Add an nginx vhost with a Let's Encrypt certificate for schlupp
This commit is contained in:
Greg Karékinian
parent
2f0ff1f559
commit
d7bdd5cdf3
@ -7,10 +7,12 @@
|
|||||||
# All rights reserved - Do Not Redistribute
|
# All rights reserved - Do Not Redistribute
|
||||||
#
|
#
|
||||||
|
|
||||||
|
express_port = 8083
|
||||||
|
|
||||||
unless node.chef_environment == "development"
|
unless node.chef_environment == "development"
|
||||||
include_recipe "firewall"
|
include_recipe "firewall"
|
||||||
firewall_rule 'hubot_express_schlupp_xmpp' do
|
firewall_rule 'hubot_express_schlupp_xmpp' do
|
||||||
port 8083
|
port express_port
|
||||||
protocol :tcp
|
protocol :tcp
|
||||||
command :allow
|
command :allow
|
||||||
end
|
end
|
||||||
@ -105,3 +107,41 @@ application schlupp_xmpp_path do
|
|||||||
action [:enable, :start]
|
action [:enable, :start]
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# nginx reverse proxy
|
||||||
|
unless node.chef_environment == "development"
|
||||||
|
include_recipe "kosmos-base::letsencrypt"
|
||||||
|
end
|
||||||
|
|
||||||
|
include_recipe 'kosmos-nginx'
|
||||||
|
|
||||||
|
directory "/var/www/hubot.5apps.com/.well-known/acme-challenge" do
|
||||||
|
owner node["nginx"]["user"]
|
||||||
|
group node["nginx"]["group"]
|
||||||
|
recursive true
|
||||||
|
action :create
|
||||||
|
end
|
||||||
|
|
||||||
|
template "#{node['nginx']['dir']}/sites-available/hubot.5apps.com" do
|
||||||
|
source 'nginx_conf_hubot.5apps.com.erb'
|
||||||
|
owner node["nginx"]["user"]
|
||||||
|
mode 0640
|
||||||
|
variables express_port: express_port,
|
||||||
|
server_name: 'hubot.5apps.com',
|
||||||
|
ssl_cert: "/etc/letsencrypt/live/hubot.5apps.com/fullchain.pem",
|
||||||
|
ssl_key: "/etc/letsencrypt/live/hubot.5apps.com/privkey.pem"
|
||||||
|
notifies :reload, 'service[nginx]', :delayed
|
||||||
|
end
|
||||||
|
|
||||||
|
nginx_site 'hubot.5apps.com' do
|
||||||
|
enable true
|
||||||
|
end
|
||||||
|
|
||||||
|
unless node.chef_environment == "development"
|
||||||
|
execute "letsencrypt cert for hubot.5apps.com" do
|
||||||
|
command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/hubot.5apps.com -d hubot.5apps.com -n"
|
||||||
|
cwd "/usr/local/certbot"
|
||||||
|
not_if { File.exist? "/etc/letsencrypt/live/hubot.5apps.com/fullchain.pem" }
|
||||||
|
notifies :create, "template[#{node['nginx']['dir']}/sites-available/hubot.5apps.com]", :immediately
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|||||||
@ -0,0 +1,41 @@
|
|||||||
|
# Generated by Chef
|
||||||
|
upstream _express_schlupp {
|
||||||
|
server localhost:<%= @express_port %>;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 80; # For Let's Encrypt
|
||||||
|
server_name <%= @server_name %>;
|
||||||
|
|
||||||
|
location /.well-known {
|
||||||
|
root "/var/www/hubot.5apps.com";
|
||||||
|
}
|
||||||
|
location / {
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||||
|
listen 443 ssl http2;
|
||||||
|
add_header Strict-Transport-Security "max-age=15768000";
|
||||||
|
<% end -%>
|
||||||
|
|
||||||
|
server_name <%= @server_name %>;
|
||||||
|
|
||||||
|
access_log <%= node[:nginx][:log_dir] %>/hubot.5apps.com.access.log json;
|
||||||
|
error_log <%= node[:nginx][:log_dir] %>/hubot.5apps.com.error.log warn;
|
||||||
|
|
||||||
|
location / {
|
||||||
|
# Increase number of buffers. Default is 8
|
||||||
|
proxy_buffers 1024 8k;
|
||||||
|
|
||||||
|
proxy_pass http://_express_schlupp;
|
||||||
|
proxy_http_version 1.1;
|
||||||
|
}
|
||||||
|
|
||||||
|
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||||
|
ssl_certificate <%= @ssl_cert %>;
|
||||||
|
ssl_certificate_key <%= @ssl_key %>;
|
||||||
|
<% end -%>
|
||||||
|
}
|
||||||
Loading…
x
Reference in New Issue
Block a user