diff --git a/site-cookbooks/kosmos-hubot/recipes/default.rb b/site-cookbooks/kosmos-hubot/recipes/default.rb index da40a89..eb85c88 100644 --- a/site-cookbooks/kosmos-hubot/recipes/default.rb +++ b/site-cookbooks/kosmos-hubot/recipes/default.rb @@ -9,7 +9,7 @@ unless node.chef_environment == "development" include_recipe 'firewall' - firewall_rule 'hubot_express_hal8000' do + firewall_rule 'hubot_express_hal8000_freenode' do port 8080 protocol :tcp command :allow @@ -185,7 +185,7 @@ application botka_freenode_path do "HUBOT_RSS_PRINTERROR" => "false", "HUBOT_RSS_IRCCOLORS" => "true", # "HUBOT_LOG_LEVEL" => "error", - "EXPRESS_PORT" => "8082", + "EXPRESS_PORT" => "8081", "HUBOT_AUTH_ADMIN" => "bkero,derbumi,galfert,gregkare,jaaan,slvrbckt,raucao", "RS_LOGGER_USER" => "kosmos@5apps.com", "RS_LOGGER_TOKEN" => botka_freenode_data_bag_item['rs_logger_token'], 
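Review bot: The new `"EXPRESS_PORT" => "8081"` literal duplicates the `express_port = 8081` that the nginx section added further down in this same file uses for its upstream, so editing one without the other leaves nginx proxying to a port nothing listens on. Define the value once before the `application` block, e.g. `botka_freenode_express_port = 8081`, and use `"EXPRESS_PORT" => botka_freenode_express_port.to_s` here and `express_port = botka_freenode_express_port` below. The `firewall_rule` renamed in the preceding hunk still opens 8080 while this bot now binds 8081 behind nginx on 80/443; if nothing else listens on 8080 that rule looks stale, and if the express port is only meant to be reached through the proxy it need not be opened at all — worth confirming against the hal8000 bot's configuration, which is not in this diff. The enclosing `application botka_freenode_path do` block starts and ends outside this hunk.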
@@ -205,3 +205,46 @@ application botka_freenode_path do
     action [:enable, :start]
   end
 end
+
+#
+# Nginx reverse proxy
+#
+express_port = 8081
+express_domain = "freenode.botka.kosmos.org"
+
+unless node.chef_environment == "development"
+  include_recipe "kosmos-base::letsencrypt"
+end
+
+include_recipe 'kosmos-nginx'
+
+directory "/var/www/#{express_domain}/.well-known/acme-challenge" do
+  owner node["nginx"]["user"]
+  group node["nginx"]["group"]
+  recursive true
+  action :create
+end
+
+template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do
+  source 'nginx_conf_hubot.erb'
+  owner node["nginx"]["user"]
+  mode 0640
+  variables express_port: express_port,
+            server_name: express_domain,
+            ssl_cert: "/etc/letsencrypt/live/#{express_domain}/fullchain.pem",
+            ssl_key: "/etc/letsencrypt/live/#{express_domain}/privkey.pem"
+  notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site express_domain do
+  enable true
+end
+
+unless node.chef_environment == "development"
+  execute "letsencrypt cert for #{express_domain}" do
+    command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n"
+    cwd "/usr/local/certbot"
+    not_if { File.exist? "/etc/letsencrypt/live/#{express_domain}/fullchain.pem" }
+    notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{express_domain}]", :immediately
+  end
+end
diff --git a/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb b/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb
new file mode 100644
index 0000000..c2449a1
--- /dev/null
+++ b/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb
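Review bot: The `template` resource for the vhost file is owned by `node["nginx"]["user"]`, the unprivileged worker account; nginx's master process normally reads its configuration as root, so the workers never need to own the file, and a compromised worker owning a `0640` file could rewrite its own server block (repoint `proxy_pass`, drop the TLS section). Make it root-owned and readable by the service group instead: `owner "root"`, `group node["nginx"]["group"]`, keeping `mode 0640`. The `directory` resource above it has the same ownership, which is defensible there because the workers serve files from that webroot, but that reasoning does not extend to the config. Nothing in this hunk renews the certificate once `fullchain.pem` exists, since `not_if` then skips the `execute` permanently; if `kosmos-base::letsencrypt` does not install a renewal job, one should be added here.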
@@ -0,0 +1,44 @@
+#
+# Generated by Chef
+#
+upstream _express_<%= @server_name.gsub(".", "_") %> {
+  server localhost:<%= @express_port %>;
+}
+
+server {
+  listen 80;
+  server_name <%= @server_name %>;
+
+  # For Let's Encrypt ACME verification
+  location /.well-known {
+    root "/var/www/<%= @server_name %>";
+  }
+  location / {
+    return 301 https://$host$request_uri;
+  }
+}
+
+server {
+  <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+  listen 443 ssl http2;
+  add_header Strict-Transport-Security "max-age=15768000";
+  <% end -%>
+
+  server_name <%= @server_name %>;
+
+  access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json;
+  error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn;
+
+  location / {
+    # Increase number of buffers. Default is 8
+    proxy_buffers 1024 8k;
+
+    proxy_pass http://_express_<%= @server_name.gsub(".", "_") %>;
+    proxy_http_version 1.1;
+  }
+
+  <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+  ssl_certificate <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+  <% end -%>
+}
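Review bot: The `location /` proxy block in the TLS server forwards no request metadata: without `proxy_set_header Host $host` hubot sees the upstream name `_express_freenode_botka_kosmos_org` as its Host header, and without `X-Forwarded-Proto` and `X-Forwarded-For` it cannot know it is behind TLS termination or log the real client address. The four `proxy_set_header` lines below, placed next to `proxy_pass`, fix that. Separately, on a first converge before the certificate exists the second `server` block renders with no `listen` directive at all; nginx then falls back to its default port (80 when running as root) and registers a second server for the same `server_name`, logging a conflicting-server-name warning and keeping the redirect block that is defined first — wrapping the whole block in the same `<% if %>` guard would remove the ambiguity. TLS protocol and cipher settings are presumably inherited from the `kosmos-nginx` http-level config, since none are set here — worth confirming.

```nginx
  location / {
    # … unchanged: proxy_buffers …

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_pass http://_express_<%= @server_name.gsub(".", "_") %>;
```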