Add nginx reverse proxy for botka on freenode

site-cookbooks/kosmos-hubot/recipes/default.rb

@@ -9,7 +9,7 @@
 
 unless node.chef_environment == "development"
   include_recipe 'firewall'
-  firewall_rule 'hubot_express_hal8000' do
+  firewall_rule 'hubot_express_hal8000_freenode' do
     port     8080
     protocol :tcp
     command  :allow
@@ -185,7 +185,7 @@ application botka_freenode_path do
         "HUBOT_RSS_PRINTERROR"        => "false",
         "HUBOT_RSS_IRCCOLORS"         => "true",
         # "HUBOT_LOG_LEVEL"             => "error",
-        "EXPRESS_PORT"                => "8082",
+        "EXPRESS_PORT"                => "8081",
         "HUBOT_AUTH_ADMIN"            => "bkero,derbumi,galfert,gregkare,jaaan,slvrbckt,raucao",
         "RS_LOGGER_USER"              => "kosmos@5apps.com",
         "RS_LOGGER_TOKEN"             => botka_freenode_data_bag_item['rs_logger_token'],
@@ -205,3 +205,46 @@ application botka_freenode_path do
     action [:enable, :start]
   end
 end
+
+#
+# Nginx reverse proxy
+#
+express_port = 8081
+express_domain = "freenode.botka.kosmos.org"
+
+unless node.chef_environment == "development"
+  include_recipe "kosmos-base::letsencrypt"
+end
+
+include_recipe 'kosmos-nginx'
+
+directory "/var/www/#{express_domain}/.well-known/acme-challenge" do
+  owner     node["nginx"]["user"]
+  group     node["nginx"]["group"]
+  recursive true
+  action    :create
+end
+
+template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do
+  source 'nginx_conf_hubot.erb'
+  owner node["nginx"]["user"]
+  mode 0640
+  variables express_port: express_port,
+            server_name:  express_domain,
+            ssl_cert:     "/etc/letsencrypt/live/#{express_domain}/fullchain.pem",
+            ssl_key:      "/etc/letsencrypt/live/#{express_domain}/privkey.pem"
+  notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site express_domain do
+  enable true
+end
+
+unless node.chef_environment == "development"
+  execute "letsencrypt cert for #{express_domain}" do
+    command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n"
+    cwd "/usr/local/certbot"
+    not_if { File.exist? "/etc/letsencrypt/live/#{express_domain}/fullchain.pem" }
+    notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{express_domain}]", :immediately
+  end
+end

site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb

@@ -0,0 +1,44 @@
+#
+# Generated by Chef
+#
+upstream _express_<%= @server_name.gsub(".", "_") %> {
+  server localhost:<%= @express_port %>;
+}
+
+server {
+  listen 80;
+  server_name <%= @server_name %>;
+
+  # For Let's Encrypt ACME verification
+  location /.well-known {
+    root "/var/www/<%= @server_name %>";
+  }
+  location / {
+    return 301 https://$host$request_uri;
+  }
+}
+
+server {
+  <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+  listen 443 ssl http2;
+  add_header Strict-Transport-Security "max-age=15768000";
+  <% end -%>
+
+  server_name <%= @server_name %>;
+
+  access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json;
+  error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn;
+
+  location / {
+    # Increase number of buffers. Default is 8
+    proxy_buffers 1024 8k;
+
+    proxy_pass http://_express_<%= @server_name.gsub(".", "_") %>;
+    proxy_http_version 1.1;
+   }
+
+  <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+  ssl_certificate <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+  <% end -%>
+}