[discourse_docker.git] / templates / web.letsencrypt.ssl.template.yml

env:
  LETSENCRYPT_DIR: "/shared/letsencrypt"

hooks:
  after_ssl:
    - exec:
       cmd:
         - if [ -z "$LETSENCRYPT_ACCOUNT_EMAIL" ]; then echo "LETSENCRYPT_ACCOUNT_EMAIL ENV variable is required and has not been set."; exit 1; fi
         - /bin/bash -c "if [[ ! \"$LETSENCRYPT_ACCOUNT_EMAIL\" =~ ([^@]+)@([^\.]+) ]]; then echo \"LETSENCRYPT_ACCOUNT_EMAIL is not a valid email address\"; exit 1; fi"

    - exec:
       cmd:
         - cd /root && git clone https://github.com/Neilpang/acme.sh.git && cd /root/acme.sh && git reset --hard c4c5ecd03de497fd4c3079cbac9d3c56edaffc89
         - touch /var/spool/cron/crontabs/root
         - install -d -m 0755 -g root -o root $LETSENCRYPT_DIR
         - cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --install

    - file:
       path: "/etc/nginx/letsencrypt.conf"
       contents: |
        user www-data;
        worker_processes auto;
        daemon on;

        events {
          worker_connections 768;
          # multi_accept on;
        }

        http {
          sendfile on;
          tcp_nopush on;
          tcp_nodelay on;
          keepalive_timeout 65;
          types_hash_max_size 2048;

          access_log /var/log/nginx/access.letsencrypt.log;
          error_log /var/log/nginx/error.letsencrypt.log;

          server {
            listen 80;
            listen [::]:80;

            location ~ /.well-known {
              root /var/www/discourse/public;
              allow all;
            }
          }
        }

    - file:
       path: /etc/runit/1.d/letsencrypt
       chmod: "+x"
       contents: |
          #!/bin/bash
          /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf

          LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue -d $$ENV_DISCOURSE_HOSTNAME -k 4096 -w /var/www/discourse/public

          if [ ! "$(cd $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]; then
            # Try to issue the cert again if something goes wrong
            LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue -d $$ENV_DISCOURSE_HOSTNAME -k 4096 --force -w /var/www/discourse/public
          fi

          LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --installcert -d $$ENV_DISCOURSE_HOSTNAME --fullchainpath /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer --keypath /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key --reloadcmd "sv reload nginx"

          /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop

    - replace:
       filename: "/etc/nginx/conf.d/discourse.conf"
       from: /ssl_certificate.+/
       to: |
         ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;

    - replace:
       filename: /shared/letsencrypt/account.conf
       from: /#ACCOUNT_EMAIL=.+/
       to: |
         ACCOUNT_EMAIL=$$ENV_LETSENCRYPT_ACCOUNT_EMAIL

    - replace:
       filename: "/etc/nginx/conf.d/discourse.conf"
       from: /ssl_certificate_key.+/
       to: |
         ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;

    - replace:
       filename: "/etc/nginx/conf.d/discourse.conf"
       from: /add_header.+/
       to: |
         add_header Strict-Transport-Security 'max-age=63072000';
Commit	Line	Data
a956d7ec GXT	1	env:
	2	LETSENCRYPT_DIR: "/shared/letsencrypt"
	3
6ca9e768 GXT	4	hooks:
6ca9e768 GXT	5	after_ssl:
83d224e7 GXT	6	- exec:
	7	cmd:
	8	- if [ -z "$LETSENCRYPT_ACCOUNT_EMAIL" ]; then echo "LETSENCRYPT_ACCOUNT_EMAIL ENV variable is required and has not been set."; exit 1; fi
	9	- /bin/bash -c "if [[ ! \"$LETSENCRYPT_ACCOUNT_EMAIL\" =~ ([^@]+)@([^\.]+) ]]; then echo \"LETSENCRYPT_ACCOUNT_EMAIL is not a valid email address\"; exit 1; fi"
	10
6ca9e768 GXT	11	- exec:
6ca9e768 GXT	12	cmd:
1a9efb17	13	- cd /root && git clone https://github.com/Neilpang/acme.sh.git && cd /root/acme.sh && git reset --hard c4c5ecd03de497fd4c3079cbac9d3c56edaffc89
6ca9e768 GXT	14	- touch /var/spool/cron/crontabs/root
6ca9e768 GXT	15	- install -d -m 0755 -g root -o root $LETSENCRYPT_DIR
844ca250	16	- cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --install
6ca9e768	17
d41b7e6d GXT	18	- file:
	19	path: "/etc/nginx/letsencrypt.conf"
	20	contents: \|
	21	user www-data;
	22	worker_processes auto;
	23	daemon on;
	24
	25	events {
	26	worker_connections 768;
	27	# multi_accept on;
	28	}
	29
	30	http {
	31	sendfile on;
	32	tcp_nopush on;
	33	tcp_nodelay on;
	34	keepalive_timeout 65;
	35	types_hash_max_size 2048;
	36
	37	access_log /var/log/nginx/access.letsencrypt.log;
	38	error_log /var/log/nginx/error.letsencrypt.log;
	39
	40	server {
	41	listen 80;
	42	listen [::]:80;
	43
	44	location ~ /.well-known {
	45	root /var/www/discourse/public;
	46	allow all;
	47	}
	48	}
	49	}
	50
6ca9e768	51	- file:
844ca250	52	path: /etc/runit/1.d/letsencrypt
6ca9e768 GXT	53	chmod: "+x"
	54	contents: \|
	55	#!/bin/bash
d41b7e6d GXT	56	/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
d41b7e6d GXT	57
278a42fc	58	LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue -d $$ENV_DISCOURSE_HOSTNAME -k 4096 -w /var/www/discourse/public
844ca250 GXT	59
	60	if [ ! "$(cd $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME && openssl verify -CAfile ca.cer fullchain.cer \| grep "OK")" ]; then
	61	# Try to issue the cert again if something goes wrong
4e1cec8b	62	LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue -d $$ENV_DISCOURSE_HOSTNAME -k 4096 --force -w /var/www/discourse/public
844ca250 GXT	63	fi
	64
	65	LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --installcert -d $$ENV_DISCOURSE_HOSTNAME --fullchainpath /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer --keypath /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key --reloadcmd "sv reload nginx"
d41b7e6d GXT	66
d41b7e6d GXT	67	/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop
6ca9e768 GXT	68
	69	- replace:
	70	filename: "/etc/nginx/conf.d/discourse.conf"
	71	from: /ssl_certificate.+/
	72	to: \|
	73	ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;
	74
83d224e7 GXT	75	- replace:
	76	filename: /shared/letsencrypt/account.conf
	77	from: /#ACCOUNT_EMAIL=.+/
	78	to: \|
	79	ACCOUNT_EMAIL=$$ENV_LETSENCRYPT_ACCOUNT_EMAIL
	80
6ca9e768 GXT	81	- replace:
	82	filename: "/etc/nginx/conf.d/discourse.conf"
	83	from: /ssl_certificate_key.+/
	84	to: \|
844ca250	85	ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;
6ca9e768 GXT	86
	87	- replace:
	88	filename: "/etc/nginx/conf.d/discourse.conf"
	89	from: /add_header.+/
	90	to: \|
963a0b87	91	add_header Strict-Transport-Security 'max-age=63072000';