chef/site-cookbooks/sockethub/recipes/proxy.rb

#
# Cookbook Name:: sockethub
# Recipe:: proxy
#

include_recipe 'sockethub::firewall'
include_recipe 'kosmos-nginx'
include_recipe "kosmos-base::letsencrypt"

server_name = node['sockethub']['nginx']['server_name']

nginx_post_hook = <<-EOF
#!/usr/bin/env bash

set -e

systemctl reload nginx
EOF

file "/etc/letsencrypt/renewal-hooks/post/nginx" do
  content nginx_post_hook
  mode 0755
  owner "root"
  group "root"
end

gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')

template "/root/gandi_dns_certbot_hook.sh" do
  variables gandi_api_key: gandi_api_data_bag_item["key"]
  mode 0770
end

# Generate a Let's Encrypt cert (only if no cert has been generated before).
# The systemd timer will take care of renewing
execute "letsencrypt cert for sockethub" do
  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/nginx\" --email ops@kosmos.org -d #{server_name}  -n"
  not_if do
    File.exist?("/etc/letsencrypt/live/#{server_name}/fullchain.pem")
  end
end

template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
  source 'nginx_conf_sockethub.erb'
  owner 'www-data'
  mode 0640
  variables sockethub_port:          node['sockethub']['port'],
            sockethub_external_port: node['sockethub']['external_port'],
            server_name:             server_name,
            ssl_cert:                "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
            ssl_key:                 "/etc/letsencrypt/live/#{server_name}/privkey.pem"
  notifies :reload, 'service[nginx]', :delayed
end

nginx_site server_name do
  action :enable
end