Create a nginx_certbot_site resource to remove duplication

It creates a folder, the nginx vhost for certbot and HTTP redirects, and also runs certbot and recreates the nginx vhost that includes the TLS cert
2019-03-15 19:03:28 +01:00
parent b30dcab4da
commit 17f1b2a20a
23 changed files with 152 additions and 302 deletions
--- a/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb
+++ b/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb
@@ -94,14 +94,7 @@ unless node.chef_environment == "development"

  include_recipe "kosmos-base::letsencrypt"

-  include_recipe 'kosmos-nginx'
-
-  directory "/var/www/#{express_domain}/.well-known/acme-challenge" do
-    owner     node["nginx"]["user"]
-    group     node["nginx"]["group"]
-    recursive true
-    action    :create
-  end
+  include_recipe "kosmos-nginx"

  template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do
    source 'nginx_conf_hubot.erb'
@@ -115,15 +108,8 @@ unless node.chef_environment == "development"
  end

  nginx_site express_domain do
-    enable true
+    action :enable
  end

-  # FIXME This doesn't actually work on the first run. Apparently nginx is not
-  # reloaded after adding the vhost or sth, because it does work on the second
-  # run.
-  execute "letsencrypt cert for #{express_domain}" do
-    command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n"
-    not_if { File.exist? "/etc/letsencrypt/live/#{express_domain}/fullchain.pem" }
-    notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{express_domain}]", :immediately
-  end
+  nginx_certbot_site express_domain
 end
--- a/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb
+++ b/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb
@@ -5,24 +5,10 @@ upstream _express_<%= @server_name.gsub(".", "_") %> {
  server localhost:<%= @express_port %>;
 }

+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
-  listen 80;
-  server_name <%= @server_name %>;
-
-  # For Let's Encrypt ACME verification
-  location /.well-known {
-    root "/var/www/<%= @server_name %>";
-  }
-  location / {
-    return 301 https://$host$request_uri;
-  }
-}
-
-server {
-  <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
  listen 443 ssl http2;
  add_header Strict-Transport-Security "max-age=15768000";
-  <% end -%>

  server_name <%= @server_name %>;

@@ -37,8 +23,7 @@ server {
    proxy_http_version 1.1;
   }

-  <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
  ssl_certificate <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
-  <% end -%>
 }
+<% end -%>