Create a nginx_certbot_site resource to remove duplication

It creates a folder, the nginx vhost for certbot and HTTP redirects, and
also runs certbot and recreates the nginx vhost that includes the TLS
cert

site-cookbooks/kosmos-mediawiki/recipes/default.rb

@@ -11,6 +11,8 @@ include_recipe 'apt'
 include_recipe 'ark'
 include_recipe 'composer'
 
+server_name = 'wiki.kosmos.org'
+
 # FIXME: For now run the update script manually after updating:
 #
 # sudo su - /var/www/mediawiki-1.xx.y/maintenance/update.php
@@ -19,10 +21,10 @@ node.override['mediawiki']['webdir']          = "#{node['mediawiki']['docroot_di
 node.override['mediawiki']['tarball']['name'] = "mediawiki-#{node['mediawiki']['version']}.tar.gz"
 node.override['mediawiki']['tarball']['url']  = "https://releases.wikimedia.org/mediawiki/1.28/#{node['mediawiki']['tarball']['name']}"
 node.override['mediawiki']['language_code']   = 'en'
-node.override['mediawiki']['server_name']     = 'wiki.kosmos.org'
+node.override['mediawiki']['server_name']     = server_name
 node.override['mediawiki']['site_name']       = 'Kosmos Wiki'
 protocol = node.chef_environment == "development" ? "http" : "https"
-node.override['mediawiki']['server']          = "#{protocol}://#{node['mediawiki']['server_name']}"
+node.override['mediawiki']['server']          = "#{protocol}://#{server_name}"
 mysql_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mysql')
 mediawiki_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mediawiki')
 
@@ -59,22 +61,13 @@ include_recipe "mediawiki"
 include_recipe "kosmos-nginx"
 include_recipe "mediawiki::nginx"
 
-unless node.chef_environment == "development"
-  include_recipe "kosmos-base::letsencrypt"
-
-  execute "letsencrypt cert for wiki.kosmos.org" do
-    command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['mediawiki']['docroot_dir']} -d wiki.kosmos.org -n"
-    not_if { File.exist? "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem" }
-    notifies :reload, "service[nginx]", :delayed
-  end
-end
 ssl_cert = "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem"
 ssl_key = "/etc/letsencrypt/live/wiki.kosmos.org/privkey.pem"
-template "#{node['nginx']['dir']}/sites-available/mediawiki" do
+template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
   source "nginx.conf.erb"
   variables(
     docroot:        node['mediawiki']['webdir'],
-    server_name:    node['mediawiki']['server_name'],
+    server_name:    server_name,
     ssl_cert:       ssl_cert,
     ssl_key:        ssl_key
   )
@@ -82,10 +75,17 @@ template "#{node['nginx']['dir']}/sites-available/mediawiki" do
   notifies :reload, "service[nginx]", :delayed
 end
 
+# Legacy vhost
 nginx_site 'mediawiki' do
-  enable true
+  action :disable
 end
 
+nginx_site server_name do
+  action :enable
+end
+
+nginx_certbot_site server_name
+
 #
 # Extensions
 #

site-cookbooks/kosmos-mediawiki/templates/default/nginx.conf.erb

@@ -1,21 +1,6 @@
+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
-        listen 80;
-        server_name <%= @server_name %>;
-        access_log   /var/log/nginx/<%= @server_name %>.access.log;
-        error_log    /var/log/nginx/<%= @server_name %>.error.log;
-
-        location /.well-known {
-                root <%= @docroot %>;
-        }
-        location / {
-                return 301 https://$host$request_uri;
-        }
-}
-
-server {
-        <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
         listen 443 ssl;
-        <% end -%>
         server_name <%= @server_name %>;
 
         access_log   /var/log/nginx/<%= @server_name %>.access.log;
@@ -38,9 +23,8 @@ server {
                 fastcgi_param HTTP_PROXY "";
         }
 
-        <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
         add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
         ssl_certificate <%= @ssl_cert %>;
         ssl_certificate_key <%= @ssl_key %>;
-        <% end -%>
 }
+<% end -%>