From 22760e622b99d2cb7c83cbc1e09a05ff94e6a924 Mon Sep 17 00:00:00 2001
From: Dan Buch
Date: Thu, 13 Feb 2020 11:03:11 -0500
Subject: [PATCH] Use cert bits from home directory to allow for safer+easier remote updates
---
 nginx-sites-default.conf.tpl | 4 ++--
 spoke-app-provision | 16 ++++++++--------
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/nginx-sites-default.conf.tpl b/nginx-sites-default.conf.tpl
index 606a848..ecd0c18 100644
--- a/nginx-sites-default.conf.tpl
+++ b/nginx-sites-default.conf.tpl
@@ -5,8 +5,8 @@ server {
 listen 443 ssl;
 listen [::]:443 ssl;
 server_name ${server_name};
- ssl_certificate spoke.crt;
- ssl_certificate_key spoke.key;
+ ssl_certificate /home/spoke/spoke.crt;
+ ssl_certificate_key /home/spoke/spoke.key;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers HIGH:!aNULL:!MD5;
 access_log /var/log/nginx/spoke.access.log combined;
diff --git a/spoke-app-provision b/spoke-app-provision
index 6ab01a9..f45e287 100755
--- a/spoke-app-provision
+++ b/spoke-app-provision
@@ -59,14 +59,6 @@ _run_system0() {
 psql -c "ALTER USER spoke WITH PASSWORD '\${DB_PASSWORD}';"
 PGSETUP
- mv -v /tmp/spoke.crt /etc/nginx/spoke.crt
- mv -v /tmp/spoke.key /etc/nginx/spoke.key
- chmod 0600 /etc/nginx/spoke.crt /etc/nginx/spoke.key
- cp -v /tmp/nginx-sites-default.conf /etc/nginx/sites-available/default
- ln -svf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
- sha1sum /etc/nginx/sites-available/default
- systemctl restart nginx
-
 if ! command -v yarn; then
 curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
 echo "deb https://dl.yarnpkg.com/debian/ stable main" | 
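Review bot: The new `ssl_certificate_key /home/spoke/spoke.key;` points nginx at a file inside a directory the provision script hands to the unprivileged spoke account (`chown -R spoke:spoke /home/spoke` in spoke-app-provision), so anything that can write as spoke can replace the certificate and key nginx loads on its next restart; that is the stated goal of the change, but it also means a compromise of the app user now reaches the TLS identity, and the template should record that trade-off. Add above the two directives `# cert/key live in the spoke home so they can be rotated without root; the nginx master (normally root) reads them at (re)start, and the provision script keeps them 0600`. Nothing in the template itself enforces that mode, so the comment is the only place a reader of this file learns the key is expected to be non-world-readable. While here, the adjacent context line `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, which are deprecated; narrowing it to `ssl_protocols TLSv1.2;` is a separate, cheap hardening.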
@@ -81,6 +73,14 @@ PGSETUP
 sudo chsh -s /bin/bash spoke
 sudo chown -R spoke:spoke /home/spoke
+
+ mv -v /tmp/spoke.crt /home/spoke/spoke.crt
+ mv -v /tmp/spoke.key /home/spoke/spoke.key
+ chmod 0600 /home/spoke/spoke.crt /home/spoke/spoke.key
+ cp -v /tmp/nginx-sites-default.conf /etc/nginx/sites-available/default
+ ln -svf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
+ sha1sum /etc/nginx/sites-available/default
+ systemctl restart nginx
 }
 _run_system1() {
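Review bot: The moved key and certificate are never handed to the spoke user: `chown -R spoke:spoke /home/spoke` runs two lines earlier, and `mv` keeps the ownership the files had in /tmp, so after the new `chmod 0600` line only that original owner (presumably the root/provisioning account) can read or rewrite them — which undercuts the commit's aim of letting spoke rotate them remotely unless /tmp/spoke.* were already created as spoke. Add `chown spoke:spoke /home/spoke/spoke.crt /home/spoke/spoke.key` directly after the chmod line, or move the two `mv` lines above the recursive chown so it covers them. Separately, the private key sits in /tmp with whatever mode it was uploaded with until this block runs; if the upload step does not already restrict it, `chmod 0600 /tmp/spoke.key` belongs at upload time rather than only after the move. `_run_system0` begins outside the hunk.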