| author | nsfisis <nsfisis@gmail.com> | 2023-10-08 00:23:44 +0900 |
|---|---|---|
| committer | nsfisis <nsfisis@gmail.com> | 2023-10-08 00:35:45 +0900 |
| commit | 111c7319d54d32eb1360c731c443b1675edc3ded (patch) | |
| tree | fb00a815689aa5596204c003e52d1d0fe5cb029c /provisioning | |
| parent | 777d36505713749916dfbd4d0a5fd90302271328 (diff) | |
| download | nsfisis.dev-111c7319d54d32eb1360c731c443b1675edc3ded.tar.gz nsfisis.dev-111c7319d54d32eb1360c731c443b1675edc3ded.tar.zst nsfisis.dev-111c7319d54d32eb1360c731c443b1675edc3ded.zip | |
feat(proxy): mioproxy
Diffstat (limited to 'provisioning')
| -rw-r--r-- | provisioning/.gitignore | 1 | ||||
| -rw-r--r-- | provisioning/recipe.rb | 110 | ||||
| -rwxr-xr-x | provisioning/run.sh | 28 |
3 files changed, 139 insertions, 0 deletions
diff --git a/provisioning/.gitignore b/provisioning/.gitignore
new file mode 100644
index 00000000..69b81016
--- /dev/null
+++ b/provisioning/.gitignore
@@ -0,0 +1 @@
+/.bin
diff --git a/provisioning/recipe.rb b/provisioning/recipe.rb
new file mode 100644
index 00000000..99d935b0
--- /dev/null
+++ b/provisioning/recipe.rb
@@ -0,0 +1,110 @@
+BIN_ROOT = ENV['BIN_ROOT'] || raise
+REPO_ROOT = ENV['REPO_ROOT'] || raise
+LEGO_VERSION = ENV['LEGO_VERSION'] || raise
+LEGO_ARCH = ENV['LEGO_ARCH'] || raise
+LEGO_CONF_EMAIL = ENV['LEGO_CONF_EMAIL'] || raise
+LEGO_CONF_WEBROOT = ENV['LEGO_CONF_WEBROOT'] || raise
+LEGO_CONF_PATH = ENV['LEGO_CONF_PATH'] || raise
+LEGO_CONF_DOMAINS = ENV['LEGO_CONF_DOMAINS'] || raise
+GOLANG_VERSION = ENV['GOLANG_VERSION'] || raise
+MIOPROXY_VERSION = ENV['MIOPROXY_VERSION'] || raise
+
+lego_tarball = "lego_#{LEGO_VERSION}_linux_#{LEGO_ARCH}.tar.gz"
+lego_tarball_url = "https://github.com/go-acme/lego/releases/download/#{LEGO_VERSION}/#{lego_tarball}"
+lego_conf_domains = LEGO_CONF_DOMAINS.split(',')
+lego_conf_primary_domain = lego_conf_domains.first || raise
+lego_run_cmdline = [
+ "#{BIN_ROOT}/lego",
+ '--accept-tos',
+ '--email', LEGO_CONF_EMAIL,
+ '--http',
+ '--path', LEGO_CONF_PATH,
+ *lego_conf_domains.map { ['--domains', _1] },
+ 'run',
+].join(' ')
+lego_renew_cmdline = [
+ "#{BIN_ROOT}/lego",
+ '--accept-tos',
+ '--email', LEGO_CONF_EMAIL,
+ '--http',
+ '--http.webroot', LEGO_CONF_WEBROOT,
+ '--path', LEGO_CONF_PATH,
+ *lego_conf_domains.map { ['--domains', _1] },
+ 'renew',
+ '--renew-hook', "'systemctl restart mioproxy'",
+].join(' ')
+
+http_request "#{BIN_ROOT}/lego.tar.gz" do
+ url lego_tarball_url
+end
+
+execute "tar xf #{BIN_ROOT}/lego.tar.gz -C #{BIN_ROOT}"
+
+file "#{BIN_ROOT}/CHANGELOG.md" do action :delete end
+file "#{BIN_ROOT}/LICENSE" do action :delete end
+file "#{BIN_ROOT}/lego.tar.gz" do action :delete end
+
+execute lego_run_cmdline do
+ not_if "test -f '#{LEGO_CONF_PATH}/certificates/#{lego_conf_primary_domain}.crt' -a -f '#{LEGO_CONF_PATH}/certificates/#{lego_conf_primary_domain}.key'"
+end
+
+execute "docker run --rm golang:#{GOLANG_VERSION} sh -c 'go install github.com/nsfisis/mioproxy@#{MIOPROXY_VERSION}; cat \"$(go env GOPATH)/bin/mioproxy\"' > #{BIN_ROOT}/mioproxy"
+
+file "#{BIN_ROOT}/mioproxy" do
+ mode '755'
+end
+
+file '/etc/systemd/system/mioproxy.service' do
+ content <<~EOS
+ [Unit]
+ Description=MioProxy
+
+ [Service]
+ ExecStart=#{BIN_ROOT}/mioproxy #{REPO_ROOT}/mioproxy.prod.hcl
+ Restart=always
+ User=root
+ Group=root
+ WorkingDirectory=#{REPO_ROOT}
+
+ [Install]
+ WantedBy=multi-user.target
+ EOS
+end
+
+service 'mioproxy.service' do
+ action [:enable, :start]
+end
+
+file '/etc/systemd/system/lego-renew.service' do
+ content <<~EOS
+ [Unit]
+ Description=Lego Renew
+
+ [Service]
+ Type=oneshot
+ ExecStart=#{lego_renew_cmdline}
+ User=root
+ Group=root
+ EOS
+end
+
+file '/etc/systemd/system/lego-renew.timer' do
+ content <<~EOS
+ [Unit]
+ Description=Lego Renew Timer
+
+ [Timer]
+ Persistent=true
+ OnCalendar=*-*-* 1:23
+ RandomizedDelaySec=1h
+
+ [Install]
+ WantedBy=timers.target
+ EOS
+end
+
+service 'lego-renew.timer' do
+ action [:enable, :start]
+end
+
+# ken ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl status mioproxy, /usr/bin/systemctl start mioproxy, /usr/bin/systemctl stop mioproxy, /usr/bin/systemctl restart mioproxy
diff --git a/provisioning/run.sh b/provisioning/run.sh
new file mode 100755
index 00000000..1986a20d
--- /dev/null
+++ b/provisioning/run.sh
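Review bot: The lego tarball fetched by `http_request "#{BIN_ROOT}/lego.tar.gz"` is extracted and the resulting binary is then run as root with no integrity check, so a tampered or truncated download goes straight into `#{BIN_ROOT}/lego`; lego's GitHub releases publish a checksums file alongside the tarballs, so either fetch it too and gate the `tar xf` execute with something like `only_if "cd #{BIN_ROOT} && sha256sum -c --ignore-missing <CHECKSUMS_FILE>"`, or pin the expected digest in the recipe. The mioproxy build has the same gap plus a second one: `docker run ... > #{BIN_ROOT}/mioproxy` writes through a shell redirect, so a failing `go install` leaves an empty or partial file at the final path before mitamae reports the error — write to a temporary path and move it into place only on success. The `mioproxy.service` unit runs the proxy with `User=root`; if it only needs to bind privileged ports and read the certificates under LEGO_CONF_PATH, a dedicated service user with `AmbientCapabilities=CAP_NET_BIND_SERVICE` and read access to that directory means a bug in the proxy does not hand out root. The three unit-file `file` resources carry no `notifies`, so a later change to a unit's content is written to disk but the already-running service keeps its old definition until someone restarts it by hand.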
@@ -0,0 +1,28 @@
+set -eu
+
+this_dir="$(cd "$(dirname "$0")"; pwd)"
+export BIN_ROOT="${this_dir}/.bin"
+export REPO_ROOT="$(cd "${this_dir}/.."; pwd)"
+
+export MITAMAE_VERSION=v1.14.0
+export MITAMAE_ARCH=x86_64-linux
+export LEGO_VERSION=v4.14.2
+export LEGO_ARCH=amd64
+export LEGO_CONF_EMAIL=nsfisis@gmail.com
+export LEGO_CONF_WEBROOT="${REPO_ROOT}/letsencrypt/webroot"
+export LEGO_CONF_PATH="${REPO_ROOT}/letsencrypt/lego"
+export LEGO_CONF_DOMAINS=nsfisis.dev,blog.nsfisis.dev
+export GOLANG_VERSION=1.21.1
+export MIOPROXY_VERSION=v0.1.0
+
+mitamae_bin_url="https://github.com/itamae-kitchen/mitamae/releases/download/${MITAMAE_VERSION}/mitamae-${MITAMAE_ARCH}.tar.gz"
+
+rm -rf "${BIN_ROOT}"
+mkdir "${BIN_ROOT}"
+
+curl -L -o "${BIN_ROOT}/mitamae.tar.gz" "${mitamae_bin_url}"
+tar xf "${BIN_ROOT}/mitamae.tar.gz" -C "${BIN_ROOT}"
+mv "${BIN_ROOT}/mitamae-${MITAMAE_ARCH}" "${BIN_ROOT}/mitamae"
+rm -f '${BIN_ROOT}/mitamae.tar.gz'
+
+"${BIN_ROOT}/mitamae" local "${this_dir}/recipe.rb"
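Review bot: `rm -f '${BIN_ROOT}/mitamae.tar.gz'` uses single quotes, so the variable is never expanded and `rm -f` silently removes a literal path that does not exist, leaving the tarball next to the extracted binary; it should read `rm -f "${BIN_ROOT}/mitamae.tar.gz"` like the surrounding lines. The file is added with mode 100755 but its first line is `set -eu` rather than an interpreter line, so `./run.sh` depends on whatever fallback the invoking shell applies to a script without a shebang; add `#!/bin/sh` as line 1. `export REPO_ROOT="$(cd "${this_dir}/.."; pwd)"` masks the exit status of the command substitution under `set -e`, so a failed `cd` still produces a value — assign on one line and `export REPO_ROOT` on the next, which the `this_dir` line above already gets right by not exporting. The mitamae binary is downloaded with `curl -L` and then executed as the root-level provisioning entry point with no checksum or signature check, so pinning a digest for the `${MITAMAE_VERSION}`/`${MITAMAE_ARCH}` artifact and verifying it with `sha256sum -c` before `tar xf` would close that gap.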
