templatified nginx config and added loading .env, added .env.dist

2025-12-13 07:45:54 +00:00 · 2022-01-08 04:39:55 +01:00 · 2022-01-08 04:39:55 +01:00 · 58f391f167
commit 58f391f167
parent 3e8ffbf5ae
4 changed files with 53 additions and 22 deletions
--- a/.gitignore
+++ b/.gitignore
@ -5,3 +5,4 @@ nbproject
 .metadata
 /.env
 package-lock.json
+/deployment/bare_metal/.env
--- a/deployment/bare_metal/.env.dist
+++ b/deployment/bare_metal/.env.dist
@ -0,0 +1,11 @@
+NGINX_SSL=false
+NGINX_SERVER_NAME=_
+
+#Example data
+
+#NGINX_SSL=true
+#NGINX_SERVER_NAME=stage1.gradido.net
+#NGINX_SSL_CERTIFICATE=/etc/letsencrypt/live/stage1.gradido.net/fullchain.pem
+#NGINX_SSL_CERTIFICATE_KEY=/etc/letsencrypt/live/stage1.gradido.net/privkey.pem
+#NGINX_SSL_DHPARAM=/etc/letsencrypt/ssl-dhparams.pem
+#NGINX_SSL_INCLUDE=/etc/letsencrypt/options-ssl-nginx.conf
--- a/deployment/bare_metal/install.sh
+++ b/deployment/bare_metal/install.sh
@ -3,6 +3,15 @@
 # This install script requires the minimum requirements already installed.
 # How to do this is described in detail in [setup.md](./setup.md)

+# Load .env or .env.dist if not present
+set -o allexport
+if [ -f ".env"]; then
+    source .env
+else
+    source .env.dist
+fi
+set +o allexport
+
 # Install mariadb
 sudo apt-get install -y mariadb-server
 sudo mysql_secure_installation
@ -85,8 +94,12 @@ sudo yarn global add pm2
 # Install certbot
 sudo apt-get install -y certbot
 sudo apt-get install -y python3-certbot-nginx
-sudo certbot
+sudo certbot --certonly
 > Enter email address (used for urgent renewal and security notices) > support@gradido.net
 > Please read the Terms of Service at > Y
 > Would you be willing, once your first certificate is successfully issued, to > N
-> No names were found in your configuration files. Please enter in your domain > stage1.gradido.net
+> No names were found in your configuration files. Please enter in your domain > stage1.gradido.net
+
+# Generate gradido.conf from template
+# TODO order - first certbot, then nginx setup
+envsubst < gradido.conf.template > gradido.conf
--- a/deployment/bare_metal/nginx/sites-available/gradido.conf.template
+++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.template
@ -1,28 +1,34 @@
-# HTTP server
-#TODO
-server {
-    if ($host = stage1.gradido.net) {
-        return 301 https://$host$request_uri;
-    } # managed by Certbot
+if ($NGINX_SSL = 'true')
+    server {
+        if ($host = $NGINX_SERVER_NAME) {
+            return 301 https://$host$request_uri;
+        }

-    server_name stage1.gradido.net;
-    listen 80;
-    listen [::]:80;
-    return 404; # managed by Certbot
+        server_name $NGINX_SERVER_NAME;
+        listen 80;
+        listen [::]:80;
+        return 404;
+    }
 }

-# HTTPS Server
 server {
-    # TODO correct server name stage1.gradido.net
-    server_name stage1.gradido.net;
+    server_name $NGINX_SERVER_NAME;

-    # TODO
-    listen [::]:443 ssl ipv6only=on; # managed by Certbot
-    listen 443 ssl; # managed by Certbot
-    ssl_certificate /etc/letsencrypt/live/stage1.gradido.net/fullchain.pem; # managed by Certbot
-    ssl_certificate_key /etc/letsencrypt/live/stage1.gradido.net/privkey.pem; # managed by Certbot
-    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+    if ($NGINX_SSL = 'true') {
+        listen [::]:443 ssl ipv6only=on;
+        listen 443 ssl;
+        ssl_certificate $NGINX_SSL_CERTIFICATE;
+        ssl_certificate_key $NGINX_SSL_CERTIFICATE_KEY;
+        ssl_dhparam $NGINX_SSL_DHPARAM;
+        if ($NGINX_SSL_INCLUDE != '') {
+            include $NGINX_SSL_INCLUDE;
+        }
+    }
+
+    if ($NGINX_SSL != 'true'){
+        listen 80;
+        listen [::]:80;
+    }

    include /etc/nginx/common/protect.conf;
    include /etc/nginx/common/protect_add_header.conf;