Create a nginx_certbot_site resource to remove duplication
It creates a folder, the nginx vhost for certbot and HTTP redirects, and also runs certbot and recreates the nginx vhost that includes the TLS cert
This commit is contained in:
parent
b30dcab4da
commit
17f1b2a20a
|
@ -119,13 +119,6 @@ end
|
|||
|
||||
include_recipe 'kosmos-nginx'
|
||||
|
||||
directory "/var/www/#{express_domain}/.well-known/acme-challenge" do
|
||||
owner node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
recursive true
|
||||
action :create
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do
|
||||
source 'nginx_conf_hubot.erb'
|
||||
owner node["nginx"]["user"]
|
||||
|
@ -138,13 +131,7 @@ template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do
|
|||
end
|
||||
|
||||
nginx_site express_domain do
|
||||
enable true
|
||||
action :enable
|
||||
end
|
||||
|
||||
unless node.chef_environment == "development"
|
||||
execute "letsencrypt cert for #{express_domain}" do
|
||||
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n"
|
||||
not_if { File.exist? "/etc/letsencrypt/live/#{express_domain}/fullchain.pem" }
|
||||
notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{express_domain}]", :immediately
|
||||
end
|
||||
end
|
||||
nginx_certbot_site express_domain
|
||||
|
|
|
@ -5,19 +5,6 @@ upstream _express_<%= @server_name.gsub(".", "_") %> {
|
|||
server localhost:<%= @express_port %>;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
server_name <%= @server_name %>;
|
||||
|
||||
# For Let's Encrypt ACME verification
|
||||
location /.well-known {
|
||||
root "/var/www/<%= @server_name %>";
|
||||
}
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
listen 443 ssl http2;
|
||||
|
|
|
@ -94,14 +94,7 @@ unless node.chef_environment == "development"
|
|||
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
|
||||
include_recipe 'kosmos-nginx'
|
||||
|
||||
directory "/var/www/#{express_domain}/.well-known/acme-challenge" do
|
||||
owner node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
recursive true
|
||||
action :create
|
||||
end
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do
|
||||
source 'nginx_conf_hubot.erb'
|
||||
|
@ -115,15 +108,8 @@ unless node.chef_environment == "development"
|
|||
end
|
||||
|
||||
nginx_site express_domain do
|
||||
enable true
|
||||
action :enable
|
||||
end
|
||||
|
||||
# FIXME This doesn't actually work on the first run. Apparently nginx is not
|
||||
# reloaded after adding the vhost or sth, because it does work on the second
|
||||
# run.
|
||||
execute "letsencrypt cert for #{express_domain}" do
|
||||
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n"
|
||||
not_if { File.exist? "/etc/letsencrypt/live/#{express_domain}/fullchain.pem" }
|
||||
notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{express_domain}]", :immediately
|
||||
end
|
||||
nginx_certbot_site express_domain
|
||||
end
|
||||
|
|
|
@ -5,24 +5,10 @@ upstream _express_<%= @server_name.gsub(".", "_") %> {
|
|||
server localhost:<%= @express_port %>;
|
||||
}
|
||||
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
server {
|
||||
listen 80;
|
||||
server_name <%= @server_name %>;
|
||||
|
||||
# For Let's Encrypt ACME verification
|
||||
location /.well-known {
|
||||
root "/var/www/<%= @server_name %>";
|
||||
}
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
listen 443 ssl http2;
|
||||
add_header Strict-Transport-Security "max-age=15768000";
|
||||
<% end -%>
|
||||
|
||||
server_name <%= @server_name %>;
|
||||
|
||||
|
@ -37,8 +23,7 @@ server {
|
|||
proxy_http_version 1.1;
|
||||
}
|
||||
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
<% end -%>
|
||||
}
|
||||
<% end -%>
|
||||
|
|
|
@ -4,5 +4,6 @@
|
|||
# FIXME api_port should come from the ipfs cookbook/attributes
|
||||
# It has nothing to do with nginx
|
||||
node.default['kosmos-ipfs']['nginx']['api_port'] = 5001
|
||||
node.default['kosmos-ipfs']['nginx']['external_api_port'] = 5444
|
||||
|
||||
node.default['kosmos-ipfs']['nginx']['domain'] = "ipfs.kosmos.org"
|
||||
|
|
|
@ -2,61 +2,39 @@
|
|||
# Cookbook Name:: kosmos-ipfs
|
||||
# Recipe:: letsencrypt
|
||||
#
|
||||
# Copyright 2017, Kosmos
|
||||
# Copyright 2019, Kosmos
|
||||
#
|
||||
# All rights reserved - Do Not Redistribute
|
||||
#
|
||||
# nginx config to generate a Let's Encrypt cert
|
||||
|
||||
unless node.chef_environment == "development"
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
end
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
root_directory = "/var/www/#{node["kosmos-ipfs"]["nginx"]["domain"]}"
|
||||
domain = node["kosmos-ipfs"]["nginx"]["domain"]
|
||||
|
||||
directory "#{root_directory}/.well-known/acme-challenge" do
|
||||
owner node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
action :create
|
||||
recursive true
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{node["kosmos-ipfs"]["nginx"]["domain"]}" do
|
||||
source "nginx_conf_#{node["kosmos-ipfs"]["nginx"]["domain"]}.erb"
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||
source "nginx_conf_#{domain}.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables server_name: node["kosmos-ipfs"]["nginx"]["domain"],
|
||||
root_directory: root_directory,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{node["kosmos-ipfs"]["nginx"]["domain"]}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{node["kosmos-ipfs"]["nginx"]["domain"]}/privkey.pem",
|
||||
ipfs_api_port: node['kosmos-ipfs']['nginx']['api_port'],
|
||||
ipfs_external_api_port: 5444
|
||||
variables server_name: domain,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
|
||||
ipfs_api_port: node['kosmos-ipfs']['nginx']['api_port'],
|
||||
ipfs_external_api_port: node['kosmos-ipfs']['nginx']['external_api_port']
|
||||
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site node["kosmos-ipfs"]["nginx"]["domain"] do
|
||||
enable true
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
||||
|
||||
nginx_certbot_site domain
|
||||
|
||||
unless node.chef_environment == "development"
|
||||
include_recipe "firewall"
|
||||
firewall_rule 'ipfs_api' do
|
||||
port 5444
|
||||
port node['kosmos-ipfs']['nginx']['external_api_port']
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
|
||||
# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
|
||||
# has been generated before. The renew cron will take care of renewing
|
||||
execute "letsencrypt cert for #{node["kosmos-ipfs"]["nginx"]["domain"]}" do
|
||||
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} -d #{node["kosmos-ipfs"]["nginx"]["domain"]} -n"
|
||||
only_if do
|
||||
File.exist?("#{node['nginx']['dir']}/sites-enabled/#{node["kosmos-ipfs"]["nginx"]["domain"]}") &&
|
||||
!File.exist?("/etc/letsencrypt/live/#{node["kosmos-ipfs"]["nginx"]["domain"]}/fullchain.pem")
|
||||
end
|
||||
notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{node["kosmos-ipfs"]["nginx"]["domain"]}]", :delayed
|
||||
end
|
||||
end
|
||||
|
|
|
@ -2,24 +2,13 @@ upstream _ipfs {
|
|||
server localhost:<%= @ipfs_api_port %>;
|
||||
}
|
||||
|
||||
# Used by Let's Encrypt (certbot in webroot mode)
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
server {
|
||||
listen 80;
|
||||
server_name <%= @server_name %>;
|
||||
location /.well-known {
|
||||
root "<%= @root_directory %>";
|
||||
}
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
listen <%= @ipfs_external_api_port %> ssl http2;
|
||||
<% else -%>
|
||||
listen 80;
|
||||
<% end -%>
|
||||
<% else -%>
|
||||
server {
|
||||
listen <%= @ipfs_external_api_port %>;
|
||||
<% end -%>
|
||||
|
||||
server_name <%= @server_name %>;
|
||||
|
||||
|
@ -45,8 +34,6 @@ server {
|
|||
proxy_pass http://_ipfs/api/v0/object/data;
|
||||
}
|
||||
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
<% end -%>
|
||||
}
|
||||
|
|
|
@ -91,12 +91,6 @@ application mastodon_path do
|
|||
vapid_public_key: mastodon_credentials['vapid_public_key']
|
||||
end
|
||||
|
||||
directory "#{mastodon_path}/public/.well-known" do
|
||||
owner node['nginx']['user']
|
||||
group node['nginx']['group']
|
||||
recursive true
|
||||
end
|
||||
|
||||
bundle_install do
|
||||
user "mastodon"
|
||||
deployment true
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
# Cookbook Name:: kosmos-mastodon
|
||||
# Recipe:: nginx
|
||||
#
|
||||
# Copyright 2017, Kosmos
|
||||
# Copyright 2019, Kosmos
|
||||
#
|
||||
# All rights reserved - Do Not Redistribute
|
||||
#
|
||||
|
@ -12,35 +12,26 @@ server_name = node["kosmos-mastodon"]["server_name"]
|
|||
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
directory "/var/www/mastodon/.well-known/acme-challenge" do
|
||||
owner node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
recursive true
|
||||
action :create
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/mastodon" do
|
||||
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
|
||||
source 'nginx_conf_mastodon.erb'
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables streaming_port: node["kosmos-mastodon"]["streaming_port"],
|
||||
puma_port: node["kosmos-mastodon"]["puma_port"],
|
||||
server_name: server_name,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem",
|
||||
mastodon_path: mastodon_path
|
||||
variables streaming_port: node["kosmos-mastodon"]["streaming_port"],
|
||||
puma_port: node["kosmos-mastodon"]["puma_port"],
|
||||
server_name: server_name,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem",
|
||||
mastodon_path: mastodon_path
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site 'mastodon' do
|
||||
enable true
|
||||
# Legacy vhost
|
||||
nginx_site "mastodon" do
|
||||
action :disable
|
||||
end
|
||||
|
||||
unless node.chef_environment == "development"
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
execute "letsencrypt cert for #{server_name}" do
|
||||
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/mastodon -d #{server_name} -n"
|
||||
not_if { File.exist? "/etc/letsencrypt/live/#{server_name}/fullchain.pem" }
|
||||
notifies :create, "template[#{node['nginx']['dir']}/sites-available/mastodon]", :immediately
|
||||
end
|
||||
nginx_site server_name do
|
||||
action :enable
|
||||
end
|
||||
|
||||
nginx_certbot_site server_name
|
||||
|
|
|
@ -3,18 +3,6 @@ map $http_upgrade $connection_upgrade {
|
|||
'' close;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name <%= @server_name %>;
|
||||
|
||||
access_log "/var/log/nginx/mastodon.access.log";
|
||||
error_log "/var/log/nginx/mastodon.error.log";
|
||||
|
||||
location /.well-known { root "/var/www/mastodon"; }
|
||||
location / { return 301 https://$host$request_uri; }
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
|
|
@ -11,6 +11,8 @@ include_recipe 'apt'
|
|||
include_recipe 'ark'
|
||||
include_recipe 'composer'
|
||||
|
||||
server_name = 'wiki.kosmos.org'
|
||||
|
||||
# FIXME: For now run the update script manually after updating:
|
||||
#
|
||||
# sudo su - /var/www/mediawiki-1.xx.y/maintenance/update.php
|
||||
|
@ -19,10 +21,10 @@ node.override['mediawiki']['webdir'] = "#{node['mediawiki']['docroot_di
|
|||
node.override['mediawiki']['tarball']['name'] = "mediawiki-#{node['mediawiki']['version']}.tar.gz"
|
||||
node.override['mediawiki']['tarball']['url'] = "https://releases.wikimedia.org/mediawiki/1.28/#{node['mediawiki']['tarball']['name']}"
|
||||
node.override['mediawiki']['language_code'] = 'en'
|
||||
node.override['mediawiki']['server_name'] = 'wiki.kosmos.org'
|
||||
node.override['mediawiki']['server_name'] = server_name
|
||||
node.override['mediawiki']['site_name'] = 'Kosmos Wiki'
|
||||
protocol = node.chef_environment == "development" ? "http" : "https"
|
||||
node.override['mediawiki']['server'] = "#{protocol}://#{node['mediawiki']['server_name']}"
|
||||
node.override['mediawiki']['server'] = "#{protocol}://#{server_name}"
|
||||
mysql_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mysql')
|
||||
mediawiki_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mediawiki')
|
||||
|
||||
|
@ -59,22 +61,13 @@ include_recipe "mediawiki"
|
|||
include_recipe "kosmos-nginx"
|
||||
include_recipe "mediawiki::nginx"
|
||||
|
||||
unless node.chef_environment == "development"
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
|
||||
execute "letsencrypt cert for wiki.kosmos.org" do
|
||||
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['mediawiki']['docroot_dir']} -d wiki.kosmos.org -n"
|
||||
not_if { File.exist? "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem" }
|
||||
notifies :reload, "service[nginx]", :delayed
|
||||
end
|
||||
end
|
||||
ssl_cert = "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem"
|
||||
ssl_key = "/etc/letsencrypt/live/wiki.kosmos.org/privkey.pem"
|
||||
template "#{node['nginx']['dir']}/sites-available/mediawiki" do
|
||||
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
|
||||
source "nginx.conf.erb"
|
||||
variables(
|
||||
docroot: node['mediawiki']['webdir'],
|
||||
server_name: node['mediawiki']['server_name'],
|
||||
server_name: server_name,
|
||||
ssl_cert: ssl_cert,
|
||||
ssl_key: ssl_key
|
||||
)
|
||||
|
@ -82,10 +75,17 @@ template "#{node['nginx']['dir']}/sites-available/mediawiki" do
|
|||
notifies :reload, "service[nginx]", :delayed
|
||||
end
|
||||
|
||||
# Legacy vhost
|
||||
nginx_site 'mediawiki' do
|
||||
enable true
|
||||
action :disable
|
||||
end
|
||||
|
||||
nginx_site server_name do
|
||||
action :enable
|
||||
end
|
||||
|
||||
nginx_certbot_site server_name
|
||||
|
||||
#
|
||||
# Extensions
|
||||
#
|
||||
|
|
|
@ -1,21 +1,6 @@
|
|||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
server {
|
||||
listen 80;
|
||||
server_name <%= @server_name %>;
|
||||
access_log /var/log/nginx/<%= @server_name %>.access.log;
|
||||
error_log /var/log/nginx/<%= @server_name %>.error.log;
|
||||
|
||||
location /.well-known {
|
||||
root <%= @docroot %>;
|
||||
}
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
listen 443 ssl;
|
||||
<% end -%>
|
||||
server_name <%= @server_name %>;
|
||||
|
||||
access_log /var/log/nginx/<%= @server_name %>.access.log;
|
||||
|
@ -38,9 +23,8 @@ server {
|
|||
fastcgi_param HTTP_PROXY "";
|
||||
}
|
||||
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
<% end -%>
|
||||
}
|
||||
<% end -%>
|
||||
|
|
|
@ -0,0 +1,49 @@
|
|||
resource_name :nginx_certbot_site
|
||||
|
||||
property :domain, String, name_property: true
|
||||
# pass it if the site name is not the same as the hostname, for example for the
|
||||
# different parity services running on different ports
|
||||
property :site, String
|
||||
|
||||
action :create do
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
domain = new_resource.domain
|
||||
site = new_resource.site || domain
|
||||
root_directory = "/var/www/#{domain}"
|
||||
|
||||
directory "#{root_directory}/.well-known/acme-challenge" do
|
||||
owner node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
action :create
|
||||
recursive true
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}_certbot" do
|
||||
source "nginx_conf_certbot.erb"
|
||||
cookbook "kosmos-nginx"
|
||||
owner node["nginx"]["user"]
|
||||
mode 0640
|
||||
variables server_name: domain,
|
||||
root_directory: root_directory
|
||||
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site "#{domain}_certbot" do
|
||||
action :enable
|
||||
end
|
||||
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
|
||||
# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
|
||||
# has been generated before. The renew cron will take care of renewing
|
||||
execute "letsencrypt cert for #{domain}" do
|
||||
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} -d #{domain} -n"
|
||||
only_if do
|
||||
::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{domain}_certbot") &&
|
||||
!::File.exist?("/etc/letsencrypt/live/#{domain}/fullchain.pem")
|
||||
end
|
||||
notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{site}]", :delayed
|
||||
end
|
||||
end
|
|
@ -0,0 +1,11 @@
|
|||
# Used by Let's Encrypt (certbot in webroot mode)
|
||||
server {
|
||||
listen 80;
|
||||
server_name <%= @server_name %>;
|
||||
location /.well-known {
|
||||
root "<%= @root_directory %>";
|
||||
}
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
|
@ -1,39 +0,0 @@
|
|||
#
|
||||
# Cookbook Name:: kosmos-parity
|
||||
# Recipe:: letsencrypt
|
||||
#
|
||||
# Copyright 2017, Kosmos
|
||||
#
|
||||
# All rights reserved - Do Not Redistribute
|
||||
#
|
||||
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
|
||||
hostname = node['kosmos-parity']['hostname']
|
||||
|
||||
directory "/var/www/#{hostname}/.well-known/acme-challenge" do
|
||||
owner node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
action :create
|
||||
recursive true
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{hostname}" do
|
||||
source 'nginx_conf_parity_letsencrypt.erb'
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables server_name: hostname,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{hostname}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{hostname}/privkey.pem"
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site "#{hostname}" do
|
||||
action :enable
|
||||
end
|
||||
|
||||
execute "letsencrypt cert for #{hostname}" do
|
||||
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{hostname} -d #{hostname} -n"
|
||||
not_if { File.exist? "/etc/letsencrypt/live/#{hostname}/fullchain.pem" }
|
||||
notifies :reload, "service[nginx]", :delayed
|
||||
end
|
|
@ -108,10 +108,6 @@ action :enable do
|
|||
end
|
||||
|
||||
if rpc_proxy_port
|
||||
unless node.chef_environment == "development"
|
||||
include_recipe "kosmos-parity::letsencrypt"
|
||||
end
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
hostname = node['kosmos-parity']['hostname']
|
||||
|
@ -129,8 +125,12 @@ action :enable do
|
|||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site "#{parity_service}" do
|
||||
nginx_site parity_service do
|
||||
action :enable
|
||||
end
|
||||
|
||||
nginx_certbot_site hostname do
|
||||
site parity_service
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -15,10 +15,6 @@ server {
|
|||
access_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.access.log json;
|
||||
error_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.error.log warn;
|
||||
|
||||
location /.well-known {
|
||||
root "/var/www/<%= @parity_service %>";
|
||||
}
|
||||
|
||||
location / {
|
||||
# Increase number of buffers. Default is 8
|
||||
proxy_buffers 1024 8k;
|
||||
|
|
|
@ -1,13 +0,0 @@
|
|||
# Generated by Chef
|
||||
server {
|
||||
listen 80; # For Let's Encrypt
|
||||
|
||||
server_name <%= @server_name %>;
|
||||
|
||||
access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json;
|
||||
error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn;
|
||||
|
||||
location /.well-known {
|
||||
root "/var/www/<%= @server_name %>";
|
||||
}
|
||||
}
|
|
@ -0,0 +1 @@
|
|||
node.default["kosmos-wordpress"]["nginx"]["domain"] = "blog.kosmos.org"
|
|
@ -34,23 +34,15 @@ include_recipe "kosmos-nginx"
|
|||
|
||||
include_recipe "wordpress::app"
|
||||
|
||||
unless node.chef_environment == "development"
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
server_name = node['wordpress']['server_name']
|
||||
|
||||
execute "letsencrypt cert for blog.kosmos.org" do
|
||||
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['wordpress']['dir']} -d blog.kosmos.org -n"
|
||||
not_if { File.exist? "/etc/letsencrypt/live/blog.kosmos.org/fullchain.pem" }
|
||||
notifies :reload, "service[nginx]", :delayed
|
||||
end
|
||||
end
|
||||
|
||||
ssl_cert = "/etc/letsencrypt/live/blog.kosmos.org/fullchain.pem"
|
||||
ssl_key = "/etc/letsencrypt/live/blog.kosmos.org/privkey.pem"
|
||||
template "#{node['nginx']['dir']}/sites-available/wordpress" do
|
||||
ssl_cert = "/etc/letsencrypt/live/#{server_name}/fullchain.pem"
|
||||
ssl_key = "/etc/letsencrypt/live/#{server_name}/privkey.pem"
|
||||
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
|
||||
source "nginx.conf.erb"
|
||||
variables(
|
||||
docroot: node['wordpress']['dir'],
|
||||
server_name: node['wordpress']['server_name'],
|
||||
server_name: server_name,
|
||||
server_aliases: node['wordpress']['server_aliases'],
|
||||
server_port: node['wordpress']['server_port'],
|
||||
ssl_cert: ssl_cert,
|
||||
|
@ -60,6 +52,8 @@ template "#{node['nginx']['dir']}/sites-available/wordpress" do
|
|||
notifies :reload, "service[nginx]", :delayed
|
||||
end
|
||||
|
||||
nginx_site 'wordpress' do
|
||||
enable true
|
||||
nginx_site server_name do
|
||||
action :enable
|
||||
end
|
||||
|
||||
nginx_certbot_site server_name
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
node.default['sockethub']['port'] = '10551'
|
||||
node.default['sockethub']['external_port'] = '10550'
|
||||
node.default['sockethub']['revision'] = 'v2.0.5'
|
||||
node.default['sockethub']['port'] = '10551'
|
||||
node.default['sockethub']['external_port'] = '10550'
|
||||
node.default['sockethub']['revision'] = 'v2.0.5'
|
||||
node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org'
|
||||
|
|
|
@ -2,14 +2,12 @@
|
|||
# Cookbook Name:: sockethub
|
||||
# Recipe:: proxy
|
||||
#
|
||||
# Copyright 2015-2017, Kosmos
|
||||
# Copyright 2015-2019, Kosmos
|
||||
#
|
||||
# All rights reserved - Do Not Redistribute
|
||||
#
|
||||
|
||||
unless node.chef_environment == "development"
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
|
||||
include_recipe "firewall"
|
||||
firewall_rule 'sockethub' do
|
||||
port node['sockethub']['external_port'].to_i
|
||||
|
@ -19,36 +17,27 @@ unless node.chef_environment == "development"
|
|||
end
|
||||
|
||||
include_recipe 'kosmos-nginx'
|
||||
server_name = node['sockethub']['nginx']['server_name']
|
||||
|
||||
directory "/var/www/sockethub" do
|
||||
owner node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
action :create
|
||||
recursive true
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/sockethub" do
|
||||
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
|
||||
source 'nginx_conf_sockethub.erb'
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables sockethub_port: node['sockethub']['port'],
|
||||
sockethub_external_port: node['sockethub']['external_port'],
|
||||
server_name: 'sockethub.kosmos.org',
|
||||
ssl_cert: "/etc/letsencrypt/live/sockethub.kosmos.org/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/sockethub.kosmos.org/privkey.pem"
|
||||
server_name: server_name,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
unless node.chef_environment == "development"
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
|
||||
execute "letsencrypt cert for sockethub.kosmos.org" do
|
||||
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/sockethub -d sockethub.kosmos.org -n"
|
||||
not_if { File.exist? "/etc/letsencrypt/live/sockethub.kosmos.org/fullchain.pem" }
|
||||
notifies :reload, "service[nginx]", :delayed
|
||||
end
|
||||
# Legacy vhost
|
||||
nginx_site "sockethub" do
|
||||
action :disable
|
||||
end
|
||||
|
||||
nginx_site 'sockethub' do
|
||||
enable true
|
||||
nginx_site server_name do
|
||||
action :enable
|
||||
end
|
||||
|
||||
nginx_certbot_site server_name
|
||||
|
|
|
@ -8,12 +8,10 @@ map $http_upgrade $connection_upgrade {
|
|||
'' close;
|
||||
}
|
||||
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
server {
|
||||
listen 80; # For Let's Encrypt
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
listen <%= @sockethub_external_port %> ssl http2;
|
||||
add_header Strict-Transport-Security "max-age=15768000";
|
||||
<% end -%>
|
||||
|
||||
server_name <%= @server_name %>;
|
||||
|
||||
|
@ -23,10 +21,6 @@ server {
|
|||
# We might need real ETags, disable those for now
|
||||
gzip off;
|
||||
|
||||
location /.well-known {
|
||||
root "/var/www/sockethub";
|
||||
}
|
||||
|
||||
location / {
|
||||
# Increase number of buffers. Default is 8
|
||||
proxy_buffers 1024 8k;
|
||||
|
@ -38,8 +32,7 @@ server {
|
|||
proxy_set_header Connection $connection_upgrade;
|
||||
}
|
||||
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
<% end -%>
|
||||
}
|
||||
<% end -%>
|
||||
|
|
Loading…
Reference in New Issue