Commit a203413c authored by Daniel Dehennin's avatar Daniel Dehennin

Merge branch 'feature/support-non-letsencrypt-certs' into 'master'

feat(config): support personal TLS certificates

See merge request la-crise/discourse-formula!7
parents de0720f1 4d79a370
......@@ -6,6 +6,8 @@
## BE *VERY* CAREFUL WHEN EDITING!
## YAML FILES ARE SUPER SUPER SENSITIVE TO MISTAKES IN WHITESPACE OR ALIGNMENT!
## visit http://www.yamllint.com/ to validate this file as needed
{%- set letsencrypt = discourse | traverse('letsencrypt:enabled', False) | to_bool %}
{%- set tls = discourse | traverse('tls:enabled', False) | to_bool %}
templates:
- "templates/postgres.template.yml"
......@@ -13,9 +15,13 @@ templates:
- "templates/web.template.yml"
- "templates/web.ratelimited.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https)
{%- if discourse | traverse('letsencrypt:enabled', False) | to_bool %}
{%- if letsencrypt or tls %}
- "templates/web.ssl.template.yml"
{%- if letsencrypt %}
- "templates/web.letsencrypt.ssl.template.yml"
{%- else %}
- "templates/force-tls.template.yml"
{%- endif %}
{%- endif %}
- "templates/rake.autosetup.template.yml"
......@@ -24,7 +30,7 @@ templates:
## see https://meta.discourse.org/t/17247 for details
expose:
- "80:80" # http
{%- if discourse | traverse('letsencrypt:enabled', False) | to_bool %}
{%- if letsencrypt or tls %}
- "443:443" # https
{%- endif %}
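Review bot: When both `discourse:letsencrypt:enabled` and `discourse:tls:enabled` are true, the new `{%- if letsencrypt %}` / `{%- else %}` branch in the templates hunk silently picks the Let's Encrypt template, so a personal certificate written by the new `tls` state is never used and nothing in the rendered app.yml records which flag won. Since the README in this commit treats the two as mutually exclusive, failing the render is safer than a silent default: `{%- if letsencrypt and tls %}` / `{{ raise("discourse: letsencrypt and tls are mutually exclusive") }}` / `{%- endif %}` next to the two `set` lines, assuming the Salt version in use exposes the Jinja `raise` global. The pre-existing comment `## Uncomment these two lines if you wish to add Lets Encrypt (https)` no longer describes the block now that it is driven by pillar flags and also covers personal certificates; it should be reworded or dropped.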
......
env:
SSL_DIR: "/shared/ssl"
hooks:
after_ssl:
- file:
path: /etc/runit/1.d/force-tls
chmod: "+x"
contents: |
#!/bin/bash
if [ -f "${SSL_DIR}/ssl.crt" -a -f "${SSL_DIR}/ssl.key" ]
then
grep -q 'force_https' "/var/www/discourse/config/discourse.conf" || echo "force_https = 'true'" >> "/var/www/discourse/config/discourse.conf"
fi
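Review bot: The idempotency guard `grep -q 'force_https'` is a substring match, so a commented-out `# force_https` or an explicit `force_https = 'false'` already present in discourse.conf suppresses the append and the container comes up without HTTPS being forced, with no message to say so. Anchoring to an active assignment, `grep -Eq '^[[:space:]]*force_https[[:space:]]*=' "/var/www/discourse/config/discourse.conf"`, closes the commented-line case; the explicit-false case deserves at least an `echo` to stderr in an else branch of the file test so the condition is visible in the boot log. `[ -f a -a -f b ]` uses the obsolescent `-a`; since the shebang already requires bash, `[[ -f "${SSL_DIR}/ssl.crt" && -f "${SSL_DIR}/ssl.key" ]]` is clearer. Whether `SSL_DIR` from the `env:` stanza is actually exported into the runit script's environment is not visible here and should be confirmed against how the Let's Encrypt template references its own directory variable.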
......@@ -2,4 +2,5 @@
# vim: ft=sls
include:
- .tls
- .file
# -*- coding: utf-8 -*-
# vim: ft=sls
{#- Get the `tplroot` from `tpldir` #}
{%- set tplroot = tpldir.split('/')[0] %}
{%- set sls_config_file = tplroot ~ '.config.file' %}
{%- from tplroot | path_join("map.jinja") import discourse with context %}
{%- from tplroot | path_join("libtofs.jinja") import files_switch with context %}
include:
- {{ sls_config_file }}
{%- if discourse | traverse('tls:enabled', False) | to_bool %}
{%- set tls_dir = discourse.directory | path_join('shared',
'standalone',
'ssl'
)
%}
{%- set tls = discourse | traverse('tls') %}
discourse-config-tls-force-tls-template-file-managed:
file.managed:
- name: {{ discourse.directory | path_join('templates',
'force-tls.template.yml')
}}
- source: {{ files_switch(['force-tls.template.yml.jinja'],
lookup='discourse-config-tls-force-tls-template-file-managed',
use_subpath=True
)
}}
- mode: 644
- user: root
- group: root
- makedirs: True
- require_in:
- sls: {{ sls_config_file }}
discourse-config-tls-cert-file-managed:
file.managed:
- name: {{ tls_dir | path_join('ssl.crt') }}
- source: {{ files_switch(['ssl.crt', 'ssl.crt.jinja'],
lookup='discourse-config-tls-cert-file-managed',
use_subpath=True
)
}}
- mode: 600
- user: root
- group: root
- makedirs: True
- template: jinja
- context:
tls: {{ tls | json }}
- require_in:
- sls: {{ sls_config_file }}
discourse-config-tls-key-file-managed:
file.managed:
- name: {{ tls_dir | path_join('ssl.key') }}
- source: {{ files_switch(['ssl.key', 'ssl.key.jinja'],
lookup='discourse-config-tls-key-file-managed',
use_subpath=True
)
}}
- mode: 600
- user: root
- group: root
- makedirs: True
- template: jinja
- context:
tls: {{ tls | json }}
- require_in:
- sls: {{ sls_config_file }}
{%- endif %}
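Review bot: `discourse-config-tls-key-file-managed` keeps `file.managed`'s default `show_changes: True`, so the first run and every later key rotation print a unified diff of the private key into the highstate output, the master job cache and whatever log pipeline captures state returns. Add `- show_changes: False` to the key state (and, for symmetry, the cert state) so only a boolean is reported. Passing `tls: {{ tls | json }}` also hands the whole `tls` mapping, key included, to the cert template that does not need it; Salt's `contents_pillar: discourse:tls:key` exists for exactly this case and avoids templating secret material at all, though it would mean departing from the `files_switch` pattern used in the rest of the formula. The unquoted `mode: 600` works because it has no leading zero, but writing it as `"0600"` sidesteps YAML integer coercion and matches the quoted-string form Salt's docs use for octal modes.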
......@@ -49,6 +49,28 @@ Available states
``discourse.config``
^^^^^^^^^^^^^^^^^^^^
*Meta-state (This is a state that includes other states)*.
This state will configure the deployment of ``discourse``.
``discourse.config.tls``
^^^^^^^^^^^^^^^^^^^^^^^^
This state will configure a personal TLS certificate and key instead
of using Let's Encrypt if the ``discourse:tls:enabled`` is ``true``
and ``discourse:letsencrypt:enabled`` is false.
It requires two private pillar values:
- ``discourse.tls.cert``
- ``discourse.tls.key``
It hooks as a dependency of ``discourse.config.file``.
``discourse.config.file``
^^^^^^^^^^^^^^^^^^^^^^^^^
This state will configure the deployement by generating the
``containers/app.yml`` file.
......