diff --git a/prod/wallabag/packer/.gitignore b/prod/wallabag/packer/.gitignore index 7cc7967..e07b1c4 100644 --- a/prod/wallabag/packer/.gitignore +++ b/prod/wallabag/packer/.gitignore @@ -1 +1,4 @@ -files/wallabag-params.yml \ No newline at end of file +files/wallabag-params.yml +files/clients.sql +tmp/ +certbot/ \ No newline at end of file diff --git a/prod/wallabag/packer/Makefile b/prod/wallabag/packer/Makefile index 252d1c2..430ebf5 100644 --- a/prod/wallabag/packer/Makefile +++ b/prod/wallabag/packer/Makefile @@ -5,8 +5,32 @@ packer-manifest.json: wallabag.json \ scripts/wallabag.sh \ files/wallabag-nginx.conf \ files/entries.json \ - files/wallabag-params.yml + files/wallabag-params.yml \ + files/clients.sql \ + certbot/live/wallabag.jeremydormitzer.com/fullchain.pem \ + certbot/live/wallabag.jeremydormitzer.com/privkey.pem packer build wallabag.json files/wallabag-params.yml: templates/wallabag-params.yml.template sigil -p -f templates/wallabag-params.yml.template > files/wallabag-params.yml + +files/clients.sql: templates/clients.sql.template + sigil -p -f templates/clients.sql.template > files/clients.sql + +certbot/live/wallabag.jeremydormitzer.com/fullchain.pem certbot/live/wallabag.jeremydormitzer.com/privkey.pem &: tmp/do.ini + certbot certonly -n \ + --agree-tos \ + --email ${CERTBOT_EMAIL} \ + --dns-digitalocean \ + --dns-digitalocean-credentials tmp/do.ini \ + --config-dir ./certbot \ + --work-dir ./certbot \ + --logs-dir ./certbot \ + -d wallabag.jeremydormitzer.com + +tmp/do.ini: templates/do.ini.template tmp + sigil -p -f templates/do.ini.template > tmp/do.ini + chmod 600 tmp/do.ini + +tmp: + mkdir tmp diff --git a/prod/wallabag/packer/files/wallabag-nginx.conf b/prod/wallabag/packer/files/wallabag-nginx.conf index 001064b..e97ac35 100644 --- a/prod/wallabag/packer/files/wallabag-nginx.conf +++ b/prod/wallabag/packer/files/wallabag-nginx.conf 
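Review bot: In the new `tmp/do.ini` rule the file is first written by `sigil -p -f templates/do.ini.template > tmp/do.ini` and only afterwards restricted by `chmod 600 tmp/do.ini`, so the DigitalOcean API token sits at the default umask for a moment; writing it with the mode already restricted, e.g. `(umask 077; sigil -p -f templates/do.ini.template > tmp/do.ini)`, closes that window and makes the chmod unnecessary. `${CERTBOT_EMAIL}` in the certbot recipe has no guard (make expands an unset variable to nothing, unlike the `:?` used in the sigil templates), so an unset value produces a bare `--email` flag; `--email $(or $(CERTBOT_EMAIL),$(error CERTBOT_EMAIL is not set)) \` fails early instead. Because the grouped pem target depends only on `tmp/do.ini`, make will not re-run certbot once the files exist, so later `packer build` runs silently bake an aging certificate into the image. The `&:` grouped-target syntax also requires GNU make 4.3 or newer, which is worth a comment on the rule.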
@@ -32,8 +32,29 @@ server { return 404; } + listen [::]:443 ssl ipv6only=on; + listen 443 ssl; + + ssl_certificate /var/www/wallabag/fullchain.pem; + ssl_certificate_key /var/www/wallabag/privkey.pem; + + ssl_session_cache shared:le_nginx_SSL:1m; + ssl_session_timeout 1440m; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_prefer_server_ciphers on; + + ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"; + + error_log /var/log/nginx/wallabag_error.log; access_log /var/log/nginx/wallabag_access.log; client_max_body_size 512M; # allows file uploads up to 512 megabytes +} + +server { + listen 80; + listen [::]:80; + return 301 https://$host$request_uri; } \ No newline at end of file diff --git a/prod/wallabag/packer/packer-manifest.json b/prod/wallabag/packer/packer-manifest.json index 181ea95..32d1da5 100644 --- a/prod/wallabag/packer/packer-manifest.json +++ b/prod/wallabag/packer/packer-manifest.json 
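Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1, which are deprecated and unlikely to be needed by the handful of clients this commit registers; `ssl_protocols TLSv1.2 TLSv1.3;` is the current baseline (TLS 1.3 assuming the image's nginx/OpenSSL build supports it). The `ssl_ciphers` list likewise ends with 3DES (`*-DES-CBC3-SHA`) and static-RSA `AES*-SHA*` suites that offer no forward secrecy; trimming it to the ECDHE/DHE AEAD suites at the front of the list should be sufficient for modern clients. Since the new `server { listen 80; ... return 301 https://$host$request_uri; }` block now forces HTTPS, adding `add_header Strict-Transport-Security "max-age=31536000" always;` to the 443 server keeps clients from making a plaintext first request on later visits. The enclosing `server { ... }` block starts outside the hunk.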
@@ -62,7 +62,52 @@ "artifact_id": "nyc1:76467390", "packer_run_uuid": "bbdb5c8d-a7c7-9f7b-ea51-efb20dea80d3", "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1609969544, + "files": null, + "artifact_id": "nyc1:76475302", + "packer_run_uuid": "0ee078df-61d1-ca71-55ad-54af353951bc", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1609970473, + "files": null, + "artifact_id": "nyc1:76476102", + "packer_run_uuid": "b63fe1c4-a1e1-4e5e-be44-6a55b81fe342", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1609971370, + "files": null, + "artifact_id": "nyc1:76477000", + "packer_run_uuid": "2baa8d5b-496a-45cf-ab6d-143923b65079", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1609976881, + "files": null, + "artifact_id": "nyc1:76481960", + "packer_run_uuid": "49264f22-48ae-4a65-dd29-b79edd3f81e6", + "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1610030808, + "files": null, + "artifact_id": "nyc1:76519919", + "packer_run_uuid": "407ebe24-29e2-fe61-80fe-b46b8cffd12b", + "custom_data": null } ], - "last_run_uuid": "bbdb5c8d-a7c7-9f7b-ea51-efb20dea80d3" + "last_run_uuid": "407ebe24-29e2-fe61-80fe-b46b8cffd12b" } \ No newline at end of file diff --git a/prod/wallabag/packer/scripts/nginx.sh b/prod/wallabag/packer/scripts/nginx.sh index 5e918e7..6757348 100644 --- a/prod/wallabag/packer/scripts/nginx.sh +++ b/prod/wallabag/packer/scripts/nginx.sh @@ -2,6 +2,9 @@ set -xe +sudo mv /tmp/fullchain.pem /var/www/wallabag/fullchain.pem +sudo mv /tmp/privkey.pem /var/www/wallabag/privkey.pem +chown www-data:www-data /var/www/wallabag/{fullchain,privkey}.pem sudo mv /tmp/wallabag-nginx.conf \ /etc/nginx/sites-available/wallabag.conf sudo ln -s /etc/nginx/sites-available/wallabag.conf \ 
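Review bot: `chown www-data:www-data /var/www/wallabag/{fullchain,privkey}.pem` is the only new line not prefixed with `sudo`; if the provisioner runs as an unprivileged user, as the surrounding `sudo mv` lines suggest, the chown fails and `set -xe` aborts the build. The private key also does not need to be owned by www-data: when nginx is started as root (the usual package setup) the master process reads `ssl_certificate_key` itself, so giving the key to the account the web application presumably runs under only widens who can read it. Consider replacing the three lines with `sudo install -o root -g root -m 600 /tmp/privkey.pem /var/www/wallabag/privkey.pem` and `sudo install -o root -g root -m 644 /tmp/fullchain.pem /var/www/wallabag/fullchain.pem`, followed by removing the `/tmp` copies so they do not persist in the snapshot. The brace expansion additionally assumes bash; the shebang is outside the hunk.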
diff --git a/prod/wallabag/packer/scripts/wallabag.sh b/prod/wallabag/packer/scripts/wallabag.sh
index 382e748..b807b0f 100644
--- a/prod/wallabag/packer/scripts/wallabag.sh
+++ b/prod/wallabag/packer/scripts/wallabag.sh
@@ -16,4 +16,5 @@ cd /var/www/wallabag
 make install
 php bin/console --env=prod fos:user:create jdormit jeremy.dormitzer@gmail.com "$ADMIN_PASSWORD" --super-admin
 php bin/console --env=prod wallabag:import --importer=v2 jdormit /tmp/entries.json
+sqlite3 /var/www/wallabag/data/db/wallabag.sqlite < /tmp/clients.sql
 EOF
diff --git a/prod/wallabag/packer/templates/clients.sql.template b/prod/wallabag/packer/templates/clients.sql.template
new file mode 100644
index 0000000..ea2572f
--- /dev/null
+++ b/prod/wallabag/packer/templates/clients.sql.template
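Review bot: The new `sqlite3 /var/www/wallabag/data/db/wallabag.sqlite < /tmp/clients.sql` line leaves `/tmp/clients.sql`, which carries all four OAuth client secrets in clear text, on the image after the import; whether `/tmp` is cleared at first boot depends on the base image, so do not rely on it and add `rm -f /tmp/clients.sql /tmp/entries.json` once the import has succeeded. The line also assumes the `sqlite3` CLI is present on the image and that the user running this heredoc can write the database file; if either is false the error surfaces only as a failed build step with no hint, so a `command -v sqlite3 >/dev/null` check or a comment naming the package would help the next reader. The enclosing heredoc (terminated by `EOF`) starts outside the hunk.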
@@ -0,0 +1,91 @@
+--- -*- mode: sql -*-
+BEGIN TRANSACTION;
+INSERT INTO
+ wallabag_oauth2_clients (
+ id,
+ user_id,
+ random_id,
+ secret,
+ redirect_uris,
+ allowed_grant_types,
+ name
+ )
+SELECT
+ 1,
+ id,
+ '${WALLABAG_WALLABAGER_ID:?}',
+ '${WALLABAG_WALLABAGER_SECRET:?}',
+ 'a:1:{i:0;N;}',
+ 'a:4:{i:0;s:5:"token";i:1;s:18:"authorization_code";i:2;s:8:"password";i:3;s:13:"refresh_token";}',
+ 'wallabager'
+FROM
+ wallabag_user
+WHERE
+ username = 'jdormit';
+INSERT INTO
+ wallabag_oauth2_clients (
+ id,
+ user_id,
+ random_id,
+ secret,
+ redirect_uris,
+ allowed_grant_types,
+ name
+ )
+SELECT
+ 2,
+ id,
+ '${WALLABAG_ANDROID_APP_ID}',
+ '${WALLABAG_ANDROID_APP_SECRET:?}',
+ 'a:1:{i:0;N;}',
+ 'a:4:{i:0;s:5:"token";i:1;s:18:"authorization_code";i:2;s:8:"password";i:3;s:13:"refresh_token";}',
+ 'Android app'
+FROM
+ wallabag_user
+WHERE
+ username = 'jdormit';
+INSERT INTO
+ wallabag_oauth2_clients (
+ id,
+ user_id,
+ random_id,
+ secret,
+ redirect_uris,
+ allowed_grant_types,
+ name
+ )
+SELECT
+ 3,
+ id,
+ '${WALLABAG_IPAD_ID:?}',
+ '${WALLABAG_IPAD_SECRET:?}',
+ 'a:1:{i:0;N;}',
+ 'a:4:{i:0;s:5:"token";i:1;s:18:"authorization_code";i:2;s:8:"password";i:3;s:13:"refresh_token";}',
+ 'iPad'
+FROM
+ wallabag_user
+WHERE
+ username = 'jdormit';
+INSERT INTO
+ wallabag_oauth2_clients (
+ id,
+ user_id,
+ random_id,
+ secret,
+ redirect_uris,
+ allowed_grant_types,
+ name
+ )
+SELECT
+ 4,
+ id,
+ '${WALLABAG_WALLABAG_EL_ID:?}',
+ '${WALLABAG_WALLABAG_EL_SECRET:?}',
+ 'a:1:{i:0;N;}',
+ 'a:4:{i:0;s:5:"token";i:1;s:18:"authorization_code";i:2;s:8:"password";i:3;s:13:"refresh_token";}',
+ 'wallabag.el'
+FROM
+ wallabag_user
+WHERE
+ username = 'jdormit';
+COMMIT;
diff --git a/prod/wallabag/packer/templates/do.ini.template b/prod/wallabag/packer/templates/do.ini.template
new file mode 100644
index 0000000..7c6ec3f
--- /dev/null
+++ b/prod/wallabag/packer/templates/do.ini.template
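Review bot: `'${WALLABAG_ANDROID_APP_ID}',` in the second INSERT is the only substitution without the `:?` guard that the other seven carry, so an unset variable silently registers the `Android app` client with an empty `random_id` instead of failing the render; it should read `'${WALLABAG_ANDROID_APP_ID:?}',`. The values are spliced into SQL string literals verbatim, which is acceptable only because they come from the operator's own environment; a value containing `'` would break or alter the statement, so a header line such as `-- Values are substituted verbatim into SQL literals; secrets must not contain single quotes.` would save a future debugging session. The fixed ids `1`–`4` also assume `wallabag_oauth2_clients` is empty when this runs; if an earlier step had created a client, the primary-key collision would abort the transaction, so a comment stating that assumption would help too.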
@@ -0,0 +1 @@
+dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?}
\ No newline at end of file
diff --git a/prod/wallabag/packer/templates/wallabag-params.yml.template b/prod/wallabag/packer/templates/wallabag-params.yml.template
index 036b8a1..eaf6fd9 100644
--- a/prod/wallabag/packer/templates/wallabag-params.yml.template
+++ b/prod/wallabag/packer/templates/wallabag-params.yml.template
@@ -7,7 +7,7 @@ parameters:
 database_name: null
 database_user: null
 database_password: null
- database_path: /var/www/wallabag/wallabag.sqlite
+ database_path: /var/www/wallabag/data/db/wallabag.sqlite
 database_table_prefix: wallabag_
 database_socket: null
 database_charset: utf8mb4
diff --git a/prod/wallabag/packer/wallabag.json b/prod/wallabag/packer/wallabag.json
index 07f350d..e7fefb0 100644
--- a/prod/wallabag/packer/wallabag.json
+++ b/prod/wallabag/packer/wallabag.json
@@ -28,6 +28,11 @@
 "source": "files/entries.json",
 "destination": "/tmp/entries.json"
 },
+ {
+ "type": "file",
+ "source": "files/clients.sql",
+ "destination": "/tmp/clients.sql"
+ },
 {
 "type": "shell",
 "environment_vars": [
@@ -35,6 +40,16 @@
 ],
 "script": "scripts/wallabag.sh"
 },
+ {
+ "type": "file",
+ "source": "certbot/live/wallabag.jeremydormitzer.com/fullchain.pem",
+ "destination": "/tmp/fullchain.pem"
+ },
+ {
+ "type": "file",
+ "source": "certbot/live/wallabag.jeremydormitzer.com/privkey.pem",
+ "destination": "/tmp/privkey.pem"
+ },
 {
 "type": "file",
 "source": "files/wallabag-nginx.conf",
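Review bot: The new `file` provisioner with `"destination": "/tmp/privkey.pem"` drops the TLS private key into a world-readable directory with whatever mode the upload and the SSH user's umask produce, and nothing in this hunk restricts or removes it; a `shell` provisioner placed directly after the two uploads (or the first lines of `scripts/nginx.sh`) should `chmod 600 /tmp/privkey.pem` before anything else runs, and delete the `/tmp` copies once they are installed. More broadly, the `certbot/live/...` sources are a 90-day Let's Encrypt key and certificate baked into an immutable snapshot with no renewal path on the instance, so every image built from this configuration ships with an expiry clock already running; issuing the certificate at first boot or deploy time (the DNS plugin already used in the Makefile works on the droplet as well) would avoid embedding the key in the image at all. The `"type": "file"` entry for `files/clients.sql` in the earlier hunk has the same lifetime concern for the OAuth secrets it carries.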