From: Tom Hughes
Date: Tue, 14 Feb 2017 18:37:22 +0000 (+0000)
Subject: Enable SSL for imagery sites
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/6adfd52016f87f9622a750cea3e2e926e1f09d61
Enable SSL for imagery sites
---
diff --git a/cookbooks/imagery/.foodcritic b/cookbooks/imagery/.foodcritic
index 435876eff..5c5875e10 100644
--- a/cookbooks/imagery/.foodcritic
+++ b/cookbooks/imagery/.foodcritic
@@ -1,3 +1,4 @@
+~FC001
 ~FC005
 ~FC064
 ~FC065
diff --git a/cookbooks/imagery/metadata.rb b/cookbooks/imagery/metadata.rb
index 5df29639d..74a4a1d89 100644
--- a/cookbooks/imagery/metadata.rb
+++ b/cookbooks/imagery/metadata.rb
@@ -8,3 +8,4 @@ version "1.0.0"
 depends "nginx"
 depends "git"
 depends "systemd"
+depends "ssl"
diff --git a/cookbooks/imagery/resources/site.rb b/cookbooks/imagery/resources/site.rb
index f80f0407a..f8ab66731 100644
--- a/cookbooks/imagery/resources/site.rb
+++ b/cookbooks/imagery/resources/site.rb
@@ -88,7 +88,13 @@ action :create do
 variables :bbox => bbox, :layers => layers
 end
- nginx_site name do
+ base_domains = [name] + Array(aliases)
+
+ ssl_certificate new_resource.name do
+ domains base_domains.flat_map { |d| [d, "a.#{d}", "b.#{d}", "c.#{d}"] }
+ end
+
+ nginx_site new_resource.name do
 template "nginx_imagery.conf.erb"
 directory "/srv/imagery/#{name}"
 restart_nginx false
diff --git a/cookbooks/imagery/templates/default/nginx_imagery.conf.erb b/cookbooks/imagery/templates/default/nginx_imagery.conf.erb
index 94b570768..b926d479c 100644
--- a/cookbooks/imagery/templates/default/nginx_imagery.conf.erb
+++ b/cookbooks/imagery/templates/default/nginx_imagery.conf.erb
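Review bot: The added lines in site.rb mix bare property accessors with `new_resource.` inside the same action: `base_domains = [name] + Array(aliases)` reads `name` and `aliases` directly, while the two resources just below are named with `new_resource.name`, and the unchanged context line `directory "/srv/imagery/#{name}"` still uses the bare form. As far as this hunk shows both forms resolve the same property in a custom-resource action, but the mix makes it unclear whether `name` is the resource name or a local, so I would pick one form throughout, e.g. `base_domains = [new_resource.name] + Array(new_resource.aliases)`. The `a.`/`b.`/`c.` prefix scheme in the `domains` list is also duplicated by hand from the template's `server_name`; if either side drifts, a vhost name would be served under a certificate that does not cover it, so a comment such as `# Must match the host prefixes in nginx_imagery.conf.erb` on the `domains` line would help. The enclosing `action :create do` block starts before this hunk and continues past it.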
@@ -1,8 +1,21 @@
 server {
 listen [::]:80;
+ listen [::]:443 ssl;
 server_name <%= @name %> a.<%= @name %> b.<%= @name %> c.<%= @name %><% @aliases.each do |alias_name| %> <%= alias_name %> a.<%= alias_name %> b.<%= alias_name %> c.<%= alias_name %><%- end -%>;
+ ssl_certificate /etc/ssl/certs/<%= @name %>.pem;
+ ssl_certificate_key /etc/ssl/private/<%= @name %>.key;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers <%= node[:ssl][:ciphers] -%>;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 30m;
+ ssl_stapling on;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+
 root "/srv/<%= @name %>";
+ rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent;
 gzip on;
 gzip_types text/plain text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml image/svg+xml; # text/html is implicit
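Review bot: `ssl_stapling on;` is added without `ssl_stapling_verify on;`, so nginx will staple OCSP responses it has not validated against the issuer chain, and nothing in this hunk sets a `resolver`, which nginx needs to look up the OCSP responder hostname unless one is already inherited from the http block (not visible here). I would add `ssl_stapling_verify on;` together with `ssl_trusted_certificate` pointing at the chain the ssl cookbook installs (path not shown in this hunk), and a `resolver` directive if no http-level one exists. Separately, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` keeps TLS 1.0 and 1.1 enabled; if client compatibility allows, `ssl_protocols TLSv1.2;` is the safer setting, ideally driven from a node attribute alongside `node[:ssl][:ciphers]` so the policy is changed in one place. There is also no HTTP-to-HTTPS redirect or HSTS header on the 443 listener; if continuing to serve the imagery over plain HTTP is intentional, a comment in the template saying so would save the next reader from re-asking.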