Put wallabag behind nginx proxy

2021-10-05 17:45:53 -04:00 · 2021-10-05 17:45:53 -04:00 · 6c10b1bb97
commit 6c10b1bb97
parent dd29785d86
10 changed files with 35 additions and 82 deletions
--- a/mgmt/do-jeremydormitzer-com/terraform/data.tf
+++ b/mgmt/do-jeremydormitzer-com/terraform/data.tf
@ -28,21 +28,6 @@ data "terraform_remote_state" "syncthing" {
  }
 }

-data "terraform_remote_state" "wallabag" {
-  backend = "s3"
-
-  config = {
-    skip_credentials_validation = true
-    skip_metadata_api_check     = true
-    access_key                  = var.spaces_access_id
-    secret_key                  = var.spaces_secret_key
-    region                      = "us-east-1"
-    endpoint                    = "nyc3.digitaloceanspaces.com"
-    bucket                      = "jdormit-tf-state"
-    key                         = "prod/wallabag.tfstate"
-  }
-}
-
 data "terraform_remote_state" "freshrss" {
  backend = "s3"

--- a/mgmt/do-jeremydormitzer-com/terraform/main.tf
+++ b/mgmt/do-jeremydormitzer-com/terraform/main.tf
@ -88,7 +88,7 @@ resource "digitalocean_record" "wallabag" {
  domain = digitalocean_domain.jeremydormitzer_com.name
  type   = "A"
  name   = "wallabag"
-  value  = data.terraform_remote_state.wallabag.outputs.ip_address
+  value  = data.terraform_remote_state.nginx.outputs.nginx_ip_address
  ttl    = 3600
 }

--- a/prod/nginx/packer/packer-manifest.json
+++ b/prod/nginx/packer/packer-manifest.json
@ -53,7 +53,25 @@
      "artifact_id": "nyc1:93041994",
      "packer_run_uuid": "8a308586-3253-93bb-b2a7-c11151a8d19c",
      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1633459198,
+      "files": null,
+      "artifact_id": "nyc1:93047327",
+      "packer_run_uuid": "4adb4205-6a8b-6a87-b92d-a3766eada22d",
+      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1633469746,
+      "files": null,
+      "artifact_id": "nyc1:93061502",
+      "packer_run_uuid": "d18c424a-c0cd-547f-52f8-0496f2ece79f",
+      "custom_data": null
    }
  ],
-  "last_run_uuid": "8a308586-3253-93bb-b2a7-c11151a8d19c"
+  "last_run_uuid": "d18c424a-c0cd-547f-52f8-0496f2ece79f"
 }
--- a/prod/nginx/packer/terraform/templates/nginx.conf.template
+++ b/prod/nginx/packer/terraform/templates/nginx.conf.template
@ -61,6 +61,7 @@ http {
        error_log /var/log/nginx/${server.domain}_error.log;
    
        location / {
+            proxy_set_header Host $host;
            proxy_pass http://${server.ip}:${server.port};
        }
    
--- a/prod/wallabag/packer/Makefile
+++ b/prod/wallabag/packer/Makefile
@ -1,5 +1,3 @@
-.PHONY: reissue-certs
-
 packer-manifest.json: wallabag.json \
 		      scripts/dependencies.sh \
 		      scripts/nginx.sh \
@ -8,9 +6,7 @@ packer-manifest.json: wallabag.json \
 		      files/wallabag-nginx.conf \
 		      files/entries.json \
 	              files/wallabag-params.yml \
-		      files/clients.sql \
-		      certbot/live/wallabag.jeremydormitzer.com/fullchain.pem \
-		      certbot/live/wallabag.jeremydormitzer.com/privkey.pem
+		      files/clients.sql
 	packer build wallabag.json

 files/wallabag-params.yml: templates/wallabag-params.yml.template
@ -18,25 +14,3 @@ files/wallabag-params.yml: templates/wallabag-params.yml.template

 files/clients.sql: templates/clients.sql.template
 	sigil -p -f templates/clients.sql.template > files/clients.sql
-
-certbot/live/wallabag.jeremydormitzer.com/fullchain.pem certbot/live/wallabag.jeremydormitzer.com/privkey.pem &: tmp/do.ini
-	certbot certonly -n \
-                         --agree-tos \
-                         --email ${CERTBOT_EMAIL} \
-                         --dns-digitalocean \
-                         --dns-digitalocean-credentials tmp/do.ini \
-                         --config-dir ./certbot \
-                         --work-dir ./certbot \
-                         --logs-dir ./certbot \
-                         -d wallabag.jeremydormitzer.com
-
-tmp/do.ini: templates/do.ini.template tmp
-	sigil -p -f templates/do.ini.template > tmp/do.ini
-	chmod 600 tmp/do.ini
-
-tmp:
-	mkdir tmp
-
-reissue-certs:
-	rm -rf certbot
-	make
--- a/prod/wallabag/packer/files/wallabag-nginx.conf
+++ b/prod/wallabag/packer/files/wallabag-nginx.conf
@ -32,29 +32,11 @@ server {
        return 404;
    }

-    listen [::]:443 ssl ipv6only=on;
-    listen 443 ssl;
-
-    ssl_certificate /var/www/wallabag/fullchain.pem;
-    ssl_certificate_key /var/www/wallabag/privkey.pem;
-
-    ssl_session_cache shared:le_nginx_SSL:1m;
-    ssl_session_timeout 1440m;
-
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_prefer_server_ciphers on;
-
-    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
-
+    listen 80;
+    listen [::]:80;

    error_log /var/log/nginx/wallabag_error.log;
    access_log /var/log/nginx/wallabag_access.log;

    client_max_body_size 512M; # allows file uploads up to 512 megabytes
-}
-
-server {
-       listen 80;
-       listen [::]:80;
-       return 301 https://$host$request_uri;
 }
--- a/prod/wallabag/packer/packer-manifest.json
+++ b/prod/wallabag/packer/packer-manifest.json
@ -152,7 +152,16 @@
      "artifact_id": "nyc1:92911527",
      "packer_run_uuid": "3a30edf6-a694-103e-2bf8-68fd5d530ec5",
      "custom_data": null
+    },
+    {
+      "name": "digitalocean",
+      "builder_type": "digitalocean",
+      "build_time": 1633458464,
+      "files": null,
+      "artifact_id": "nyc1:93046881",
+      "packer_run_uuid": "def16176-d225-bf50-7611-7cde1c9e7c17",
+      "custom_data": null
    }
  ],
-  "last_run_uuid": "3a30edf6-a694-103e-2bf8-68fd5d530ec5"
+  "last_run_uuid": "def16176-d225-bf50-7611-7cde1c9e7c17"
 }
--- a/prod/wallabag/packer/scripts/nginx.sh
+++ b/prod/wallabag/packer/scripts/nginx.sh
@ -2,9 +2,6 @@

 set -xe

-sudo mv /tmp/fullchain.pem /var/www/wallabag/fullchain.pem
-sudo mv /tmp/privkey.pem /var/www/wallabag/privkey.pem
-chown www-data:www-data /var/www/wallabag/{fullchain,privkey}.pem
 sudo mv /tmp/wallabag-nginx.conf \
     /etc/nginx/sites-available/wallabag.conf
 sudo ln -s /etc/nginx/sites-available/wallabag.conf \
--- a/prod/wallabag/packer/templates/do.ini.template
+++ b/prod/wallabag/packer/templates/do.ini.template
@ -1 +0,0 @@
-dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?}
--- a/prod/wallabag/packer/wallabag.json
+++ b/prod/wallabag/packer/wallabag.json
@ -35,21 +35,9 @@
    },
    {
      "type": "shell",
-      "environment_vars": [
-        "ADMIN_PASSWORD={{user `wallabag_admin_password`}}"
-      ],
+      "environment_vars": ["ADMIN_PASSWORD={{user `wallabag_admin_password`}}"],
      "script": "scripts/wallabag.sh"
    },
-    {
-      "type": "file",
-      "source": "certbot/live/wallabag.jeremydormitzer.com/fullchain.pem",
-      "destination": "/tmp/fullchain.pem"
-    },
-    {
-      "type": "file",
-      "source": "certbot/live/wallabag.jeremydormitzer.com/privkey.pem",
-      "destination": "/tmp/privkey.pem"
-    },
    {
      "type": "file",
      "source": "files/wallabag-nginx.conf",
				`@ -1 +0,0 @@`
				`dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?}`