Create a nginx_certbot_site resource to remove duplication

It creates the webroot directory and an nginx vhost that serves the certbot
challenge and redirects HTTP to HTTPS, then runs certbot and re-renders the
site's nginx vhost so that it picks up the TLS cert
Greg 2019-03-15 19:03:28 +01:00
parent b30dcab4da
commit 17f1b2a20a
23 changed files with 152 additions and 302 deletions


@ -119,13 +119,6 @@ end
include_recipe 'kosmos-nginx'
directory "/var/www/#{express_domain}/.well-known/acme-challenge" do
owner node["nginx"]["user"]
group node["nginx"]["group"]
recursive true
action :create
end
template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do
source 'nginx_conf_hubot.erb'
owner node["nginx"]["user"]
@ -138,13 +131,7 @@ template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do
end
nginx_site express_domain do
enable true
action :enable
end
unless node.chef_environment == "development"
execute "letsencrypt cert for #{express_domain}" do
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n"
not_if { File.exist? "/etc/letsencrypt/live/#{express_domain}/fullchain.pem" }
notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{express_domain}]", :immediately
end
end
nginx_certbot_site express_domain


@ -5,19 +5,6 @@ upstream _express_<%= @server_name.gsub(".", "_") %> {
server localhost:<%= @express_port %>;
}
server {
listen 80;
server_name <%= @server_name %>;
# For Let's Encrypt ACME verification
location /.well-known {
root "/var/www/<%= @server_name %>";
}
location / {
return 301 https://$host$request_uri;
}
}
server {
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
listen 443 ssl http2;
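Review bot: The `listen 443 ssl http2;` at L58 is guarded by the cert check with no alternative, so on a node that has no cert yet this `server` block inherits nginx's default `*:80` and shares port and `server_name` with the `<domain>_certbot` vhost that `nginx_certbot_site` now renders; nginx keeps only the first block loaded for that name, which can shadow the ACME challenge location on the first production converge. The old port-80 redirect server (L45-L55) is gone, so nothing else in this template serves port 80 for the name. Consider rendering the block only when the cert exists or `node.chef_environment == "development"`, since the resource re-renders this template after certbot succeeds. The `server` block continues past the end of the hunk.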


@ -94,14 +94,7 @@ unless node.chef_environment == "development"
include_recipe "kosmos-base::letsencrypt"
include_recipe 'kosmos-nginx'
directory "/var/www/#{express_domain}/.well-known/acme-challenge" do
owner node["nginx"]["user"]
group node["nginx"]["group"]
recursive true
action :create
end
include_recipe "kosmos-nginx"
template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do
source 'nginx_conf_hubot.erb'
@ -115,15 +108,8 @@ unless node.chef_environment == "development"
end
nginx_site express_domain do
enable true
action :enable
end
# FIXME This doesn't actually work on the first run. Apparently nginx is not
# reloaded after adding the vhost or sth, because it does work on the second
# run.
execute "letsencrypt cert for #{express_domain}" do
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n"
not_if { File.exist? "/etc/letsencrypt/live/#{express_domain}/fullchain.pem" }
notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{express_domain}]", :immediately
end
nginx_certbot_site express_domain
end


@ -5,24 +5,10 @@ upstream _express_<%= @server_name.gsub(".", "_") %> {
server localhost:<%= @express_port %>;
}
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
server {
listen 80;
server_name <%= @server_name %>;
# For Let's Encrypt ACME verification
location /.well-known {
root "/var/www/<%= @server_name %>";
}
location / {
return 301 https://$host$request_uri;
}
}
server {
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
listen 443 ssl http2;
add_header Strict-Transport-Security "max-age=15768000";
<% end -%>
server_name <%= @server_name %>;
@ -37,8 +23,7 @@ server {
proxy_http_version 1.1;
}
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
<% end -%>
}
<% end -%>
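Review bot: Without a certificate the `server` block at L108 has no `listen` directive (the `listen 443 ssl http2;` at L110 is inside the cert check and there is no else branch), so nginx falls back to its default `*:80` — the same port and `server_name` as the `<domain>_certbot` vhost rendered by `nginx_certbot_site`. nginx then logs a conflicting-server-name warning and uses whichever file `sites-enabled` loads first; `example.com` sorts before `example.com_certbot`, so the application vhost would answer `/.well-known/acme-challenge/` and HTTP-01 validation on a fresh production node would fail. The old template avoided this by rendering nothing until the cert existed (the `<% if … -%>` wrapper at L96/L122 that this commit removes). One fix is to render the block only when the cert is present or the node is in development, e.g. `<% if (File.exist?(@ssl_cert) && File.exist?(@ssl_key)) || node.chef_environment == "development" -%>` around the whole `server` block, relying on the resource's `notifies :create, "template[…]"` to re-render it after issuance. The sites-enabled load order is inferred from the usual glob include; please confirm against nginx.conf.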


@ -4,5 +4,6 @@
# FIXME api_port should come from the ipfs cookbook/attributes
# It has nothing to do with nginx
node.default['kosmos-ipfs']['nginx']['api_port'] = 5001
node.default['kosmos-ipfs']['nginx']['external_api_port'] = 5444
node.default['kosmos-ipfs']['nginx']['domain'] = "ipfs.kosmos.org"


@ -2,61 +2,39 @@
# Cookbook Name:: kosmos-ipfs
# Recipe:: letsencrypt
#
# Copyright 2017, Kosmos
# Copyright 2019, Kosmos
#
# All rights reserved - Do Not Redistribute
#
# nginx config to generate a Let's Encrypt cert
unless node.chef_environment == "development"
include_recipe "kosmos-base::letsencrypt"
end
include_recipe "kosmos-nginx"
root_directory = "/var/www/#{node["kosmos-ipfs"]["nginx"]["domain"]}"
domain = node["kosmos-ipfs"]["nginx"]["domain"]
directory "#{root_directory}/.well-known/acme-challenge" do
owner node["nginx"]["user"]
group node["nginx"]["group"]
action :create
recursive true
end
template "#{node['nginx']['dir']}/sites-available/#{node["kosmos-ipfs"]["nginx"]["domain"]}" do
source "nginx_conf_#{node["kosmos-ipfs"]["nginx"]["domain"]}.erb"
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
source "nginx_conf_#{domain}.erb"
owner 'www-data'
mode 0640
variables server_name: node["kosmos-ipfs"]["nginx"]["domain"],
root_directory: root_directory,
ssl_cert: "/etc/letsencrypt/live/#{node["kosmos-ipfs"]["nginx"]["domain"]}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{node["kosmos-ipfs"]["nginx"]["domain"]}/privkey.pem",
ipfs_api_port: node['kosmos-ipfs']['nginx']['api_port'],
ipfs_external_api_port: 5444
variables server_name: domain,
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
ipfs_api_port: node['kosmos-ipfs']['nginx']['api_port'],
ipfs_external_api_port: node['kosmos-ipfs']['nginx']['external_api_port']
notifies :reload, 'service[nginx]', :delayed
end
nginx_site node["kosmos-ipfs"]["nginx"]["domain"] do
enable true
nginx_site domain do
action :enable
end
nginx_certbot_site domain
unless node.chef_environment == "development"
include_recipe "firewall"
firewall_rule 'ipfs_api' do
port 5444
port node['kosmos-ipfs']['nginx']['external_api_port']
protocol :tcp
command :allow
end
# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
# has been generated before. The renew cron will take care of renewing
execute "letsencrypt cert for #{node["kosmos-ipfs"]["nginx"]["domain"]}" do
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} -d #{node["kosmos-ipfs"]["nginx"]["domain"]} -n"
only_if do
File.exist?("#{node['nginx']['dir']}/sites-enabled/#{node["kosmos-ipfs"]["nginx"]["domain"]}") &&
!File.exist?("/etc/letsencrypt/live/#{node["kosmos-ipfs"]["nginx"]["domain"]}/fullchain.pem")
end
notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{node["kosmos-ipfs"]["nginx"]["domain"]}]", :delayed
end
end
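Review bot: `nginx_certbot_site domain` at L181 sits outside the `unless node.chef_environment == "development"` block at L182, while the old environment guard around `include_recipe "kosmos-base::letsencrypt"` (L145-L147) is removed; the resource itself includes that recipe and runs `certbot certonly` unconditionally (see its definition in this commit), so a development converge will now try to obtain a real certificate and abort the run when the `execute` exits non-zero. Either move the call inside the `unless` block at L182, or add the environment guard inside the resource's `action :create`. If `kosmos-base::letsencrypt` already guards on environment, only the `execute` is affected.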


@ -2,24 +2,13 @@ upstream _ipfs {
server localhost:<%= @ipfs_api_port %>;
}
# Used by Let's Encrypt (certbot in webroot mode)
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
server {
listen 80;
server_name <%= @server_name %>;
location /.well-known {
root "<%= @root_directory %>";
}
location / {
return 301 https://$host$request_uri;
}
}
server {
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
listen <%= @ipfs_external_api_port %> ssl http2;
<% else -%>
listen 80;
<% end -%>
<% else -%>
server {
listen <%= @ipfs_external_api_port %>;
<% end -%>
server_name <%= @server_name %>;
@ -45,8 +34,6 @@ server {
proxy_pass http://_ipfs/api/v0/object/data;
}
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
<% end -%>
}
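Review bot: The `listen 80;` fallback at L223 binds the IPFS API proxy to the same port and `server_name` as the `ipfs.kosmos.org_certbot` vhost that `nginx_certbot_site` renders, so on a production node that has no certificate yet nginx will warn about a conflicting server name and keep the first file loaded — likely this one, which proxies `/.well-known/acme-challenge/` to the IPFS API and breaks HTTP-01 validation. The old no-cert branch (L226-L227) listened on `<%= @ipfs_external_api_port %>` instead, which kept port 80 free. I would restore that: `listen <%= @ipfs_external_api_port %>;` in the `else` branch, which also matches the firewall rule that only opens `external_api_port`. The side of L223 is inferred from the rendering; please confirm it is the new code.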


@ -91,12 +91,6 @@ application mastodon_path do
vapid_public_key: mastodon_credentials['vapid_public_key']
end
directory "#{mastodon_path}/public/.well-known" do
owner node['nginx']['user']
group node['nginx']['group']
recursive true
end
bundle_install do
user "mastodon"
deployment true


@ -2,7 +2,7 @@
# Cookbook Name:: kosmos-mastodon
# Recipe:: nginx
#
# Copyright 2017, Kosmos
# Copyright 2019, Kosmos
#
# All rights reserved - Do Not Redistribute
#
@ -12,35 +12,26 @@ server_name = node["kosmos-mastodon"]["server_name"]
include_recipe "kosmos-nginx"
directory "/var/www/mastodon/.well-known/acme-challenge" do
owner node["nginx"]["user"]
group node["nginx"]["group"]
recursive true
action :create
end
template "#{node['nginx']['dir']}/sites-available/mastodon" do
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
source 'nginx_conf_mastodon.erb'
owner 'www-data'
mode 0640
variables streaming_port: node["kosmos-mastodon"]["streaming_port"],
puma_port: node["kosmos-mastodon"]["puma_port"],
server_name: server_name,
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem",
mastodon_path: mastodon_path
variables streaming_port: node["kosmos-mastodon"]["streaming_port"],
puma_port: node["kosmos-mastodon"]["puma_port"],
server_name: server_name,
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem",
mastodon_path: mastodon_path
notifies :reload, 'service[nginx]', :delayed
end
nginx_site 'mastodon' do
enable true
# Legacy vhost
nginx_site "mastodon" do
action :disable
end
unless node.chef_environment == "development"
include_recipe "kosmos-base::letsencrypt"
execute "letsencrypt cert for #{server_name}" do
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/mastodon -d #{server_name} -n"
not_if { File.exist? "/etc/letsencrypt/live/#{server_name}/fullchain.pem" }
notifies :create, "template[#{node['nginx']['dir']}/sites-available/mastodon]", :immediately
end
nginx_site server_name do
action :enable
end
nginx_certbot_site server_name


@ -3,18 +3,6 @@ map $http_upgrade $connection_upgrade {
'' close;
}
server {
listen 80;
listen [::]:80;
server_name <%= @server_name %>;
access_log "/var/log/nginx/mastodon.access.log";
error_log "/var/log/nginx/mastodon.error.log";
location /.well-known { root "/var/www/mastodon"; }
location / { return 301 https://$host$request_uri; }
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
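Review bot: The removed port-80 server also listened on `[::]:80` (L316), but the shared certbot vhost rendered by `nginx_certbot_site` listens only on IPv4 `80`; this host advertises IPv6 for its TLS listener (`listen [::]:443 ssl http2;` at L325) so it presumably has an AAAA record, and Let's Encrypt attempts HTTP-01 over IPv6 first. If any other server block answers on `[::]:80` the challenge gets a non-200 response and validation fails instead of falling back to IPv4. The fix belongs in `nginx_conf_certbot.erb`: add `listen [::]:80;` next to `listen 80;`. The `server` block here continues past the end of the hunk.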


@ -11,6 +11,8 @@ include_recipe 'apt'
include_recipe 'ark'
include_recipe 'composer'
server_name = 'wiki.kosmos.org'
# FIXME: For now run the update script manually after updating:
#
# sudo su - /var/www/mediawiki-1.xx.y/maintenance/update.php
@ -19,10 +21,10 @@ node.override['mediawiki']['webdir'] = "#{node['mediawiki']['docroot_di
node.override['mediawiki']['tarball']['name'] = "mediawiki-#{node['mediawiki']['version']}.tar.gz"
node.override['mediawiki']['tarball']['url'] = "https://releases.wikimedia.org/mediawiki/1.28/#{node['mediawiki']['tarball']['name']}"
node.override['mediawiki']['language_code'] = 'en'
node.override['mediawiki']['server_name'] = 'wiki.kosmos.org'
node.override['mediawiki']['server_name'] = server_name
node.override['mediawiki']['site_name'] = 'Kosmos Wiki'
protocol = node.chef_environment == "development" ? "http" : "https"
node.override['mediawiki']['server'] = "#{protocol}://#{node['mediawiki']['server_name']}"
node.override['mediawiki']['server'] = "#{protocol}://#{server_name}"
mysql_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mysql')
mediawiki_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mediawiki')
@ -59,22 +61,13 @@ include_recipe "mediawiki"
include_recipe "kosmos-nginx"
include_recipe "mediawiki::nginx"
unless node.chef_environment == "development"
include_recipe "kosmos-base::letsencrypt"
execute "letsencrypt cert for wiki.kosmos.org" do
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['mediawiki']['docroot_dir']} -d wiki.kosmos.org -n"
not_if { File.exist? "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem" }
notifies :reload, "service[nginx]", :delayed
end
end
ssl_cert = "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem"
ssl_key = "/etc/letsencrypt/live/wiki.kosmos.org/privkey.pem"
template "#{node['nginx']['dir']}/sites-available/mediawiki" do
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
source "nginx.conf.erb"
variables(
docroot: node['mediawiki']['webdir'],
server_name: node['mediawiki']['server_name'],
server_name: server_name,
ssl_cert: ssl_cert,
ssl_key: ssl_key
)
@ -82,10 +75,17 @@ template "#{node['nginx']['dir']}/sites-available/mediawiki" do
notifies :reload, "service[nginx]", :delayed
end
# Legacy vhost
nginx_site 'mediawiki' do
enable true
action :disable
end
nginx_site server_name do
action :enable
end
nginx_certbot_site server_name
#
# Extensions
#
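Review bot: `ssl_cert` and `ssl_key` at L359-L360 (which appear unchanged) still hard-code `wiki.kosmos.org`, while the vhost filename, `server_name` and the certbot `-d` argument now all derive from the `server_name` variable introduced at L332. They agree today, but if `server_name` ever changes the template's `File.exist?(@ssl_cert)` check keeps looking at the old path and the site silently renders without TLS even after `nginx_certbot_site` obtained the new certificate. Use `ssl_cert = "/etc/letsencrypt/live/#{server_name}/fullchain.pem"` and `ssl_key = "/etc/letsencrypt/live/#{server_name}/privkey.pem"`, as the wordpress recipe in this commit does.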


@ -1,21 +1,6 @@
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
server {
listen 80;
server_name <%= @server_name %>;
access_log /var/log/nginx/<%= @server_name %>.access.log;
error_log /var/log/nginx/<%= @server_name %>.error.log;
location /.well-known {
root <%= @docroot %>;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
listen 443 ssl;
<% end -%>
server_name <%= @server_name %>;
access_log /var/log/nginx/<%= @server_name %>.access.log;
@ -38,9 +23,8 @@ server {
fastcgi_param HTTP_PROXY "";
}
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
<% end -%>
}
<% end -%>
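Review bot: With no certificate present the `server` block starting at L403 has no `listen` directive at all (`listen 443 ssl;` at L405 is conditional and has no else), so nginx binds it to its default `*:80`, where the `<server_name>_certbot` vhost from `nginx_certbot_site` also listens with the same `server_name`; nginx keeps only the first loaded block for that name, so on a fresh production node this vhost can intercept `/.well-known/acme-challenge/` and HTTP-01 validation fails. The removed wrapper at L390/L418 used to suppress the block until the cert existed. Consider rendering the block only when the cert exists or `node.chef_environment == "development"`; the resource re-renders it after issuance. The side of L404-L406 is inferred from the rendering.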


@ -0,0 +1,49 @@
resource_name :nginx_certbot_site
property :domain, String, name_property: true
# pass it if the site name is not the same as the hostname, for example for the
# different parity services running on different ports
property :site, String
action :create do
include_recipe "kosmos-nginx"
domain = new_resource.domain
site = new_resource.site || domain
root_directory = "/var/www/#{domain}"
directory "#{root_directory}/.well-known/acme-challenge" do
owner node["nginx"]["user"]
group node["nginx"]["group"]
action :create
recursive true
end
template "#{node['nginx']['dir']}/sites-available/#{domain}_certbot" do
source "nginx_conf_certbot.erb"
cookbook "kosmos-nginx"
owner node["nginx"]["user"]
mode 0640
variables server_name: domain,
root_directory: root_directory
notifies :reload, 'service[nginx]', :delayed
end
nginx_site "#{domain}_certbot" do
action :enable
end
include_recipe "kosmos-base::letsencrypt"
# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
# has been generated before. The renew cron will take care of renewing
execute "letsencrypt cert for #{domain}" do
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} -d #{domain} -n"
only_if do
::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{domain}_certbot") &&
!::File.exist?("/etc/letsencrypt/live/#{domain}/fullchain.pem")
end
notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{site}]", :delayed
end
end
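Review bot: `include_recipe "kosmos-base::letsencrypt"` (L451) and the `certbot certonly` execute (L454) run in every environment, whereas the per-recipe code this resource replaces guarded them with `unless node.chef_environment == "development"` (e.g. the parity and ipfs recipes in this commit), and several call sites now invoke the resource outside such a guard; an `execute` that fails against the ACME server aborts the development converge. Wrap L451-L461 in `unless node.chef_environment == "development" … end` inside the action, or add a boolean property callers can set. Separately, the certbot vhost template notifies `service[nginx]` with `:delayed` (L446) while the `only_if` at L456 only checks that the `sites-enabled` symlink exists, so on the first converge certbot can run before nginx has loaded the `_certbot` vhost — the scenario the removed hubot FIXME described; `notifies :reload, 'service[nginx]', :immediately` on that template (and on `nginx_site`, if it does not reload on its own) would close that gap. `nginx_site`'s reload behaviour comes from the kosmos-nginx wrapper, which is not shown, so that part is inferred.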


@ -0,0 +1,11 @@
# Used by Let's Encrypt (certbot in webroot mode)
server {
listen 80;
server_name <%= @server_name %>;
location /.well-known {
root "<%= @root_directory %>";
}
location / {
return 301 https://$host$request_uri;
}
}
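Review bot: The vhost listens only on IPv4 (`listen 80;` at L469); the mastodon server block it replaces also had `listen [::]:80;`, and Let's Encrypt validates HTTP-01 over IPv6 first when the name has an AAAA record, so add `listen [::]:80;` unless none of these hosts publishes AAAA records. `location /.well-known` (L471) exposes the whole `/var/www/<domain>/.well-known` tree rather than just the challenge path; `location /.well-known/acme-challenge/` is all certbot's webroot mode needs, and it keeps any other `/.well-known/*` endpoints an application serves (Mastodon has several) from being answered with a 404 from this root on plain HTTP instead of being redirected. The redirect `https://$host$request_uri` (L475) also points at port 443, which is a dead end for the sockethub and ipfs sites whose TLS listener is on a non-standard port; if that matters, pass the service port into the template and build the target from `$server_name`.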


@ -1,39 +0,0 @@
#
# Cookbook Name:: kosmos-parity
# Recipe:: letsencrypt
#
# Copyright 2017, Kosmos
#
# All rights reserved - Do Not Redistribute
#
include_recipe "kosmos-base::letsencrypt"
hostname = node['kosmos-parity']['hostname']
directory "/var/www/#{hostname}/.well-known/acme-challenge" do
owner node["nginx"]["user"]
group node["nginx"]["group"]
action :create
recursive true
end
template "#{node['nginx']['dir']}/sites-available/#{hostname}" do
source 'nginx_conf_parity_letsencrypt.erb'
owner 'www-data'
mode 0640
variables server_name: hostname,
ssl_cert: "/etc/letsencrypt/live/#{hostname}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{hostname}/privkey.pem"
notifies :reload, 'service[nginx]', :delayed
end
nginx_site "#{hostname}" do
action :enable
end
execute "letsencrypt cert for #{hostname}" do
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{hostname} -d #{hostname} -n"
not_if { File.exist? "/etc/letsencrypt/live/#{hostname}/fullchain.pem" }
notifies :reload, "service[nginx]", :delayed
end


@ -108,10 +108,6 @@ action :enable do
end
if rpc_proxy_port
unless node.chef_environment == "development"
include_recipe "kosmos-parity::letsencrypt"
end
include_recipe "kosmos-nginx"
hostname = node['kosmos-parity']['hostname']
@ -129,8 +125,12 @@ action :enable do
notifies :reload, 'service[nginx]', :delayed
end
nginx_site "#{parity_service}" do
nginx_site parity_service do
action :enable
end
nginx_certbot_site hostname do
site parity_service
end
end
end
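Review bot: The `unless node.chef_environment == "development"` guard that wrapped the letsencrypt include (L521-L523) is dropped and `nginx_certbot_site hostname` at L533 is called unconditionally, so development nodes now run the certbot `execute` inside the resource and fail the converge when issuance is impossible; wrap L533-L535 in the same guard, or guard inside the resource. Also, because this runs inside `action :enable` of a per-service resource, each parity service on one host declares a `nginx_certbot_site` named `hostname`, i.e. identically named `directory`, `template` and `execute` resources; Chef tolerates that and the `only_if` makes the second certbot call a no-op, but if I read the resource right only the `execute` that actually ran fires `notifies :create, "template[…#{site}]"`, so the other services' TLS vhosts are not re-rendered until the next converge. A comment on L533 noting that the cert is shared across services and obtained by the first one would help the next reader.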


@ -15,10 +15,6 @@ server {
access_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.access.log json;
error_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.error.log warn;
location /.well-known {
root "/var/www/<%= @parity_service %>";
}
location / {
# Increase number of buffers. Default is 8
proxy_buffers 1024 8k;


@ -1,13 +0,0 @@
# Generated by Chef
server {
listen 80; # For Let's Encrypt
server_name <%= @server_name %>;
access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json;
error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn;
location /.well-known {
root "/var/www/<%= @server_name %>";
}
}


@ -0,0 +1 @@
node.default["kosmos-wordpress"]["nginx"]["domain"] = "blog.kosmos.org"


@ -34,23 +34,15 @@ include_recipe "kosmos-nginx"
include_recipe "wordpress::app"
unless node.chef_environment == "development"
include_recipe "kosmos-base::letsencrypt"
server_name = node['wordpress']['server_name']
execute "letsencrypt cert for blog.kosmos.org" do
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['wordpress']['dir']} -d blog.kosmos.org -n"
not_if { File.exist? "/etc/letsencrypt/live/blog.kosmos.org/fullchain.pem" }
notifies :reload, "service[nginx]", :delayed
end
end
ssl_cert = "/etc/letsencrypt/live/blog.kosmos.org/fullchain.pem"
ssl_key = "/etc/letsencrypt/live/blog.kosmos.org/privkey.pem"
template "#{node['nginx']['dir']}/sites-available/wordpress" do
ssl_cert = "/etc/letsencrypt/live/#{server_name}/fullchain.pem"
ssl_key = "/etc/letsencrypt/live/#{server_name}/privkey.pem"
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
source "nginx.conf.erb"
variables(
docroot: node['wordpress']['dir'],
server_name: node['wordpress']['server_name'],
server_name: server_name,
server_aliases: node['wordpress']['server_aliases'],
server_port: node['wordpress']['server_port'],
ssl_cert: ssl_cert,
@ -60,6 +52,8 @@ template "#{node['nginx']['dir']}/sites-available/wordpress" do
notifies :reload, "service[nginx]", :delayed
end
nginx_site 'wordpress' do
enable true
nginx_site server_name do
action :enable
end
nginx_certbot_site server_name
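Review bot: The vhost is rendered with `server_aliases` (L594), but `nginx_certbot_site server_name` requests a certificate only for `server_name` (`-d #{domain}` in the resource), so any alias served over HTTPS presents a mismatched certificate; the resource takes a single `domain` and would need an extra property (or a loop over the aliases) to cover them, or the aliases should stay off the HTTPS server. Separately, the new `node.default["kosmos-wordpress"]["nginx"]["domain"]` attribute added in this commit is not referenced here — `server_name` still comes from `node['wordpress']['server_name']` (L576) — so either wire it in or leave it out to avoid two sources of truth. Whether aliases are served on 443 depends on `nginx.conf.erb`, which is not in the diff.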


@ -1,3 +1,4 @@
node.default['sockethub']['port'] = '10551'
node.default['sockethub']['external_port'] = '10550'
node.default['sockethub']['revision'] = 'v2.0.5'
node.default['sockethub']['port'] = '10551'
node.default['sockethub']['external_port'] = '10550'
node.default['sockethub']['revision'] = 'v2.0.5'
node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org'


@ -2,14 +2,12 @@
# Cookbook Name:: sockethub
# Recipe:: proxy
#
# Copyright 2015-2017, Kosmos
# Copyright 2015-2019, Kosmos
#
# All rights reserved - Do Not Redistribute
#
unless node.chef_environment == "development"
include_recipe "kosmos-base::letsencrypt"
include_recipe "firewall"
firewall_rule 'sockethub' do
port node['sockethub']['external_port'].to_i
@ -19,36 +17,27 @@ unless node.chef_environment == "development"
end
include_recipe 'kosmos-nginx'
server_name = node['sockethub']['nginx']['server_name']
directory "/var/www/sockethub" do
owner node["nginx"]["user"]
group node["nginx"]["group"]
action :create
recursive true
end
template "#{node['nginx']['dir']}/sites-available/sockethub" do
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
source 'nginx_conf_sockethub.erb'
owner 'www-data'
mode 0640
variables sockethub_port: node['sockethub']['port'],
sockethub_external_port: node['sockethub']['external_port'],
server_name: 'sockethub.kosmos.org',
ssl_cert: "/etc/letsencrypt/live/sockethub.kosmos.org/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/sockethub.kosmos.org/privkey.pem"
server_name: server_name,
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
notifies :reload, 'service[nginx]', :delayed
end
unless node.chef_environment == "development"
include_recipe "kosmos-base::letsencrypt"
execute "letsencrypt cert for sockethub.kosmos.org" do
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/sockethub -d sockethub.kosmos.org -n"
not_if { File.exist? "/etc/letsencrypt/live/sockethub.kosmos.org/fullchain.pem" }
notifies :reload, "service[nginx]", :delayed
end
# Legacy vhost
nginx_site "sockethub" do
action :disable
end
nginx_site 'sockethub' do
enable true
nginx_site server_name do
action :enable
end
nginx_certbot_site server_name


@ -8,12 +8,10 @@ map $http_upgrade $connection_upgrade {
'' close;
}
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
server {
listen 80; # For Let's Encrypt
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
listen <%= @sockethub_external_port %> ssl http2;
add_header Strict-Transport-Security "max-age=15768000";
<% end -%>
server_name <%= @server_name %>;
@ -23,10 +21,6 @@ server {
# We might need real ETags, disable those for now
gzip off;
location /.well-known {
root "/var/www/sockethub";
}
location / {
# Increase number of buffers. Default is 8
proxy_buffers 1024 8k;
@ -38,8 +32,7 @@ server {
proxy_set_header Connection $connection_upgrade;
}
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
<% end -%>
}
<% end -%>
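Review bot: On a node without a certificate the `server` block at L683 has no `listen` left: `listen 80; # For Let's Encrypt` (L684) is gone and `listen <%= @sockethub_external_port %> ssl http2;` (L686) sits inside the cert check with no else branch, so nginx falls back to the default `*:80` and the block collides with the `sockethub.kosmos.org_certbot` vhost on the same `server_name`. nginx keeps whichever `sites-enabled` file loads first, which can make this proxy answer `/.well-known/acme-challenge/` on the first production converge and break HTTP-01 validation. Consider an explicit `listen <%= @sockethub_external_port %>;` in an `<% else -%>` branch, which keeps port 80 for the certbot vhost and matches the firewall rule for `external_port`. Dropping the plaintext `listen 80` for the websocket proxy itself is a good change. Whether the old template had another fallback `listen` is not visible in the hunk.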