@@ -0,0 +1,2 @@ | |||
conf | |||
core/certbot |
@@ -0,0 +1,80 @@ | |||
## mort.coffee | |||
server { | |||
listen_ssl(mort.coffee, mort.coffee) | |||
serve(mort.coffee, www) | |||
} | |||
server { https_redirect(mort.coffee) } | |||
server { listen(www.mort.coffee) redirect(https://mort.coffee) } | |||
server { listen_ssl(mort.coffee, www.mort.coffee) redirect(https://mort.coffee) } | |||
## s.mort.coffee | |||
server { | |||
listen_ssl(mort.coffee, s.mort.coffee) | |||
serve(mort.coffee, s) | |||
} | |||
server { https_redirect(s.mort.coffee) } | |||
## bendik.mort.coffee | |||
server { | |||
listen_ssl(mort.coffee, bendik.mort.coffee) | |||
autoindex on; | |||
root /home/bendik/www; | |||
} | |||
server { https_redirect(bendik.mort.coffee) } | |||
## pass.mort.coffee | |||
server { | |||
listen_ssl(mort.coffee, pass.mort.coffee) | |||
proxy(http://localhost:8080) | |||
} | |||
server { https_redirect(pass.mort.coffee) } | |||
## git.mort.coffee | |||
server { | |||
listen_ssl(mort.coffee, git.mort.coffee) | |||
proxy(http://localhost:8082) | |||
} | |||
server { https_redirect(git.mort.coffee) } | |||
## irc.mort.coffee | |||
server { | |||
listen_ssl(mort.coffee, irc.mort.coffee) | |||
proxy(http://localhost:8087) | |||
wsproxy(http://localhost:8087, socket.io/) | |||
} | |||
server { https_redirect(irc.mort.coffee) } | |||
## tpb.mort.coffee | |||
server { | |||
listen_ssl(mort.coffee, tpb.mort.coffee) | |||
proxy(http://localhost:8086) | |||
} | |||
server { https_redirect(tpb.mort.coffee) } | |||
## shoplist.mort.coffee | |||
server { | |||
listen_ssl(mort.coffee, shoplist.mort.coffee) | |||
proxy(http://localhost:8090) | |||
} | |||
server { https_redirect(shoplist.mort.coffee) } | |||
## sonen.mort.coffee | |||
server { | |||
listen_ssl(mort.coffee, sonen.mort.coffee) | |||
proxy(http://localhost:8089) | |||
} | |||
server { https_redirect(sonen.mort.coffee) } | |||
## beer.mort.coffee | |||
server { | |||
listen_ssl(mort.coffee, beer.mort.coffee) | |||
proxy(http://localhost:8091) | |||
} | |||
server { https_redirect(beer.mort.coffee) } | |||
## colors.mort.coffee | |||
server { | |||
listen_ssl(mort.coffee, colors.mort.coffee) | |||
proxy(http://localhost:8092) | |||
} | |||
server { https_redirect(colors.mort.coffee) } |
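Review bot: The bendik.mort.coffee server block turns on `autoindex on;` over `/home/bendik/www`, so everything that lands in that directory is listed and served to anyone on the internet, including dotfiles, editor backups and files copied there by mistake; the `serve` macro applies the same `autoindex on;` to the mort.coffee and s.mort.coffee document roots. If the listing is deliberate, at least deny hidden files with `location ~ /\. { deny all; }` in those server blocks and put a comment next to `autoindex on;` saying the listing is intended, so the next maintainer does not read it as an oversight. None of the `proxy(...)` sites forward `Host` or `X-Forwarded-Proto` to their backend; that is a property of the `proxy` macro rather than of this file, but the services behind pass.mort.coffee and git.mort.coffee are the ones most likely to care about seeing the real origin and scheme.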
@@ -0,0 +1,5 @@ | |||
# shared | |||
m4_include(`shared.m4') | |||
# basic | |||
m4_include(`basic.m4') |
@@ -0,0 +1,4 @@ | |||
upstream php-handler { | |||
server unix:/run/php/php7.0-fpm.sock; | |||
} | |||
@@ -0,0 +1,20 @@ | |||
# A list of certificates, separated by semicolons. | |||
# The domains in the certificate is separated by commas. | |||
domains=" | |||
example.com: | |||
example.com, | |||
foo.example.com, | |||
bar.example.com, | |||
baz.example.com; | |||
example.net: | |||
example.net, | |||
foo.example.net, | |||
bar.example.com;" | |||
email="example@example.com" | |||
dryrun=0 | |||
testcert=0 | |||
precmd="systemctl stop nginx" | |||
postcmd="systemctl start nginx" |
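Review bot: The second certificate in the example lists `bar.example.com` under `example.net`, which reads like a copy-paste slip for `bar.example.net`; since this file is the template people copy, a stray name here becomes a failed authorization or a certificate carrying a domain that was never meant to be on it. The header comment should also say that core/ssl.sh sources this file as shell and runs `precmd`/`postcmd` verbatim through `sh -c`, so values must be valid shell and the file must only be writable by the account that runs the renewal; e.g. `# Sourced by core/ssl.sh as a shell script; precmd/postcmd are executed verbatim with sh -c. Keep this file root-owned and not group/world-writable.`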
@@ -0,0 +1,33 @@ | |||
m4_define(`listen', `` | |||
listen 80; | |||
server_name $1;'') | |||
m4_define(`listen_ssl', `` | |||
listen 443 ssl; | |||
server_name $2; | |||
ssl_certificate /etc/letsencrypt/live/$1/fullchain.pem; | |||
ssl_certificate_key /etc/letsencrypt/live/$1/privkey.pem; | |||
ssl_trusted_certificate /etc/letsencrypt/live/$1/fullchain.pem;'') | |||
m4_define(`redirect', `` | |||
return 302 $1;'') | |||
m4_define(`redirect_perm', `` | |||
return 301 $1;'') | |||
m4_define(`https_redirect', ` | |||
listen($1) | |||
redirect(https://$1$request_uri)') | |||
m4_define(`wsproxy', `` | |||
location /$2 { | |||
proxy_pass $1; | |||
proxy_set_header Upgrade $http_upgrade; | |||
proxy_set_header Connection "upgrade"; | |||
proxy_set_header X-Real-IP $remote_addr; | |||
}'') | |||
m4_define(`proxy', `` | |||
location /$2 { | |||
proxy_pass $1; | |||
proxy_set_header X-Real-IP $remote_addr; | |||
}'') | |||
m4_define(`serve', `` | |||
autoindex on; | |||
root /var/www/$1/$2/public;'') | |||
m4_include(`main.m4') |
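Review bot: The `wsproxy` macro sets the `Upgrade`/`Connection` headers but never `proxy_http_version 1.1;`, and nginx speaks HTTP/1.0 to upstreams by default, so the WebSocket upgrade for the irc.mort.coffee socket.io location is unlikely to go through as written. Both `proxy` and `wsproxy` forward only `X-Real-IP`; without `Host`, `X-Forwarded-For` and `X-Forwarded-Proto` the backends see plain-HTTP requests from 127.0.0.1 and cannot mark cookies Secure, build https:// links or distinguish the real client from the proxy chain. `ssl_trusted_certificate` is pointed at fullchain.pem but nothing in this file enables `ssl_stapling`, so it is probably unused unless the global nginx.conf turns stapling on; confirm or drop it.
```m4
m4_define(`wsproxy', ``
    location /$2 {
        proxy_pass $1;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }'')
m4_define(`proxy', ``
    location /$2 {
        proxy_pass $1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }'')
dnl … unchanged: listen, listen_ssl, redirect, redirect_perm, https_redirect, serve, m4_include …
```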
@@ -0,0 +1,27 @@ | |||
#!/bin/sh | |||
set -e | |||
out="/etc/nginx/sites-available/autogen" | |||
if ! [ -w "$out" ]; then | |||
echo "Must have write access to $out." | |||
exit 1 | |||
fi | |||
cp "$out" "$out.bak" | |||
output="$(m4 -P -I ../conf/nginx nginx.m4)" | |||
echo "$output" \ | |||
| sed '/^\s*$/d' \ | |||
| tee "$out" >/dev/null | |||
if ! sudo nginx -t; then | |||
echo "Reverting to backup file." | |||
mv "$out.bak" "$out" | |||
else | |||
echo "Press enter to restart nginx." | |||
read _ | |||
echo "Restarting..." | |||
systemctl restart nginx | |||
fi |
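Review bot: When `nginx -t` fails the script restores the backup and then falls off the end with status 0, so the caller (run.sh's `./nginx.sh` passes the status straight through) cannot tell that the generated config was rejected; add `exit 1` after `mv "$out.bak" "$out"`. The test is run as `sudo nginx -t` while the write to `$out` and `systemctl restart nginx` run without sudo, so either the script is already root and the `sudo` is redundant, or it is not and the restart fails only after the interactive prompt — make the two calls match. Note too that `nginx -t` validates the live configuration, so it only exercises `$out` if sites-enabled links to it, and the new file is already in place at that point: a concurrent reload (for instance the certbot postcmd restarting nginx) would pick up a broken file before the test has a chance to revert it.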
@@ -0,0 +1,110 @@ | |||
#!/bin/bash | |||
set -e | |||
. ../conf/ssl.conf | |||
user="$(stat -c %U "$0")" | |||
asuser() { | |||
echo "Running as $user: " "$@" | |||
sudo -u "$user" "$@" | |||
} | |||
printcol() { | |||
str="$1" | |||
shift | |||
for x in "$@"; do | |||
tput $x | |||
done | |||
printf "%s%s\n" "$str" $(tput sgr0) | |||
} | |||
printed=0 | |||
printstatus() { | |||
if [ "$printed" = 1 ]; then | |||
echo | |||
fi | |||
printed=1 | |||
printcol "$1" bold | |||
} | |||
certbot="https://github.com/certbot/certbot.git" | |||
validate() { | |||
if [ -z "$email" ]; then | |||
echo "Missing config 'email'." | |||
elif [ -z "$domains" ]; then | |||
echo "Missing config 'domains'." | |||
elif [ -z "$testcert" ]; then | |||
echo "Missing config 'testcert'." | |||
elif [ -z "$dryrun" ]; then | |||
echo "Missing config 'dryrun'." | |||
elif [ -z "$precmd" ]; then | |||
echo "Missing config 'precmd'." | |||
elif [ -z "$postcmd" ]; then | |||
echo "Missing config 'postcmd'." | |||
else | |||
return 0 | |||
fi | |||
exit 1 | |||
} | |||
validate | |||
if ! [ -d certbot ]; then | |||
asuser git clone "$certbot" certbot | |||
fi | |||
if [ "$dryrun" = 1 ]; then | |||
printstatus "Running a dry run." | |||
fi | |||
cd certbot | |||
printstatus "Updating certbot..." | |||
# necessary because certbot sometime schanges itself | |||
asuser git reset --hard | |||
asuser git pull | |||
printstatus "Running pre command..." | |||
echo "$precmd" | |||
sh -c "$precmd" | |||
printstatus "Obtaining certificates..." | |||
domains="$(echo "$domains" \ | |||
| tr '\n' ' ' \ | |||
| sed 's/\s*//g; s/\;/\n/g')" | |||
while read line; do | |||
if [ -z "$line" ]; then | |||
continue | |||
fi | |||
cname=$(echo "$line" | sed 's/:.*//') | |||
dom=$(echo "$line" | sed 's/.*://') | |||
printstatus "Certificate $cname" | |||
if ./certbot-auto certonly \ | |||
-n --standalone --agree-tos \ | |||
-m "$email" \ | |||
--cert-name "$cname" \ | |||
$([ "$testcert" = 1 ] && echo --test-cert) \ | |||
$([ "$dryrun" = 1 ] && echo "--dry-run") \ | |||
-d "$dom" | |||
then | |||
echo | |||
printcol "Certbot succeeded." "setaf 2" "bold" | |||
else | |||
fail=1 | |||
echo | |||
printcol "Certbot failed." "setaf 1" "bold" | |||
fi | |||
done <<< "$domains" | |||
printstatus "Running post command..." | |||
echo "$postcmd" | |||
sh -c "$postcmd" | |||
if [ "$fail" = 1 ]; then | |||
exit 1 | |||
else | |||
exit 0 | |||
fi |
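Review bot: `./certbot-auto` is executed from a checkout that is cloned and `git pull`ed as the owner of this script (`sudo -u "$user"`), while the script itself has to run as root to stop nginx and bind ports 80/443 for `--standalone`; that means whoever owns the file, or can write to that unprivileged user's working tree, gets arbitrary code run as root, and what runs is whatever upstream master happens to be rather than a pinned release (certbot-auto has also, as far as I know, since been retired upstream). Prefer installing certbot from the distribution or in a root-owned venv and calling `certbot` directly; if the git checkout stays, keep it root-owned (drop `asuser` for the git calls), check out a release tag instead of pulling HEAD, and refuse to run if `certbot-auto` is writable by anyone but root. The config is likewise executed as shell (`. ../conf/ssl.conf`) and `precmd`/`postcmd` go through `sh -c`, so conf/ssl.conf needs the same ownership discipline. Smaller: the domains loop should use `IFS= read -r line`, and `fail=0` should be set before the loop so the final test does not rely on an unset variable.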
@@ -0,0 +1,13 @@ | |||
#!/bin/sh | |||
cd "$(dirname "$0")" | |||
cd core | |||
if [ "$1" = ssl ]; then | |||
./ssl.sh | |||
elif [ "$1" = nginx ]; then | |||
./nginx.sh | |||
else | |||
echo "Usage: $0 <ssl | nginx>" | |||
exit 1 | |||
fi |
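Review bot: `cd "$(dirname "$0")"` and `cd core` are unchecked, so if either fails the wrapper goes on to run `./ssl.sh` or `./nginx.sh` relative to whatever the current directory happens to be; either add `set -e` after the shebang or write `cd "$(dirname "$0")/core" || exit 1`. The usage message also goes to stdout; sending it with `>&2` keeps it out of anything that captures the script's output.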