magic_recipes_two 0.0.57 → 0.0.58

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml CHANGED
@@ -1,15 +1,15 @@
1
1
  ---
2
2
  !binary "U0hBMQ==":
3
3
  metadata.gz: !binary |-
4
- MDI1MmI5YWQ3OTAxNmM0NmI4NTZhNGI4MWVkOTBmNzZiYTYwYjVmOQ==
4
+ ODhiNWIwYzJiODAwOGUyYmRlOTgzZGExZmE2ZWVhYzc0YWM4Y2Q0YQ==
5
5
  data.tar.gz: !binary |-
6
- NTBmMDFkZjE3Y2M0YWRhMTE5Zjg2ZjViY2UwMWRkMDA2ZDI3NWRmZQ==
6
+ MTU4MjY5MzBjZDNiMWI3NzUxOTc5Zjg3MWJmOTZhMzdmZTc0ZjM4Ng==
7
7
  SHA512:
8
8
  metadata.gz: !binary |-
9
- NGEyNDdhZjg1OGJhNTU0YzJhZjg2YzZmZWRhOTQyMDgzNGIzYWMzZmNhZjBh
10
- MzFmZDI4NTk5ZjY4YmE0YTRmNWI4ZjcwNDE0YTE0MGJiOWRhYmU1ZWZmYWU0
11
- MGE1N2IyNTJiYzQ4ZGIyNmJmNzUxZmM0NDhmZGQwZTNjZmVjMmY=
9
+ YWNmNmM3ZTZhOGUyMDU4YmQzNmZjNzlmYWY4YjEwMjQyZjY3NDhlM2VkNGZm
10
+ ZWVkYmZmOTg5NzY4NmM0MWM5MWIxMmQ5Mjk2ZjM0ZmUxZDgzNmU1ZTRlZTE5
11
+ OTY0NjBlZTkyODcwM2EwOTk1N2IwNzQ3ZWRjMjExOWZiYWJkN2U=
12
12
  data.tar.gz: !binary |-
13
- ZWRhYzk3MTY4Nzc5ZGNlYTg3NGRjNTJiMzA3OGUxM2FjYzJiOTYzYjg0ODg2
14
- MzBmN2EwYzRkNGRiNDI0NjNmYzg5Yjk0YzQyZmRhOWRmOTEzMzc5MjdiNzg5
15
- ZDY0YjRiMGY5OWUzNjY5NTMxZTE1ZjY0YTJjZTg3MTEwZjg0M2U=
13
+ NjNjNzY1NmFjMjAxMzM0ZWVkMDg1NzkzNWNjZTRmMmM5ODU2NjM5MzY1Y2M1
14
+ YzU5ZmMyODk5M2FkOGQ0MzAwZWU3MjdlZGY2MTlhOTQzZmMzZWJlYTllMWQw
15
+ NWJmN2Y0ZDhkNTdmN2Q0MDU1ZTg4YTBhYWE0OWE3NDQyYTY1NjY=
@@ -0,0 +1 @@
1
+ load File.expand_path("../../tasks/lets_encrypt.rake", __FILE__)
@@ -1,5 +1,5 @@
1
1
  module Capistrano
2
2
  module MagicRecipes
3
- VERSION = "0.0.57"
3
+ VERSION = "0.0.58"
4
4
  end
5
5
  end
@@ -0,0 +1,59 @@
1
+ # require 'capistrano/magic_recipes/base_helpers'
2
+ # include Capistrano::MagicRecipes::BaseHelpers
3
+
4
+ namespace :load do
5
+ task :defaults do
6
+ set :lets_encrypt_roles, -> { :web }
7
+ set :lets_encrypt_path, -> { "~" }
8
+ end
9
+ end
10
+
11
+ namespace :lets_encrypt do
12
+
13
+ desc "Install certbot LetsEncrypt"
14
+ task :install do
15
+ on release_roles fetch(:lets_encrypt_roles) do
16
+ execute "cd #{ fetch(:lets_encrypt_path) } ; wget https://dl.eff.org/certbot-auto"
17
+ execute "cd #{ fetch(:lets_encrypt_path) } ; chmod a+x certbot-auto"
18
+ end
19
+ end
20
+
21
+
22
+ desc "Install certbot LetsEncrypt"
23
+ task :certonly do
24
+ on release_roles fetch(:lets_encrypt_roles) do
25
+ # execute "./certbot-auto certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is"
26
+ execute "#{ fetch(:lets_encrypt_path) }/certbot-auto certonly --webroot -w #{current_path}/public#{ fetch(:nginx_major_domain, false) ? " -d #{fetch(:nginx_major_domain).to_s.gsub(/^\*?\./, "")} -d www.#{fetch(:nginx_major_domain).to_s.gsub(/^\*?\./, "")}" : ""} #{ Array(fetch(:nginx_domains)).map{ |d| "-d #{d.gsub(/^\*?\./, "")} -d www.#{d.gsub(/^\*?\./, "")}" }.join(" ") }"
27
+ end
28
+ end
29
+
30
+
31
+ desc "Install certbot LetsEncrypt"
32
+ ## http://serverfault.com/a/825032
33
+ task :auto_renew do
34
+ on release_roles fetch(:lets_encrypt_roles) do
35
+ execute "echo '42 0,12 * * * root #{ fetch(:lets_encrypt_path) }/certbot-auto renew --quiet' | cat > /etc/cron.d/lets_encrypt"
36
+ end
37
+ end
38
+
39
+
40
+ desc "Install certbot LetsEncrypt"
41
+ task :test_renew do
42
+ on release_roles fetch(:lets_encrypt_roles) do
43
+ execute "#{ fetch(:lets_encrypt_path) }/certbot-auto renew --dry-run"
44
+ end
45
+ end
46
+
47
+
48
+ desc "Generate Strong Diffie-Hellman Group"
49
+ task :generate_dhparam do
50
+ on release_roles fetch(:lets_encrypt_roles) do
51
+ execute :sudo, "openssl dhparam -out #{ fetch(:nginx_ssl_dh_path) }/#{ fetch(:nginx_ssl_dh_file) } 2048"
52
+ end
53
+ end
54
+
55
+
56
+ end
57
+
58
+
59
+
@@ -27,6 +27,10 @@ namespace :load do
27
27
  set :nginx_hooks, -> { true }
28
28
  ## Lets Encrypt - Challenge Path
29
29
  set :allow_well_known, -> { false }
30
+ # Diffie-Hellman settings
31
+ set :nginx_ssl_dh_path, -> { "/etc/ssl/certs" }
32
+ set :nginx_ssl_dh_file, -> { "dhparam.pem" }
33
+ set :nginx_ssl_diffie_hellman, -> { false }
30
34
  ## NginX Proxy-Caching
31
35
  # Cache Rails
32
36
  set :proxy_cache_rails, -> { false }
@@ -156,12 +156,36 @@ server {
156
156
 
157
157
  server {
158
158
  <% if fetch(:nginx_use_ssl) %>
159
- listen 443<%= ' default_server ssl' if fetch(:default_site) %>;
159
+ listen 443 ssl http2<%= ' default_server' if fetch(:default_site) %>;
160
+ listen [::]:443 ssl http2<%= ' default_server' if fetch(:default_site) %>;
160
161
  ssl on;
161
162
  ssl_certificate <%= fetch(:nginx_ssl_certificate_path) %>/<%= fetch(:nginx_ssl_certificate) %>;
162
163
  ssl_certificate_key <%= fetch(:nginx_ssl_certificate_key_path) %>/<%= fetch(:nginx_ssl_certificate_key) %>;
164
+ <% if fetch(:nginx_ssl_diffie_hellman, false) %>
165
+ # https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
166
+ # from https://cipherli.st/
167
+ # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
168
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
169
+ ssl_prefer_server_ciphers on;
170
+ ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
171
+ ssl_ecdh_curve secp384r1;
172
+ ssl_session_cache shared:SSL:10m;
173
+ ssl_session_tickets off;
174
+ ssl_stapling on;
175
+ ssl_stapling_verify on;
176
+ resolver 8.8.8.8 8.8.4.4 valid=300s;
177
+ resolver_timeout 5s;
178
+ ## Disable preloading HSTS for now. You can use the commented out header line that includes
179
+ ## the "preload" directive if you understand the implications.
180
+ # => add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
181
+ add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
182
+ add_header X-Frame-Options DENY;
183
+ add_header X-Content-Type-Options nosniff;
184
+ ssl_dhparam <%= fetch(:nginx_ssl_dh_path) %>/<%= fetch(:nginx_ssl_dh_file) %>;
185
+ <% end %>
163
186
  <% else %>
164
187
  listen 80<%= ' default deferred' if fetch(:default_site) %>;
188
+ listen [::]:80<%= ' default deferred' if fetch(:default_site) %>;
165
189
  <% end %>
166
190
  <% if fetch(:nginx_major_domain) %>
167
191
  server_name <%= ".#{fetch(:nginx_major_domain).gsub(/^\*?\./, "")}" %>;
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: magic_recipes_two
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.0.57
4
+ version: 0.0.58
5
5
  platform: ruby
6
6
  authors:
7
7
  - Torsten Wetzel
@@ -137,6 +137,7 @@ files:
137
137
  - lib/capistrano/magic_recipes/db.rb
138
138
  - lib/capistrano/magic_recipes/exception_pages.rb
139
139
  - lib/capistrano/magic_recipes/inform_slack.rb
140
+ - lib/capistrano/magic_recipes/lets_encrypt.rb
140
141
  - lib/capistrano/magic_recipes/monit.rb
141
142
  - lib/capistrano/magic_recipes/nginx.rb
142
143
  - lib/capistrano/magic_recipes/redis.rb
@@ -148,6 +149,7 @@ files:
148
149
  - lib/capistrano/tasks/db.rake
149
150
  - lib/capistrano/tasks/exception_pages.rake
150
151
  - lib/capistrano/tasks/inform_slack.rake
152
+ - lib/capistrano/tasks/lets_encrypt.rake
151
153
  - lib/capistrano/tasks/monit.rake
152
154
  - lib/capistrano/tasks/monit_sidekiq.rake
153
155
  - lib/capistrano/tasks/nginx.rake