From d10fc77af832191a6df8d319fda87be729f83296 Mon Sep 17 00:00:00 2001 From: Jeremy Dormitzer Date: Tue, 5 Oct 2021 21:16:44 -0400 Subject: [PATCH] Put syncthing behind nginx --- mgmt/do-jeremydormitzer-com/terraform/data.tf | 15 -------- mgmt/do-jeremydormitzer-com/terraform/main.tf | 2 +- prod/nginx/packer/packer-manifest.json | 11 +++++- prod/nginx/packer/scripts/nginx.sh | 4 ++- prod/syncthing/packer/Makefile | 24 +------------ prod/syncthing/packer/do.ini.template | 1 - prod/syncthing/packer/packer-manifest.json | 11 +++++- prod/syncthing/packer/syncthing.conf | 26 -------------- prod/syncthing/packer/syncthing.json | 36 +++---------------- 9 files changed, 30 insertions(+), 100 deletions(-) delete mode 100644 prod/syncthing/packer/do.ini.template delete mode 100644 prod/syncthing/packer/syncthing.conf diff --git a/mgmt/do-jeremydormitzer-com/terraform/data.tf b/mgmt/do-jeremydormitzer-com/terraform/data.tf index 75c9c0f..e9f8da4 100644 --- a/mgmt/do-jeremydormitzer-com/terraform/data.tf +++ b/mgmt/do-jeremydormitzer-com/terraform/data.tf @@ -13,21 +13,6 @@ data "terraform_remote_state" "nginx" { } } -data "terraform_remote_state" "syncthing" { - backend = "s3" - - config = { - skip_credentials_validation = true - skip_metadata_api_check = true - access_key = var.spaces_access_id - secret_key = var.spaces_secret_key - region = "us-east-1" - endpoint = "nyc3.digitaloceanspaces.com" - bucket = "jdormit-tf-state" - key = "prod/syncthing.tfstate" - } -} - data "terraform_remote_state" "freshrss" { backend = "s3" diff --git a/mgmt/do-jeremydormitzer-com/terraform/main.tf b/mgmt/do-jeremydormitzer-com/terraform/main.tf index 94a610c..67f1e77 100644 --- a/mgmt/do-jeremydormitzer-com/terraform/main.tf +++ b/mgmt/do-jeremydormitzer-com/terraform/main.tf @@ -80,7 +80,7 @@ resource "digitalocean_record" "syncthing" { domain = digitalocean_domain.jeremydormitzer_com.name type = "A" name = "syncthing" - value = data.terraform_remote_state.syncthing.outputs.ip_address + value = data.terraform_remote_state.nginx.outputs.nginx_ip_address ttl = 3600 } diff --git a/prod/nginx/packer/packer-manifest.json b/prod/nginx/packer/packer-manifest.json index fef0647..964a8b7 100644 --- a/prod/nginx/packer/packer-manifest.json +++ b/prod/nginx/packer/packer-manifest.json @@ -71,7 +71,16 @@ "artifact_id": "nyc1:93061502", "packer_run_uuid": "d18c424a-c0cd-547f-52f8-0496f2ece79f", "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633480191, + "files": null, + "artifact_id": "nyc1:93071958", + "packer_run_uuid": "522a00fb-024d-6acf-20ef-062536f7440c", + "custom_data": null } ], - "last_run_uuid": "d18c424a-c0cd-547f-52f8-0496f2ece79f" + "last_run_uuid": "522a00fb-024d-6acf-20ef-062536f7440c" } \ No newline at end of file diff --git a/prod/nginx/packer/scripts/nginx.sh b/prod/nginx/packer/scripts/nginx.sh index 9d45c0e..6e3a829 100644 --- a/prod/nginx/packer/scripts/nginx.sh +++ b/prod/nginx/packer/scripts/nginx.sh @@ -9,7 +9,9 @@ sudo certbot certonly \ -m 'jeremy.dormitzer@gmail.com' \ --dns-digitalocean \ --dns-digitalocean-credentials ~/do.ini \ - -d '*.jeremydormitzer.com' + --dns-digitalocean-propagation-seconds 30 \ + -d '*.jeremydormitzer.com' \ + -d 'jeremydormitzer.com' sudo mv /tmp/nginx.conf /etc/nginx/nginx.conf sudo mkdir -p /var/log/nginx diff --git a/prod/syncthing/packer/Makefile b/prod/syncthing/packer/Makefile index 5b76152..774fa05 100644 --- a/prod/syncthing/packer/Makefile +++ b/prod/syncthing/packer/Makefile @@ -2,12 +2,9 @@ packer-manifest.json: syncthing-config.xml \ syncthing.json \ - syncthing.conf \ syncthing@.service \ syncthing-cert.pem \ - syncthing-key.pem \ - certbot/live/syncthing.jeremydormitzer.com/fullchain.pem \ - certbot/live/syncthing.jeremydormitzer.com/privkey.pem + syncthing-key.pem packer build syncthing.json syncthing-config.xml: syncthing-config.xml.template @@ -18,22 +15,3 @@ syncthing-cert.pem: syncthing-cert.pem.template syncthing-key.pem: syncthing-key.pem.template sigil -p -f syncthing-key.pem.template > syncthing-key.pem - -certbot/live/syncthing.jeremydormitzer.com/fullchain.pem certbot/live/syncthing.jeremydormitzer.com/privkey.pem &: do.ini - certbot certonly -n \ - --agree-tos \ - --email ${CERTBOT_EMAIL} \ - --dns-digitalocean \ - --dns-digitalocean-credentials do.ini \ - --config-dir ./certbot \ - --work-dir ./certbot \ - --logs-dir ./certbot \ - -d syncthing.jeremydormitzer.com - -do.ini: do.ini.template - sigil -p -f do.ini.template > do.ini - chmod 600 do.ini - -reissue-certs: - rm -rf certbot - make diff --git a/prod/syncthing/packer/do.ini.template b/prod/syncthing/packer/do.ini.template deleted file mode 100644 index 7c6ec3f..0000000 --- a/prod/syncthing/packer/do.ini.template +++ /dev/null @@ -1 +0,0 @@ -dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?} \ No newline at end of file diff --git a/prod/syncthing/packer/packer-manifest.json b/prod/syncthing/packer/packer-manifest.json index 604292e..a348905 100644 --- a/prod/syncthing/packer/packer-manifest.json +++ b/prod/syncthing/packer/packer-manifest.json @@ -71,7 +71,16 @@ "artifact_id": "nyc1:85651139", "packer_run_uuid": "c64817b6-eddc-fa4a-ed1a-9fcc47f7daae", "custom_data": null + }, + { + "name": "digitalocean", + "builder_type": "digitalocean", + "build_time": 1633471355, + "files": null, + "artifact_id": "nyc1:93062577", + "packer_run_uuid": "27dea89d-5116-3f5b-9739-98e7f191c14c", + "custom_data": null } ], - "last_run_uuid": "c64817b6-eddc-fa4a-ed1a-9fcc47f7daae" + "last_run_uuid": "27dea89d-5116-3f5b-9739-98e7f191c14c" } \ No newline at end of file diff --git a/prod/syncthing/packer/syncthing.conf b/prod/syncthing/packer/syncthing.conf deleted file mode 100644 index 969ff5d..0000000 --- a/prod/syncthing/packer/syncthing.conf +++ /dev/null @@ -1,26 +0,0 @@ -server { - - location / { - proxy_pass http://127.0.0.1:8384; - } - - listen [::]:443 ssl ipv6only=on; - listen 443 ssl; - - ssl_certificate /home/syncthing/.config/syncthing/https-cert.pem; - ssl_certificate_key /home/syncthing/.config/syncthing/https-key.pem; - - ssl_session_cache shared:le_nginx_SSL:1m; - ssl_session_timeout 1440m; - - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - - ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"; -} - -server { - listen 80; - listen [::]:80; - return 301 https://$host$request_uri; -} \ No newline at end of file diff --git a/prod/syncthing/packer/syncthing.json b/prod/syncthing/packer/syncthing.json index b1e32cb..471c35f 100644 --- a/prod/syncthing/packer/syncthing.json +++ b/prod/syncthing/packer/syncthing.json @@ -14,7 +14,7 @@ "type": "shell", "inline": [ "sudo apt-get update", - "sudo apt-get install -y bindfs", + "sudo apt-get install -y bindfs ca-certificates", "sudo useradd -m syncthing", "sudo mkdir -p /mnt/syncthing-volume", "sudo mkdir -p /mnt/syncthing", @@ -46,8 +46,10 @@ { "type": "shell", "inline": [ - "curl -s https://syncthing.net/release-key.txt | sudo apt-key add -", - "echo \"deb https://apt.syncthing.net/ syncthing stable\" | sudo tee /etc/apt/sources.list.d/syncthing.list", + "sudo update-ca-certificates", + "sudo curl -s -o /usr/share/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg", + "echo \"deb [signed-by=/usr/share/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable\" | sudo tee /etc/apt/sources.list.d/syncthing.list", + "printf \"Package: *\nPin: origin apt.syncthing.net\nPin-Priority: 990\n\" | sudo tee /etc/apt/preferences.d/syncthing", "sudo apt-get update", "sudo apt-get install -y syncthing", "sudo mkdir -p /home/syncthing/.config/syncthing", @@ -59,34 +61,6 @@ "sudo systemctl daemon-reload", "sudo systemctl enable syncthing@syncthing" ] - }, - { - "type": "file", - "source": "syncthing.conf", - "destination": "/tmp/syncthing.conf" - }, - { - "type": "file", - "source": "certbot/live/syncthing.jeremydormitzer.com/fullchain.pem", - "destination": "/tmp/https-cert.pem" - }, - { - "type": "file", - "source": "certbot/live/syncthing.jeremydormitzer.com/privkey.pem", - "destination": "/tmp/https-key.pem" - }, - { - "type": "shell", - "inline": [ - "sudo apt-get install -y nginx", - "sudo mv /tmp/syncthing.conf /etc/nginx/sites-available/syncthing.conf", - "sudo mv /tmp/https-cert.pem /home/syncthing/.config/syncthing/https-cert.pem", - "sudo mv /tmp/https-key.pem /home/syncthing/.config/syncthing/https-key.pem", - "sudo chown -R syncthing:syncthing /home/syncthing/.config/syncthing", - "sudo ln -s /etc/nginx/sites-available/syncthing.conf /etc/nginx/sites-enabled/", - "sudo unlink /etc/nginx/sites-enabled/default", - "sudo systemctl enable nginx" - ] } ], "post-processors": [