diff --git a/prod/nginx/packer/Makefile b/prod/nginx/packer/Makefile
index 73710d7..3a23030 100644
--- a/prod/nginx/packer/Makefile
+++ b/prod/nginx/packer/Makefile
@@ -1,11 +1,21 @@
 .PHONY: force
 
-packer-manifest.json:
+packer-manifest.json: nginx.json \
+	tmp/nginx.conf \
+	tmp/do.ini \
+	files/certbot-renew.service \
+	files/certbot-renew.timer \
+	scripts/dependencies.sh \
+	scripts/nginx.sh
 	packer build nginx.json
 
 tmp/nginx.conf: tmp force
 	cd terraform && terraform apply -auto-approve
 
+tmp/do.ini: templates/do.ini.template tmp
+	sigil -p -f templates/do.ini.template > tmp/do.ini
+	chmod 600 tmp/do.ini
+
 tmp:
 	mkdir tmp
 
diff --git a/prod/nginx/packer/files/certbot-renew.service b/prod/nginx/packer/files/certbot-renew.service
new file mode 100644
index 0000000..60f294a
--- /dev/null
+++ b/prod/nginx/packer/files/certbot-renew.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Renew certbot certificates
+Wants=cerbot-renew.timer
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/env certbot renew
\ No newline at end of file
diff --git a/prod/nginx/packer/files/certbot-renew.timer b/prod/nginx/packer/files/certbot-renew.timer
new file mode 100644
index 0000000..cb7faaf
--- /dev/null
+++ b/prod/nginx/packer/files/certbot-renew.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Renew certbot certificates
+
+[Timer]
+OnBootSec=30s
+OnCalendar=weekly
+Persistent=true
+
+[Install]
+WantedBy=timers.target
\ No newline at end of file
diff --git a/prod/nginx/packer/nginx.json b/prod/nginx/packer/nginx.json
index 0b709a9..6c578d6 100644
--- a/prod/nginx/packer/nginx.json
+++ b/prod/nginx/packer/nginx.json
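Review bot: The `tmp/do.ini` recipe redirects the rendered API token into the file under the caller's default umask and only tightens the mode on the following line, so the plaintext secret is readable by other users on the build host for as long as that umask allows, and a failed `sigil` leaves a partial `tmp/do.ini` that looks up to date on the next run. Set the umask in the same shell as the redirect, write to `$@`, and make `tmp` an order-only prerequisite so a changing directory mtime does not re-render the token: `tmp/do.ini: templates/do.ini.template | tmp` followed by `umask 077 && sigil -p -f $< > $@`. Adding `.DELETE_ON_ERROR:` at the top of the file covers the partial-output case for every target, including the new `packer-manifest.json` prerequisite chain. It is also worth confirming that `tmp/` is excluded from version control, since it now holds the token in plaintext next to the rendered nginx.conf.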
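Review bot: `Wants=cerbot-renew.timer` misspells the unit name, and a service pulling in its own timer is backwards in any case — the timer activates the service, so the line should go. `certbot renew` is a one-shot job that needs the network up, so the unit should declare `After=network-online.target` and `Type=oneshot` rather than `simple`; and because nothing reloads nginx after a successful renewal, the server keeps presenting the old certificate until something restarts it. The unit I would ship instead is below.
```ini
[Unit]
; … unchanged: Description …
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/env certbot renew --deploy-hook "systemctl reload nginx"
```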
@@ -16,11 +16,32 @@
     },
     {
       "type": "file",
-      "source": "tmp/nginx.conf"
+      "source": "tmp/nginx.conf",
+      "destination": "/tmp/nginx.conf"
+    },
+    {
+      "type": "file",
+      "source": "tmp/do.ini",
+      "destination": "/tmp/do.ini"
+    },
+    {
+      "type": "file",
+      "source": "files/certbot-renew.timer",
+      "destination": "/tmp/certbot-renew.timer"
+    },
+    {
+      "type": "file",
+      "source": "files/certbot-renew.service",
+      "destination": "/tmp/certbot-renew.service"
     },
     {
       "type": "shell",
       "script": "scripts/nginx.sh"
     }
+  ],
+  "post-processors": [
+    {
+      "type": "manifest"
+    }
   ]
 }
diff --git a/prod/nginx/packer/packer-manifest.json b/prod/nginx/packer/packer-manifest.json
new file mode 100644
index 0000000..76e56aa
--- /dev/null
+++ b/prod/nginx/packer/packer-manifest.json
@@ -0,0 +1,14 @@
+{
+  "builds": [
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1633368571,
+      "files": null,
+      "artifact_id": "nyc1:92979065",
+      "packer_run_uuid": "81fa12be-706c-56b2-80bb-e4133a2c4ffe",
+      "custom_data": null
+    }
+  ],
+  "last_run_uuid": "81fa12be-706c-56b2-80bb-e4133a2c4ffe"
+}
\ No newline at end of file
diff --git a/prod/nginx/packer/scripts/dependencies.sh b/prod/nginx/packer/scripts/dependencies.sh
index 83696df..6b8a9e8 100644
--- a/prod/nginx/packer/scripts/dependencies.sh
+++ b/prod/nginx/packer/scripts/dependencies.sh
@@ -2,5 +2,8 @@
 
 set -xe
 
-sudo apt-get update
-sudo apt-get install -y nginx
+sudo apt-get update && sleep 5
+sudo apt-get install -y \
+    nginx \
+    certbot \
+    python3-certbot-dns-digitalocean
diff --git a/prod/nginx/packer/scripts/nginx.sh b/prod/nginx/packer/scripts/nginx.sh
index aaa2e54..99996b5 100644
--- a/prod/nginx/packer/scripts/nginx.sh
+++ b/prod/nginx/packer/scripts/nginx.sh
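Review bot: `sudo apt-get update && sleep 5` introduces a fixed delay with no explanation; if it is there because a freshly booted droplet still holds the apt/dpkg lock (cloud-init or the apt-daily units), a sleep is a race that passes on one build and fails the next. Either record the intent with a comment such as `# fresh droplets may still hold the dpkg lock (cloud-init/apt-daily); see below` or, better, replace the sleep with an explicit wait, for example looping on `fuser /var/lib/dpkg/lock-frontend` until it is free. Since this runs unattended, the install line should also carry `DEBIAN_FRONTEND=noninteractive` so a package prompt cannot hang the packer build.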
@@ -2,4 +2,19 @@
 
 set -xe
 
+sudo mv /tmp/do.ini ~/do.ini
+sudo certbot certonly \
+    -n \
+    --agree-tos \
+    -m 'jeremy.dormitzer@gmail.com' \
+    --dns-digitalocean \
+    --dns-digitalocean-credentials ~/do.ini \
+    -d '*.jeremydormitzer.com'
+
+sudo mv /tmp/nginx.conf /etc/nginx/sites-available/default
+sudo mkdir -p /var/log/nginx
 sudo systemctl enable nginx
+
+sudo mv /tmp/certbot-renew.timer /etc/systemd/system/
+sudo mv /tmp/certbot-renew.service /etc/systemd/system/
+sudo systemctl enable certbot-renew.timer
diff --git a/prod/nginx/packer/templates/do.ini.template b/prod/nginx/packer/templates/do.ini.template
new file mode 100644
index 0000000..7c6ec3f
--- /dev/null
+++ b/prod/nginx/packer/templates/do.ini.template
@@ -0,0 +1 @@
+dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?}
\ No newline at end of file
diff --git a/prod/nginx/packer/terraform/templates/nginx.conf.template b/prod/nginx/packer/terraform/templates/nginx.conf.template
index a7af42b..675f882 100644
--- a/prod/nginx/packer/terraform/templates/nginx.conf.template
+++ b/prod/nginx/packer/terraform/templates/nginx.conf.template
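Review bot: `sudo mv /tmp/do.ini ~/do.ini` bakes the DigitalOcean API token into the image under the SSH user's home (`~` is expanded by the unprivileged shell before `sudo` runs), so every droplet created from this snapshot carries a token that, depending on how it was scoped, may grant read/write access to the whole account, and the packer file provisioner is not guaranteed to preserve the 0600 mode that was set on the build host. Place it under root with an explicit mode and point certbot at that path: `sudo install -m 600 -o root -g root /tmp/do.ini /root/do.ini` and `--dns-digitalocean-credentials /root/do.ini \`, then `sudo rm -f /tmp/do.ini`. The renewal timer needs the token at runtime so it has to live on the image; it should be a token created for this purpose alone so it can be rotated without touching anything else. Note also that `certbot certonly` runs on every image build, so each `make` issues a fresh wildcard certificate against Let's Encrypt's duplicate-certificate rate limit and bakes that private key into the snapshot.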
@@ -1,10 +1,31 @@
 %{ for server in servers ~}
 server {
-  server_name ${server.domain}
+  server_name ${server.domain};
+  access_log /var/log/nginx/${server.domain}-access.log;
 
   location / {
-    proxy_pass http://${server.ip}:${server.port}
+    proxy_pass http://${server.ip}:${server.port};
   }
+
+  listen [::]:443 ssl ipv6only=on;
+  listen 443 ssl;
+
+  ssl_certificate /etc/letsencrypt/live/jeremydormitzer.com/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/jeremydormitzer.com/privkey.pem;
+
+  ssl_session_cache shared:le_nginx_SSL:1m;
+  ssl_session_timeout 1440m;
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_prefer_server_ciphers on;
+
+  ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+
 
 }
-%{ endfor ~}
\ No newline at end of file
+%{ endfor ~}
+server {
+  listen 80;
+  listen [::]:80;
+  return 301 https://$host$request_uri;
+}
\ No newline at end of file
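Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables the deprecated TLS 1.0 and 1.1 protocols on a brand-new listener, and the `ssl_ciphers` list below it still carries 3DES (`DES-CBC3-SHA`) and the non-forward-secret static-RSA suites (`AES128-SHA` and friends) — it looks like an older certbot-generated `options-ssl-nginx.conf` pasted verbatim. Change it to `ssl_protocols TLSv1.2 TLSv1.3;` (the nginx/OpenSSL that dependencies.sh installs should support 1.3 — confirm on the built image) and drop the `*DES-CBC3-SHA` entries and every suite without an `ECDHE-`/`DHE-` prefix. With the 80→443 redirect now in place, `add_header Strict-Transport-Security "max-age=63072000" always;` on the 443 servers is the natural companion. The certificate paths hard-code `jeremydormitzer.com` inside a template that otherwise iterates over `servers`; if an entry for another zone is ever added it will be served a certificate for the wrong name, so deriving the path from the server entry or asserting the domain in the template would catch that early.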