diff --git a/cookbooks/blog/default.rb b/cookbooks/blog/default.rb
index d41bb85..e17ba34 100644
--- a/cookbooks/blog/default.rb
+++ b/cookbooks/blog/default.rb
@@ -1,6 +1,5 @@
 include_recipe './attributes.rb'
 
 if node['blog']['production']
-  include_recipe './ssl.rb'
   include_recipe './nginx.rb'
 end
diff --git a/cookbooks/blog/files/etc/cron.d/blog b/cookbooks/blog/files/etc/cron.d/blog
index 0418f45..5374f8c 100644
--- a/cookbooks/blog/files/etc/cron.d/blog
+++ b/cookbooks/blog/files/etc/cron.d/blog
@@ -1,2 +1 @@
 @reboot webadm cp -pr /home/webadm/works/public/* /var/www/blog/
-12 3 * * * root openssl rand 48 > /etc/letsencrypt/live/blog.kazu634.com/ticket.key
diff --git a/cookbooks/blog/nginx.rb b/cookbooks/blog/nginx.rb
index 19ab20c..96004e0 100644
--- a/cookbooks/blog/nginx.rb
+++ b/cookbooks/blog/nginx.rb
@@ -1,29 +1,3 @@
-# Deploy the nginx configuration file:
-remote_file '/etc/nginx/sites-available/blog' do
-  owner 'root'
-  group 'root'
-  mode '644'
-end
-
-# Deploy cron tab configuration for nginx
-remote_file '/etc/cron.d/blog' do
-  owner 'root'
-  group 'root'
-  mode '644'
-end
-
-# Create link:
-link '/etc/nginx/sites-enabled/blog' do
-  user 'root'
-  to '/etc/nginx/sites-available/blog'
-
-  notifies :restart, 'service[nginx]'
-end
-
-service 'nginx' do
-  action :nothing
-end
-
 # Create the nginx directory:
 directory '/var/www/blog' do
   owner 'www-data'
@@ -48,6 +22,12 @@ execute 'mount -a' do
   action :nothing
 end
 
+remote_file '/etc/cron.d/blog' do
+  owner 'root'
+  group 'root'
+  mode '644'
+end
+
 # Add monit configuration file for monitoring nginx logs:
 remote_file '/etc/monit/conf.d/blog-log.conf' do
   owner 'root'
diff --git a/cookbooks/blog/ssl.rb b/cookbooks/blog/ssl.rb
deleted file mode 100644
index b57731b..0000000
--- a/cookbooks/blog/ssl.rb
+++ /dev/null
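Review bot: The `remote_file '/etc/cron.d/blog'` resource re-added in the second hunk of this file carries no comment, while the copy removed from the top of the file had `# Deploy cron tab configuration for nginx`; since the deployed file now holds only the @reboot entry that copies the built site into /var/www/blog, `# Deploy the cron entry that copies the built site into /var/www/blog at boot:` would describe it better. The first hunk also deletes this file's `service 'nginx'` resource together with the only `notifies` to it that was visible here; if anything in the rest of the file (outside these hunks) still notifies `service[nginx]`, that resource now has to come from the nginx cookbook, whose setup.rb references it, and that is worth confirming before the recipe runs on the production node.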
@@ -1,16 +0,0 @@
-[
-  'rm -f /etc/nginx/sites-enabled/*',
-  'ln -f -s /etc/nginx/sites-available/maintenance /etc/nginx/sites-enabled/maintenance',
-  'systemctl reload nginx',
-  "test -e /etc/letsencrypt/live/#{node['blog']['FQDN']}/cert.pem || certbot certonly --webroot -d #{node['blog']['FQDN']} --webroot-path /usr/share/nginx/html/ --email simoom634@yahoo.co.jp --agree-tos -n",
-  '/home/webadm/bin/nginx-config.sh',
-].each do |cmd|
-  execute cmd
-end
-
-remote_file "/etc/letsencrypt/live/#{node['blog']['FQDN']}/dhparams_4096.pem" do
-  owner 'root'
-  group 'root'
-end
-
-execute "openssl rand 48 > /etc/letsencrypt/live/#{node['blog']['FQDN']}/ticket.key"
diff --git a/cookbooks/nginx/files/etc/cron.d/lego b/cookbooks/nginx/files/etc/cron.d/lego
index 5270ae4..fa1700f 100644
--- a/cookbooks/nginx/files/etc/cron.d/lego
+++ b/cookbooks/nginx/files/etc/cron.d/lego
@@ -1,9 +1,10 @@
-md5:57b921ce69f66f9e8a55f701b6ba1280:salt:181-24-185-209-50-114-63-114:aes-256-cfb:wvv7sg+fdPPpfs6v8NeRSCVXCLpdVrcsI5jr1ct959oIDy2E9mip1wEEt00v
-fP+9XCrHZnRG9aXy7jdVHZfuLI9Pw9ADqL7kJK35CQAue6LKHewSDnwr64CN
-aFaw5pNSdnMpvGvzZiPe0nsqWTucsHl/0/BsnFNYBSdLRH2IZcYG2Do8iYbl
-loml6MZ+Lfaf1YEMUREKkPwNn+vq3eC4ihLd/fs2n21tlq9DBGbTlsL37k/D
-3sIea62lB2uym+3fi4vaSvP4MvYedaJ8WcXYFINMh4miTYMmXCUHLPiDJrX+
-YEVO6QU00psjCqXj/kpYPVhvJRg74E9S6cKfsT/ZDJG7Blm95aVnTEgG2fJV
-MG19BdzXIE/4qrqclFO0A7s/syl9vCC+jecqmP7jWnDiO3eVvPrmr0XHfuIE
-owMUMLnUGfQqK7AS5oYKDEa2g30o44U/PljI91B9jYXwScny0S6g+NRZBZcP
-vG+o4g2oGTVwVrXc
\ No newline at end of file
+md5:30a0e77addb4f453a88596f1d19c504d:salt:179-208-102-156-63-139-97-68:aes-256-cfb:lH4eJhn7bmGIA2yV3C9OC3nPS7fFs9gewhGr8ZnGwcJy12EHYkrRhgJOJbyv
+Rn7vyHEbHWUpcTI6PdYs7HX+7OjxiNTkEvagc8DwGegy9TUcnDLwoeyXzX9o
+MU4/DI3B06wguG04HRpv3428uF1r6a+wNbi1CGaTfFqIDlTFW920BM7vEKhn
+HrvLrO6m8mCHpqfCFUF7UPIUx+0DhfH9yCfqIa0Wz+x7QwEGdzXJY8i8oA1/
+ryV4248P3WVv18GD/Pm3Kjq1LDkjwwgsjFm8m/V1WDL+1uWv6aWILUqdqYge
+4hgDgT6TjsovatXsBTGJ21f21J/qlTRvhIXNHs62RAcLglFAShFp6RPY/VMf
+mQqccWxKhidms/nqM9Xh+3o8dqhqr8FWMdVlQ1SX/Yi1OzB64e2i1MxiqpvQ
+DfCOxJLVo13WuoiDmquuI4PV16ozl1p+0ccaQEDEoQZK0AsOBJJ6aCloSak0
+MMM1+fmvvqB2MaFUUt2txsv/5J1lNVZ3xW6H5veOSFNTXMFBqLPFSjoMDOEs
+s+lkHd+AneN5YTUIGxDCpfdsPhginA==
\ No newline at end of file
diff --git a/cookbooks/blog/files/etc/letsencrypt/live/blog.kazu634.com/dhparams_4096.pem b/cookbooks/nginx/files/etc/lego/dhparams_4096.pem
similarity index 100%
rename from cookbooks/blog/files/etc/letsencrypt/live/blog.kazu634.com/dhparams_4096.pem
rename to cookbooks/nginx/files/etc/lego/dhparams_4096.pem
diff --git a/cookbooks/nginx/lego.rb b/cookbooks/nginx/lego.rb
index 43679d4..c1dc3da 100644
--- a/cookbooks/nginx/lego.rb
+++ b/cookbooks/nginx/lego.rb
@@ -98,3 +98,11 @@ encrypted_remote_file '/etc/cron.d/lego' do
   source 'files/etc/cron.d/lego'
   password ENV['ITAMAE_PASSWORD']
 end
+
+remote_file "/etc/lego/dhparams_4096.pem" do
+  owner 'root'
+  group 'root'
+  mode '444'
+end
+
+execute "openssl rand 48 > /etc/lego/ticket.key"
diff --git a/cookbooks/nginx/setup.rb b/cookbooks/nginx/setup.rb
index 1a29ef8..1901f90 100644
--- a/cookbooks/nginx/setup.rb
+++ b/cookbooks/nginx/setup.rb
@@ -7,12 +7,18 @@
   end
 end
 
-%w( sites-available sites-enabled stream-available stream-enabled).each do |d|
-  directory "/etc/nginx/#{d}" do
-    owner 'root'
-    group 'root'
-    mode '755'
-  end
+link '/etc/nginx/sites-enabled' do
+  to '/home/webadm/repo/nginx-config/sites-available'
+  user 'root'
+
+  notifies :reload, 'service[nginx]'
+end
+
+link '/etc/nginx/stream-enabled' do
+  to '/home/webadm/repo/nginx-config/stream-available'
+  user 'root'
+
+  notifies :reload, 'service[nginx]'
 end
 
 # Deploy the nginx configuration files:
@@ -24,20 +30,6 @@ remote_file '/etc/nginx/nginx.conf' do
   notifies :reload, 'service[nginx]'
 end
 
-%w( default maintenance ).each do |conf|
-  remote_file "/etc/nginx/sites-available/#{conf}" do
-    owner 'root'
-    group 'root'
-    mode '644'
-  end
-end
-
-link '/etc/nginx/sites-enabled/default' do
-  to '/etc/nginx/sites-available/default'
-
-  notifies :reload, 'service[nginx]'
-end
-
 # Log rotation setting:
 remote_file '/etc/logrotate.d/nginx' do
   owner 'root'
diff --git a/cookbooks/nginx/webadm.rb b/cookbooks/nginx/webadm.rb
index 35f6e5e..03fdb5b 100644
--- a/cookbooks/nginx/webadm.rb
+++ b/cookbooks/nginx/webadm.rb
@@ -39,3 +39,10 @@ end
     password ENV['ITAMAE_PASSWORD']
   end
 end
+
+# Create `repo` directory:
+git '/home/webadm/repo/nginx-config' do
+  user 'webadm'
+  repository 'https://gitea.kazu634.com/kazu634/nginx-config.git'
+end
+
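Review bot: The added `execute "openssl rand 48 > /etc/lego/ticket.key"` creates the TLS session ticket key with the default umask, so the file is very likely readable by every local account, and because nothing notifies `service[nginx]`, running workers keep the key they loaded at start-up until some other resource reloads them. The daily rotation cron line for this key (`12 3 * * * root openssl rand 48 > .../ticket.key` in cookbooks/blog/files/etc/cron.d/blog) is deleted by this commit, and whether the re-encrypted cookbooks/nginx/files/etc/cron.d/lego now carries it cannot be seen here, so rotation may have become a provisioning-time event only. I would generate the key under a restrictive umask, reload nginx afterwards, and give the resource a descriptive name; the `encrypted_remote_file` block in the three context lines starts outside the hunk and is unchanged.
```ruby
# … unchanged: remote_file "/etc/lego/dhparams_4096.pem" … end …

# Session ticket key: regenerated on every run (which rotates outstanding
# tickets), readable by root only, and nginx is reloaded so the workers
# actually pick the new key up.
execute 'rotate nginx session ticket key' do
  command '(umask 077 && openssl rand 48 > /etc/lego/ticket.key)'
  notifies :reload, 'service[nginx]'
end
```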
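Review bot: The two `link` resources added in the first hunk of setup.rb point `/etc/nginx/sites-enabled` and `/etc/nginx/stream-enabled` into /home/webadm/repo/nginx-config, a checkout that webadm.rb creates as `user 'webadm'`, so the vhost and stream configuration that nginx's root-owned master process reads is now writable by the unprivileged webadm account and by anyone who can push to that repository, whereas the removed `directory` resources kept these trees root-owned with mode 755. If that is intended, root should own the checkout, or the files should be copied from the repo into root-owned directories under /etc/nginx; otherwise the links should stay within /etc/nginx. Also, on a host provisioned by the previous version of this recipe `/etc/nginx/sites-enabled` already exists as a real directory, and I could not confirm from here that Itamae's `link` resource replaces a directory instead of creating the symlink inside it, so that (and whether the resource's `force` attribute is needed) should be checked before this runs on an existing node. The second hunk of this file is a pure deletion of the default/maintenance sites and needs nothing further.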
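Review bot: The comment ``# Create `repo` directory:`` above the new `git` resource in webadm.rb does not describe it — the resource clones a repository — and `# Clone the nginx-config repository that /etc/nginx/sites-enabled links into:` would. The resource pins no `revision`, so every run checks out whatever the remote currently has, and nothing notifies `service[nginx]` when the checkout changes, so configuration updates pulled here take effect only when some other resource happens to reload nginx. Pinning `revision` to a tag or commit and adding `notifies :reload, 'service[nginx]'` (the service the links in setup.rb already notify) would make both explicit; the three context lines of this hunk close a block that starts outside it.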