ledns_reader

scripts/http_host/http_host_lib/__init__.py

@@ -9,6 +9,7 @@ DEFAULT_ASSETS_DIR = Path('/data/ofm/http_host/assets')
 
 MNT_DIR = Path('/mnt/ofm')
 OFM_CONFIG_DIR = Path('/data/ofm/config')
+HTTP_HOST_BIN_DIR = Path('/data/ofm/http_host/bin')
 
 CERTS_DIR = Path('/data/nginx/certs')
 

scripts/http_host/http_host_lib/nginx.py

@@ -7,6 +7,7 @@ from http_host_lib import (
     CERTS_DIR,
     DEFAULT_RUNS_DIR,
     HOST_CONFIG,
+    HTTP_HOST_BIN_DIR,
     MNT_DIR,
     NGINX_DIR,
     OFM_CONFIG_DIR,
@@ -18,6 +19,7 @@ def write_nginx_config():
 
     domain_cf = HOST_CONFIG['domain_cf']
     domain_le = HOST_CONFIG['domain_le']
+    domain_ledns = HOST_CONFIG['domain_ledns']
 
     # processing Cloudflare config
     if domain_cf:
@@ -30,6 +32,21 @@ def write_nginx_config():
             domain=domain_cf,
         )
 
+    # processing Cloudflare config
+    if domain_ledns:
+        if not (OFM_CONFIG_DIR / 'rclone.conf').is_file():
+            sys.exit('rclone.conf missing')
+
+        # download the ledns certificate from bucket using rclone
+        write_ledns_reader_script(domain_ledns)
+        subprocess.run(['bash', HTTP_HOST_BIN_DIR / 'ledns_reader.sh'], check=True)
+
+        curl_text_mix += create_nginx_conf(
+            template_path=NGINX_DIR / 'ledns.conf',
+            local='ofm_ledns',
+            domain=domain_ledns,
+        )
+
     # processing Let's Encrypt config
     if domain_le:
         le_cert = CERTS_DIR / 'ofm_le.cert'
@@ -59,6 +76,7 @@ def write_nginx_config():
                 HOST_CONFIG['le_email'],
                 '--agree-tos',
                 '--cert-name=ofm_le',
+                # '--staging',
                 '--deploy-hook',
                 'nginx -t && service nginx reload',
                 '-d',
@@ -215,3 +233,15 @@ def create_latest_locations(*, local: str, domain: str) -> str:
         """
 
     return location_str
+
+
+def write_ledns_reader_script(domain_ledns):
+    script = f"""
+#!/usr/bin/env bash
+export RCLONE_CONFIG=/data/ofm/config/rclone.conf
+rclone copyto -v "remote:ofm-private/ledns/{domain_ledns}/ofm_ledns.cert" /data/nginx/certs/ofm_ledns.cert
+rclone copyto -v "remote:ofm-private/ledns/{domain_ledns}/ofm_ledns.key" /data/nginx/certs/ofm_ledns.key
+    """.strip()
+
+    with open(HTTP_HOST_BIN_DIR / 'ledns_reader.sh', 'w') as fp:
+        fp.write(script)

scripts/http_host/http_host_lib/nginx/ledns.conf

@@ -0,0 +1,38 @@
+server {
+    server_name __LOCAL__ __DOMAIN__;
+
+    # ssl: https://ssl-config.mozilla.org / intermediate config
+
+    listen 80;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
+
+    ssl_certificate /data/nginx/certs/ofm_ledns.cert;
+    ssl_certificate_key /data/nginx/certs/ofm_ledns.key;
+
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+    ssl_session_tickets off;
+
+    ssl_dhparam /etc/nginx/ffdhe2048.txt;
+
+    # intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+    ssl_prefer_server_ciphers off;
+
+    # access log disabled by default
+    #access_log /data/ofm/http_host/logs_nginx/ledns-access.log access_json buffer=32k;
+    access_log off;
+
+    error_log /data/ofm/http_host/logs_nginx/ledns-error.log;
+
+    __LOCATION_BLOCKS__
+
+    # catch-all block to deny all other requests
+    location / {
+        deny all;
+        error_log /data/ofm/http_host/logs_nginx/__LOCAL__-error.log error;
+    }
+}