diff --git a/site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb b/site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb
index 3be5800..2775c60 100644
--- a/site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb
@@ -23,11 +23,12 @@ template "#{node['nginx']['dir']}/sites-available/ipfs.kosmos.org" do
 source 'nginx_conf_ipfs.kosmos.org.erb'
 owner 'www-data'
 mode 0640
- variables server_name: 'ipfs.kosmos.org',
- root_directory: root_directory,
- ssl_cert: "/etc/letsencrypt/live/ipfs.kosmos.org/fullchain.pem",
- ssl_key: "/etc/letsencrypt/live/ipfs.kosmos.org/privkey.pem",
- ipfs_api_port: 5001
+ variables server_name: 'ipfs.kosmos.org',
+ root_directory: root_directory,
+ ssl_cert: "/etc/letsencrypt/live/ipfs.kosmos.org/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/ipfs.kosmos.org/privkey.pem",
+ ipfs_api_port: 5001,
+ ipfs_external_api_port: 5444
 notifies :reload, 'service[nginx]', :delayed
 end
@@ -36,6 +37,12 @@ nginx_site 'ipfs.kosmos.org' do
 enable true
 end
+firewall_rule 'ipfs_api' do
+ port 5444
+ protocol :tcp
+ command :allow
+end
+
 # Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
 # has been generated before. The renew cron will take care of renewing
 execute "letsencrypt cert for ipfs.kosmos.org" do
diff --git a/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb b/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb
index 7aaff58..94c75a1 100644
--- a/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb
+++ b/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb
@@ -16,7 +16,7 @@ server {
 server {
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
- listen 443 ssl spdy;
+ listen <%= @ipfs_external_api_port %> ssl spdy;
 <% else -%>
 listen 80;
 <% end -%>
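Review bot: The port literal `5444` is written in the `variables` hash of the first letsencrypt.rb hunk and again as `port 5444` in the `firewall_rule 'ipfs_api'` hunk, so the nginx listen port and the opened firewall port can drift apart on a later edit. Defining it once in the recipe, e.g. `ipfs_external_api_port = 5444`, and then using `ipfs_external_api_port: ipfs_external_api_port` and `port ipfs_external_api_port` keeps the two in step, the same way `root_directory` is already passed. The `template` block starts outside the hunk.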
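Review bot: The `firewall_rule 'ipfs_api'` block allows 5444/tcp from any source, and judging by the rule name and the `ipfs_api_port: 5001` template variable this port fronts the IPFS API. That API gives control over the node, so unless the nginx vhost (its body is not in the diff) enforces authentication or limits the proxied paths, the rule should be narrowed by adding a line such as `source '<ALLOWED_CIDR_PLACEHOLDER>'` inside the block. A comment above the rule, e.g. `# nginx TLS proxy in front of the IPFS API; keep the caller set narrow`, would record why the port is open.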
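Review bot: The `else` branch in the nginx template hunk is left as `listen 80;`, so until both certificate files exist this server block answers in clear text on port 80, and once they exist it listens only on the external API port. If the API proxy `location` sits in this same block (it is outside the hunk), it would be served without TLS during that window; wrapping that `location` in the same `File.exist?` check, or keeping it out of the port-80 variant, would close the gap. The new `listen` line also carries `spdy` forward, which newer nginx releases replaced with `http2`, so it is worth confirming against the deployed nginx version. The server block continues outside the hunk.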