Diffstat (limited to 'provisioning')
-rw-r--r--provisioning/.gitignore1
-rw-r--r--provisioning/recipe.rb110
-rwxr-xr-xprovisioning/run.sh28
3 files changed, 139 insertions, 0 deletions
diff --git a/provisioning/.gitignore b/provisioning/.gitignore
new file mode 100644
index 00000000..69b81016
--- /dev/null
+++ b/provisioning/.gitignore
@@ -0,0 +1 @@
+/.bin
diff --git a/provisioning/recipe.rb b/provisioning/recipe.rb
new file mode 100644
index 00000000..99d935b0
--- /dev/null
+++ b/provisioning/recipe.rb
@@ -0,0 +1,110 @@
+BIN_ROOT = ENV['BIN_ROOT'] || raise
+REPO_ROOT = ENV['REPO_ROOT'] || raise
+LEGO_VERSION = ENV['LEGO_VERSION'] || raise
+LEGO_ARCH = ENV['LEGO_ARCH'] || raise
+LEGO_CONF_EMAIL = ENV['LEGO_CONF_EMAIL'] || raise
+LEGO_CONF_WEBROOT = ENV['LEGO_CONF_WEBROOT'] || raise
+LEGO_CONF_PATH = ENV['LEGO_CONF_PATH'] || raise
+LEGO_CONF_DOMAINS = ENV['LEGO_CONF_DOMAINS'] || raise
+GOLANG_VERSION = ENV['GOLANG_VERSION'] || raise
+MIOPROXY_VERSION = ENV['MIOPROXY_VERSION'] || raise
+
+lego_tarball = "lego_#{LEGO_VERSION}_linux_#{LEGO_ARCH}.tar.gz"
+lego_tarball_url = "https://github.com/go-acme/lego/releases/download/#{LEGO_VERSION}/#{lego_tarball}"
+lego_conf_domains = LEGO_CONF_DOMAINS.split(',')
+lego_conf_primary_domain = lego_conf_domains.first || raise
+lego_run_cmdline = [
+ "#{BIN_ROOT}/lego",
+ '--accept-tos',
+ '--email', LEGO_CONF_EMAIL,
+ '--http',
+ '--path', LEGO_CONF_PATH,
+ *lego_conf_domains.map { ['--domains', _1] },
+ 'run',
+].join(' ')
+lego_renew_cmdline = [
+ "#{BIN_ROOT}/lego",
+ '--accept-tos',
+ '--email', LEGO_CONF_EMAIL,
+ '--http',
+ '--http.webroot', LEGO_CONF_WEBROOT,
+ '--path', LEGO_CONF_PATH,
+ *lego_conf_domains.map { ['--domains', _1] },
+ 'renew',
+ '--renew-hook', "'systemctl restart mioproxy'",
+].join(' ')
+
+http_request "#{BIN_ROOT}/lego.tar.gz" do
+ url lego_tarball_url
+end
+
+execute "tar xf #{BIN_ROOT}/lego.tar.gz -C #{BIN_ROOT}"
+
+file "#{BIN_ROOT}/CHANGELOG.md" do action :delete end
+file "#{BIN_ROOT}/LICENSE" do action :delete end
+file "#{BIN_ROOT}/lego.tar.gz" do action :delete end
+
+execute lego_run_cmdline do
+ not_if "test -f '#{LEGO_CONF_PATH}/certificates/#{lego_conf_primary_domain}.crt' -a -f '#{LEGO_CONF_PATH}/certificates/#{lego_conf_primary_domain}.key'"
+end
+
+execute "docker run --rm golang:#{GOLANG_VERSION} sh -c 'go install github.com/nsfisis/mioproxy@#{MIOPROXY_VERSION}; cat \"$(go env GOPATH)/bin/mioproxy\"' > #{BIN_ROOT}/mioproxy"
+
+file "#{BIN_ROOT}/mioproxy" do
+ mode '755'
+end
+
+file '/etc/systemd/system/mioproxy.service' do
+ content <<~EOS
+ [Unit]
+ Description=MioProxy
+
+ [Service]
+ ExecStart=#{BIN_ROOT}/mioproxy #{REPO_ROOT}/mioproxy.prod.hcl
+ Restart=always
+ User=root
+ Group=root
+ WorkingDirectory=#{REPO_ROOT}
+
+ [Install]
+ WantedBy=multi-user.target
+ EOS
+end
+
+service 'mioproxy.service' do
+ action [:enable, :start]
+end
+
+file '/etc/systemd/system/lego-renew.service' do
+ content <<~EOS
+ [Unit]
+ Description=Lego Renew
+
+ [Service]
+ Type=oneshot
+ ExecStart=#{lego_renew_cmdline}
+ User=root
+ Group=root
+ EOS
+end
+
+file '/etc/systemd/system/lego-renew.timer' do
+ content <<~EOS
+ [Unit]
+ Description=Lego Renew Timer
+
+ [Timer]
+ Persistent=true
+ OnCalendar=*-*-* 1:23
+ RandomizedDelaySec=1h
+
+ [Install]
+ WantedBy=timers.target
+ EOS
+end
+
+service 'lego-renew.timer' do
+ action [:enable, :start]
+end
+
+# ken ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl status mioproxy, /usr/bin/systemctl start mioproxy, /usr/bin/systemctl stop mioproxy, /usr/bin/systemctl restart mioproxy
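Review bot: The lego tarball fetched by the `http_request` resource is unpacked into `BIN_ROOT` by the following `execute "tar xf …"` without any integrity check, so a substituted or tampered release asset would be installed and then invoked by the `lego-renew.service` unit as `User=root`. Pin the expected digest next to `LEGO_VERSION` and verify it between the download and the extraction, e.g. `execute "echo '<LEGO_SHA256 placeholder>  #{BIN_ROOT}/lego.tar.gz' | sha256sum -c -"`. The `mioproxy` binary is similarly written straight from the container's stdout into `BIN_ROOT`; the Go module checksum database covers the source for a tagged `@#{MIOPROXY_VERSION}`, but the `golang:#{GOLANG_VERSION}` image is pinned by tag only and could be pinned by digest as well. The sudoers line in the trailing comment is not applied by any resource in the recipe, so a short comment stating that it is a manual step and where it is meant to go (e.g. `# manual step, not applied here: sudoers entry letting user ken manage the mioproxy unit`) would keep it from reading as dead code.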
diff --git a/provisioning/run.sh b/provisioning/run.sh
new file mode 100755
index 00000000..1986a20d
--- /dev/null
+++ b/provisioning/run.sh
@@ -0,0 +1,28 @@
+set -eu
+
+this_dir="$(cd "$(dirname "$0")"; pwd)"
+export BIN_ROOT="${this_dir}/.bin"
+export REPO_ROOT="$(cd "${this_dir}/.."; pwd)"
+
+export MITAMAE_VERSION=v1.14.0
+export MITAMAE_ARCH=x86_64-linux
+export LEGO_VERSION=v4.14.2
+export LEGO_ARCH=amd64
+export LEGO_CONF_EMAIL=nsfisis@gmail.com
+export LEGO_CONF_WEBROOT="${REPO_ROOT}/letsencrypt/webroot"
+export LEGO_CONF_PATH="${REPO_ROOT}/letsencrypt/lego"
+export LEGO_CONF_DOMAINS=nsfisis.dev,blog.nsfisis.dev
+export GOLANG_VERSION=1.21.1
+export MIOPROXY_VERSION=v0.1.0
+
+mitamae_bin_url="https://github.com/itamae-kitchen/mitamae/releases/download/${MITAMAE_VERSION}/mitamae-${MITAMAE_ARCH}.tar.gz"
+
+rm -rf "${BIN_ROOT}"
+mkdir "${BIN_ROOT}"
+
+curl -L -o "${BIN_ROOT}/mitamae.tar.gz" "${mitamae_bin_url}"
+tar xf "${BIN_ROOT}/mitamae.tar.gz" -C "${BIN_ROOT}"
+mv "${BIN_ROOT}/mitamae-${MITAMAE_ARCH}" "${BIN_ROOT}/mitamae"
+rm -f '${BIN_ROOT}/mitamae.tar.gz'
+
+"${BIN_ROOT}/mitamae" local "${this_dir}/recipe.rb"