env:
LETSENCRYPT_DIR: "/shared/letsencrypt"
-run:
- - exec:
- cmd:
- - cd /root && git clone https://github.com/Neilpang/le.git
- - touch /var/spool/cron/crontabs/root
- - install -d -m 0755 -g root -o root $LETSENCRYPT_DIR
- - cd /root/le && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./le.sh install
-
- - file:
- path: /etc/runit/1.d/letsencrypt
- chmod: "+x"
- contents: |
- #!/bin/bash
- set -e
- LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh issue no $$ENV_DISCOURSE_HOSTNAME no 4096
- LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh installcert $$ENV_DISCOURSE_HOSTNAME /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key no "sv reload nginx"
- # After the initial install, switch to Webroot plugin
- LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh _setopt $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME/$$ENV_DISCOURSE_HOSTNAME.conf "Le_Webroot" "=" "/var/www/discourse/public"
-
- - exec:
- cmd:
- # Generate strong Diffie-Hellman parameters
- - "mkdir -p /shared/ssl/"
- - "[ -e /shared/ssl/dhparams.pem ] || openssl dhparam -out /shared/ssl/dhparams.pem 2048"
-
- - replace:
- filename: "/etc/nginx/conf.d/discourse.conf"
- from: /server.+{/
- to: |
- server {
- listen 80;
- rewrite ^ https://$$ENV_DISCOURSE_HOSTNAME$request_uri? permanent;
- }
- server {
- - replace:
- filename: "/etc/nginx/conf.d/discourse.conf"
- from: /listen 80;\s+gzip on;/m
- to: |
- listen 443 ssl http2;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- # courtesy of https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
- ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
- ssl_prefer_server_ciphers on;
-
- ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;
- ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;
- ssl_dhparam /shared/ssl/dhparams.pem;
-
- ssl_session_tickets off;
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:1m;
-
- # remember the certificate for 2 months and automatically connect to HTTPS for this domain
- add_header Strict-Transport-Security 'max-age=5184000';
-
- gzip on;
-
- if ($http_host != $$ENV_DISCOURSE_HOSTNAME) {
- rewrite (.*) https://$$ENV_DISCOURSE_HOSTNAME$1 permanent;
- }
+hooks:
+ after_ssl:
+ - exec:
+ cmd:
+ - if [ -z "$LETSENCRYPT_ACCOUNT_EMAIL" ]; then echo "LETSENCRYPT_ACCOUNT_EMAIL ENV variable is required and has not been set."; exit 1; fi
+ - /bin/bash -c "if [[ ! \"$LETSENCRYPT_ACCOUNT_EMAIL\" =~ ([^@]+)@([^\.]+) ]]; then echo \"LETSENCRYPT_ACCOUNT_EMAIL is not a valid email address\"; exit 1; fi"
+
+ - exec:
+ cmd:
+ - cd /root && git clone https://github.com/Neilpang/acme.sh.git && cd /root/acme.sh && git reset --hard c4c5ecd03de497fd4c3079cbac9d3c56edaffc89
+ - touch /var/spool/cron/crontabs/root
+ - install -d -m 0755 -g root -o root $LETSENCRYPT_DIR
+ - cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --install --log "${LETSENCRYPT_DIR}/acme.sh.log"
+ - cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --upgrade --auto-upgrade
+
+ - file:
+ path: "/etc/nginx/letsencrypt.conf"
+ contents: |
+ user www-data;
+ worker_processes auto;
+ daemon on;
+
+ events {
+ worker_connections 768;
+ # multi_accept on;
+ }
+
+ http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ access_log /var/log/nginx/access.letsencrypt.log;
+ error_log /var/log/nginx/error.letsencrypt.log;
+
+ server {
+ listen 80;
+ listen [::]:80;
+
+ location ~ /.well-known {
+ root /var/www/discourse/public;
+ allow all;
+ }
+ }
+ }
+
+ - file:
+ path: /etc/runit/1.d/letsencrypt
+ chmod: "+x"
+ contents: |
+ #!/bin/bash
+ /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
+
+ LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue -d $$ENV_DISCOURSE_HOSTNAME -k 4096 -w /var/www/discourse/public
+
+ if [ ! "$(cd $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME && openssl verify -CAfile ca.cer fullchain.cer | grep "OK")" ]; then
+ # Try to issue the cert again if something goes wrong
+ LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --issue -d $$ENV_DISCOURSE_HOSTNAME -k 4096 --force -w /var/www/discourse/public
+ fi
+
+ LE_WORKING_DIR="${LETSENCRYPT_DIR}" $$ENV_LETSENCRYPT_DIR/acme.sh --installcert -d $$ENV_DISCOURSE_HOSTNAME --fullchainpath /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer --keypath /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key --reloadcmd "sv reload nginx"
+
+ /usr/sbin/nginx -c /etc/nginx/letsencrypt.conf -s stop
+
+ - replace:
+ filename: "/etc/nginx/conf.d/discourse.conf"
+ from: /ssl_certificate.+/
+ to: |
+ ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;
+
+ - replace:
+ filename: /shared/letsencrypt/account.conf
+ from: /#?ACCOUNT_EMAIL=.+/
+ to: |
+ ACCOUNT_EMAIL=$$ENV_LETSENCRYPT_ACCOUNT_EMAIL
+
+ - replace:
+ filename: "/etc/nginx/conf.d/discourse.conf"
+ from: /ssl_certificate_key.+/
+ to: |
+ ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;
+
+ - replace:
+ filename: "/etc/nginx/conf.d/discourse.conf"
+ from: /add_header.+/
+ to: |
+ add_header Strict-Transport-Security 'max-age=63072000';