kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 26 Pull Requests 2 Projects 2 Activity

Initial Let's Encrypt setup for Kosmos subdomains

Browse Source 
Refs #6
This commit is contained in:
Greg Karékinian 2016-05-06 16:41:06 +02:00
parent 3da46705ba
commit 0aaf3f3b55
6 changed files with 46 additions and 69 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
data_bags/certificates/wildcard_kosmos_org.json
View File

File diff suppressed because one or more lines are too long

26
site-cookbooks/kosmos-mediawiki/recipes/default.rb
View File

@ -47,23 +47,13 @@ end
include_recipe "mediawiki" include_recipe "mediawiki"
include_recipe "kosmos-nginx" include_recipe "kosmos-nginx"
include_recipe "mediawiki::nginx" include_recipe "mediawiki::nginx"
include_recipe "kosmos-base::letsencrypt"
data_bag_item = Chef::EncryptedDataBagItem.load('certificates', 'wildcard_kosmos_org') execute "letsencrypt cert for wiki.kosmos.org" do
command "./letsencrypt-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node["mediawiki"]["docroot_dir"]} -d wiki.kosmos.org"
ssl_cert_path = "/etc/ssl/private/wildcard.kosmos.org.crt" cwd "/usr/local/letsencrypt"
file ssl_cert_path do not_if { File.exist? "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem" }
content data_bag_item['ssl_cert'] notifies :reload, "service[nginx]", :delayed
mode 0600
owner 'www-data'
sensitive true
end
ssl_key_path = "/etc/ssl/private/wildcard.kosmos.org.key"
file ssl_key_path do
content data_bag_item['ssl_key']
mode 0600
owner 'www-data'
sensitive true
end end
template "#{node['nginx']['dir']}/sites-available/mediawiki" do template "#{node['nginx']['dir']}/sites-available/mediawiki" do
@ -71,8 +61,8 @@ template "#{node['nginx']['dir']}/sites-available/mediawiki" do
variables( variables(
docroot: node['mediawiki']['webdir'], docroot: node['mediawiki']['webdir'],
server_name: node['mediawiki']['server_name'], server_name: node['mediawiki']['server_name'],
ssl_cert: ssl_cert_path, ssl_cert: "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem",
ssl_key: ssl_key_path ssl_key: "/etc/letsencrypt/live/wiki.kosmos.org/privkey.pem"
) )
action :create action :create
notifies :reload, "service[nginx]", :delayed notifies :reload, "service[nginx]", :delayed

26
site-cookbooks/kosmos-wordpress/recipes/nginx.rb
View File

@ -11,6 +11,7 @@ node.set_unless['php-fpm']['pools'] = []
include_recipe "php-fpm::configure" include_recipe "php-fpm::configure"
include_recipe 'php-fpm::repository' unless node['php-fpm']['skip_repository_install'] include_recipe 'php-fpm::repository' unless node['php-fpm']['skip_repository_install']
include_recipe "kosmos-base::letsencrypt"
if node['php-fpm']['package_name'].nil? if node['php-fpm']['package_name'].nil?
if platform_family?("rhel") if platform_family?("rhel")
@ -62,22 +63,11 @@ include_recipe "kosmos-nginx"
include_recipe "wordpress::app" include_recipe "wordpress::app"
data_bag_item = Chef::EncryptedDataBagItem.load('certificates', 'wildcard_kosmos_org') execute "letsencrypt cert for blog.kosmos.org" do
command "./letsencrypt-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['wordpress']['dir']} -d blog.kosmos.org"
ssl_cert_path = "/etc/ssl/private/wildcard.kosmos.org.crt" cwd "/usr/local/letsencrypt"
file ssl_cert_path do not_if { File.exist? "/etc/letsencrypt/live/blog.kosmos.org/fullchain.pem" }
content data_bag_item['ssl_cert'] notifies :reload, "service[nginx]", :delayed
mode 0600
owner 'www-data'
sensitive true
end
ssl_key_path = "/etc/ssl/private/wildcard.kosmos.org.key"
file ssl_key_path do
content data_bag_item['ssl_key']
mode 0600
owner 'www-data'
sensitive true
end end
template "#{node['nginx']['dir']}/sites-available/wordpress" do template "#{node['nginx']['dir']}/sites-available/wordpress" do
@ -87,8 +77,8 @@ template "#{node['nginx']['dir']}/sites-available/wordpress" do
server_name: node['wordpress']['server_name'], server_name: node['wordpress']['server_name'],
server_aliases: node['wordpress']['server_aliases'], server_aliases: node['wordpress']['server_aliases'],
server_port: node['wordpress']['server_port'], server_port: node['wordpress']['server_port'],
ssl_cert: ssl_cert_path, ssl_cert: "/etc/letsencrypt/live/blog.kosmos.org/fullchain.pem",
ssl_key: ssl_key_path ssl_key: "/etc/letsencrypt/live/blog.kosmos.org/privkey.pem"
) )
action :create action :create
notifies :reload, "service[nginx]", :delayed notifies :reload, "service[nginx]", :delayed

6
site-cookbooks/kosmos-wordpress/templates/default/nginx.conf.erb
View File

@ -1,6 +1,8 @@
server { server {
listen 80; listen 80;
listen <%= @server_port %> ssl; <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
listen <%= @server_port %> ssl spdy;
<% end -%>
server_name <%= @server_name %> <%= @server_aliases.join(" ") %>; server_name <%= @server_name %> <%= @server_aliases.join(" ") %>;
access_log /var/log/nginx/<%= @server_name %>.access.log; access_log /var/log/nginx/<%= @server_name %>.access.log;
@ -29,6 +31,8 @@ server {
fastcgi_param SCRIPT_FILENAME <%= @docroot %>$fastcgi_script_name; fastcgi_param SCRIPT_FILENAME <%= @docroot %>$fastcgi_script_name;
} }
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
ssl_certificate <%= @ssl_cert %>; ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>; ssl_certificate_key <%= @ssl_key %>;
<% end -%>
} }

33
site-cookbooks/sockethub/recipes/proxy.rb
View File

@ -7,6 +7,8 @@
# All rights reserved - Do Not Redistribute # All rights reserved - Do Not Redistribute
# #
include_recipe "kosmos-base::letsencrypt"
firewall_rule 'sockethub' do firewall_rule 'sockethub' do
port node['sockethub']['external_port'].to_i port node['sockethub']['external_port'].to_i
protocol :tcp protocol :tcp
@ -15,23 +17,13 @@ end
include_recipe 'kosmos-nginx' include_recipe 'kosmos-nginx'
data_bag_item = Chef::EncryptedDataBagItem.load('certificates', 'wildcard_kosmos_org') directory "/var/www/sockethub" do
owner node["nginx"]["user"]
ssl_cert_path = "/etc/ssl/private/wildcard.kosmos.org.crt" group node["nginx"]["group"]
file ssl_cert_path do action :create
content data_bag_item['ssl_cert']
mode 0600
owner 'www-data'
sensitive true
end end
ssl_key_path = "/etc/ssl/private/wildcard.kosmos.org.key" include_recipe 'kosmos-nginx'
file ssl_key_path do
content data_bag_item['ssl_key']
mode 0600
owner 'www-data'
sensitive true
end
template "#{node['nginx']['dir']}/sites-available/sockethub" do template "#{node['nginx']['dir']}/sites-available/sockethub" do
source 'nginx_conf_sockethub.erb' source 'nginx_conf_sockethub.erb'
@ -40,11 +32,18 @@ template "#{node['nginx']['dir']}/sites-available/sockethub" do
variables sockethub_port: node['sockethub']['port'], variables sockethub_port: node['sockethub']['port'],
sockethub_external_port: node['sockethub']['external_port'], sockethub_external_port: node['sockethub']['external_port'],
server_name: 'sockethub.kosmos.org', server_name: 'sockethub.kosmos.org',
ssl_cert: ssl_cert_path, ssl_cert: "/etc/letsencrypt/live/sockethub.kosmos.org/fullchain.pem",
ssl_key: ssl_key_path ssl_key: "/etc/letsencrypt/live/sockethub.kosmos.org/privkey.pem"
notifies :reload, 'service[nginx]', :delayed notifies :reload, 'service[nginx]', :delayed
end end
execute "letsencrypt cert for sockethub.kosmos.org" do
command "./letsencrypt-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/sockethub -d sockethub.kosmos.org"
cwd "/usr/local/letsencrypt"
not_if { File.exist? "/etc/letsencrypt/live/sockethub.kosmos.org/fullchain.pem" }
notifies :reload, "service[nginx]", :delayed
end
nginx_site 'sockethub' do nginx_site 'sockethub' do
enable true enable true
end end

9
site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb
View File

@ -9,8 +9,11 @@ map $http_upgrade $connection_upgrade {
} }
server { server {
listen 80; # For Let's Encrypt
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
listen <%= @sockethub_external_port %> ssl spdy; listen <%= @sockethub_external_port %> ssl spdy;
add_header Strict-Transport-Security "max-age=15768000"; add_header Strict-Transport-Security "max-age=15768000";
<% end -%>
server_name <%= @server_name %>; server_name <%= @server_name %>;
@ -20,6 +23,10 @@ server {
# We might need real ETags, disable those for now # We might need real ETags, disable those for now
gzip off; gzip off;
location /.well-known {
root "/var/www/sockethub";
}
location / { location / {
# an HTTP header important enough to have its own Wikipedia entry: # an HTTP header important enough to have its own Wikipedia entry:
# http://en.wikipedia.org/wiki/X-Forwarded-For # http://en.wikipedia.org/wiki/X-Forwarded-For
@ -50,6 +57,8 @@ server {
add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Origin' '*';
} }
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
ssl_certificate <%= @ssl_cert %>; ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>; ssl_certificate_key <%= @ssl_key %>;
<% end -%>
} }