Greg Karékinian
parent
3da46705ba
commit
0aaf3f3b55
File diff suppressed because one or more lines are too long
@ -47,23 +47,13 @@ end
|
||||
include_recipe "mediawiki"
|
||||
include_recipe "kosmos-nginx"
|
||||
include_recipe "mediawiki::nginx"
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
|
||||
data_bag_item = Chef::EncryptedDataBagItem.load('certificates', 'wildcard_kosmos_org')
|
||||
|
||||
ssl_cert_path = "/etc/ssl/private/wildcard.kosmos.org.crt"
|
||||
file ssl_cert_path do
|
||||
content data_bag_item['ssl_cert']
|
||||
mode 0600
|
||||
owner 'www-data'
|
||||
sensitive true
|
||||
end
|
||||
|
||||
ssl_key_path = "/etc/ssl/private/wildcard.kosmos.org.key"
|
||||
file ssl_key_path do
|
||||
content data_bag_item['ssl_key']
|
||||
mode 0600
|
||||
owner 'www-data'
|
||||
sensitive true
|
||||
execute "letsencrypt cert for wiki.kosmos.org" do
|
||||
command "./letsencrypt-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node["mediawiki"]["docroot_dir"]} -d wiki.kosmos.org"
|
||||
cwd "/usr/local/letsencrypt"
|
||||
not_if { File.exist? "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem" }
|
||||
notifies :reload, "service[nginx]", :delayed
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/mediawiki" do
|
||||
@ -71,8 +61,8 @@ template "#{node['nginx']['dir']}/sites-available/mediawiki" do
|
||||
variables(
|
||||
docroot: node['mediawiki']['webdir'],
|
||||
server_name: node['mediawiki']['server_name'],
|
||||
ssl_cert: ssl_cert_path,
|
||||
ssl_key: ssl_key_path
|
||||
ssl_cert: "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/wiki.kosmos.org/privkey.pem"
|
||||
)
|
||||
action :create
|
||||
notifies :reload, "service[nginx]", :delayed
|
||||
|
||||
@ -11,6 +11,7 @@ node.set_unless['php-fpm']['pools'] = []
|
||||
|
||||
include_recipe "php-fpm::configure"
|
||||
include_recipe 'php-fpm::repository' unless node['php-fpm']['skip_repository_install']
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
|
||||
if node['php-fpm']['package_name'].nil?
|
||||
if platform_family?("rhel")
|
||||
@ -62,22 +63,11 @@ include_recipe "kosmos-nginx"
|
||||
|
||||
include_recipe "wordpress::app"
|
||||
|
||||
data_bag_item = Chef::EncryptedDataBagItem.load('certificates', 'wildcard_kosmos_org')
|
||||
|
||||
ssl_cert_path = "/etc/ssl/private/wildcard.kosmos.org.crt"
|
||||
file ssl_cert_path do
|
||||
content data_bag_item['ssl_cert']
|
||||
mode 0600
|
||||
owner 'www-data'
|
||||
sensitive true
|
||||
end
|
||||
|
||||
ssl_key_path = "/etc/ssl/private/wildcard.kosmos.org.key"
|
||||
file ssl_key_path do
|
||||
content data_bag_item['ssl_key']
|
||||
mode 0600
|
||||
owner 'www-data'
|
||||
sensitive true
|
||||
execute "letsencrypt cert for blog.kosmos.org" do
|
||||
command "./letsencrypt-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['wordpress']['dir']} -d blog.kosmos.org"
|
||||
cwd "/usr/local/letsencrypt"
|
||||
not_if { File.exist? "/etc/letsencrypt/live/blog.kosmos.org/fullchain.pem" }
|
||||
notifies :reload, "service[nginx]", :delayed
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/wordpress" do
|
||||
@ -87,8 +77,8 @@ template "#{node['nginx']['dir']}/sites-available/wordpress" do
|
||||
server_name: node['wordpress']['server_name'],
|
||||
server_aliases: node['wordpress']['server_aliases'],
|
||||
server_port: node['wordpress']['server_port'],
|
||||
ssl_cert: ssl_cert_path,
|
||||
ssl_key: ssl_key_path
|
||||
ssl_cert: "/etc/letsencrypt/live/blog.kosmos.org/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/blog.kosmos.org/privkey.pem"
|
||||
)
|
||||
action :create
|
||||
notifies :reload, "service[nginx]", :delayed
|
||||
|
||||
@ -1,6 +1,8 @@
|
||||
server {
|
||||
listen 80;
|
||||
listen <%= @server_port %> ssl;
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
listen <%= @server_port %> ssl spdy;
|
||||
<% end -%>
|
||||
server_name <%= @server_name %> <%= @server_aliases.join(" ") %>;
|
||||
|
||||
access_log /var/log/nginx/<%= @server_name %>.access.log;
|
||||
@ -29,6 +31,8 @@ server {
|
||||
fastcgi_param SCRIPT_FILENAME <%= @docroot %>$fastcgi_script_name;
|
||||
}
|
||||
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
<% end -%>
|
||||
}
|
||||
|
||||
@ -7,6 +7,8 @@
|
||||
# All rights reserved - Do Not Redistribute
|
||||
#
|
||||
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
|
||||
firewall_rule 'sockethub' do
|
||||
port node['sockethub']['external_port'].to_i
|
||||
protocol :tcp
|
||||
@ -15,23 +17,13 @@ end
|
||||
|
||||
include_recipe 'kosmos-nginx'
|
||||
|
||||
data_bag_item = Chef::EncryptedDataBagItem.load('certificates', 'wildcard_kosmos_org')
|
||||
|
||||
ssl_cert_path = "/etc/ssl/private/wildcard.kosmos.org.crt"
|
||||
file ssl_cert_path do
|
||||
content data_bag_item['ssl_cert']
|
||||
mode 0600
|
||||
owner 'www-data'
|
||||
sensitive true
|
||||
directory "/var/www/sockethub" do
|
||||
owner node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
action :create
|
||||
end
|
||||
|
||||
ssl_key_path = "/etc/ssl/private/wildcard.kosmos.org.key"
|
||||
file ssl_key_path do
|
||||
content data_bag_item['ssl_key']
|
||||
mode 0600
|
||||
owner 'www-data'
|
||||
sensitive true
|
||||
end
|
||||
include_recipe 'kosmos-nginx'
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/sockethub" do
|
||||
source 'nginx_conf_sockethub.erb'
|
||||
@ -40,11 +32,18 @@ template "#{node['nginx']['dir']}/sites-available/sockethub" do
|
||||
variables sockethub_port: node['sockethub']['port'],
|
||||
sockethub_external_port: node['sockethub']['external_port'],
|
||||
server_name: 'sockethub.kosmos.org',
|
||||
ssl_cert: ssl_cert_path,
|
||||
ssl_key: ssl_key_path
|
||||
ssl_cert: "/etc/letsencrypt/live/sockethub.kosmos.org/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/sockethub.kosmos.org/privkey.pem"
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
execute "letsencrypt cert for sockethub.kosmos.org" do
|
||||
command "./letsencrypt-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/sockethub -d sockethub.kosmos.org"
|
||||
cwd "/usr/local/letsencrypt"
|
||||
not_if { File.exist? "/etc/letsencrypt/live/sockethub.kosmos.org/fullchain.pem" }
|
||||
notifies :reload, "service[nginx]", :delayed
|
||||
end
|
||||
|
||||
nginx_site 'sockethub' do
|
||||
enable true
|
||||
end
|
||||
|
||||
@ -9,8 +9,11 @@ map $http_upgrade $connection_upgrade {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80; # For Let's Encrypt
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
listen <%= @sockethub_external_port %> ssl spdy;
|
||||
add_header Strict-Transport-Security "max-age=15768000";
|
||||
<% end -%>
|
||||
|
||||
server_name <%= @server_name %>;
|
||||
|
||||
@ -20,6 +23,10 @@ server {
|
||||
# We might need real ETags, disable those for now
|
||||
gzip off;
|
||||
|
||||
location /.well-known {
|
||||
root "/var/www/sockethub";
|
||||
}
|
||||
|
||||
location / {
|
||||
# an HTTP header important enough to have its own Wikipedia entry:
|
||||
# http://en.wikipedia.org/wiki/X-Forwarded-For
|
||||
@ -50,6 +57,8 @@ server {
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
}
|
||||
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
<% end -%>
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user