Merge branch 'use-lego-for-ssl-certificate' of kazu634/itamae into master

This commit is contained in:
Kazuhiro MUSASHI 2019-10-28 00:54:05 +09:00 committed by Gitea
commit f57ee89459
9 changed files with 118 additions and 83 deletions


@ -14,4 +14,4 @@ include_recipe './build.rb'
include_recipe './setup.rb'
# Install Let's Encrypt:
include_recipe './letsencrypt.rb'
include_recipe './lego.rb'


@ -0,0 +1,9 @@
md5:57b921ce69f66f9e8a55f701b6ba1280:salt:181-24-185-209-50-114-63-114:aes-256-cfb:wvv7sg+fdPPpfs6v8NeRSCVXCLpdVrcsI5jr1ct959oIDy2E9mip1wEEt00v
fP+9XCrHZnRG9aXy7jdVHZfuLI9Pw9ADqL7kJK35CQAue6LKHewSDnwr64CN
aFaw5pNSdnMpvGvzZiPe0nsqWTucsHl/0/BsnFNYBSdLRH2IZcYG2Do8iYbl
loml6MZ+Lfaf1YEMUREKkPwNn+vq3eC4ihLd/fs2n21tlq9DBGbTlsL37k/D
3sIea62lB2uym+3fi4vaSvP4MvYedaJ8WcXYFINMh4miTYMmXCUHLPiDJrX+
YEVO6QU00psjCqXj/kpYPVhvJRg74E9S6cKfsT/ZDJG7Blm95aVnTEgG2fJV
MG19BdzXIE/4qrqclFO0A7s/syl9vCC+jecqmP7jWnDiO3eVvPrmr0XHfuIE
owMUMLnUGfQqK7AS5oYKDEa2g30o44U/PljI91B9jYXwScny0S6g+NRZBZcP
vG+o4g2oGTVwVrXc


@ -1,2 +0,0 @@
2 2 */14 * * root /home/webadm/bin/ssl_renewal.sh


@ -0,0 +1,8 @@
md5:c3ff40a35a072ebcdf4b00de0c62eede:salt:220-201-162-125-99-148-31-141:aes-256-cfb:P5sXyTi2l8dAegj6vwcxQlxAoXCz9ynBa/f2BATSr+ViTEQmlgqiMi6N7Zud
URbZGWBf94Wr0QqN3JMDqKX3d/ajr1C6tSoG25NL7r293PjR6icNaGklP4S+
WjNZWnEslsIfarfZZoSDw557BPo52r8nkEwSPfgdsZQiZgIUvSYAwZbVCp99
Frwyg9fc9riQ3zxOcYxygCVKZGyEKj0R+W4BBTeoMXzfzVu+kQUR+ZS1HVco
pEHAufUq4zI7P1EHFhZBM6A/E9c048Xr6ClshStsQA51qLwbnjhrBMZzQbJt
IJ9fcoTpHQq4NTD6XItiB7vFVbe6DDlQUPP4JQ0e3rxeX0Pwontjipqk2ucM
L5aN8Q+4H3JdH3x9Z2H0YlDJZ6i1XbIp2vp7ijtMlJR/pEc9ryEvBkbGH2yW
4DuvEQHOeQcb


@ -1,13 +0,0 @@
#!/bin/bash
# Preparation for normal operation:
rm -f /etc/nginx/sites-enabled/maintenance
for conf in $(find /etc/nginx/sites-available -maxdepth 1 -type f | grep -v maintenance); do
ln -s "${conf}" "/etc/nginx/sites-enabled/${conf/\/etc\/nginx\/sites-available\//}"
done
# Reload `nginx` configuration:
/bin/systemctl reload nginx
exit 0


@ -1,31 +0,0 @@
#!/bin/bash
# Preparation for maintenance:
rm -f /etc/nginx/sites-enabled/*
ln -s /etc/nginx/sites-available/maintenance /etc/nginx/sites-enabled/maintenance
# Start maintenance:
touch /tmp/maintenance
# Reload `nginx` configuration:
systemctl reload nginx
# Renewal SSL certificate:
certbot renew
sleep 5
# Stop maintenance:
rm /tmp/maintenance
# Preparation for normal operation:
rm -f /etc/nginx/sites-enabled/maintenance
for conf in $(find /etc/nginx/sites-available -maxdepth 1 -type f | grep -v maintenance); do
ln -s "${conf}" "/etc/nginx/sites-enabled/${conf/\/etc\/nginx\/sites-available\//}"
done
# Reload `nginx` configuration:
systemctl reload nginx
exit 0

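--- /dev/null
+++ b/cookbooks/nginx/lego.rb
@@ -0,0 +1,100 @@
+# ---
+# Variables & Constants
+USER = 'webadm'
+GROUP = 'webadm'
+TARBALL = '/home/webadm/lego/lego.tar.gz'
+WORKDIR = '/home/webadm/lego'
+LEGO_DIR = '/opt/local/lego'
+LEGO = '/opt/local/lego/lego'
+LEGO_STORAGE = '/etc/lego/'
+vtag = ''
+tag_version = ''
+lego = ''
+# ---
+# -------------------------------------------
+# Calculating the latest `nginx-build` version:
+# -------------------------------------------
+begin
+require 'net/http'
+uri = URI.parse('https://github.com/go-acme/lego/releases/latest')
+Timeout.timeout(3) do
+response = Net::HTTP.get_response(uri)
+if response.body =~ %r{tag\/(v\d+\.\d+\.\d+)}
+vtag = $1
+tag_version = vtag.sub('v', '')
+lego = "https://github.com/go-acme/lego/releases/download/#{vtag}/lego_#{vtag}_linux_amd64.tar.gz"
+end
+end
+rescue
+# Abort the chef client process:
+raise 'Cannot connect to http://github.com.'
+end
+directory WORKDIR do
+owner USER
+group GROUP
+mode '755'
+end
+directory LEGO_DIR do
+owner 'root'
+group 'root'
+mode '755'
+end
+# バージョン確認して、アップデート必要かどうか確認
+result = run_command("lego -v | grep #{tag_version}", error: false)
+if result.exit_status != 0
+execute "wget #{lego} -O #{TARBALL}" do
+user USER
+end
+execute "tar xf #{TARBALL} -C #{LEGO_DIR}" do
+user 'root'
+end
+file LEGO do
+user 'root'
+group 'root'
+mode '755'
+end
+link '/usr/local/bin/lego' do
+user 'root'
+to LEGO
+end
+end
+directory "#{LEGO_STORAGE}" do
+user 'root'
+group 'root'
+mode '755'
+end
+encrypted_remote_file "#{LEGO_STORAGE}/lego_run.sh" do
+owner 'root'
+group 'root'
+mode '500'
+source "files/#{LEGO_STORAGE}/lego_run.sh"
+password ENV['ITAMAE_PASSWORD']
+end
+execute "#{LEGO_STORAGE}/lego_run.sh" do
+user 'root'
+cwd LEGO_STORAGE
+not_if "test -d #{LEGO_STORAGE}/.lego"
+end
+encrypted_remote_file '/etc/cron.d/lego' do
+owner 'root'
+group 'root'
+mode '644'
+source 'files/etc/cron.d/lego'
+password ENV['ITAMAE_PASSWORD']
+end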
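Review bot: Nothing verifies that the version regex in the `begin` block actually matched, so if the GitHub "releases/latest" page stops containing `tag/vX.Y.Z` the recipe continues with `vtag`, `tag_version` and `lego` all still `''`: `run_command("lego -v | grep ")` then trivially succeeds on a host that already has lego, and on a fresh host `wget  -O /home/webadm/lego/lego.tar.gz` runs with an empty URL; add `raise 'Cannot determine the latest lego version.' if vtag.empty?` right after that `begin`/`rescue` block. The tarball is downloaded as `webadm` into the webadm-owned `WORKDIR` and then extracted by root into `/opt/local/lego` and linked into `/usr/local/bin` without any integrity check, so root installs whatever that user-writable file contains; checking the download against the checksum published with the lego release before the `tar xf` step would close that gap. The `file LEGO`, `link '/usr/local/bin/lego'` and `directory "#{LEGO_STORAGE}"` resources use `user 'root'` while the earlier `directory WORKDIR`/`directory LEGO_DIR` resources use `owner` — if itamae's file, directory and link resources only accept `owner`, those three blocks need `owner 'root'` (the `execute` resources correctly take `user`). The header comment `# Calculating the latest \`nginx-build\` version:` was carried over from another recipe and should say `lego`, the Japanese comment above `run_command` should be in English, e.g. `# Check the installed version and decide whether an update is needed`, and since `/etc/lego/` will hold the ACME account and certificate private keys, `mode '700'` on that directory is a safer default than `'755'`.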


@ -1,28 +0,0 @@
# Install `Let's Encrypt`:
[
'apt-get install -y software-properties-common',
'add-apt-repository ppa:certbot/certbot -y',
'apt-get update',
].each do |cmd|
execute cmd do
not_if 'which certbot'
end
end
package 'certbot'
# Deploy the `let's Encrypt` renewal script:
%w( ssl_renewal.sh nginx-config.sh ).each do |s|
remote_file "/home/webadm/bin/#{s}" do
owner 'webadm'
group 'webadm'
mode '755'
end
end
# Also for the renewal crontab configuration:
remote_file '/etc/cron.d/ssl' do
owner 'root'
group 'root'
mode '644'
end


@ -39,11 +39,3 @@ end
password ENV['ITAMAE_PASSWORD']
end
end
# Create `/home/webadm/bin` directory:
directory '/home/webadm/bin' do
owner 'webadm'
group 'webadm'
mode '755'
end