magic_recipes_two 0.0.57 → 0.0.58
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +8 -8
- data/lib/capistrano/magic_recipes/lets_encrypt.rb +1 -0
- data/lib/capistrano/magic_recipes/version.rb +1 -1
- data/lib/capistrano/tasks/lets_encrypt.rake +59 -0
- data/lib/capistrano/tasks/nginx.rake +4 -0
- data/lib/generators/capistrano/magic_recipes/templates/nginx.conf.erb +25 -1
- metadata +3 -1
checksums.yaml
CHANGED
|
@@ -1,15 +1,15 @@
|
|
|
1
1
|
---
|
|
2
2
|
!binary "U0hBMQ==":
|
|
3
3
|
metadata.gz: !binary |-
|
|
4
|
-
|
|
4
|
+
ODhiNWIwYzJiODAwOGUyYmRlOTgzZGExZmE2ZWVhYzc0YWM4Y2Q0YQ==
|
|
5
5
|
data.tar.gz: !binary |-
|
|
6
|
-
|
|
6
|
+
MTU4MjY5MzBjZDNiMWI3NzUxOTc5Zjg3MWJmOTZhMzdmZTc0ZjM4Ng==
|
|
7
7
|
SHA512:
|
|
8
8
|
metadata.gz: !binary |-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
9
|
+
YWNmNmM3ZTZhOGUyMDU4YmQzNmZjNzlmYWY4YjEwMjQyZjY3NDhlM2VkNGZm
|
|
10
|
+
ZWVkYmZmOTg5NzY4NmM0MWM5MWIxMmQ5Mjk2ZjM0ZmUxZDgzNmU1ZTRlZTE5
|
|
11
|
+
OTY0NjBlZTkyODcwM2EwOTk1N2IwNzQ3ZWRjMjExOWZiYWJkN2U=
|
|
12
12
|
data.tar.gz: !binary |-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
13
|
+
NjNjNzY1NmFjMjAxMzM0ZWVkMDg1NzkzNWNjZTRmMmM5ODU2NjM5MzY1Y2M1
|
|
14
|
+
YzU5ZmMyODk5M2FkOGQ0MzAwZWU3MjdlZGY2MTlhOTQzZmMzZWJlYTllMWQw
|
|
15
|
+
NWJmN2Y0ZDhkNTdmN2Q0MDU1ZTg4YTBhYWE0OWE3NDQyYTY1NjY=
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
load File.expand_path("../../tasks/lets_encrypt.rake", __FILE__)
|
|
@@ -0,0 +1,59 @@
|
|
|
1
|
+
# require 'capistrano/magic_recipes/base_helpers'
|
|
2
|
+
# include Capistrano::MagicRecipes::BaseHelpers
|
|
3
|
+
|
|
4
|
+
namespace :load do
|
|
5
|
+
task :defaults do
|
|
6
|
+
set :lets_encrypt_roles, -> { :web }
|
|
7
|
+
set :lets_encrypt_path, -> { "~" }
|
|
8
|
+
end
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
namespace :lets_encrypt do
|
|
12
|
+
|
|
13
|
+
desc "Install certbot LetsEncrypt"
|
|
14
|
+
task :install do
|
|
15
|
+
on release_roles fetch(:lets_encrypt_roles) do
|
|
16
|
+
execute "cd #{ fetch(:lets_encrypt_path) } ; wget https://dl.eff.org/certbot-auto"
|
|
17
|
+
execute "cd #{ fetch(:lets_encrypt_path) } ; chmod a+x certbot-auto"
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
|
|
22
|
+
desc "Install certbot LetsEncrypt"
|
|
23
|
+
task :certonly do
|
|
24
|
+
on release_roles fetch(:lets_encrypt_roles) do
|
|
25
|
+
# execute "./certbot-auto certonly --webroot -w /var/www/example -d example.com -d www.example.com -w /var/www/thing -d thing.is -d m.thing.is"
|
|
26
|
+
execute "#{ fetch(:lets_encrypt_path) }/certbot-auto certonly --webroot -w #{current_path}/public#{ fetch(:nginx_major_domain, false) ? " -d #{fetch(:nginx_major_domain).to_s.gsub(/^\*?\./, "")} -d www.#{fetch(:nginx_major_domain).to_s.gsub(/^\*?\./, "")}" : ""} #{ Array(fetch(:nginx_domains)).map{ |d| "-d #{d.gsub(/^\*?\./, "")} -d www.#{d.gsub(/^\*?\./, "")}" }.join(" ") }"
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
|
|
30
|
+
|
|
31
|
+
desc "Install certbot LetsEncrypt"
|
|
32
|
+
## http://serverfault.com/a/825032
|
|
33
|
+
task :auto_renew do
|
|
34
|
+
on release_roles fetch(:lets_encrypt_roles) do
|
|
35
|
+
execute "echo '42 0,12 * * * root #{ fetch(:lets_encrypt_path) }/certbot-auto renew --quiet' | cat > /etc/cron.d/lets_encrypt"
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
|
|
39
|
+
|
|
40
|
+
desc "Install certbot LetsEncrypt"
|
|
41
|
+
task :test_renew do
|
|
42
|
+
on release_roles fetch(:lets_encrypt_roles) do
|
|
43
|
+
execute "#{ fetch(:lets_encrypt_path) }/certbot-auto renew --dry-run"
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
|
|
48
|
+
desc "Generate Strong Diffie-Hellman Group"
|
|
49
|
+
task :generate_dhparam do
|
|
50
|
+
on release_roles fetch(:lets_encrypt_roles) do
|
|
51
|
+
execute :sudo, "openssl dhparam -out #{ fetch(:nginx_ssl_dh_path) }/#{ fetch(:nginx_ssl_dh_file) } 2048"
|
|
52
|
+
end
|
|
53
|
+
end
|
|
54
|
+
|
|
55
|
+
|
|
56
|
+
end
|
|
57
|
+
|
|
58
|
+
|
|
59
|
+
|
|
@@ -27,6 +27,10 @@ namespace :load do
|
|
|
27
27
|
set :nginx_hooks, -> { true }
|
|
28
28
|
## Lets Encrypt - Challenge Path
|
|
29
29
|
set :allow_well_known, -> { false }
|
|
30
|
+
# Diffie-Hellman settings
|
|
31
|
+
set :nginx_ssl_dh_path, -> { "/etc/ssl/certs" }
|
|
32
|
+
set :nginx_ssl_dh_file, -> { "dhparam.pem" }
|
|
33
|
+
set :nginx_ssl_diffie_hellman, -> { false }
|
|
30
34
|
## NginX Proxy-Caching
|
|
31
35
|
# Cache Rails
|
|
32
36
|
set :proxy_cache_rails, -> { false }
|
|
@@ -156,12 +156,36 @@ server {
|
|
|
156
156
|
|
|
157
157
|
server {
|
|
158
158
|
<% if fetch(:nginx_use_ssl) %>
|
|
159
|
-
listen 443<%= ' default_server
|
|
159
|
+
listen 443 ssl http2<%= ' default_server' if fetch(:default_site) %>;
|
|
160
|
+
listen [::]:443 ssl http2<%= ' default_server' if fetch(:default_site) %>;
|
|
160
161
|
ssl on;
|
|
161
162
|
ssl_certificate <%= fetch(:nginx_ssl_certificate_path) %>/<%= fetch(:nginx_ssl_certificate) %>;
|
|
162
163
|
ssl_certificate_key <%= fetch(:nginx_ssl_certificate_key_path) %>/<%= fetch(:nginx_ssl_certificate_key) %>;
|
|
164
|
+
<% if fetch(:nginx_ssl_diffie_hellman, false) %>
|
|
165
|
+
# https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04
|
|
166
|
+
# from https://cipherli.st/
|
|
167
|
+
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
|
|
168
|
+
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
169
|
+
ssl_prefer_server_ciphers on;
|
|
170
|
+
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
|
171
|
+
ssl_ecdh_curve secp384r1;
|
|
172
|
+
ssl_session_cache shared:SSL:10m;
|
|
173
|
+
ssl_session_tickets off;
|
|
174
|
+
ssl_stapling on;
|
|
175
|
+
ssl_stapling_verify on;
|
|
176
|
+
resolver 8.8.8.8 8.8.4.4 valid=300s;
|
|
177
|
+
resolver_timeout 5s;
|
|
178
|
+
## Disable preloading HSTS for now. You can use the commented out header line that includes
|
|
179
|
+
## the "preload" directive if you understand the implications.
|
|
180
|
+
# => add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
|
|
181
|
+
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
|
|
182
|
+
add_header X-Frame-Options DENY;
|
|
183
|
+
add_header X-Content-Type-Options nosniff;
|
|
184
|
+
ssl_dhparam <%= fetch(:nginx_ssl_dh_path) %>/<%= fetch(:nginx_ssl_dh_file) %>;
|
|
185
|
+
<% end %>
|
|
163
186
|
<% else %>
|
|
164
187
|
listen 80<%= ' default deferred' if fetch(:default_site) %>;
|
|
188
|
+
listen [::]:80<%= ' default deferred' if fetch(:default_site) %>;
|
|
165
189
|
<% end %>
|
|
166
190
|
<% if fetch(:nginx_major_domain) %>
|
|
167
191
|
server_name <%= ".#{fetch(:nginx_major_domain).gsub(/^\*?\./, "")}" %>;
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: magic_recipes_two
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.58
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Torsten Wetzel
|
|
@@ -137,6 +137,7 @@ files:
|
|
|
137
137
|
- lib/capistrano/magic_recipes/db.rb
|
|
138
138
|
- lib/capistrano/magic_recipes/exception_pages.rb
|
|
139
139
|
- lib/capistrano/magic_recipes/inform_slack.rb
|
|
140
|
+
- lib/capistrano/magic_recipes/lets_encrypt.rb
|
|
140
141
|
- lib/capistrano/magic_recipes/monit.rb
|
|
141
142
|
- lib/capistrano/magic_recipes/nginx.rb
|
|
142
143
|
- lib/capistrano/magic_recipes/redis.rb
|
|
@@ -148,6 +149,7 @@ files:
|
|
|
148
149
|
- lib/capistrano/tasks/db.rake
|
|
149
150
|
- lib/capistrano/tasks/exception_pages.rake
|
|
150
151
|
- lib/capistrano/tasks/inform_slack.rake
|
|
152
|
+
- lib/capistrano/tasks/lets_encrypt.rake
|
|
151
153
|
- lib/capistrano/tasks/monit.rake
|
|
152
154
|
- lib/capistrano/tasks/monit_sidekiq.rake
|
|
153
155
|
- lib/capistrano/tasks/nginx.rake
|