From 7349dc9b306b873296aa48fed68416e9e3b24358 Mon Sep 17 00:00:00 2001 From: Kazuhiro MUSASHI Date: Sun, 3 Nov 2019 13:42:07 +0800 Subject: [PATCH 1/7] Clone the nginx config from the git repository. --- cookbooks/nginx/webadm.rb | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/cookbooks/nginx/webadm.rb b/cookbooks/nginx/webadm.rb index 35f6e5e..03fdb5b 100644 --- a/cookbooks/nginx/webadm.rb +++ b/cookbooks/nginx/webadm.rb @@ -39,3 +39,10 @@ end password ENV['ITAMAE_PASSWORD'] end end + +# Create `repo` directory: +git '/home/webadm/repo/nginx-config' do + user 'webadm' + repository 'https://gitea.kazu634.com/kazu634/nginx-config.git' +end + From eddc0a517fc378ac27bd917fb4ab9f85d6517fa9 Mon Sep 17 00:00:00 2001 From: Kazuhiro MUSASHI Date: Sun, 3 Nov 2019 13:38:31 +0800 Subject: [PATCH 2/7] Create sym-link to `/etc/nginx` config directories. --- cookbooks/nginx/setup.rb | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/cookbooks/nginx/setup.rb b/cookbooks/nginx/setup.rb index 1a29ef8..9c33e6a 100644 --- a/cookbooks/nginx/setup.rb +++ b/cookbooks/nginx/setup.rb @@ -7,12 +7,18 @@ end end -%w( sites-available sites-enabled stream-available stream-enabled).each do |d| - directory "/etc/nginx/#{d}" do - owner 'root' - group 'root' - mode '755' - end +link '/etc/nginx/sites-enabled' do + to '/home/webadm/repo/nginx-config/sites-available' + user 'root' + + notifies :reload, 'service[nginx]' +end + +link '/etc/nginx/stream-enabled' do + to '/home/webadm/repo/nginx-config/stream-available' + user 'root' + + notifies :reload, 'service[nginx]' end # Deploy the nginx configuration files: From 494f16b4f84ff7fcdf2f391de842e540bc58f0cc Mon Sep 17 00:00:00 2001 From: Kazuhiro MUSASHI Date: Sun, 3 Nov 2019 13:41:09 +0800 Subject: [PATCH 3/7] Use `nginx` repository configs --- cookbooks/blog/nginx.rb | 26 -------------------------- cookbooks/nginx/setup.rb | 14 -------------- 2 files changed, 40 deletions(-) 
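Review bot: The new `git` resource in cookbooks/nginx/webadm.rb sets no `revision`, so as far as I can tell from Itamae's git resource each apply moves the checkout to whatever the remote's HEAD is, and that checkout is what nginx serves once the symlinks later in this series land — anyone who can push to that Gitea repository reconfigures the web server on every host at the next run. Pin it, e.g. `revision node['nginx']['config_revision']` (attribute to be added), so a config change is a deliberate bump that can be reviewed and rolled back. The clone is also made as `webadm` under `/home/webadm`, which hands ownership of config that nginx's root master process parses to an unprivileged account; cloning as root into a root-owned path would keep that boundary. A one-line comment stating why the config lives in a user-owned repo would help if that is intended.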
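Review bot: The two `link` resources in cookbooks/nginx/setup.rb point root-owned `/etc/nginx/sites-enabled` and `/etc/nginx/stream-enabled` into `/home/webadm/repo/nginx-config/`, a tree the `webadm` user can write, so whoever controls that account can make nginx's root-run master `include` any file, write `access_log`/`error_log` anywhere, or listen on any port; the commit drops the config owner from root to webadm without saying why, and at minimum that deserves a comment above the links. Separately, the loop this hunk removes used to create these paths as real directories (and the Debian/Ubuntu nginx package ships `sites-enabled` as one), and Itamae's `link` resource does not, as far as I can tell, replace an existing non-symlink target unless `force true` is set — on an already-provisioned host the link would be created inside the old directory and the reload would keep serving the old configs. Add `force true` to both resources and verify on an existing host, or remove the old directories explicitly first.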
diff --git a/cookbooks/blog/nginx.rb b/cookbooks/blog/nginx.rb
index 19ab20c..6591425 100644
--- a/cookbooks/blog/nginx.rb
+++ b/cookbooks/blog/nginx.rb
@@ -1,29 +1,3 @@
-# Deploy the nginx configuration file:
-remote_file '/etc/nginx/sites-available/blog' do
- owner 'root'
- group 'root'
- mode '644'
-end
-
-# Deploy cron tab configuration for nginx
-remote_file '/etc/cron.d/blog' do
- owner 'root'
- group 'root'
- mode '644'
-end
-
-# Create link:
-link '/etc/nginx/sites-enabled/blog' do
- user 'root'
- to '/etc/nginx/sites-available/blog'
-
- notifies :restart, 'service[nginx]'
-end
-
-service 'nginx' do
- action :nothing
-end
-
 # Create the nginx directory:
 directory '/var/www/blog' do
 owner 'www-data'
diff --git a/cookbooks/nginx/setup.rb b/cookbooks/nginx/setup.rb
index 9c33e6a..1901f90 100644
--- a/cookbooks/nginx/setup.rb
+++ b/cookbooks/nginx/setup.rb
@@ -30,20 +30,6 @@ remote_file '/etc/nginx/nginx.conf' do
 notifies :reload, 'service[nginx]'
 end
 
-%w( default maintenance ).each do |conf|
- remote_file "/etc/nginx/sites-available/#{conf}" do
- owner 'root'
- group 'root'
- mode '644'
- end
-end
-
-link '/etc/nginx/sites-enabled/default' do
- to '/etc/nginx/sites-available/default'
-
- notifies :reload, 'service[nginx]'
-end
-
 # Log rotation setting:
 remote_file '/etc/logrotate.d/nginx' do
 owner 'root'
From 37e11592cd7d07b6e7ffeb01b799f129065478b5 Mon Sep 17 00:00:00 2001 From: Kazuhiro MUSASHI Date: Sun, 3 Nov 2019 13:31:19 +0800 Subject: [PATCH 4/7] Do not execute the maitenance procedures. --- cookbooks/blog/ssl.rb | 10 ---------- 1 file changed, 10 deletions(-)
diff --git a/cookbooks/blog/ssl.rb b/cookbooks/blog/ssl.rb
index b57731b..7a05379 100644
--- a/cookbooks/blog/ssl.rb
+++ b/cookbooks/blog/ssl.rb
@@ -1,13 +1,3 @@
-[
- 'rm -f /etc/nginx/sites-enabled/*',
- 'ln -f -s /etc/nginx/sites-available/maintenance /etc/nginx/sites-enabled/maintenance',
- 'systemctl reload nginx',
- "test -e /etc/letsencrypt/live/#{node['blog']['FQDN']}/cert.pem || certbot certonly --webroot -d #{node['blog']['FQDN']} --webroot-path /usr/share/nginx/html/ --email simoom634@yahoo.co.jp --agree-tos -n",
- '/home/webadm/bin/nginx-config.sh',
-].each do |cmd|
- execute cmd
-end
-
 remote_file "/etc/letsencrypt/live/#{node['blog']['FQDN']}/dhparams_4096.pem" do
 owner 'root'
 group 'root'
From 28053a2c370840e2facfb04c0234249ef849e3fb Mon Sep 17 00:00:00 2001 From: Kazuhiro MUSASHI Date: Sun, 3 Nov 2019 13:32:08 +0800 Subject: [PATCH 5/7] Deploy `dhparams_4096.pem` & `ticket.key`. --- cookbooks/blog/ssl.rb | 6 ++++-- .../files/etc/lego}/dhparams_4096.pem | 0 cookbooks/nginx/lego.rb | 8 ++++++++ 3 files changed, 12 insertions(+), 2 deletions(-) rename cookbooks/{blog/files/etc/letsencrypt/live/blog.kazu634.com => nginx/files/etc/lego}/dhparams_4096.pem (100%)
diff --git a/cookbooks/blog/ssl.rb b/cookbooks/blog/ssl.rb
index 7a05379..ed9b535 100644
--- a/cookbooks/blog/ssl.rb
+++ b/cookbooks/blog/ssl.rb
@@ -1,6 +1,8 @@
-remote_file "/etc/letsencrypt/live/#{node['blog']['FQDN']}/dhparams_4096.pem" do
+remote_file "/etc/lego/dhparams_4096.pem" do
 owner 'root'
 group 'root'
+ mode '444'
 end
 
-execute "openssl rand 48 > /etc/letsencrypt/live/#{node['blog']['FQDN']}/ticket.key"
+execute "openssl rand 48 > /etc/lego/ticket.key"
+
diff --git a/cookbooks/blog/files/etc/letsencrypt/live/blog.kazu634.com/dhparams_4096.pem b/cookbooks/nginx/files/etc/lego/dhparams_4096.pem
similarity index 100%
rename from cookbooks/blog/files/etc/letsencrypt/live/blog.kazu634.com/dhparams_4096.pem
rename to cookbooks/nginx/files/etc/lego/dhparams_4096.pem
diff --git a/cookbooks/nginx/lego.rb b/cookbooks/nginx/lego.rb
index 43679d4..c1dc3da 100644
--- a/cookbooks/nginx/lego.rb
+++ b/cookbooks/nginx/lego.rb
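Review bot: `execute "openssl rand 48 > /etc/lego/ticket.key"` writes the TLS session-ticket key through a shell redirect with no mode, so the file gets the umask of the Itamae run — normally 0644, i.e. world-readable — and any local user who reads it can decrypt every captured TLS session that resumed with that key, which defeats forward secrecy for as long as the key is in service. Create it under a restrictive umask and pin the mode afterwards, e.g. `execute "(umask 077 && openssl rand 48 > /etc/lego/ticket.key)"` followed by `file '/etc/lego/ticket.key' do owner 'root'; group 'root'; mode '400' end`. The same two resources are added to cookbooks/nginx/lego.rb in this patch, so with the blog cookbook enabled the key is generated twice per apply; one cookbook should own it.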
@@ -98,3 +98,11 @@ encrypted_remote_file '/etc/cron.d/lego' do
 source 'files/etc/cron.d/lego'
 password ENV['ITAMAE_PASSWORD']
 end
+
+remote_file "/etc/lego/dhparams_4096.pem" do
+ owner 'root'
+ group 'root'
+ mode '444'
+end
+
+execute "openssl rand 48 > /etc/lego/ticket.key"
From 7d6ae95020a59a5586453607c6c4990a8f60f209 Mon Sep 17 00:00:00 2001 From: Kazuhiro MUSASHI Date: Sun, 3 Nov 2019 16:05:26 +0800 Subject: [PATCH 6/7] Generate `ticket.key` by `nginx` cookbook. --- cookbooks/blog/default.rb | 1 - cookbooks/blog/files/etc/cron.d/blog | 1 - cookbooks/blog/ssl.rb | 8 -------- cookbooks/nginx/files/etc/cron.d/lego | 19 ++++++++++--------- 4 files changed, 10 insertions(+), 19 deletions(-) delete mode 100644 cookbooks/blog/ssl.rb
diff --git a/cookbooks/blog/default.rb b/cookbooks/blog/default.rb
index d41bb85..e17ba34 100644
--- a/cookbooks/blog/default.rb
+++ b/cookbooks/blog/default.rb
@@ -1,6 +1,5 @@ include_recipe './attributes.rb' if node['blog']['production'] - include_recipe './ssl.rb' include_recipe './nginx.rb' end
diff --git a/cookbooks/blog/files/etc/cron.d/blog b/cookbooks/blog/files/etc/cron.d/blog
index 0418f45..5374f8c 100644
--- a/cookbooks/blog/files/etc/cron.d/blog
+++ b/cookbooks/blog/files/etc/cron.d/blog
@@ -1,2 +1 @@
 @reboot webadm cp -pr /home/webadm/works/public/* /var/www/blog/
-12 3 * * * root openssl rand 48 > /etc/letsencrypt/live/blog.kazu634.com/ticket.key
diff --git a/cookbooks/blog/ssl.rb b/cookbooks/blog/ssl.rb
deleted file mode 100644
index ed9b535..0000000
--- a/cookbooks/blog/ssl.rb
+++ /dev/null
@@ -1,8 +0,0 @@
-remote_file "/etc/lego/dhparams_4096.pem" do
- owner 'root'
- group 'root'
- mode '444'
-end
-
-execute "openssl rand 48 > /etc/lego/ticket.key"
-
diff --git a/cookbooks/nginx/files/etc/cron.d/lego b/cookbooks/nginx/files/etc/cron.d/lego
index 5270ae4..fa1700f 100644
--- a/cookbooks/nginx/files/etc/cron.d/lego
+++ b/cookbooks/nginx/files/etc/cron.d/lego
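Review bot: The `execute` closing the lego.rb hunk regenerates `/etc/lego/ticket.key` on every Itamae apply but has no `notifies :reload, 'service[nginx]'`, so — assuming nginx.conf points `ssl_session_ticket_keys` at this file, which the patch does not show — the running nginx keeps the key it loaded last time and the fresh file only takes effect at some later unrelated reload, leaving the on-disk and in-memory keys silently different. Add `notifies :reload, 'service[nginx]'` to the resource, or guard it with `not_if 'test -s /etc/lego/ticket.key'` if it is only meant to seed the file once and rotation belongs to cron. The redirect also inherits the run's umask, so unless something else fixes the mode the key is likely world-readable. A short comment above the resource saying who rotates the key and how nginx picks it up would help the next maintainer.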
@@ -1,9 +1,10 @@ -md5:57b921ce69f66f9e8a55f701b6ba1280:salt:181-24-185-209-50-114-63-114:aes-256-cfb:wvv7sg+fdPPpfs6v8NeRSCVXCLpdVrcsI5jr1ct959oIDy2E9mip1wEEt00v -fP+9XCrHZnRG9aXy7jdVHZfuLI9Pw9ADqL7kJK35CQAue6LKHewSDnwr64CN -aFaw5pNSdnMpvGvzZiPe0nsqWTucsHl/0/BsnFNYBSdLRH2IZcYG2Do8iYbl -loml6MZ+Lfaf1YEMUREKkPwNn+vq3eC4ihLd/fs2n21tlq9DBGbTlsL37k/D -3sIea62lB2uym+3fi4vaSvP4MvYedaJ8WcXYFINMh4miTYMmXCUHLPiDJrX+ -YEVO6QU00psjCqXj/kpYPVhvJRg74E9S6cKfsT/ZDJG7Blm95aVnTEgG2fJV -MG19BdzXIE/4qrqclFO0A7s/syl9vCC+jecqmP7jWnDiO3eVvPrmr0XHfuIE -owMUMLnUGfQqK7AS5oYKDEa2g30o44U/PljI91B9jYXwScny0S6g+NRZBZcP -vG+o4g2oGTVwVrXc \ No newline at end of file +md5:30a0e77addb4f453a88596f1d19c504d:salt:179-208-102-156-63-139-97-68:aes-256-cfb:lH4eJhn7bmGIA2yV3C9OC3nPS7fFs9gewhGr8ZnGwcJy12EHYkrRhgJOJbyv +Rn7vyHEbHWUpcTI6PdYs7HX+7OjxiNTkEvagc8DwGegy9TUcnDLwoeyXzX9o +MU4/DI3B06wguG04HRpv3428uF1r6a+wNbi1CGaTfFqIDlTFW920BM7vEKhn +HrvLrO6m8mCHpqfCFUF7UPIUx+0DhfH9yCfqIa0Wz+x7QwEGdzXJY8i8oA1/ +ryV4248P3WVv18GD/Pm3Kjq1LDkjwwgsjFm8m/V1WDL+1uWv6aWILUqdqYge +4hgDgT6TjsovatXsBTGJ21f21J/qlTRvhIXNHs62RAcLglFAShFp6RPY/VMf +mQqccWxKhidms/nqM9Xh+3o8dqhqr8FWMdVlQ1SX/Yi1OzB64e2i1MxiqpvQ +DfCOxJLVo13WuoiDmquuI4PV16ozl1p+0ccaQEDEoQZK0AsOBJJ6aCloSak0 +MMM1+fmvvqB2MaFUUt2txsv/5J1lNVZ3xW6H5veOSFNTXMFBqLPFSjoMDOEs +s+lkHd+AneN5YTUIGxDCpfdsPhginA== \ No newline at end of file From 272afbaf2ec15285b9349ab8a4e3cd3dc6138653 Mon Sep 17 00:00:00 2001 From: Kazuhiro MUSASHI Date: Mon, 4 Nov 2019 00:36:28 +0800 Subject: [PATCH 7/7] Deploy /etc/cron.d/blog. --- cookbooks/blog/nginx.rb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/cookbooks/blog/nginx.rb b/cookbooks/blog/nginx.rb index 6591425..96004e0 100644 --- a/cookbooks/blog/nginx.rb +++ b/cookbooks/blog/nginx.rb 
@@ -22,6 +22,12 @@ execute 'mount -a' do
 action :nothing
 end
 
+remote_file '/etc/cron.d/blog' do
+ owner 'root'
+ group 'root'
+ mode '644'
+end
+
 # Add monit configuration file for monitoring nginx logs:
 remote_file '/etc/monit/conf.d/blog-log.conf' do
 owner 'root'
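Review bot: The new `remote_file '/etc/cron.d/blog'` resource has no comment, unlike the neighbouring deploys in this file, and the job it installs (shown in this series' cookbooks/blog/files/etc/cron.d/blog hunk) runs `cp -pr /home/webadm/works/public/* /var/www/blog/` as `webadm` at `@reboot`, while `/var/www/blog` is created in this same file with `owner 'www-data'`; unless webadm has group write on that directory the copy fails at boot with nothing but a cron mail to show for it. Add a comment such as `# Deploy the @reboot job that copies the built blog into /var/www/blog (runs as webadm; needs write access there)` and confirm the directory permissions on a real host. `owner 'root'` with `mode '644'` is the right choice for `/etc/cron.d`, which cron ignores when the file is group- or world-writable.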