From: Tom Hughes
Date: Tue, 14 Feb 2017 19:15:35 +0000 (+0000)
Subject: Configure resolvers for stapling with nginx
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/df4783f181b8eb09cf1b48a28a41ca8d14283258
Configure resolvers for stapling with nginx
---
diff --git a/cookbooks/imagery/resources/site.rb b/cookbooks/imagery/resources/site.rb
index f8ab66731..137153a72 100644
--- a/cookbooks/imagery/resources/site.rb
+++ b/cookbooks/imagery/resources/site.rb
@@ -94,11 +94,15 @@ action :create do
 domains base_domains.flat_map { |d| [d, "a.#{d}", "b.#{d}", "c.#{d}"] }
 end
+ resolvers = node[:networking][:nameservers].map do |resolver|
+ IPAddr.new(resolver).ipv6? ? "[#{resolver}]" : resolver
+ end
+
 nginx_site new_resource.name do
 template "nginx_imagery.conf.erb"
 directory "/srv/imagery/#{name}"
 restart_nginx false
- variables new_resource.to_hash
+ variables new_resource.to_hash.merge(:resolvers => resolvers)
 end
 end
diff --git a/cookbooks/imagery/templates/default/nginx_imagery.conf.erb b/cookbooks/imagery/templates/default/nginx_imagery.conf.erb
index b926d479c..7001f794c 100644
--- a/cookbooks/imagery/templates/default/nginx_imagery.conf.erb
+++ b/cookbooks/imagery/templates/default/nginx_imagery.conf.erb
@@ -13,6 +13,8 @@ server {
 ssl_session_timeout 30m;
 ssl_stapling on;
 ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ resolver <%= @resolvers.join(" ") %>;
+ resolver_timeout 5s;
 root "/srv/<%= @name %>";
 rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent;
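Review bot: The added `map` passes every entry of `node[:networking][:nameservers]` to `IPAddr.new`, so an entry that is not an IP literal (a hostname, for instance) raises and aborts the `create` action, and an unset attribute fails on `.map`; neither case is handled in the new lines. Because these values become the resolvers nginx uses for its OCSP stapling lookups, the assumption deserves a comment above the block, e.g. `# nameservers must be IP literals on a trusted network; nginx needs IPv6 ones in brackets`. No `require "ipaddr"` is visible in the hunk, so if the top of site.rb does not load it, the reference relies on some other library having done so. The `action :create do` block opens before the hunk.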
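Review bot: The added `resolver <%= @resolvers.join(" ") %>;` renders as `resolver ;` when the node has no nameservers, which nginx rejects when it loads the configuration, so both added directives should be emitted only for a non-empty list, e.g. wrapped in `<% unless @resolvers.empty? -%>` … `<% end -%>`. nginx does not authenticate the answers it receives from these resolvers, and its documentation recommends DNS servers on a secured, trusted local network to prevent spoofing, so the choice of nameservers is part of the stapling trust path. The visible context has `ssl_stapling on;` without `ssl_stapling_verify on;`; if that is not set elsewhere in the file, nginx staples OCSP responses without verifying them itself. The `server {` block opens before the hunk and continues past it.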