igorwwwwwwwwwwwwwwwwwwww · April 17, 2016 21:34
diff --git a/enable-encryption.sh b/enable-encryption.sh
 #!/bin/bash
 set -e

 acmetool want $(cat /etc/acme-hostname)
 nginx -s reload
diff --git a/enable-self-signed-certs.sh b/enable-self-signed-certs.sh
 #!/bin/bash

 mkdir -p /var/lib/acme/live

 for DOMAIN in "$@"; do
    if [ ! -d /var/lib/acme/live/$DOMAIN ]; then
        mkdir /var/lib/acme/live/$DOMAIN
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -keyout /var/lib/acme/live/$DOMAIN/privkey \
            -out /var/lib/acme/live/$DOMAIN/cert \
            -subj "/C=US/ST=/L=/O=/OU=/CN=$DOMAIN"
        cp /var/lib/acme/live/$DOMAIN/cert /var/lib/acme/live/$DOMAIN/fullchain
    fi
 done
diff --git a/node-acme.tf b/node-acme.tf
 variable "acme-hostname" {
    type = "string"
    default = "some-random.website"
 }

 variable "acme-ip" {
    type = "string"
    default = "123.456.7.8"
 }

 resource "template_file" "acme-vhost" {
    template = "${file("data/acme/vhost.conf")}"
    vars {
        hostname = "${var.acme-hostname}"
        ip = "${var.acme-ip}"
    }
 }

 resource "digitalocean_droplet" "acme" {
    image = "ubuntu-15-10-x64"
    name = "acme"
    region = "nyc2"
    size = "512mb"
    ipv6 = true
    private_networking = true
    ssh_keys = ["${digitalocean_ssh_key.default.id}"]
    user_data = <<EOF
 #cloud-config
 hostname: acme
 manage_etc_hosts: true
 runcmd:
 - add-apt-repository ppa:hlandau/rhea
 - add-apt-repository ppa:nginx/development
 - apt-get update
 # - apt-get upgrade -y
 - apt-get install -y acmetool
 - apt-get install -y nginx
 - rm /etc/nginx/sites-enabled/default

 - echo ${var.acme-hostname} > /etc/acme-hostname
 - mkdir -p /var/lib/acme/conf
 - echo ${base64encode(file("data/acme/response-file.yaml"))} | base64 -d > /var/lib/acme/conf/responses
 - echo ${base64encode(file("data/acme/nginx.conf"))} | base64 -d > /etc/nginx/nginx.conf
 - echo ${base64encode(template_file.acme-vhost.rendered)} | base64 -d > /etc/nginx/sites-available/acme
 - ln -s /etc/nginx/sites-available/acme /etc/nginx/sites-enabled/acme
 - echo ${base64encode(file("data/acme/generate-self-signed-certs"))} | base64 -d > /usr/local/bin/generate-self-signed-certs
 - chmod 0755 /usr/local/bin/generate-self-signed-certs
 - echo ${base64encode(file("data/acme/enable-encryption"))} | base64 -d > /usr/local/bin/enable-encryption
 - chmod 0755 /usr/local/bin/enable-encryption

 - generate-self-signed-certs ${var.acme-hostname}
 - service nginx restart
 - rm -r /var/lib/acme/live/${var.acme-hostname}
 EOF
 }

 resource "digitalocean_domain" "acme-website" {
    name = "acme.website"
    ip_address = "${digitalocean_droplet.acme.ipv4_address}"
 }
diff --git a/response-file.yaml b/response-file.yaml
 "acme-enter-email": "[email protected]"
 "acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf": true
 "acmetool-quickstart-choose-server": https://acme-staging.api.letsencrypt.org/directory
 "acmetool-quickstart-choose-method": proxy
 "acmetool-quickstart-complete": true
 "acmetool-quickstart-install-cronjob": true
 "acmetool-quickstart-install-haproxy-script": true
 "acmetool-quickstart-install-redirector-systemd": true
 "acmetool-quickstart-key-type": ecdsa
 "acmetool-quickstart-rsa-key-size": 4096
 "acmetool-quickstart-ecdsa-curve": nistp256
diff --git a/vhost.conf b/vhost.conf
 upstream original-website {
    server ${ip};

    keepalive 32;
 }

 upstream acmetool {
    server localhost:402;
 }

 server {
    listen 80;
    listen [::]:80;

    location /.well-known/acme-challenge/ {
        proxy_pass http://acmetool;
        proxy_set_header Host $host;
    }

    location / {
        proxy_pass http://original-website;
        proxy_set_header Host $host;
        proxy_set_header Connection "";
    }
 }

 server {
    listen 80;
    listen [::]:80;
    server_name ${hostname};

    location /.well-known/acme-challenge/ {
        proxy_pass http://acmetool;
        proxy_set_header Host $host;
    }

    location / {
        rewrite ^(.*) https://${hostname}$1 permanent;
    }
 }

 server {
    listen   443 ssl http2;
    listen   [::]:443 ssl http2;
    server_name ${hostname};

    ssl  on;
    ssl_certificate     /var/lib/acme/live/${hostname}/fullchain;
    ssl_certificate_key /var/lib/acme/live/${hostname}/privkey;

    location / {
        proxy_pass http://original-website;
        proxy_set_header Host $host;
        proxy_set_header Connection "";
    }
 }
	#!/bin/bash
	set -e

	acmetool want $(cat /etc/acme-hostname)
	nginx -s reload
	#!/bin/bash

	mkdir -p /var/lib/acme/live

	for DOMAIN in "$@"; do
	if [ ! -d /var/lib/acme/live/$DOMAIN ]; then
	mkdir /var/lib/acme/live/$DOMAIN
	openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
	-keyout /var/lib/acme/live/$DOMAIN/privkey \
	-out /var/lib/acme/live/$DOMAIN/cert \
	-subj "/C=US/ST=/L=/O=/OU=/CN=$DOMAIN"
	cp /var/lib/acme/live/$DOMAIN/cert /var/lib/acme/live/$DOMAIN/fullchain
	fi
	done
	variable "acme-hostname" {
	type = "string"
	default = "some-random.website"
	}

	variable "acme-ip" {
	type = "string"
	default = "123.456.7.8"
	}

	resource "template_file" "acme-vhost" {
	template = "${file("data/acme/vhost.conf")}"
	vars {
	hostname = "${var.acme-hostname}"
	ip = "${var.acme-ip}"
	}
	}

	resource "digitalocean_droplet" "acme" {
	image = "ubuntu-15-10-x64"
	name = "acme"
	region = "nyc2"
	size = "512mb"
	ipv6 = true
	private_networking = true
	ssh_keys = ["${digitalocean_ssh_key.default.id}"]
	user_data = <<EOF
	#cloud-config
	hostname: acme
	manage_etc_hosts: true
	runcmd:
	- add-apt-repository ppa:hlandau/rhea
	- add-apt-repository ppa:nginx/development
	- apt-get update
	# - apt-get upgrade -y
	- apt-get install -y acmetool
	- apt-get install -y nginx
	- rm /etc/nginx/sites-enabled/default

	- echo ${var.acme-hostname} > /etc/acme-hostname
	- mkdir -p /var/lib/acme/conf
	- echo ${base64encode(file("data/acme/response-file.yaml"))} \| base64 -d > /var/lib/acme/conf/responses
	- echo ${base64encode(file("data/acme/nginx.conf"))} \| base64 -d > /etc/nginx/nginx.conf
	- echo ${base64encode(template_file.acme-vhost.rendered)} \| base64 -d > /etc/nginx/sites-available/acme
	- ln -s /etc/nginx/sites-available/acme /etc/nginx/sites-enabled/acme
	- echo ${base64encode(file("data/acme/generate-self-signed-certs"))} \| base64 -d > /usr/local/bin/generate-self-signed-certs
	- chmod 0755 /usr/local/bin/generate-self-signed-certs
	- echo ${base64encode(file("data/acme/enable-encryption"))} \| base64 -d > /usr/local/bin/enable-encryption
	- chmod 0755 /usr/local/bin/enable-encryption

	- generate-self-signed-certs ${var.acme-hostname}
	- service nginx restart
	- rm -r /var/lib/acme/live/${var.acme-hostname}
	EOF
	}

	resource "digitalocean_domain" "acme-website" {
	name = "acme.website"
	ip_address = "${digitalocean_droplet.acme.ipv4_address}"
	}
	"acme-enter-email": "[email protected]"
	"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf": true
	"acmetool-quickstart-choose-server": https://acme-staging.api.letsencrypt.org/directory
	"acmetool-quickstart-choose-method": proxy
	"acmetool-quickstart-complete": true
	"acmetool-quickstart-install-cronjob": true
	"acmetool-quickstart-install-haproxy-script": true
	"acmetool-quickstart-install-redirector-systemd": true
	"acmetool-quickstart-key-type": ecdsa
	"acmetool-quickstart-rsa-key-size": 4096
	"acmetool-quickstart-ecdsa-curve": nistp256
	upstream original-website {
	server ${ip};

	keepalive 32;
	}

	upstream acmetool {
	server localhost:402;
	}

	server {
	listen 80;
	listen [::]:80;

	location /.well-known/acme-challenge/ {
	proxy_pass http://acmetool;
	proxy_set_header Host $host;
	}

	location / {
	proxy_pass http://original-website;
	proxy_set_header Host $host;
	proxy_set_header Connection "";
	}
	}

	server {
	listen 80;
	listen [::]:80;
	server_name ${hostname};

	location /.well-known/acme-challenge/ {
	proxy_pass http://acmetool;
	proxy_set_header Host $host;
	}

	location / {
	rewrite ^(.*) https://${hostname}$1 permanent;
	}
	}

	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name ${hostname};

	ssl on;
	ssl_certificate /var/lib/acme/live/${hostname}/fullchain;
	ssl_certificate_key /var/lib/acme/live/${hostname}/privkey;

	location / {
	proxy_pass http://original-website;
	proxy_set_header Host $host;
	proxy_set_header Connection "";
	}
	}