Merge branch 'use-lego-for-ssl-certificate' of kazu634/itamae into master
commit
f57ee89459
|
@ -14,4 +14,4 @@ include_recipe './build.rb'
|
|||
include_recipe './setup.rb'
|
||||
|
||||
# Install Let's Encrypt:
|
||||
include_recipe './letsencrypt.rb'
|
||||
include_recipe './lego.rb'
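Review bot: Nothing in the new include list undoes what the dropped `./letsencrypt.rb` recipe already deployed on converged hosts — `/etc/cron.d/ssl` (the biweekly `ssl_renewal.sh` entry deleted elsewhere in this commit), `ssl_renewal.sh` and `nginx-config.sh` in `/home/webadm/bin`, and the `certbot` package — so an existing server keeps running `certbot renew` with its maintenance-page toggle next to the new lego cron job, with two ACME clients writing certificates and reloading nginx. Add a cleanup step, either at the top of `lego.rb` or as a small recipe included here, that deletes those files and removes the package; a sketch is below. If every host is rebuilt from scratch this is moot, but the recipe as written cannot tell, and a converge should leave a host in one state regardless of its history.
```ruby
# Remove the certbot-based renewal that letsencrypt.rb used to deploy.
%w( /etc/cron.d/ssl /home/webadm/bin/ssl_renewal.sh /home/webadm/bin/nginx-config.sh ).each do |path|
  file path do
    action :delete
  end
end

package 'certbot' do
  action :remove
end
```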
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
md5:57b921ce69f66f9e8a55f701b6ba1280:salt:181-24-185-209-50-114-63-114:aes-256-cfb:wvv7sg+fdPPpfs6v8NeRSCVXCLpdVrcsI5jr1ct959oIDy2E9mip1wEEt00v
|
||||
fP+9XCrHZnRG9aXy7jdVHZfuLI9Pw9ADqL7kJK35CQAue6LKHewSDnwr64CN
|
||||
aFaw5pNSdnMpvGvzZiPe0nsqWTucsHl/0/BsnFNYBSdLRH2IZcYG2Do8iYbl
|
||||
loml6MZ+Lfaf1YEMUREKkPwNn+vq3eC4ihLd/fs2n21tlq9DBGbTlsL37k/D
|
||||
3sIea62lB2uym+3fi4vaSvP4MvYedaJ8WcXYFINMh4miTYMmXCUHLPiDJrX+
|
||||
YEVO6QU00psjCqXj/kpYPVhvJRg74E9S6cKfsT/ZDJG7Blm95aVnTEgG2fJV
|
||||
MG19BdzXIE/4qrqclFO0A7s/syl9vCC+jecqmP7jWnDiO3eVvPrmr0XHfuIE
|
||||
owMUMLnUGfQqK7AS5oYKDEa2g30o44U/PljI91B9jYXwScny0S6g+NRZBZcP
|
||||
vG+o4g2oGTVwVrXc
|
|
@ -1,2 +0,0 @@
|
|||
2 2 */14 * * root /home/webadm/bin/ssl_renewal.sh
|
||||
|
|
@ -0,0 +1,8 @@
|
|||
md5:c3ff40a35a072ebcdf4b00de0c62eede:salt:220-201-162-125-99-148-31-141:aes-256-cfb:P5sXyTi2l8dAegj6vwcxQlxAoXCz9ynBa/f2BATSr+ViTEQmlgqiMi6N7Zud
|
||||
URbZGWBf94Wr0QqN3JMDqKX3d/ajr1C6tSoG25NL7r293PjR6icNaGklP4S+
|
||||
WjNZWnEslsIfarfZZoSDw557BPo52r8nkEwSPfgdsZQiZgIUvSYAwZbVCp99
|
||||
Frwyg9fc9riQ3zxOcYxygCVKZGyEKj0R+W4BBTeoMXzfzVu+kQUR+ZS1HVco
|
||||
pEHAufUq4zI7P1EHFhZBM6A/E9c048Xr6ClshStsQA51qLwbnjhrBMZzQbJt
|
||||
IJ9fcoTpHQq4NTD6XItiB7vFVbe6DDlQUPP4JQ0e3rxeX0Pwontjipqk2ucM
|
||||
L5aN8Q+4H3JdH3x9Z2H0YlDJZ6i1XbIp2vp7ijtMlJR/pEc9ryEvBkbGH2yW
|
||||
4DuvEQHOeQcb
|
|
@ -1,13 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Preparation for normal operation:
|
||||
rm -f /etc/nginx/sites-enabled/maintenance
|
||||
|
||||
for conf in $(find /etc/nginx/sites-available -maxdepth 1 -type f | grep -v maintenance); do
|
||||
ln -s "${conf}" "/etc/nginx/sites-enabled/${conf/\/etc\/nginx\/sites-available\//}"
|
||||
done
|
||||
|
||||
# Reload `nginx` configuration:
|
||||
/bin/systemctl reload nginx
|
||||
|
||||
exit 0
|
|
@ -1,31 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Preparation for maintenance:
|
||||
rm -f /etc/nginx/sites-enabled/*
|
||||
ln -s /etc/nginx/sites-available/maintenance /etc/nginx/sites-enabled/maintenance
|
||||
|
||||
# Start maintenance:
|
||||
touch /tmp/maintenance
|
||||
|
||||
# Reload `nginx` configuration:
|
||||
systemctl reload nginx
|
||||
|
||||
# Renewal SSL certificate:
|
||||
certbot renew
|
||||
|
||||
sleep 5
|
||||
|
||||
# Stop maintenance:
|
||||
rm /tmp/maintenance
|
||||
|
||||
# Preparation for normal operation:
|
||||
rm -f /etc/nginx/sites-enabled/maintenance
|
||||
|
||||
for conf in $(find /etc/nginx/sites-available -maxdepth 1 -type f | grep -v maintenance); do
|
||||
ln -s "${conf}" "/etc/nginx/sites-enabled/${conf/\/etc\/nginx\/sites-available\//}"
|
||||
done
|
||||
|
||||
# Reload `nginx` configuration:
|
||||
systemctl reload nginx
|
||||
|
||||
exit 0
|
|
@ -0,0 +1,100 @@
|
|||
# ---
|
||||
# Variables & Constants
|
||||
USER = 'webadm'
|
||||
GROUP = 'webadm'
|
||||
TARBALL = '/home/webadm/lego/lego.tar.gz'
|
||||
WORKDIR = '/home/webadm/lego'
|
||||
LEGO_DIR = '/opt/local/lego'
|
||||
LEGO = '/opt/local/lego/lego'
|
||||
LEGO_STORAGE = '/etc/lego/'
|
||||
|
||||
vtag = ''
|
||||
tag_version = ''
|
||||
lego = ''
|
||||
# ---
|
||||
|
||||
# -------------------------------------------
|
||||
# Calculating the latest `nginx-build` version:
|
||||
# -------------------------------------------
|
||||
begin
|
||||
require 'net/http'
|
||||
|
||||
uri = URI.parse('https://github.com/go-acme/lego/releases/latest')
|
||||
|
||||
Timeout.timeout(3) do
|
||||
response = Net::HTTP.get_response(uri)
|
||||
|
||||
if response.body =~ %r{tag\/(v\d+\.\d+\.\d+)}
|
||||
vtag = $1
|
||||
tag_version = vtag.sub('v', '')
|
||||
|
||||
lego = "https://github.com/go-acme/lego/releases/download/#{vtag}/lego_#{vtag}_linux_amd64.tar.gz"
|
||||
end
|
||||
end
|
||||
rescue
|
||||
# Abort the chef client process:
|
||||
raise 'Cannot connect to http://github.com.'
|
||||
end
|
||||
|
||||
directory WORKDIR do
|
||||
owner USER
|
||||
group GROUP
|
||||
mode '755'
|
||||
end
|
||||
|
||||
directory LEGO_DIR do
|
||||
owner 'root'
|
||||
group 'root'
|
||||
mode '755'
|
||||
end
|
||||
|
||||
# バージョン確認して、アップデート必要かどうか確認
|
||||
result = run_command("lego -v | grep #{tag_version}", error: false)
|
||||
if result.exit_status != 0
|
||||
execute "wget #{lego} -O #{TARBALL}" do
|
||||
user USER
|
||||
end
|
||||
|
||||
execute "tar xf #{TARBALL} -C #{LEGO_DIR}" do
|
||||
user 'root'
|
||||
end
|
||||
|
||||
file LEGO do
|
||||
user 'root'
|
||||
group 'root'
|
||||
mode '755'
|
||||
end
|
||||
|
||||
link '/usr/local/bin/lego' do
|
||||
user 'root'
|
||||
to LEGO
|
||||
end
|
||||
end
|
||||
|
||||
directory "#{LEGO_STORAGE}" do
|
||||
user 'root'
|
||||
group 'root'
|
||||
mode '755'
|
||||
end
|
||||
|
||||
encrypted_remote_file "#{LEGO_STORAGE}/lego_run.sh" do
|
||||
owner 'root'
|
||||
group 'root'
|
||||
mode '500'
|
||||
source "files/#{LEGO_STORAGE}/lego_run.sh"
|
||||
password ENV['ITAMAE_PASSWORD']
|
||||
end
|
||||
|
||||
execute "#{LEGO_STORAGE}/lego_run.sh" do
|
||||
user 'root'
|
||||
cwd LEGO_STORAGE
|
||||
not_if "test -d #{LEGO_STORAGE}/.lego"
|
||||
end
|
||||
|
||||
encrypted_remote_file '/etc/cron.d/lego' do
|
||||
owner 'root'
|
||||
group 'root'
|
||||
mode '644'
|
||||
source 'files/etc/cron.d/lego'
|
||||
password ENV['ITAMAE_PASSWORD']
|
||||
end
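Review bot: The archive that becomes a root-owned binary behind `/usr/local/bin/lego` is never verified: the version is scraped from GitHub HTML, `wget` runs as `webadm` into the webadm-owned `WORKDIR`, and root then runs `tar xf` on whatever is sitting at `TARBALL`, so anyone who can write as `webadm` (or a tampered release) gets code executed as root on the next converge. Download as root into the root-owned `LEGO_DIR`, check the archive against the `lego_<version>_checksums.txt` that lego releases publish next to the tarball (confirm the asset name on the release page), and extract with `--no-same-owner`; the rewritten `if result.exit_status != 0` branch is below. Two smaller things in the same block: `raise 'Could not determine the latest lego release' if lego.empty?` after the `Timeout` block would stop an unmatched regex from silently turning into `wget -O` with an empty URL and `grep ''` matching any installed version, and the `# Calculating the latest `nginx-build` version:` comment should say `lego`. On the `directory "#{LEGO_STORAGE}"`, `file LEGO` and `link` resources, `user` is (as far as I recall) Itamae's run-as attribute rather than the owner — the `directory LEGO_DIR` block above correctly uses `owner` — and since `.lego` under `/etc/lego` will hold the ACME account key and certificate private keys, `mode '700'` on that directory is the safer default.
```ruby
# … unchanged: constants and the GitHub version lookup …
if result.exit_status != 0
  archive   = File.basename(lego)
  checksums = "https://github.com/go-acme/lego/releases/download/#{vtag}/lego_#{vtag}_checksums.txt"

  # Fetch as root into the root-owned LEGO_DIR so no other account can swap
  # the archive between download and extraction.
  execute "wget -q #{lego} -O #{LEGO_DIR}/#{archive} && wget -q #{checksums} -O #{LEGO_DIR}/checksums.txt" do
    user 'root'
  end

  # A non-zero exit aborts the run, so a tampered archive is never unpacked.
  execute 'sha256sum --ignore-missing --check checksums.txt' do
    user 'root'
    cwd LEGO_DIR
  end

  execute "tar --no-same-owner -xf #{LEGO_DIR}/#{archive} -C #{LEGO_DIR}" do
    user 'root'
  end

  # … unchanged: file LEGO and link '/usr/local/bin/lego' …
end
```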
|
|
@ -1,28 +0,0 @@
|
|||
# Install `Let's Encrypt`:
|
||||
[
|
||||
'apt-get install -y software-properties-common',
|
||||
'add-apt-repository ppa:certbot/certbot -y',
|
||||
'apt-get update',
|
||||
].each do |cmd|
|
||||
execute cmd do
|
||||
not_if 'which certbot'
|
||||
end
|
||||
end
|
||||
|
||||
package 'certbot'
|
||||
|
||||
# Deploy the `let's Encrypt` renewal script:
|
||||
%w( ssl_renewal.sh nginx-config.sh ).each do |s|
|
||||
remote_file "/home/webadm/bin/#{s}" do
|
||||
owner 'webadm'
|
||||
group 'webadm'
|
||||
mode '755'
|
||||
end
|
||||
end
|
||||
|
||||
# Also for the renewal crontab configuration:
|
||||
remote_file '/etc/cron.d/ssl' do
|
||||
owner 'root'
|
||||
group 'root'
|
||||
mode '644'
|
||||
end
|
|
@ -39,11 +39,3 @@ end
|
|||
password ENV['ITAMAE_PASSWORD']
|
||||
end
|
||||
end
|
||||
|
||||
# Create `/home/webadm/bin` directory:
|
||||
directory '/home/webadm/bin' do
|
||||
owner 'webadm'
|
||||
group 'webadm'
|
||||
mode '755'
|
||||
end
|
||||
|
||||
|
|