This commit is contained in:
Zsolt Ero
2024-02-24 14:08:33 +01:00
parent 5a8b8c5338
commit b11a46fee1
8 changed files with 112 additions and 27 deletions


@@ -10,6 +10,8 @@ DEFAULT_ASSETS_DIR = Path('/data/ofm/http_host/assets')
MNT_DIR = Path('/mnt/ofm')
OFM_CONFIG_DIR = Path('/data/ofm/config')
CERTS_DIR = Path('/data/nginx/certs')
try:
with open('/data/ofm/config/http_host.json') as fp:
HOST_CONFIG = json.load(fp)


@@ -1,20 +1,76 @@
import shutil
import subprocess
import sys
from pathlib import Path
from http_host_lib import DEFAULT_RUNS_DIR, HOST_CONFIG, MNT_DIR, NGINX_DIR, OFM_CONFIG_DIR
from http_host_lib import (
CERTS_DIR,
DEFAULT_RUNS_DIR,
HOST_CONFIG,
MNT_DIR,
NGINX_DIR,
OFM_CONFIG_DIR,
)
def write_nginx_config():
curl_text_mix = ''
if HOST_CONFIG['domain_cf']:
domain_cf = HOST_CONFIG['domain_cf']
domain_le = HOST_CONFIG['domain_le']
# processing Cloudflare config
if domain_cf:
if not (CERTS_DIR / 'cf.cert').exists() or not (CERTS_DIR / 'cf.key').exists():
sys.exit('cf.cert or cf.key missing')
curl_text_mix += create_nginx_conf(
template_path=NGINX_DIR / 'cf.conf',
local='ofm_cf',
domain=HOST_CONFIG['domain_cf'],
domain=domain_cf,
)
# processing Let's Encrypt config
if domain_le:
le_cert = CERTS_DIR / 'le.cert'
le_key = CERTS_DIR / 'le.key'
if not (CERTS_DIR / 'le.cert').exists() or not (CERTS_DIR / 'le.key').exists():
shutil.copyfile(Path('/etc/nginx/ssl/dummy.crt'), le_cert)
shutil.copyfile(Path('/etc/nginx/ssl/dummy.key'), le_key)
curl_text_mix += create_nginx_conf(
template_path=NGINX_DIR / 'le.conf',
local='ofm_le',
domain=domain_le,
)
subprocess.run(['nginx', '-t'], check=True)
subprocess.run(['systemctl', 'reload', 'nginx'], check=True)
subprocess.run(
[
'lego',
'--accept-tos',
'--email',
HOST_CONFIG['le_email'],
'--http',
'--http.webroot=/data/nginx/acme-challenges/',
'--domains',
domain_le,
'--http-timeout=30',
'--path=/data/nginx/lego/',
'run',
],
check=True,
)
# link lego certs to nginx dir
le_cert.unlink()
le_key.unlink()
le_cert.symlink_to(Path(f'/data/nginx/lego/certificates/{domain_le}.crt'))
le_key.symlink_to(Path(f'/data/nginx/lego/certificates/{domain_le}.key'))
subprocess.run(['nginx', '-t'], check=True)
subprocess.run(['systemctl', 'reload', 'nginx'], check=True)
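Review bot: The `subprocess.run(['lego', …, 'run'])` call executes on every invocation of write_nginx_config once domain_le is set, including runs where le.cert already points at a lego-issued certificate, so each call requests a brand-new certificate; Let's Encrypt rate-limits duplicate issuance, so gate it, e.g. `if not Path(f'/data/nginx/lego/certificates/{domain_le}.crt').exists():` around the lego call and the unlink/symlink step that follows it (lego's `renew` subcommand covers the existing-certificate case). The check `if not (CERTS_DIR / 'le.cert').exists() or not (CERTS_DIR / 'le.key').exists():` re-spells the two paths bound on the lines just above it; `if not le_cert.exists() or not le_key.exists():` is equivalent and clearer. Note that Path.exists() follows symlinks, so a dangling le.cert symlink left behind by an earlier failed run would count as missing and copyfile would write the dummy certificate through the link rather than replace it — presumably unintended, worth confirming. curl_text_mix is accumulated but not consumed within the hunk, so write_nginx_config presumably continues past the hunk's end.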


@@ -13,7 +13,7 @@ server {
ssl_certificate_key /data/nginx/certs/cf.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# modern configuration


@@ -8,11 +8,11 @@ server {
listen [::]:443 ssl;
http2 on;
ssl_certificate /data/nginx/certs/cf.cert;
ssl_certificate_key /data/nginx/certs/cf.key;
ssl_certificate /data/nginx/certs/le.cert;
ssl_certificate_key /data/nginx/certs/le.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/nginx/ffdhe2048.txt;
@@ -23,11 +23,16 @@ server {
ssl_prefer_server_ciphers off;
# access log disabled by default
#access_log /data/ofm/http_host/logs_nginx/cf-access.log access_json buffer=32k;
#access_log /data/ofm/http_host/logs_nginx/le-access.log access_json buffer=32k;
access_log off;
error_log /data/ofm/http_host/logs_nginx/cf-error.log;
error_log /data/ofm/http_host/logs_nginx/le-error.log;
location ^~ /.well-known/acme-challenge/ {
# trailing slash
root /data/nginx/acme-challenges;
try_files $uri =404;
}
__LOCATION_BLOCKS__
}
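Review bot: The new `location ^~ /.well-known/acme-challenge/` block sits inside a server that, per the first hunk of this file, listens on `[::]:443 ssl`, while the HTTP-01 challenge that `lego --http --http.webroot=/data/nginx/acme-challenges/` relies on is fetched by the CA over port 80; this diff shows no port-80 server, so confirm one exists that either serves the same root or redirects these requests here, otherwise the first `lego run` in write_nginx_config will fail validation. The `# trailing slash` comment does not say what it guards; the decision worth recording is root versus alias, e.g. `# 'root', not 'alias': nginx appends the full URI, so tokens are served from /data/nginx/acme-challenges/.well-known/acme-challenge/<token>, the layout lego writes under its --http.webroot`. With access_log still off, the error_log line above is the only record of challenge traffic on this host, which matches cf.conf and is presumably intended.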