From 027d0ed570c50112c0da4aad88422bf480b7f864 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Wed, 26 Jul 2023 16:12:33 +0200
Subject: [PATCH] Migrate IPFS proxies to openresty

---
 nodes/draco.kosmos.org.json | 4 +++-
 roles/openresty_proxy.rb | 2 +-
 site-cookbooks/kosmos-ipfs/metadata.rb | 2 +-
 .../recipes/nginx_public_gateway.rb | 18 ++++++------------
 .../default/nginx_conf_ipfs.kosmos.org.erb | 7 +++----
 5 files changed, 14 insertions(+), 19 deletions(-)

diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json
index c4383f5..810ed1f 100644
--- a/nodes/draco.kosmos.org.json
+++ b/nodes/draco.kosmos.org.json
@@ -48,6 +48,7 @@
     "kosmos-akkounts::nginx",
     "kosmos-akkounts::nginx_api",
     "kosmos-bitcoin::nginx_lndhub",
+    "kosmos-ipfs::nginx_public_gateway",
     "kosmos-mastodon::nginx",
     "remotestorage_discourse::nginx",
     "kosmos_encfs",
@@ -83,7 +84,8 @@
     "git::default",
     "git::package",
     "kosmos-base::letsencrypt",
-    "firewall::default"
+    "firewall::default",
+    "fail2ban::default"
   ],
   "platform": "ubuntu",
   "platform_version": "20.04",
diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb
index 5f379f0..c3502d0 100644
--- a/roles/openresty_proxy.rb
+++ b/roles/openresty_proxy.rb
@@ -28,7 +28,6 @@ default_run_list = %w(
   kosmos-hubot::nginx_botka_irc-libera-chat
   kosmos-hubot::nginx_hal8000_xmpp
-  kosmos-ipfs::nginx_public_gateway
 )
 
 production_run_list = %w(
@@ -43,6 +42,7 @@ production_run_list = %w(
   kosmos-akkounts::nginx
   kosmos-akkounts::nginx_api
   kosmos-bitcoin::nginx_lndhub
+  kosmos-ipfs::nginx_public_gateway
   kosmos-mastodon::nginx
   remotestorage_discourse::nginx
 )
diff --git a/site-cookbooks/kosmos-ipfs/metadata.rb b/site-cookbooks/kosmos-ipfs/metadata.rb
index 65947e0..9341d73 100644
--- a/site-cookbooks/kosmos-ipfs/metadata.rb
+++ b/site-cookbooks/kosmos-ipfs/metadata.rb
@@ -9,6 +9,6 @@ version '0.3.0'
 depends 'ipfs'
 depends 'fail2ban'
 depends 'kosmos-base'
-depends 'kosmos-nginx'
 depends 'kosmos-nodejs'
+depends 'kosmos_openresty'
 depends 'firewall'
diff --git a/site-cookbooks/kosmos-ipfs/recipes/nginx_public_gateway.rb b/site-cookbooks/kosmos-ipfs/recipes/nginx_public_gateway.rb
index c20efe3..c62708a 100644
--- a/site-cookbooks/kosmos-ipfs/recipes/nginx_public_gateway.rb
+++ b/site-cookbooks/kosmos-ipfs/recipes/nginx_public_gateway.rb
@@ -3,7 +3,6 @@
 # Recipe:: nginx_public_gateway
 #
 
-include_recipe "kosmos-nginx"
 include_recipe 'firewall'
 
 domain = node["kosmos-ipfs"]["nginx"]["domain"]
@@ -13,12 +12,13 @@ search(:node, "role:ipfs_gateway").each do |node|
   ipfs_node_ip_addresses << node["knife_zero"]["host"]
 end
 
-nginx_certbot_site domain
+tls_cert_for domain do
+  auth "gandi_dns"
+  action :create
+end
 
-template "#{node['nginx']['dir']}/sites-available/#{domain}" do
-  source "nginx_conf_#{domain}.erb"
-  owner 'www-data'
-  mode 0640
+openresty_site domain do
+  template "nginx_conf_#{domain}.erb"
   variables server_name: domain,
     ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
     ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
@@ -26,12 +26,6 @@ template "#{node['nginx']['dir']}/sites-available/#{domain}" do
     ipfs_gateway_port: node['kosmos-ipfs']['gateway_port'],
     ipfs_external_api_port: node['kosmos-ipfs']['nginx']['external_api_port'],
     upstream_hosts: ipfs_node_ip_addresses
-
-  notifies :reload, 'service[nginx]', :delayed
-end
-
-nginx_site domain do
-  action :enable
 end
 
 firewall_rule 'ipfs_api' do
diff --git a/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb b/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb
index 6f0d69b..f54cea3 100644
--- a/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb
+++ b/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb
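Review bot: In the `tls_cert_for` / `openresty_site` hunk of nginx_public_gateway.rb, the certificate is now obtained through `tls_cert_for domain` with `auth "gandi_dns"`, yet the `ssl_cert`/`ssl_key` variables handed to the template stay hard-coded to `/etc/letsencrypt/live/#{domain}/fullchain.pem` and `privkey.pem`. If that resource stores the material anywhere else, nothing in the recipe fails; the template's `File.exist?(@ssl_cert) && File.exist?(@ssl_key)` branch simply falls back to serving the external API port without TLS, so the paths should be confirmed against the tls_cert_for resource and, if they differ, derived from it rather than spelled out here. The removed `notifies :reload, 'service[nginx]', :delayed` has no counterpart on the new side; presumably `openresty_site` reloads the server itself, but that is not visible in this diff. The `openresty_site` block opened here is closed in the following hunk.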
@@ -10,10 +10,9 @@ upstream _ipfs_api {
 }
 
 server {
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
-  server_name <%= @server_name %>;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen [::]:443 ssl http2;
 
   access_log /var/log/nginx/<%= @server_name %>.access.log;
   error_log /var/log/nginx/<%= @server_name %>.error.log;
@@ -28,7 +27,7 @@ server {
 server {
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
-  listen <%= @ipfs_external_api_port %> ssl http2;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %><%= @ipfs_external_api_port %> ssl http2;
 <% else -%>
   listen <%= @ipfs_external_api_port %>;
 <% end -%>
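Review bot: The first server block loses its `server_name <%= @server_name %>;` directive while keeping `server {` and the `@server_name`-based access_log/error_log paths. `node['openresty']['listen_ip']` is a node-level attribute, so every openresty site on the host shares that address and port, and a server block with no server_name can then only be chosen as the socket's default server, or not at all if another site holds that role. Unless `openresty_site` injects the directive by some means not visible here, I would keep `server_name <%= @server_name %>;` directly after the two listen lines. The listen change itself reads fine: with no listen_ip set the rendered directive is `listen 443 ssl http2;` as before.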
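Review bot: In the external-API server block only the TLS branch receives the `listen_ip` prefix; the `<% else -%>` fallback still renders `listen <%= @ipfs_external_api_port %>;`, which binds the plaintext API port on every address of the host. That branch is taken exactly when the certificate files are missing, which is the situation where a narrow bind matters most, so the same prefix belongs there: `listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %><%= @ipfs_external_api_port %>;`. The surrounding server block continues past the end of the hunk.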