Finish packer build for nginx proxy
This commit is contained in:
parent
aec886064a
commit
322449a194
@ -1,11 +1,21 @@
|
||||
.PHONY: force
|
||||
|
||||
packer-manifest.json:
|
||||
packer-manifest.json: nginx.json \
|
||||
tmp/nginx.conf \
|
||||
tmp/do.ini \
|
||||
files/certbot-renew.service \
|
||||
files/certbot-renew.timer \
|
||||
scripts/dependencies.sh \
|
||||
scripts/nginx.sh
|
||||
packer build nginx.json
|
||||
|
||||
tmp/nginx.conf: tmp force
|
||||
cd terraform && terraform apply -auto-approve
|
||||
|
||||
tmp/do.ini: templates/do.ini.template tmp
|
||||
sigil -p -f templates/do.ini.template > tmp/do.ini
|
||||
chmod 600 tmp/do.ini
|
||||
|
||||
tmp:
|
||||
mkdir tmp
|
||||
|
||||
|
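Review bot: In the `tmp/do.ini` rule the file is created by the shell redirect before `chmod 600` runs, so the rendered DigitalOcean token briefly sits on disk with umask permissions, and as a prerequisite of `packer-manifest.json` it is then shipped into the image by `packer build`; write it closed from the start with `umask 077; sigil -p -f templates/do.ini.template > tmp/do.ini` and make sure `tmp/` is git-ignored (not verifiable from this hunk). `tmp/nginx.conf: tmp force` runs `terraform apply -auto-approve` as a side effect of producing a config file, so every `make` can change live infrastructure with no plan review; if the rule only needs Terraform outputs, derive the file from `terraform output` and keep `apply` a deliberate, separate target. `packer-manifest.json` is both the build target here and a file committed in this change, so each build will dirty the tree; generated output like that is better ignored than tracked.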
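--- a/prod/nginx/packer/files/certbot-renew.service
+++ b/prod/nginx/packer/files/certbot-renew.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Renew certbot certificates
+Wants=cerbot-renew.timer
+
+[Service]
+Type=simple
+ExecStart=/usr/bin/env certbot renew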
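Review bot: `Wants=cerbot-renew.timer` misspells the unit (the timer added in this commit is `certbot-renew.timer`), so systemd will warn about a missing unit and the dependency does nothing; fix the spelling or drop the line, since the timer's `WantedBy=timers.target` is what activates it. `ExecStart=/usr/bin/env certbot renew` replaces the files under `/etc/letsencrypt/live` but nothing reloads nginx, which reads the certificate at startup, so a renewed certificate would not be served until the next restart; use `ExecStart=/usr/bin/env certbot renew --deploy-hook 'systemctl reload nginx'` or put a script in `/etc/letsencrypt/renewal-hooks/deploy/`. For a timer-driven job `Type=oneshot` is the conventional type: a failed renewal is then recorded as a failed unit instead of the service being reported active as soon as the process is forked.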
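--- a/prod/nginx/packer/files/certbot-renew.timer
+++ b/prod/nginx/packer/files/certbot-renew.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Renew certbot certificates
+
+[Timer]
+OnBootSec=30s
+OnCalendar=weekly
+Persistent=true
+
+[Install]
+WantedBy=timers.target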
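Review bot: `OnCalendar=weekly` is a sparse schedule for certificate renewal; Let's Encrypt recommends checking at least twice a day so a transient failure or a revocation is caught with time to spare, e.g. `OnCalendar=*-*-* 00/12:00:00`. As far as I recall the Debian/Ubuntu `certbot` package that `scripts/dependencies.sh` installs already ships its own `certbot.timer` on that cadence, so this unit is likely a duplicate; confirm on the base image and either rely on the packaged timer or mask it in `scripts/nginx.sh` so only one schedule is in effect. Since every droplet is built from the same image they will all fire at the same instant; add `RandomizedDelaySec=1h` to spread the renewals. `Persistent=true` is right here, a run missed during downtime is caught up at boot.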
@ -16,11 +16,32 @@
|
||||
},
|
||||
{
|
||||
"type": "file",
|
||||
"source": "tmp/nginx.conf"
|
||||
"source": "tmp/nginx.conf",
|
||||
"destination": "/tmp/nginx.conf"
|
||||
},
|
||||
{
|
||||
"type": "file",
|
||||
"source": "tmp/do.ini",
|
||||
"destination": "/tmp/do.ini"
|
||||
},
|
||||
{
|
||||
"type": "file",
|
||||
"source": "files/certbot-renew.timer",
|
||||
"destination": "/tmp/certbot-renew.timer"
|
||||
},
|
||||
{
|
||||
"type": "file",
|
||||
"source": "files/certbot-renew.service",
|
||||
"destination": "/tmp/certbot-renew.service"
|
||||
},
|
||||
{
|
||||
"type": "shell",
|
||||
"script": "scripts/nginx.sh"
|
||||
}
|
||||
],
|
||||
"post-processors": [
|
||||
{
|
||||
"type": "manifest"
|
||||
}
|
||||
]
|
||||
}
|
||||
|
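Review bot: The new `file` provisioner for `tmp/do.ini` uploads the DigitalOcean API token to `/tmp/do.ini` on the build droplet, and I do not believe the file provisioner carries the local 0600 mode across, so until `scripts/nginx.sh` moves it the token may be readable by any process on the builder. A less exposed route is to not upload the file at all: hand the token to the `shell` provisioner via `environment_vars` and have the script write it under `umask 077` straight to its final root-owned path, with `set +x` around that step so it does not reach the build log. Whether the token should end up in the snapshot at all is a question for `scripts/nginx.sh`, which persists it.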
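--- a/prod/nginx/packer/packer-manifest.json
+++ b/prod/nginx/packer/packer-manifest.json
@@ -0,0 +1,14 @@
+{
+"builds": [
+{
+"name": "digitalocean",
+"builder_type": "digitalocean",
+"build_time": 1633368571,
+"files": null,
+"artifact_id": "nyc1:92979065",
+"packer_run_uuid": "81fa12be-706c-56b2-80bb-e4133a2c4ffe",
+"custom_data": null
+}
+],
+"last_run_uuid": "81fa12be-706c-56b2-80bb-e4133a2c4ffe"
+}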
@ -2,5 +2,8 @@
|
||||
|
||||
set -xe
|
||||
|
||||
sudo apt-get update
|
||||
sudo apt-get install -y nginx
|
||||
sudo apt-get update && sleep 5
|
||||
sudo apt-get install -y \
|
||||
nginx \
|
||||
certbot \
|
||||
python3-certbot-dns-digitalocean
|
||||
|
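Review bot: `sudo apt-get update && sleep 5` looks like a workaround for the apt/dpkg lock that unattended-upgrades holds on a freshly booted droplet, and a fixed sleep is not a reliable fix for that race; if the base image's apt is 1.9.11 or newer, `-o DPkg::Lock::Timeout=120` on both `apt-get` calls makes apt wait for the lock instead, and if the sleep is there for another reason a one-line comment saying why would help the next reader. The install should also run under `DEBIAN_FRONTEND=noninteractive` so a debconf prompt cannot hang the build. `set -xe` is fine in this script since no secret appears on any command line.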
@ -2,4 +2,19 @@
|
||||
|
||||
set -xe
|
||||
|
||||
sudo mv /tmp/do.ini ~/do.ini
|
||||
sudo certbot certonly \
|
||||
-n \
|
||||
--agree-tos \
|
||||
-m 'jeremy.dormitzer@gmail.com' \
|
||||
--dns-digitalocean \
|
||||
--dns-digitalocean-credentials ~/do.ini \
|
||||
-d '*.jeremydormitzer.com'
|
||||
|
||||
sudo mv /tmp/nginx.conf /etc/nginx/sites-available/default
|
||||
sudo mkdir -p /var/log/nginx
|
||||
sudo systemctl enable nginx
|
||||
|
||||
sudo mv /tmp/certbot-renew.timer /etc/systemd/system/
|
||||
sudo mv /tmp/certbot-renew.service /etc/systemd/system/
|
||||
sudo systemctl enable certbot-renew.timer
|
||||
|
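Review bot: `sudo mv /tmp/do.ini ~/do.ini` persists the DigitalOcean API token in the image: `~` is expanded by the unprivileged build user's shell before sudo runs, so the file lands in that user's home directory, is captured in the snapshot, and cannot be removed afterwards because `certbot renew` needs it at the path recorded by `certonly`. Every droplet created from this image, and anyone who can read the snapshot, then holds a token that for a classic DO personal access token controls the whole account, and the wildcard certificate's private key under `/etc/letsencrypt/live` is baked in and shared by all instances the same way. If the token must live on the host, at least keep it root-only outside any home directory: `sudo install -m 600 -o root -g root /tmp/do.ini /root/do.ini`, `sudo rm -f /tmp/do.ini`, and `--dns-digitalocean-credentials /root/do.ini`. Better, obtain the certificate and place the credentials at first boot (cloud-init/user-data fed from a secret store) rather than at image build, which also stops every `packer build` from re-issuing the same certificate against Let's Encrypt's duplicate-certificate rate limit.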
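--- a/prod/nginx/packer/templates/do.ini.template
+++ b/prod/nginx/packer/templates/do.ini.template
@@ -0,0 +1 @@
+dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?}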
@ -1,10 +1,31 @@
|
||||
%{ for server in servers ~}
|
||||
server {
|
||||
server_name ${server.domain}
|
||||
server_name ${server.domain};
|
||||
access_log /var/log/nginx/${server.domain}-access.log;
|
||||
|
||||
location / {
|
||||
proxy_pass http://${server.ip}:${server.port}
|
||||
proxy_pass http://${server.ip}:${server.port};
|
||||
}
|
||||
|
||||
listen [::]:443 ssl ipv6only=on;
|
||||
listen 443 ssl;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/jeremydormitzer.com/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/jeremydormitzer.com/privkey.pem;
|
||||
|
||||
ssl_session_cache shared:le_nginx_SSL:1m;
|
||||
ssl_session_timeout 1440m;
|
||||
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
|
||||
|
||||
}
|
||||
|
||||
%{ endfor ~}
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
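Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1, which RFC 8996 deprecates, and the `ssl_ciphers` list ends with 3DES (`DES-CBC3-SHA`) and static-RSA suites with no forward secrecy; for a new proxy use `ssl_protocols TLSv1.2 TLSv1.3;` with a current Mozilla "intermediate" cipher list, or drop `ssl_ciphers` and `ssl_prefer_server_ciphers` and take the nginx defaults. The `location /` block forwards with no `proxy_set_header`, so the backend sees `Host` as `${server.ip}:${server.port}` and cannot tell the request came in over HTTPS; the rewrite below adds the usual `Host` and `X-Forwarded-*` headers. Once every `${server.domain}` is confirmed to work over TLS, `add_header Strict-Transport-Security "max-age=63072000" always;` is worth adding, and note the certificate covers only `*.jeremydormitzer.com`, so an apex domain in `servers` would fail the name check.

```nginx
    location / {
        proxy_pass http://${server.ip}:${server.port};
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
    # … unchanged: listen / ssl_certificate / ssl_session_* lines …
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
```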