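# Discourse launcher template: obtain a Let's Encrypt certificate with acme.sh
# at container boot and point the discourse nginx vhost at it.
#
# Required environment (read at template-render time via $$ENV_<NAME>):
#   LETSENCRYPT_ACCOUNT_EMAIL  - account e-mail registered with the CA
#   DISCOURSE_HOSTNAME         - hostname the certificate is issued for
# LETSENCRYPT_DIR defaults below and is also visible to the scripts at runtime.
env:
  LETSENCRYPT_DIR: "/shared/letsencrypt"

hooks:
  after_ssl:
    - exec:
        cmd:
          # Fail the build early when the account e-mail is missing.
          - if [ -z "$LETSENCRYPT_ACCOUNT_EMAIL" ]; then echo "LETSENCRYPT_ACCOUNT_EMAIL ENV variable is required and has not been set."; exit 1; fi
          # Sanity check only: the pattern just requires "<something>@<something>",
          # it is not full e-mail validation.
          - /bin/bash -c "if [[ ! \"$LETSENCRYPT_ACCOUNT_EMAIL\" =~ ([^@]+)@([^\.]+) ]]; then echo \"LETSENCRYPT_ACCOUNT_EMAIL is not a valid email address\"; exit 1; fi"

    - exec:
        cmd:
          # acme.sh is pinned to a fixed commit so the build is reproducible and
          # the client code cannot change underneath us between builds.
          - cd /root && git clone https://github.com/Neilpang/acme.sh.git && cd /root/acme.sh && git reset --hard c4c5ecd03de497fd4c3079cbac9d3c56edaffc89
          # presumably needed because acme.sh --install adds a renewal cron entry
          # for root -- confirm against the pinned acme.sh version.
          - touch /var/spool/cron/crontabs/root
          - install -d -m 0755 -g root -o root "$LETSENCRYPT_DIR"
          - cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --install

    # Minimal throw-away nginx config used only while the webroot challenge is
    # served on port 80 (run before the main discourse nginx is up, see the
    # runit stage-1 script below).
    - file:
        path: "/etc/nginx/letsencrypt.conf"
        contents: |
          user www-data;
          worker_processes auto;
          daemon on;

          events {
            worker_connections 768;
            # multi_accept on;
          }

          http {
            sendfile on;
            tcp_nopush on;
            tcp_nodelay on;
            keepalive_timeout 65;
            types_hash_max_size 2048;

            access_log /var/log/nginx/access.letsencrypt.log;
            error_log /var/log/nginx/error.letsencrypt.log;

            server {
              listen 80;
              listen [::]:80;

              # Serve only the ACME challenge directory. A prefix match (^~) on
              # the full challenge path replaces the earlier unanchored regex
              # "~ /.well-known" (where "." matched any character), so arbitrary
              # URIs merely containing that substring are no longer routed here.
              location ^~ /.well-known/acme-challenge/ {
                root /var/www/discourse/public;
                allow all;
              }
            }
          }

    # Boot-time script (runit stage 1): bring up the temporary nginx on :80,
    # issue (or re-issue) the certificate, install it where the discourse vhost
    # expects it, then stop the temporary nginx again.
    - file:
        path: /etc/runit/1.d/letsencrypt
        chmod: "+x"
        contents: |
          #!/bin/bash
          # The double-dollar ENV_ placeholders in this file are replaced with literal
          # values when the template is rendered; LETSENCRYPT_DIR is additionally
          # available as a normal environment variable at runtime.
          /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf

          LE_WORKING_DIR="${LETSENCRYPT_DIR}" "$$ENV_LETSENCRYPT_DIR/acme.sh" --issue -d "$$ENV_DISCOURSE_HOSTNAME" -k 4096 -w /var/www/discourse/public

          # Sanity-check the result. This only proves that fullchain.cer chains up to
          # the ca.cer acme.sh stored next to it, not that the chain is trusted by the
          # system root store. The pipeline's status is grep's, so a failed cd or a
          # missing file also takes the retry branch.
          if ! (cd "$$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME" && openssl verify -CAfile ca.cer fullchain.cer | grep -q "OK"); then
            # Try to issue the cert again if something goes wrong
            LE_WORKING_DIR="${LETSENCRYPT_DIR}" "$$ENV_LETSENCRYPT_DIR/acme.sh" --issue -d "$$ENV_DISCOURSE_HOSTNAME" -k 4096 --force -w /var/www/discourse/public
          fi

          # Copy cert and key to the paths the discourse vhost is rewritten to use.
          # NOTE(review): the key file's mode on the shared volume is whatever
          # acme.sh --installcert gives it -- confirm it is not group/world readable.
          # Note also that this script does not abort if both --issue attempts fail;
          # the install step and the vhost rewrite then point at missing files.
          LE_WORKING_DIR="${LETSENCRYPT_DIR}" "$$ENV_LETSENCRYPT_DIR/acme.sh" --installcert -d "$$ENV_DISCOURSE_HOSTNAME" --fullchainpath "/shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer" --keypath "/shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key" --reloadcmd "sv reload nginx"

          # Stop the temporary nginx (presumably so the real one can bind :80).
          /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop

    # The pattern "ssl_certificate.+" also matches an "ssl_certificate_key" line;
    # this relies on the first match in discourse.conf being the ssl_certificate
    # directive. Verify that ordering if the upstream vhost template changes.
    - replace:
        filename: "/etc/nginx/conf.d/discourse.conf"
        from: /ssl_certificate.+/
        to: |
          ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;

    # NOTE(review): this path hard-codes the default LETSENCRYPT_DIR instead of
    # deriving it from the env var above -- confirm whether LETSENCRYPT_DIR is
    # meant to be overridable; if so this should follow it.
    - replace:
        filename: /shared/letsencrypt/account.conf
        from: /#ACCOUNT_EMAIL=.+/
        to: |
          ACCOUNT_EMAIL=$$ENV_LETSENCRYPT_ACCOUNT_EMAIL

    - replace:
        filename: "/etc/nginx/conf.d/discourse.conf"
        from: /ssl_certificate_key.+/
        to: |
          ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;

    # Replaces the first add_header line in the vhost, whatever header that is,
    # with HSTS (two-year max-age, no includeSubDomains/preload).
    - replace:
        filename: "/etc/nginx/conf.d/discourse.conf"
        from: /add_header.+/
        to: |
          add_header Strict-Transport-Security 'max-age=63072000';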