Create a nginx_certbot_site resource to remove duplication

It creates a folder, the nginx vhost for certbot and HTTP redirects, and also runs certbot and recreates the nginx vhost that includes the TLS cert
2019-03-15 19:03:28 +01:00
parent b30dcab4da
commit 17f1b2a20a
23 changed files with 152 additions and 302 deletions
--- a/site-cookbooks/kosmos-ipfs/attributes/default.rb
+++ b/site-cookbooks/kosmos-ipfs/attributes/default.rb
@@ -4,5 +4,6 @@
 # FIXME api_port should come from the ipfs cookbook/attributes
 # It has nothing to do with nginx
 node.default['kosmos-ipfs']['nginx']['api_port'] = 5001
+node.default['kosmos-ipfs']['nginx']['external_api_port'] = 5444

 node.default['kosmos-ipfs']['nginx']['domain'] = "ipfs.kosmos.org"
--- a/site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb
@@ -2,61 +2,39 @@
 # Cookbook Name:: kosmos-ipfs
 # Recipe:: letsencrypt
 #
-# Copyright 2017, Kosmos
+# Copyright 2019, Kosmos
 #
 # All rights reserved - Do Not Redistribute
 #
-# nginx config to generate a Let's Encrypt cert
-
-unless node.chef_environment == "development"
-  include_recipe "kosmos-base::letsencrypt"
-end

 include_recipe "kosmos-nginx"

-root_directory = "/var/www/#{node["kosmos-ipfs"]["nginx"]["domain"]}"
+domain = node["kosmos-ipfs"]["nginx"]["domain"]

-directory "#{root_directory}/.well-known/acme-challenge" do
-  owner node["nginx"]["user"]
-  group node["nginx"]["group"]
-  action :create
-  recursive true
-end
-
-template "#{node['nginx']['dir']}/sites-available/#{node["kosmos-ipfs"]["nginx"]["domain"]}" do
-  source "nginx_conf_#{node["kosmos-ipfs"]["nginx"]["domain"]}.erb"
+template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+  source "nginx_conf_#{domain}.erb"
  owner 'www-data'
  mode 0640
-  variables server_name:             node["kosmos-ipfs"]["nginx"]["domain"],
-            root_directory:          root_directory,
-            ssl_cert:                "/etc/letsencrypt/live/#{node["kosmos-ipfs"]["nginx"]["domain"]}/fullchain.pem",
-            ssl_key:                 "/etc/letsencrypt/live/#{node["kosmos-ipfs"]["nginx"]["domain"]}/privkey.pem",
-            ipfs_api_port:           node['kosmos-ipfs']['nginx']['api_port'],
-            ipfs_external_api_port:  5444
+  variables server_name:            domain,
+            ssl_cert:               "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key:                "/etc/letsencrypt/live/#{domain}/privkey.pem",
+            ipfs_api_port:          node['kosmos-ipfs']['nginx']['api_port'],
+            ipfs_external_api_port: node['kosmos-ipfs']['nginx']['external_api_port']

  notifies :reload, 'service[nginx]', :delayed
 end

-nginx_site node["kosmos-ipfs"]["nginx"]["domain"] do
-  enable true
+nginx_site domain do
+  action :enable
 end

+nginx_certbot_site domain
+
 unless node.chef_environment == "development"
  include_recipe "firewall"
  firewall_rule 'ipfs_api' do
-    port     5444
+    port     node['kosmos-ipfs']['nginx']['external_api_port']
    protocol :tcp
    command  :allow
  end
-
-  # Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
-  # has been generated before. The renew cron will take care of renewing
-  execute "letsencrypt cert for #{node["kosmos-ipfs"]["nginx"]["domain"]}" do
-    command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} -d #{node["kosmos-ipfs"]["nginx"]["domain"]} -n"
-    only_if do
-      File.exist?("#{node['nginx']['dir']}/sites-enabled/#{node["kosmos-ipfs"]["nginx"]["domain"]}") &&
-        !File.exist?("/etc/letsencrypt/live/#{node["kosmos-ipfs"]["nginx"]["domain"]}/fullchain.pem")
-    end
-    notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{node["kosmos-ipfs"]["nginx"]["domain"]}]", :delayed
-  end
 end
--- a/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb
+++ b/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb
@@ -2,24 +2,13 @@ upstream _ipfs {
  server   localhost:<%= @ipfs_api_port %>;
 }

-# Used by Let's Encrypt (certbot in webroot mode)
+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
-  listen 80;
-  server_name <%= @server_name %>;
-  location /.well-known {
-    root "<%= @root_directory %>";
-  }
-  location / {
-    return 301 https://$host$request_uri;
-  }
-}
-
-server {
-  <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
  listen <%= @ipfs_external_api_port %> ssl http2;
-  <% else -%>
-  listen 80;
-  <% end -%>
+<% else -%>
+server {
+  listen <%= @ipfs_external_api_port %>;
+<% end -%>

  server_name <%= @server_name %>;

@@ -45,8 +34,6 @@ server {
    proxy_pass http://_ipfs/api/v0/object/data;
  }

-  <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
  ssl_certificate <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;
-  <% end -%>
 }