From f9c59e53ba1aeedb8f428256a2c9ad9ddeb44d59 Mon Sep 17 00:00:00 2001
From: Kazuhiro MUSASHI <simoom634@yahoo.co.jp>
Date: Sun, 27 Oct 2019 15:15:12 +0800
Subject: [PATCH] Download and install `lego`.

---
 cookbooks/nginx/files/etc/cron.d/lego         |   9 ++
 cookbooks/nginx/files/etc/cron.d/ssl          |   2 -
 cookbooks/nginx/files/etc/lego/lego_run.sh    |   8 ++
 .../files/home/webadm/bin/nginx-config.sh     |  13 ---
 .../files/home/webadm/bin/ssl_renewal.sh      |  31 ------
 cookbooks/nginx/lego.rb                       | 104 +++++++++++++++---
 cookbooks/nginx/webadm.rb                     |   8 --
 7 files changed, 105 insertions(+), 70 deletions(-)
 create mode 100644 cookbooks/nginx/files/etc/cron.d/lego
 delete mode 100644 cookbooks/nginx/files/etc/cron.d/ssl
 create mode 100644 cookbooks/nginx/files/etc/lego/lego_run.sh
 delete mode 100644 cookbooks/nginx/files/home/webadm/bin/nginx-config.sh
 delete mode 100644 cookbooks/nginx/files/home/webadm/bin/ssl_renewal.sh

diff --git a/cookbooks/nginx/files/etc/cron.d/lego b/cookbooks/nginx/files/etc/cron.d/lego
new file mode 100644
index 0000000..5270ae4
--- /dev/null
+++ b/cookbooks/nginx/files/etc/cron.d/lego
@@ -0,0 +1,9 @@
+md5:57b921ce69f66f9e8a55f701b6ba1280:salt:181-24-185-209-50-114-63-114:aes-256-cfb:wvv7sg+fdPPpfs6v8NeRSCVXCLpdVrcsI5jr1ct959oIDy2E9mip1wEEt00v
+fP+9XCrHZnRG9aXy7jdVHZfuLI9Pw9ADqL7kJK35CQAue6LKHewSDnwr64CN
+aFaw5pNSdnMpvGvzZiPe0nsqWTucsHl/0/BsnFNYBSdLRH2IZcYG2Do8iYbl
+loml6MZ+Lfaf1YEMUREKkPwNn+vq3eC4ihLd/fs2n21tlq9DBGbTlsL37k/D
+3sIea62lB2uym+3fi4vaSvP4MvYedaJ8WcXYFINMh4miTYMmXCUHLPiDJrX+
+YEVO6QU00psjCqXj/kpYPVhvJRg74E9S6cKfsT/ZDJG7Blm95aVnTEgG2fJV
+MG19BdzXIE/4qrqclFO0A7s/syl9vCC+jecqmP7jWnDiO3eVvPrmr0XHfuIE
+owMUMLnUGfQqK7AS5oYKDEa2g30o44U/PljI91B9jYXwScny0S6g+NRZBZcP
+vG+o4g2oGTVwVrXc
\ No newline at end of file
diff --git a/cookbooks/nginx/files/etc/cron.d/ssl b/cookbooks/nginx/files/etc/cron.d/ssl
deleted file mode 100644
index 064da1c..0000000
--- a/cookbooks/nginx/files/etc/cron.d/ssl
+++ /dev/null
@@ -1,2 +0,0 @@
-2 2 */14 * * root /home/webadm/bin/ssl_renewal.sh
-
diff --git a/cookbooks/nginx/files/etc/lego/lego_run.sh b/cookbooks/nginx/files/etc/lego/lego_run.sh
new file mode 100644
index 0000000..afceee3
--- /dev/null
+++ b/cookbooks/nginx/files/etc/lego/lego_run.sh
@@ -0,0 +1,8 @@
+md5:c3ff40a35a072ebcdf4b00de0c62eede:salt:220-201-162-125-99-148-31-141:aes-256-cfb:P5sXyTi2l8dAegj6vwcxQlxAoXCz9ynBa/f2BATSr+ViTEQmlgqiMi6N7Zud
+URbZGWBf94Wr0QqN3JMDqKX3d/ajr1C6tSoG25NL7r293PjR6icNaGklP4S+
+WjNZWnEslsIfarfZZoSDw557BPo52r8nkEwSPfgdsZQiZgIUvSYAwZbVCp99
+Frwyg9fc9riQ3zxOcYxygCVKZGyEKj0R+W4BBTeoMXzfzVu+kQUR+ZS1HVco
+pEHAufUq4zI7P1EHFhZBM6A/E9c048Xr6ClshStsQA51qLwbnjhrBMZzQbJt
+IJ9fcoTpHQq4NTD6XItiB7vFVbe6DDlQUPP4JQ0e3rxeX0Pwontjipqk2ucM
+L5aN8Q+4H3JdH3x9Z2H0YlDJZ6i1XbIp2vp7ijtMlJR/pEc9ryEvBkbGH2yW
+4DuvEQHOeQcb
\ No newline at end of file
diff --git a/cookbooks/nginx/files/home/webadm/bin/nginx-config.sh b/cookbooks/nginx/files/home/webadm/bin/nginx-config.sh
deleted file mode 100644
index d97dd50..0000000
--- a/cookbooks/nginx/files/home/webadm/bin/nginx-config.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-
-# Preparation for normal operation:
-rm -f /etc/nginx/sites-enabled/maintenance
-
-for conf in $(find /etc/nginx/sites-available -maxdepth 1 -type f | grep -v maintenance); do
-  ln -s "${conf}" "/etc/nginx/sites-enabled/${conf/\/etc\/nginx\/sites-available\//}"
-done
-
-# Reload `nginx` configuration:
-/bin/systemctl reload nginx
-
-exit 0
diff --git a/cookbooks/nginx/files/home/webadm/bin/ssl_renewal.sh b/cookbooks/nginx/files/home/webadm/bin/ssl_renewal.sh
deleted file mode 100644
index 92dc0cd..0000000
--- a/cookbooks/nginx/files/home/webadm/bin/ssl_renewal.sh
+++ /dev/null
@@ -1,31 +0,0 @@
-#!/bin/bash
-
-# Preparation for maintenance:
-rm -f /etc/nginx/sites-enabled/*
-ln -s /etc/nginx/sites-available/maintenance /etc/nginx/sites-enabled/maintenance
-
-# Start maintenance:
-touch /tmp/maintenance
-
-# Reload `nginx` configuration:
-systemctl reload nginx
-
-# Renewal SSL certificate:
-certbot renew
-
-sleep 5
-
-# Stop maintenance:
-rm /tmp/maintenance
-
-# Preparation for normal operation:
-rm -f /etc/nginx/sites-enabled/maintenance
-
-for conf in $(find /etc/nginx/sites-available -maxdepth 1 -type f | grep -v maintenance); do
-  ln -s "${conf}" "/etc/nginx/sites-enabled/${conf/\/etc\/nginx\/sites-available\//}"
-done
-
-# Reload `nginx` configuration:
-systemctl reload nginx
-
-exit 0
diff --git a/cookbooks/nginx/lego.rb b/cookbooks/nginx/lego.rb
index e5cef1b..43679d4 100644
--- a/cookbooks/nginx/lego.rb
+++ b/cookbooks/nginx/lego.rb
@@ -1,28 +1,100 @@
-# Install `Let's Encrypt`:
-[
-  'apt-get install -y software-properties-common',
-  'add-apt-repository ppa:certbot/certbot -y',
-  'apt-get update',
-].each do |cmd|
-  execute cmd do
-    not_if 'which certbot'
+# ---
+# Variables & Constants
+USER         = 'webadm'
+GROUP        = 'webadm'
+TARBALL      = '/home/webadm/lego/lego.tar.gz'
+WORKDIR      = '/home/webadm/lego'
+LEGO_DIR     = '/opt/local/lego'
+LEGO         = '/opt/local/lego/lego'
+LEGO_STORAGE = '/etc/lego/'
+
+vtag         = ''
+tag_version  = ''
+lego         = ''
+# ---
+
+# -------------------------------------------
+# Calculating the latest `nginx-build` version:
+# -------------------------------------------
+begin
+  require 'net/http'
+
+  uri = URI.parse('https://github.com/go-acme/lego/releases/latest')
+
+  Timeout.timeout(3) do
+    response = Net::HTTP.get_response(uri)
+
+    if response.body =~ %r{tag\/(v\d+\.\d+\.\d+)}
+      vtag        = $1
+      tag_version = vtag.sub('v', '')
+
+      lego = "https://github.com/go-acme/lego/releases/download/#{vtag}/lego_#{vtag}_linux_amd64.tar.gz"
+    end
   end
+rescue
+  # Abort the chef client process:
+  raise 'Cannot connect to http://github.com.'
 end
 
-package 'certbot'
+directory WORKDIR do
+  owner USER
+  group GROUP
+  mode '755'
+end
 
-# Deploy the `let's Encrypt` renewal script:
-%w( ssl_renewal.sh nginx-config.sh ).each do |s|
-  remote_file "/home/webadm/bin/#{s}" do
-    owner 'webadm'
-    group 'webadm'
+directory LEGO_DIR do
+  owner 'root'
+  group 'root'
+  mode '755'
+end
+
+# バージョン確認して、アップデート必要かどうか確認
+result = run_command("lego -v | grep #{tag_version}", error: false)
+if result.exit_status != 0
+  execute "wget #{lego} -O #{TARBALL}" do
+    user USER
+  end
+
+  execute "tar xf #{TARBALL} -C #{LEGO_DIR}" do
+    user 'root'
+  end
+
+  file LEGO do
+    user 'root'
+    group 'root'
     mode '755'
   end
+
+  link '/usr/local/bin/lego' do
+    user 'root'
+    to LEGO
+  end
 end
 
-# Also for the renewal crontab configuration:
-remote_file '/etc/cron.d/ssl' do
+directory "#{LEGO_STORAGE}" do
+  user 'root'
+  group 'root'
+  mode '755'
+end
+
+encrypted_remote_file "#{LEGO_STORAGE}/lego_run.sh" do
+  owner 'root'
+  group 'root'
+  mode '500'
+  source   "files/#{LEGO_STORAGE}/lego_run.sh"
+  password ENV['ITAMAE_PASSWORD']
+end
+
+execute "#{LEGO_STORAGE}/lego_run.sh" do
+  user 'root'
+  cwd LEGO_STORAGE
+  not_if "test -d #{LEGO_STORAGE}/.lego"
+end
+
+encrypted_remote_file '/etc/cron.d/lego' do
   owner 'root'
   group 'root'
   mode '644'
+  source   'files/etc/cron.d/lego'
+  password ENV['ITAMAE_PASSWORD']
 end
diff --git a/cookbooks/nginx/webadm.rb b/cookbooks/nginx/webadm.rb
index e1aaefa..35f6e5e 100644
--- a/cookbooks/nginx/webadm.rb
+++ b/cookbooks/nginx/webadm.rb
@@ -39,11 +39,3 @@ end
     password ENV['ITAMAE_PASSWORD']
   end
 end
-
-# Create `/home/webadm/bin` directory:
-directory '/home/webadm/bin' do
-  owner 'webadm'
-  group 'webadm'
-  mode '755'
-end
-