Create a nginx_certbot_site resource to remove duplication

It creates a folder, the nginx vhost for certbot and HTTP redirects, and also runs certbot and recreates the nginx vhost that includes the TLS cert
2019-03-15 19:03:28 +01:00
parent b30dcab4da
commit 17f1b2a20a
23 changed files with 152 additions and 302 deletions
--- a/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb
+++ b/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb
@@ -0,0 +1,49 @@
+resource_name :nginx_certbot_site
+
+property :domain, String, name_property: true
+# pass it if the site name is not the same as the hostname, for example for the
+# different parity services running on different ports
+property :site, String
+
+action :create do
+  include_recipe "kosmos-nginx"
+
+  domain = new_resource.domain
+  site = new_resource.site || domain
+  root_directory = "/var/www/#{domain}"
+
+  directory "#{root_directory}/.well-known/acme-challenge" do
+    owner node["nginx"]["user"]
+    group node["nginx"]["group"]
+    action :create
+    recursive true
+  end
+
+  template "#{node['nginx']['dir']}/sites-available/#{domain}_certbot" do
+    source "nginx_conf_certbot.erb"
+    cookbook "kosmos-nginx"
+    owner node["nginx"]["user"]
+    mode 0640
+    variables server_name:    domain,
+              root_directory: root_directory
+
+    notifies :reload, 'service[nginx]', :delayed
+  end
+
+  nginx_site "#{domain}_certbot" do
+    action :enable
+  end
+
+  include_recipe "kosmos-base::letsencrypt"
+
+  # Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
+  # has been generated before. The renew cron will take care of renewing
+  execute "letsencrypt cert for #{domain}" do
+    command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} -d #{domain} -n"
+    only_if do
+      ::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{domain}_certbot") &&
+        !::File.exist?("/etc/letsencrypt/live/#{domain}/fullchain.pem")
+    end
+    notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{site}]", :delayed
+  end
+end
--- a/site-cookbooks/kosmos-nginx/templates/default/nginx_conf_certbot.erb
+++ b/site-cookbooks/kosmos-nginx/templates/default/nginx_conf_certbot.erb
@@ -0,0 +1,11 @@
+# Used by Let's Encrypt (certbot in webroot mode)
+server {
+  listen 80;
+  server_name <%= @server_name %>;
+  location /.well-known {
+    root "<%= @root_directory %>";
+  }
+  location / {
+    return 301 https://$host$request_uri;
+  }
+}