bundles/ssl: support using a preexisting ssl certificate
This commit is contained in:
parent
019d658442
commit
d98a1adfd9
4 changed files with 76 additions and 23 deletions
|
@ -6,8 +6,9 @@ server {
|
||||||
location / {
|
location / {
|
||||||
return 308 https://$host$request_uri;
|
return 308 https://$host$request_uri;
|
||||||
}
|
}
|
||||||
|
% if needs_le:
|
||||||
location /.well-known/acme-challenge/ {
|
location /.well-known/acme-challenge/ {
|
||||||
alias /var/lib/dehydrated/acme-challenges/;
|
alias /var/lib/dehydrated/acme-challenges/;
|
||||||
}
|
}
|
||||||
|
% endif
|
||||||
}
|
}
|
||||||
|
|
|
@ -11,9 +11,13 @@ server {
|
||||||
listen 443 ssl http2;
|
listen 443 ssl http2;
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
ssl_trusted_certificate /var/lib/dehydrated/certs/${domain}/chain.pem;
|
% if ssl == 'letsencrypt':
|
||||||
ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem;
|
ssl_certificate /var/lib/dehydrated/certs/${domain}/fullchain.pem;
|
||||||
ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem;
|
ssl_certificate_key /var/lib/dehydrated/certs/${domain}/privkey.pem;
|
||||||
|
% else:
|
||||||
|
ssl_certificate /etc/nginx/ssl/${vhost}.crt;
|
||||||
|
ssl_certificate_key /etc/nginx/ssl/${vhost}.key;
|
||||||
|
% endif
|
||||||
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
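Review bot: The `ssl_trusted_certificate /var/lib/dehydrated/certs/${domain}/chain.pem;` directive is dropped in this hunk (it appears only on the old side, opposite the new `% if ssl == 'letsencrypt':`) and neither branch restores it, while the commit message only talks about adding a preexisting-certificate path. Per the nginx docs, `ssl_stapling_verify` checks OCSP responses against the certificates given by `ssl_trusted_certificate`, so if stapling verification is enabled further down this server block (outside the hunk) the Let's Encrypt branch silently loses that verification — nginx does not reject the config for it. Unless the removal is intended, keep `ssl_trusted_certificate /var/lib/dehydrated/certs/${domain}/chain.pem;` inside the letsencrypt branch and, for the preexisting branch, either point it at the intermediate bundle or add a `# no trusted chain configured: OCSP stapling responses are not verified for preexisting certs` comment so the gap is documented. The server block starts before and continues after this hunk.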
|
||||||
|
|
6
bundles/nginx/files/ssl_template
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
<%
|
||||||
|
from os.path import isfile, join
|
||||||
|
%><%include file="ssl/${domain}.crt.pem"/>
|
||||||
|
% if isfile(join(repo.path, 'data', 'ssl', f'{domain}.crt_intermediate.pem')):
|
||||||
|
<%include file="ssl/${domain}.crt_intermediate.pem"/>
|
||||||
|
% endif
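Review bot: A missing or misnamed `<name>.crt_intermediate.pem` is silently skipped by the `% if isfile(...)` guard, so the generated `.crt` then holds only the leaf and nginx serves an incomplete chain, which fails validation on clients that do not already cache the intermediate; nothing visible in the commit reports that case. If the skip is meant for self-signed or root-issued certificates, state it at the top of the template, e.g. `## Leaf certificate first, then the issuing intermediate if data/ssl/<name>.crt_intermediate.pem exists (nginx wants the chain in this order). A missing intermediate is deliberately not an error — check the file name before assuming the served chain is complete.` Also worth a one-line comment: the existence check resolves against `repo.path/data/ssl`, whereas the `<%include>` is resolved by Mako's template lookup, so the two only agree as long as `data/` stays the lookup root.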
|
|
@ -5,6 +5,12 @@ directories = {
|
||||||
'svc_systemd:nginx:restart',
|
'svc_systemd:nginx:restart',
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
|
'/etc/nginx/ssl': {
|
||||||
|
'purge': True,
|
||||||
|
'triggers': {
|
||||||
|
'svc_systemd:nginx:restart',
|
||||||
|
},
|
||||||
|
},
|
||||||
'/var/www': {},
|
'/var/www': {},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -47,27 +53,13 @@ svc_systemd = {
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
# Always redirect all traffic to HTTPS, except if there is only one
|
|
||||||
# vhost and this vhost has ssl disabled.
|
|
||||||
install_port80_redirect = True
|
|
||||||
if len(node.metadata.get('nginx/vhosts', {})) == 1:
|
|
||||||
vhost_name = list(node.metadata['nginx']['vhosts'].keys())[0]
|
|
||||||
if node.metadata.get('nginx/vhosts/{}/ssl'.format(vhost_name), 'letsencrypt') == False:
|
|
||||||
install_port80_redirect = False
|
install_port80_redirect = False
|
||||||
|
port80_has_letsencrypt = False
|
||||||
if install_port80_redirect:
|
|
||||||
files['/etc/nginx/sites/000-port80.conf'] = {
|
|
||||||
'source': 'port80.conf',
|
|
||||||
'triggers': {
|
|
||||||
'svc_systemd:nginx:restart',
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
|
for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
|
||||||
if not 'domain' in config:
|
if not 'domain' in config:
|
||||||
config['domain'] = vhost
|
config['domain'] = vhost
|
||||||
|
|
||||||
files['/etc/nginx/sites/{}'.format(vhost)] = {
|
files[f'/etc/nginx/sites/{vhost}'] = {
|
||||||
'source': 'site_template',
|
'source': 'site_template',
|
||||||
'content_type': 'mako',
|
'content_type': 'mako',
|
||||||
'context': {
|
'context': {
|
||||||
|
@ -76,20 +68,70 @@ for vhost, config in node.metadata.get('nginx/vhosts', {}).items():
|
||||||
**config,
|
**config,
|
||||||
},
|
},
|
||||||
'needs': set(),
|
'needs': set(),
|
||||||
|
'needed_by': {
|
||||||
|
'svc_systemd:nginx',
|
||||||
|
'svc_systemd:nginx:restart',
|
||||||
|
},
|
||||||
'triggers': {
|
'triggers': {
|
||||||
'svc_systemd:nginx:restart',
|
'svc_systemd:nginx:restart',
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
if not 'webroot' in config:
|
if not 'webroot' in config:
|
||||||
directories['/var/www/{}'.format(vhost)] = {}
|
directories[f'/var/www/{vhost}'] = {}
|
||||||
|
|
||||||
if node.has_bundle('zfs'):
|
if node.has_bundle('zfs'):
|
||||||
directories['/var/www/{}'.format(vhost)]['needs'] = {
|
directories[f'/var/www/{vhost}']['needs'] = {
|
||||||
'bundle:zfs',
|
'bundle:zfs',
|
||||||
}
|
}
|
||||||
|
|
||||||
directories['/var/www/{}'.format(vhost)].update(config.get('webroot_config', {}))
|
directories[f'/var/www/{vhost}'].update(config.get('webroot_config', {}))
|
||||||
|
|
||||||
if config.get('ssl', 'letsencrypt') == 'letsencrypt':
|
if config.get('ssl', 'letsencrypt') == 'letsencrypt':
|
||||||
files['/etc/nginx/sites/{}'.format(vhost)]['needs'].add('action:letsencrypt_ensure-some-certificate_{}'.format(config['domain']))
|
files[f'/etc/nginx/sites/{vhost}']['needs'].add('action:letsencrypt_ensure-some-certificate_{}'.format(config['domain']))
|
||||||
|
files[f'/etc/nginx/sites/{vhost}']['needed_by'].add('action:letsencrypt_update_certificates')
|
||||||
|
port80_has_letsencrypt = True
|
||||||
|
install_port80_redirect = True
|
||||||
|
|
||||||
|
elif config.get('ssl', 'letsencrypt'):
|
||||||
|
files[f'/etc/nginx/ssl/{vhost}.crt'] = {
|
||||||
|
'content_type': 'mako',
|
||||||
|
'source': 'ssl_template',
|
||||||
|
'context': {
|
||||||
|
'domain': config['ssl'],
|
||||||
|
},
|
||||||
|
'needed_by': {
|
||||||
|
'svc_systemd:nginx',
|
||||||
|
'svc_systemd:nginx:restart',
|
||||||
|
},
|
||||||
|
'triggers': {
|
||||||
|
'svc_systemd:nginx:reload',
|
||||||
|
},
|
||||||
|
}
|
||||||
|
files[f'/etc/nginx/ssl/{vhost}.key'] = {
|
||||||
|
'content': repo.vault.decrypt_file('ssl/{}.key.pem.vault'.format(config['ssl'])),
|
||||||
|
'mode': '0600',
|
||||||
|
'needed_by': {
|
||||||
|
'svc_systemd:nginx',
|
||||||
|
'svc_systemd:nginx:restart',
|
||||||
|
},
|
||||||
|
'triggers': {
|
||||||
|
'svc_systemd:nginx:reload',
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
files[f'/etc/nginx/sites/{vhost}']['needs'].add(f'file:/etc/nginx/ssl/{vhost}.crt')
|
||||||
|
files[f'/etc/nginx/sites/{vhost}']['needs'].add(f'file:/etc/nginx/ssl/{vhost}.key')
|
||||||
|
install_port80_redirect = True
|
||||||
|
|
||||||
|
if install_port80_redirect:
|
||||||
|
files['/etc/nginx/sites/000-port80.conf'] = {
|
||||||
|
'source': 'port80.conf',
|
||||||
|
'content_type': 'mako',
|
||||||
|
'context': {
|
||||||
|
'needs_le': port80_has_letsencrypt,
|
||||||
|
},
|
||||||
|
'triggers': {
|
||||||
|
'svc_systemd:nginx:restart',
|
||||||
|
},
|
||||||
|
}
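Review bot: The `elif config.get('ssl', 'letsencrypt'):` branch treats any truthy `ssl` value as a certificate name and splices it straight into the template context and the `ssl/{}.key.pem.vault` vault path, so a metadata value like `ssl: True` yields a lookup of `ssl/True.key.pem.vault` and fails with an unrelated-looking error rather than pointing at the bad setting. Since `ssl` now carries three meanings (`False` disables TLS, `'letsencrypt'` uses dehydrated, any other string names files under `data/ssl/`), guard and document it at the top of the branch: `cert_name = config['ssl']` followed by `if not isinstance(cert_name, str): raise ValueError(f"nginx vhost {vhost}: 'ssl' must be False, 'letsencrypt' or a certificate name, got {cert_name!r}")`, and a comment listing the expected repo files `data/ssl/<name>.crt.pem`, optional `data/ssl/<name>.crt_intermediate.pem` and `data/ssl/<name>.key.pem.vault`. The context key `'domain': config['ssl']` is also misleading, as it carries the certificate name rather than the vhost's domain; a short comment there would prevent it being confused with the `domain` used by the site template. The `for vhost, config` loop this belongs to starts in the previous hunk.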
|
||||||
|
|