diff --git a/site-cookbooks/5apps-hubot/recipes/xmpp_schlupp.rb b/site-cookbooks/5apps-hubot/recipes/xmpp_schlupp.rb index 26dcf84..9647c8b 100644 --- a/site-cookbooks/5apps-hubot/recipes/xmpp_schlupp.rb +++ b/site-cookbooks/5apps-hubot/recipes/xmpp_schlupp.rb @@ -119,13 +119,6 @@ end include_recipe 'kosmos-nginx' -directory "/var/www/#{express_domain}/.well-known/acme-challenge" do - owner node["nginx"]["user"] - group node["nginx"]["group"] - recursive true - action :create -end - template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do source 'nginx_conf_hubot.erb' owner node["nginx"]["user"] @@ -138,13 +131,7 @@ template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do end nginx_site express_domain do - enable true + action :enable end -unless node.chef_environment == "development" - execute "letsencrypt cert for #{express_domain}" do - command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n" - not_if { File.exist? "/etc/letsencrypt/live/#{express_domain}/fullchain.pem" } - notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{express_domain}]", :immediately - end -end +nginx_certbot_site express_domain diff --git a/site-cookbooks/5apps-hubot/templates/default/nginx_conf_hubot.erb b/site-cookbooks/5apps-hubot/templates/default/nginx_conf_hubot.erb index c2449a1..112b0ba 100644 --- a/site-cookbooks/5apps-hubot/templates/default/nginx_conf_hubot.erb +++ b/site-cookbooks/5apps-hubot/templates/default/nginx_conf_hubot.erb 
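Review bot: `nginx_certbot_site express_domain` at the end of the second hunk runs unconditionally, whereas the `execute "letsencrypt cert for ..."` it replaces sat inside `unless node.chef_environment == "development"`; the same gate is dropped in kosmos-ipfs/recipes/letsencrypt.rb, kosmos-mastodon/recipes/nginx.rb, kosmos-mediawiki/recipes/default.rb, kosmos-parity/resources/node.rb, kosmos-wordpress/recipes/nginx.rb and sockethub/recipes/proxy.rb, while kosmos-hubot/recipes/botka_freenode.rb keeps it. On a development node the new resource would include `kosmos-base::letsencrypt` and run certbot for a domain that does not resolve to that machine, so the converge fails on the `execute` instead of skipping it, and repeated failed validations can count against Let's Encrypt's failed-validation limit (unless `kosmos-base::letsencrypt` itself guards on the environment, which is not visible here). Restoring the gate once inside the resource action covers every caller, e.g. wrapping the `include_recipe "kosmos-base::letsencrypt"` and the `execute` in `unless node.chef_environment == "development"`; the per-site alternative is `nginx_certbot_site express_domain unless node.chef_environment == "development"`.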
@@ -5,19 +5,6 @@ upstream _express_<%= @server_name.gsub(".", "_") %> { server localhost:<%= @express_port %>; } -server { - listen 80; - server_name <%= @server_name %>; - - # For Let's Encrypt ACME verification - location /.well-known { - root "/var/www/<%= @server_name %>"; - } - location / { - return 301 https://$host$request_uri; - } -} - server { <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> listen 443 ssl http2; diff --git a/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb b/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb index 55f4875..0d651a5 100644 --- a/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb +++ b/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb @@ -94,14 +94,7 @@ unless node.chef_environment == "development" include_recipe "kosmos-base::letsencrypt" - include_recipe 'kosmos-nginx' - - directory "/var/www/#{express_domain}/.well-known/acme-challenge" do - owner node["nginx"]["user"] - group node["nginx"]["group"] - recursive true - action :create - end + include_recipe "kosmos-nginx" template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do source 'nginx_conf_hubot.erb' @@ -115,15 +108,8 @@ unless node.chef_environment == "development" end nginx_site express_domain do - enable true + action :enable end - # FIXME This doesn't actually work on the first run. Apparently nginx is not - # reloaded after adding the vhost or sth, because it does work on the second - # run. - execute "letsencrypt cert for #{express_domain}" do - command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n" - not_if { File.exist? "/etc/letsencrypt/live/#{express_domain}/fullchain.pem" } - notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{express_domain}]", :immediately - end + nginx_certbot_site express_domain end 
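Review bot: With the port-80 server removed, the remaining `server {` block in this template still keeps its `listen 443 ssl http2;` inside `<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>`, so on a host that has no certificate yet it renders a server block with no `listen` directive at all; nginx then binds such a block to port 80 by default (8000 when not running as root) under the same `server_name` as the new `<domain>_certbot` vhost, and one of the two conflicting vhosts is ignored, which can leave the ACME challenge proxied to express instead of being served from the webroot. The kosmos-hubot copy of this template in the next file section moves the `<% if ... -%>` to wrap the whole `server { ... }` block and adds `<% end -%>` after the closing brace; this file should get the same change so that no proxy vhost exists until the certificate does. The server block continues past the end of the hunk.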
diff --git a/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb b/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb index c2449a1..a143bcd 100644 --- a/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb +++ b/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb @@ -5,24 +5,10 @@ upstream _express_<%= @server_name.gsub(".", "_") %> { server localhost:<%= @express_port %>; } +<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> server { - listen 80; - server_name <%= @server_name %>; - - # For Let's Encrypt ACME verification - location /.well-known { - root "/var/www/<%= @server_name %>"; - } - location / { - return 301 https://$host$request_uri; - } -} - -server { - <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> listen 443 ssl http2; add_header Strict-Transport-Security "max-age=15768000"; - <% end -%> server_name <%= @server_name %>; @@ -37,8 +23,7 @@ server { proxy_http_version 1.1; } - <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> ssl_certificate <%= @ssl_cert %>; ssl_certificate_key <%= @ssl_key %>; - <% end -%> } +<% end -%> diff --git a/site-cookbooks/kosmos-ipfs/attributes/default.rb b/site-cookbooks/kosmos-ipfs/attributes/default.rb index d871e3a..5d595f0 100644 --- a/site-cookbooks/kosmos-ipfs/attributes/default.rb +++ b/site-cookbooks/kosmos-ipfs/attributes/default.rb @@ -4,5 +4,6 @@ # FIXME api_port should come from the ipfs cookbook/attributes # It has nothing to do with nginx node.default['kosmos-ipfs']['nginx']['api_port'] = 5001 +node.default['kosmos-ipfs']['nginx']['external_api_port'] = 5444 node.default['kosmos-ipfs']['nginx']['domain'] = "ipfs.kosmos.org" diff --git a/site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb b/site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb index 22b8d0e..39e6255 100644 --- a/site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb +++ b/site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb 
@@ -2,61 +2,39 @@ # Cookbook Name:: kosmos-ipfs # Recipe:: letsencrypt # -# Copyright 2017, Kosmos +# Copyright 2019, Kosmos # # All rights reserved - Do Not Redistribute # -# nginx config to generate a Let's Encrypt cert - -unless node.chef_environment == "development" - include_recipe "kosmos-base::letsencrypt" -end include_recipe "kosmos-nginx" -root_directory = "/var/www/#{node["kosmos-ipfs"]["nginx"]["domain"]}" +domain = node["kosmos-ipfs"]["nginx"]["domain"] -directory "#{root_directory}/.well-known/acme-challenge" do - owner node["nginx"]["user"] - group node["nginx"]["group"] - action :create - recursive true -end - -template "#{node['nginx']['dir']}/sites-available/#{node["kosmos-ipfs"]["nginx"]["domain"]}" do - source "nginx_conf_#{node["kosmos-ipfs"]["nginx"]["domain"]}.erb" +template "#{node['nginx']['dir']}/sites-available/#{domain}" do + source "nginx_conf_#{domain}.erb" owner 'www-data' mode 0640 - variables server_name: node["kosmos-ipfs"]["nginx"]["domain"], - root_directory: root_directory, - ssl_cert: "/etc/letsencrypt/live/#{node["kosmos-ipfs"]["nginx"]["domain"]}/fullchain.pem", - ssl_key: "/etc/letsencrypt/live/#{node["kosmos-ipfs"]["nginx"]["domain"]}/privkey.pem", - ipfs_api_port: node['kosmos-ipfs']['nginx']['api_port'], - ipfs_external_api_port: 5444 + variables server_name: domain, + ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", + ipfs_api_port: node['kosmos-ipfs']['nginx']['api_port'], + ipfs_external_api_port: node['kosmos-ipfs']['nginx']['external_api_port'] notifies :reload, 'service[nginx]', :delayed end -nginx_site node["kosmos-ipfs"]["nginx"]["domain"] do - enable true +nginx_site domain do + action :enable end +nginx_certbot_site domain + unless node.chef_environment == "development" include_recipe "firewall" firewall_rule 'ipfs_api' do - port 5444 + port node['kosmos-ipfs']['nginx']['external_api_port'] protocol :tcp command :allow end - - # Generate a Let's 
Encrypt cert (only if the nginx vhost exists and no cert - # has been generated before. The renew cron will take care of renewing - execute "letsencrypt cert for #{node["kosmos-ipfs"]["nginx"]["domain"]}" do - command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} -d #{node["kosmos-ipfs"]["nginx"]["domain"]} -n" - only_if do - File.exist?("#{node['nginx']['dir']}/sites-enabled/#{node["kosmos-ipfs"]["nginx"]["domain"]}") && - !File.exist?("/etc/letsencrypt/live/#{node["kosmos-ipfs"]["nginx"]["domain"]}/fullchain.pem") - end - notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{node["kosmos-ipfs"]["nginx"]["domain"]}]", :delayed - end end diff --git a/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb b/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb index f2321a2..00ce7b9 100644 --- a/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb +++ b/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb @@ -2,24 +2,13 @@ upstream _ipfs { server localhost:<%= @ipfs_api_port %>; } -# Used by Let's Encrypt (certbot in webroot mode) +<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> server { - listen 80; - server_name <%= @server_name %>; - location /.well-known { - root "<%= @root_directory %>"; - } - location / { - return 301 https://$host$request_uri; - } -} - -server { - <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> listen <%= @ipfs_external_api_port %> ssl http2; - <% else -%> - listen 80; - <% end -%> +<% else -%> +server { + listen <%= @ipfs_external_api_port %>; +<% end -%> server_name <%= @server_name %>; @@ -45,8 +34,6 @@ server { proxy_pass http://_ipfs/api/v0/object/data; } - <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> ssl_certificate <%= @ssl_cert %>; ssl_certificate_key <%= @ssl_key %>; - <% end -%> } 
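Review bot: In the `<% else -%>` branch of the first kosmos-ipfs template hunk the server block listens on `<%= @ipfs_external_api_port %>` in plain HTTP, while the second hunk removes the `<% if ... -%>` around `ssl_certificate <%= @ssl_cert %>;` and `ssl_certificate_key <%= @ssl_key %>;`, so the no-certificate rendering references key files that do not exist yet; as far as I know nginx validates `ssl_certificate` files at configuration load even without `listen ... ssl`, so the reload meant to bring up the `_certbot` vhost would fail until the certificate exists. The plain-HTTP fallback also exposes the proxied IPFS API on the external port without TLS during bootstrap. The other templates in this commit (kosmos-hubot, mediawiki, sockethub) wrap the entire `server { ... }` in the `<% if %>` and render nothing before the certificate exists; doing the same here, deleting the `<% else -%>` branch with its second `server {` and moving `<% end -%>` after the closing `}`, removes both problems. The closing `}` is the last line of the second hunk.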
diff --git a/site-cookbooks/kosmos-mastodon/recipes/default.rb b/site-cookbooks/kosmos-mastodon/recipes/default.rb index 760c78f..74a8790 100644 --- a/site-cookbooks/kosmos-mastodon/recipes/default.rb +++ b/site-cookbooks/kosmos-mastodon/recipes/default.rb @@ -91,12 +91,6 @@ application mastodon_path do vapid_public_key: mastodon_credentials['vapid_public_key'] end - directory "#{mastodon_path}/public/.well-known" do - owner node['nginx']['user'] - group node['nginx']['group'] - recursive true - end - bundle_install do user "mastodon" deployment true diff --git a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb index 6c83aff..6572817 100644 --- a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb +++ b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb @@ -2,7 +2,7 @@ # Cookbook Name:: kosmos-mastodon # Recipe:: nginx # -# Copyright 2017, Kosmos +# Copyright 2019, Kosmos # # All rights reserved - Do Not Redistribute # 
@@ -12,35 +12,26 @@ server_name = node["kosmos-mastodon"]["server_name"] include_recipe "kosmos-nginx" -directory "/var/www/mastodon/.well-known/acme-challenge" do - owner node["nginx"]["user"] - group node["nginx"]["group"] - recursive true - action :create -end - -template "#{node['nginx']['dir']}/sites-available/mastodon" do +template "#{node['nginx']['dir']}/sites-available/#{server_name}" do source 'nginx_conf_mastodon.erb' owner 'www-data' mode 0640 - variables streaming_port: node["kosmos-mastodon"]["streaming_port"], - puma_port: node["kosmos-mastodon"]["puma_port"], - server_name: server_name, - ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem", - ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem", - mastodon_path: mastodon_path + variables streaming_port: node["kosmos-mastodon"]["streaming_port"], + puma_port: node["kosmos-mastodon"]["puma_port"], + server_name: server_name, + ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem", + mastodon_path: mastodon_path notifies :reload, 'service[nginx]', :delayed end -nginx_site 'mastodon' do - enable true +# Legacy vhost +nginx_site "mastodon" do + action :disable end -unless node.chef_environment == "development" - include_recipe "kosmos-base::letsencrypt" - execute "letsencrypt cert for #{server_name}" do - command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/mastodon -d #{server_name} -n" - not_if { File.exist? "/etc/letsencrypt/live/#{server_name}/fullchain.pem" } - notifies :create, "template[#{node['nginx']['dir']}/sites-available/mastodon]", :immediately - end +nginx_site server_name do + action :enable end + +nginx_certbot_site server_name diff --git a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb index fe52260..297c858 100644 
--- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb +++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb @@ -3,18 +3,6 @@ map $http_upgrade $connection_upgrade { '' close; } -server { - listen 80; - listen [::]:80; - server_name <%= @server_name %>; - - access_log "/var/log/nginx/mastodon.access.log"; - error_log "/var/log/nginx/mastodon.error.log"; - - location /.well-known { root "/var/www/mastodon"; } - location / { return 301 https://$host$request_uri; } -} - server { listen 443 ssl http2; listen [::]:443 ssl http2; diff --git a/site-cookbooks/kosmos-mediawiki/recipes/default.rb b/site-cookbooks/kosmos-mediawiki/recipes/default.rb index 9a3a8db..a80a3e1 100644 --- a/site-cookbooks/kosmos-mediawiki/recipes/default.rb +++ b/site-cookbooks/kosmos-mediawiki/recipes/default.rb @@ -11,6 +11,8 @@ include_recipe 'apt' include_recipe 'ark' include_recipe 'composer' +server_name = 'wiki.kosmos.org' + # FIXME: For now run the update script manually after updating: # # sudo su - /var/www/mediawiki-1.xx.y/maintenance/update.php 
@@ -19,10 +21,10 @@ node.override['mediawiki']['webdir'] = "#{node['mediawiki']['docroot_di node.override['mediawiki']['tarball']['name'] = "mediawiki-#{node['mediawiki']['version']}.tar.gz" node.override['mediawiki']['tarball']['url'] = "https://releases.wikimedia.org/mediawiki/1.28/#{node['mediawiki']['tarball']['name']}" node.override['mediawiki']['language_code'] = 'en' -node.override['mediawiki']['server_name'] = 'wiki.kosmos.org' +node.override['mediawiki']['server_name'] = server_name node.override['mediawiki']['site_name'] = 'Kosmos Wiki' protocol = node.chef_environment == "development" ? "http" : "https" -node.override['mediawiki']['server'] = "#{protocol}://#{node['mediawiki']['server_name']}" +node.override['mediawiki']['server'] = "#{protocol}://#{server_name}" mysql_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mysql') mediawiki_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mediawiki') @@ -59,22 +61,13 @@ include_recipe "mediawiki" include_recipe "kosmos-nginx" include_recipe "mediawiki::nginx" -unless node.chef_environment == "development" - include_recipe "kosmos-base::letsencrypt" - - execute "letsencrypt cert for wiki.kosmos.org" do - command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['mediawiki']['docroot_dir']} -d wiki.kosmos.org -n" - not_if { File.exist? "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem" } - notifies :reload, "service[nginx]", :delayed - end -end ssl_cert = "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem" ssl_key = "/etc/letsencrypt/live/wiki.kosmos.org/privkey.pem" -template "#{node['nginx']['dir']}/sites-available/mediawiki" do +template "#{node['nginx']['dir']}/sites-available/#{server_name}" do source "nginx.conf.erb" variables( docroot: node['mediawiki']['webdir'], - server_name: node['mediawiki']['server_name'], + server_name: server_name, ssl_cert: ssl_cert, ssl_key: ssl_key ) 
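Review bot: `ssl_cert` and `ssl_key` in the second hunk still hard-code `wiki.kosmos.org` while the template path and `server_name:` now come from `server_name`; if the literal and the variable ever diverge the vhost would serve one name with a certificate issued for another, and nginx would fail to load the missing files. Use the variable in both places: `ssl_cert = "/etc/letsencrypt/live/#{server_name}/fullchain.pem"` and `ssl_key = "/etc/letsencrypt/live/#{server_name}/privkey.pem"`. The `template` resource continues past the end of the hunk.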
@@ -82,10 +75,17 @@ template "#{node['nginx']['dir']}/sites-available/mediawiki" do notifies :reload, "service[nginx]", :delayed end +# Legacy vhost nginx_site 'mediawiki' do - enable true + action :disable end +nginx_site server_name do + action :enable +end + +nginx_certbot_site server_name + # # Extensions # diff --git a/site-cookbooks/kosmos-mediawiki/templates/default/nginx.conf.erb b/site-cookbooks/kosmos-mediawiki/templates/default/nginx.conf.erb index 8576fe8..e50be3e 100644 --- a/site-cookbooks/kosmos-mediawiki/templates/default/nginx.conf.erb +++ b/site-cookbooks/kosmos-mediawiki/templates/default/nginx.conf.erb @@ -1,21 +1,6 @@ +<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> server { - listen 80; - server_name <%= @server_name %>; - access_log /var/log/nginx/<%= @server_name %>.access.log; - error_log /var/log/nginx/<%= @server_name %>.error.log; - - location /.well-known { - root <%= @docroot %>; - } - location / { - return 301 https://$host$request_uri; - } -} - -server { - <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> listen 443 ssl; - <% end -%> server_name <%= @server_name %>; access_log /var/log/nginx/<%= @server_name %>.access.log; @@ -38,9 +23,8 @@ server { fastcgi_param HTTP_PROXY ""; } - <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> add_header Strict-Transport-Security "max-age=15768000; includeSubDomains"; ssl_certificate <%= @ssl_cert %>; ssl_certificate_key <%= @ssl_key %>; - <% end -%> } +<% end -%> diff --git a/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb b/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb new file mode 100644 index 0000000..468499e --- /dev/null +++ b/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb 
@@ -0,0 +1,49 @@
+resource_name :nginx_certbot_site
+
+property :domain, String, name_property: true
+# pass it if the site name is not the same as the hostname, for example for the
+# different parity services running on different ports
+property :site, String
+
+action :create do
+ include_recipe "kosmos-nginx"
+
+ domain = new_resource.domain
+ site = new_resource.site || domain
+ root_directory = "/var/www/#{domain}"
+
+ directory "#{root_directory}/.well-known/acme-challenge" do
+ owner node["nginx"]["user"]
+ group node["nginx"]["group"]
+ action :create
+ recursive true
+ end
+
+ template "#{node['nginx']['dir']}/sites-available/#{domain}_certbot" do
+ source "nginx_conf_certbot.erb"
+ cookbook "kosmos-nginx"
+ owner node["nginx"]["user"]
+ mode 0640
+ variables server_name: domain,
+ root_directory: root_directory
+
+ notifies :reload, 'service[nginx]', :delayed
+ end
+
+ nginx_site "#{domain}_certbot" do
+ action :enable
+ end
+
+ include_recipe "kosmos-base::letsencrypt"
+
+ # Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
+ # has been generated before. The renew cron will take care of renewing
+ execute "letsencrypt cert for #{domain}" do
+ command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} -d #{domain} -n"
+ only_if do
+ ::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{domain}_certbot") &&
+ !::File.exist?("/etc/letsencrypt/live/#{domain}/fullchain.pem")
+ end
+ notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{site}]", :delayed
+ end
+end
diff --git a/site-cookbooks/kosmos-nginx/templates/default/nginx_conf_certbot.erb b/site-cookbooks/kosmos-nginx/templates/default/nginx_conf_certbot.erb
new file mode 100644
index 0000000..13161f5
--- /dev/null
+++ b/site-cookbooks/kosmos-nginx/templates/default/nginx_conf_certbot.erb
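Review bot: The `only_if` of the `execute` checks only that the `sites-enabled/#{domain}_certbot` symlink exists, but the template above notifies `service[nginx]` with `:delayed`, so on a first converge certbot's webroot challenge is issued before nginx has loaded the `_certbot` vhost; this is exactly the situation the FIXME removed from kosmos-hubot/recipes/botka_freenode.rb describes ("doesn't actually work on the first run"), and the new resource appears to reproduce it unless `nginx_site`'s enable action reloads nginx immediately, which is not visible here. Changing the template's notification to `notifies :reload, 'service[nginx]', :immediately` (and having `nginx_site "#{domain}_certbot"` notify the same way) would make the challenge path reachable before the `execute` runs. Separately, `--email ops@kosmos.org` is now fixed for every caller, whereas the replaced 5apps-hubot, mastodon, mediawiki, wordpress and sockethub resources used `ops@5apps.com`, so expiry and revocation notices for those certificates change recipient; a `property :email, String, default: "ops@kosmos.org"` interpolated into the command would keep that configurable per site.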
@@ -0,0 +1,11 @@
+# Used by Let's Encrypt (certbot in webroot mode)
+server {
+ listen 80;
+ server_name <%= @server_name %>;
+ location /.well-known {
+ root "<%= @root_directory %>";
+ }
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/site-cookbooks/kosmos-parity/recipes/letsencrypt.rb b/site-cookbooks/kosmos-parity/recipes/letsencrypt.rb
deleted file mode 100644
index 1791052..0000000
--- a/site-cookbooks/kosmos-parity/recipes/letsencrypt.rb
+++ /dev/null
@@ -1,39 +0,0 @@
-#
-# Cookbook Name:: kosmos-parity
-# Recipe:: letsencrypt
-#
-# Copyright 2017, Kosmos
-#
-# All rights reserved - Do Not Redistribute
-#
-
-include_recipe "kosmos-base::letsencrypt"
-
-hostname = node['kosmos-parity']['hostname']
-
-directory "/var/www/#{hostname}/.well-known/acme-challenge" do
- owner node["nginx"]["user"]
- group node["nginx"]["group"]
- action :create
- recursive true
-end
-
-template "#{node['nginx']['dir']}/sites-available/#{hostname}" do
- source 'nginx_conf_parity_letsencrypt.erb'
- owner 'www-data'
- mode 0640
- variables server_name: hostname,
- ssl_cert: "/etc/letsencrypt/live/#{hostname}/fullchain.pem",
- ssl_key: "/etc/letsencrypt/live/#{hostname}/privkey.pem"
- notifies :reload, 'service[nginx]', :delayed
-end
-
-nginx_site "#{hostname}" do
- action :enable
-end
-
-execute "letsencrypt cert for #{hostname}" do
- command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{hostname} -d #{hostname} -n"
- not_if { File.exist? "/etc/letsencrypt/live/#{hostname}/fullchain.pem" }
- notifies :reload, "service[nginx]", :delayed
-end
diff --git a/site-cookbooks/kosmos-parity/resources/node.rb b/site-cookbooks/kosmos-parity/resources/node.rb
index 4555a07..64b606b 100644
--- a/site-cookbooks/kosmos-parity/resources/node.rb
+++ b/site-cookbooks/kosmos-parity/resources/node.rb
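Review bot: `return 301 https://$host$request_uri;` builds the redirect target from the request's Host header; on hosts where this is the only port-80 server block it is also nginx's default server for port 80, so a request carrying an arbitrary Host header is answered by this block and the client is redirected to that arbitrary hostname. Redirecting to the configured name instead, `return 301 https://<%= @server_name %>$request_uri;`, keeps the redirect on the site itself. Also, `listen 80;` is IPv4-only whereas the mastodon port-80 block this replaces also had `listen [::]:80;`; if a domain has an AAAA record the ACME validator may connect over IPv6 first, so adding `listen [::]:80;` preserves that. For kosmos-ipfs, sockethub and parity, whose TLS listeners are on non-443 ports, the redirect to `https://` on 443 does not reach the service either way, which may be intended but deserves a comment in the template.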
@@ -108,10 +108,6 @@ action :enable do end if rpc_proxy_port - unless node.chef_environment == "development" - include_recipe "kosmos-parity::letsencrypt" - end - include_recipe "kosmos-nginx" hostname = node['kosmos-parity']['hostname'] @@ -129,8 +125,12 @@ action :enable do notifies :reload, 'service[nginx]', :delayed end - nginx_site "#{parity_service}" do + nginx_site parity_service do action :enable end + + nginx_certbot_site hostname do + site parity_service + end end end diff --git a/site-cookbooks/kosmos-parity/templates/default/nginx_conf_parity.erb b/site-cookbooks/kosmos-parity/templates/default/nginx_conf_parity.erb index 52fb6f3..7fbe815 100644 --- a/site-cookbooks/kosmos-parity/templates/default/nginx_conf_parity.erb +++ b/site-cookbooks/kosmos-parity/templates/default/nginx_conf_parity.erb @@ -15,10 +15,6 @@ server { access_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.access.log json; error_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.error.log warn; - location /.well-known { - root "/var/www/<%= @parity_service %>"; - } - location / { # Increase number of buffers. Default is 8 proxy_buffers 1024 8k; diff --git a/site-cookbooks/kosmos-parity/templates/default/nginx_conf_parity_letsencrypt.erb b/site-cookbooks/kosmos-parity/templates/default/nginx_conf_parity_letsencrypt.erb deleted file mode 100644 index e01b3f6..0000000 --- a/site-cookbooks/kosmos-parity/templates/default/nginx_conf_parity_letsencrypt.erb +++ /dev/null @@ -1,13 +0,0 @@ -# Generated by Chef -server { - listen 80; # For Let's Encrypt - - server_name <%= @server_name %>; - - access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json; - error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn; - - location /.well-known { - root "/var/www/<%= @server_name %>"; - } -} 
diff --git a/site-cookbooks/kosmos-wordpress/attributes/default.rb b/site-cookbooks/kosmos-wordpress/attributes/default.rb new file mode 100644 index 0000000..766f826 --- /dev/null +++ b/site-cookbooks/kosmos-wordpress/attributes/default.rb @@ -0,0 +1 @@ +node.default["kosmos-wordpress"]["nginx"]["domain"] = "blog.kosmos.org" diff --git a/site-cookbooks/kosmos-wordpress/recipes/nginx.rb b/site-cookbooks/kosmos-wordpress/recipes/nginx.rb index 60c5c56..039c296 100644 --- a/site-cookbooks/kosmos-wordpress/recipes/nginx.rb +++ b/site-cookbooks/kosmos-wordpress/recipes/nginx.rb @@ -34,23 +34,15 @@ include_recipe "kosmos-nginx" include_recipe "wordpress::app" -unless node.chef_environment == "development" - include_recipe "kosmos-base::letsencrypt" +server_name = node['wordpress']['server_name'] - execute "letsencrypt cert for blog.kosmos.org" do - command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['wordpress']['dir']} -d blog.kosmos.org -n" - not_if { File.exist? "/etc/letsencrypt/live/blog.kosmos.org/fullchain.pem" } - notifies :reload, "service[nginx]", :delayed - end -end - -ssl_cert = "/etc/letsencrypt/live/blog.kosmos.org/fullchain.pem" -ssl_key = "/etc/letsencrypt/live/blog.kosmos.org/privkey.pem" -template "#{node['nginx']['dir']}/sites-available/wordpress" do +ssl_cert = "/etc/letsencrypt/live/#{server_name}/fullchain.pem" +ssl_key = "/etc/letsencrypt/live/#{server_name}/privkey.pem" +template "#{node['nginx']['dir']}/sites-available/#{server_name}" do source "nginx.conf.erb" variables( docroot: node['wordpress']['dir'], - server_name: node['wordpress']['server_name'], + server_name: server_name, server_aliases: node['wordpress']['server_aliases'], server_port: node['wordpress']['server_port'], ssl_cert: ssl_cert, 
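Review bot: The new attributes file sets `node.default["kosmos-wordpress"]["nginx"]["domain"]` to `blog.kosmos.org`, but the recipe hunk in the same commit derives `server_name` from `node['wordpress']['server_name']` and never reads the new attribute in the lines shown; if the two values diverge the certificate is requested for a different name than the vhost serves. Either drop the unused attribute or use it consistently, e.g. `server_name = node['kosmos-wordpress']['nginx']['domain']`, matching how kosmos-ipfs and sockethub read their own `nginx` attributes elsewhere in this commit. The `template` resource continues past the end of the hunk.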
@@ -60,6 +52,8 @@ template "#{node['nginx']['dir']}/sites-available/wordpress" do notifies :reload, "service[nginx]", :delayed end -nginx_site 'wordpress' do - enable true +nginx_site server_name do + action :enable end + +nginx_certbot_site server_name diff --git a/site-cookbooks/sockethub/attributes/default.rb b/site-cookbooks/sockethub/attributes/default.rb index b113781..1af1af2 100644 --- a/site-cookbooks/sockethub/attributes/default.rb +++ b/site-cookbooks/sockethub/attributes/default.rb @@ -1,3 +1,4 @@ -node.default['sockethub']['port'] = '10551' -node.default['sockethub']['external_port'] = '10550' -node.default['sockethub']['revision'] = 'v2.0.5' +node.default['sockethub']['port'] = '10551' +node.default['sockethub']['external_port'] = '10550' +node.default['sockethub']['revision'] = 'v2.0.5' +node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org' diff --git a/site-cookbooks/sockethub/recipes/proxy.rb b/site-cookbooks/sockethub/recipes/proxy.rb index fd7660b..bf63e79 100644 --- a/site-cookbooks/sockethub/recipes/proxy.rb +++ b/site-cookbooks/sockethub/recipes/proxy.rb @@ -2,14 +2,12 @@ # Cookbook Name:: sockethub # Recipe:: proxy # -# Copyright 2015-2017, Kosmos +# Copyright 2015-2019, Kosmos # # All rights reserved - Do Not Redistribute # unless node.chef_environment == "development" - include_recipe "kosmos-base::letsencrypt" - include_recipe "firewall" firewall_rule 'sockethub' do port node['sockethub']['external_port'].to_i 
@@ -19,36 +17,27 @@ unless node.chef_environment == "development" end include_recipe 'kosmos-nginx' +server_name = node['sockethub']['nginx']['server_name'] -directory "/var/www/sockethub" do - owner node["nginx"]["user"] - group node["nginx"]["group"] - action :create - recursive true -end - -template "#{node['nginx']['dir']}/sites-available/sockethub" do +template "#{node['nginx']['dir']}/sites-available/#{server_name}" do source 'nginx_conf_sockethub.erb' owner 'www-data' mode 0640 variables sockethub_port: node['sockethub']['port'], sockethub_external_port: node['sockethub']['external_port'], - server_name: 'sockethub.kosmos.org', - ssl_cert: "/etc/letsencrypt/live/sockethub.kosmos.org/fullchain.pem", - ssl_key: "/etc/letsencrypt/live/sockethub.kosmos.org/privkey.pem" + server_name: server_name, + ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem" notifies :reload, 'service[nginx]', :delayed end -unless node.chef_environment == "development" - include_recipe "kosmos-base::letsencrypt" - - execute "letsencrypt cert for sockethub.kosmos.org" do - command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/sockethub -d sockethub.kosmos.org -n" - not_if { File.exist? "/etc/letsencrypt/live/sockethub.kosmos.org/fullchain.pem" } - notifies :reload, "service[nginx]", :delayed - end +# Legacy vhost +nginx_site "sockethub" do + action :disable end -nginx_site 'sockethub' do - enable true +nginx_site server_name do + action :enable end + +nginx_certbot_site server_name diff --git a/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb b/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb index 14f565b..4ed2689 100644 --- a/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb +++ b/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb 
@@ -8,12 +8,10 @@ map $http_upgrade $connection_upgrade { '' close; } +<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> server { - listen 80; # For Let's Encrypt - <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> listen <%= @sockethub_external_port %> ssl http2; add_header Strict-Transport-Security "max-age=15768000"; - <% end -%> server_name <%= @server_name %>; @@ -23,10 +21,6 @@ server { # We might need real ETags, disable those for now gzip off; - location /.well-known { - root "/var/www/sockethub"; - } - location / { # Increase number of buffers. Default is 8 proxy_buffers 1024 8k; @@ -38,8 +32,7 @@ server { proxy_set_header Connection $connection_upgrade; } - <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> ssl_certificate <%= @ssl_cert %>; ssl_certificate_key <%= @ssl_key %>; - <% end -%> } +<% end -%>