Merge branch 'use-lego-for-ssl-certificate' of kazu634/itamae into master
commit
f57ee89459
@ -14,4 +14,4 @@ include_recipe './build.rb'
|
||||||
include_recipe './setup.rb'
|
include_recipe './setup.rb'
|
||||||
|
|
||||||
# Install Let's Encrypt:
|
# Install Let's Encrypt:
|
||||||
include_recipe './letsencrypt.rb'
|
include_recipe './lego.rb'
|
||||||
|
|
|
@ -0,0 +1,9 @@
|
||||||
|
md5:57b921ce69f66f9e8a55f701b6ba1280:salt:181-24-185-209-50-114-63-114:aes-256-cfb:wvv7sg+fdPPpfs6v8NeRSCVXCLpdVrcsI5jr1ct959oIDy2E9mip1wEEt00v
|
||||||
|
fP+9XCrHZnRG9aXy7jdVHZfuLI9Pw9ADqL7kJK35CQAue6LKHewSDnwr64CN
|
||||||
|
aFaw5pNSdnMpvGvzZiPe0nsqWTucsHl/0/BsnFNYBSdLRH2IZcYG2Do8iYbl
|
||||||
|
loml6MZ+Lfaf1YEMUREKkPwNn+vq3eC4ihLd/fs2n21tlq9DBGbTlsL37k/D
|
||||||
|
3sIea62lB2uym+3fi4vaSvP4MvYedaJ8WcXYFINMh4miTYMmXCUHLPiDJrX+
|
||||||
|
YEVO6QU00psjCqXj/kpYPVhvJRg74E9S6cKfsT/ZDJG7Blm95aVnTEgG2fJV
|
||||||
|
MG19BdzXIE/4qrqclFO0A7s/syl9vCC+jecqmP7jWnDiO3eVvPrmr0XHfuIE
|
||||||
|
owMUMLnUGfQqK7AS5oYKDEa2g30o44U/PljI91B9jYXwScny0S6g+NRZBZcP
|
||||||
|
vG+o4g2oGTVwVrXc
|
|
@ -1,2 +0,0 @@
|
||||||
2 2 */14 * * root /home/webadm/bin/ssl_renewal.sh
|
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
md5:c3ff40a35a072ebcdf4b00de0c62eede:salt:220-201-162-125-99-148-31-141:aes-256-cfb:P5sXyTi2l8dAegj6vwcxQlxAoXCz9ynBa/f2BATSr+ViTEQmlgqiMi6N7Zud
|
||||||
|
URbZGWBf94Wr0QqN3JMDqKX3d/ajr1C6tSoG25NL7r293PjR6icNaGklP4S+
|
||||||
|
WjNZWnEslsIfarfZZoSDw557BPo52r8nkEwSPfgdsZQiZgIUvSYAwZbVCp99
|
||||||
|
Frwyg9fc9riQ3zxOcYxygCVKZGyEKj0R+W4BBTeoMXzfzVu+kQUR+ZS1HVco
|
||||||
|
pEHAufUq4zI7P1EHFhZBM6A/E9c048Xr6ClshStsQA51qLwbnjhrBMZzQbJt
|
||||||
|
IJ9fcoTpHQq4NTD6XItiB7vFVbe6DDlQUPP4JQ0e3rxeX0Pwontjipqk2ucM
|
||||||
|
L5aN8Q+4H3JdH3x9Z2H0YlDJZ6i1XbIp2vp7ijtMlJR/pEc9ryEvBkbGH2yW
|
||||||
|
4DuvEQHOeQcb
|
|
@ -1,13 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# Preparation for normal operation:
|
|
||||||
rm -f /etc/nginx/sites-enabled/maintenance
|
|
||||||
|
|
||||||
for conf in $(find /etc/nginx/sites-available -maxdepth 1 -type f | grep -v maintenance); do
|
|
||||||
ln -s "${conf}" "/etc/nginx/sites-enabled/${conf/\/etc\/nginx\/sites-available\//}"
|
|
||||||
done
|
|
||||||
|
|
||||||
# Reload `nginx` configuration:
|
|
||||||
/bin/systemctl reload nginx
|
|
||||||
|
|
||||||
exit 0
|
|
|
@ -1,31 +0,0 @@
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# Preparation for maintenance:
|
|
||||||
rm -f /etc/nginx/sites-enabled/*
|
|
||||||
ln -s /etc/nginx/sites-available/maintenance /etc/nginx/sites-enabled/maintenance
|
|
||||||
|
|
||||||
# Start maintenance:
|
|
||||||
touch /tmp/maintenance
|
|
||||||
|
|
||||||
# Reload `nginx` configuration:
|
|
||||||
systemctl reload nginx
|
|
||||||
|
|
||||||
# Renewal SSL certificate:
|
|
||||||
certbot renew
|
|
||||||
|
|
||||||
sleep 5
|
|
||||||
|
|
||||||
# Stop maintenance:
|
|
||||||
rm /tmp/maintenance
|
|
||||||
|
|
||||||
# Preparation for normal operation:
|
|
||||||
rm -f /etc/nginx/sites-enabled/maintenance
|
|
||||||
|
|
||||||
for conf in $(find /etc/nginx/sites-available -maxdepth 1 -type f | grep -v maintenance); do
|
|
||||||
ln -s "${conf}" "/etc/nginx/sites-enabled/${conf/\/etc\/nginx\/sites-available\//}"
|
|
||||||
done
|
|
||||||
|
|
||||||
# Reload `nginx` configuration:
|
|
||||||
systemctl reload nginx
|
|
||||||
|
|
||||||
exit 0
|
|
|
@ -0,0 +1,100 @@
|
||||||
|
# ---
|
||||||
|
# Variables & Constants
|
||||||
|
USER = 'webadm'
|
||||||
|
GROUP = 'webadm'
|
||||||
|
TARBALL = '/home/webadm/lego/lego.tar.gz'
|
||||||
|
WORKDIR = '/home/webadm/lego'
|
||||||
|
LEGO_DIR = '/opt/local/lego'
|
||||||
|
LEGO = '/opt/local/lego/lego'
|
||||||
|
LEGO_STORAGE = '/etc/lego/'
|
||||||
|
|
||||||
|
vtag = ''
|
||||||
|
tag_version = ''
|
||||||
|
lego = ''
|
||||||
|
# ---
|
||||||
|
|
||||||
|
# -------------------------------------------
|
||||||
|
# Calculating the latest `nginx-build` version:
|
||||||
|
# -------------------------------------------
|
||||||
|
begin
|
||||||
|
require 'net/http'
|
||||||
|
|
||||||
|
uri = URI.parse('https://github.com/go-acme/lego/releases/latest')
|
||||||
|
|
||||||
|
Timeout.timeout(3) do
|
||||||
|
response = Net::HTTP.get_response(uri)
|
||||||
|
|
||||||
|
if response.body =~ %r{tag\/(v\d+\.\d+\.\d+)}
|
||||||
|
vtag = $1
|
||||||
|
tag_version = vtag.sub('v', '')
|
||||||
|
|
||||||
|
lego = "https://github.com/go-acme/lego/releases/download/#{vtag}/lego_#{vtag}_linux_amd64.tar.gz"
|
||||||
|
end
|
||||||
|
end
|
||||||
|
rescue
|
||||||
|
# Abort the chef client process:
|
||||||
|
raise 'Cannot connect to http://github.com.'
|
||||||
|
end
|
||||||
|
|
||||||
|
directory WORKDIR do
|
||||||
|
owner USER
|
||||||
|
group GROUP
|
||||||
|
mode '755'
|
||||||
|
end
|
||||||
|
|
||||||
|
directory LEGO_DIR do
|
||||||
|
owner 'root'
|
||||||
|
group 'root'
|
||||||
|
mode '755'
|
||||||
|
end
|
||||||
|
|
||||||
|
# バージョン確認して、アップデート必要かどうか確認
|
||||||
|
result = run_command("lego -v | grep #{tag_version}", error: false)
|
||||||
|
if result.exit_status != 0
|
||||||
|
execute "wget #{lego} -O #{TARBALL}" do
|
||||||
|
user USER
|
||||||
|
end
|
||||||
|
|
||||||
|
execute "tar xf #{TARBALL} -C #{LEGO_DIR}" do
|
||||||
|
user 'root'
|
||||||
|
end
|
||||||
|
|
||||||
|
file LEGO do
|
||||||
|
user 'root'
|
||||||
|
group 'root'
|
||||||
|
mode '755'
|
||||||
|
end
|
||||||
|
|
||||||
|
link '/usr/local/bin/lego' do
|
||||||
|
user 'root'
|
||||||
|
to LEGO
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
directory "#{LEGO_STORAGE}" do
|
||||||
|
user 'root'
|
||||||
|
group 'root'
|
||||||
|
mode '755'
|
||||||
|
end
|
||||||
|
|
||||||
|
encrypted_remote_file "#{LEGO_STORAGE}/lego_run.sh" do
|
||||||
|
owner 'root'
|
||||||
|
group 'root'
|
||||||
|
mode '500'
|
||||||
|
source "files/#{LEGO_STORAGE}/lego_run.sh"
|
||||||
|
password ENV['ITAMAE_PASSWORD']
|
||||||
|
end
|
||||||
|
|
||||||
|
execute "#{LEGO_STORAGE}/lego_run.sh" do
|
||||||
|
user 'root'
|
||||||
|
cwd LEGO_STORAGE
|
||||||
|
not_if "test -d #{LEGO_STORAGE}/.lego"
|
||||||
|
end
|
||||||
|
|
||||||
|
encrypted_remote_file '/etc/cron.d/lego' do
|
||||||
|
owner 'root'
|
||||||
|
group 'root'
|
||||||
|
mode '644'
|
||||||
|
source 'files/etc/cron.d/lego'
|
||||||
|
password ENV['ITAMAE_PASSWORD']
|
||||||
|
end
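Review bot: Nothing verifies that the release lookup actually produced a version before it is used: if `response.body` does not contain `tag/vX.Y.Z` (possible, since `Net::HTTP.get_response` does not follow the redirect that `/releases/latest` normally answers with), `vtag`, `tag_version` and `lego` stay `''`, the `run_command("lego -v | grep #{tag_version}")` guard runs with an empty grep pattern, and `execute "wget #{lego} -O #{TARBALL}"` is attempted with no URL; add `raise 'Could not determine the latest lego release' if lego.empty?` right after the `begin`/`rescue` block. The tarball is then unpacked by root with no integrity check visible on the page, so compare the download against the checksum file published with the release (if one is available) or pin the version instead of resolving "latest" before the `tar xf` step. In `file LEGO` and `directory "#{LEGO_STORAGE}"`, `user 'root'` is the run-as attribute rather than the owner that `encrypted_remote_file` below sets with `owner 'root'`; since tar run as root preserves the archive's recorded ownership by default, `file LEGO` should set `owner 'root'` explicitly. Two smaller points: the header comment reading "Calculating the latest nginx-build version" is a copy-paste and should name `lego`, and the trailing slash in `LEGO_STORAGE = '/etc/lego/'` yields `/etc/lego//lego_run.sh` and `files//etc/lego//lego_run.sh` in every path interpolated from it.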
|
|
@ -1,28 +0,0 @@
|
||||||
# Install `Let's Encrypt`:
|
|
||||||
[
|
|
||||||
'apt-get install -y software-properties-common',
|
|
||||||
'add-apt-repository ppa:certbot/certbot -y',
|
|
||||||
'apt-get update',
|
|
||||||
].each do |cmd|
|
|
||||||
execute cmd do
|
|
||||||
not_if 'which certbot'
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
package 'certbot'
|
|
||||||
|
|
||||||
# Deploy the `let's Encrypt` renewal script:
|
|
||||||
%w( ssl_renewal.sh nginx-config.sh ).each do |s|
|
|
||||||
remote_file "/home/webadm/bin/#{s}" do
|
|
||||||
owner 'webadm'
|
|
||||||
group 'webadm'
|
|
||||||
mode '755'
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
# Also for the renewal crontab configuration:
|
|
||||||
remote_file '/etc/cron.d/ssl' do
|
|
||||||
owner 'root'
|
|
||||||
group 'root'
|
|
||||||
mode '644'
|
|
||||||
end
|
|
|
@ -39,11 +39,3 @@ end
|
||||||
password ENV['ITAMAE_PASSWORD']
|
password ENV['ITAMAE_PASSWORD']
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# Create `/home/webadm/bin` directory:
|
|
||||||
directory '/home/webadm/bin' do
|
|
||||||
owner 'webadm'
|
|
||||||
group 'webadm'
|
|
||||||
mode '755'
|
|
||||||
end
|
|
||||||
|
|
||||||