Merge branch 'feature/support-non-letsencrypt-certs' into 'master'

feat(config): support personal TLS certificates See merge request la-crise/discourse-formula!7

Merge branch 'feature/support-non-letsencrypt-certs' into 'master'
feat(config): support personal TLS certificates See merge request la-crise/discourse-formula!7
a203413c · Daniel Dehennin · de0720f1 · 4d79a370 · a203413c · a203413c
Commit a203413c authored Apr 03, 2020 by Daniel Dehennin
--- a/discourse/config/files/default/app.yml.jinja
+++ b/discourse/config/files/default/app.yml.jinja
@@ -6,6 +6,8 @@
 ## BE *VERY* CAREFUL WHEN EDITING!
 ## YAML FILES ARE SUPER SUPER SENSITIVE TO MISTAKES IN WHITESPACE OR ALIGNMENT!
 ## visit http://www.yamllint.com/ to validate this file as needed
+{%- set letsencrypt = discourse | traverse('letsencrypt:enabled', False) | to_bool %}
+{%- set tls = discourse | traverse('tls:enabled', False) | to_bool %}

 templates:
  - "templates/postgres.template.yml"
@@ -13,9 +15,13 @@ templates:
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
 ## Uncomment these two lines if you wish to add Lets Encrypt (https)
-{%- if discourse | traverse('letsencrypt:enabled', False) | to_bool %}
+{%- if letsencrypt or tls %}
  - "templates/web.ssl.template.yml"
+  {%- if letsencrypt %}
  - "templates/web.letsencrypt.ssl.template.yml"
+  {%- else %}
+  - "templates/force-tls.template.yml"
+  {%- endif %}
 {%- endif %}
  - "templates/rake.autosetup.template.yml"

@@ -24,7 +30,7 @@ templates:
 ## see https://meta.discourse.org/t/17247 for details
 expose:
  - "80:80"   # http
-{%- if discourse | traverse('letsencrypt:enabled', False) | to_bool %}
+{%- if letsencrypt or tls %}
  - "443:443" # https
 {%- endif %}


--- a/discourse/config/files/default/force-tls.template.yml.jinja
+++ b/discourse/config/files/default/force-tls.template.yml.jinja
+env:
+  SSL_DIR: "/shared/ssl"
+
+hooks:
+  after_ssl:
+    - file:
+       path: /etc/runit/1.d/force-tls
+       chmod: "+x"
+       contents: |
+        #!/bin/bash
+        if [ -f "${SSL_DIR}/ssl.crt" -a -f "${SSL_DIR}/ssl.key" ]
+        then
+          grep -q 'force_https' "/var/www/discourse/config/discourse.conf" || echo "force_https = 'true'" >> "/var/www/discourse/config/discourse.conf"
+        fi
--- a/discourse/config/files/default/ssl.crt.jinja
+++ b/discourse/config/files/default/ssl.crt.jinja
+{{ tls.get('cert') }}
--- a/discourse/config/files/default/ssl.key.jinja
+++ b/discourse/config/files/default/ssl.key.jinja
+{{ tls.get('key') }}
--- a/discourse/config/init.sls
+++ b/discourse/config/init.sls
@@ -2,4 +2,5 @@
 # vim: ft=sls

 include:
+  - .tls
  - .file
--- a/discourse/config/tls.sls
+++ b/discourse/config/tls.sls
+# -*- coding: utf-8 -*-
+# vim: ft=sls
+
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_config_file = tplroot ~ '.config.file' %}
+{%- from tplroot | path_join("map.jinja") import discourse with context %}
+{%- from tplroot | path_join("libtofs.jinja") import files_switch with context %}
+
+include:
+  - {{ sls_config_file }}
+
+{%- if discourse | traverse('tls:enabled', False) | to_bool %}
+{%- set tls_dir = discourse.directory | path_join('shared',
+                                                  'standalone',
+                                                  'ssl'
+                                                 )
+  %}
+{%- set tls = discourse | traverse('tls') %}
+
+discourse-config-tls-force-tls-template-file-managed:
+  file.managed:
+    - name: {{ discourse.directory | path_join('templates',
+                                               'force-tls.template.yml')
+              }}
+    - source: {{ files_switch(['force-tls.template.yml.jinja'],
+                              lookup='discourse-config-tls-force-tls-template-file-managed',
+                              use_subpath=True
+                 )
+              }}
+    - mode: 644
+    - user: root
+    - group: root
+    - makedirs: True
+    - require_in:
+      - sls: {{ sls_config_file }}
+
+
+discourse-config-tls-cert-file-managed:
+  file.managed:
+    - name: {{ tls_dir | path_join('ssl.crt') }}
+    - source: {{ files_switch(['ssl.crt', 'ssl.crt.jinja'],
+                              lookup='discourse-config-tls-cert-file-managed',
+                              use_subpath=True
+                 )
+              }}
+    - mode: 600
+    - user: root
+    - group: root
+    - makedirs: True
+    - template: jinja
+    - context:
+        tls: {{ tls | json }}
+    - require_in:
+      - sls: {{ sls_config_file }}
+
+discourse-config-tls-key-file-managed:
+  file.managed:
+    - name: {{ tls_dir | path_join('ssl.key') }}
+    - source: {{ files_switch(['ssl.key', 'ssl.key.jinja'],
+                              lookup='discourse-config-tls-key-file-managed',
+                              use_subpath=True
+                 )
+              }}
+    - mode: 600
+    - user: root
+    - group: root
+    - makedirs: True
+    - template: jinja
+    - context:
+        tls: {{ tls | json }}
+    - require_in:
+      - sls: {{ sls_config_file }}
+{%- endif %}
--- a/docs/README.rst
+++ b/docs/README.rst
@@ -49,6 +49,28 @@ Available states
 ``discourse.config``
 ^^^^^^^^^^^^^^^^^^^^

+*Meta-state (This is a state that includes other states)*.
+
+This state will configure the deployment of ``discourse``.
+
+
+``discourse.config.tls``
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+This state will configure a personal TLS certificate and key instead
+of using Let's Encrypt if the ``discourse:tls:enabled`` is ``true``
+and ``discourse:letsencrypt:enabled`` is false.
+
+It requires two private pillar values:
+
+- ``discourse.tls.cert``
+- ``discourse.tls.key``
+
+It hooks as a dependency of ``discourse.config.file``.
+
+``discourse.config.file``
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
 This state will configure the deployement by generating the
 ``containers/app.yml`` file.