Finish packer build for nginx proxy

This commit is contained in:
Jeremy Dormitzer 2021-10-04 13:29:59 -04:00
parent aec886064a
commit 322449a194
9 changed files with 109 additions and 7 deletions


@ -1,11 +1,21 @@
.PHONY: force
packer-manifest.json:
packer-manifest.json: nginx.json \
tmp/nginx.conf \
tmp/do.ini \
files/certbot-renew.service \
files/certbot-renew.timer \
scripts/dependencies.sh \
scripts/nginx.sh
packer build nginx.json
tmp/nginx.conf: tmp force
cd terraform && terraform apply -auto-approve
tmp/do.ini: templates/do.ini.template tmp
sigil -p -f templates/do.ini.template > tmp/do.ini
chmod 600 tmp/do.ini
tmp:
mkdir tmp
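Review bot: `sigil -p -f templates/do.ini.template > tmp/do.ini` creates the token file under the default umask before `chmod 600` runs, so the DigitalOcean API token is briefly readable by other users on a shared workstation; create it restricted from the start, e.g. `(umask 077; sigil -p -f templates/do.ini.template > tmp/do.ini)`, which also makes the separate `chmod` redundant. The `tmp/nginx.conf: tmp force` rule runs `terraform apply -auto-approve` as a build prerequisite, so every `make` invocation applies infrastructure changes with no plan review; consider having the rule read `terraform output` and keeping apply as an explicit target. Nothing in the diff shows `tmp/` being git-ignored, so it is worth confirming `tmp/do.ini` can never be committed.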


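--- /dev/null
+++ b/files/certbot-renew.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Renew certbot certificates
+Wants=cerbot-renew.timer
+[Service]
+Type=simple
+ExecStart=/usr/bin/env certbot renew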
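Review bot: `Wants=cerbot-renew.timer` misspells the timer unit (it is installed as `certbot-renew.timer`) and the dependency is backwards anyway — the timer activates the service, not the other way round — so drop the line. `certbot renew` only writes new certificates to disk; nginx keeps serving the old ones until it is reloaded, so the renewal should carry a hook, `ExecStart=/usr/bin/env certbot renew --deploy-hook 'systemctl reload nginx'`. A run-to-completion job like this is conventionally `Type=oneshot` rather than `Type=simple`, so that a failed renewal shows up as a failed unit in the timer's history.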


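--- /dev/null
+++ b/files/certbot-renew.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Renew certbot certificates
+[Timer]
+OnBootSec=30s
+OnCalendar=weekly
+Persistent=true
+[Install]
+WantedBy=timers.target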
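Review bot: `OnCalendar=weekly` leaves only a handful of attempts inside the 30-day window in which certbot will actually renew, so a transient ACME or DNS-validation failure on one of them eats a sizeable share of the remaining margin; certbot's own guidance is to run twice daily with jitter, e.g. `OnCalendar=*-*-* 00,12:00:00` plus `RandomizedDelaySec=1h`. The Debian/Ubuntu `certbot` package installed by `scripts/dependencies.sh` ships its own `certbot.timer` as far as I recall, so this unit may be doubling it up — worth checking `systemctl list-timers` on a built droplet and masking one of the two.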


@ -16,11 +16,32 @@
},
{
"type": "file",
"source": "tmp/nginx.conf"
"source": "tmp/nginx.conf",
"destination": "/tmp/nginx.conf"
},
{
"type": "file",
"source": "tmp/do.ini",
"destination": "/tmp/do.ini"
},
{
"type": "file",
"source": "files/certbot-renew.timer",
"destination": "/tmp/certbot-renew.timer"
},
{
"type": "file",
"source": "files/certbot-renew.service",
"destination": "/tmp/certbot-renew.service"
},
{
"type": "shell",
"script": "scripts/nginx.sh"
}
],
"post-processors": [
{
"type": "manifest"
}
]
}
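Review bot: the `file` provisioner that uploads `tmp/do.ini` to `/tmp/do.ini` carries the DigitalOcean API token through a world-searchable directory, and I do not believe Packer's file provisioner preserves the local `chmod 600`, so the token is readable by any process on the build VM until `scripts/nginx.sh` moves it. Either make `chmod 600 /tmp/do.ini` the first step of the shell provisioner, or pass the token via the shell provisioner's `environment_vars` and write the credentials file in the script itself so it never exists with a loose mode. The provisioners array begins before this hunk, so earlier uploads are not reviewed here.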


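--- /dev/null
+++ b/packer-manifest.json
@@ -0,0 +1,14 @@
+{
+  "builds": [
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1633368571,
+      "files": null,
+      "artifact_id": "nyc1:92979065",
+      "packer_run_uuid": "81fa12be-706c-56b2-80bb-e4133a2c4ffe",
+      "custom_data": null
+    }
+  ],
+  "last_run_uuid": "81fa12be-706c-56b2-80bb-e4133a2c4ffe"
+}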


@ -2,5 +2,8 @@
set -xe
sudo apt-get update
sudo apt-get install -y nginx
sudo apt-get update && sleep 5
sudo apt-get install -y \
nginx \
certbot \
python3-certbot-dns-digitalocean
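Review bot: `sudo apt-get update && sleep 5` — the fixed sleep presumably papers over the first-boot apt/dpkg lock held by cloud-init or unattended-upgrades, but five seconds is arbitrary and will fail intermittently on a slow droplet; wait for the actual condition instead, e.g. `sudo cloud-init status --wait` before the first `apt-get`, or a loop on `fuser /var/lib/dpkg/lock-frontend`. The `apt-get install` should also run under `DEBIAN_FRONTEND=noninteractive` so a package prompt cannot hang the unattended build. The script's shebang is above this hunk.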


@ -2,4 +2,19 @@
set -xe
sudo mv /tmp/do.ini ~/do.ini
sudo certbot certonly \
-n \
--agree-tos \
-m 'jeremy.dormitzer@gmail.com' \
--dns-digitalocean \
--dns-digitalocean-credentials ~/do.ini \
-d '*.jeremydormitzer.com'
sudo mv /tmp/nginx.conf /etc/nginx/sites-available/default
sudo mkdir -p /var/log/nginx
sudo systemctl enable nginx
sudo mv /tmp/certbot-renew.timer /etc/systemd/system/
sudo mv /tmp/certbot-renew.service /etc/systemd/system/
sudo systemctl enable certbot-renew.timer
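Review bot: `sudo mv /tmp/do.ini ~/do.ini` leaves a DigitalOcean API token permanently inside the snapshot, next to the wildcard private key in `/etc/letsencrypt`, so anyone who can read the image or any droplet built from it gets DNS write access to the whole account; if renewal must run on the droplet, at least install the file restricted with `sudo install -m 600 /tmp/do.ini ~/do.ini` (certbot warns on looser modes) and use the narrowest token scope available, and otherwise issue the certificate at first boot from a secret injected via user-data rather than baking it in. Note that `~` is expanded by the provisioning user's shell before `sudo` runs, so the absolute path certbot records in its renewal config is that user's home — correct only if the timer runs as the same user (root by default on DigitalOcean). Add `sudo nginx -t` after the config is moved into place so a template error fails the build rather than the droplet.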


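--- /dev/null
+++ b/templates/do.ini.template
@@ -0,0 +1 @@
+dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?}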


@ -1,10 +1,31 @@
%{ for server in servers ~}
server {
server_name ${server.domain}
server_name ${server.domain};
access_log /var/log/nginx/${server.domain}-access.log;
location / {
proxy_pass http://${server.ip}:${server.port}
proxy_pass http://${server.ip}:${server.port};
}
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/jeremydormitzer.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/jeremydormitzer.com/privkey.pem;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
}
%{ endfor ~}
server {
listen 80;
listen [::]:80;
return 301 https://$host$request_uri;
}
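Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables protocols deprecated by RFC 8996, and the `ssl_ciphers` list admits 3DES (`DES-CBC3-SHA`), SHA-1 MACs and non-forward-secret RSA key exchange; change it to `ssl_protocols TLSv1.2 TLSv1.3;` and trim the cipher string to the ECDHE AEAD suites (the first six entries of the current list). `proxy_pass` forwards nothing about the original request, so add `proxy_set_header Host $host;`, `proxy_set_header X-Forwarded-Proto https;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` inside `location /` if the backends rely on them. With no `default_server` on 443, a request whose SNI matches none of the generated names is answered by the first block in the loop under the wildcard certificate; a catch-all `server { listen 443 ssl default_server; return 444; }` with the same certificate lines closes that hole. The `for` loop and the port-80 redirect block are fully within the hunk.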