# Site name and SSH connection settings, referenced below as ${domain}, ${ssh_user} and ${ssh_host}.
# ${domain} is substituted into shell commands that run as root, so keep it a plain hostname.
var domain = "app.example.com"
var ssh_user = "deploy"
var ssh_host = "10.0.1.5"
use "apt/install_package"
use "firewall/allow_port"
use "systemd/enable_service"
use "tls/certbot"
use "nginx/vhost"
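# Configures nginx on web-1 over SSH: packages, firewall ports, certificate,
# vhost, a placeholder index page, and a final HTTPS check.
node "web-1" {
  via ssh user = "${ssh_user}" host = "${ssh_host}"

  # Writes a placeholder index page. The check only tests that the file
  # exists, so an existing page is never overwritten.
  resource deploy_app_files {
    description "deploy app files"
    needs install_package_nginx_curl, vhost_app_example_com
    check `test -f /var/www/${domain}/index.html`
    run `echo '<h1>${domain} is live</h1>' > /var/www/${domain}/index.html`
    as root
  }

  # Starts or reloads nginx once content, certificate, firewall rules and TLS
  # parameters are in place.
  resource start_nginx {
    description "start nginx"
    needs deploy_app_files, certbot_app_example_com, allow_port_443, allow_port_80, write_ssl_params
    # `systemctl is-active` prints "inactive" for a stopped unit, which
    # `grep -q active` also matches; --quiet relies on the exit status instead.
    check `systemctl is-active --quiet nginx`
    run `systemctl reload-or-restart nginx`
    as root

    # NOTE(review): declared inside start_nginx and also listed in its needs;
    # confirm the nesting is intended.
    # The check only tests that the snippet exists, so a later change to the
    # TLS settings here will not reach a host that already has the file.
    # NOTE(review): nothing in this file shows the vhost including this
    # snippet; confirm the nginx/vhost template does so.
    # NOTE(review): `HIGH:!aNULL:!MD5` is a broad cipher selection; consider
    # an explicit allow-list if the client base permits it.
    resource write_ssl_params {
      description "write ssl params"
      check `test -f /etc/nginx/snippets/ssl-params.conf`
      run `printf 'ssl_protocols TLSv1.2 TLSv1.3;\nssl_prefer_server_ciphers on;\nssl_ciphers HIGH:!aNULL:!MD5;\n' > /etc/nginx/snippets/ssl-params.conf`
      as root
    }
  }

  # End-to-end check that the site answers 200 over HTTPS.
  # curl runs without -k so the certificate chain and hostname are validated;
  # with -k this check would also pass for a self-signed, expired or
  # mismatched certificate.
  verify "HTTPS 200 on ${domain}" {
    needs start_nginx, enable_service_nginx, install_package_nginx_curl
    run `curl -sf -o /dev/null -w '%{http_code}' https://${domain}/ | grep -q 200`
    timeout 30
    retry 3
    on_fail warn
  }

  # Template instantiations; the resource names used in the `needs` lists
  # above appear to be derived from these parameters.
  install_package {
    name = "nginx curl"
  }

  allow_port {
    port = "80"
  }

  allow_port {
    port = "443"
  }

  certbot {
    domain = "${domain}"
    email = "ops@example.com"
  }

  vhost {
    domain = "${domain}"
    port = "443"
    doc_root = "/var/www/${domain}"
  }

  enable_service {
    service = "nginx"
  }
}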