[Git][qa/jenkins.debian.net][master] handle the ssl cert of reproduce.d.n with letsencrypt like we do everywhere else
Mattia Rizzolo (@mattia)
gitlab at salsa.debian.org
Tue Nov 12 12:47:38 GMT 2024
Mattia Rizzolo pushed to branch master at Debian QA / jenkins.debian.net
Commits:
3390622f by Mattia Rizzolo at 2024-11-12T13:47:06+01:00
handle the ssl cert of reproduce.d.n with letsencrypt like we do everywhere else
Signed-off-by: Mattia Rizzolo <mattia at debian.org>
- - - - -
6 changed files:
- + hosts/osuosl5-amd64/etc/dehydrated/conf.d/local_local.sh
- + hosts/osuosl5-amd64/etc/dehydrated/domains.txt
- + hosts/osuosl5-amd64/etc/dehydrated/hooks.sh
- hosts/osuosl5-amd64/etc/nginx/nginx.conf
- + hosts/osuosl5-amd64/etc/sudoers.d/letsencrypt
- update_jdn.sh
Changes:
=====================================
hosts/osuosl5-amd64/etc/dehydrated/conf.d/local_local.sh
=====================================
@@ -0,0 +1,13 @@
+# shellcheck shell=sh disable=SC2034
+
+CA="https://acme-v02.api.letsencrypt.org/directory"
+#CA="https://acme-staging-v02.api.letsencrypt.org/directory"
+
+RENEW_DAYS="30"
+KEYSIZE="4096"
+PRIVATE_KEY_RENEW="no"
+
+CHALLENGETYPE="http-01"
+HOOK="/etc/dehydrated/hooks.sh"
+
+CONTACT_EMAIL="contact at reproducible-builds.org"
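Review bot: `PRIVATE_KEY_RENEW="no"` keeps the same 4096-bit RSA key across every renewal, so a key that ever leaks stays in use until someone rotates it by hand; if the goal is parity with the other hosts, check whether they use `PRIVATE_KEY_RENEW="yes"` (fresh key on each renewal) and follow that instead. `CONTACT_EMAIL` shows as `contact at reproducible-builds.org` here, which is presumably the list software rewriting the address rather than the committed value, but it is worth confirming the file holds a real address since a `mailto:` contact with spaces would likely be rejected at account registration. The remaining settings (production CA, `http-01`, `HOOK="/etc/dehydrated/hooks.sh"`) line up with the nginx and hook changes in this commit.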
=====================================
hosts/osuosl5-amd64/etc/dehydrated/domains.txt
=====================================
@@ -0,0 +1 @@
+reproduce.debian.net
=====================================
hosts/osuosl5-amd64/etc/dehydrated/hooks.sh
=====================================
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+set -eu
+
+OP=$1
+
+_log () {
+ echo " + ($OP) $*"
+}
+
+reload_apache () {
+ _log "Reloading apache..."
+ sudo apache2ctl graceful
+}
+
+reload_nginx () {
+ _log "Reloading nginx..."
+ sudo systemctl reload nginx
+}
+
+email () {
+ # $1: domain name $6: timestamp of cert creation
+ printf "%s\n\n %s\t%s" \
+ "The following SSL certifcate has just been renewed:" \
+ "$1" "$(date -u -d @"$6")" | \
+ mail -s "R-B SSL certifcate renewed" root
+}
+
+case "$OP" in
+ deploy_cert)
+ shift
+ reload_nginx
+ email "$@"
+ ;;
+ *)
+ ;;
+esac
+
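Review bot: `reload_apache` (with its `sudo apache2ctl graceful`) is never reached — the only handled case is `deploy_cert`, which calls `reload_nginx` — and the sudoers rule added in this commit permits only `/usr/bin/systemctl reload nginx`, so on this host the function would fail under sudo if it were ever wired in; either drop it or mark it with `# unused here; kept for parity with the other hosts' hooks`. The mail subject and body both spell "certifcate"; these are user-visible strings, so `certificate` is the fix in both `printf` and `mail -s` lines. A short header comment would help the next reader, e.g. `# dehydrated hook: $1 is the operation; for deploy_cert the remaining args are DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP`, which is the contract the `$1`/`$6` comment inside `email` depends on.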
=====================================
hosts/osuosl5-amd64/etc/nginx/nginx.conf
=====================================
@@ -14,41 +14,58 @@ http {
server {
server_name reproduce.debian.net;
- index index.html index.htm index.nginx-debian.html;
- root /var/www/html;
+ index index.html index.htm index.nginx-debian.html;
+ root /var/www/html;
- location / {
- # First attempt to serve request as file, then
- # as directory, then fall back to displaying a 404.
- try_files $uri $uri/ =404;
- }
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /var/lib/dehydrated/certs/reproduce.debian.net/privkey.pem
+ ssl_certificate_key /var/lib/dehydrated/certs/reproduce.debian.net/fullchain.pem
+ ssl_session_cache shared:le_nginx_SSL:10m;
+ ssl_session_timeout 1440m;
+ ssl_session_tickets off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers off;
+ ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-C
+ HACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
- location /api/ {
- proxy_pass http://127.0.0.1:8484;
- }
- listen 443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/reproduce.debian.net/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/reproduce.debian.net/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+ location /.well-known/acme-challenge/ {
+ alias /var/lib/letsencrypt.sh/acme-challenges/;
+ disable_symlinks off;
+ autoindex off;
+ }
-}
+ location / {
+ # First attempt to serve request as file, then
+ # as directory, then fall back to displaying a 404.
+ try_files $uri $uri/ =404;
+ }
- server {
- if ($host = reproduce.debian.net) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
+ location /api/ {
+ proxy_pass http://127.0.0.1:8484;
+ }
+ }
+
+ server {
listen 80;
server_name reproduce.debian.net;
- return 404; # managed by Certbot
-
-}
+ location /.well-known/acme-challenge/ {
+ alias /var/lib/letsencrypt.sh/acme-challenges/;
+ disable_symlinks off;
+ autoindex off;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+
+ return 404;
+ }
}
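Review bot: The two certificate directives in the 443 server are swapped and unterminated — `ssl_certificate` points at `privkey.pem`, `ssl_certificate_key` at `fullchain.pem`, and neither line ends in `;` — so nginx will reject the configuration at reload, and once the semicolons are added the key/certificate mismatch still fails. They should read `ssl_certificate /var/lib/dehydrated/certs/reproduce.debian.net/fullchain.pem;` and `ssl_certificate_key /var/lib/dehydrated/certs/reproduce.debian.net/privkey.pem;`. Both acme-challenge `alias` entries point at `/var/lib/letsencrypt.sh/acme-challenges/`, while update_jdn.sh in this same commit prepares `/var/lib/dehydrated/acme-challenges`; confirm the former resolves to the latter on this host (a compatibility symlink, presumably) or use the dehydrated path directly, otherwise http-01 validation returns 404. `ssl_dhparam` was removed together with the certbot include, yet the cipher list still carries DHE suites, which nginx leaves unused without a dhparam file — drop them from the list or keep a dhparam. The `# managed by Certbot` remark on `listen 443 ssl;` is now stale since certbot no longer manages this host.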
=====================================
hosts/osuosl5-amd64/etc/sudoers.d/letsencrypt
=====================================
@@ -0,0 +1 @@
+letsencrypt ALL=(root) NOPASSWD: /usr/bin/systemctl reload nginx
=====================================
update_jdn.sh
=====================================
@@ -137,7 +137,7 @@ users=$(for i in ${!user_host_groups[@]}; do echo ${i%,*} ; done | sort -u)
# create the letsencrypt group and user in jenkins if needed
# doing it here instead of using the array above as we have to use --system
- if [ "$HOSTNAME" = jenkins ] || [ "$HOSTNAME" = "ionos7-amd64" ]; then
+ if [ "$HOSTNAME" = "jenkins" ] || [ "$HOSTNAME" = "ionos7-amd64" ] || [ "$HOSTNAME" = "osuosl5-amd64" ]; then
if ! getent group letsencrypt > /dev/null ; then
sudo addgroup --system letsencrypt
fi
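Review bot: The host list `jenkins || ionos7-amd64 || osuosl5-amd64` is now written out twice in this file — here and again in the later hunk at `@@ -706,7 +710,7 @@` guarding the dpkg-statoverride block — so the next host that moves to dehydrated must be added in two places and the two conditions can silently drift. A single predicate, e.g. `is_dehydrated_host() { case "$HOSTNAME" in jenkins|ionos7-amd64|osuosl5-amd64) return 0 ;; esac; return 1; }`, used at both sites would keep them in step. The enclosing block of this hunk begins before the `@@ -137,7` header and continues past the shown `fi`.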
@@ -539,7 +539,11 @@ if [ -f /etc/debian_version ] ; then
esac
# packages needed for reproduce.debian.net running rebuilderd
case $HOSTNAME in
- osuosl4*|osuosl5*) DEBS="$DEBS
+ osuosl5*) DEBS="$DEBS
+ nginx-full
+ dehydrated
+ " ;;
+ osuosl4*) DEBS="$DEBS
nginx-full
python3-certbot-nginx
" ;;
@@ -706,7 +710,7 @@ sudo chown root:root /etc/sudoers.d/jenkins ; sudo chmod 700 /etc/sudoers.d/jenk
sudo chown root:root /etc/sudoers.d/jenkins-adm ; sudo chmod 700 /etc/sudoers.d/jenkins-adm
[ -f /etc/mailname ] || ( echo $HOSTNAME.debian.net | sudo tee /etc/mailname )
-if [ "$HOSTNAME" = "jenkins" ] || [ "$HOSTNAME" = "ionos7-amd64" ]; then
+if [ "$HOSTNAME" = "jenkins" ] || [ "$HOSTNAME" = "ionos7-amd64" ] || [ "$HOSTNAME" = "osuosl5-amd64" ]; then
for path in /var/lib/dehydrated /var/lib/dehydrated/acme-challenges; do
if ! dpkg-statoverride --list "$path" > /dev/null; then
sudo dpkg-statoverride --update --add letsencrypt letsencrypt 755 "$path"