[discourse_docker.git] / templates / web.letsencrypt.ssl.template.yml

env:
  LETSENCRYPT_DIR: "/shared/letsencrypt"

hooks:
  after_ssl:
    - exec:
       cmd:
         - if [ -z "$LETSENCRYPT_ACCOUNT_EMAIL" ]; then echo "LETSENCRYPT_ACCOUNT_EMAIL ENV variable is required and has not been set."; exit 1; fi
         - /bin/bash -c "if [[ ! \"$LETSENCRYPT_ACCOUNT_EMAIL\" =~ ([^@]+)@([^\.]+) ]]; then echo \"LETSENCRYPT_ACCOUNT_EMAIL is not a valid email address\"; exit 1; fi"

    - exec:
       cmd:
         - apt-get install -y netcat
         - cd /root && git clone https://github.com/Neilpang/acme.sh.git && cd /root/acme.sh && git reset --hard 8d5618c44a2ab973aa7eb243db740e22c742b809
         - touch /var/spool/cron/crontabs/root
         - install -d -m 0755 -g root -o root $LETSENCRYPT_DIR
         - cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --install

    - file:
       path: /etc/runit/1.d/letsencrypt
       chmod: "+x"
       contents: |
          #!/bin/bash
          LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue -d $$ENV_DISCOURSE_HOSTNAME -k 4096 --standalone

          if [ ! "$(cd $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]; then
            # Try to issue the cert again if something goes wrong
            LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue -d $$ENV_DISCOURSE_HOSTNAME -k 4096 --standalone --force
          fi

          LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --installcert -d $$ENV_DISCOURSE_HOSTNAME --fullchainpath /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer --keypath /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key --reloadcmd "sv reload nginx"
          # After the initial install, switch to Webroot plugin
          LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh _setopt $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME/$$ENV_DISCOURSE_HOSTNAME.conf "Le_Webroot" "=" "/var/www/discourse/public"

    - replace:
       filename: "/etc/nginx/conf.d/discourse.conf"
       from: /ssl_certificate.+/
       to: |
         ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;

    - replace:
       filename: /shared/letsencrypt/account.conf
       from: /#ACCOUNT_EMAIL=.+/
       to: |
         ACCOUNT_EMAIL=$$ENV_LETSENCRYPT_ACCOUNT_EMAIL

    - replace:
       filename: "/etc/nginx/conf.d/discourse.conf"
       from: /ssl_certificate_key.+/
       to: |
         ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;

    - replace:
       filename: "/etc/nginx/conf.d/discourse.conf"
       from: /add_header.+/
       to: |
         # remember the certificate for 80 days and automatically connect to HTTPS for this domain
         add_header Strict-Transport-Security 'max-age=6912000';
Commit	Line	Data
a956d7ec GXT	1	env:
	2	LETSENCRYPT_DIR: "/shared/letsencrypt"
	3
6ca9e768 GXT	4	hooks:
6ca9e768 GXT	5	after_ssl:
83d224e7 GXT	6	- exec:
	7	cmd:
	8	- if [ -z "$LETSENCRYPT_ACCOUNT_EMAIL" ]; then echo "LETSENCRYPT_ACCOUNT_EMAIL ENV variable is required and has not been set."; exit 1; fi
	9	- /bin/bash -c "if [[ ! \"$LETSENCRYPT_ACCOUNT_EMAIL\" =~ ([^@]+)@([^\.]+) ]]; then echo \"LETSENCRYPT_ACCOUNT_EMAIL is not a valid email address\"; exit 1; fi"
	10
6ca9e768 GXT	11	- exec:
6ca9e768 GXT	12	cmd:
844ca250 GXT	13	- apt-get install -y netcat
844ca250 GXT	14	- cd /root && git clone https://github.com/Neilpang/acme.sh.git && cd /root/acme.sh && git reset --hard 8d5618c44a2ab973aa7eb243db740e22c742b809
6ca9e768 GXT	15	- touch /var/spool/cron/crontabs/root
6ca9e768 GXT	16	- install -d -m 0755 -g root -o root $LETSENCRYPT_DIR
844ca250	17	- cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --install
6ca9e768 GXT	18
6ca9e768 GXT	19	- file:
844ca250	20	path: /etc/runit/1.d/letsencrypt
6ca9e768 GXT	21	chmod: "+x"
	22	contents: \|
	23	#!/bin/bash
844ca250 GXT	24	LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue -d $$ENV_DISCOURSE_HOSTNAME -k 4096 --standalone
	25
	26	if [ ! "$(cd $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME && openssl verify -CAfile ca.cer fullchain.cer \| grep "OK")" ]; then
	27	# Try to issue the cert again if something goes wrong
	28	LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue -d $$ENV_DISCOURSE_HOSTNAME -k 4096 --standalone --force
	29	fi
	30
	31	LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --installcert -d $$ENV_DISCOURSE_HOSTNAME --fullchainpath /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer --keypath /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key --reloadcmd "sv reload nginx"
6ca9e768	32	# After the initial install, switch to Webroot plugin
844ca250	33	LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh _setopt $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME/$$ENV_DISCOURSE_HOSTNAME.conf "Le_Webroot" "=" "/var/www/discourse/public"
6ca9e768 GXT	34
	35	- replace:
	36	filename: "/etc/nginx/conf.d/discourse.conf"
	37	from: /ssl_certificate.+/
	38	to: \|
	39	ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;
	40
83d224e7 GXT	41	- replace:
	42	filename: /shared/letsencrypt/account.conf
	43	from: /#ACCOUNT_EMAIL=.+/
	44	to: \|
	45	ACCOUNT_EMAIL=$$ENV_LETSENCRYPT_ACCOUNT_EMAIL
	46
6ca9e768 GXT	47	- replace:
	48	filename: "/etc/nginx/conf.d/discourse.conf"
	49	from: /ssl_certificate_key.+/
	50	to: \|
844ca250	51	ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;
6ca9e768 GXT	52
	53	- replace:
	54	filename: "/etc/nginx/conf.d/discourse.conf"
	55	from: /add_header.+/
	56	to: \|
844ca250 GXT	57	# remember the certificate for 80 days and automatically connect to HTTPS for this domain
844ca250 GXT	58	add_header Strict-Transport-Security 'max-age=6912000';