bundles/ssl: support using a preexisting ssl certificate
This commit is contained in:
parent
019d658442
commit
d98a1adfd9
4 changed files with 76 additions and 23 deletions
|
@ -5,6 +5,12 @@ directories = {
|
|||
'svc_systemd:nginx:restart',
|
||||
},
|
||||
},
|
||||
'/etc/nginx/ssl': {
|
||||
'purge': True,
|
||||
'triggers': {
|
||||
'svc_systemd:nginx:restart',
|
||||
},
|
||||
},
|
||||
'/var/www': {},
|
||||
}
|
||||
|
||||
|
@ -47,27 +53,13 @@ svc_systemd = {
|
|||
},
|
||||
}
|
||||
|
||||
# Always redirect all traffic to HTTPS, except if there is only one
|
||||
# vhost and this vhost has ssl disabled.
|
||||
install_port80_redirect = True
|
||||
if len(node.metadata.get('nginx/vhosts', {})) == 1:
|
||||
vhost_name = list(node.metadata['nginx']['vhosts'].keys())[0]
|
||||
if node.metadata.get('nginx/vhosts/{}/ssl'.format(vhost_name), 'letsencrypt') == False:
|
||||
install_port80_redirect = False
|
||||
|
||||
if install_port80_redirect:
|
||||
files['/etc/nginx/sites/000-port80.conf'] = {
|
||||
'source': 'port80.conf',
|
||||
'triggers': {
|
||||
'svc_systemd:nginx:restart',
|
||||
},
|
||||
}
|
||||
|
||||
install_port80_redirect = False
|
||||
port80_has_letsencrypt = False
|
||||
for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
|
||||
if not 'domain' in config:
|
||||
config['domain'] = vhost
|
||||
|
||||
files['/etc/nginx/sites/{}'.format(vhost)] = {
|
||||
files[f'/etc/nginx/sites/{vhost}'] = {
|
||||
'source': 'site_template',
|
||||
'content_type': 'mako',
|
||||
'context': {
|
||||
|
@ -76,20 +68,70 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
|
|||
**config,
|
||||
},
|
||||
'needs': set(),
|
||||
'needed_by': {
|
||||
'svc_systemd:nginx',
|
||||
'svc_systemd:nginx:restart',
|
||||
},
|
||||
'triggers': {
|
||||
'svc_systemd:nginx:restart',
|
||||
},
|
||||
}
|
||||
|
||||
if not 'webroot' in config:
|
||||
directories['/var/www/{}'.format(vhost)] = {}
|
||||
directories[f'/var/www/{vhost}'] = {}
|
||||
|
||||
if node.has_bundle('zfs'):
|
||||
directories['/var/www/{}'.format(vhost)]['needs'] = {
|
||||
directories[f'/var/www/{vhost}']['needs'] = {
|
||||
'bundle:zfs',
|
||||
}
|
||||
|
||||
directories['/var/www/{}'.format(vhost)].update(config.get('webroot_config', {}))
|
||||
directories[f'/var/www/{vhost}'].update(config.get('webroot_config', {}))
|
||||
|
||||
if config.get('ssl', 'letsencrypt') == 'letsencrypt':
|
||||
files['/etc/nginx/sites/{}'.format(vhost)]['needs'].add('action:letsencrypt_ensure-some-certificate_{}'.format(config['domain']))
|
||||
files[f'/etc/nginx/sites/{vhost}']['needs'].add('action:letsencrypt_ensure-some-certificate_{}'.format(config['domain']))
|
||||
files[f'/etc/nginx/sites/{vhost}']['needed_by'].add('action:letsencrypt_update_certificates')
|
||||
port80_has_letsencrypt = True
|
||||
install_port80_redirect = True
|
||||
|
||||
elif config.get('ssl', 'letsencrypt'):
|
||||
files[f'/etc/nginx/ssl/{vhost}.crt'] = {
|
||||
'content_type': 'mako',
|
||||
'source': 'ssl_template',
|
||||
'context': {
|
||||
'domain': config['ssl'],
|
||||
},
|
||||
'needed_by': {
|
||||
'svc_systemd:nginx',
|
||||
'svc_systemd:nginx:restart',
|
||||
},
|
||||
'triggers': {
|
||||
'svc_systemd:nginx:reload',
|
||||
},
|
||||
}
|
||||
files[f'/etc/nginx/ssl/{vhost}.key'] = {
|
||||
'content': repo.vault.decrypt_file('ssl/{}.key.pem.vault'.format(config['ssl'])),
|
||||
'mode': '0600',
|
||||
'needed_by': {
|
||||
'svc_systemd:nginx',
|
||||
'svc_systemd:nginx:restart',
|
||||
},
|
||||
'triggers': {
|
||||
'svc_systemd:nginx:reload',
|
||||
},
|
||||
}
|
||||
|
||||
files[f'/etc/nginx/sites/{vhost}']['needs'].add(f'file:/etc/nginx/ssl/{vhost}.crt')
|
||||
files[f'/etc/nginx/sites/{vhost}']['needs'].add(f'file:/etc/nginx/ssl/{vhost}.key')
|
||||
install_port80_redirect = True
|
||||
|
||||
if install_port80_redirect:
|
||||
files['/etc/nginx/sites/000-port80.conf'] = {
|
||||
'source': 'port80.conf',
|
||||
'content_type': 'mako',
|
||||
'context': {
|
||||
'needs_le': port80_has_letsencrypt,
|
||||
},
|
||||
'triggers': {
|
||||
'svc_systemd:nginx:restart',
|
||||
},
|
||||
}
|
||||
|
|