env:
LETSENCRYPT_DIR: "/shared/letsencrypt"
-run:
- - exec:
- cmd:
- - cd /root && git clone https://github.com/Neilpang/le.git
- - touch /var/spool/cron/crontabs/root
- - install -d -m 0755 -g root -o root $LETSENCRYPT_DIR
- - cd /root/le && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./le.sh install
+hooks:
+ after_ssl:
+ - exec:
+ cmd:
+ - cd /root && git clone https://github.com/Neilpang/le.git
+ - touch /var/spool/cron/crontabs/root
+ - install -d -m 0755 -g root -o root $LETSENCRYPT_DIR
+ - cd /root/le && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./le.sh install
+
+ - file:
+ path: /etc/runit/1.d/letsencrypt
+ chmod: "+x"
+ contents: |
+ #!/bin/bash
+ set -e
+ LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh issue no $$ENV_DISCOURSE_HOSTNAME no 4096
+ LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh installcert $$ENV_DISCOURSE_HOSTNAME /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer "sv reload nginx"
+ # After the initial install, switch to Webroot plugin
+ LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh _setopt $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME/$$ENV_DISCOURSE_HOSTNAME.conf "Le_Webroot" "=" "/var/www/discourse/public"
+
+ - replace:
+ filename: "/etc/nginx/conf.d/discourse.conf"
+ from: /ssl_certificate.+/
+ to: |
+ ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;
+
+ - replace:
+ filename: "/etc/nginx/conf.d/discourse.conf"
+ from: /ssl_certificate_key.+/
+ to: |
+ ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key; # remember the certificate for 2 months and automatically connect to HTTPS for this domain
+
+ - replace:
+ filename: "/etc/nginx/conf.d/discourse.conf"
+ from: /add_header.+/
+ to: |
+ add_header Strict-Transport-Security 'max-age=5184000';
- - file:
- path: /etc/runit/1.d/letsencrypt
- chmod: "+x"
- contents: |
- #!/bin/bash
- set -e
- LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh issue no $$ENV_DISCOURSE_HOSTNAME no 4096
- LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh installcert $$ENV_DISCOURSE_HOSTNAME /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key no "sv reload nginx"
- # After the initial install, switch to Webroot plugin
- LE_WORKING_DIR="$$ENV_LETSENCRYPT_DIR" $$ENV_LETSENCRYPT_DIR/le.sh _setopt $$ENV_LETSENCRYPT_DIR/$$ENV_DISCOURSE_HOSTNAME/$$ENV_DISCOURSE_HOSTNAME.conf "Le_Webroot" "=" "/var/www/discourse/public"
- - exec:
- cmd:
- # Generate strong Diffie-Hellman parameters
- - "mkdir -p /shared/ssl/"
- - "[ -e /shared/ssl/dhparams.pem ] || openssl dhparam -out /shared/ssl/dhparams.pem 2048"
-
- - replace:
- filename: "/etc/nginx/conf.d/discourse.conf"
- from: /server.+{/
- to: |
- server {
- listen 80;
- rewrite ^ https://$$ENV_DISCOURSE_HOSTNAME$request_uri? permanent;
- }
- server {
- - replace:
- filename: "/etc/nginx/conf.d/discourse.conf"
- from: /listen 80;\s+gzip on;/m
- to: |
- listen 443 ssl http2;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- # courtesy of https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
- ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
- ssl_prefer_server_ciphers on;
-
- ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;
- ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;
- ssl_dhparam /shared/ssl/dhparams.pem;
-
- ssl_session_tickets off;
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:1m;
-
- # remember the certificate for 2 months and automatically connect to HTTPS for this domain
- add_header Strict-Transport-Security 'max-age=5184000';
-
- gzip on;
-
- if ($http_host != $$ENV_DISCOURSE_HOSTNAME) {
- rewrite (.*) https://$$ENV_DISCOURSE_HOSTNAME$1 permanent;
- }
projects / discourse_docker.git / commitdiff