# Pups template: obtain a Let's Encrypt certificate with the `le.sh` ACME client
# and switch the Discourse nginx vhost from plain HTTP to HTTPS.
#
# `$LETSENCRYPT_DIR` (shell form) and `$$ENV_LETSENCRYPT_DIR` / `$$ENV_DISCOURSE_HOSTNAME`
# (template form) both refer to container environment values; `LETSENCRYPT_DIR`
# is set here, `DISCOURSE_HOSTNAME` is expected to come from the container config
# (not defined in this file — confirm against the enclosing container YAML).
env:
  # Persistent home of the ACME client and its per-domain state (certs, account key).
  LETSENCRYPT_DIR: "/shared/letsencrypt"

run:
  # Build-time install of the ACME client.
  # NOTE(review): the clone is not pinned to a tag or commit and `./le.sh install`
  # then runs as root, so every image build executes whatever the repository's
  # HEAD contains at that moment — pin to a reviewed revision (TODO: pick one).
  - exec:
      cmd:
        - cd /root && git clone https://github.com/Neilpang/le.git
        # Ensure root's crontab file exists before the installer runs
        # (presumably `le.sh install` registers a renewal cron entry — confirm).
        - touch /var/spool/cron/crontabs/root
        - install -d -m 0755 -g root -o root $LETSENCRYPT_DIR
        - cd /root/le && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./le.sh install

  # Runit stage-1 script, run at container start. With `set -e` any failing
  # `le.sh` step aborts the script:
  #   1. issue a 4096-bit certificate for $$ENV_DISCOURSE_HOSTNAME,
  #   2. install cert + key under /shared/ssl and reload nginx via `sv reload nginx`,
  #   3. rewrite the domain's `Le_Webroot` to the Discourse public directory so
  #      later renewals are validated through the running web server.
  - file:
      path: /etc/runit/1.d/letsencrypt
      chmod: "+x"
      contents: |
        #!/bin/bash
        set -e
        LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh issue no $$ENV_DISCOURSE_HOSTNAME no 4096
        LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh installcert $$ENV_DISCOURSE_HOSTNAME /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key no "sv reload nginx"
        # After the initial install, switch to Webroot plugin
        LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh _setopt $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME/$$ENV_DISCOURSE_HOSTNAME.conf "Le_Webroot" "=" "/var/www/discourse/public"

  # One-off 2048-bit DH parameters for the DHE cipher suites; skipped when the
  # file already exists so restarts do not regenerate it.
  - exec:
      cmd:
        # Generate strong Diffie-Hellman parameters
        - "mkdir -p /shared/ssl/"
        - "[ -e /shared/ssl/dhparams.pem ] || openssl dhparam -out /shared/ssl/dhparams.pem 2048"

  # Prepend a port-80 server block that redirects every request to HTTPS.
  # The pattern consumes the original `server {` line; the trailing `server {`
  # in the replacement reopens the original block so its remaining body is kept.
  - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /server.+{/
      to: |
        server {
          listen 80;
          rewrite ^ https://$$ENV_DISCOURSE_HOSTNAME$request_uri? permanent;
        }
        server {

  # Turn the original server block into the TLS listener: swaps `listen 80;` ...
  # `gzip on;` for the HTTPS settings below, and redirects requests whose Host
  # header is not the configured hostname.
  # NOTE(review): `ssl_protocols` still enables TLSv1 and TLSv1.1; the cipher list
  # also keeps 3DES (`DES-CBC3-SHA`) — both are legacy and worth dropping when
  # client compatibility allows. HSTS max-age 5184000 s is 60 days.
  - replace:
      filename: "/etc/nginx/conf.d/discourse.conf"
      from: /listen 80;\s+gzip on;/m
      to: |
        listen 443 ssl http2;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # courtesy of https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
        ssl_prefer_server_ciphers on;

        ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;
        ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;
        ssl_dhparam /shared/ssl/dhparams.pem;

        ssl_session_tickets off;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:1m;

        # remember the certificate for 2 months and automatically connect to HTTPS for this domain
        add_header Strict-Transport-Security 'max-age=5184000';

        gzip on;

        if ($http_host != $$ENV_DISCOURSE_HOSTNAME) {
          rewrite (.*) https://$$ENV_DISCOURSE_HOSTNAME$1 permanent;
        }