bundles/ssl: support using a preexisting ssl certificate

This commit is contained in:
Franzi 2021-04-25 09:09:23 +02:00
parent 019d658442
commit d98a1adfd9
Signed by: kunsi
GPG key ID: 12E3D2136B818350
4 changed files with 76 additions and 23 deletions

View file

@ -6,8 +6,9 @@ server {
location / { location / {
return 308 https://$host$request_uri; return 308 https://$host$request_uri;
} }
% if needs_le:
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {
alias /var/lib/dehydrated/acme-challenges/; alias /var/lib/dehydrated/acme-challenges/;
} }
% endif
} }

View file

@ -11,9 +11,13 @@ server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
ssl_trusted_certificate /var/lib/dehydrated/certs/${domain}/chain.pem; % if ssl == 'letsencrypt':
ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem; ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem;
ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem; ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem;
% else:
ssl_certificate /etc/nginx/ssl/${vhost}.crt;
ssl_certificate_key /etc/nginx/ssl/${vhost}.key;
% endif
ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

View file

@ -0,0 +1,6 @@
<%
from os.path import isfile, join
%><%include file="ssl/${domain}.crt.pem"/>
% if isfile(join(repo.path, 'data', 'ssl', f'{domain}.crt_intermediate.pem')):
<%include file="ssl/${domain}.crt_intermediate.pem"/>
% endif

View file

@ -5,6 +5,12 @@ directories = {
'svc_systemd:nginx:restart', 'svc_systemd:nginx:restart',
}, },
}, },
'/etc/nginx/ssl': {
'purge': True,
'triggers': {
'svc_systemd:nginx:restart',
},
},
'/var/www': {}, '/var/www': {},
} }
@ -47,27 +53,13 @@ svc_systemd = {
}, },
} }
# Always redirect all traffic to HTTPS, except if there is only one
# vhost and this vhost has ssl disabled.
install_port80_redirect = True
if len(node.metadata.get('nginx/vhosts', {})) == 1:
vhost_name = list(node.metadata['nginx']['vhosts'].keys())[0]
if node.metadata.get('nginx/vhosts/{}/ssl'.format(vhost_name), 'letsencrypt') == False:
install_port80_redirect = False install_port80_redirect = False
port80_has_letsencrypt = False
if install_port80_redirect:
files['/etc/nginx/sites/000-port80.conf'] = {
'source': 'port80.conf',
'triggers': {
'svc_systemd:nginx:restart',
},
}
for vhost, config in node.metadata.get('nginx/vhosts', {}).items(): for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
if not 'domain' in config: if not 'domain' in config:
config['domain'] = vhost config['domain'] = vhost
files['/etc/nginx/sites/{}'.format(vhost)] = { files[f'/etc/nginx/sites/{vhost}'] = {
'source': 'site_template', 'source': 'site_template',
'content_type': 'mako', 'content_type': 'mako',
'context': { 'context': {
@ -76,20 +68,70 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
**config, **config,
}, },
'needs': set(), 'needs': set(),
'needed_by': {
'svc_systemd:nginx',
'svc_systemd:nginx:restart',
},
'triggers': { 'triggers': {
'svc_systemd:nginx:restart', 'svc_systemd:nginx:restart',
}, },
} }
if not 'webroot' in config: if not 'webroot' in config:
directories['/var/www/{}'.format(vhost)] = {} directories[f'/var/www/{vhost}'] = {}
if node.has_bundle('zfs'): if node.has_bundle('zfs'):
directories['/var/www/{}'.format(vhost)]['needs'] = { directories[f'/var/www/{vhost}']['needs'] = {
'bundle:zfs', 'bundle:zfs',
} }
directories['/var/www/{}'.format(vhost)].update(config.get('webroot_config', {})) directories[f'/var/www/{vhost}'].update(config.get('webroot_config', {}))
if config.get('ssl', 'letsencrypt') == 'letsencrypt': if config.get('ssl', 'letsencrypt') == 'letsencrypt':
files['/etc/nginx/sites/{}'.format(vhost)]['needs'].add('action:letsencrypt_ensure-some-certificate_{}'.format(config['domain'])) files[f'/etc/nginx/sites/{vhost}']['needs'].add('action:letsencrypt_ensure-some-certificate_{}'.format(config['domain']))
files[f'/etc/nginx/sites/{vhost}']['needed_by'].add('action:letsencrypt_update_certificates')
port80_has_letsencrypt = True
install_port80_redirect = True
elif config.get('ssl', 'letsencrypt'):
files[f'/etc/nginx/ssl/{vhost}.crt'] = {
'content_type': 'mako',
'source': 'ssl_template',
'context': {
'domain': config['ssl'],
},
'needed_by': {
'svc_systemd:nginx',
'svc_systemd:nginx:restart',
},
'triggers': {
'svc_systemd:nginx:reload',
},
}
files[f'/etc/nginx/ssl/{vhost}.key'] = {
'content': repo.vault.decrypt_file('ssl/{}.key.pem.vault'.format(config['ssl'])),
'mode': '0600',
'needed_by': {
'svc_systemd:nginx',
'svc_systemd:nginx:restart',
},
'triggers': {
'svc_systemd:nginx:reload',
},
}
files[f'/etc/nginx/sites/{vhost}']['needs'].add(f'file:/etc/nginx/ssl/{vhost}.crt')
files[f'/etc/nginx/sites/{vhost}']['needs'].add(f'file:/etc/nginx/ssl/{vhost}.key')
install_port80_redirect = True
if install_port80_redirect:
files['/etc/nginx/sites/000-port80.conf'] = {
'source': 'port80.conf',
'content_type': 'mako',
'context': {
'needs_le': port80_has_letsencrypt,
},
'triggers': {
'svc_systemd:nginx:restart',
},
}