potluck-nginx 0.0.6 → 0.0.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/VERSION +1 -0
- data/lib/potluck/nginx/nginx_config.rb +388 -0
- data/lib/potluck/nginx/version.rb +7 -0
- data/lib/potluck/nginx.rb +485 -286
- metadata +30 -25
- data/lib/potluck/nginx/ssl.rb +0 -134
- data/lib/potluck/nginx/util.rb +0 -55
metadata
CHANGED
|
@@ -1,14 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: potluck-nginx
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.0.
|
|
4
|
+
version: 0.0.8
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Nate Pickens
|
|
8
|
-
autorequire:
|
|
9
8
|
bindir: bin
|
|
10
9
|
cert_chain: []
|
|
11
|
-
date:
|
|
10
|
+
date: 2025-03-19 00:00:00.000000000 Z
|
|
12
11
|
dependencies:
|
|
13
12
|
- !ruby/object:Gem::Dependency
|
|
14
13
|
name: potluck
|
|
@@ -16,14 +15,14 @@ dependencies:
|
|
|
16
15
|
requirements:
|
|
17
16
|
- - '='
|
|
18
17
|
- !ruby/object:Gem::Version
|
|
19
|
-
version: 0.0.
|
|
18
|
+
version: 0.0.8
|
|
20
19
|
type: :runtime
|
|
21
20
|
prerelease: false
|
|
22
21
|
version_requirements: !ruby/object:Gem::Requirement
|
|
23
22
|
requirements:
|
|
24
23
|
- - '='
|
|
25
24
|
- !ruby/object:Gem::Version
|
|
26
|
-
version: 0.0.
|
|
25
|
+
version: 0.0.8
|
|
27
26
|
- !ruby/object:Gem::Dependency
|
|
28
27
|
name: bundler
|
|
29
28
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -42,42 +41,49 @@ dependencies:
|
|
|
42
41
|
name: minitest
|
|
43
42
|
requirement: !ruby/object:Gem::Requirement
|
|
44
43
|
requirements:
|
|
45
|
-
- - "
|
|
46
|
-
- !ruby/object:Gem::Version
|
|
47
|
-
version: 5.11.2
|
|
48
|
-
- - "<"
|
|
44
|
+
- - "~>"
|
|
49
45
|
- !ruby/object:Gem::Version
|
|
50
|
-
version:
|
|
46
|
+
version: '5.24'
|
|
51
47
|
type: :development
|
|
52
48
|
prerelease: false
|
|
53
49
|
version_requirements: !ruby/object:Gem::Requirement
|
|
54
50
|
requirements:
|
|
55
|
-
- - "
|
|
51
|
+
- - "~>"
|
|
56
52
|
- !ruby/object:Gem::Version
|
|
57
|
-
version: 5.
|
|
58
|
-
|
|
53
|
+
version: '5.24'
|
|
54
|
+
- !ruby/object:Gem::Dependency
|
|
55
|
+
name: minitest-reporters
|
|
56
|
+
requirement: !ruby/object:Gem::Requirement
|
|
57
|
+
requirements:
|
|
58
|
+
- - "~>"
|
|
59
|
+
- !ruby/object:Gem::Version
|
|
60
|
+
version: '1.7'
|
|
61
|
+
type: :development
|
|
62
|
+
prerelease: false
|
|
63
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
64
|
+
requirements:
|
|
65
|
+
- - "~>"
|
|
59
66
|
- !ruby/object:Gem::Version
|
|
60
|
-
version:
|
|
67
|
+
version: '1.7'
|
|
61
68
|
description: An extension to the Potluck gem that provides control over the Nginx
|
|
62
69
|
process and its configuration files from Ruby.
|
|
63
|
-
email:
|
|
64
70
|
executables: []
|
|
65
71
|
extensions: []
|
|
66
72
|
extra_rdoc_files: []
|
|
67
73
|
files:
|
|
68
74
|
- LICENSE
|
|
69
75
|
- README.md
|
|
76
|
+
- VERSION
|
|
70
77
|
- lib/potluck/nginx.rb
|
|
71
|
-
- lib/potluck/nginx/
|
|
72
|
-
- lib/potluck/nginx/
|
|
78
|
+
- lib/potluck/nginx/nginx_config.rb
|
|
79
|
+
- lib/potluck/nginx/version.rb
|
|
73
80
|
homepage: https://github.com/npickens/potluck/tree/master/potluck-nginx
|
|
74
81
|
licenses:
|
|
75
82
|
- MIT
|
|
76
83
|
metadata:
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
source_code_uri: https://github.com/npickens/potluck/tree/
|
|
80
|
-
post_install_message:
|
|
84
|
+
bug_tracker_uri: https://github.com/npickens/potluck/issues
|
|
85
|
+
documentation_uri: https://github.com/npickens/potluck/blob/0.0.8/potluck-nginx/README.md
|
|
86
|
+
source_code_uri: https://github.com/npickens/potluck/tree/0.0.8/potluck-nginx
|
|
81
87
|
rdoc_options: []
|
|
82
88
|
require_paths:
|
|
83
89
|
- lib
|
|
@@ -85,15 +91,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
85
91
|
requirements:
|
|
86
92
|
- - ">="
|
|
87
93
|
- !ruby/object:Gem::Version
|
|
88
|
-
version:
|
|
94
|
+
version: 3.0.0
|
|
89
95
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
90
96
|
requirements:
|
|
91
97
|
- - ">="
|
|
92
98
|
- !ruby/object:Gem::Version
|
|
93
|
-
version:
|
|
99
|
+
version: 2.0.0
|
|
94
100
|
requirements: []
|
|
95
|
-
rubygems_version: 3.
|
|
96
|
-
signing_key:
|
|
101
|
+
rubygems_version: 3.6.6
|
|
97
102
|
specification_version: 4
|
|
98
103
|
summary: A Ruby manager for Nginx.
|
|
99
104
|
test_files: []
|
data/lib/potluck/nginx/ssl.rb
DELETED
|
@@ -1,134 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
require('time')
|
|
4
|
-
|
|
5
|
-
module Potluck
|
|
6
|
-
class Nginx < Service
|
|
7
|
-
##
|
|
8
|
-
# SSL-specific configuration for Nginx. Provides self-signed certificate generation for use in
|
|
9
|
-
# developemnt.
|
|
10
|
-
#
|
|
11
|
-
class SSL
|
|
12
|
-
# Reference: https://ssl-config.mozilla.org/#server=nginx&config=intermediate&guideline=5.6
|
|
13
|
-
DEFAULT_CONFIG = {
|
|
14
|
-
'ssl_ciphers' => 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM'\
|
|
15
|
-
'-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:D'\
|
|
16
|
-
'HE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384',
|
|
17
|
-
'ssl_prefer_server_ciphers' => 'off',
|
|
18
|
-
'ssl_protocols' => 'TLSv1.2 TLSv1.3',
|
|
19
|
-
'ssl_session_cache' => 'shared:SSL:10m',
|
|
20
|
-
'ssl_session_tickets' => 'off',
|
|
21
|
-
'ssl_session_timeout' => '1d',
|
|
22
|
-
'add_header' => {
|
|
23
|
-
repeat: true,
|
|
24
|
-
'Strict-Transport-Security' => '\'max-age=31536000; includeSubDomains\' always',
|
|
25
|
-
}.freeze,
|
|
26
|
-
}.freeze
|
|
27
|
-
|
|
28
|
-
CERT_DAYS = 365
|
|
29
|
-
CERT_RENEW_DAYS = 14
|
|
30
|
-
|
|
31
|
-
attr_reader(:csr_file, :key_file, :crt_file, :dhparam_file, :config)
|
|
32
|
-
|
|
33
|
-
##
|
|
34
|
-
# Creates a new instance. Providing no SSL files will cue generation of a self-signed certificate.
|
|
35
|
-
#
|
|
36
|
-
# * +nginx+ - Nginx instance.
|
|
37
|
-
# * +dir+ - Directory where SSL files are located or should be written to.
|
|
38
|
-
# * +host+ - Name of the host for determining file names and generating a self-signed certificate.
|
|
39
|
-
# * +crt_file+ - Path to the CRT file (optional).
|
|
40
|
-
# * +key_file+ - Path to the KEY file (optional).
|
|
41
|
-
# * +dhparam_file+ - Path to the DH parameters file (optional).
|
|
42
|
-
# * +config+ - Nginx configuration hash (optional).
|
|
43
|
-
#
|
|
44
|
-
def initialize(nginx, dir, host, crt_file: nil, key_file: nil, dhparam_file: nil, config: {})
|
|
45
|
-
@nginx = nginx
|
|
46
|
-
@dir = dir
|
|
47
|
-
@host = host
|
|
48
|
-
|
|
49
|
-
@auto_generated = !crt_file && !key_file && !dhparam_file
|
|
50
|
-
|
|
51
|
-
if !@auto_generated && (!crt_file || !key_file || !dhparam_file)
|
|
52
|
-
raise(ArgumentError, 'Must supply values for all three or none: crt_file, key_file, dhparam_file')
|
|
53
|
-
end
|
|
54
|
-
|
|
55
|
-
@csr_file = File.join(@dir, "#{@host}.csr").freeze
|
|
56
|
-
@crt_file = crt_file || File.join(@dir, "#{@host}.crt").freeze
|
|
57
|
-
@key_file = key_file || File.join(@dir, "#{@host}.key").freeze
|
|
58
|
-
@dhparam_file = dhparam_file || File.join(@dir, 'dhparam.pem').freeze
|
|
59
|
-
|
|
60
|
-
@config = Util.deep_merge({
|
|
61
|
-
'ssl_certificate' => @crt_file,
|
|
62
|
-
'ssl_certificate_key' => @key_file,
|
|
63
|
-
'ssl_dhparam' => @dhparam_file,
|
|
64
|
-
'ssl_stapling' => ('on' unless @auto_generated),
|
|
65
|
-
'ssl_stapling_verify' => ('on' unless @auto_generated),
|
|
66
|
-
}, DEFAULT_CONFIG, config)
|
|
67
|
-
end
|
|
68
|
-
|
|
69
|
-
##
|
|
70
|
-
# If SSL files were passed to SSL.new, does nothing. Otherwise checks if auto-generated SSL files
|
|
71
|
-
# exist and generates them if not. If they do exist, the expiration for the certificate is checked and
|
|
72
|
-
# the certificate regenerated if the expiration date is soon or in the past.
|
|
73
|
-
#
|
|
74
|
-
def ensure_files
|
|
75
|
-
return if !@auto_generated || (
|
|
76
|
-
File.exists?(@csr_file) &&
|
|
77
|
-
File.exists?(@key_file) &&
|
|
78
|
-
File.exists?(@crt_file) &&
|
|
79
|
-
File.exists?(@dhparam_file) &&
|
|
80
|
-
(Time.parse(
|
|
81
|
-
@nginx.run("openssl x509 -enddate -noout -in #{@crt_file}").sub('notAfter=', '')
|
|
82
|
-
) - Time.now) >= CERT_RENEW_DAYS * 24 * 60 * 60
|
|
83
|
-
)
|
|
84
|
-
|
|
85
|
-
@nginx.log('Generating SSL files...')
|
|
86
|
-
|
|
87
|
-
@nginx.run("openssl genrsa -out #{@key_file} 4096", capture_stderr: false)
|
|
88
|
-
@nginx.run("openssl req -out #{@csr_file} -key #{@key_file} -new -sha256 -config /dev/stdin <<< "\
|
|
89
|
-
"'#{openssl_config}'", capture_stderr: false)
|
|
90
|
-
@nginx.run("openssl x509 -in #{@csr_file} -out #{@crt_file} -signkey #{@key_file} -days "\
|
|
91
|
-
"#{CERT_DAYS} -req -sha256 -extensions req_ext -extfile /dev/stdin <<< '#{openssl_config}'",
|
|
92
|
-
capture_stderr: false)
|
|
93
|
-
@nginx.run("openssl dhparam -out #{@dhparam_file} 2048", capture_stderr: false)
|
|
94
|
-
|
|
95
|
-
if IS_MACOS
|
|
96
|
-
@nginx.log('Adding cert to keychain...')
|
|
97
|
-
|
|
98
|
-
@nginx.run(
|
|
99
|
-
"sudo security delete-certificate -t -c #{@host} 2>&1 || "\
|
|
100
|
-
"sudo security delete-certificate -c #{@host} 2>&1 || :"
|
|
101
|
-
)
|
|
102
|
-
|
|
103
|
-
@nginx.run("sudo security add-trusted-cert -d -r trustRoot -k "\
|
|
104
|
-
"/Library/Keychains/System.keychain #{@crt_file}")
|
|
105
|
-
end
|
|
106
|
-
end
|
|
107
|
-
|
|
108
|
-
private
|
|
109
|
-
|
|
110
|
-
##
|
|
111
|
-
# OpenSSL configuration content used when auto-generating an SSL certificate.
|
|
112
|
-
#
|
|
113
|
-
def openssl_config
|
|
114
|
-
<<~EOS
|
|
115
|
-
[ req ]
|
|
116
|
-
prompt = no
|
|
117
|
-
default_bits = 4096
|
|
118
|
-
distinguished_name = req_distinguished_name
|
|
119
|
-
req_extensions = req_ext
|
|
120
|
-
|
|
121
|
-
[ req_distinguished_name ]
|
|
122
|
-
commonName = #{@host}
|
|
123
|
-
|
|
124
|
-
[ req_ext ]
|
|
125
|
-
subjectAltName = @alt_names
|
|
126
|
-
|
|
127
|
-
[alt_names]
|
|
128
|
-
DNS.1 = #{@host}
|
|
129
|
-
DNS.2 = *.#{@host}
|
|
130
|
-
EOS
|
|
131
|
-
end
|
|
132
|
-
end
|
|
133
|
-
end
|
|
134
|
-
end
|
data/lib/potluck/nginx/util.rb
DELETED
|
@@ -1,55 +0,0 @@
|
|
|
1
|
-
# frozen_string_literal: true
|
|
2
|
-
|
|
3
|
-
module Potluck
|
|
4
|
-
class Nginx < Service
|
|
5
|
-
##
|
|
6
|
-
# Utility methods for Nginx class.
|
|
7
|
-
#
|
|
8
|
-
class Util
|
|
9
|
-
##
|
|
10
|
-
# Merges N hashes by merging nested hashes rather than overwriting them as is the case with
|
|
11
|
-
# <tt>Hash#merge</tt>.
|
|
12
|
-
#
|
|
13
|
-
# * +hashes+ - Hashes to deep merge.
|
|
14
|
-
# * +arrays+ - True if arrays should be merged rather than overwritten (optional, default: false).
|
|
15
|
-
#
|
|
16
|
-
# Example:
|
|
17
|
-
#
|
|
18
|
-
# h1 = {hello: {item1: 'world'}}
|
|
19
|
-
# h2 = {hello: {item2: 'friend'}}
|
|
20
|
-
#
|
|
21
|
-
# Util.deep_merge(h1, h2)
|
|
22
|
-
# # => {hello: {item1: 'world', item2: 'friend'}}
|
|
23
|
-
#
|
|
24
|
-
# By default only hashes are merged and arrays are still overwritten as they are with
|
|
25
|
-
# <tt>Hash#merge</tt>. Passing <tt>arrays: true</tt> will result in arrays being merged similarly to
|
|
26
|
-
# hashes. Example:
|
|
27
|
-
#
|
|
28
|
-
# h1 = {hello: {item1: ['world']}}
|
|
29
|
-
# h2 = {hello: {item1: ['friend']}}
|
|
30
|
-
#
|
|
31
|
-
# Util.deep_merge(h1, h2, arrays: true)
|
|
32
|
-
# # => {hello: {item1: ['world', 'friend']}}
|
|
33
|
-
#
|
|
34
|
-
def self.deep_merge(*hashes, arrays: false)
|
|
35
|
-
hash = hashes[0].dup
|
|
36
|
-
|
|
37
|
-
hashes[1..-1].each do |other_hash|
|
|
38
|
-
other_hash.each do |key, other_value|
|
|
39
|
-
this_value = hash[key]
|
|
40
|
-
|
|
41
|
-
if this_value.kind_of?(Hash) && other_value.kind_of?(Hash)
|
|
42
|
-
hash[key] = deep_merge(this_value, other_value, arrays: arrays)
|
|
43
|
-
elsif arrays && this_value.kind_of?(Array)
|
|
44
|
-
hash[key] |= Array(other_value)
|
|
45
|
-
else
|
|
46
|
-
hash[key] = other_value
|
|
47
|
-
end
|
|
48
|
-
end
|
|
49
|
-
end
|
|
50
|
-
|
|
51
|
-
hash
|
|
52
|
-
end
|
|
53
|
-
end
|
|
54
|
-
end
|
|
55
|
-
end
|