Greg Karékinian
@@ -7,6 +7,8 @@
|
||||
# All rights reserved - Do Not Redistribute
|
||||
#
|
||||
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
|
||||
firewall_rule 'sockethub' do
|
||||
port node['sockethub']['external_port'].to_i
|
||||
protocol :tcp
|
||||
@@ -15,23 +17,13 @@ end
|
||||
|
||||
include_recipe 'kosmos-nginx'
|
||||
|
||||
data_bag_item = Chef::EncryptedDataBagItem.load('certificates', 'wildcard_kosmos_org')
|
||||
|
||||
ssl_cert_path = "/etc/ssl/private/wildcard.kosmos.org.crt"
|
||||
file ssl_cert_path do
|
||||
content data_bag_item['ssl_cert']
|
||||
mode 0600
|
||||
owner 'www-data'
|
||||
sensitive true
|
||||
directory "/var/www/sockethub" do
|
||||
owner node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
action :create
|
||||
end
|
||||
|
||||
ssl_key_path = "/etc/ssl/private/wildcard.kosmos.org.key"
|
||||
file ssl_key_path do
|
||||
content data_bag_item['ssl_key']
|
||||
mode 0600
|
||||
owner 'www-data'
|
||||
sensitive true
|
||||
end
|
||||
include_recipe 'kosmos-nginx'
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/sockethub" do
|
||||
source 'nginx_conf_sockethub.erb'
|
||||
@@ -40,11 +32,18 @@ template "#{node['nginx']['dir']}/sites-available/sockethub" do
|
||||
variables sockethub_port: node['sockethub']['port'],
|
||||
sockethub_external_port: node['sockethub']['external_port'],
|
||||
server_name: 'sockethub.kosmos.org',
|
||||
ssl_cert: ssl_cert_path,
|
||||
ssl_key: ssl_key_path
|
||||
ssl_cert: "/etc/letsencrypt/live/sockethub.kosmos.org/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/sockethub.kosmos.org/privkey.pem"
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
execute "letsencrypt cert for sockethub.kosmos.org" do
|
||||
command "./letsencrypt-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/sockethub -d sockethub.kosmos.org"
|
||||
cwd "/usr/local/letsencrypt"
|
||||
not_if { File.exist? "/etc/letsencrypt/live/sockethub.kosmos.org/fullchain.pem" }
|
||||
notifies :reload, "service[nginx]", :delayed
|
||||
end
|
||||
|
||||
nginx_site 'sockethub' do
|
||||
enable true
|
||||
end
|
||||
|
||||
@@ -9,8 +9,11 @@ map $http_upgrade $connection_upgrade {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80; # For Let's Encrypt
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
listen <%= @sockethub_external_port %> ssl spdy;
|
||||
add_header Strict-Transport-Security "max-age=15768000";
|
||||
<% end -%>
|
||||
|
||||
server_name <%= @server_name %>;
|
||||
|
||||
@@ -20,6 +23,10 @@ server {
|
||||
# We might need real ETags, disable those for now
|
||||
gzip off;
|
||||
|
||||
location /.well-known {
|
||||
root "/var/www/sockethub";
|
||||
}
|
||||
|
||||
location / {
|
||||
# an HTTP header important enough to have its own Wikipedia entry:
|
||||
# http://en.wikipedia.org/wiki/X-Forwarded-For
|
||||
@@ -50,6 +57,8 @@ server {
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
}
|
||||
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
<% end -%>
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user