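# Discourse launcher template: obtains a certificate from Let's Encrypt with
# acme.sh and points the bundled nginx at it. Everything runs in the after_ssl
# hook, so the ssl_certificate* directives rewritten at the bottom already
# exist in /etc/nginx/conf.d/discourse.conf when the replace steps run.
env:
  # acme.sh working directory: ACME account config and the per-hostname
  # directories holding issued certs and keys.
  # NOTE(review): the account.conf replace step below hard-codes this same
  # path; keep the two in sync if the directory ever moves.
  LETSENCRYPT_DIR: "/shared/letsencrypt"

hooks:
  after_ssl:
    - exec:
        cmd:
          # Fail the bootstrap early when no contact address was supplied.
          - if [ -z "$LETSENCRYPT_ACCOUNT_EMAIL" ]; then echo "LETSENCRYPT_ACCOUNT_EMAIL ENV variable is required and has not been set."; exit 1; fi
          # Loose shape check only: the pattern just requires something@something
          # (a@b passes). It catches an empty or obviously mangled value, not an
          # invalid address.
          - /bin/bash -c "if [[ ! \"$LETSENCRYPT_ACCOUNT_EMAIL\" =~ ([^@]+)@([^\.]+) ]]; then echo \"LETSENCRYPT_ACCOUNT_EMAIL is not a valid email address\"; exit 1; fi"

    - exec:
        cmd:
          # Supply chain: clone over HTTPS and pin to an exact commit so the
          # build does not take whatever happens to be on master.
          - cd /root && git clone https://github.com/Neilpang/acme.sh.git && cd /root/acme.sh && git reset --hard c4c5ecd03de497fd4c3079cbac9d3c56edaffc89
          # Make sure root's crontab exists first — presumably so acme.sh --install
          # can add its renewal entry to it (TODO confirm against acme.sh).
          - touch /var/spool/cron/crontabs/root
          # 0700 rather than 0755: this directory holds the account config and the
          # key material that --installcert copies out below. Only root (this hook,
          # the runit script, the renewal cron) reads it; nginx is given copies in
          # /shared/ssl, so nothing unprivileged needs to list or read it.
          - install -d -m 0700 -g root -o root $LETSENCRYPT_DIR
          - cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --install --log "${LETSENCRYPT_DIR}/acme.sh.log"
          # NOTE(review): --upgrade pulls current master right away and
          # --auto-upgrade keeps doing so later, which undoes the commit pin two
          # steps up — the pin only governs the very first run. Decide
          # deliberately between pinning and tracking upstream.
          - cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --upgrade --auto-upgrade

    - file:
        path: "/etc/nginx/letsencrypt.conf"
        contents: |
          # Throwaway nginx used only while a certificate is being issued: it
          # serves the http-01 challenge files that acme.sh writes into the
          # webroot (the -w path in the runit script) on port 80, and is stopped
          # again by that script once --installcert has run.
          user www-data;
          worker_processes auto;
          daemon on;

          events {
            worker_connections 768;
            # multi_accept on;
          }

          http {
            sendfile on;
            tcp_nopush on;
            tcp_nodelay on;
            keepalive_timeout 65;
            types_hash_max_size 2048;

            access_log /var/log/nginx/access.letsencrypt.log;
            error_log /var/log/nginx/error.letsencrypt.log;

            server {
              listen 80;
              listen [::]:80;

              # Anchored and escaped: the previous `~ /.well-known` matched that
              # substring anywhere in the URI, with `.` matching any character.
              location ~ ^/\.well-known/ {
                root /var/www/discourse/public;
                allow all;
              }
            }
          }

    - file:
        path: /etc/runit/1.d/letsencrypt
        chmod: "+x"
        contents: |
          #!/bin/bash
          # runit stage-1 script (runs at container boot, before services):
          # bring up the challenge-only nginx, issue, install, tear it down.
          /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf

          LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue -d $$ENV_DISCOURSE_HOSTNAME -k 4096 -w /var/www/discourse/public

          # Consistency check, not a trust check: ca.cer and fullchain.cer were
          # both written by the same issuance, so passing only shows the files
          # exist and chain to each other, not that a trusted root signed them.
          # A missing hostname directory makes the cd fail and triggers the retry.
          if [ ! "$(cd $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]; then
            # Try to issue the cert again if something goes wrong.
            # NOTE(review): --force skips acme.sh's own "still valid" check, so a
            # host that keeps failing validation re-requests at every boot and may
            # run into the CA's failed-validation rate limit.
            LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue -d $$ENV_DISCOURSE_HOSTNAME -k 4096 --force -w /var/www/discourse/public
          fi

          # Copy chain and key to the paths discourse.conf is rewritten to use
          # below, and register the nginx reload acme.sh runs on renewal.
          LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --installcert -d $$ENV_DISCOURSE_HOSTNAME --fullchainpath /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer --keypath /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key --reloadcmd "sv reload nginx"

          /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop

    # Point discourse.conf at the issued chain. The pattern now requires
    # whitespace after the directive name so it cannot match the
    # `ssl_certificate_key ...` line; the old `/ssl_certificate.+/` matched both
    # and relied on the ssl_certificate line coming first in the file.
    - replace:
        filename: "/etc/nginx/conf.d/discourse.conf"
        from: /ssl_certificate\s.+/
        to: |
          ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;

    # Set the ACME account contact. account.conf is created by --install above;
    # the pattern accepts both a commented-out and an existing ACCOUNT_EMAIL line.
    # NOTE(review): this path duplicates LETSENCRYPT_DIR from env: — keep in sync.
    - replace:
        filename: /shared/letsencrypt/account.conf
        from: /#?ACCOUNT_EMAIL=.+/
        to: |
          ACCOUNT_EMAIL=$$ENV_LETSENCRYPT_ACCOUNT_EMAIL

    - replace:
        filename: "/etc/nginx/conf.d/discourse.conf"
        from: /ssl_certificate_key.+/
        to: |
          ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;

    # Two-year HSTS (63072000 s). Deliberately no includeSubDomains/preload:
    # both are hard to roll back and should be a conscious site decision.
    - replace:
        filename: "/etc/nginx/conf.d/discourse.conf"
        from: /add_header.+/
        to: |
          add_header Strict-Transport-Security 'max-age=63072000';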