Added SSL cert generation and installation. Moved variables to ENV

2025-05-20 12:45:55 -05:00
parent 5bc7a72a92
commit 732667cf64
8 changed files with 102 additions and 6 deletions
--- a/infrastructure/stack.py
+++ b/infrastructure/stack.py
@@ -11,7 +11,15 @@ from aws_cdk import (
 from constructs import Construct

 class IptvUpdaterStack(Stack):
-    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
+    def __init__(
+            self,
+            scope: Construct,
+            construct_id: str,
+            freedns_user: str,
+            freedns_password: str,
+            domain_name: str,
+            **kwargs
+        ) -> None:
        super().__init__(scope, construct_id, **kwargs)

        # Create VPC
@@ -151,11 +159,20 @@ class IptvUpdaterStack(Stack):

        # Creates a userdata object for Linux hosts
        userdata = ec2.UserData.for_linux()
+        
+        # Add environment variables for acme.sh from parameters
+        userdata.add_commands(
+            f'export FREEDNS_User="{freedns_user}"',
+            f'export FREEDNS_Password="{freedns_password}"',
+            f'export DOMAIN_NAME="{domain_name}"'
+        )
+        
        # Adds one or more commands to the userdata object.
        userdata.add_commands(
            f'echo "COGNITO_USER_POOL_ID={user_pool.user_pool_id}" >> /etc/environment',
            f'echo "COGNITO_CLIENT_ID={client.user_pool_client_id}" >> /etc/environment',
-            f'echo "COGNITO_CLIENT_SECRET={client.user_pool_client_secret.to_string()}" >> /etc/environment'
+            f'echo "COGNITO_CLIENT_SECRET={client.user_pool_client_secret.to_string()}" >> /etc/environment',
+            f'echo "DOMAIN_NAME={domain_name}" >> /etc/environment'
        )
        userdata.add_commands(str(userdata_file, 'utf-8'))

--- a/infrastructure/userdata.sh
+++ b/infrastructure/userdata.sh
@@ -32,11 +32,33 @@ Restart=always
 WantedBy=multi-user.target
 EOF

+# Install and configure acme.sh
+curl https://get.acme.sh | sh -s email=stefano@fiorinis.com
+
+# Configure acme.sh to use DNS API for FreeDNS
+. "/root/.acme.sh/acme.sh.env"
+acme.sh --issue --dns dns_freedns -d ${DOMAIN_NAME} -d *.${DOMAIN_NAME}
+sudo mkdir -p /etc/nginx/ssl
+acme.sh --install-cert -d ${DOMAIN_NAME} -d *.${DOMAIN_NAME} \
+    --key-file /etc/nginx/ssl/${DOMAIN_NAME}.pem \
+    --fullchain-file /etc/nginx/ssl/cert.pem \
+    --reloadcmd "service nginx force-reload"
+
 # Create nginx config
 cat << 'EOF' > /etc/nginx/conf.d/iptvUpdater.conf
 server {
    listen 80;
-    server_name $HOSTNAME;
+    server_name ${DOMAIN_NAME} *.${DOMAIN_NAME};
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl;
+    server_name ${DOMAIN_NAME} *.${DOMAIN_NAME};
+
+    ssl_certificate /etc/nginx/ssl/cert.pem;
+    ssl_certificate_key /etc/nginx/ssl/${DOMAIN_NAME}.pem;
+
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;