Compare commits
4 Commits
abb652cc2b
...
d79dcd8e65
| Author | SHA1 | Date | |
|---|---|---|---|
|
d79dcd8e65 | ||
|
|
c1e2145ba1 | ||
|
|
d077dfdcf2 | ||
|
|
8a3c519a6c |
@ -27,7 +27,7 @@ knife[:automatic_attribute_whitelist] = %w[
|
||||
]
|
||||
|
||||
knife[:default_attribute_whitelist] = []
|
||||
knife[:normal_attribute_whitelist] = ['knife_zero', 'kosmos_kvm', 'kosmos-ejabberd']
|
||||
knife[:normal_attribute_whitelist] = ['knife_zero', 'kosmos_kvm', 'kosmos-ejabberd', 'openresty']
|
||||
knife[:override_attribute_whitelist] = []
|
||||
|
||||
knife[:allowed_normal_attributes] = ['knife_zero', 'kosmos_kvm', 'kosmos-ejabberd']
|
||||
knife[:allowed_normal_attributes] = ['knife_zero', 'kosmos_kvm', 'kosmos-ejabberd', 'openresty']
|
||||
|
||||
@ -52,16 +52,17 @@ end
|
||||
end
|
||||
end
|
||||
|
||||
# TODO check if nginx is installed/running on the node
|
||||
file "/etc/letsencrypt/renewal-hooks/deploy/nginx" do
|
||||
content <<-EOF
|
||||
#!/usr/bin/env bash
|
||||
# Reloading nginx is enough to read the new certificates
|
||||
systemctl reload nginx
|
||||
EOF
|
||||
mode 0755
|
||||
owner "root"
|
||||
group "root"
|
||||
if node.run_list.roles.include?("openresty_proxy")
|
||||
file "/etc/letsencrypt/renewal-hooks/post/openresty" do
|
||||
content <<-EOF
|
||||
#!/usr/bin/env bash
|
||||
# Reloading openresty is enough to read the new certificates
|
||||
systemctl reload openresty
|
||||
EOF
|
||||
mode 0755
|
||||
owner "root"
|
||||
group "root"
|
||||
end
|
||||
end
|
||||
|
||||
# include_recipe 'kosmos-base::systemd_emails'
|
||||
|
||||
46
site-cookbooks/kosmos-base/resources/tls_cert_for.rb
Normal file
46
site-cookbooks/kosmos-base/resources/tls_cert_for.rb
Normal file
@ -0,0 +1,46 @@
|
||||
resource_name :tls_cert_for
|
||||
provides :tls_cert_for
|
||||
|
||||
property :domain, [String, Array], name_property: true
|
||||
property :auth, [String, NilClass], default: nil
|
||||
|
||||
default_action :create
|
||||
|
||||
action :create do
|
||||
include_recipe 'kosmos-base::letsencrypt'
|
||||
|
||||
domains = Array(new_resource.domain)
|
||||
|
||||
case new_resource.auth
|
||||
when "gandi_dns"
|
||||
gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
|
||||
|
||||
hook_path = "/root/gandi_dns_certbot_hook.sh"
|
||||
template hook_path do
|
||||
cookbook "kosmos-base"
|
||||
variables gandi_api_key: gandi_api_data_bag_item["key"]
|
||||
mode 0770
|
||||
end
|
||||
|
||||
# Generate a Let's Encrypt cert (only if no cert has been generated before).
|
||||
# The systemd timer will take care of renewing
|
||||
execute "letsencrypt cert for #{domains.join(', ')}" do
|
||||
command <<-CMD
|
||||
certbot certonly --manual -n \
|
||||
--preferred-challenges dns \
|
||||
--manual-public-ip-logging-ok \
|
||||
--agree-tos \
|
||||
--manual-auth-hook '#{hook_path} auth' \
|
||||
--manual-cleanup-hook '#{hook_path} cleanup' \
|
||||
--deploy-hook /etc/letsencrypt/renewal-hooks/post/openresty \
|
||||
--email ops@kosmos.org \
|
||||
#{domains.map {|d| "-d #{d}" }.join(" ")}
|
||||
CMD
|
||||
not_if do
|
||||
::File.exist?("/etc/letsencrypt/live/#{domains.first}/fullchain.pem")
|
||||
end
|
||||
end
|
||||
else
|
||||
# regular http auth
|
||||
end
|
||||
end
|
||||
63
site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb
Executable file
63
site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb
Executable file
@ -0,0 +1,63 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
|
||||
set -euf -o pipefail
|
||||
|
||||
# ************** USAGE **************
|
||||
#
|
||||
# Example usage (with this hook file saved in /root/):
|
||||
#
|
||||
# sudo su -
|
||||
# certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
|
||||
# --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
|
||||
#
|
||||
# This hook requires configuration, continue reading.
|
||||
#
|
||||
# ************** CONFIGURATION **************
|
||||
#
|
||||
# GANDI_API_KEY: Your Gandi Live API key
|
||||
#
|
||||
# PROVIDER_UPDATE_DELAY:
|
||||
# How many seconds to wait after updating your DNS records. This may be required,
|
||||
# depending on how slow your DNS host is to begin serving new DNS records after updating
|
||||
# them via the API. 30 seconds is a safe default, but some providers can be very slow
|
||||
# (e.g. Linode).
|
||||
#
|
||||
# Defaults to 30 seconds.
|
||||
#
|
||||
GANDI_API_KEY="<%= @gandi_api_key %>"
|
||||
PROVIDER_UPDATE_DELAY=2
|
||||
|
||||
regex='.*\.(.*\..*)'
|
||||
if [[ $CERTBOT_DOMAIN =~ $regex ]]
|
||||
then
|
||||
DOMAIN="${BASH_REMATCH[1]}"
|
||||
else
|
||||
DOMAIN="${CERTBOT_DOMAIN}"
|
||||
fi
|
||||
|
||||
# To be invoked via Certbot's --manual-auth-hook
|
||||
function auth {
|
||||
curl -s -D- -H "Content-Type: application/json" \
|
||||
-H "X-Api-Key: ${GANDI_API_KEY}" \
|
||||
-d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
|
||||
\"rrset_type\": \"TXT\",
|
||||
\"rrset_ttl\": 3600,
|
||||
\"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
|
||||
"https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
|
||||
|
||||
|
||||
sleep ${PROVIDER_UPDATE_DELAY}
|
||||
}
|
||||
|
||||
# To be invoked via Certbot's --manual-cleanup-hook
|
||||
function cleanup {
|
||||
curl -s -X DELETE -H "Content-Type: application/json" \
|
||||
-H "X-Api-Key: ${GANDI_API_KEY}" \
|
||||
https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
|
||||
}
|
||||
|
||||
HANDLER=$1; shift;
|
||||
if [ -n "$(type -t $HANDLER)" ] && [ "$(type -t $HANDLER)" = function ]; then
|
||||
$HANDLER "$@"
|
||||
fi
|
||||
@ -7,4 +7,5 @@ long_description 'Configures static asset Web hosting'
|
||||
version '1.0.0'
|
||||
chef_version '>= 15.10' if respond_to?(:chef_version)
|
||||
|
||||
depends "kosmos-nginx"
|
||||
depends "kosmos-base"
|
||||
depends "kosmos_openresty"
|
||||
|
||||
@ -1,38 +1,35 @@
|
||||
#
|
||||
# Cookbook:: kosmos_assets
|
||||
# Recipe:: nginx_site
|
||||
# Recipe:: openresty_site
|
||||
#
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
include_recipe "kosmos_openresty"
|
||||
|
||||
domain = node["kosmos_assets"]["domain"]
|
||||
|
||||
nginx_certbot_site domain
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
directory "/var/www/#{domain}/site" do
|
||||
user node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
user node["openresty"]["user"]
|
||||
group node["openresty"]["group"]
|
||||
mode "0755"
|
||||
recursive true
|
||||
end
|
||||
|
||||
git "/var/www/#{domain}/site" do
|
||||
user node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
user node["openresty"]["user"]
|
||||
group node["openresty"]["group"]
|
||||
repository node["kosmos_assets"]["repo"]
|
||||
revision node["kosmos_assets"]["revision"]
|
||||
action :sync
|
||||
end
|
||||
|
||||
template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
|
||||
source "nginx_conf_assets.erb"
|
||||
owner node["nginx"]["user"]
|
||||
mode 0640
|
||||
openresty_site domain do
|
||||
template "nginx_conf_assets.erb"
|
||||
variables domain: domain,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
||||
notifies :reload, "service[nginx]", :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
||||
end
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
# Generated by Chef
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name <%= @domain %>;
|
||||
|
||||
|
||||
@ -5,3 +5,8 @@
|
||||
|
||||
# Install openresty from official packages
|
||||
include_recipe 'openresty::apt_package'
|
||||
|
||||
openresty_site 'hello_world' do
|
||||
template 'hello_world.conf.erb'
|
||||
action :enable
|
||||
end
|
||||
|
||||
@ -0,0 +1,9 @@
|
||||
server {
|
||||
listen 80 reuseport;
|
||||
location / {
|
||||
default_type text/plain;
|
||||
content_by_lua_block {
|
||||
ngx.say("Hello World")
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1 +1 @@
|
||||
Subproject commit 0406e84985a43afc9253b238f563a0850aca892e
|
||||
Subproject commit f48675c7f6aa03498dcd966a21f38d8f8f25f9f4
|
||||
Loading…
x
Reference in New Issue
Block a user