Only make changes in setup-app and -cert if previous config does not already exist

Author: andrew-nowak

README.md

@@ -122,18 +122,22 @@ Stops, if running, and starts nginx.
 #### `setup-cert`
 
 ```bash
-dev-nginx setup-cert demo-frontend.foobar.co.uk
+dev-nginx setup-cert demo-frontend.foobar.co.uk [--force]
 ```
 
 Uses `mkcert` to issue a certificate for a domain, writing it to `~/.gu/mkcert` and symlinking it into the directory nginx is installed.
+By default will do nothing if a certificate has been issued, installed and remains valid for the next 14 days. Include the `--force` flag
+to issue a new certificate if required.
 
 #### `setup-app`
 
 ```bash
-dev-nginx setup-app /path/to/nginx-mapping.yml
+dev-nginx setup-app [--force] /path/to/nginx-mapping.yml
 ```
 
 Generates config for nginx proxy site(s) from a config file, issues the certificate(s) and restarts nginx.
+By default will do nothing if config already exists and matches what would be generated. Include the `--force` flag to
+install config and issue new certificates if required.
 
 ##### Config format
 

script/setup-app

@@ -3,16 +3,18 @@
 require 'yaml'
 require 'fileutils'
 
-if ARGV.size != 1
-    puts "usage: setup-app <config.yml>"
+if ARGV.size != 1 and ARGV.size != 2
+    puts "usage: setup-app [--force] <config.yml>"
     exit(1)
 end
 
 HERE=File.dirname(__FILE__)
 DEFAULT_DOMAIN_ROOT = "local.dev-gutools.co.uk"
 NGINX_DIR = `#{HERE}/locate-nginx`.chomp
 
-config_file = ARGV[0]
+config_file = ARGV[0] != "--force" ? ARGV[0] : ARGV[1]
+
+force = ARGV[0] == "--force" or ARGV[1] == "--force"
 
 config = YAML.load_file(config_file)
 name = config['name']
@@ -24,32 +26,32 @@ FileUtils.mkdir_p(dest_dir)
 
 dest = File.join(dest_dir, "#{name}.conf")
 
-file = File.open(dest, 'w') do |file|
+server_config = ""
 
-    config['mappings'].each do |mapping|
+config['mappings'].each do |mapping|
 
-        domain_root = mapping['domain-root'] || global_domain_root
-        path = mapping['path'] || ''
-        websocket = mapping['websocket']
+  domain_root = mapping['domain-root'] || global_domain_root
+  path = mapping['path'] || ''
+  websocket = mapping['websocket']
 
-        domain = if mapping['prefix'] then "#{mapping['prefix']}.#{domain_root}" else "#{domain_root}" end
+  domain = if mapping['prefix'] then "#{mapping['prefix']}.#{domain_root}" else "#{domain_root}" end
 
-        client_max_body_size = mapping['client_max_body_size']
+  client_max_body_size = mapping['client_max_body_size']
 
-        file.write <<-EOS
+  server_config << <<-EOS
 server {
   listen #{port};
   server_name #{domain};
 EOS
-        if client_max_body_size
-          file.write <<-EOS
+  if client_max_body_size
+    server_config << <<-EOS
   client_max_body_size #{client_max_body_size};
 
-          EOS
-        end
+EOS
+  end
 
-        if websocket
-            file.write <<-EOS
+  if websocket
+    server_config << <<-EOS
 
     location #{websocket} {
       proxy_pass http://localhost:#{mapping['port']}#{websocket};
@@ -60,9 +62,9 @@ EOS
       proxy_buffering off;
     }
 EOS
-        end
+  end
 
-	file.write <<-EOS
+  server_config << <<-EOS
 
   location / {
     proxy_http_version 1.1;
@@ -77,8 +79,8 @@ EOS
 
 EOS
 
-        if ssl
-            file.write <<-EOS
+  if ssl
+    server_config << <<-EOS
   ssl_certificate     #{domain}.crt;
   ssl_certificate_key #{domain}.key;
 
@@ -88,15 +90,15 @@ EOS
   ssl_ciphers HIGH:!aNULL:!MD5;
   ssl_prefer_server_ciphers on;
 EOS
-        end
+  end
 
-        file.write <<-EOS
+  server_config << <<-EOS
 }
 
 EOS
 
-        if ssl
-          file.write <<-EOS
+  if ssl
+    server_config << <<-EOS
 server {
   listen 80;
   server_name #{domain};
@@ -106,13 +108,27 @@ server {
 }
 
 EOS
-        end
-        if ssl
-          `#{HERE}/setup-cert #{domain}`
-        end
-    end
+  end
+  if ssl
+    opts = force ? "--force" : ""
+    `#{HERE}/setup-cert #{domain} #{opts}`
+  end
 end
 
-puts "Restarting nginx. This needs sudo permission, please enter password when prompted."
-`#{HERE}/restart-nginx`
-puts "Done."
+begin
+  old_server_config = File.read(dest)
+rescue
+  old_server_config = ""
+end
+
+if force or old_server_config != server_config
+  file = File.open(dest, 'w') do |file|
+    file.write server_config
+    puts "Restarting nginx. This needs sudo permission, please enter password when prompted."
+    `#{HERE}/restart-nginx`
+    puts "Done."
+  end
+else
+  puts "Found existing nginx configuration for this app, so doing nothing."
+  puts "Rerun with --force to force installation of new configuration if required."
+end

script/setup-cert

@@ -45,14 +45,24 @@ DOMAIN=$1
 KEY_FILE=${CERT_DIRECTORY}/${DOMAIN}.key
 CERT_FILE=${CERT_DIRECTORY}/${DOMAIN}.crt
 
-mkcert -install
+# test certificate has been created, and installed, and does not expire in next 14 days
+if [[ "$2" != "--force" ]] && \
+  [[ -r "$CERT_FILE" ]] && \
+  [[ -r "${NGINX_HOME}/${DOMAIN}.crt" ]] && \
+  >/dev/null 2>&1 openssl x509 -in "$CERT_FILE" -noout -checkend 1209600
+then
+  echo -e "🔐 Found existing certificate for: ${YELLOW}${DOMAIN}${NC}"
+  echo -e "Rerun with --force to recreate if needed."
+else
+  mkcert -install
 
-echo -e "🔐 Creating certificate for: ${YELLOW}${DOMAIN}${NC}"
-mkdir -p ${CERT_DIRECTORY}
-mkcert -key-file=${KEY_FILE} -cert-file=${CERT_FILE} ${DOMAIN}
+  echo -e "🔐 Creating certificate for: ${YELLOW}${DOMAIN}${NC}"
+  mkdir -p ${CERT_DIRECTORY}
+  mkcert -key-file=${KEY_FILE} -cert-file=${CERT_FILE} ${DOMAIN}
 
-echo -e "Symlinking the certificate for nginx at ${NGINX_HOME}"
-ln -sf ${KEY_FILE} ${NGINX_HOME}/${DOMAIN}.key
-ln -sf ${CERT_FILE} ${NGINX_HOME}/${DOMAIN}.crt
+  echo -e "Symlinking the certificate for nginx at ${NGINX_HOME}"
+  ln -sf ${KEY_FILE} ${NGINX_HOME}/${DOMAIN}.key
+  ln -sf ${CERT_FILE} ${NGINX_HOME}/${DOMAIN}.crt
 
-echo -e "🚀 ${YELLOW}Done. Please restart nginx.${NC}"
+  echo -e "🚀 ${YELLOW}Done. Please restart nginx.${NC}"
+fi