| author | nsfisis <nsfisis@gmail.com> | 2023-10-08 00:23:44 +0900 |
|---|---|---|
| committer | nsfisis <nsfisis@gmail.com> | 2023-10-08 00:35:45 +0900 |
| commit | 111c7319d54d32eb1360c731c443b1675edc3ded (patch) | |
| tree | fb00a815689aa5596204c003e52d1d0fe5cb029c /provisioning/recipe.rb | |
| parent | 777d36505713749916dfbd4d0a5fd90302271328 (diff) | |
| download | nsfisis.dev-111c7319d54d32eb1360c731c443b1675edc3ded.tar.gz nsfisis.dev-111c7319d54d32eb1360c731c443b1675edc3ded.tar.zst nsfisis.dev-111c7319d54d32eb1360c731c443b1675edc3ded.zip | |
feat(proxy): mioproxy
Diffstat (limited to 'provisioning/recipe.rb')
| -rw-r--r-- | provisioning/recipe.rb | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/provisioning/recipe.rb b/provisioning/recipe.rb
new file mode 100644
index 00000000..99d935b0
--- /dev/null
+++ b/provisioning/recipe.rb
@@ -0,0 +1,110 @@
+BIN_ROOT = ENV['BIN_ROOT'] || raise
+REPO_ROOT = ENV['REPO_ROOT'] || raise
+LEGO_VERSION = ENV['LEGO_VERSION'] || raise
+LEGO_ARCH = ENV['LEGO_ARCH'] || raise
+LEGO_CONF_EMAIL = ENV['LEGO_CONF_EMAIL'] || raise
+LEGO_CONF_WEBROOT = ENV['LEGO_CONF_WEBROOT'] || raise
+LEGO_CONF_PATH = ENV['LEGO_CONF_PATH'] || raise
+LEGO_CONF_DOMAINS = ENV['LEGO_CONF_DOMAINS'] || raise
+GOLANG_VERSION = ENV['GOLANG_VERSION'] || raise
+MIOPROXY_VERSION = ENV['MIOPROXY_VERSION'] || raise
+
+lego_tarball = "lego_#{LEGO_VERSION}_linux_#{LEGO_ARCH}.tar.gz"
+lego_tarball_url = "https://github.com/go-acme/lego/releases/download/#{LEGO_VERSION}/#{lego_tarball}"
+lego_conf_domains = LEGO_CONF_DOMAINS.split(',')
+lego_conf_primary_domain = lego_conf_domains.first || raise
+lego_run_cmdline = [
+ "#{BIN_ROOT}/lego",
+ '--accept-tos',
+ '--email', LEGO_CONF_EMAIL,
+ '--http',
+ '--path', LEGO_CONF_PATH,
+ *lego_conf_domains.map { ['--domains', _1] },
+ 'run',
+].join(' ')
+lego_renew_cmdline = [
+ "#{BIN_ROOT}/lego",
+ '--accept-tos',
+ '--email', LEGO_CONF_EMAIL,
+ '--http',
+ '--http.webroot', LEGO_CONF_WEBROOT,
+ '--path', LEGO_CONF_PATH,
+ *lego_conf_domains.map { ['--domains', _1] },
+ 'renew',
+ '--renew-hook', "'systemctl restart mioproxy'",
+].join(' ')
+
+http_request "#{BIN_ROOT}/lego.tar.gz" do
+ url lego_tarball_url
+end
+
+execute "tar xf #{BIN_ROOT}/lego.tar.gz -C #{BIN_ROOT}"
+
+file "#{BIN_ROOT}/CHANGELOG.md" do action :delete end
+file "#{BIN_ROOT}/LICENSE" do action :delete end
+file "#{BIN_ROOT}/lego.tar.gz" do action :delete end
+
+execute lego_run_cmdline do
+ not_if "test -f '#{LEGO_CONF_PATH}/certificates/#{lego_conf_primary_domain}.crt' -a -f '#{LEGO_CONF_PATH}/certificates/#{lego_conf_primary_domain}.key'"
+end
+
+execute "docker run --rm golang:#{GOLANG_VERSION} sh -c 'go install github.com/nsfisis/mioproxy@#{MIOPROXY_VERSION}; cat \"$(go env GOPATH)/bin/mioproxy\"' > #{BIN_ROOT}/mioproxy"
+
+file "#{BIN_ROOT}/mioproxy" do
+ mode '755'
+end
+
+file '/etc/systemd/system/mioproxy.service' do
+ content <<~EOS
+ [Unit]
+ Description=MioProxy
+
+ [Service]
+ ExecStart=#{BIN_ROOT}/mioproxy #{REPO_ROOT}/mioproxy.prod.hcl
+ Restart=always
+ User=root
+ Group=root
+ WorkingDirectory=#{REPO_ROOT}
+
+ [Install]
+ WantedBy=multi-user.target
+ EOS
+end
+
+service 'mioproxy.service' do
+ action [:enable, :start]
+end
+
+file '/etc/systemd/system/lego-renew.service' do
+ content <<~EOS
+ [Unit]
+ Description=Lego Renew
+
+ [Service]
+ Type=oneshot
+ ExecStart=#{lego_renew_cmdline}
+ User=root
+ Group=root
+ EOS
+end
+
+file '/etc/systemd/system/lego-renew.timer' do
+ content <<~EOS
+ [Unit]
+ Description=Lego Renew Timer
+
+ [Timer]
+ Persistent=true
+ OnCalendar=*-*-* 1:23
+ RandomizedDelaySec=1h
+
+ [Install]
+ WantedBy=timers.target
+ EOS
+end
+
+service 'lego-renew.timer' do
+ action [:enable, :start]
+end
+
+# ken ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl status mioproxy, /usr/bin/systemctl start mioproxy, /usr/bin/systemctl stop mioproxy, /usr/bin/systemctl restart mioproxy
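Review bot: The `execute "docker run ... > #{BIN_ROOT}/mioproxy"` line truncates the target before the build runs and chains `go install` and `cat` with `;`, so a failed module fetch, build or image pull leaves an empty or partial `mioproxy` that the following `file ... mode '755'` marks executable and `service 'mioproxy.service'` then tries to start; the resource also has no `not_if`, so the container build reruns on every provisioning pass. Writing to a temporary path and moving it into place only on success avoids the truncation: `execute "docker run --rm golang:#{GOLANG_VERSION} sh -c 'go install github.com/nsfisis/mioproxy@#{MIOPROXY_VERSION} && cat \"$(go env GOPATH)/bin/mioproxy\"' > #{BIN_ROOT}/mioproxy.tmp && mv #{BIN_ROOT}/mioproxy.tmp #{BIN_ROOT}/mioproxy"`. Related, the lego tarball fetched by `http_request` is extracted with `tar xf` and executed without any checksum comparison against a pinned digest, so a tampered or truncated download would be installed silently. The proxy unit also runs with `User=root`/`Group=root`; a dedicated service account with only the capability to bind privileged ports would limit what a flaw in the proxy can reach, though the certificate directory under `LEGO_CONF_PATH` would then need matching ownership for the `--renew-hook` restart to keep working.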
