+          :index                    => site_index,
+          :subpath                  => stype_subpath,
+          :basic_php_fastcgi        => path_bpf,
+          :loginpage_statements     => stype[:loginpage_statements] || [],
+          :fastcgi_intercept_errors => stype[:fastcgi_intercept_errors] || false
+        )
+      end
+      site_includes.push("#{inc_dir}/inc_type_wordpress_#{site_sname}")
+
+    else
+      Chef::Log.error("Unknown site type: #{stype[:type]}")
+      raise 'Missing SSL key file'
+    end
+  end
+
+  # Create the main config file for this site
+  template "#{node['nginx']['dir']}/sites-available/#{site_sname}" do
+    source   'nginx_site.conf.erb'
+    action   :create_if_missing
+    mode     0644
+    notifies :restart, 'service[nginx]'
+    variables(
+      :server_name => site_sname,
+      :aliases     => site_aliases,
+      :doc_root    => site_doc_root,
+      :index       => site_index,
+      :ssl         => site_ssl,
+      :auth        => site_auth,
+
+      :access_log_options => site_alo,
+      :catch_all          => site_catch_all,
+
+      :path_crt     => path_crt,
+      :path_key     => path_key,
+      :path_pass    => path_pass,
+      :path_dhparam => path_dhparam,
+      :path_rest    => path_rest,
+
+      :includes          => site_includes,
+      :custom_statements => site_cs
+    )
+  end
+
+  nginx_site site_sname do
+    enable true
+  end
+end

+#
+# Author:: Earth U (<sysadmin@chromedia.com>)
+# Cookbook Name:: cfe-nginx-php-fpm
+# Recipe:: php-fpm
+#
+# Copyright 2016, Chromedia Far East, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package 'openssl'
+include_recipe 'php-fpm'
+
+# For Ubuntu 14.04 Upstart bug where PHP service does not respond
+# well to the reload command.
+# (Or maybe just delete /etc/init.d/php5-fpm?)
+if node['platform'] == 'ubuntu' and node['platform_version'].to_f == 14.04
+  file '/etc/init/php5-fpm.override' do
+    content "reload signal USR2\n"
+    action  :create_if_missing
+  end
+end
+
+if node['cfe-nginx-php-fpm']['php-fpm']['delete_pool_www']
+  www = "#{node['php-fpm']['pool_conf_dir']}/www.conf"
+  file 'delete_pool_www' do
+    path     www
+    action   :delete
+    only_if  { ::File.exist?(www) }
+    notifies :restart, 'service[php-fpm]'
+  end
+end
+
+# Some default PHP extensions
+php_ext 'mysql'
+php_ext 'cli'
+php_ext 'curl' do
+  action :upgrade
+end

+#
+# Author:: Earth U (<sysadmin@chromedia.com>)
+# Cookbook Name:: cfe-nginx-php-fpm
+# Recipe:: postfix
+#
+# Copyright 2016, Chromedia Far East, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe 'postfix'
+
+remote_file node['postfix']['cafile'] do
+  source  'http://curl.haxx.se/ca/cacert.pem'
+  action  :create
+  only_if { node['cfe-nginx-php-fpm']['postfix']['update_cacert'] }
+end

+# Generated by Chef
+#
+
+# No need to enable this if PHP and Nginx share the same filesystem
+#fastcgi_index index.php;
+
+# You should have "cgi.fix_pathinfo = 0;" in php.ini
+fastcgi_split_path_info ^(.+\.php)(/.+)$;
+include fastcgi_params;
+fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+
+<% socket = @socket[0] == '/' ? "unix:#{@socket}" : @socket -%>
+fastcgi_pass <%= socket %>;

+<%
+subp = @subpath ? @subpath.gsub(/^\/+|\/$|\s/, '') : ''
+subp = subp.length > 0 ? "#{subp}/" : subp
+-%>
+# Generated by Chef
+#
+# A basic PHP site config.
+
+# Pass all .php files onto a php-fpm/php-fcgi server.
+#location ~ [^/]\.php(/|$) {
+# Customized location directive to account for URL subpathing:
+location ~ ^/<%= subp %>.+\.php(/|$) {
+    try_files $uri =404;
+
+    # Enable only if implementing custom error pages
+    #fastcgi_intercept_errors on;
+
+    include <%= @basic_php_fastcgi %>;
+}
+
+location ~ ^/<%= subp %> {
+    try_files $uri $uri/ /<%= subp %><%= @index %>?$args;
+}

+<%
+subp = @subpath ? @subpath.gsub(/^\/+|\/$|\s/, '') : ''
+subp = subp.length > 0 ? "#{subp}/" : subp
+-%>
+# Generated by Chef
+#
+# WordPress single blog rules.
+# Designed to be included in any server {} block.
+
+# Add trailing slash to */wp-admin requests.
+rewrite /<%= subp %>wp-admin$ $scheme://$host$uri/ permanent;
+
+# Deny access to any files with a .php extension in the uploads directory
+# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
+location ~* /<%= subp %>(.+/)*(?:uploads|files)/.*\.php$ {
+    deny all;
+}
+
+<% if @loginpage_statements.length > 0 -%>
+location ~ ^/<%= subp %>(wp-admin|wp-login\.php) {
+<%   @loginpage_statements.each do |statement| -%>
+    <%= statement %>
+<%   end -%>
+
+    location ~ ^/<%= subp %>.+\.php(/|$) {
+        try_files $uri =404;
+
+<% if @fastcgi_intercept_errors -%>
+        # Enable if implementing custom error pages
+        fastcgi_intercept_errors on;
+
+<% end -%>
+        include <%= @basic_php_fastcgi %>;
+    }
+}
+
+<% end -%>
+# Pass all PHP files to the fastcgi proxy
+location ~ ^/<%= subp %>.+\.php(/|$) {
+    try_files $uri =404;
+
+<% if @fastcgi_intercept_errors -%>
+    # Enable if implementing custom error pages
+    fastcgi_intercept_errors on;
+
+<% end -%>
+    include <%= @basic_php_fastcgi %>;
+}
+
+location ~ ^/<%= subp %> {
+    try_files $uri $uri/ /<%= subp %><%= @index %>?$args;
+}

+# Generated by Chef
+#
+<% 
+servers = [@server_name]
+@aliases.each do |aname|
+  servers << aname
+end
+servers.uniq!
+
+if @catch_all
+-%>
+server {
+    listen      80 default_server;
+    server_name _;
+    return      444;
+}
+
+<%
+end
+if @ssl
+  if @catch_all
+-%>
+server {
+    listen      443 default_server;
+    server_name _;
+    return      444;
+}
+
+<%
+  end
+-%>
+server {
+    listen 80;
+    server_name <%= servers.join(' ') %>;
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 ssl;
+
+    ssl_certificate <%= @path_crt %>;
+    ssl_certificate_key <%= @path_key %>;
+<%   unless @ssl[:self_signed] -%>
+
+    # Modern cipher suite:
+    #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
+    # Medium compatibility cipher suite (compatible with IE7 WinXP):
+    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+    ssl_prefer_server_ciphers on;
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_session_cache shared:SSL:10m;
+    ssl_dhparam <%= @path_dhparam %>;
+<%   end -%>
+
+<%
+  hsts = "max-age=#{@ssl[:hsts_max_age]};"
+  hsts << 'includeSubDomains;' if @ssl[:hsts_include_subdomains]
+-%>
+    add_header Strict-Transport-Security "<%= hsts %>";
+<%
+else
+-%>
+server {
+    listen 80;
+
+<%
+end
+-%>
+    add_header X-Frame-Options SAMEORIGIN;
+    add_header X-Content-Type-Options nosniff;
+
+    server_name <%= servers.join(' ') %>;
+
+    root <%= @doc_root %>;
+    index <%= @index %>;
+
+<% if @auth -%>
+    auth_basic "<%= @auth[:msg] %>";
+    auth_basic_user_file <%= @path_pass %>;
+
+<% end -%>
+    access_log <%= node['nginx']['log_dir'] %>/<%= @server_name %>.access.log<% if @access_log_options %> <%= @access_log_options %><% end %>;
+    error_log <%= node['nginx']['log_dir'] %>/<%= @server_name %>.error.log;
+
+    include <%= @path_rest %>;
+<% @includes.each do |inc| -%>
+    include <%= inc %>;
+<% end -%>
+
+<% @custom_statements.each do |sm| -%>
+    <%= sm %>
+<% end -%>
+}

+# Generated by Chef
+#
+# Global restrictions configuration file.
+# Designed to be included in any server {} block.
+location = /favicon.ico {
+    log_not_found off;
+    access_log off;
+}
+
+location = /robots.txt {
+    allow all;
+<% unless @log_robots -%>
+    access_log off;
+    log_not_found off;
+<% end -%>
+}
+
+# Deny all attempts to access hidden files and folders
+location ~ (^|/)\. {
+    deny all;
+<% unless @log_hidden -%>
+    access_log off;
+    log_not_found off;
+<% end -%>
+}
+
+# Directives to send expires headers and (probably?) turn off 404 error logging.
+location ~* ^.+\.(<%= @static_types.join('|') %>)$ {
+    expires max;
+<% unless @log_static -%>
+    access_log off;
+    log_not_found off;
+<% end -%>
+}