diff --git a/cookbooks/hosting/recipes/nginx.rb b/cookbooks/hosting/recipes/nginx.rb
new file mode 100644
index 0000000..41feab0
--- /dev/null
+++ b/cookbooks/hosting/recipes/nginx.rb
@@ -0,0 +1,62 @@
+# apt_repository 'open resty repo' do
+# uri 'http://openresty.org/package/ubuntu'
+# key 'https://openresty.org/package/pubkey.gpg'
+# components ['main']
+# end
+
+apt_package 'software-properties-common'
+
+execute 'add key' do
+ command 'wget -qO - https://openresty.org/package/pubkey.gpg | sudo apt-key add -'
+end
+
+execute 'add repo' do
+ command 'add-apt-repository -y "deb http://openresty.org/package/ubuntu $(lsb_release -sc) main"; apt update'
+end
+
+apt_package 'openresty'
+
+apt_package 'luarocks'
+
+execute 'install lua-resty-auto-ssl' do
+ command 'luarocks install lua-resty-auto-ssl'
+end
+
+directory '/etc/ssl' do
+ mode '0755'
+ action :create
+end
+
+execute 'defualt ssl' do
+ command "openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj '/CN=sni-support-required-for-valid-ssl' -keyout /etc/ssl/resty-auto-ssl-fallback.key -out /etc/ssl/resty-auto-ssl-fallback.crt"
+end
+
+execute 'defualt ssl' do
+ command "openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -subj '/CN=sni-support-required-for-valid-ssl' -keyout /etc/ssl/resty-auto-ssl-fallback.key -out /etc/ssl/resty-auto-ssl-fallback.crt"
+end
+
+template '/etc/openresty/nginx.conf' do
+ source 'nginx.conf.erb'
+end
+
+template '/etc/openresty/autossl.conf' do
+ source 'autossl.conf.erb'
+end
+
+directory '/etc/openresty/sites-enabled' do
+ mode '0755'
+ action :create
+end
+
+directory '/var/log/nginx/' do
+ mode '0775'
+ action :create
+end
+
+template '/etc/openresty/sites-enabled/host.conf' do
+ source 'host.conf.erb'
+end
+
+systemd_unit 'openresty' do
+ action :reload
+end
\ No newline at end of file
diff --git a/cookbooks/hosting/templates/autossl.conf.erb b/cookbooks/hosting/templates/autossl.conf.erb
new file mode 100644
index 0000000..ca48e88
--- /dev/null
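Review bot: The two identical `execute 'defualt ssl'` resources regenerate the fallback key and certificate on every converge, because neither carries a guard; keep one of them and add `creates '/etc/ssl/resty-auto-ssl-fallback.key'` so the self-signed pair is generated once (the resource name should also read 'default ssl'). The same unguarded pattern applies to `execute 'add key'`, `execute 'add repo'` (which re-runs `apt update` each time) and `execute 'install lua-resty-auto-ssl'`; `not_if` or `creates` guards would make the recipe idempotent. Piping the key into `apt-key add -` trusts it for every configured repository rather than only the OpenResty one, and the commented-out `apt_repository` resource at the top is the Chef-native way to express the same step. The `template` resources do not `notifies :reload` the service, so the unconditional `systemd_unit 'openresty'` reload at the end runs whether or not any file changed.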
+++ b/cookbooks/hosting/templates/autossl.conf.erb
@@ -0,0 +1,16 @@
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+
+ ssl_certificate_by_lua_block {
+ auto_ssl:ssl_certificate()
+ }
+
+ location /.well-known/acme-challenge/ {
+ content_by_lua_block {
+ auto_ssl:challenge_server()
+ }
+ }
+
+ ssl_certificate /etc/ssl/resty-auto-ssl-fallback.crt;
+ ssl_certificate_key /etc/ssl/resty-auto-ssl-fallback.key;
\ No newline at end of file
diff --git a/cookbooks/hosting/templates/host.conf.erb b/cookbooks/hosting/templates/host.conf.erb
new file mode 100644
index 0000000..0cc05b4
--- /dev/null
+++ b/cookbooks/hosting/templates/host.conf.erb
@@ -0,0 +1,24 @@
+server {
+ listen 80;
+ listen 443 ssl;
+ server_name localhost.vm42.us;
+
+ include autossl.conf;
+
+ proxy_set_header X-Forwarded-For $remote_addr;
+
+ location / {
+ proxy_pass http://localhost:3000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Host $server_name;
+ proxy_read_timeout 1200s;
+
+ # used for view/edit office file via Office Online Server
+ client_max_body_size 0;
+
+ access_log /var/log/nginx/gitea.access.log;
+ error_log /var/log/nginx/gitea.error.log;
+ }
+}
diff --git a/cookbooks/hosting/templates/nginx.conf.erb b/cookbooks/hosting/templates/nginx.conf.erb
new file mode 100644
index 0000000..78462bf
--- /dev/null
+++ b/cookbooks/hosting/templates/nginx.conf.erb
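Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` on the first line of autossl.conf.erb keeps TLS 1.0 and 1.1 enabled, and the `ssl_ciphers` string still lists `EECDH+3DES:RSA+3DES`, so the public 443 listener that includes this file can negotiate deprecated protocol versions and 64-bit block ciphers. Unless a known legacy client needs them, `ssl_protocols TLSv1.2;` and dropping the two `3DES` entries from the cipher string are the lines to change. A one-line comment above the final `ssl_certificate` pair explaining that it is the self-signed fallback served before auto-ssl has obtained a real certificate (the CN `sni-support-required-for-valid-ssl` in the recipe suggests this is its purpose) would save the next maintainer a lookup.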
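Review bot: `client_max_body_size 0;` inside `location /` removes the request body limit while `proxy_read_timeout 1200s` holds each connection for up to twenty minutes, so the upstream on port 3000 can be tied up by a few large, slow uploads; the comment above it refers to an Office Online Server, which does not match the `gitea.*` log names in this block, so the setting looks inherited rather than chosen. A bounded value sized for the real upload need, with a comment naming that need, would be safer (the exact size is a deployment decision). `server_name localhost.vm42.us;` is hard-coded in an `.erb` template that uses no variables; a template variable such as `<%= @server_name %>` would let the cookbook provision more than one host. The server-level `proxy_set_header X-Forwarded-For $remote_addr;` is shadowed by the one inside `location /`, since nginx does not merge proxy_set_header across levels once the inner level defines any.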
@@ -0,0 +1,75 @@
+#user nobody;
+worker_processes 4;
+
+#error_log logs/error.log;
+#error_log logs/error.log notice;
+#error_log logs/error.log info;
+
+#pid logs/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ client_max_body_size 4g;
+
+
+ lua_shared_dict auto_ssl 100m;
+ lua_shared_dict auto_ssl_settings 64k;
+
+ resolver 8.8.4.4 8.8.8.8;
+
+ init_by_lua_block {
+ auto_ssl = (require "resty.auto-ssl").new()
+ auto_ssl:set("storage_adapter", "resty.auto-ssl.storage_adapters.redis")
+ auto_ssl:set("allow_domain", function(domain)
+ return true
+ end)
+ auto_ssl:init()
+ }
+
+ init_worker_by_lua_block {
+ auto_ssl:init_worker()
+ }
+
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ server {
+ listen 127.0.0.1:8999;
+
+ # Increase the body buffer size, to ensure the internal POSTs can always
+ # parse the full POST contents into memory.
+ client_body_buffer_size 128k;
+ client_max_body_size 128k;
+
+ location / {
+ content_by_lua_block {
+ auto_ssl:hook_server()
+ }
+ }
+ }
+
+ include mime.types;
+ default_type application/octet-stream;
+
+ #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ # '$status $body_bytes_sent "$http_referer" '
+ # '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ #keepalive_timeout 0;
+ keepalive_timeout 65;
+
+ #gzip on;
+ include sites-enabled/*;
+
+}
\ No newline at end of file
diff --git a/init.sh b/init.sh
new file mode 100644
index 0000000..ff99252
--- /dev/null
+++ b/init.sh
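Review bot: The `allow_domain` callback in `init_by_lua_block` returns `true` for every name, so any client presenting an arbitrary SNI hostname to the 443 listener makes auto-ssl attempt ACME issuance for it, which lets an unauthenticated peer drive up failed-validation counts against the Let's Encrypt rate limits. Restrict it to the names this host actually serves, e.g. `return domain == "localhost.vm42.us"` (the name used in host.conf.erb) or a lookup in a table of configured hosts. The redis storage adapter is selected without any connection options, so it presumably falls back to the adapter's default local instance; a comment stating that assumption, and what auto-ssl does when redis is unreachable, would help. `resolver 8.8.4.4 8.8.8.8;` sends all of OpenResty's DNS lookups, including those the ACME client makes, to a public resolver over plain UDP; if the host has a local resolver, pointing here at it keeps those lookups on the trusted path.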
@@ -0,0 +1,6 @@ +wget https://packages.chef.io/files/stable/chefdk/3.9.0/ubuntu/16.04/chefdk_3.9.0-1_amd64.deb -O chefdk.deb +dpkg -i chefdk.deb +mkdir /opt/theta42 -p +rm -rf /opt/theta42/provision-node +git clone https://git.theta42.com/git-hosting/provision-node.git /opt/theta42/provision-node +chef-solo -c /opt/theta42/provision-node/cookbooks/solo.rb -j /opt/theta42/provision-node/cookbooks/hosting.json diff --git a/roles/gitea.rb b/roles/gitea.rb index 6770f01..965779d 100644 --- a/roles/gitea.rb +++ b/roles/gitea.rb @@ -6,5 +6,7 @@ run_list( "recipe[hosting::mkdir]", "recipe[hosting::postgress]", "recipe[hosting::gitea]", + "recipe[hosting::nginx]", + ) \ No newline at end of file
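Review bot: init.sh has no shebang and no `set -euo pipefail`, so if the `wget` of the chefdk .deb fails, `dpkg -i chefdk.deb` still runs on a missing or partial file and `rm -rf /opt/theta42/provision-node` still deletes the existing checkout before `git clone` has succeeded. Adding `#!/usr/bin/env bash` and `set -euo pipefail` as the first two lines makes each step abort the script on failure. The downloaded package is also installed without any integrity check; recording the vendor-published SHA-256 of the .deb in the script and verifying it with `sha256sum -c` before `dpkg -i` would catch a tampered or truncated download.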