The nodes requiring certificates are:
-* CLUSTER.DOMAIN
-* collections.CLUSTER.DOMAIN
-* \*.collections.CLUSTER.DOMAIN
-* download.CLUSTER.DOMAIN
-* keep.CLUSTER.DOMAIN
-* workbench.CLUSTER.DOMAIN
-* workbench2.CLUSTER.DOMAIN
-* ws.CLUSTER.DOMAIN
+* DOMAIN
+* collections.DOMAIN
+* controller.DOMAIN
+* \*.collections.DOMAIN
+* grafana.DOMAIN
+* download.DOMAIN
+* keep.DOMAIN
+* prometheus.DOMAIN
+* shell.DOMAIN
+* workbench.DOMAIN
+* workbench2.DOMAIN
+* ws.DOMAIN
They can be individual certificates or a wildcard certificate for all of them.
resources:
virtual_machines:
shell:
- name: shell.__CLUSTER__.__DOMAIN__
+ name: shell.__DOMAIN__
backend: __SHELL_INT_IP__
port: 4200
Services:
Controller:
- ExternalURL: 'https://__CLUSTER__.__DOMAIN__:__CONTROLLER_EXT_SSL_PORT__'
+ ExternalURL: 'https://__DOMAIN__:__CONTROLLER_EXT_SSL_PORT__'
InternalURLs:
'http://localhost:8003': {}
DispatchCloud:
InternalURLs:
'http://__CONTROLLER_INT_IP__:9005': {}
Keepproxy:
- ExternalURL: 'https://keep.__CLUSTER__.__DOMAIN__:__KEEP_EXT_SSL_PORT__'
+ ExternalURL: 'https://keep.__DOMAIN__:__KEEP_EXT_SSL_PORT__'
InternalURLs:
'http://localhost:25107': {}
Keepstore:
InternalURLs:
'http://localhost:8004': {}
WebDAV:
- ExternalURL: 'https://*.collections.__CLUSTER__.__DOMAIN__:__KEEPWEB_EXT_SSL_PORT__/'
+ ExternalURL: 'https://*.collections.__DOMAIN__:__KEEPWEB_EXT_SSL_PORT__/'
InternalURLs:
'http://__KEEPWEB_INT_IP__:9002': {}
WebDAVDownload:
- ExternalURL: 'https://download.__CLUSTER__.__DOMAIN__:__KEEPWEB_EXT_SSL_PORT__'
+ ExternalURL: 'https://download.__DOMAIN__:__KEEPWEB_EXT_SSL_PORT__'
WebShell:
- ExternalURL: 'https://webshell.__CLUSTER__.__DOMAIN__:__KEEPWEB_EXT_SSL_PORT__'
+ ExternalURL: 'https://webshell.__DOMAIN__:__KEEPWEB_EXT_SSL_PORT__'
Websocket:
- ExternalURL: 'wss://ws.__CLUSTER__.__DOMAIN__/websocket'
+ ExternalURL: 'wss://ws.__DOMAIN__/websocket'
InternalURLs:
'http://localhost:8005': {}
Workbench1:
- ExternalURL: 'https://workbench.__CLUSTER__.__DOMAIN__:__WORKBENCH1_EXT_SSL_PORT__'
+ ExternalURL: 'https://workbench.__DOMAIN__:__WORKBENCH1_EXT_SSL_PORT__'
Workbench2:
- ExternalURL: 'https://workbench2.__CLUSTER__.__DOMAIN__:__WORKBENCH2_EXT_SSL_PORT__'
+ ExternalURL: 'https://workbench2.__DOMAIN__:__WORKBENCH2_EXT_SSL_PORT__'
InstanceTypes:
t3small:
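Review bot: The new `WebShell` `ExternalURL` still ends in `__KEEPWEB_EXT_SSL_PORT__`, while the webshell nginx server block elsewhere in this change listens on `__WEBSHELL_EXT_SSL_PORT__`. If the two placeholders are ever given different values, the advertised URL would point clients at the keep-web listener instead of the webshell one. Since the line is being rewritten anyway, consider `ExternalURL: 'https://webshell.__DOMAIN__:__WEBSHELL_EXT_SSL_PORT__'`, assuming that placeholder is also substituted in this pillar.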
- pkg: grafana
config:
default:
- instance_name: __CLUSTER__.__DOMAIN__
+ instance_name: __DOMAIN__
security:
admin_user: {{ "__MONITORING_USERNAME__" | yaml_dquote }}
admin_password: {{ "__MONITORING_PASSWORD__" | yaml_dquote }}
protocol: http
http_addr: 127.0.0.1
http_port: 3000
- domain: grafana.__CLUSTER__.__DOMAIN__
- root_url: https://grafana.__CLUSTER__.__DOMAIN__
+ domain: grafana.__DOMAIN__
+ root_url: https://grafana.__DOMAIN__
### LETSENCRYPT
letsencrypt:
domainsets:
- controller.__CLUSTER__.__DOMAIN__:
- - __CLUSTER__.__DOMAIN__
+ controller.__DOMAIN__:
+ - __DOMAIN__
### LETSENCRYPT
letsencrypt:
domainsets:
- grafana.__CLUSTER__.__DOMAIN__:
- - grafana.__CLUSTER__.__DOMAIN__
+ grafana.__DOMAIN__:
+ - grafana.__DOMAIN__
### LETSENCRYPT
letsencrypt:
domainsets:
- keepproxy.__CLUSTER__.__DOMAIN__:
- - keep.__CLUSTER__.__DOMAIN__
+ keepproxy.__DOMAIN__:
+ - keep.__DOMAIN__
### LETSENCRYPT
letsencrypt:
domainsets:
- download.__CLUSTER__.__DOMAIN__:
- - download.__CLUSTER__.__DOMAIN__
- collections.__CLUSTER__.__DOMAIN__:
- - collections.__CLUSTER__.__DOMAIN__
- - '*.collections.__CLUSTER__.__DOMAIN__'
+ download.__DOMAIN__:
+ - download.__DOMAIN__
+ collections.__DOMAIN__:
+ - collections.__DOMAIN__
+ - '*.collections.__DOMAIN__'
### LETSENCRYPT
letsencrypt:
domainsets:
- prometheus.__CLUSTER__.__DOMAIN__:
- - prometheus.__CLUSTER__.__DOMAIN__
+ prometheus.__DOMAIN__:
+ - prometheus.__DOMAIN__
### LETSENCRYPT
letsencrypt:
domainsets:
- webshell.__CLUSTER__.__DOMAIN__:
- - webshell.__CLUSTER__.__DOMAIN__
+ webshell.__DOMAIN__:
+ - webshell.__DOMAIN__
### LETSENCRYPT
letsencrypt:
domainsets:
- websocket.__CLUSTER__.__DOMAIN__:
- - ws.__CLUSTER__.__DOMAIN__
+ websocket.__DOMAIN__:
+ - ws.__DOMAIN__
### LETSENCRYPT
letsencrypt:
domainsets:
- workbench2.__CLUSTER__.__DOMAIN__:
- - workbench2.__CLUSTER__.__DOMAIN__
+ workbench2.__DOMAIN__:
+ - workbench2.__DOMAIN__
### LETSENCRYPT
letsencrypt:
domainsets:
- workbench.__CLUSTER__.__DOMAIN__:
- - workbench.__CLUSTER__.__DOMAIN__
+ workbench.__DOMAIN__:
+ - workbench.__DOMAIN__
- server_name: api
- root: /var/www/arvados-api/current/public
- index: index.html index.htm
- - access_log: /var/log/nginx/api.__CLUSTER__.__DOMAIN__-upstream.access.log combined
- - error_log: /var/log/nginx/api.__CLUSTER__.__DOMAIN__-upstream.error.log
+ - access_log: /var/log/nginx/api.__DOMAIN__-upstream.access.log combined
+ - error_log: /var/log/nginx/api.__DOMAIN__-upstream.error.log
- passenger_enabled: 'on'
- client_max_body_size: 128m
overwrite: true
config:
- server:
- - server_name: '~^(.*\.)?collections\.__CLUSTER__\.__DOMAIN__'
+ - server_name: '~^(.*\.)?collections\.__DOMAIN__'
- listen:
- 80
- location /:
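Review bot: The regex `server_name` on the new line is looser than the hostname it is meant to match. `__DOMAIN__` now carries the whole suffix, so every dot inside it is an unescaped regex wildcard, and the pattern has no `$` anchor, so a Host value that merely begins with the collections hostname also selects this server block. The same line appears in the TLS server block of this file. Anchoring is a small change, `- server_name: '~^(.*\.)?collections\.__DOMAIN__$'`; escaping the dots would have to happen where the installer substitutes `__DOMAIN__`, which is outside this hunk. The removed line escaped the separator between the two placeholders, so the new pattern is slightly wider than before.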
__CERT_REQUIRES__
config:
- server:
- - server_name: '~^(.*\.)?collections\.__CLUSTER__\.__DOMAIN__'
+ - server_name: '~^(.*\.)?collections\.__DOMAIN__'
- listen:
- __KEEPWEB_EXT_SSL_PORT__ http2 ssl
- index: index.html index.htm
{%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
{%- endif %}
- - access_log: /var/log/nginx/collections.__CLUSTER__.__DOMAIN__.access.log combined
- - error_log: /var/log/nginx/collections.__CLUSTER__.__DOMAIN__.error.log
+ - access_log: /var/log/nginx/collections.__DOMAIN__.access.log combined
+ - error_log: /var/log/nginx/collections.__DOMAIN__.error.log
overwrite: true
config:
- server:
- - server_name: __CLUSTER__.__DOMAIN__
+ - server_name: __DOMAIN__
- listen:
- 80 default
- location /.well-known:
__CERT_REQUIRES__
config:
- server:
- - server_name: __CLUSTER__.__DOMAIN__
+ - server_name: __DOMAIN__
- listen:
- __CONTROLLER_EXT_SSL_PORT__ http2 ssl
- index: index.html index.htm
{%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
{%- endif %}
- - access_log: /var/log/nginx/controller.__CLUSTER__.__DOMAIN__.access.log combined
- - error_log: /var/log/nginx/controller.__CLUSTER__.__DOMAIN__.error.log
+ - access_log: /var/log/nginx/controller.__DOMAIN__.access.log combined
+ - error_log: /var/log/nginx/controller.__DOMAIN__.error.log
- client_max_body_size: 128m
overwrite: true
config:
- server:
- - server_name: download.__CLUSTER__.__DOMAIN__
+ - server_name: download.__DOMAIN__
- listen:
- 80
- location /:
__CERT_REQUIRES__
config:
- server:
- - server_name: download.__CLUSTER__.__DOMAIN__
+ - server_name: download.__DOMAIN__
- listen:
- __KEEPWEB_EXT_SSL_PORT__ http2 ssl
- index: index.html index.htm
{%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
{%- endif %}
- - access_log: /var/log/nginx/download.__CLUSTER__.__DOMAIN__.access.log combined
- - error_log: /var/log/nginx/download.__CLUSTER__.__DOMAIN__.error.log
+ - access_log: /var/log/nginx/download.__DOMAIN__.access.log combined
+ - error_log: /var/log/nginx/download.__DOMAIN__.error.log
overwrite: true
config:
- server:
- - server_name: grafana.__CLUSTER__.__DOMAIN__
+ - server_name: grafana.__DOMAIN__
- listen:
- 80
- location /.well-known:
__CERT_REQUIRES__
config:
- server:
- - server_name: grafana.__CLUSTER__.__DOMAIN__
+ - server_name: grafana.__DOMAIN__
- listen:
- 443 http2 ssl
- index: index.html index.htm
{%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
{%- endif %}
- - access_log: /var/log/nginx/grafana.__CLUSTER__.__DOMAIN__.access.log combined
- - error_log: /var/log/nginx/grafana.__CLUSTER__.__DOMAIN__.error.log
+ - access_log: /var/log/nginx/grafana.__DOMAIN__.access.log combined
+ - error_log: /var/log/nginx/grafana.__DOMAIN__.error.log
overwrite: true
config:
- server:
- - server_name: keep.__CLUSTER__.__DOMAIN__
+ - server_name: keep.__DOMAIN__
- listen:
- 80
- location /:
__CERT_REQUIRES__
config:
- server:
- - server_name: keep.__CLUSTER__.__DOMAIN__
+ - server_name: keep.__DOMAIN__
- listen:
- __KEEP_EXT_SSL_PORT__ http2 ssl
- index: index.html index.htm
{%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
{%- endif %}
- - access_log: /var/log/nginx/keepproxy.__CLUSTER__.__DOMAIN__.access.log combined
- - error_log: /var/log/nginx/keepproxy.__CLUSTER__.__DOMAIN__.error.log
+ - access_log: /var/log/nginx/keepproxy.__DOMAIN__.access.log combined
+ - error_log: /var/log/nginx/keepproxy.__DOMAIN__.error.log
overwrite: true
config:
- server:
- - server_name: prometheus.__CLUSTER__.__DOMAIN__
+ - server_name: prometheus.__DOMAIN__
- listen:
- 80
- location /.well-known:
__CERT_REQUIRES__
config:
- server:
- - server_name: prometheus.__CLUSTER__.__DOMAIN__
+ - server_name: prometheus.__DOMAIN__
- listen:
- 443 http2 ssl
- index: index.html index.htm
{%- endif %}
- auth_basic: '"Restricted Area"'
- auth_basic_user_file: htpasswd
- - access_log: /var/log/nginx/prometheus.__CLUSTER__.__DOMAIN__.access.log combined
- - error_log: /var/log/nginx/prometheus.__CLUSTER__.__DOMAIN__.error.log
+ - access_log: /var/log/nginx/prometheus.__DOMAIN__.access.log combined
+ - error_log: /var/log/nginx/prometheus.__DOMAIN__.error.log
### STREAMS
http:
upstream webshell_upstream:
- - server: 'shell.__CLUSTER__.__DOMAIN__:4200 fail_timeout=10s'
+ - server: 'shell.__DOMAIN__:4200 fail_timeout=10s'
### SITES
servers:
overwrite: true
config:
- server:
- - server_name: webshell.__CLUSTER__.__DOMAIN__
+ - server_name: webshell.__DOMAIN__
- listen:
- 80
- location /:
__CERT_REQUIRES__
config:
- server:
- - server_name: webshell.__CLUSTER__.__DOMAIN__
+ - server_name: webshell.__DOMAIN__
- listen:
- __WEBSHELL_EXT_SSL_PORT__ http2 ssl
- index: index.html index.htm
- - location /shell.__CLUSTER__.__DOMAIN__:
+ - location /shell.__DOMAIN__:
- proxy_pass: 'http://webshell_upstream'
- proxy_read_timeout: 90
- proxy_connect_timeout: 90
{%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
{%- endif %}
- - access_log: /var/log/nginx/webshell.__CLUSTER__.__DOMAIN__.access.log combined
- - error_log: /var/log/nginx/webshell.__CLUSTER__.__DOMAIN__.error.log
+ - access_log: /var/log/nginx/webshell.__DOMAIN__.access.log combined
+ - error_log: /var/log/nginx/webshell.__DOMAIN__.error.log
overwrite: true
config:
- server:
- - server_name: ws.__CLUSTER__.__DOMAIN__
+ - server_name: ws.__DOMAIN__
- listen:
- 80
- location /:
__CERT_REQUIRES__
config:
- server:
- - server_name: ws.__CLUSTER__.__DOMAIN__
+ - server_name: ws.__DOMAIN__
- listen:
- __CONTROLLER_EXT_SSL_PORT__ http2 ssl
- index: index.html index.htm
{%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
{%- endif %}
- - access_log: /var/log/nginx/ws.__CLUSTER__.__DOMAIN__.access.log combined
- - error_log: /var/log/nginx/ws.__CLUSTER__.__DOMAIN__.error.log
+ - access_log: /var/log/nginx/ws.__DOMAIN__.access.log combined
+ - error_log: /var/log/nginx/ws.__DOMAIN__.error.log
overwrite: true
config:
- server:
- - server_name: workbench2.__CLUSTER__.__DOMAIN__
+ - server_name: workbench2.__DOMAIN__
- listen:
- 80
- location /:
__CERT_REQUIRES__
config:
- server:
- - server_name: workbench2.__CLUSTER__.__DOMAIN__
+ - server_name: workbench2.__DOMAIN__
- listen:
- __CONTROLLER_EXT_SSL_PORT__ http2 ssl
- index: index.html index.htm
- 'if (-f $document_root/maintenance.html)':
- return: 503
- location /config.json:
- - return: {{ "200 '" ~ '{"API_HOST":"__CLUSTER__.__DOMAIN__:__CONTROLLER_EXT_SSL_PORT__"}' ~ "'" }}
+ - return: {{ "200 '" ~ '{"API_HOST":"__DOMAIN__:__CONTROLLER_EXT_SSL_PORT__"}' ~ "'" }}
- include: snippets/ssl_hardening_default.conf
- ssl_certificate: __CERT_PEM__
- ssl_certificate_key: __CERT_KEY__
{%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
{%- endif %}
- - access_log: /var/log/nginx/workbench2.__CLUSTER__.__DOMAIN__.access.log combined
- - error_log: /var/log/nginx/workbench2.__CLUSTER__.__DOMAIN__.error.log
+ - access_log: /var/log/nginx/workbench2.__DOMAIN__.access.log combined
+ - error_log: /var/log/nginx/workbench2.__DOMAIN__.error.log
overwrite: true
config:
- server:
- - server_name: workbench.__CLUSTER__.__DOMAIN__
+ - server_name: workbench.__DOMAIN__
- listen:
- 80
- location /:
__CERT_REQUIRES__
config:
- server:
- - server_name: workbench.__CLUSTER__.__DOMAIN__
+ - server_name: workbench.__DOMAIN__
- listen:
- __CONTROLLER_EXT_SSL_PORT__ http2 ssl
- index: index.html index.htm
{%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
{%- endif %}
- - access_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.access.log combined
- - error_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.error.log
+ - access_log: /var/log/nginx/workbench.__DOMAIN__.access.log combined
+ - error_log: /var/log/nginx/workbench.__DOMAIN__.error.log
arvados_workbench_upstream:
enabled: true
- index: index.html index.htm
- passenger_enabled: 'on'
# yamllint disable-line rule:line-length
- - access_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__-upstream.access.log combined
- - error_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__-upstream.error.log
+ - access_log: /var/log/nginx/workbench.__DOMAIN__-upstream.access.log combined
+ - error_log: /var/log/nginx/workbench.__DOMAIN__-upstream.error.log
bearer_token: __MANAGEMENT_TOKEN__
scheme: https
static_configs:
- - targets: ['ws.__CLUSTER__.__DOMAIN__:443']
+ - targets: ['ws.__DOMAIN__:443']
labels:
instance: ws.__CLUSTER__
cluster: __CLUSTER__
bearer_token: __MANAGEMENT_TOKEN__
scheme: https
static_configs:
- - targets: ['__CLUSTER__.__DOMAIN__:443']
+ - targets: ['__DOMAIN__:443']
labels:
instance: controller.__CLUSTER__
cluster: __CLUSTER__
bearer_token: __MANAGEMENT_TOKEN__
scheme: https
static_configs:
- - targets: ['keep.__CLUSTER__.__DOMAIN__:443']
+ - targets: ['keep.__DOMAIN__:443']
labels:
instance: keep-web.__CLUSTER__
cluster: __CLUSTER__
'workbench',
'shell',
] %}
- - targets: [ "{{ node }}.__CLUSTER__.__DOMAIN__:9100" ]
+ - targets: [ "{{ node }}.__DOMAIN__:9100" ]
labels:
instance: "{{ node }}.__CLUSTER__"
cluster: __CLUSTER__
exit 1
fi
- export ARVADOS_API_HOST="${CLUSTER}.${DOMAIN}:${CONTROLLER_EXT_SSL_PORT}"
+ export ARVADOS_API_HOST="${DOMAIN}:${CONTROLLER_EXT_SSL_PORT}"
export ARVADOS_API_TOKEN="$SYSTEM_ROOT_TOKEN"
arvados-client diagnostics $LOCATION
# The Arvados cluster ID, needs to be 5 lowercase alphanumeric characters.
CLUSTER="cluster_fixme_or_this_wont_work"
-# The domain name you want to give to your cluster's hosts
-# the end result hostnames will be $SERVICE.$CLUSTER.$DOMAIN
+# The domain name you want to give to your cluster's hosts;
+# the end result hostnames will be $SERVICE.$DOMAIN
DOMAIN="domain_fixme_or_this_wont_work"
# For multi-node installs, the ssh log in for each node
INITIAL_USER=admin
# If not specified, the initial user email will be composed as
-# INITIAL_USER@CLUSTER.DOMAIN
+# INITIAL_USER@DOMAIN
INITIAL_USER_EMAIL="admin@cluster_fixme_or_this_wont_work.domain_fixme_or_this_wont_work"
INITIAL_USER_PASSWORD="fixmepassword"
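Review bot: The unchanged default `INITIAL_USER_EMAIL="admin@cluster_fixme_or_this_wont_work.domain_fixme_or_this_wont_work"` still has the old CLUSTER.DOMAIN shape, which contradicts the updated comment directly above it. Suggest changing it in the same commit to `INITIAL_USER_EMAIL="admin@domain_fixme_or_this_wont_work"`. An operator who replaces only the fixme markers then ends up with an address under the configured domain.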
# installer from the outside of the cluster's local network and still reach
# the internal servers for configuration deployment.
# Comment out to disable.
-USE_SSH_JUMPHOST="controller.${CLUSTER}.${DOMAIN}"
+USE_SSH_JUMPHOST="controller.${DOMAIN}"
# YOU SHOULD CHANGE THESE TO SOME RANDOM STRINGS
BLOB_SIGNING_KEY=fixmeblobsigningkeymushaveatleast32characters
# installer.sh will log in to each of these nodes and then provision
# it for the specified roles.
NODES=(
- [controller.${CLUSTER}.${DOMAIN}]=database,api,controller,websocket,dispatcher,keepbalance
- [workbench.${CLUSTER}.${DOMAIN}]=monitoring,workbench,workbench2,webshell,keepproxy,keepweb
- [keep0.${CLUSTER}.${DOMAIN}]=keepstore
- [shell.${CLUSTER}.${DOMAIN}]=shell
+ [controller.${DOMAIN}]=database,api,controller,websocket,dispatcher,keepbalance
+ [workbench.${DOMAIN}]=monitoring,workbench,workbench2,webshell,keepproxy,keepweb
+ [keep0.${DOMAIN}]=keepstore
+ [shell.${DOMAIN}]=shell
)
# Host SSL port where you want to point your browser to access Arvados
USE_SINGLE_HOSTNAME="no"
# We set this variable, anyway, so sed lines do not fail and we don't need to add more
# conditionals
- HOSTNAME_EXT="${CLUSTER}.${DOMAIN}"
+ HOSTNAME_EXT="${DOMAIN}"
fi
if [ "${DUMP_CONFIG}" = "yes" ]; then
CERT_NAME=${HOSTNAME_EXT}
else
# We are in a multiple-hostnames env
- CERT_NAME=${c}.${CLUSTER}.${DOMAIN}
+ CERT_NAME=${c}.${DOMAIN}
fi
# As the pillar differs whether we use LE or custom certs, we need to do a final edition on them
grep -q "letsencrypt" ${P_DIR}/top.sls || echo " - letsencrypt" >> ${P_DIR}/top.sls
for SVC in grafana prometheus; do
grep -q "letsencrypt_${SVC}_configuration" ${P_DIR}/top.sls || echo " - letsencrypt_${SVC}_configuration" >> ${P_DIR}/top.sls
- sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${SVC}.${CLUSTER}.${DOMAIN}*/g;
- s#__CERT_PEM__#/etc/letsencrypt/live/${SVC}.${CLUSTER}.${DOMAIN}/fullchain.pem#g;
- s#__CERT_KEY__#/etc/letsencrypt/live/${SVC}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \
+ sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${SVC}.${DOMAIN}*/g;
+ s#__CERT_PEM__#/etc/letsencrypt/live/${SVC}.${DOMAIN}/fullchain.pem#g;
+ s#__CERT_KEY__#/etc/letsencrypt/live/${SVC}.${DOMAIN}/privkey.pem#g" \
${P_DIR}/nginx_${SVC}_configuration.sls
done
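Review bot: `${DOMAIN}` is now the only operator-supplied part of the certificate paths and is interpolated straight into the sed program here, as well as in the two sed calls of the keepweb and per-role branches, while `${P_DIR}` is left unquoted. CLUSTER has a documented format, but nothing visible on this page constrains DOMAIN, so a value containing `#`, `/`, `&` or whitespace would produce a wrong pillar rather than an error. Quote the file argument as `"${P_DIR}/nginx_${SVC}_configuration.sls"`. Where local.params is loaded, which is outside this hunk, reject a DOMAIN that is not a plain hostname before any substitution runs.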
if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
# Special case for keepweb
if [ ${R} = "keepweb" ]; then
for kwsub in download collections; do
- sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${kwsub}.${CLUSTER}.${DOMAIN}*/g;
- s#__CERT_PEM__#/etc/letsencrypt/live/${kwsub}.${CLUSTER}.${DOMAIN}/fullchain.pem#g;
- s#__CERT_KEY__#/etc/letsencrypt/live/${kwsub}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \
+ sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${kwsub}.${DOMAIN}*/g;
+ s#__CERT_PEM__#/etc/letsencrypt/live/${kwsub}.${DOMAIN}/fullchain.pem#g;
+ s#__CERT_KEY__#/etc/letsencrypt/live/${kwsub}.${DOMAIN}/privkey.pem#g" \
${P_DIR}/nginx_${kwsub}_configuration.sls
done
else
- sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${R}.${CLUSTER}.${DOMAIN}*/g;
- s#__CERT_PEM__#/etc/letsencrypt/live/${R}.${CLUSTER}.${DOMAIN}/fullchain.pem#g;
- s#__CERT_KEY__#/etc/letsencrypt/live/${R}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \
+ sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${R}.${DOMAIN}*/g;
+ s#__CERT_PEM__#/etc/letsencrypt/live/${R}.${DOMAIN}/fullchain.pem#g;
+ s#__CERT_KEY__#/etc/letsencrypt/live/${R}.${DOMAIN}/privkey.pem#g" \
${P_DIR}/nginx_${R}_configuration.sls
fi
else
# Leave a copy of the Arvados CA so the user can copy it where it's required
if [ "${SSL_MODE}" = "self-signed" ]; then
- echo "Copying the Arvados CA certificate '${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.crt' to the installer dir, so you can import it"
+ echo "Copying the Arvados CA certificate '${DOMAIN}-arvados-snakeoil-ca.crt' to the installer dir, so you can import it"
if [ "x${VAGRANT}" = "xyes" ]; then
- cp /etc/ssl/certs/arvados-snakeoil-ca.pem /vagrant/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem
+ cp /etc/ssl/certs/arvados-snakeoil-ca.pem /vagrant/${DOMAIN}-arvados-snakeoil-ca.pem
else
- cp /etc/ssl/certs/arvados-snakeoil-ca.pem ${SCRIPT_DIR}/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.crt
+ cp /etc/ssl/certs/arvados-snakeoil-ca.pem ${SCRIPT_DIR}/${DOMAIN}-arvados-snakeoil-ca.crt
fi
fi