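# Let's Encrypt template for the Discourse container (pups format).
#
# Issues a certificate for $$ENV_DISCOURSE_HOSTNAME with a pinned acme.sh checkout,
# installs it where nginx reads it, and turns on HSTS. Everything here runs as root.
# Inputs: LETSENCRYPT_ACCOUNT_EMAIL (operator-supplied, validated below) and
# DISCOURSE_HOSTNAME (defined outside this template). $$ENV_* tokens are replaced
# by pups when a command or file is written; plain $VAR is expanded by the shell.
env:
  # acme.sh working directory: holds the ACME account key, the per-domain TLS
  # private key and the issued chain. Lives on /shared so it survives rebuilds.
  LETSENCRYPT_DIR: "/shared/letsencrypt"

hooks:
  after_ssl:
    - exec:
        cmd:
          # Fail the build early when the account email is missing.
          - if [ -z "$LETSENCRYPT_ACCOUNT_EMAIL" ]; then echo "LETSENCRYPT_ACCOUNT_EMAIL ENV variable is required and has not been set."; exit 1; fi
          # Shape check needs bash's =~, hence the explicit bash -c. The script is
          # single-quoted so bash reads the variable from its own environment; the
          # value is never spliced into the command text, so a value containing
          # quotes or ';' cannot inject commands here.
          - /bin/bash -c 'if [[ ! "$LETSENCRYPT_ACCOUNT_EMAIL" =~ ([^@]+)@([^\.]+) ]]; then echo "LETSENCRYPT_ACCOUNT_EMAIL is not a valid email address"; exit 1; fi'

    - exec:
        cmd:
          # netcat — presumably for acme.sh --standalone's HTTP-01 listener on :80 (confirm).
          - apt-get install -y netcat
          # Pin acme.sh to an exact commit: this code runs as root, so an upstream
          # push to the default branch must not be able to change what gets executed.
          - cd /root && git clone https://github.com/Neilpang/acme.sh.git && cd /root/acme.sh && git reset --hard 8d5618c44a2ab973aa7eb243db740e22c742b809
          # Make sure root's crontab file exists before acme.sh --install adds its
          # renewal entry (assumption about --install; confirm against the pinned commit).
          - touch /var/spool/cron/crontabs/root
          # 0700, not 0755: the directory holds the account key and the TLS private
          # key, and only root (acme.sh, its cron job, the runit script) reads them.
          - install -d -m 0700 -g root -o root "$LETSENCRYPT_DIR"
          - cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --install

    - file:
        path: /etc/runit/1.d/letsencrypt
        chmod: "+x"
        contents: |
          #!/bin/bash
          # Runs at every container start (runit stage 1). Each step is left to run even
          # if the previous one fails on purpose: a failed --issue is retried below and a
          # working certificate already on disk must still be installed into nginx.
          #
          # Initial issuance uses the standalone listener; later runs are no-ops until
          # acme.sh considers renewal due. $$ENV_* values are quoted so a hostname with
          # unexpected characters cannot split into extra arguments.
          LE_WORKING_DIR="${LETSENCRYPT_DIR}" "$$ENV_LETSENCRYPT_DIR/acme.sh" --issue -d "$$ENV_DISCOURSE_HOSTNAME" -k 4096 --standalone

          # Check the chain on disk. The "OK" grep (rather than openssl's exit status) is
          # kept because older openssl releases exit 0 even when verification fails.
          # A failed cd (no certificate directory yet) also lands in the retry branch.
          if ! (cd "$$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME" && openssl verify -CAfile ca.cer fullchain.cer | grep -q "OK"); then
            # Retry once, forcing a fresh issuance. --force bypasses acme.sh's renewal
            # schedule, so repeated boots in a broken state count against LE rate limits.
            LE_WORKING_DIR="${LETSENCRYPT_DIR}" "$$ENV_LETSENCRYPT_DIR/acme.sh" --issue -d "$$ENV_DISCOURSE_HOSTNAME" -k 4096 --standalone --force
          fi

          # Copy chain + key to the paths nginx is configured with below, then reload nginx.
          LE_WORKING_DIR="${LETSENCRYPT_DIR}" "$$ENV_LETSENCRYPT_DIR/acme.sh" --installcert -d "$$ENV_DISCOURSE_HOSTNAME" --fullchainpath "/shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer" --keypath "/shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key" --reloadcmd "sv reload nginx"

          # After the initial install, switch this domain to the Webroot plugin (presumably
          # so renewals work while nginx owns port 80). _setopt is an acme.sh internal
          # helper, not a public flag — it is tied to the commit pinned above.
          LE_WORKING_DIR="${LETSENCRYPT_DIR}" "$$ENV_LETSENCRYPT_DIR/acme.sh" _setopt "$$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME/$$ENV_DISCOURSE_HOSTNAME.conf" "Le_Webroot" "=" "/var/www/discourse/public"

    # Point nginx at the installed chain. NOTE(review): the pattern also matches an
    # ssl_certificate_key line, so this relies on ssl_certificate appearing first in
    # the base config — confirm if that template changes.
    - replace:
        filename: "/etc/nginx/conf.d/discourse.conf"
        from: /ssl_certificate.+/
        to: |
          ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;

    # Register the operator's email with acme.sh. The path is hard-coded rather than
    # derived from LETSENCRYPT_DIR; keep the two in sync if the env value ever changes.
    - replace:
        filename: /shared/letsencrypt/account.conf
        from: /#ACCOUNT_EMAIL=.+/
        to: |
          ACCOUNT_EMAIL=$$ENV_LETSENCRYPT_ACCOUNT_EMAIL

    - replace:
        filename: "/etc/nginx/conf.d/discourse.conf"
        from: /ssl_certificate_key.+/
        to: |
          ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;

    # Replaces the first add_header directive in the base config with HSTS.
    - replace:
        filename: "/etc/nginx/conf.d/discourse.conf"
        from: /add_header.+/
        to: |
          # HSTS: a browser that has seen this header will use HTTPS only for this host
          # for the next 80 days. It does not pin the certificate. includeSubDomains and
          # preload are not set here; preload lists require max-age of at least one year.
          add_header Strict-Transport-Security 'max-age=6912000';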