authorMathias Magnusson <mathias@magnusson.space>2023-11-29 14:48:22 +0100
committerMathias Magnusson <mathias@magnusson.space>2023-11-29 14:48:22 +0100
commitfc50463cbf9d561a5c482df2e5807121494ca88c (patch)
tree5ba8337b8d386e3843a6266bd670b4c056f1e087
parentaab5eaa47ccc9e3a54f052719d3eb4c4d34d6903 (diff)
downloadgarm-fc50463cbf9d561a5c482df2e5807121494ca88c.tar.gz
Attempt to fix ssl certs
-rw-r--r--jobs/certificates.nomad.hcl6
-rw-r--r--jobs/virtual-hosting.nomad.hcl40
2 files changed, 30 insertions, 16 deletions
diff --git a/jobs/certificates.nomad.hcl b/jobs/certificates.nomad.hcl
index c2f4a23..52f0638 100644
--- a/jobs/certificates.nomad.hcl
+++ b/jobs/certificates.nomad.hcl
@@ -26,7 +26,7 @@ job "certificates" {
provider = "nomad"
tags = [
- "nginx.hijack_http=.dinlugnastund.se",
+ "nginx.acme-challenge",
]
}
@@ -47,7 +47,7 @@ job "certificates" {
#!/usr/bin/env bash
function dns() {
- [ -f "/lego/certificates/$1.key" ] && cmd="renew --days 45" || cmd=run
+ [ -f "/lego/certificates/$1.key" ] && cmd="renew --no-random-sleep --days 45" || cmd=run
/local/lego \
--accept-tos \
--path /lego \
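Review bot: Dropping the jitter with `renew --no-random-sleep` on the `cmd=` line means every invocation contacts the CA immediately, which is the situation lego's default sleep exists to avoid when a scheduler fires many renewals at the same wall-clock time; that is fine if the Nomad periodic job running this script already staggers runs, which the hunk does not show, so a comment such as `# jitter dropped: the periodic job renews one domain at a time` (or whatever is actually true) would record the decision. The `[ -f ... ] && cmd=... || cmd=run` line is now duplicated verbatim in dns() and http(), so a small helper like `lego_cmd() { [ -f "/lego/certificates/$1.key" ] && echo "renew --no-random-sleep --days 45" || echo run; }` assigned via `cmd=$(lego_cmd "$1")` in both would keep the two from drifting. dns() continues past the end of the hunk.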
@@ -58,7 +58,7 @@ function dns() {
}
function http() {
- [ -f "/lego/certificates/$1.key" ] && cmd="renew --days 45" || cmd=run
+ [ -f "/lego/certificates/$1.key" ] && cmd="renew --no-random-sleep --days 45" || cmd=run
/local/lego \
--accept-tos \
--path /lego \
diff --git a/jobs/virtual-hosting.nomad.hcl b/jobs/virtual-hosting.nomad.hcl
index d7fcc27..49000ef 100644
--- a/jobs/virtual-hosting.nomad.hcl
+++ b/jobs/virtual-hosting.nomad.hcl
@@ -81,27 +81,30 @@ EOF
}
template {
data = <<EOF
-{{- $hijackHTTPHostnames := sprig_list -}}
-{{- $hijackUpstream := "" -}}
+{{- $hijackUpstream := false -}}
{{- range $s := nomadServices -}}
{{- range $tag := $s.Tags -}}
- {{- if $tag | regexMatch "nginx.hijack_http=" -}}
- {{- $hijackHTTPHostnames = $tag | replaceAll "nginx.hijack_http=" "" | split "," -}}
- {{- $hijackUpstream = $s.Name | toLower | regexReplaceAll "[^a-z0-9\\-._]" "" -}}
-upstream {{ $hijackUpstream }} {
+ {{- if eq $tag "nginx.acme-challenge" -}}
+ {{- $hijackUpstream = true -}}
+upstream acme-challenge {
{{- range nomadService $s.Name }}
server {{ .Address }}:{{ .Port }};
{{- end }}
}
{{- break -}}
{{- end -}}
- {{- if ne (len $hijackHTTPHostnames) 0 -}}
+ {{- if $hijackUpstream -}}
{{- break -}}
{{- end -}}
{{- end -}}
{{- end }}
+{{ if not $hijackUpstream }}
+upstream acme-challenge {
+ server magnusson.space:10101;
+}
+{{ end }}
-{{- range nomadServices -}}
+{{ range nomadServices -}}
{{- $hostname := "" -}}
{{- $certname := "" -}}
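Review bot: The `eq $tag "nginx.acme-challenge"` check makes the hijack cluster-wide: the first Nomad service carrying that tag receives `/.well-known/acme-challenge` for every hosted domain, whereas the removed `nginx.hijack_http=` form scoped it to a hostname list, so any job that can register a tagged service in this cluster can answer HTTP-01 challenges for all vhosts. Whether that is acceptable depends on who can submit jobs here, which the diff does not show. The fallback `server magnusson.space:10101;` is a hostname, and nginx resolves upstream hostnames when the config is loaded and rejects the whole config if the name does not resolve, which would take every vhost down rather than only ACME; an IP literal or a Nomad variable would confine that failure. A template comment such as `{{/* first service tagged nginx.acme-challenge serves ACME HTTP-01 for all vhosts; later matches are ignored */}}` would make the first-match rule encoded by the two `break`s explicit.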
@@ -137,12 +140,13 @@ server {
http2 on;
server_name {{ $hostname }};
+ location /.well-known/acme-challenge {
+ proxy_pass http://acme-challenge;
+ proxy_set_header Host $host;
+ }
+
location / {
- {{ if $hijackHTTPHostnames | contains $hostname -}}
- proxy_pass http://{{ $hijackUpstream }};
- {{- else -}}
- proxy_pass http://{{ $upstream }};
- {{- end }}
+ proxy_pass http://{{ $upstream }};
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
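Review bot: The new `location /.well-known/acme-challenge` forwards only `Host`, while `location /` right below it also sets `X-Real-IP`, so the lego side will log nginx's own address instead of the validator's for each challenge fetch; adding `proxy_set_header X-Real-IP $remote_addr;` keeps that upstream log usable for checking who requested a token. The same three-line location block is pasted into three server blocks in this commit, so an nginx snippet pulled in with `include` would keep them from drifting. The enclosing server block starts and ends outside the hunk.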
@@ -192,6 +196,11 @@ server {
http2 on;
server_name {{ $hostname }};
+ location /.well-known/acme-challenge {
+ proxy_pass http://acme-challenge;
+ proxy_set_header Host $host;
+ }
+
return 301 https://$host$request_uri;
}
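Review bot: The `location /.well-known/acme-challenge` added above `return 301` is unreachable in this server block, because a server-level `return` runs in nginx's server rewrite phase before any location is selected, so challenge fetches get the redirect to https like everything else. Validation then depends on the challenge location in the TLS server block, which the commit adds in a later hunk, so bootstrapping a domain that has no certificate yet relies on that TLS block loading at all. To serve the challenge over plain HTTP as intended, move the redirect into a location, `location / { return 301 https://$host$request_uri; }`, keeping the ACME location as its sibling. The server block starts outside the hunk.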
@@ -205,6 +214,11 @@ server {
ssl_certificate_key /var/local/certs/certificates/{{ $certname }}.key;
ssl_trusted_certificate /var/local/certs/certificates/{{ $certname }}.issuer.crt;
+ location /.well-known/acme-challenge {
+ proxy_pass http://acme-challenge;
+ proxy_set_header Host $host;
+ }
+
location / {
proxy_pass http://{{ $upstream }};