diff --git a/.gitignore b/.gitignore
index 5682953d4..fa13312a1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ nbproject
 .metadata
 /.env
 package-lock.json
+/deployment/bare_metal/.env
diff --git a/deployment/bare_metal/.env.dist b/deployment/bare_metal/.env.dist
new file mode 100644
index 000000000..fa64ae770
--- /dev/null
+++ b/deployment/bare_metal/.env.dist
@@ -0,0 +1,11 @@
+NGINX_SSL=false
+NGINX_SERVER_NAME=_
+
+#Example data
+
+#NGINX_SSL=true
+#NGINX_SERVER_NAME=stage1.gradido.net
+#NGINX_SSL_CERTIFICATE=/etc/letsencrypt/live/stage1.gradido.net/fullchain.pem
+#NGINX_SSL_CERTIFICATE_KEY=/etc/letsencrypt/live/stage1.gradido.net/privkey.pem
+#NGINX_SSL_DHPARAM=/etc/letsencrypt/ssl-dhparams.pem
+#NGINX_SSL_INCLUDE=/etc/letsencrypt/options-ssl-nginx.conf
\ No newline at end of file
diff --git a/deployment/bare_metal/install.sh b/deployment/bare_metal/install.sh
index c83741ab8..933571e7e 100755
--- a/deployment/bare_metal/install.sh
+++ b/deployment/bare_metal/install.sh
@@ -3,6 +3,15 @@
 # This install script requires the minimum requirements already installed.
 # How to do this is described in detail in [setup.md](./setup.md)
 
+# Load .env or .env.dist if not present
+set -o allexport
+if [ -f ".env"]; then
+ source .env
+else
+ source .env.dist
+fi
+set +o allexport
+
 # Install mariadb
 sudo apt-get install -y mariadb-server
 sudo mysql_secure_installation
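Review bot: `if [ -f ".env"]; then` in the new install.sh hunk is missing the space before `]`, so `[` receives the single argument `.env]`, reports a missing `]`, and the test always fails — the script falls through to `source .env.dist` and an operator's real `.env` is never loaded. It should read `if [ -f ".env" ]; then`. Both `source` calls also resolve relative to the caller's working directory rather than the script's location, so `source "$(dirname "$0")/.env"` (or a `cd "$(dirname "$0")"` at the top) would make the lookup independent of where install.sh is invoked from. Since `source` executes the file's contents as shell code, the `.gitignore` entry added in this commit is the right companion: the real `.env` stays local and out of the repository.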
@@ -85,8 +94,12 @@ sudo yarn global add pm2
 # Install certbot
 sudo apt-get install -y certbot
 sudo apt-get install -y python3-certbot-nginx
-sudo certbot
+sudo certbot --certonly
 > Enter email address (used for urgent renewal and security notices) > support@gradido.net
 > Please read the Terms of Service at > Y
 > Would you be willing, once your first certificate is successfully issued, to > N
-> No names were found in your configuration files. Please enter in your domain > stage1.gradido.net
\ No newline at end of file
+> No names were found in your configuration files. Please enter in your domain > stage1.gradido.net
+
+# Generate gradido.conf from template
+# TODO order - first certbot, then nginx setup
+envsubst < gradido.conf.template > gradido.conf
\ No newline at end of file
diff --git a/deployment/bare_metal/nginx/sites-available/gradido.conf b/deployment/bare_metal/nginx/sites-available/gradido.conf.template
similarity index 68%
rename from deployment/bare_metal/nginx/sites-available/gradido.conf
rename to deployment/bare_metal/nginx/sites-available/gradido.conf.template
index fe2e47f99..2868ac136 100644
--- a/deployment/bare_metal/nginx/sites-available/gradido.conf
+++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.template
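Review bot: `envsubst < gradido.conf.template > gradido.conf` substitutes every `$name` in the template, including nginx's own runtime variables `$host` and `$request_uri` in the redirect rule, which are rendered as empty strings in the generated file. Restrict substitution to the variables loaded from .env: `envsubst '$NGINX_SSL $NGINX_SERVER_NAME $NGINX_SSL_CERTIFICATE $NGINX_SSL_CERTIFICATE_KEY $NGINX_SSL_DHPARAM $NGINX_SSL_INCLUDE' < gradido.conf.template > gradido.conf`. The template is renamed into `nginx/sites-available/` while the command reads and writes bare filenames in the current directory, so the paths presumably need that directory prefix — confirm against the intended working directory. `certbot --certonly` also looks suspect: the documented form is the `certonly` subcommand (`sudo certbot certonly`), so confirm the installed version accepts the leading dashes.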
@@ -1,28 +1,34 @@
-# HTTP server
-#TODO
-server {
- if ($host = stage1.gradido.net) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
+if ($NGINX_SSL = 'true')
+ server {
+ if ($host = $NGINX_SERVER_NAME) {
+ return 301 https://$host$request_uri;
+ }
 
- server_name stage1.gradido.net;
- listen 80;
- listen [::]:80;
- return 404; # managed by Certbot
+ server_name $NGINX_SERVER_NAME;
+ listen 80;
+ listen [::]:80;
+ return 404;
+ }
 }
 
-# HTTPS Server
 server {
- # TODO correct server name stage1.gradido.net
- server_name stage1.gradido.net;
+ server_name $NGINX_SERVER_NAME;
 
- # TODO
- listen [::]:443 ssl ipv6only=on; # managed by Certbot
- listen 443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/stage1.gradido.net/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/stage1.gradido.net/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+ if ($NGINX_SSL = 'true') {
+ listen [::]:443 ssl ipv6only=on;
+ listen 443 ssl;
+ ssl_certificate $NGINX_SSL_CERTIFICATE;
+ ssl_certificate_key $NGINX_SSL_CERTIFICATE_KEY;
+ ssl_dhparam $NGINX_SSL_DHPARAM;
+ if ($NGINX_SSL_INCLUDE != '') {
+ include $NGINX_SSL_INCLUDE;
+ }
+ }
+
+ if ($NGINX_SSL != 'true'){
+ listen 80;
+ listen [::]:80;
+ }
 
 include /etc/nginx/common/protect.conf;
 include /etc/nginx/common/protect_add_header.conf;
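Review bot: The `if ($NGINX_SSL = 'true')` wrappers will not yield a loadable configuration: nginx allows `if` only inside `server` and `location`, `listen` and the `ssl_*` directives are not permitted inside an `if` block, and the outer `if` has no opening `{`, so the retained `}` after the inner `server` block is unmatched and `nginx -t` fails for either value of `NGINX_SSL`. Even where an `if` is syntactically allowed, after envsubst it is evaluated per request against literal text (`if (false = 'true')`), not at configuration time. Since nginx has no config-time conditionals, the switch belongs in install.sh: keep two templates (a plain-HTTP listener, and the HTTP→HTTPS redirect server plus the TLS server with unconditional `listen 443 ssl` and `ssl_*` lines) and select one by `NGINX_SSL` before running envsubst. In the TLS template `if ($NGINX_SSL_INCLUDE != '')` can then become a plain `include $NGINX_SSL_INCLUDE;`, with .env.dist noting that the `NGINX_SSL_*` values are required when `NGINX_SSL=true`.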