initial commit

.gitignore

@@ -0,0 +1,2 @@
+conf
+core/certbot

conf.example/nginx/basic.m4

@@ -0,0 +1,80 @@
+## mort.coffee
+server {
+	listen_ssl(mort.coffee, mort.coffee)
+	serve(mort.coffee, www)
+}
+server { https_redirect(mort.coffee) }
+server { listen(www.mort.coffee) redirect(https://mort.coffee) }
+server { listen_ssl(mort.coffee, www.mort.coffee) redirect(https://mort.coffee) }
+
+## s.mort.coffee
+server {
+	listen_ssl(mort.coffee, s.mort.coffee)
+	serve(mort.coffee, s)
+}
+server { https_redirect(s.mort.coffee) }
+
+## bendik.mort.coffee
+server {
+	listen_ssl(mort.coffee, bendik.mort.coffee)
+	autoindex on;
+	root /home/bendik/www;
+}
+server { https_redirect(bendik.mort.coffee) }
+
+## pass.mort.coffee
+server {
+	listen_ssl(mort.coffee, pass.mort.coffee)
+	proxy(http://localhost:8080)
+}
+server { https_redirect(pass.mort.coffee) }
+
+## git.mort.coffee
+server {
+	listen_ssl(mort.coffee, git.mort.coffee)
+	proxy(http://localhost:8082)
+}
+server { https_redirect(git.mort.coffee) }
+
+## irc.mort.coffee
+server {
+	listen_ssl(mort.coffee, irc.mort.coffee)
+	proxy(http://localhost:8087)
+	wsproxy(http://localhost:8087, socket.io/)
+}
+server { https_redirect(irc.mort.coffee) }
+
+## tpb.mort.coffee
+server {
+	listen_ssl(mort.coffee, tpb.mort.coffee)
+	proxy(http://localhost:8086)
+}
+server { https_redirect(tpb.mort.coffee) }
+
+## shoplist.mort.coffee
+server {
+	listen_ssl(mort.coffee, shoplist.mort.coffee)
+	proxy(http://localhost:8090)
+}
+server { https_redirect(shoplist.mort.coffee) }
+
+## sonen.mort.coffee
+server {
+	listen_ssl(mort.coffee, sonen.mort.coffee)
+	proxy(http://localhost:8089)
+}
+server { https_redirect(sonen.mort.coffee) }
+
+## beer.mort.coffee
+server {
+	listen_ssl(mort.coffee, beer.mort.coffee)
+	proxy(http://localhost:8091)
+}
+server { https_redirect(beer.mort.coffee) }
+
+## colors.mort.coffee
+server {
+	listen_ssl(mort.coffee, colors.mort.coffee)
+	proxy(http://localhost:8092)
+}
+server { https_redirect(colors.mort.coffee) }

conf.example/nginx/main.m4

@@ -0,0 +1,5 @@
+# shared
+m4_include(`shared.m4')
+
+# basic
+m4_include(`basic.m4')

conf.example/nginx/shared.m4

@@ -0,0 +1,4 @@
+upstream php-handler {
+	server unix:/run/php/php7.0-fpm.sock;
+}
+

conf.example/ssl.conf

@@ -0,0 +1,20 @@
+
+# A list of certificates, separated by semicolons.
+# The domains in the certificate is separated by commas.
+domains="
+	example.com:
+		example.com,
+		foo.example.com,
+		bar.example.com,
+		baz.example.com;
+	example.net:
+		example.net,
+		foo.example.net,
+		bar.example.com;"
+
+email="example@example.com"
+dryrun=0
+testcert=0
+
+precmd="systemctl stop nginx"
+postcmd="systemctl start nginx"

core/nginx.m4

@@ -0,0 +1,33 @@
+m4_define(`listen', ``
+	listen 80;
+	server_name $1;'')
+m4_define(`listen_ssl', ``
+	listen 443 ssl;
+	server_name $2;
+	ssl_certificate /etc/letsencrypt/live/$1/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/$1/privkey.pem;
+	ssl_trusted_certificate /etc/letsencrypt/live/$1/fullchain.pem;'')
+m4_define(`redirect', ``
+	return 302 $1;'')
+m4_define(`redirect_perm', ``
+	return 301 $1;'')
+m4_define(`https_redirect', `
+	listen($1)
+	redirect(https://$1$request_uri)')
+m4_define(`wsproxy', ``
+	location /$2 {
+		proxy_pass $1;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection "upgrade";
+		proxy_set_header X-Real-IP $remote_addr;
+	}'')
+m4_define(`proxy', ``
+	location /$2 {
+		proxy_pass $1;
+		proxy_set_header X-Real-IP $remote_addr;
+	}'')
+m4_define(`serve', ``
+	autoindex on;
+	root /var/www/$1/$2/public;'')
+
+m4_include(`main.m4')

core/nginx.sh

@@ -0,0 +1,27 @@
+#!/bin/sh
+
+set -e
+
+out="/etc/nginx/sites-available/autogen"
+
+if ! [ -w "$out" ]; then
+	echo "Must have write access to $out."
+	exit 1
+fi
+
+cp "$out" "$out.bak"
+output="$(m4 -P -I ../conf/nginx nginx.m4)"
+echo "$output" \
+	| sed '/^\s*$/d' \
+	| tee "$out" >/dev/null
+
+if ! sudo nginx -t; then
+	echo "Reverting to backup file."
+	mv "$out.bak" "$out"
+else
+	echo "Press enter to restart nginx."
+	read _
+
+	echo "Restarting..."
+	systemctl restart nginx
+fi

core/ssl.sh

@@ -0,0 +1,110 @@
+#!/bin/bash
+
+set -e
+
+. ../conf/ssl.conf
+
+user="$(stat -c %U "$0")"
+
+asuser() {
+	echo "Running as $user: " "$@"
+	sudo -u "$user" "$@"
+}
+
+printcol() {
+	str="$1"
+	shift
+	for x in "$@"; do
+		tput $x
+	done
+	printf "%s%s\n" "$str" $(tput sgr0)
+}
+
+printed=0
+printstatus() {
+	if [ "$printed" = 1 ]; then
+		echo
+	fi
+	printed=1
+	printcol "$1" bold
+}
+
+certbot="https://github.com/certbot/certbot.git"
+
+validate() {
+	if [ -z "$email" ]; then
+		echo "Missing config 'email'."
+	elif [ -z "$domains" ]; then
+		echo "Missing config 'domains'."
+	elif [ -z "$testcert" ]; then
+		echo "Missing config 'testcert'."
+	elif [ -z "$dryrun" ]; then
+		echo "Missing config 'dryrun'."
+	elif [ -z "$precmd" ]; then
+		echo "Missing config 'precmd'."
+	elif [ -z "$postcmd" ]; then
+		echo "Missing config 'postcmd'."
+	else
+		return 0
+	fi
+	exit 1
+}
+validate
+
+if ! [ -d certbot ]; then
+	asuser git clone "$certbot" certbot
+fi
+
+if [ "$dryrun" = 1 ]; then
+	printstatus "Running a dry run."
+fi
+
+cd certbot
+printstatus "Updating certbot..."
+# necessary because certbot sometime schanges itself
+asuser git reset --hard
+asuser git pull
+
+printstatus "Running pre command..."
+echo "$precmd"
+sh -c "$precmd"
+
+printstatus "Obtaining certificates..."
+domains="$(echo "$domains" \
+	| tr '\n' ' ' \
+	| sed 's/\s*//g; s/\;/\n/g')"
+while read line; do
+	if [ -z "$line" ]; then
+		continue
+	fi
+
+	cname=$(echo "$line" | sed 's/:.*//')
+	dom=$(echo "$line" | sed 's/.*://')
+
+	printstatus "Certificate $cname"
+	if ./certbot-auto certonly \
+		-n --standalone --agree-tos \
+		-m "$email" \
+		--cert-name "$cname" \
+		$([ "$testcert" = 1 ] && echo --test-cert) \
+		$([ "$dryrun" = 1 ] && echo "--dry-run") \
+		-d "$dom"
+	then
+		echo
+		printcol "Certbot succeeded." "setaf 2" "bold"
+	else
+		fail=1
+		echo
+		printcol "Certbot failed." "setaf 1" "bold"
+	fi
+done <<< "$domains"
+
+printstatus "Running post command..."
+echo "$postcmd"
+sh -c "$postcmd"
+
+if [ "$fail" = 1 ]; then
+	exit 1
+else
+	exit 0
+fi

ctl.sh

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+cd "$(dirname "$0")"
+cd core
+
+if [ "$1" = ssl ]; then
+	./ssl.sh
+elif [ "$1" = nginx ]; then
+	./nginx.sh
+else
+	echo "Usage: $0 <ssl | nginx>"
+	exit 1
+fi