sysadmin/openfreemap
1
0
Fork 0
mirror of https://github.com/hyperknot/openfreemap.git synced 2026-05-21 14:02:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

certs

Browse Source
This commit is contained in:
Zsolt Ero
2024-02-24 14:08:33 +01:00
parent 5a8b8c5338
commit b11a46fee1
8 changed files with 112 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
config/.env.sample
View File

@@ -1,8 +1,11 @@
# Leave it empty if you use SSH keys
SSH_PASSWD=
# Domain to server directly, without CloudFlare
DOMAIN_LE=direct.openfreemap.org
# Domain to server directly, with Let's Encrypt certificates
DOMAIN_LE=le.openfreemap.org
# Let's Encrypt account email
LE_EMAIL=user@example.com
# Domain via CloudFlare, using origin certificates
# Please put cf.key and cf.cert files in config/certs

24
init-server.py
View File

@@ -9,7 +9,7 @@ from fabric import Config, Connection
from ssh_lib import CONFIG_DIR, HTTP_HOST_BIN, OFM_DIR, REMOTE_CONFIG, SCRIPTS_DIR, TILE_GEN_BIN
from ssh_lib.benchmark import c1000k, wrk
from ssh_lib.kernel import kernel_tweaks_ofm
from ssh_lib.nginx import lego, nginx
from ssh_lib.nginx import certbot, lego, nginx
from ssh_lib.pkg_base import pkg_base, pkg_upgrade
from ssh_lib.planetiler import planetiler
from ssh_lib.rclone import rclone
@@ -97,11 +97,12 @@ def prepare_tile_gen(c):
def upload_http_host_config(c):
domain_le = dotenv_values(f'{CONFIG_DIR}/.env').get('DOMAIN_LE', '').strip()
domain_cf = dotenv_values(f'{CONFIG_DIR}/.env').get('DOMAIN_CF', '').strip()
skip_planet = (
dotenv_values(f'{CONFIG_DIR}/.env').get('SKIP_PLANET', '').lower().strip() == 'true'
)
env_values = dotenv_values(f'{CONFIG_DIR}/.env')
domain_le = env_values.get('DOMAIN_LE', '').strip()
domain_cf = env_values.get('DOMAIN_CF', '').strip()
skip_planet = env_values.get('SKIP_PLANET', '').lower().strip() == 'true'
le_email = env_values.get('LE_EMAIL', '').strip()
if not (domain_le or domain_cf):
sys.exit('Please specify DOMAIN_LE or DOMAIN_CF in config/.env')
@@ -117,6 +118,7 @@ def upload_http_host_config(c):
'domain_le': domain_le,
'domain_cf': domain_cf,
'skip_planet': skip_planet,
'le_email': le_email,
}
host_config_str = json.dumps(host_config, indent=2, ensure_ascii=False)
@@ -126,7 +128,7 @@ def upload_http_host_config(c):
def prepare_http_host(c):
nginx(c)
lego(c)
certbot(c)
c.sudo('rm -rf /data/ofm/http_host/logs')
c.sudo('mkdir -p /data/ofm/http_host/logs')
@@ -260,14 +262,12 @@ def tile_gen(hostname, user, port):
def debug(hostname, user, port):
c = get_connection(hostname, user, port)
lego(c)
upload_http_host_config(c)
# upload_http_host_config(c)
upload_https_host_files(c)
# upload_https_host_files(c)
# run_http_host_sync(c)
# sudo_cmd(c, '/data/ofm/venv/bin/python -u /data/ofm/http_host/bin/host_manager.py nginx-sync')
sudo_cmd(c, '/data/ofm/venv/bin/python -u /data/ofm/http_host/bin/host_manager.py nginx-sync')
if __name__ == '__main__':

2
scripts/http_host/http_host_lib/__init__.py
View File

@@ -10,6 +10,8 @@ DEFAULT_ASSETS_DIR = Path('/data/ofm/http_host/assets')
MNT_DIR = Path('/mnt/ofm')
OFM_CONFIG_DIR = Path('/data/ofm/config')
CERTS_DIR = Path('/data/nginx/certs')
try:
with open('/data/ofm/config/http_host.json') as fp:
HOST_CONFIG = json.load(fp)

62
scripts/http_host/http_host_lib/nginx.py
View File

@@ -1,20 +1,76 @@
import shutil
import subprocess
import sys
from pathlib import Path
from http_host_lib import DEFAULT_RUNS_DIR, HOST_CONFIG, MNT_DIR, NGINX_DIR, OFM_CONFIG_DIR
from http_host_lib import (
CERTS_DIR,
DEFAULT_RUNS_DIR,
HOST_CONFIG,
MNT_DIR,
NGINX_DIR,
OFM_CONFIG_DIR,
)
def write_nginx_config():
curl_text_mix = ''
if HOST_CONFIG['domain_cf']:
domain_cf = HOST_CONFIG['domain_cf']
domain_le = HOST_CONFIG['domain_le']
# processing Cloudflare config
if domain_cf:
if not (CERTS_DIR / 'cf.cert').exists() or not (CERTS_DIR / 'cf.key').exists():
sys.exit('cf.cert or cf.key missing')
curl_text_mix += create_nginx_conf(
template_path=NGINX_DIR / 'cf.conf',
local='ofm_cf',
domain=HOST_CONFIG['domain_cf'],
domain=domain_cf,
)
# processing Let's Encrypt config
if domain_le:
le_cert = CERTS_DIR / 'le.cert'
le_key = CERTS_DIR / 'le.key'
if not (CERTS_DIR / 'le.cert').exists() or not (CERTS_DIR / 'le.key').exists():
shutil.copyfile(Path('/etc/nginx/ssl/dummy.crt'), le_cert)
shutil.copyfile(Path('/etc/nginx/ssl/dummy.key'), le_key)
curl_text_mix += create_nginx_conf(
template_path=NGINX_DIR / 'le.conf',
local='ofm_le',
domain=domain_le,
)
subprocess.run(['nginx', '-t'], check=True)
subprocess.run(['systemctl', 'reload', 'nginx'], check=True)
subprocess.run(
[
'lego',
'--accept-tos',
'--email',
HOST_CONFIG['le_email'],
'--http',
'--http.webroot=/data/nginx/acme-challenges/',
'--domains',
domain_le,
'--http-timeout=30',
'--path=/data/nginx/lego/',
'run',
],
check=True,
)
# link lego certs to nginx dir
le_cert.unlink()
le_key.unlink()
le_cert.symlink_to(Path(f'/data/nginx/lego/certificates/{domain_le}.crt'))
le_key.symlink_to(Path(f'/data/nginx/lego/certificates/{domain_le}.key'))
subprocess.run(['nginx', '-t'], check=True)
subprocess.run(['systemctl', 'reload', 'nginx'], check=True)

2
scripts/http_host/http_host_lib/nginx/cf.conf
View File

@@ -13,7 +13,7 @@ server {
ssl_certificate_key /data/nginx/certs/cf.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# modern configuration

17
scripts/http_host/http_host_lib/nginx/le.conf
View File

@@ -8,11 +8,11 @@ server {
listen [::]:443 ssl;
http2 on;
ssl_certificate /data/nginx/certs/cf.cert;
ssl_certificate_key /data/nginx/certs/cf.key;
ssl_certificate /data/nginx/certs/le.cert;
ssl_certificate_key /data/nginx/certs/le.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/nginx/ffdhe2048.txt;
@@ -23,11 +23,16 @@ server {
ssl_prefer_server_ciphers off;
# access log disabled by default
#access_log /data/ofm/http_host/logs_nginx/cf-access.log access_json buffer=32k;
#access_log /data/ofm/http_host/logs_nginx/le-access.log access_json buffer=32k;
access_log off;
error_log /data/ofm/http_host/logs_nginx/cf-error.log;
error_log /data/ofm/http_host/logs_nginx/le-error.log;
location ^~ /.well-known/acme-challenge/ {
# trailing slash
root /data/nginx/acme-challenges;
try_files $uri =404;
}
__LOCATION_BLOCKS__
}

6
ssh_lib/nginx.py
View File

@@ -81,6 +81,8 @@ def lego(c):
f'wget -q "{url}" -O /tmp/lego/out.tar.gz',
)
c.run('tar xzvf /tmp/lego/out.tar.gz -C /tmp/lego')
c.run('mv /tmp/lego/lego /usr/bin')
c.run('chmod +x /usr/bin/lego')
c.run('chmod +x /tmp/lego/lego')
c.run('mv /tmp/lego/lego /usr/local/bin')
c.run('rm -rf /tmp/lego*')
c.run('mkdir -p /data/nginx/acme-challenges/')

19
ssh_lib/utils.py
View File

@@ -1,9 +1,11 @@
import os
import secrets
import string
import sys
from pathlib import Path
import requests
from invoke import UnexpectedExit
def put(
@@ -76,7 +78,22 @@ def append_str(c, remote_path, str_):
def sudo_cmd(c, cmd, *, user=None):
cmd = cmd.replace('"', '\\"')
c.sudo(f'bash -c "{cmd}"', user=user)
try:
c.sudo(f'bash -c "{cmd}"', user=user)
except UnexpectedExit as e:
print(f'Command failed: {e.result.command}')
print(f'Error: {e.result.stderr}')
sys.exit(1)
def run_nice(c, cmd):
try:
c.run(cmd)
except UnexpectedExit as e:
print(f'Command failed: {e.result.command}')
print(f'Error: {e.result.stderr}')
sys.exit(1)
def set_permission(c, path, *, permissions=None, user=None, group=None):