From f9c59e53ba1aeedb8f428256a2c9ad9ddeb44d59 Mon Sep 17 00:00:00 2001
From: Kazuhiro MUSASHI
Date: Sun, 27 Oct 2019 15:15:12 +0800
Subject: [PATCH] Download and install `lego`.

---
cookbooks/nginx/files/etc/cron.d/lego | 9 ++
cookbooks/nginx/files/etc/cron.d/ssl | 2 -
cookbooks/nginx/files/etc/lego/lego_run.sh | 8 ++
.../files/home/webadm/bin/nginx-config.sh | 13 ---
.../files/home/webadm/bin/ssl_renewal.sh | 31 ------
cookbooks/nginx/lego.rb | 104 +++++++++++++++---
cookbooks/nginx/webadm.rb | 8 --
7 files changed, 105 insertions(+), 70 deletions(-)
create mode 100644 cookbooks/nginx/files/etc/cron.d/lego
delete mode 100644 cookbooks/nginx/files/etc/cron.d/ssl
create mode 100644 cookbooks/nginx/files/etc/lego/lego_run.sh
delete mode 100644 cookbooks/nginx/files/home/webadm/bin/nginx-config.sh
delete mode 100644 cookbooks/nginx/files/home/webadm/bin/ssl_renewal.sh

diff --git a/cookbooks/nginx/files/etc/cron.d/lego b/cookbooks/nginx/files/etc/cron.d/lego
new file mode 100644
index 0000000..5270ae4
--- /dev/null
+++ b/cookbooks/nginx/files/etc/cron.d/lego
@@ -0,0 +1,9 @@
+md5:57b921ce69f66f9e8a55f701b6ba1280:salt:181-24-185-209-50-114-63-114:aes-256-cfb:wvv7sg+fdPPpfs6v8NeRSCVXCLpdVrcsI5jr1ct959oIDy2E9mip1wEEt00v
+fP+9XCrHZnRG9aXy7jdVHZfuLI9Pw9ADqL7kJK35CQAue6LKHewSDnwr64CN
+aFaw5pNSdnMpvGvzZiPe0nsqWTucsHl/0/BsnFNYBSdLRH2IZcYG2Do8iYbl
+loml6MZ+Lfaf1YEMUREKkPwNn+vq3eC4ihLd/fs2n21tlq9DBGbTlsL37k/D
+3sIea62lB2uym+3fi4vaSvP4MvYedaJ8WcXYFINMh4miTYMmXCUHLPiDJrX+
+YEVO6QU00psjCqXj/kpYPVhvJRg74E9S6cKfsT/ZDJG7Blm95aVnTEgG2fJV
+MG19BdzXIE/4qrqclFO0A7s/syl9vCC+jecqmP7jWnDiO3eVvPrmr0XHfuIE
+owMUMLnUGfQqK7AS5oYKDEa2g30o44U/PljI91B9jYXwScny0S6g+NRZBZcP
+vG+o4g2oGTVwVrXc
\ No newline at end of file
diff --git a/cookbooks/nginx/files/etc/cron.d/ssl b/cookbooks/nginx/files/etc/cron.d/ssl
deleted file mode 100644
index 064da1c..0000000
--- a/cookbooks/nginx/files/etc/cron.d/ssl
+++ /dev/null
@@ -1,2 +0,0 @@
-2 2 */14 * * root /home/webadm/bin/ssl_renewal.sh
-
diff --git a/cookbooks/nginx/files/etc/lego/lego_run.sh b/cookbooks/nginx/files/etc/lego/lego_run.sh
new file mode 100644
index 0000000..afceee3
--- /dev/null
+++ b/cookbooks/nginx/files/etc/lego/lego_run.sh
@@ -0,0 +1,8 @@
+md5:c3ff40a35a072ebcdf4b00de0c62eede:salt:220-201-162-125-99-148-31-141:aes-256-cfb:P5sXyTi2l8dAegj6vwcxQlxAoXCz9ynBa/f2BATSr+ViTEQmlgqiMi6N7Zud
+URbZGWBf94Wr0QqN3JMDqKX3d/ajr1C6tSoG25NL7r293PjR6icNaGklP4S+
+WjNZWnEslsIfarfZZoSDw557BPo52r8nkEwSPfgdsZQiZgIUvSYAwZbVCp99
+Frwyg9fc9riQ3zxOcYxygCVKZGyEKj0R+W4BBTeoMXzfzVu+kQUR+ZS1HVco
+pEHAufUq4zI7P1EHFhZBM6A/E9c048Xr6ClshStsQA51qLwbnjhrBMZzQbJt
+IJ9fcoTpHQq4NTD6XItiB7vFVbe6DDlQUPP4JQ0e3rxeX0Pwontjipqk2ucM
+L5aN8Q+4H3JdH3x9Z2H0YlDJZ6i1XbIp2vp7ijtMlJR/pEc9ryEvBkbGH2yW
+4DuvEQHOeQcb
\ No newline at end of file
diff --git a/cookbooks/nginx/files/home/webadm/bin/nginx-config.sh b/cookbooks/nginx/files/home/webadm/bin/nginx-config.sh
deleted file mode 100644
index d97dd50..0000000
--- a/cookbooks/nginx/files/home/webadm/bin/nginx-config.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-
-# Preparation for normal operation:
-rm -f /etc/nginx/sites-enabled/maintenance
-
-for conf in $(find /etc/nginx/sites-available -maxdepth 1 -type f | grep -v maintenance); do
- ln -s "${conf}" "/etc/nginx/sites-enabled/${conf/\/etc\/nginx\/sites-available\//}"
-done
-
-# Reload `nginx` configuration:
-/bin/systemctl reload nginx
-
-exit 0
diff --git a/cookbooks/nginx/files/home/webadm/bin/ssl_renewal.sh b/cookbooks/nginx/files/home/webadm/bin/ssl_renewal.sh
deleted file mode 100644
index 92dc0cd..0000000
--- a/cookbooks/nginx/files/home/webadm/bin/ssl_renewal.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-# Preparation for maintenance:
-rm -f /etc/nginx/sites-enabled/*
-ln -s /etc/nginx/sites-available/maintenance /etc/nginx/sites-enabled/maintenance
-
-# Start maintenance:
-touch /tmp/maintenance
-
-# Reload `nginx` configuration:
-systemctl reload nginx
-
-# Renewal SSL certificate:
-certbot renew
-
-sleep 5
-
-# Stop maintenance:
-rm /tmp/maintenance
-
-# Preparation for normal operation:
-rm -f /etc/nginx/sites-enabled/maintenance
-
-for conf in $(find /etc/nginx/sites-available -maxdepth 1 -type f | grep -v maintenance); do
- ln -s "${conf}" "/etc/nginx/sites-enabled/${conf/\/etc\/nginx\/sites-available\//}"
-done
-
-# Reload `nginx` configuration:
-systemctl reload nginx
-
-exit 0
diff --git a/cookbooks/nginx/lego.rb b/cookbooks/nginx/lego.rb
index e5cef1b..43679d4 100644
--- a/cookbooks/nginx/lego.rb
+++ b/cookbooks/nginx/lego.rb
@@ -1,28 +1,100 @@
-# Install `Let's Encrypt`:
-[
- 'apt-get install -y software-properties-common',
- 'add-apt-repository ppa:certbot/certbot -y',
- 'apt-get update',
-].each do |cmd|
- execute cmd do
- not_if 'which certbot'
+# ---
+# Variables & Constants
+USER = 'webadm'
+GROUP = 'webadm'
+TARBALL = '/home/webadm/lego/lego.tar.gz'
+WORKDIR = '/home/webadm/lego'
+LEGO_DIR = '/opt/local/lego'
+LEGO = '/opt/local/lego/lego'
+LEGO_STORAGE = '/etc/lego/'
+
+vtag = ''
+tag_version = ''
+lego = ''
+# ---
+
+# -------------------------------------------
+# Calculating the latest `nginx-build` version:
+# -------------------------------------------
+begin
+ require 'net/http'
+
+ uri = URI.parse('https://github.com/go-acme/lego/releases/latest')
+
+ Timeout.timeout(3) do
+ response = Net::HTTP.get_response(uri)
+
+ if response.body =~ %r{tag\/(v\d+\.\d+\.\d+)}
+ vtag = $1
+ tag_version = vtag.sub('v', '')
+
+ lego = "https://github.com/go-acme/lego/releases/download/#{vtag}/lego_#{vtag}_linux_amd64.tar.gz"
+ end
 end
+rescue
+ # Abort the chef client process:
+ raise 'Cannot connect to http://github.com.'
 end
 
-package 'certbot'
+directory WORKDIR do
+ owner USER
+ group GROUP
+ mode '755'
+end
 
-# Deploy the `let's Encrypt` renewal script:
-%w( ssl_renewal.sh nginx-config.sh ).each do |s|
- remote_file "/home/webadm/bin/#{s}" do
- owner 'webadm'
- group 'webadm'
+directory LEGO_DIR do
+ owner 'root'
+ group 'root'
+ mode '755'
+end
+
+# バージョン確認して、アップデート必要かどうか確認
+result = run_command("lego -v | grep #{tag_version}", error: false)
+if result.exit_status != 0
+ execute "wget #{lego} -O #{TARBALL}" do
+ user USER
+ end
+
+ execute "tar xf #{TARBALL} -C #{LEGO_DIR}" do
+ user 'root'
+ end
+
+ file LEGO do
+ user 'root'
+ group 'root'
 mode '755'
 end
+
+ link '/usr/local/bin/lego' do
+ user 'root'
+ to LEGO
+ end
 end
 
-# Also for the renewal crontab configuration:
-remote_file '/etc/cron.d/ssl' do
+directory "#{LEGO_STORAGE}" do
+ user 'root'
+ group 'root'
+ mode '755'
+end
+
+encrypted_remote_file "#{LEGO_STORAGE}/lego_run.sh" do
+ owner 'root'
+ group 'root'
+ mode '500'
+ source "files/#{LEGO_STORAGE}/lego_run.sh"
+ password ENV['ITAMAE_PASSWORD']
+end
+
+execute "#{LEGO_STORAGE}/lego_run.sh" do
+ user 'root'
+ cwd LEGO_STORAGE
+ not_if "test -d #{LEGO_STORAGE}/.lego"
+end
+
+encrypted_remote_file '/etc/cron.d/lego' do
 owner 'root'
 group 'root'
 mode '644'
+ source 'files/etc/cron.d/lego'
+ password ENV['ITAMAE_PASSWORD']
 end
diff --git a/cookbooks/nginx/webadm.rb b/cookbooks/nginx/webadm.rb
index e1aaefa..35f6e5e 100644
--- a/cookbooks/nginx/webadm.rb
+++ b/cookbooks/nginx/webadm.rb
@@ -39,11 +39,3 @@ end
 password ENV['ITAMAE_PASSWORD']
 end
 end
-
-# Create `/home/webadm/bin` directory:
-directory '/home/webadm/bin' do
- owner 'webadm'
- group 'webadm'
- mode '755'
-end
-
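Review bot: Nothing after the `begin`/`rescue` block in lego.rb checks that a release tag was actually found, so if the regex on `response.body` does not match (for instance if the `releases/latest` page changes shape or is served as a redirect whose body lacks the tag) `lego` and `tag_version` stay `''`, `lego -v | grep ` then runs with no pattern and fails, and the install branch executes `wget  -O /home/webadm/lego/lego.tar.gz` with an empty URL; add `raise 'Could not determine the latest lego release tag.' if lego.empty?` directly after that block's closing `end`. The tarball wget fetches is then unpacked by root with `tar xf` into `/opt/local/lego` and symlinked into `/usr/local/bin` with no integrity check on the download; verifying the archive against the checksum file go-acme/lego publishes alongside each release, before the `tar xf` execute, would close that gap. `file LEGO do user 'root'` and `directory "#{LEGO_STORAGE}" do user 'root'` use `user`, which Itamae treats as the run-as attribute rather than ownership, while the sibling `directory WORKDIR` uses `owner`; these should read `owner 'root'` so the extracted binary's owner is set explicitly instead of left as whatever `tar` preserved. The header comment `# Calculating the latest \`nginx-build\` version:` looks copied from another recipe and should name `lego`, and the Japanese comment above `run_command` would read in English as `# Check the installed version to decide whether an update is needed`.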