Create a nginx_certbot_site resource to remove duplication
It creates a folder, the nginx vhost for certbot and HTTP redirects, and also runs certbot and recreates the nginx vhost that includes the TLS cert
This commit is contained in:
parent
b30dcab4da
commit
17f1b2a20a
|
@ -119,13 +119,6 @@ end
|
||||||
|
|
||||||
include_recipe 'kosmos-nginx'
|
include_recipe 'kosmos-nginx'
|
||||||
|
|
||||||
directory "/var/www/#{express_domain}/.well-known/acme-challenge" do
|
|
||||||
owner node["nginx"]["user"]
|
|
||||||
group node["nginx"]["group"]
|
|
||||||
recursive true
|
|
||||||
action :create
|
|
||||||
end
|
|
||||||
|
|
||||||
template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do
|
template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do
|
||||||
source 'nginx_conf_hubot.erb'
|
source 'nginx_conf_hubot.erb'
|
||||||
owner node["nginx"]["user"]
|
owner node["nginx"]["user"]
|
||||||
|
@ -138,13 +131,7 @@ template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do
|
||||||
end
|
end
|
||||||
|
|
||||||
nginx_site express_domain do
|
nginx_site express_domain do
|
||||||
enable true
|
action :enable
|
||||||
end
|
end
|
||||||
|
|
||||||
unless node.chef_environment == "development"
|
nginx_certbot_site express_domain
|
||||||
execute "letsencrypt cert for #{express_domain}" do
|
|
||||||
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n"
|
|
||||||
not_if { File.exist? "/etc/letsencrypt/live/#{express_domain}/fullchain.pem" }
|
|
||||||
notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{express_domain}]", :immediately
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
|
@ -5,19 +5,6 @@ upstream _express_<%= @server_name.gsub(".", "_") %> {
|
||||||
server localhost:<%= @express_port %>;
|
server localhost:<%= @express_port %>;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
server_name <%= @server_name %>;
|
|
||||||
|
|
||||||
# For Let's Encrypt ACME verification
|
|
||||||
location /.well-known {
|
|
||||||
root "/var/www/<%= @server_name %>";
|
|
||||||
}
|
|
||||||
location / {
|
|
||||||
return 301 https://$host$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
|
|
|
@ -94,14 +94,7 @@ unless node.chef_environment == "development"
|
||||||
|
|
||||||
include_recipe "kosmos-base::letsencrypt"
|
include_recipe "kosmos-base::letsencrypt"
|
||||||
|
|
||||||
include_recipe 'kosmos-nginx'
|
include_recipe "kosmos-nginx"
|
||||||
|
|
||||||
directory "/var/www/#{express_domain}/.well-known/acme-challenge" do
|
|
||||||
owner node["nginx"]["user"]
|
|
||||||
group node["nginx"]["group"]
|
|
||||||
recursive true
|
|
||||||
action :create
|
|
||||||
end
|
|
||||||
|
|
||||||
template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do
|
template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do
|
||||||
source 'nginx_conf_hubot.erb'
|
source 'nginx_conf_hubot.erb'
|
||||||
|
@ -115,15 +108,8 @@ unless node.chef_environment == "development"
|
||||||
end
|
end
|
||||||
|
|
||||||
nginx_site express_domain do
|
nginx_site express_domain do
|
||||||
enable true
|
action :enable
|
||||||
end
|
end
|
||||||
|
|
||||||
# FIXME This doesn't actually work on the first run. Apparently nginx is not
|
nginx_certbot_site express_domain
|
||||||
# reloaded after adding the vhost or sth, because it does work on the second
|
|
||||||
# run.
|
|
||||||
execute "letsencrypt cert for #{express_domain}" do
|
|
||||||
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n"
|
|
||||||
not_if { File.exist? "/etc/letsencrypt/live/#{express_domain}/fullchain.pem" }
|
|
||||||
notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{express_domain}]", :immediately
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -5,24 +5,10 @@ upstream _express_<%= @server_name.gsub(".", "_") %> {
|
||||||
server localhost:<%= @express_port %>;
|
server localhost:<%= @express_port %>;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||||
server {
|
server {
|
||||||
listen 80;
|
|
||||||
server_name <%= @server_name %>;
|
|
||||||
|
|
||||||
# For Let's Encrypt ACME verification
|
|
||||||
location /.well-known {
|
|
||||||
root "/var/www/<%= @server_name %>";
|
|
||||||
}
|
|
||||||
location / {
|
|
||||||
return 301 https://$host$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
add_header Strict-Transport-Security "max-age=15768000";
|
add_header Strict-Transport-Security "max-age=15768000";
|
||||||
<% end -%>
|
|
||||||
|
|
||||||
server_name <%= @server_name %>;
|
server_name <%= @server_name %>;
|
||||||
|
|
||||||
|
@ -37,8 +23,7 @@ server {
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
}
|
}
|
||||||
|
|
||||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
|
||||||
ssl_certificate <%= @ssl_cert %>;
|
ssl_certificate <%= @ssl_cert %>;
|
||||||
ssl_certificate_key <%= @ssl_key %>;
|
ssl_certificate_key <%= @ssl_key %>;
|
||||||
<% end -%>
|
|
||||||
}
|
}
|
||||||
|
<% end -%>
|
||||||
|
|
|
@ -4,5 +4,6 @@
|
||||||
# FIXME api_port should come from the ipfs cookbook/attributes
|
# FIXME api_port should come from the ipfs cookbook/attributes
|
||||||
# It has nothing to do with nginx
|
# It has nothing to do with nginx
|
||||||
node.default['kosmos-ipfs']['nginx']['api_port'] = 5001
|
node.default['kosmos-ipfs']['nginx']['api_port'] = 5001
|
||||||
|
node.default['kosmos-ipfs']['nginx']['external_api_port'] = 5444
|
||||||
|
|
||||||
node.default['kosmos-ipfs']['nginx']['domain'] = "ipfs.kosmos.org"
|
node.default['kosmos-ipfs']['nginx']['domain'] = "ipfs.kosmos.org"
|
||||||
|
|
|
@ -2,61 +2,39 @@
|
||||||
# Cookbook Name:: kosmos-ipfs
|
# Cookbook Name:: kosmos-ipfs
|
||||||
# Recipe:: letsencrypt
|
# Recipe:: letsencrypt
|
||||||
#
|
#
|
||||||
# Copyright 2017, Kosmos
|
# Copyright 2019, Kosmos
|
||||||
#
|
#
|
||||||
# All rights reserved - Do Not Redistribute
|
# All rights reserved - Do Not Redistribute
|
||||||
#
|
#
|
||||||
# nginx config to generate a Let's Encrypt cert
|
|
||||||
|
|
||||||
unless node.chef_environment == "development"
|
|
||||||
include_recipe "kosmos-base::letsencrypt"
|
|
||||||
end
|
|
||||||
|
|
||||||
include_recipe "kosmos-nginx"
|
include_recipe "kosmos-nginx"
|
||||||
|
|
||||||
root_directory = "/var/www/#{node["kosmos-ipfs"]["nginx"]["domain"]}"
|
domain = node["kosmos-ipfs"]["nginx"]["domain"]
|
||||||
|
|
||||||
directory "#{root_directory}/.well-known/acme-challenge" do
|
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||||
owner node["nginx"]["user"]
|
source "nginx_conf_#{domain}.erb"
|
||||||
group node["nginx"]["group"]
|
|
||||||
action :create
|
|
||||||
recursive true
|
|
||||||
end
|
|
||||||
|
|
||||||
template "#{node['nginx']['dir']}/sites-available/#{node["kosmos-ipfs"]["nginx"]["domain"]}" do
|
|
||||||
source "nginx_conf_#{node["kosmos-ipfs"]["nginx"]["domain"]}.erb"
|
|
||||||
owner 'www-data'
|
owner 'www-data'
|
||||||
mode 0640
|
mode 0640
|
||||||
variables server_name: node["kosmos-ipfs"]["nginx"]["domain"],
|
variables server_name: domain,
|
||||||
root_directory: root_directory,
|
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||||
ssl_cert: "/etc/letsencrypt/live/#{node["kosmos-ipfs"]["nginx"]["domain"]}/fullchain.pem",
|
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
|
||||||
ssl_key: "/etc/letsencrypt/live/#{node["kosmos-ipfs"]["nginx"]["domain"]}/privkey.pem",
|
ipfs_api_port: node['kosmos-ipfs']['nginx']['api_port'],
|
||||||
ipfs_api_port: node['kosmos-ipfs']['nginx']['api_port'],
|
ipfs_external_api_port: node['kosmos-ipfs']['nginx']['external_api_port']
|
||||||
ipfs_external_api_port: 5444
|
|
||||||
|
|
||||||
notifies :reload, 'service[nginx]', :delayed
|
notifies :reload, 'service[nginx]', :delayed
|
||||||
end
|
end
|
||||||
|
|
||||||
nginx_site node["kosmos-ipfs"]["nginx"]["domain"] do
|
nginx_site domain do
|
||||||
enable true
|
action :enable
|
||||||
end
|
end
|
||||||
|
|
||||||
|
nginx_certbot_site domain
|
||||||
|
|
||||||
unless node.chef_environment == "development"
|
unless node.chef_environment == "development"
|
||||||
include_recipe "firewall"
|
include_recipe "firewall"
|
||||||
firewall_rule 'ipfs_api' do
|
firewall_rule 'ipfs_api' do
|
||||||
port 5444
|
port node['kosmos-ipfs']['nginx']['external_api_port']
|
||||||
protocol :tcp
|
protocol :tcp
|
||||||
command :allow
|
command :allow
|
||||||
end
|
end
|
||||||
|
|
||||||
# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
|
|
||||||
# has been generated before. The renew cron will take care of renewing
|
|
||||||
execute "letsencrypt cert for #{node["kosmos-ipfs"]["nginx"]["domain"]}" do
|
|
||||||
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} -d #{node["kosmos-ipfs"]["nginx"]["domain"]} -n"
|
|
||||||
only_if do
|
|
||||||
File.exist?("#{node['nginx']['dir']}/sites-enabled/#{node["kosmos-ipfs"]["nginx"]["domain"]}") &&
|
|
||||||
!File.exist?("/etc/letsencrypt/live/#{node["kosmos-ipfs"]["nginx"]["domain"]}/fullchain.pem")
|
|
||||||
end
|
|
||||||
notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{node["kosmos-ipfs"]["nginx"]["domain"]}]", :delayed
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
|
@ -2,24 +2,13 @@ upstream _ipfs {
|
||||||
server localhost:<%= @ipfs_api_port %>;
|
server localhost:<%= @ipfs_api_port %>;
|
||||||
}
|
}
|
||||||
|
|
||||||
# Used by Let's Encrypt (certbot in webroot mode)
|
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||||
server {
|
server {
|
||||||
listen 80;
|
|
||||||
server_name <%= @server_name %>;
|
|
||||||
location /.well-known {
|
|
||||||
root "<%= @root_directory %>";
|
|
||||||
}
|
|
||||||
location / {
|
|
||||||
return 301 https://$host$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
|
||||||
listen <%= @ipfs_external_api_port %> ssl http2;
|
listen <%= @ipfs_external_api_port %> ssl http2;
|
||||||
<% else -%>
|
<% else -%>
|
||||||
listen 80;
|
server {
|
||||||
<% end -%>
|
listen <%= @ipfs_external_api_port %>;
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
server_name <%= @server_name %>;
|
server_name <%= @server_name %>;
|
||||||
|
|
||||||
|
@ -45,8 +34,6 @@ server {
|
||||||
proxy_pass http://_ipfs/api/v0/object/data;
|
proxy_pass http://_ipfs/api/v0/object/data;
|
||||||
}
|
}
|
||||||
|
|
||||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
|
||||||
ssl_certificate <%= @ssl_cert %>;
|
ssl_certificate <%= @ssl_cert %>;
|
||||||
ssl_certificate_key <%= @ssl_key %>;
|
ssl_certificate_key <%= @ssl_key %>;
|
||||||
<% end -%>
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -91,12 +91,6 @@ application mastodon_path do
|
||||||
vapid_public_key: mastodon_credentials['vapid_public_key']
|
vapid_public_key: mastodon_credentials['vapid_public_key']
|
||||||
end
|
end
|
||||||
|
|
||||||
directory "#{mastodon_path}/public/.well-known" do
|
|
||||||
owner node['nginx']['user']
|
|
||||||
group node['nginx']['group']
|
|
||||||
recursive true
|
|
||||||
end
|
|
||||||
|
|
||||||
bundle_install do
|
bundle_install do
|
||||||
user "mastodon"
|
user "mastodon"
|
||||||
deployment true
|
deployment true
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
# Cookbook Name:: kosmos-mastodon
|
# Cookbook Name:: kosmos-mastodon
|
||||||
# Recipe:: nginx
|
# Recipe:: nginx
|
||||||
#
|
#
|
||||||
# Copyright 2017, Kosmos
|
# Copyright 2019, Kosmos
|
||||||
#
|
#
|
||||||
# All rights reserved - Do Not Redistribute
|
# All rights reserved - Do Not Redistribute
|
||||||
#
|
#
|
||||||
|
@ -12,35 +12,26 @@ server_name = node["kosmos-mastodon"]["server_name"]
|
||||||
|
|
||||||
include_recipe "kosmos-nginx"
|
include_recipe "kosmos-nginx"
|
||||||
|
|
||||||
directory "/var/www/mastodon/.well-known/acme-challenge" do
|
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
|
||||||
owner node["nginx"]["user"]
|
|
||||||
group node["nginx"]["group"]
|
|
||||||
recursive true
|
|
||||||
action :create
|
|
||||||
end
|
|
||||||
|
|
||||||
template "#{node['nginx']['dir']}/sites-available/mastodon" do
|
|
||||||
source 'nginx_conf_mastodon.erb'
|
source 'nginx_conf_mastodon.erb'
|
||||||
owner 'www-data'
|
owner 'www-data'
|
||||||
mode 0640
|
mode 0640
|
||||||
variables streaming_port: node["kosmos-mastodon"]["streaming_port"],
|
variables streaming_port: node["kosmos-mastodon"]["streaming_port"],
|
||||||
puma_port: node["kosmos-mastodon"]["puma_port"],
|
puma_port: node["kosmos-mastodon"]["puma_port"],
|
||||||
server_name: server_name,
|
server_name: server_name,
|
||||||
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
|
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
|
||||||
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem",
|
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem",
|
||||||
mastodon_path: mastodon_path
|
mastodon_path: mastodon_path
|
||||||
notifies :reload, 'service[nginx]', :delayed
|
notifies :reload, 'service[nginx]', :delayed
|
||||||
end
|
end
|
||||||
|
|
||||||
nginx_site 'mastodon' do
|
# Legacy vhost
|
||||||
enable true
|
nginx_site "mastodon" do
|
||||||
|
action :disable
|
||||||
end
|
end
|
||||||
|
|
||||||
unless node.chef_environment == "development"
|
nginx_site server_name do
|
||||||
include_recipe "kosmos-base::letsencrypt"
|
action :enable
|
||||||
execute "letsencrypt cert for #{server_name}" do
|
|
||||||
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/mastodon -d #{server_name} -n"
|
|
||||||
not_if { File.exist? "/etc/letsencrypt/live/#{server_name}/fullchain.pem" }
|
|
||||||
notifies :create, "template[#{node['nginx']['dir']}/sites-available/mastodon]", :immediately
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
nginx_certbot_site server_name
|
||||||
|
|
|
@ -3,18 +3,6 @@ map $http_upgrade $connection_upgrade {
|
||||||
'' close;
|
'' close;
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
server_name <%= @server_name %>;
|
|
||||||
|
|
||||||
access_log "/var/log/nginx/mastodon.access.log";
|
|
||||||
error_log "/var/log/nginx/mastodon.error.log";
|
|
||||||
|
|
||||||
location /.well-known { root "/var/www/mastodon"; }
|
|
||||||
location / { return 301 https://$host$request_uri; }
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
|
|
|
@ -11,6 +11,8 @@ include_recipe 'apt'
|
||||||
include_recipe 'ark'
|
include_recipe 'ark'
|
||||||
include_recipe 'composer'
|
include_recipe 'composer'
|
||||||
|
|
||||||
|
server_name = 'wiki.kosmos.org'
|
||||||
|
|
||||||
# FIXME: For now run the update script manually after updating:
|
# FIXME: For now run the update script manually after updating:
|
||||||
#
|
#
|
||||||
# sudo su - /var/www/mediawiki-1.xx.y/maintenance/update.php
|
# sudo su - /var/www/mediawiki-1.xx.y/maintenance/update.php
|
||||||
|
@ -19,10 +21,10 @@ node.override['mediawiki']['webdir'] = "#{node['mediawiki']['docroot_di
|
||||||
node.override['mediawiki']['tarball']['name'] = "mediawiki-#{node['mediawiki']['version']}.tar.gz"
|
node.override['mediawiki']['tarball']['name'] = "mediawiki-#{node['mediawiki']['version']}.tar.gz"
|
||||||
node.override['mediawiki']['tarball']['url'] = "https://releases.wikimedia.org/mediawiki/1.28/#{node['mediawiki']['tarball']['name']}"
|
node.override['mediawiki']['tarball']['url'] = "https://releases.wikimedia.org/mediawiki/1.28/#{node['mediawiki']['tarball']['name']}"
|
||||||
node.override['mediawiki']['language_code'] = 'en'
|
node.override['mediawiki']['language_code'] = 'en'
|
||||||
node.override['mediawiki']['server_name'] = 'wiki.kosmos.org'
|
node.override['mediawiki']['server_name'] = server_name
|
||||||
node.override['mediawiki']['site_name'] = 'Kosmos Wiki'
|
node.override['mediawiki']['site_name'] = 'Kosmos Wiki'
|
||||||
protocol = node.chef_environment == "development" ? "http" : "https"
|
protocol = node.chef_environment == "development" ? "http" : "https"
|
||||||
node.override['mediawiki']['server'] = "#{protocol}://#{node['mediawiki']['server_name']}"
|
node.override['mediawiki']['server'] = "#{protocol}://#{server_name}"
|
||||||
mysql_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mysql')
|
mysql_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mysql')
|
||||||
mediawiki_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mediawiki')
|
mediawiki_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mediawiki')
|
||||||
|
|
||||||
|
@ -59,22 +61,13 @@ include_recipe "mediawiki"
|
||||||
include_recipe "kosmos-nginx"
|
include_recipe "kosmos-nginx"
|
||||||
include_recipe "mediawiki::nginx"
|
include_recipe "mediawiki::nginx"
|
||||||
|
|
||||||
unless node.chef_environment == "development"
|
|
||||||
include_recipe "kosmos-base::letsencrypt"
|
|
||||||
|
|
||||||
execute "letsencrypt cert for wiki.kosmos.org" do
|
|
||||||
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['mediawiki']['docroot_dir']} -d wiki.kosmos.org -n"
|
|
||||||
not_if { File.exist? "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem" }
|
|
||||||
notifies :reload, "service[nginx]", :delayed
|
|
||||||
end
|
|
||||||
end
|
|
||||||
ssl_cert = "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem"
|
ssl_cert = "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem"
|
||||||
ssl_key = "/etc/letsencrypt/live/wiki.kosmos.org/privkey.pem"
|
ssl_key = "/etc/letsencrypt/live/wiki.kosmos.org/privkey.pem"
|
||||||
template "#{node['nginx']['dir']}/sites-available/mediawiki" do
|
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
|
||||||
source "nginx.conf.erb"
|
source "nginx.conf.erb"
|
||||||
variables(
|
variables(
|
||||||
docroot: node['mediawiki']['webdir'],
|
docroot: node['mediawiki']['webdir'],
|
||||||
server_name: node['mediawiki']['server_name'],
|
server_name: server_name,
|
||||||
ssl_cert: ssl_cert,
|
ssl_cert: ssl_cert,
|
||||||
ssl_key: ssl_key
|
ssl_key: ssl_key
|
||||||
)
|
)
|
||||||
|
@ -82,10 +75,17 @@ template "#{node['nginx']['dir']}/sites-available/mediawiki" do
|
||||||
notifies :reload, "service[nginx]", :delayed
|
notifies :reload, "service[nginx]", :delayed
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Legacy vhost
|
||||||
nginx_site 'mediawiki' do
|
nginx_site 'mediawiki' do
|
||||||
enable true
|
action :disable
|
||||||
end
|
end
|
||||||
|
|
||||||
|
nginx_site server_name do
|
||||||
|
action :enable
|
||||||
|
end
|
||||||
|
|
||||||
|
nginx_certbot_site server_name
|
||||||
|
|
||||||
#
|
#
|
||||||
# Extensions
|
# Extensions
|
||||||
#
|
#
|
||||||
|
|
|
@ -1,21 +1,6 @@
|
||||||
|
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||||
server {
|
server {
|
||||||
listen 80;
|
|
||||||
server_name <%= @server_name %>;
|
|
||||||
access_log /var/log/nginx/<%= @server_name %>.access.log;
|
|
||||||
error_log /var/log/nginx/<%= @server_name %>.error.log;
|
|
||||||
|
|
||||||
location /.well-known {
|
|
||||||
root <%= @docroot %>;
|
|
||||||
}
|
|
||||||
location / {
|
|
||||||
return 301 https://$host$request_uri;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
|
||||||
listen 443 ssl;
|
listen 443 ssl;
|
||||||
<% end -%>
|
|
||||||
server_name <%= @server_name %>;
|
server_name <%= @server_name %>;
|
||||||
|
|
||||||
access_log /var/log/nginx/<%= @server_name %>.access.log;
|
access_log /var/log/nginx/<%= @server_name %>.access.log;
|
||||||
|
@ -38,9 +23,8 @@ server {
|
||||||
fastcgi_param HTTP_PROXY "";
|
fastcgi_param HTTP_PROXY "";
|
||||||
}
|
}
|
||||||
|
|
||||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
|
||||||
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
|
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
|
||||||
ssl_certificate <%= @ssl_cert %>;
|
ssl_certificate <%= @ssl_cert %>;
|
||||||
ssl_certificate_key <%= @ssl_key %>;
|
ssl_certificate_key <%= @ssl_key %>;
|
||||||
<% end -%>
|
|
||||||
}
|
}
|
||||||
|
<% end -%>
|
||||||
|
|
|
@ -0,0 +1,49 @@
|
||||||
|
resource_name :nginx_certbot_site
|
||||||
|
|
||||||
|
property :domain, String, name_property: true
|
||||||
|
# pass it if the site name is not the same as the hostname, for example for the
|
||||||
|
# different parity services running on different ports
|
||||||
|
property :site, String
|
||||||
|
|
||||||
|
action :create do
|
||||||
|
include_recipe "kosmos-nginx"
|
||||||
|
|
||||||
|
domain = new_resource.domain
|
||||||
|
site = new_resource.site || domain
|
||||||
|
root_directory = "/var/www/#{domain}"
|
||||||
|
|
||||||
|
directory "#{root_directory}/.well-known/acme-challenge" do
|
||||||
|
owner node["nginx"]["user"]
|
||||||
|
group node["nginx"]["group"]
|
||||||
|
action :create
|
||||||
|
recursive true
|
||||||
|
end
|
||||||
|
|
||||||
|
template "#{node['nginx']['dir']}/sites-available/#{domain}_certbot" do
|
||||||
|
source "nginx_conf_certbot.erb"
|
||||||
|
cookbook "kosmos-nginx"
|
||||||
|
owner node["nginx"]["user"]
|
||||||
|
mode 0640
|
||||||
|
variables server_name: domain,
|
||||||
|
root_directory: root_directory
|
||||||
|
|
||||||
|
notifies :reload, 'service[nginx]', :delayed
|
||||||
|
end
|
||||||
|
|
||||||
|
nginx_site "#{domain}_certbot" do
|
||||||
|
action :enable
|
||||||
|
end
|
||||||
|
|
||||||
|
include_recipe "kosmos-base::letsencrypt"
|
||||||
|
|
||||||
|
# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
|
||||||
|
# has been generated before. The renew cron will take care of renewing
|
||||||
|
execute "letsencrypt cert for #{domain}" do
|
||||||
|
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} -d #{domain} -n"
|
||||||
|
only_if do
|
||||||
|
::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{domain}_certbot") &&
|
||||||
|
!::File.exist?("/etc/letsencrypt/live/#{domain}/fullchain.pem")
|
||||||
|
end
|
||||||
|
notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{site}]", :delayed
|
||||||
|
end
|
||||||
|
end
|
|
@ -0,0 +1,11 @@
|
||||||
|
# Used by Let's Encrypt (certbot in webroot mode)
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name <%= @server_name %>;
|
||||||
|
location /.well-known {
|
||||||
|
root "<%= @root_directory %>";
|
||||||
|
}
|
||||||
|
location / {
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
}
|
|
@ -1,39 +0,0 @@
|
||||||
#
|
|
||||||
# Cookbook Name:: kosmos-parity
|
|
||||||
# Recipe:: letsencrypt
|
|
||||||
#
|
|
||||||
# Copyright 2017, Kosmos
|
|
||||||
#
|
|
||||||
# All rights reserved - Do Not Redistribute
|
|
||||||
#
|
|
||||||
|
|
||||||
include_recipe "kosmos-base::letsencrypt"
|
|
||||||
|
|
||||||
hostname = node['kosmos-parity']['hostname']
|
|
||||||
|
|
||||||
directory "/var/www/#{hostname}/.well-known/acme-challenge" do
|
|
||||||
owner node["nginx"]["user"]
|
|
||||||
group node["nginx"]["group"]
|
|
||||||
action :create
|
|
||||||
recursive true
|
|
||||||
end
|
|
||||||
|
|
||||||
template "#{node['nginx']['dir']}/sites-available/#{hostname}" do
|
|
||||||
source 'nginx_conf_parity_letsencrypt.erb'
|
|
||||||
owner 'www-data'
|
|
||||||
mode 0640
|
|
||||||
variables server_name: hostname,
|
|
||||||
ssl_cert: "/etc/letsencrypt/live/#{hostname}/fullchain.pem",
|
|
||||||
ssl_key: "/etc/letsencrypt/live/#{hostname}/privkey.pem"
|
|
||||||
notifies :reload, 'service[nginx]', :delayed
|
|
||||||
end
|
|
||||||
|
|
||||||
nginx_site "#{hostname}" do
|
|
||||||
action :enable
|
|
||||||
end
|
|
||||||
|
|
||||||
execute "letsencrypt cert for #{hostname}" do
|
|
||||||
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{hostname} -d #{hostname} -n"
|
|
||||||
not_if { File.exist? "/etc/letsencrypt/live/#{hostname}/fullchain.pem" }
|
|
||||||
notifies :reload, "service[nginx]", :delayed
|
|
||||||
end
|
|
|
@ -108,10 +108,6 @@ action :enable do
|
||||||
end
|
end
|
||||||
|
|
||||||
if rpc_proxy_port
|
if rpc_proxy_port
|
||||||
unless node.chef_environment == "development"
|
|
||||||
include_recipe "kosmos-parity::letsencrypt"
|
|
||||||
end
|
|
||||||
|
|
||||||
include_recipe "kosmos-nginx"
|
include_recipe "kosmos-nginx"
|
||||||
|
|
||||||
hostname = node['kosmos-parity']['hostname']
|
hostname = node['kosmos-parity']['hostname']
|
||||||
|
@ -129,8 +125,12 @@ action :enable do
|
||||||
notifies :reload, 'service[nginx]', :delayed
|
notifies :reload, 'service[nginx]', :delayed
|
||||||
end
|
end
|
||||||
|
|
||||||
nginx_site "#{parity_service}" do
|
nginx_site parity_service do
|
||||||
action :enable
|
action :enable
|
||||||
end
|
end
|
||||||
|
|
||||||
|
nginx_certbot_site hostname do
|
||||||
|
site parity_service
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -15,10 +15,6 @@ server {
|
||||||
access_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.access.log json;
|
access_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.access.log json;
|
||||||
error_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.error.log warn;
|
error_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.error.log warn;
|
||||||
|
|
||||||
location /.well-known {
|
|
||||||
root "/var/www/<%= @parity_service %>";
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
# Increase number of buffers. Default is 8
|
# Increase number of buffers. Default is 8
|
||||||
proxy_buffers 1024 8k;
|
proxy_buffers 1024 8k;
|
||||||
|
|
|
@ -1,13 +0,0 @@
|
||||||
# Generated by Chef
|
|
||||||
server {
|
|
||||||
listen 80; # For Let's Encrypt
|
|
||||||
|
|
||||||
server_name <%= @server_name %>;
|
|
||||||
|
|
||||||
access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json;
|
|
||||||
error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn;
|
|
||||||
|
|
||||||
location /.well-known {
|
|
||||||
root "/var/www/<%= @server_name %>";
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -0,0 +1 @@
|
||||||
|
node.default["kosmos-wordpress"]["nginx"]["domain"] = "blog.kosmos.org"
|
|
@ -34,23 +34,15 @@ include_recipe "kosmos-nginx"
|
||||||
|
|
||||||
include_recipe "wordpress::app"
|
include_recipe "wordpress::app"
|
||||||
|
|
||||||
unless node.chef_environment == "development"
|
server_name = node['wordpress']['server_name']
|
||||||
include_recipe "kosmos-base::letsencrypt"
|
|
||||||
|
|
||||||
execute "letsencrypt cert for blog.kosmos.org" do
|
ssl_cert = "/etc/letsencrypt/live/#{server_name}/fullchain.pem"
|
||||||
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['wordpress']['dir']} -d blog.kosmos.org -n"
|
ssl_key = "/etc/letsencrypt/live/#{server_name}/privkey.pem"
|
||||||
not_if { File.exist? "/etc/letsencrypt/live/blog.kosmos.org/fullchain.pem" }
|
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
|
||||||
notifies :reload, "service[nginx]", :delayed
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
ssl_cert = "/etc/letsencrypt/live/blog.kosmos.org/fullchain.pem"
|
|
||||||
ssl_key = "/etc/letsencrypt/live/blog.kosmos.org/privkey.pem"
|
|
||||||
template "#{node['nginx']['dir']}/sites-available/wordpress" do
|
|
||||||
source "nginx.conf.erb"
|
source "nginx.conf.erb"
|
||||||
variables(
|
variables(
|
||||||
docroot: node['wordpress']['dir'],
|
docroot: node['wordpress']['dir'],
|
||||||
server_name: node['wordpress']['server_name'],
|
server_name: server_name,
|
||||||
server_aliases: node['wordpress']['server_aliases'],
|
server_aliases: node['wordpress']['server_aliases'],
|
||||||
server_port: node['wordpress']['server_port'],
|
server_port: node['wordpress']['server_port'],
|
||||||
ssl_cert: ssl_cert,
|
ssl_cert: ssl_cert,
|
||||||
|
@ -60,6 +52,8 @@ template "#{node['nginx']['dir']}/sites-available/wordpress" do
|
||||||
notifies :reload, "service[nginx]", :delayed
|
notifies :reload, "service[nginx]", :delayed
|
||||||
end
|
end
|
||||||
|
|
||||||
nginx_site 'wordpress' do
|
nginx_site server_name do
|
||||||
enable true
|
action :enable
|
||||||
end
|
end
|
||||||
|
|
||||||
|
nginx_certbot_site server_name
|
||||||
|
|
|
@ -1,3 +1,4 @@
|
||||||
node.default['sockethub']['port'] = '10551'
|
node.default['sockethub']['port'] = '10551'
|
||||||
node.default['sockethub']['external_port'] = '10550'
|
node.default['sockethub']['external_port'] = '10550'
|
||||||
node.default['sockethub']['revision'] = 'v2.0.5'
|
node.default['sockethub']['revision'] = 'v2.0.5'
|
||||||
|
node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org'
|
||||||
|
|
|
@ -2,14 +2,12 @@
|
||||||
# Cookbook Name:: sockethub
|
# Cookbook Name:: sockethub
|
||||||
# Recipe:: proxy
|
# Recipe:: proxy
|
||||||
#
|
#
|
||||||
# Copyright 2015-2017, Kosmos
|
# Copyright 2015-2019, Kosmos
|
||||||
#
|
#
|
||||||
# All rights reserved - Do Not Redistribute
|
# All rights reserved - Do Not Redistribute
|
||||||
#
|
#
|
||||||
|
|
||||||
unless node.chef_environment == "development"
|
unless node.chef_environment == "development"
|
||||||
include_recipe "kosmos-base::letsencrypt"
|
|
||||||
|
|
||||||
include_recipe "firewall"
|
include_recipe "firewall"
|
||||||
firewall_rule 'sockethub' do
|
firewall_rule 'sockethub' do
|
||||||
port node['sockethub']['external_port'].to_i
|
port node['sockethub']['external_port'].to_i
|
||||||
|
@ -19,36 +17,27 @@ unless node.chef_environment == "development"
|
||||||
end
|
end
|
||||||
|
|
||||||
include_recipe 'kosmos-nginx'
|
include_recipe 'kosmos-nginx'
|
||||||
|
server_name = node['sockethub']['nginx']['server_name']
|
||||||
|
|
||||||
directory "/var/www/sockethub" do
|
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
|
||||||
owner node["nginx"]["user"]
|
|
||||||
group node["nginx"]["group"]
|
|
||||||
action :create
|
|
||||||
recursive true
|
|
||||||
end
|
|
||||||
|
|
||||||
template "#{node['nginx']['dir']}/sites-available/sockethub" do
|
|
||||||
source 'nginx_conf_sockethub.erb'
|
source 'nginx_conf_sockethub.erb'
|
||||||
owner 'www-data'
|
owner 'www-data'
|
||||||
mode 0640
|
mode 0640
|
||||||
variables sockethub_port: node['sockethub']['port'],
|
variables sockethub_port: node['sockethub']['port'],
|
||||||
sockethub_external_port: node['sockethub']['external_port'],
|
sockethub_external_port: node['sockethub']['external_port'],
|
||||||
server_name: 'sockethub.kosmos.org',
|
server_name: server_name,
|
||||||
ssl_cert: "/etc/letsencrypt/live/sockethub.kosmos.org/fullchain.pem",
|
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
|
||||||
ssl_key: "/etc/letsencrypt/live/sockethub.kosmos.org/privkey.pem"
|
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
|
||||||
notifies :reload, 'service[nginx]', :delayed
|
notifies :reload, 'service[nginx]', :delayed
|
||||||
end
|
end
|
||||||
|
|
||||||
unless node.chef_environment == "development"
|
# Legacy vhost
|
||||||
include_recipe "kosmos-base::letsencrypt"
|
nginx_site "sockethub" do
|
||||||
|
action :disable
|
||||||
execute "letsencrypt cert for sockethub.kosmos.org" do
|
|
||||||
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/sockethub -d sockethub.kosmos.org -n"
|
|
||||||
not_if { File.exist? "/etc/letsencrypt/live/sockethub.kosmos.org/fullchain.pem" }
|
|
||||||
notifies :reload, "service[nginx]", :delayed
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
nginx_site 'sockethub' do
|
nginx_site server_name do
|
||||||
enable true
|
action :enable
|
||||||
end
|
end
|
||||||
|
|
||||||
|
nginx_certbot_site server_name
|
||||||
|
|
|
@ -8,12 +8,10 @@ map $http_upgrade $connection_upgrade {
|
||||||
'' close;
|
'' close;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||||
server {
|
server {
|
||||||
listen 80; # For Let's Encrypt
|
|
||||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
|
||||||
listen <%= @sockethub_external_port %> ssl http2;
|
listen <%= @sockethub_external_port %> ssl http2;
|
||||||
add_header Strict-Transport-Security "max-age=15768000";
|
add_header Strict-Transport-Security "max-age=15768000";
|
||||||
<% end -%>
|
|
||||||
|
|
||||||
server_name <%= @server_name %>;
|
server_name <%= @server_name %>;
|
||||||
|
|
||||||
|
@ -23,10 +21,6 @@ server {
|
||||||
# We might need real ETags, disable those for now
|
# We might need real ETags, disable those for now
|
||||||
gzip off;
|
gzip off;
|
||||||
|
|
||||||
location /.well-known {
|
|
||||||
root "/var/www/sockethub";
|
|
||||||
}
|
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
# Increase number of buffers. Default is 8
|
# Increase number of buffers. Default is 8
|
||||||
proxy_buffers 1024 8k;
|
proxy_buffers 1024 8k;
|
||||||
|
@ -38,8 +32,7 @@ server {
|
||||||
proxy_set_header Connection $connection_upgrade;
|
proxy_set_header Connection $connection_upgrade;
|
||||||
}
|
}
|
||||||
|
|
||||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
|
||||||
ssl_certificate <%= @ssl_cert %>;
|
ssl_certificate <%= @ssl_cert %>;
|
||||||
ssl_certificate_key <%= @ssl_key %>;
|
ssl_certificate_key <%= @ssl_key %>;
|
||||||
<% end -%>
|
|
||||||
}
|
}
|
||||||
|
<% end -%>
|
||||||
|
|
Loading…
Reference in New Issue