diff --git a/nodes/sample_host.json b/nodes/sample_host.json
index 1525a285..78f30e0b 100644
--- a/nodes/sample_host.json
+++ b/nodes/sample_host.json
@@ -40,9 +40,10 @@
 "redirect_domain_names": ["", "", "<...>"],
 "ruby_version": "2.1.0",
 "ssl_info": {
- "key": "",
- "crt": ""
- },
+ "enabled": true,
+ "certificate": "The cert file, optional",
+ "certificate_key": "The key for the cert file"
+ },
 "env_vars": {
 "key_1": "val_1",
 "key_2": "val_2"
diff --git a/vendor/cookbooks/rails/files/default/certificates/.keep b/vendor/cookbooks/rails/files/default/certificates/.keep
new file mode 100644
index 00000000..e69de29b
diff --git a/vendor/cookbooks/rails/libraries/default.rb b/vendor/cookbooks/rails/libraries/default.rb
index f60d2bfa..82cd1d34 100644
--- a/vendor/cookbooks/rails/libraries/default.rb
+++ b/vendor/cookbooks/rails/libraries/default.rb
@@ -16,5 +16,47 @@ def nginx_custom_configuration(app_info) empty_conf.merge(app_info["nginx_custom"] || {}) end + + # Returns a server path to certificate file + # + # applications_root = '/u/apps/' + # name = 'my_app' + # ssl_certificate(applications_root, name, app_info) # => /u/apps/my_app/shared/config/my_app.crt' + # + # or, + # + # applications_root = '/u/apps/' + # name = 'my_app' + # app_info['ssl_info']['certificate'] = 'my_cert.crt' + # ssl_certificate(applications_root, name, app_info) # => /u/apps/my_app/shared/config/my_cert.crt' + # + # + def ssl_certificate(applications_root, name, app_info) + raise "Invalid application config given, no `ssl_info` present" unless ssl_info?(app_info) + + Pathname.new(applications_root).join(name, "shared", "config", + app_info["ssl_info"]["certificate"] || "#{name}.crt") + end + + # See #ssl_certificate + # + def ssl_certificate_key(applications_root, name, app_info) + raise "Invalid application config given, no `ssl_info` present" unless ssl_info?(app_info) + + Pathname.new(applications_root).join(name, "shared", "config", + app_info["ssl_info"]["certificate_key"] || "#{name}.key") + end + + # Check if the app config has ssl_info section + # + def ssl_info?(app_info) + app_info.key?("ssl_info") + end + + # Checks if the app config has ssl enabled + # + def ssl_enabled?(app_info) + ssl_info?(app_info) && app_info["ssl_info"]["enabled"] + end end end diff --git a/vendor/cookbooks/rails/recipes/default.rb b/vendor/cookbooks/rails/recipes/default.rb index 8c1022a2..37c460ea 100644 --- a/vendor/cookbooks/rails/recipes/default.rb +++ b/vendor/cookbooks/rails/recipes/default.rb @@ -33,6 +33,7 @@ # Include library helpers ::Chef::Resource.send(:include, Rails::Helpers) + ::Chef::Recipe.send(:include, Rails::Helpers) node[:active_applications].each do |app, app_info| rails_env = app_info['rails_env'] || "production" 
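Review bot: `ssl_certificate` and `ssl_certificate_key` pass the configured `certificate` / `certificate_key` value straight to `Pathname#join`, which drops the base when the argument is absolute and honours `..` segments, so any value other than a bare file name resolves outside `shared/config`. Since the recipes use this path as the `cookbook_file` destination, I would reject such values in both helpers, e.g. `file = app_info["ssl_info"]["certificate"] || "#{name}.crt"` followed by `raise "ssl_info certificate must be a bare file name" unless file == File.basename(file)`. `ssl_info?` only checks that the key exists, so `"ssl_info": null` gets past the guard and fails with a NoMethodError on the next line; `app_info["ssl_info"].is_a?(Hash)` would keep the intended error message. The doc comment examples end in a stray `'` and could state that a Pathname is returned. The enclosing module starts outside the hunk.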
@@ -93,33 +94,42 @@ end - if app_info['ssl_info'] - template "#{applications_root}/#{app}/shared/config/certificate.crt" do - owner "deploy" - group "deploy" - mode 0644 - source "app_cert.crt.erb" - variables :app_crt=> app_info['ssl_info']['crt'] + if ssl_enabled?(app_info) + ssl_certificate_path = ssl_certificate(applications_root, app, app_info) + ssl_certificate_key_path = ssl_certificate_key(applications_root, app, app_info) + + [ssl_certificate_path, ssl_certificate_key_path].each do |pathname| + cookbook_file pathname.to_s do + source "certificates/#{pathname.basename}" + owner "deploy" + group "deploy" + mode 0644 + end end - template "#{applications_root}/#{app}/shared/config/certificate.key" do - owner "deploy" - group "deploy" - mode 0644 - source "app_cert.key.erb" - variables :app_key=> app_info['ssl_info']['key'] + template "/etc/nginx/sites-available/#{app}.conf" do + source "app_nginx.conf.erb" + variables( + name: app, + domain_names: app_info["domain_names"], + redirect_domain_names: app_info["redirect_domain_names"], + ssl_enabled: true, + ssl_certificate: ssl_certificate_path, + ssl_certificate_key: ssl_certificate_key_path, + custom_configuration: nginx_custom_configuration(app_info)) + notifies :reload, resources(service: "nginx") + end + else + template "/etc/nginx/sites-available/#{app}.conf" do + source "app_nginx.conf.erb" + variables( + name: app, + domain_names: app_info["domain_names"], + redirect_domain_names: app_info["redirect_domain_names"], + ssl_enabled: false, + custom_configuration: nginx_custom_configuration(app_info)) + notifies :reload, resources(service: "nginx") end - end - - template "/etc/nginx/sites-available/#{app}.conf" do - source "app_nginx.conf.erb" - variables( - name: app, - domain_names: app_info["domain_names"], - redirect_domain_names: app_info["redirect_domain_names"], - enable_ssl: File.exists?("#{applications_root}/#{app}/shared/config/certificate.crt"), - custom_configuration: 
nginx_custom_configuration(app_info)) - notifies :reload, resources(service: "nginx") end template "#{applications_root}/#{app}/shared/config/unicorn.rb" do diff --git a/vendor/cookbooks/rails/recipes/passenger.rb b/vendor/cookbooks/rails/recipes/passenger.rb index aab970b6..20dc6c29 100644 --- a/vendor/cookbooks/rails/recipes/passenger.rb +++ b/vendor/cookbooks/rails/recipes/passenger.rb @@ -50,6 +50,7 @@ # Include library helpers ::Chef::Resource.send(:include, Rails::Helpers) + ::Chef::Recipe.send(:include, Rails::Helpers) node[:active_applications].each do |app, app_info| rails_env = app_info['rails_env'] || "production" @@ -98,7 +99,6 @@ end if app_info['database_info'] - template "#{applications_root}/#{app}/shared/config/database.yml" do owner deploy_user group deploy_user 
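Review bot: The private key is installed with `mode 0644`, because the certificate and the key go through the same `cookbook_file` loop, which leaves the key readable by every local account on the node. Only the certificate needs to be world-readable; inside the loop this can be `mode pathname == ssl_certificate_key_path ? 0600 : 0644`, and `sensitive true` on the key resource would keep its content out of Chef's diff output where the Chef version in use supports it. Sourcing the key from `files/default/certificates/` also means it has to sit unencrypted in the cookbook, so an encrypted data bag or a chef-vault item is worth considering for the key. The SSL block in recipes/passenger.rb has the same loop and needs the same change.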
@@ -106,37 +106,46 @@ source "app_database.yml.erb" variables :database_info => app_info['database_info'], :rails_env => rails_env end - end - if app_info['ssl_info'] - template "#{applications_root}/#{app}/shared/config/certificate.crt" do - owner "deploy" - group "deploy" - mode 0644 - source "app_cert.crt.erb" - variables :app_crt=> app_info['ssl_info']['crt'] + if ssl_enabled?(app_info) + ssl_certificate_path = ssl_certificate(applications_root, app, app_info) + ssl_certificate_key_path = ssl_certificate_key(applications_root, app, app_info) + + [ssl_certificate_path, ssl_certificate_key_path].each do |pathname| + cookbook_file pathname.to_s do + source "certificates/#{pathname.basename}" + owner "deploy" + group "deploy" + mode 0644 + end end - template "#{applications_root}/#{app}/shared/config/certificate.key" do - owner "deploy" - group "deploy" - mode 0644 - source "app_cert.key.erb" - variables :app_key=> app_info['ssl_info']['key'] + template "/etc/nginx/sites-available/#{app}.conf" do + source "app_passenger_nginx.conf.erb" + variables( + name: app, + rails_env: rails_env, + domain_names: app_info["domain_names"], + ssl_enabled: true, + ssl_certificate: ssl_certificate_path, + ssl_certificate_key: ssl_certificate_key_path, + custom_configuration: nginx_custom_configuration(app_info)) + notifies :reload, resources(service: "nginx") + end + else + template "/etc/nginx/sites-available/#{app}.conf" do + source "app_passenger_nginx.conf.erb" + variables( + name: app, + rails_env: rails_env, + domain_names: app_info["domain_names"], + ssl_enabled: false, + custom_configuration: nginx_custom_configuration(app_info)) + notifies :reload, resources(service: "nginx") end end - template "/etc/nginx/sites-available/#{app}.conf" do - source "app_passenger_nginx.conf.erb" - variables( - name: app, - rails_env: rails_env, - domain_names: app_info["domain_names"], - enable_ssl: File.exists?("#{applications_root}/#{app}/shared/config/certificate.crt"), - 
custom_configuration: nginx_custom_configuration(app_info)) - notifies :reload, resources(:service => "nginx") - end nginx_site "#{app}.conf" do action :enable diff --git a/vendor/cookbooks/rails/templates/default/app_cert.crt.erb b/vendor/cookbooks/rails/templates/default/app_cert.crt.erb deleted file mode 100644 index 87389e27..00000000 --- a/vendor/cookbooks/rails/templates/default/app_cert.crt.erb +++ /dev/null @@ -1 +0,0 @@ -<%= @app_crt %> \ No newline at end of file diff --git a/vendor/cookbooks/rails/templates/default/app_cert.key.erb b/vendor/cookbooks/rails/templates/default/app_cert.key.erb deleted file mode 100644 index 9e9b2c6b..00000000 --- a/vendor/cookbooks/rails/templates/default/app_cert.key.erb +++ /dev/null @@ -1 +0,0 @@ -<%= @app_key %> \ No newline at end of file diff --git a/vendor/cookbooks/rails/templates/default/app_nginx.conf.erb b/vendor/cookbooks/rails/templates/default/app_nginx.conf.erb index de13df6a..5e264a57 100644 --- a/vendor/cookbooks/rails/templates/default/app_nginx.conf.erb +++ b/vendor/cookbooks/rails/templates/default/app_nginx.conf.erb @@ -3,7 +3,7 @@ <% if @redirect_domain_names && @redirect_domain_names.any? %> server { listen <%= node['nginx']['port'] || '80' %>; - <% if @enable_ssl %> + <% if @ssl_enabled %> listen 443 ssl; <% end %> server_name <%= @redirect_domain_names.join(' ') %>; @@ -29,13 +29,13 @@ server { <%= @custom_configuration["server_main"] %> } -<% if @enable_ssl %> +<% if @ssl_enabled %> server { listen 443 ssl; - ssl_certificate <%= node['rails']['applications_root'] %>/<%= @name %>/shared/config/certificate.crt; - ssl_certificate_key <%= node['rails']['applications_root'] %>/<%= @name %>/shared/config/certificate.key; + ssl_certificate <%= @ssl_certificate %>; + ssl_certificate_key <%= @ssl_certificate_key %>; server_name <%= @domain_names.join(' ') %>; 
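Review bot: The `end` that closed `if app_info['database_info']` is removed at the top of the recipes/passenger.rb SSL hunk (`- end` right after the database.yml template) and nothing replaces it, so on the visible lines the new side adds five block openers and two `end`s while removing four openers and two `end`s. Unless the collapsed layout hides a line, the recipe is left one `end` short, and the SSL files and the nginx site template end up nested under the `database_info` condition. recipes/default.rb keeps that `end` in the equivalent hunk; restoring it here before `if ssl_enabled?(app_info)` looks like the intended shape. The `each` loop these lines sit in starts outside the hunk, so this should be confirmed against the full file.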
diff --git a/vendor/cookbooks/rails/templates/default/app_passenger_nginx.conf.erb b/vendor/cookbooks/rails/templates/default/app_passenger_nginx.conf.erb index bd91afb7..342c610a 100644 --- a/vendor/cookbooks/rails/templates/default/app_passenger_nginx.conf.erb +++ b/vendor/cookbooks/rails/templates/default/app_passenger_nginx.conf.erb @@ -10,13 +10,13 @@ server { <%= @custom_configuration["server_main"] %> } -<% if @enable_ssl %> +<% if @ssl_enabled %> server { listen 443 ssl; - ssl_certificate <%= node['rails']['applications_root'] %>/<%= @name %>/shared/config/certificate.crt; - ssl_certificate_key <%= node['rails']['applications_root'] %>/<%= @name %>/shared/config/certificate.key; + ssl_certificate <%= @ssl_certificate %>; + ssl_certificate_key <%= @ssl_certificate_key %>; passenger_enabled on; passenger_app_env <%= @rails_env %>;