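# Provisioning recipe (mitamae/itamae-style DSL): installs lego, obtains a
# certificate, builds mioproxy inside a golang container, and installs the
# systemd units for the proxy and a nightly renewal timer.
#
# Every input comes from the environment; a missing variable aborts the run
# up front (`|| raise`) instead of leaving a half-configured host.
BIN_ROOT = ENV['BIN_ROOT'] || raise
REPO_ROOT = ENV['REPO_ROOT'] || raise
LEGO_VERSION = ENV['LEGO_VERSION'] || raise
LEGO_ARCH = ENV['LEGO_ARCH'] || raise
LEGO_CONF_EMAIL = ENV['LEGO_CONF_EMAIL'] || raise
LEGO_CONF_WEBROOT = ENV['LEGO_CONF_WEBROOT'] || raise
LEGO_CONF_PATH = ENV['LEGO_CONF_PATH'] || raise
LEGO_CONF_DOMAINS = ENV['LEGO_CONF_DOMAINS'] || raise
GOLANG_VERSION = ENV['GOLANG_VERSION'] || raise
MIOPROXY_VERSION = ENV['MIOPROXY_VERSION'] || raise

# NOTE(review): the values above are interpolated unquoted into shell command
# lines and into systemd ExecStart= lines below. They are operator-supplied,
# not user input, and are assumed to contain no whitespace or shell
# metacharacters — confirm if this recipe is ever driven from another source.

lego_tarball = "lego_#{LEGO_VERSION}_linux_#{LEGO_ARCH}.tar.gz"
lego_tarball_url = "https://github.com/go-acme/lego/releases/download/#{LEGO_VERSION}/#{lego_tarball}"

# Comma-separated list; surrounding whitespace and empty entries (e.g. a
# trailing comma) are dropped so they never reach lego as bogus --domains.
lego_conf_domains = LEGO_CONF_DOMAINS.split(',').map(&:strip).reject(&:empty?)
# The first domain is the one whose .crt/.key the idempotency guard below
# looks for; an empty list is a configuration error.
lego_conf_primary_domain = lego_conf_domains.first || raise
lego_domain_args = lego_conf_domains.flat_map { ['--domains', _1] }

# Flags shared by the initial `run` and the periodic `renew`.
lego_common_args = [
  "#{BIN_ROOT}/lego",
  '--accept-tos',
  '--email', LEGO_CONF_EMAIL,
  '--http',
]

# Initial issuance. No --http.webroot here: mioproxy is not started until
# later in this recipe, so presumably lego serves the HTTP-01 challenge
# itself on a still-free port 80 — TODO confirm against mioproxy.prod.hcl.
lego_run_cmdline = [
  *lego_common_args,
  '--path', LEGO_CONF_PATH,
  *lego_domain_args,
  'run',
].join(' ')

# Renewal runs while mioproxy is serving, so the challenge is written to the
# webroot instead. This string ends up in a systemd ExecStart= line (not a
# shell), which is why the hook command carries literal single quotes.
lego_renew_cmdline = [
  *lego_common_args,
  '--http.webroot', LEGO_CONF_WEBROOT,
  '--path', LEGO_CONF_PATH,
  *lego_domain_args,
  'renew',
  '--renew-hook', "'systemctl restart mioproxy'",
].join(' ')

# Fetch the release tarball and unpack it into BIN_ROOT.
# NOTE(review): the download is neither checksum- nor signature-verified, and
# the resulting binary runs as root from lego-renew.service; pinning the
# release digest would close that gap.
http_request "#{BIN_ROOT}/lego.tar.gz" do
  url lego_tarball_url
end

execute "tar xf #{BIN_ROOT}/lego.tar.gz -C #{BIN_ROOT}"

# The tarball also ships docs we do not want left in BIN_ROOT.
%w[CHANGELOG.md LICENSE lego.tar.gz].each do |name|
  file "#{BIN_ROOT}/#{name}" do
    action :delete
  end
end

# Obtain the certificate once; skipped when both the cert and key for the
# primary domain already exist under LEGO_CONF_PATH.
execute lego_run_cmdline do
  not_if "test -f '#{LEGO_CONF_PATH}/certificates/#{lego_conf_primary_domain}.crt' -a -f '#{LEGO_CONF_PATH}/certificates/#{lego_conf_primary_domain}.key'"
end

# Build mioproxy at the pinned version in a throwaway golang container and
# copy the binary out via stdout. The output goes to a temporary file that is
# then moved into place: redirecting straight onto the installed binary fails
# with "Text file busy" while the service is running, and a failed build would
# leave a truncated binary behind (the shell truncates the target before the
# command runs). Inside the container the two steps are chained with && so a
# failed `go install` cannot be masked by a stale binary.
# NOTE(review): this rebuild runs on every converge and the running service is
# not restarted afterwards — TODO confirm whether a `notifies :restart` is wanted.
mioproxy_tmp = "#{BIN_ROOT}/mioproxy.tmp"
mioproxy_build_cmdline =
  "docker run --rm golang:#{GOLANG_VERSION} " \
  "sh -c 'go install github.com/nsfisis/mioproxy@#{MIOPROXY_VERSION} && cat \"$(go env GOPATH)/bin/mioproxy\"' " \
  "> #{mioproxy_tmp} && mv -f #{mioproxy_tmp} #{BIN_ROOT}/mioproxy"
execute mioproxy_build_cmdline

file "#{BIN_ROOT}/mioproxy" do
  mode '755'
end

# Unit files are rewritten on every converge. NOTE(review): nothing in this
# recipe runs `systemctl daemon-reload` or restarts the units when their
# content changes — TODO confirm that is handled elsewhere.
file '/etc/systemd/system/mioproxy.service' do
  content <<~EOS
    [Unit]
    Description=MioProxy
    [Service]
    ExecStart=#{BIN_ROOT}/mioproxy #{REPO_ROOT}/mioproxy.prod.hcl
    Restart=always
    User=root
    Group=root
    WorkingDirectory=#{REPO_ROOT}
    [Install]
    WantedBy=multi-user.target
  EOS
end

service 'mioproxy.service' do
  action [:enable, :start]
end

# Oneshot renewal job; it is triggered by the timer below, so it has no
# [Install] section of its own.
file '/etc/systemd/system/lego-renew.service' do
  content <<~EOS
    [Unit]
    Description=Lego Renew
    [Service]
    Type=oneshot
    ExecStart=#{lego_renew_cmdline}
    User=root
    Group=root
  EOS
end

# Daily at 01:23 with up to an hour of jitter; Persistent=true catches up a
# missed run after downtime.
file '/etc/systemd/system/lego-renew.timer' do
  content <<~EOS
    [Unit]
    Description=Lego Renew Timer
    [Timer]
    Persistent=true
    OnCalendar=*-*-* 1:23
    RandomizedDelaySec=1h
    [Install]
    WantedBy=timers.target
  EOS
end

service 'lego-renew.timer' do
  action [:enable, :start]
end

# Sudoers line granting user `ken` passwordless control of the mioproxy unit.
# It is kept here for reference only; nothing in this recipe applies it.
# ken ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl status mioproxy, /usr/bin/systemctl start mioproxy, /usr/bin/systemctl stop mioproxy, /usr/bin/systemctl restart mioproxy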