From 2287ce73a578be6354d905fcdde7b967b545f988 Mon Sep 17 00:00:00 2001
From: richard
Date: Fri, 6 Oct 2017 06:24:04 -0400
Subject: [PATCH] - switch to using single ssl cert for all domains
---
.../letsencrypt/docker-compose-install.yml | 47 +++++++++++++++++++
.../letsencrypt/docker-compose-update.yml | 15 +++---
dockerfiles/services/letsencrypt/readme.md | 6 +--
.../services/sslproxy/docker-compose-prod.yml | 2 +-
.../hosts/dkregistry.xai-corp.net.conf | 4 +-
.../sslproxy/hosts/dkui.xai-corp.net.conf | 4 +-
.../sslproxy/hosts/fs.xai-corp.net.conf | 4 +-
.../sslproxy/hosts/git.xai-corp.net.conf | 4 +-
.../sslproxy/hosts/jenkins.xai-corp.net.conf | 4 +-
.../services/sslproxy/hosts/letsencrypt.conf | 13 +++++
.../sslproxy/hosts/logs.xai-corp.net.conf | 15 ------
.../hosts/tripbuilder.xai-corp.net.conf | 14 ------
.../sslproxy/hosts/xaibox.xai-corp.net.conf | 4 +-
.../templates/xai-corp.net.internal.j2 | 5 +-
14 files changed, 86 insertions(+), 55 deletions(-)
create mode 100644 dockerfiles/services/letsencrypt/docker-compose-install.yml
create mode 100644 dockerfiles/services/sslproxy/hosts/letsencrypt.conf
delete mode 100644 dockerfiles/services/sslproxy/hosts/logs.xai-corp.net.conf
delete mode 100644 dockerfiles/services/sslproxy/hosts/tripbuilder.xai-corp.net.conf
diff --git a/dockerfiles/services/letsencrypt/docker-compose-install.yml b/dockerfiles/services/letsencrypt/docker-compose-install.yml
new file mode 100644
index 0000000..cd9ae55
--- /dev/null
+++ b/dockerfiles/services/letsencrypt/docker-compose-install.yml
@@ -0,0 +1,47 @@
+---
+# docker-compose file for letsencrypt cert management
+
+# DOCKER_HOST=dkhost01:2376 docker-compose up updates
+
+# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose-install.yml services_letsencrypt
+
+version: '3'
+services:
+
+ updates:
+ image: "blacklabelops/letsencrypt"
+ ports:
+ - 83:80
+# - 443:443
+ volumes:
+ - /opt/shared/letsencrypt:/etc/letsencrypt
+ environment:
+ LETSENCRYPT_EMAIL: r_morgan@sympatico.ca
+ LETSENCRYPT_HTTPS_ENABLED: "false"
+ LETSENCRYPT_TESTCERT: "false"
+ LETSENCRYPT_DEBUG: "true"
+ LETSENCRYPT_JOB_TIME: "0 0 1 15 * *"
+ LETSENCRYPT_DOMAIN1: xai-corp.net
+ LETSENCRYPT_DOMAIN2: git.xai-corp.net
+ LETSENCRYPT_DOMAIN3: xaibox.xai-corp.net
+ LETSENCRYPT_DOMAIN4: dkui.xai-corp.net
+ LETSENCRYPT_DOMAIN5: dkregistry.xai-corp.net
+ LETSENCRYPT_DOMAIN6: fs.xai-corp.net
+ LETSENCRYPT_DOMAIN7: jenkins.xai-corp.net
+ LETSENCRYPT_DOMAIN8: sql.xai-corp.net
+ LETSENCRYPT_DOMAIN9: office.xai-corp.net
+ LETSENCRYPT_DOMAIN10: www.xai-corp.net
+ LETSENCRYPT_DOMAIN11: mail.xai-corp.net
+ command:
+ - install
+ - --expand
+
+ deploy:
+ mode: replicated
+ replicas: 1
+ restart_policy:
+ condition: none
+ resources:
+ limits:
+ cpus: '0.1'
+ memory: 256M
diff --git a/dockerfiles/services/letsencrypt/docker-compose-update.yml b/dockerfiles/services/letsencrypt/docker-compose-update.yml
index 6e7aad5..d5a1b43 100644
--- a/dockerfiles/services/letsencrypt/docker-compose-update.yml
+++ b/dockerfiles/services/letsencrypt/docker-compose-update.yml
@@ -10,16 +10,15 @@ services: updates: image: "blacklabelops/letsencrypt" - container_name: letsencrypt_staging_updates ports: - - 80:80 + - 83:80 # - 443:443 volumes: - /opt/shared/letsencrypt:/etc/letsencrypt environment: LETSENCRYPT_EMAIL: r_morgan@sympatico.ca LETSENCRYPT_HTTPS_ENABLED: "false" - LETSENCRYPT_TESTCERT: "true" + LETSENCRYPT_TESTCERT: "false" LETSENCRYPT_DEBUG: "true" LETSENCRYPT_JOB_TIME: "0 0 1 15 * *" LETSENCRYPT_DOMAIN1: xai-corp.net
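Review bot: The eleven `LETSENCRYPT_DOMAINn` entries and the rest of the `environment:` block in this new file are a verbatim copy of docker-compose-update.yml, and the duplicate `LETSENCRYPT_DOMAIN9` key that this commit fixes in the -31 hunk of that file shows how two hand-maintained copies drift (most YAML loaders keep the last duplicate silently, so `office.xai-corp.net` was being dropped from the certificate). Moving the shared block into one file both services reference with `env_file: letsencrypt.env` would leave a single place to add or remove a SAN. Two smaller points: `- 83:80` is unquoted while docker-compose-prod.yml writes `- "443:443"`, so `- "83:80"` keeps the two files consistent, and the two usage comments name the host as `dkhost01:2376` and `dkhost:2376` — presumably only one is right.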
@@ -31,10 +30,8 @@ services:
LETSENCRYPT_DOMAIN7: jenkins.xai-corp.net
LETSENCRYPT_DOMAIN8: sql.xai-corp.net
LETSENCRYPT_DOMAIN9: office.xai-corp.net
- LETSENCRYPT_DOMAIN9: www.xai-corp.net
- command:
- - install
- - --expand
+ LETSENCRYPT_DOMAIN10: www.xai-corp.net
+ LETSENCRYPT_DOMAIN11: mail.xai-corp.net
deploy:
mode: replicated
@@ -43,5 +40,5 @@ services:
condition: none
resources:
limits:
- cpus: '0.1'
- memory: 256M
+ cpus: '0.5'
+ memory: 16M
diff --git a/dockerfiles/services/letsencrypt/readme.md b/dockerfiles/services/letsencrypt/readme.md
index dcfff4c..df6fce7 100644
--- a/dockerfiles/services/letsencrypt/readme.md
+++ b/dockerfiles/services/letsencrypt/readme.md
@@ -9,7 +9,7 @@ todo: set this up as a cron #install new certs ``` DOCKER_HOST=dkhost01:2376 docker run -d \ - -p 80:80 \ + -p 83:80 \ --name letsencrypt \ -e "LETSENCRYPT_HTTPS_ENABLED=false" \ -v /opt/shared/letsencrypt-2:/etc/letsencrypt \
@@ -29,7 +29,7 @@ DOCKER_HOST=dkhost01:2376 docker run -d \ ``` DOCKER_HOST=dkhost01:2376 docker run -d \ - -p 80:80 \ + -p 83:80 \ --name letsencrypt_updates \ -e "LETSENCRYPT_HTTPS_ENABLED=false" \ -v /opt/shared/letsencrypt-2:/etc/letsencrypt \
@@ -43,6 +43,6 @@ DOCKER_HOST=dkhost01:2376 docker run -d \ -e "LETSENCRYPT_DOMAIN7=jenkins.xai-corp.net" \ -e "LETSENCRYPT_DOMAIN8=sql.xai-corp.net" \ -e "LETSENCRYPT_DOMAIN9=www.xai-corp.net" \ - -e "LETSENCRYPT_DOMAIN90=office.xai-corp.net" \ + -e "LETSENCRYPT_DOMAIN10=office.xai-corp.net" \ blacklabelops/letsencrypt ```
diff --git a/dockerfiles/services/sslproxy/docker-compose-prod.yml b/dockerfiles/services/sslproxy/docker-compose-prod.yml
index 9ab9fcc..71b8d48 100644
--- a/dockerfiles/services/sslproxy/docker-compose-prod.yml
+++ b/dockerfiles/services/sslproxy/docker-compose-prod.yml
@@ -10,7 +10,7 @@ services: app: image: "dkregistry.xai-corp.net:5000/sslproxy:2.0" volumes: - - /etc/letsencrypt:/etc/letsencrypt:ro + - /opt/shared/letsencrypt-2:/etc/letsencrypt:ro ports: - "443:443"
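Review bot: `memory: 16M` in the -43 hunk cuts the renewal service's limit from 256M to 16M while the new docker-compose-install.yml keeps `memory: 256M` for the same `blacklabelops/letsencrypt` image; a certbot-based container is unlikely to fit in 16 MiB, and with `restart_policy: condition: none` an OOM-killed renewal task is not retried, so the shared certificate would quietly run to expiry. Unless the smaller figure was measured, keeping the two files aligned with `memory: 256M` is the safer default.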
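Review bot: The proxy now reads certificates from `/opt/shared/letsencrypt-2`, but both letsencrypt compose files in this commit mount `- /opt/shared/letsencrypt:/etc/letsencrypt`, so renewals produced by the `updates` service never reach nginx and the `live/xai-corp.net/` files it serves go stale. Only readme.md uses the `-2` path. Whichever directory is canonical, all three should name it; matching the compose files would be `- /opt/shared/letsencrypt:/etc/letsencrypt:ro`.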
diff --git a/dockerfiles/services/sslproxy/hosts/dkregistry.xai-corp.net.conf b/dockerfiles/services/sslproxy/hosts/dkregistry.xai-corp.net.conf
index 2e7787f..907ecec 100644
--- a/dockerfiles/services/sslproxy/hosts/dkregistry.xai-corp.net.conf
+++ b/dockerfiles/services/sslproxy/hosts/dkregistry.xai-corp.net.conf
@@ -11,8 +11,8 @@ map $upstream_http_docker_distribution_api_version $docker_distribution_api_vers
server {
listen 443 ssl;
server_name dkregistry.xai-corp.net;
- ssl_certificate /etc/letsencrypt/live/dkregistry.xai-corp.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/dkregistry.xai-corp.net/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/xai-corp.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/xai-corp.net/privkey.pem;
# Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1.1 TLSv1.2;
diff --git a/dockerfiles/services/sslproxy/hosts/dkui.xai-corp.net.conf b/dockerfiles/services/sslproxy/hosts/dkui.xai-corp.net.conf
index 3578999..df78772 100644
--- a/dockerfiles/services/sslproxy/hosts/dkui.xai-corp.net.conf
+++ b/dockerfiles/services/sslproxy/hosts/dkui.xai-corp.net.conf
@@ -2,8 +2,8 @@
server {
listen 443 ssl;
server_name dkui.xai-corp.net;
- ssl_certificate /etc/letsencrypt/live/dkui.xai-corp.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/dkui.xai-corp.net/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/xai-corp.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/xai-corp.net/privkey.pem;
#Strict-Transport-Security: max-age=15768000
add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
diff --git a/dockerfiles/services/sslproxy/hosts/fs.xai-corp.net.conf b/dockerfiles/services/sslproxy/hosts/fs.xai-corp.net.conf
index f98a3e4..f311c45 100644
--- a/dockerfiles/services/sslproxy/hosts/fs.xai-corp.net.conf
+++ b/dockerfiles/services/sslproxy/hosts/fs.xai-corp.net.conf
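Review bot: Every vhost now points at `/etc/letsencrypt/live/xai-corp.net/`, a path that exists only because certbot names the lineage after the first requested domain (`LETSENCRYPT_DOMAIN1: xai-corp.net` in both letsencrypt compose files) and because each later run expands that same lineage rather than creating a sibling such as `xai-corp.net-0001`, which certbot can do when the domain set changes and it is not told to expand; the same coupling applies to the dkui, fs, git, jenkins and xaibox confs. A comment above the two directives would make it visible: `# shared SAN cert for all xai-corp.net vhosts; lineage name = LETSENCRYPT_DOMAIN1 in services/letsencrypt/docker-compose-*.yml`. Unchanged context two lines below still lists `ssl_protocols TLSv1.1 TLSv1.2;`; dropping TLSv1.1 would be a reasonable follow-up now that the TLS block is being revisited.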
@@ -2,8 +2,8 @@
server {
listen 443 ssl;
server_name fs.xai-corp.net;
- ssl_certificate /etc/letsencrypt/live/fs.xai-corp.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/fs.xai-corp.net/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/xai-corp.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/xai-corp.net/privkey.pem;
#Strict-Transport-Security: max-age=15768000
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
diff --git a/dockerfiles/services/sslproxy/hosts/git.xai-corp.net.conf b/dockerfiles/services/sslproxy/hosts/git.xai-corp.net.conf
index addc291..21410b0 100644
--- a/dockerfiles/services/sslproxy/hosts/git.xai-corp.net.conf
+++ b/dockerfiles/services/sslproxy/hosts/git.xai-corp.net.conf
@@ -2,8 +2,8 @@
server {
listen 443 ssl;
server_name git.xai-corp.net;
- ssl_certificate /etc/letsencrypt/live/git.xai-corp.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/git.xai-corp.net/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/xai-corp.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/xai-corp.net/privkey.pem;
#Strict-Transport-Security: max-age=15768000
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
diff --git a/dockerfiles/services/sslproxy/hosts/jenkins.xai-corp.net.conf b/dockerfiles/services/sslproxy/hosts/jenkins.xai-corp.net.conf
index f4f09da..5c8fa84 100644
--- a/dockerfiles/services/sslproxy/hosts/jenkins.xai-corp.net.conf
+++ b/dockerfiles/services/sslproxy/hosts/jenkins.xai-corp.net.conf
@@ -2,8 +2,8 @@
server {
listen 443 ssl;
server_name jenkins.xai-corp.net;
- ssl_certificate /etc/letsencrypt/live/jenkins.xai-corp.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/jenkins.xai-corp.net/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/xai-corp.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/xai-corp.net/privkey.pem;
#Strict-Transport-Security: max-age=15768000
add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
diff --git a/dockerfiles/services/sslproxy/hosts/letsencrypt.conf b/dockerfiles/services/sslproxy/hosts/letsencrypt.conf
new file mode 100644
index 0000000..de86b66
--- /dev/null
+++ b/dockerfiles/services/sslproxy/hosts/letsencrypt.conf
@@ -0,0 +1,13 @@
+# proxy for unsecured traffic for letsencrypt verification
+server {
+ listen 80 default_server;
+ server_name _
+
+ client_max_body_size 200m;
+
+ location / {
+ proxy_set_header Connection $http_connection;
+ proxy_pass http://dkhost.xai-corp.net:83;
+ }
+
+}
diff --git a/dockerfiles/services/sslproxy/hosts/logs.xai-corp.net.conf b/dockerfiles/services/sslproxy/hosts/logs.xai-corp.net.conf
deleted file mode 100644
index a41b3dd..0000000
--- a/dockerfiles/services/sslproxy/hosts/logs.xai-corp.net.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# logs.xai-corp.net
-server {
- listen 443 ssl;
- server_name logs.xai-corp.net;
- ssl_certificate /etc/letsencrypt/live/logs.xai-corp.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/logs.xai-corp.net/privkey.pem;
- #Strict-Transport-Security: max-age=15768000
- add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
-
- location / {
- proxy_set_header Connection $http_connection;
- proxy_pass http://dkhost.xai-corp.net:10090;
- }
-
-}
diff --git a/dockerfiles/services/sslproxy/hosts/tripbuilder.xai-corp.net.conf b/dockerfiles/services/sslproxy/hosts/tripbuilder.xai-corp.net.conf
deleted file mode 100644
index c359dd7..0000000
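Review bot: `server_name _` in the new letsencrypt.conf has no terminating `;`, so nginx treats the following `client_max_body_size 200m;` as two further server names and the body-size directive is silently lost; the line should read `server_name _;`. Beyond that, `location /` forwards every plaintext request for every hostname to the certificate container on :83, although HTTP-01 validation only needs `/.well-known/acme-challenge/`; the rest of port 80 is better answered with a redirect to the HTTPS vhosts, which already set Strict-Transport-Security, so that no unrelated cleartext traffic is terminated by the certificate tool. A rewrite along those lines is below; `client_max_body_size` is left as it is.
```nginx
server {
    listen 80 default_server;
    server_name _;
    # … unchanged: client_max_body_size …

    # only the ACME HTTP-01 path is handed to the certbot container
    location /.well-known/acme-challenge/ {
        proxy_set_header Connection $http_connection;
        proxy_pass http://dkhost.xai-corp.net:83;
    }

    # everything else on :80 is sent to the HTTPS vhosts
    location / {
        return 301 https://$host$request_uri;
    }
}
```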
--- a/dockerfiles/services/sslproxy/hosts/tripbuilder.xai-corp.net.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# tripbuilder.xai-corp.net
-server {
- listen 443 ssl;
- server_name tripbuilder.xai-corp.net;
- ssl_certificate /etc/letsencrypt/live/tripbuilder.xai-corp.net/cert.pem;
- ssl_certificate_key /etc/letsencrypt/live/tripbuilder.xai-corp.net/privkey.pem;
-
- #Strict-Transport-Security: max-age=15768000
- add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;
-
- location / {
- proxy_pass http://dkhost.xai-corp.net:8080;
- }
-}
diff --git a/dockerfiles/services/sslproxy/hosts/xaibox.xai-corp.net.conf b/dockerfiles/services/sslproxy/hosts/xaibox.xai-corp.net.conf
index 4d0a89e..f07d15a 100644
--- a/dockerfiles/services/sslproxy/hosts/xaibox.xai-corp.net.conf
+++ b/dockerfiles/services/sslproxy/hosts/xaibox.xai-corp.net.conf
@@ -2,8 +2,8 @@
server {
listen 443 ssl;
server_name xaibox.xai-corp.net;
- ssl_certificate /etc/letsencrypt/live/xaibox.xai-corp.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/xaibox.xai-corp.net/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/xai-corp.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/xai-corp.net/privkey.pem;
client_max_body_size 200m;
diff --git a/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2 b/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
index 1f0e4f3..2e5c53a 100644
--- a/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
+++ b/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2
@@ -9,7 +9,7 @@ $TTL 1D
xai-corp.net. IN NS ns.xai-corp.net.
xai-corp.net. IN MX 0 mail.xai-corp.net.
xai-corp.net. IN TXT "v=spf1 ip4:192.168.2.11/32 mx ptr mx:mail.xai-corp.net ~all"
-mail IN A 192.168.2.12
+;mail IN A 192.168.2.12
gateway IN A 192.168.2.1
wireless IN A 192.168.2.3
@@ -57,3 +57,6 @@ mysql IN CNAME dkhost
tripbuilder IN CNAME dkhost
xaibox IN CNAME dkhost
office IN CNAME dkhost
+www IN CNAME dkhost
+mail IN CNAME dkhost
+; xai-corp.net. IN CNAME dkhost
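Review bot: With `mail IN CNAME dkhost` added here and `mail IN A 192.168.2.12` commented out in the -9 hunk of this file, the zone's `xai-corp.net. IN MX 0 mail.xai-corp.net.` now targets an alias, which RFC 2181 §10.3 forbids and which some resolvers and MTAs reject; give `mail` an address record instead, `mail IN A <dkhost address>` (placeholder — take the value from dkhost's own record). The commented-out apex line is correctly left disabled, since a CNAME cannot coexist with the SOA/NS/MX records at `xai-corp.net.`; if the apex must resolve to dkhost, use an `A` record for `@`. Unchanged context still carries `tripbuilder IN CNAME dkhost` although this commit deletes the tripbuilder vhost, so that name may be stale as well.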