From 584aab76a771ece3ed3f5c5459dfc21281bfaee9 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Thu, 9 May 2019 23:28:39 +0200 Subject: [PATCH 01/12] Add hal8000_xmpp recipe Also, configure express ports in attributes, so they are both easy to see at once, as well as override per node/env. --- data_bags/credentials/hal8000_xmpp.json | 31 ++++ .../kosmos-hubot/attributes/default.rb | 47 ++++-- .../kosmos-hubot/recipes/botka_freenode.rb | 6 +- .../kosmos-hubot/recipes/hal8000.rb | 24 +++- .../kosmos-hubot/recipes/hal8000_xmpp.rb | 136 ++++++++++++++++++ 5 files changed, 227 insertions(+), 17 deletions(-) create mode 100644 data_bags/credentials/hal8000_xmpp.json create mode 100644 site-cookbooks/kosmos-hubot/recipes/hal8000_xmpp.rb diff --git a/data_bags/credentials/hal8000_xmpp.json b/data_bags/credentials/hal8000_xmpp.json new file mode 100644 index 0000000..c9eccfa --- /dev/null +++ b/data_bags/credentials/hal8000_xmpp.json @@ -0,0 +1,31 @@ +{ + "id": "hal8000_xmpp", + "xmpp_password": { + "encrypted_data": "7pE9C6Tdjeg7ZFjtwzgPzC4ekSgPzN18A5ia5awJnKA=\n", + "iv": "p3RqfadD1sPKEof3\n", + "auth_tag": "4zYf0anagoLn5bF3Rt95BQ==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "webhook_token": { + "encrypted_data": "T6zu7cd5/PXZP56PwjIo5XIjUOJQQSvobvgIekCIB3SgyWQr\n", + "iv": "LwCkuGJP2eZC8S4Y\n", + "auth_tag": "qH5ckddELQR32z3oYxELMg==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "kredits_webhook_token": { + "encrypted_data": "W6xJKRCsoX6qY3QJW/kR5I7Y9LNS1L5zB6X1oLzE71soQ/Y=\n", + "iv": "Piw00LKQysN3AVJN\n", + "auth_tag": "BwH/mJoBtqhA5wNXwFUM6w==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "kredits_wallet_password": { + "encrypted_data": "dFKch6Gjt9oN21w15EeHvho1/f7+mZlKe/aOtoHJtmCgbw==\n", + "iv": "GCueL9BRmLFqlmDw\n", + "auth_tag": "Yq3nOeQenXz+c6VoLhZbQw==\n", + "version": 3, + "cipher": "aes-256-gcm" + } +} \ No newline at end of file 
diff --git a/site-cookbooks/kosmos-hubot/attributes/default.rb b/site-cookbooks/kosmos-hubot/attributes/default.rb
index 69ecded..9e089b0 100644
--- a/site-cookbooks/kosmos-hubot/attributes/default.rb
+++ b/site-cookbooks/kosmos-hubot/attributes/default.rb
@@ -1,12 +1,39 @@ -node.default['hal8000']['kredits']['ipfs_host'] = 'localhost' +node.default['hal8000']['http_port'] = 8080 +node.default['botka_freenode']['http_port'] = 8081 +node.default['hal8000_xmpp']['http_port'] = 8082 + +node.default['hal8000_xmpp']['hubot_scripts'] = [ + "hubot-help", + "hubot-read-tweet", + "hubot-redis-brain", + "hubot-rules", + "hubot-shipit", + "hubot-plusplus", + "hubot-tell", + "hubot-seen", + "hubot-rss-reader", + "hubot-incoming-webhook", + "hubot-auth", + "hubot-kredits", + "hubot-schedule" +] + +node.default['hal8000_xmpp']['rooms'] = [ + 'kosmos@chat.kosmos.org' + # 'kosmos-dev@chat.kosmos.org', +] + +node.default['hal8000_xmpp']['auth_admins'] = [] + +node.default['hal8000_xmpp']['kredits']['ipfs_host'] = 'localhost' # Use the running ipfs-cluster, so adding documents adds and pins them on all # members of the cluster -node.default['hal8000']['kredits']['ipfs_port'] = '9095' -node.default['hal8000']['kredits']['ipfs_protocol'] = 'http' -node.default['hal8000']['kredits']['room'] = '#kosmos' -node.default['hal8000']['kredits']['provider_url'] = 'https://rinkeby.infura.io/v3/c5e74367261d475ab935e2f0e726482f' -node.default['hal8000']['kredits']['network_id'] = '4' -node.default['hal8000']['kredits']['wallet_path'] = 'wallet.json' -node.default['hal8000']['kredits']['mediawiki_url'] = 'https://wiki.kosmos.org/' -node.default['hal8000']['kredits']['github_repo_blacklist'] = '67P/test-one-two' -node.default['hal8000']['kredits']['gitea_repo_blacklist'] = 'kosmos/test-one-two' +node.default['hal8000_xmpp']['kredits']['ipfs_port'] = '9095' +node.default['hal8000_xmpp']['kredits']['ipfs_protocol'] = 'http' +node.default['hal8000_xmpp']['kredits']['room'] = 'kosmos@chat.kosmos.org' +node.default['hal8000_xmpp']['kredits']['provider_url'] = 'https://rinkeby.infura.io/v3/c5e74367261d475ab935e2f0e726482f' +node.default['hal8000_xmpp']['kredits']['network_id'] = '4' +node.default['hal8000_xmpp']['kredits']['wallet_path'] = 'wallet.json' 
+node.default['hal8000_xmpp']['kredits']['mediawiki_url'] = 'https://wiki.kosmos.org/' +node.default['hal8000_xmpp']['kredits']['github_repo_blacklist'] = '67P/test-one-two' +node.default['hal8000_xmpp']['kredits']['gitea_repo_blacklist'] = 'kosmos/test-one-two' diff --git a/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb b/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb index 4024294..05868fa 100644 --- a/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb +++ b/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb @@ -68,7 +68,7 @@ application botka_freenode_path do "HUBOT_RSS_PRINTERROR" => "false", "HUBOT_RSS_IRCCOLORS" => "true", # "HUBOT_LOG_LEVEL" => "error", - "EXPRESS_PORT" => "8081", + "EXPRESS_PORT" => node[app_name]['http_port'], "HUBOT_AUTH_ADMIN" => "bkero,derbumi,galfert,gregkare,jaaan,slvrbckt,raucao", "HUBOT_HELP_REPLY_IN_PRIVATE" => "true", "RS_LOGGER_USER" => "kosmos@5apps.com", @@ -95,18 +95,16 @@ end # Nginx reverse proxy # unless node.chef_environment == "development" - express_port = 8081 express_domain = "freenode.botka.kosmos.org" include_recipe "kosmos-base::letsencrypt" - include_recipe "kosmos-nginx" template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do source 'nginx_conf_hubot.erb' owner node["nginx"]["user"] mode 0640 - variables express_port: express_port, + variables express_port: node[app_name]['http_port'], server_name: express_domain, ssl_cert: "/etc/letsencrypt/live/#{express_domain}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{express_domain}/privkey.pem" diff --git a/site-cookbooks/kosmos-hubot/recipes/hal8000.rb b/site-cookbooks/kosmos-hubot/recipes/hal8000.rb index 4b78f71..26d3199 100644 --- a/site-cookbooks/kosmos-hubot/recipes/hal8000.rb +++ b/site-cookbooks/kosmos-hubot/recipes/hal8000.rb 
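Review bot: The `provider_url` default in attributes/default.rb carries what looks like an Infura project ID (the path segment after `/v3/`) in a plain, unencrypted attribute, while every other credential the new recipe consumes is read from the encrypted `credentials` data bag. If that ID is meant to be private, keep only the base URL in the attribute, `node.default['hal8000_xmpp']['kredits']['provider_url'] = 'https://rinkeby.infura.io/v3/'`, and append the ID in the recipe from a new item in the `hal8000_xmpp` data bag. The same value was already committed under the old `hal8000` namespace, so moving it is only complete once the ID has been rotated.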
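Review bot: `node[app_name]['http_port']` in both botka_freenode.rb hunks reads a local `app_name` that nothing visible defines at this commit; the assignment `app_name = "botka_freenode"` only arrives in patch 05/12. Unless the name resolves some other way outside these hunks, a converge at patch 01 fails with a NameError, so either use the literal key here, `node['botka_freenode']['http_port']`, or move the `app_name` assignment into this patch. The attributes hunk of the same patch has a similar ordering problem: it deletes the `node.default['hal8000']['kredits'][...]` defaults while hal8000.rb keeps reading them until patch 11/12 removes those lines. Both resource blocks continue outside the hunks.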
@@ -2,7 +2,25 @@ # Cookbook Name:: kosmos-hubot # Recipe:: hal8000 # -# Copyright 2017-2018, Kosmos +# Copyright:: 2019, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. # build_essential 'hal8000' do @@ -19,7 +37,7 @@ include_recipe "kosmos-ipfs" unless node.chef_environment == "development" include_recipe 'firewall' firewall_rule 'hubot_express_hal8000_freenode' do - port 8080 + port node['hal8000']['http_port'] protocol :tcp command :allow end @@ -96,7 +114,7 @@ application hal8000_path do "HUBOT_RSS_PRINTERROR" => "false", "HUBOT_RSS_IRCCOLORS" => "true", "HUBOT_PLUSPLUS_POINTS_TERM" => "karma,karma", - "EXPRESS_PORT" => "8080", + "EXPRESS_PORT" => node['hal8000']['http_port'], "HUBOT_RSS_HEADER" => "Update:", "HUBOT_AUTH_ADMIN" => "bkero,derbumi,galfert,gregkare,slvrbckt,raucao", "HUBOT_HELP_REPLY_IN_PRIVATE" => "true", 
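Review bot: The `firewall_rule 'hubot_express_hal8000_freenode'` hunk keeps the Express port open to the network, so requests that carry `WEBHOOK_TOKEN` reach hubot directly instead of going through the TLS-terminating nginx site this series sets up for botka_freenode and hal8000_xmpp. If the webhook endpoint is called from outside the host, the token presumably crosses the wire in clear text; giving hal8000 the same `nginx_conf_hubot.erb` site and dropping this rule, as patch 02/12 does for botka, would close that gap. Until then a comment above the rule, `# Express is reached directly, no reverse proxy in front of this bot`, would record that the exposure is deliberate. The `unless` block and the `application` block both extend beyond the hunks shown.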
diff --git a/site-cookbooks/kosmos-hubot/recipes/hal8000_xmpp.rb b/site-cookbooks/kosmos-hubot/recipes/hal8000_xmpp.rb
new file mode 100644
index 0000000..fd2fc75
--- /dev/null
+++ b/site-cookbooks/kosmos-hubot/recipes/hal8000_xmpp.rb
@@ -0,0 +1,136 @@ +# +# Cookbook Name:: kosmos-hubot +# Recipe:: hal8000_xmpp +# +# Copyright:: 2019, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. 
+# +app_name = "hal8000_xmpp" +app_path = "/opt/#{app_name}" +app_user = "hubot" +app_group = "hubot" + +build_essential app_name do + compile_time true +end + +include_recipe "kosmos-nodejs" +include_recipe "kosmos-redis" +include_recipe "kosmos-hubot::_user" + +# Needed for hubot-kredits +include_recipe "kosmos-ipfs" + +application app_path do + data_bag = Chef::EncryptedDataBagItem.load('credentials', app_name) + + owner app_user + group app_group + + git do + user app_user + group app_group + repository "https://github.com/67P/hal8000.git" + revision "master" + end + + file "#{app_path}/external-scripts.json" do + mode "0640" + owner app_user + group app_group + content node[app_name]['hubot_scripts'].to_json + end + + npm_install do + user app_user + end + + execute "systemctl daemon-reload" do + command "systemctl daemon-reload" + action :nothing + end + + template "/lib/systemd/system/#{app_name}.service" do + source 'nodejs.systemd.service.erb' + owner 'root' + group 'root' + mode '0644' + variables( + user: app_user, + group: app_user, + app_dir: app_path, + entry: "#{app_path}/bin/hubot -a xmpp --name hal8000", + environment: { + "HUBOT_LOG_LEVEL" => node.chef_environment == "development" ? 
"debug" : "info", + "HUBOT_XMPP_USERNAME" => "hal8000@kosmos.org/hubot", + "HUBOT_XMPP_PASSWORD" => data_bag['xmpp_password'], + "HUBOT_XMPP_HOST" => "xmpp.kosmos.org", + "HUBOT_XMPP_ROOMS" => node[app_name]['rooms'].join(','), + "HUBOT_AUTH_ADMIN" => node[app_name]['auth_admins'].join(','), + "HUBOT_RSS_PRINTSUMMARY" => "false", + "HUBOT_RSS_PRINTERROR" => "false", + "HUBOT_RSS_IRCCOLORS" => "true", + "HUBOT_PLUSPLUS_POINTS_TERM" => "karma,karma", + "HUBOT_RSS_HEADER" => "Update:", + "HUBOT_HELP_REPLY_IN_PRIVATE" => "true", + "EXPRESS_PORT" => node[app_name]['http_port'], + "WEBHOOK_TOKEN" => data_bag['webhook_token'], + "IPFS_API_HOST" => node[app_name]['kredits']['ipfs_host'], + "IPFS_API_PORT" => node[app_name]['kredits']['ipfs_port'], + "IPFS_API_PROTOCOL" => node[app_name]['kredits']['ipfs_protocol'], + "KREDITS_ROOM" => node[app_name]['kredits']['room'], + "KREDITS_WEBHOOK_TOKEN" => data_bag['kredits_webhook_token'], + "KREDITS_PROVIDER_URL" => node[app_name]['kredits']['provider_url'], + "KREDITS_NETWORK_ID" => node[app_name]['kredits']['network_id'], + "KREDITS_WALLET_PATH" => node[app_name]['kredits']['wallet_path'], + "KREDITS_WALLET_PASSWORD" => data_bag['kredits_wallet_password'], + "KREDITS_MEDIAWIKI_URL" => node[app_name]['kredits']['mediawiki_url'], + "KREDITS_GITHUB_REPO_BLACKLIST" => node[app_name]['kredits']['github_repo_blacklist'], + "KREDITS_GITEA_REPO_BLACKLIST" => node[app_name]['kredits']['gitea_repo_blacklist'] + } + ) + notifies :run, "execute[systemctl daemon-reload]", :delayed + notifies :restart, "service[#{app_name}]", :delayed + end + + cookbook_file "#{app_path}/wallet.json" do + source "wallet.json" + end + + service app_name do + action [:enable, :start] + end +end + +unless node.chef_environment == "development" + include_recipe 'firewall' + + firewall_rule "hubot_express_#{app_name}" do + port node[app_name]['http_port'] + protocol :tcp + command :allow + end + + firewall_rule 'ipfs_swarm_p2p' do + port 4001 + protocol :tcp + 
command :allow + end +end From fe1821739c75f2c86f646536d8866b2636343450 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Thu, 9 May 2019 23:29:50 +0200 Subject: [PATCH 02/12] Remove obsolete port opening We have an nginx reverse proxy for botka instead. --- site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb | 7 ------- 1 file changed, 7 deletions(-) diff --git a/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb b/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb index 05868fa..b7c76f1 100644 --- a/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb +++ b/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb @@ -116,11 +116,4 @@ unless node.chef_environment == "development" end nginx_certbot_site express_domain - - include_recipe "firewall" - firewall_rule 'hubot_express_botka_freenode' do - port express_port - protocol :tcp - command :allow - end end From 5f8b274cf99bf530a5b102161c7611a4b1d2dd96 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Thu, 9 May 2019 23:31:05 +0200 Subject: [PATCH 03/12] Use MIT license --- .../kosmos-hubot/recipes/botka_freenode.rb | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb b/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb index b7c76f1..30ceeb8 100644 --- a/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb +++ b/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb 
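Review bot: The `template "/lib/systemd/system/#{app_name}.service"` resource in hal8000_xmpp.rb passes `HUBOT_XMPP_PASSWORD`, `WEBHOOK_TOKEN`, `KREDITS_WEBHOOK_TOKEN` and `KREDITS_WALLET_PASSWORD` into a unit file written with `mode '0644'`, so, assuming `nodejs.systemd.service.erb` renders the hash as `Environment=` lines, every local user can read the decrypted data bag values. Tightening the file mode alone does not help, because systemd also exposes a unit's environment through `systemctl show`; the secrets belong in a separate root-owned `0600` file referenced with `EnvironmentFile=`, and the template should carry `sensitive true` so Chef does not log the rendered content. `cookbook_file "#{app_path}/wallet.json"` likewise sets no owner or mode; adding `owner app_user` and `mode '0600'` keeps the wallet private to the bot. The same unit-file pattern recurs in the botka_freenode.rb template reworked in patch 05/12. Separately, `revision "master"` followed by `npm_install` deploys whatever the branch head is at converge time, and pinning a commit SHA there would make the deployed code reviewable.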
@@ -2,7 +2,25 @@ # Cookbook Name:: kosmos-hubot # Recipe:: botka_freenode # -# Copyright 2017-2018, Kosmos +# Copyright:: 2019, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. # build_essential 'botka' do From 36cfeab15dc179f405019a54c0d7a832d13f8f58 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Thu, 9 May 2019 23:31:48 +0200 Subject: [PATCH 04/12] Remove obsolete credential item rs-logger is run by botka, not hal8000. --- data_bags/credentials/hal8000_freenode.json | 42 ++++++++++----------- 1 file changed, 20 insertions(+), 22 deletions(-) diff --git a/data_bags/credentials/hal8000_freenode.json b/data_bags/credentials/hal8000_freenode.json index f6a531f..4e09a1a 100644 --- a/data_bags/credentials/hal8000_freenode.json +++ b/data_bags/credentials/hal8000_freenode.json 
@@ -1,33 +1,31 @@ { "id": "hal8000_freenode", "nickserv_password": { - "encrypted_data": "wVOuYDPJAjWN/Un+cB/bpKD7gJ4FOOfY6xSTwpOutMD+KmhgjEX4Z99G9rwv\nmeFoBiO3Z9O+C1BeIf3YGAgWnfBgNS5eRnGAxhkzsVyvpyo=\n", - "iv": "26SarumevOdpdim4omgXng==\n", - "version": 1, - "cipher": "aes-256-cbc" - }, - "rs_logger_token": { - "encrypted_data": "A3z2klmsLGwmJmB4eMVKJu5yC2mjaQii7SAuYBSl/hVtrrWDqlqR5N6vqHSv\nMWoXhptuF+RBOL7wgg0DN08B8A==\n", - "iv": "hpQA2RgJhHytnvoxgsuAhw==\n", - "version": 1, - "cipher": "aes-256-cbc" + "encrypted_data": "rkCsvjS6EipHlxgxPdSiPVl6CCyjyy845P2ftSykmIW0+fxahTSOxbSMYJl8\n1DW6Go88ZE+eKKWIugp2nWDS+5Pnx58I\n", + "iv": "EvNcR0eqpZngoNJx\n", + "auth_tag": "kKFPUuff8llgVZYROTg/EA==\n", + "version": 3, + "cipher": "aes-256-gcm" }, "webhook_token": { - "encrypted_data": "w/cC18Wte2w2j1mU9SkeepRxOm4zBgZKd7djU6N1t3i7YgjEhHMPeQmD4m8f\nxhes\n", - "iv": "dqFAa3sXHLePuH26YrJUxw==\n", - "version": 1, - "cipher": "aes-256-cbc" + "encrypted_data": "ItDsU9w6HCGS7ykQdkZEXQEZzPEt6bW42Fbh00AtZz+h7JmQ\n", + "iv": "OdaAg/XoUMIEfQEQ\n", + "auth_tag": "9ThqnVhWEZbo4jF4lqa5TA==\n", + "version": 3, + "cipher": "aes-256-gcm" }, "kredits_webhook_token": { - "encrypted_data": "mBESEC0w2Q2wf8LRtHUtKAPDkqqt/xTjtoKCXVbu92xJedCccS51qZNcHp69\nw64Y\n", - "iv": "iZX6EzyyFkTHvJ6nnUWT6Q==\n", - "version": 1, - "cipher": "aes-256-cbc" + "encrypted_data": "kUp4XAQkwWFphQT1f4wsGVJJtmhBqrEiW6W1D1ONrpZ0z94=\n", + "iv": "XiGtQlKn4BvAeaS1\n", + "auth_tag": "1hkTI7ccxBN4/6U4VF19WQ==\n", + "version": 3, + "cipher": "aes-256-gcm" }, "kredits_wallet_password": { - "encrypted_data": "6Lq61jWP1oRSLiI0JucQtCdGnPFeJOYpSMZ9nw6oIkWEFbdMXnrEnKNxYJax\n0abI\n", - "iv": "XMDv5T30HTK/BhsR1lH79g==\n", - "version": 1, - "cipher": "aes-256-cbc" + "encrypted_data": "mKcJBPto0OdPpBXB5x3ynxq01DA2CEz476lTAgjGjTNDHQ==\n", + "iv": "LIvTZ+fx1suOcnjD\n", + "auth_tag": "mcjLU242nqtNn5XR7ku4BQ==\n", + "version": 3, + "cipher": "aes-256-gcm" } } \ No newline at end of file 
From e8f325b41b7134ecb52fef5b2a28d09da09a1ab6 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Thu, 9 May 2019 23:43:02 +0200 Subject: [PATCH 05/12] Refactor botka recipe --- .../kosmos-hubot/attributes/default.rb | 33 +++++---- .../kosmos-hubot/recipes/botka_freenode.rb | 67 ++++++++++--------- 2 files changed, 49 insertions(+), 51 deletions(-) diff --git a/site-cookbooks/kosmos-hubot/attributes/default.rb b/site-cookbooks/kosmos-hubot/attributes/default.rb index 9e089b0..b6ec003 100644 --- a/site-cookbooks/kosmos-hubot/attributes/default.rb +++ b/site-cookbooks/kosmos-hubot/attributes/default.rb @@ -1,26 +1,23 @@ -node.default['hal8000']['http_port'] = 8080 +node.default['hal8000']['http_port'] = 8080 + node.default['botka_freenode']['http_port'] = 8081 -node.default['hal8000_xmpp']['http_port'] = 8082 +node.default['botka_freenode']['domain'] = "freenode.botka.kosmos.org" + +node.default['hal8000_xmpp']['http_port'] = 8082 +node.default['hal8000_xmpp']['domain'] = "xmpp.hal8000.kosmos.org" node.default['hal8000_xmpp']['hubot_scripts'] = [ - "hubot-help", - "hubot-read-tweet", - "hubot-redis-brain", - "hubot-rules", - "hubot-shipit", - "hubot-plusplus", - "hubot-tell", - "hubot-seen", - "hubot-rss-reader", - "hubot-incoming-webhook", - "hubot-auth", - "hubot-kredits", - "hubot-schedule" + "hubot-help", "hubot-read-tweet", "hubot-redis-brain", + "hubot-rules", "hubot-shipit", "hubot-plusplus", + "hubot-tell", "hubot-seen", "hubot-rss-reader", + "hubot-incoming-webhook", "hubot-auth", + "hubot-kredits", "hubot-schedule" ] node.default['hal8000_xmpp']['rooms'] = [ - 'kosmos@chat.kosmos.org' - # 'kosmos-dev@chat.kosmos.org', + 'kosmos@chat.kosmos.org', + 'kosmos-dev@chat.kosmos.org', + 'kredits@chat.kosmos.org', ] node.default['hal8000_xmpp']['auth_admins'] = [] 
@@ -30,7 +27,7 @@ node.default['hal8000_xmpp']['kredits']['ipfs_host'] = 'localhost' # members of the cluster node.default['hal8000_xmpp']['kredits']['ipfs_port'] = '9095' node.default['hal8000_xmpp']['kredits']['ipfs_protocol'] = 'http' -node.default['hal8000_xmpp']['kredits']['room'] = 'kosmos@chat.kosmos.org' +node.default['hal8000_xmpp']['kredits']['room'] = 'kredits@chat.kosmos.org' node.default['hal8000_xmpp']['kredits']['provider_url'] = 'https://rinkeby.infura.io/v3/c5e74367261d475ab935e2f0e726482f' node.default['hal8000_xmpp']['kredits']['network_id'] = '4' node.default['hal8000_xmpp']['kredits']['wallet_path'] = 'wallet.json' diff --git a/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb b/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb index 30ceeb8..b74b4d8 100644 --- a/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb +++ b/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb @@ -22,32 +22,35 @@ # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN # THE SOFTWARE. # +app_name = "botka_freenode" +app_path = "/opt/#{app_name}" +app_user = "hubot" +app_group = "hubot" -build_essential 'botka' do +build_essential app_name do compile_time true end include_recipe "kosmos-nodejs" include_recipe "kosmos-redis" -botka_freenode_data_bag_item = Chef::EncryptedDataBagItem.load('credentials', 'botka_freenode') +application app_path do + data_bag = Chef::EncryptedDataBagItem.load('credentials', app_name) -botka_freenode_path = "/opt/botka_freenode" -application botka_freenode_path do - owner "hubot" - group "hubot" + owner app_user + group app_group git do - user "hubot" - group "hubot" + user app_user + group app_group repository "https://github.com/67P/botka.git" revision "master" end - file "#{name}/external-scripts.json" do + file "#{app_path}/external-scripts.json" do mode "0640" - owner "hubot" - group "hubot" + owner app_user + group app_group content [ "hubot-help", "hubot-redis-brain", 
@@ -57,7 +60,7 @@ application botka_freenode_path do end npm_install do - user "hubot" + user app_user end execute "systemctl daemon-reload" do 
@@ -65,46 +68,46 @@ application botka_freenode_path do action :nothing end - template "/lib/systemd/system/botka_freenode_nodejs.service" do + template "/lib/systemd/system/#{app_name}.service" do source 'nodejs.systemd.service.erb' owner 'root' group 'root' mode '0644' variables( - user: "hubot", - group: "hubot", - app_dir: botka_freenode_path, - entry: "#{botka_freenode_path}/bin/hubot -a irc", + user: app_user, + group: app_group, + app_dir: app_path, + entry: "#{app_path}/bin/hubot -a irc", environment: { + "HUBOT_LOG_LEVEL" => node.chef_environment == "development" ? "debug" : "info", "HUBOT_IRC_SERVER" => "irc.freenode.net", "HUBOT_IRC_ROOMS" => "#5apps,#kosmos,#kosmos-dev,#kosmos-random,#remotestorage,#hackerbeach,#unhosted,#sockethub,#opensourcedesign,#openknot,#emberjs,#mastodon,#indieweb,#lnd", "HUBOT_IRC_NICK" => "botka", "HUBOT_IRC_NICKSERV_USERNAME" => "botka", - "HUBOT_IRC_NICKSERV_PASSWORD" => botka_freenode_data_bag_item['nickserv_password'], + "HUBOT_IRC_NICKSERV_PASSWORD" => data_bag['nickserv_password'], "HUBOT_IRC_UNFLOOD" => "100", "HUBOT_RSS_PRINTSUMMARY" => "false", "HUBOT_RSS_PRINTERROR" => "false", "HUBOT_RSS_IRCCOLORS" => "true", - # "HUBOT_LOG_LEVEL" => "error", "EXPRESS_PORT" => node[app_name]['http_port'], "HUBOT_AUTH_ADMIN" => "bkero,derbumi,galfert,gregkare,jaaan,slvrbckt,raucao", "HUBOT_HELP_REPLY_IN_PRIVATE" => "true", "RS_LOGGER_USER" => "kosmos@5apps.com", - "RS_LOGGER_TOKEN" => botka_freenode_data_bag_item['rs_logger_token'], + "RS_LOGGER_TOKEN" => data_bag['rs_logger_token'], "RS_LOGGER_SERVER_NAME" => "freenode", "RS_LOGGER_PUBLIC" => "true", - "GCM_API_KEY" => botka_freenode_data_bag_item['gcm_api_key'], + "GCM_API_KEY" => data_bag['gcm_api_key'], "VAPID_SUBJECT" => "https://kosmos.org", - "VAPID_PUBLIC_KEY" => botka_freenode_data_bag_item['vapid_public_key'], - "VAPID_PRIVATE_KEY" => botka_freenode_data_bag_item['vapid_private_key'], + "VAPID_PUBLIC_KEY" => data_bag['vapid_public_key'], + "VAPID_PRIVATE_KEY" => 
data_bag['vapid_private_key'], "REDIS_URL" => "redis://localhost:6379/botka" } ) notifies :run, "execute[systemctl daemon-reload]", :delayed - notifies :restart, "service[botka_freenode_nodejs]", :delayed + notifies :restart, "service[#{app_name}]", :delayed end - service "botka_freenode_nodejs" do + service app_name do action [:enable, :start] end end @@ -113,25 +116,23 @@ end # Nginx reverse proxy # unless node.chef_environment == "development" - express_domain = "freenode.botka.kosmos.org" - include_recipe "kosmos-base::letsencrypt" include_recipe "kosmos-nginx" - template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do + template "#{node['nginx']['dir']}/sites-available/#{node[app_name]['domain']}" do source 'nginx_conf_hubot.erb' owner node["nginx"]["user"] mode 0640 variables express_port: node[app_name]['http_port'], - server_name: express_domain, - ssl_cert: "/etc/letsencrypt/live/#{express_domain}/fullchain.pem", - ssl_key: "/etc/letsencrypt/live/#{express_domain}/privkey.pem" + server_name: node[app_name]['domain'], + ssl_cert: "/etc/letsencrypt/live/#{node[app_name]['domain']}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{node[app_name]['domain']}/privkey.pem" notifies :reload, 'service[nginx]', :delayed end - nginx_site express_domain do + nginx_site node[app_name]['domain'] do action :enable end - nginx_certbot_site express_domain + nginx_certbot_site node[app_name]['domain'] end From f3f0d0deb2b3e63ce008180eb96ce175a20344c2 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Thu, 9 May 2019 23:43:21 +0200 Subject: [PATCH 06/12] Add nginx site for hal8000_xmpp --- .../kosmos-hubot/recipes/hal8000_xmpp.rb | 36 ++++++++++++++----- 1 file changed, 27 insertions(+), 9 deletions(-) diff --git a/site-cookbooks/kosmos-hubot/recipes/hal8000_xmpp.rb b/site-cookbooks/kosmos-hubot/recipes/hal8000_xmpp.rb index fd2fc75..cd92579 100644 --- a/site-cookbooks/kosmos-hubot/recipes/hal8000_xmpp.rb 
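Review bot: Renaming the unit from `botka_freenode_nodejs.service` to `#{app_name}.service` in the `template` and `service` resources leaves the old unit on already-converged nodes, still enabled and running, with the old unit file and its credentials still on disk. After this converge two botka processes would presumably compete for port 8081 and the IRC nick. The recipe needs a cleanup pair ahead of the new service, `service "botka_freenode_nodejs" do action [:stop, :disable] end` and `file "/lib/systemd/system/botka_freenode_nodejs.service" do action :delete end`. The hunk starts inside the `application` block, whose opening lines are in an earlier hunk.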
+++ b/site-cookbooks/kosmos-hubot/recipes/hal8000_xmpp.rb @@ -38,6 +38,15 @@ include_recipe "kosmos-hubot::_user" # Needed for hubot-kredits include_recipe "kosmos-ipfs" +unless node.chef_environment == "development" + include_recipe 'firewall' + firewall_rule 'ipfs_swarm_p2p' do + port 4001 + protocol :tcp + command :allow + end +end + application app_path do data_bag = Chef::EncryptedDataBagItem.load('credentials', app_name) @@ -119,18 +128,27 @@ application app_path do end end +# +# Nginx reverse proxy +# unless node.chef_environment == "development" - include_recipe 'firewall' + include_recipe "kosmos-base::letsencrypt" + include_recipe "kosmos-nginx" - firewall_rule "hubot_express_#{app_name}" do - port node[app_name]['http_port'] - protocol :tcp - command :allow + template "#{node['nginx']['dir']}/sites-available/#{node[app_name]['domain']}" do + source 'nginx_conf_hubot.erb' + owner node["nginx"]["user"] + mode 0640 + variables express_port: node[app_name]['http_port'], + server_name: node[app_name]['domain'], + ssl_cert: "/etc/letsencrypt/live/#{node[app_name]['domain']}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{node[app_name]['domain']}/privkey.pem" + notifies :reload, 'service[nginx]', :delayed end - firewall_rule 'ipfs_swarm_p2p' do - port 4001 - protocol :tcp - command :allow + nginx_site node[app_name]['domain'] do + action :enable end + + nginx_certbot_site node[app_name]['domain'] end From 9661980235248da176537f7bf18457fb19a17767 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Fri, 10 May 2019 07:00:35 +0200 Subject: [PATCH 07/12] Change bot domain --- site-cookbooks/kosmos-hubot/attributes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos-hubot/attributes/default.rb b/site-cookbooks/kosmos-hubot/attributes/default.rb index b6ec003..f4339af 100644 --- a/site-cookbooks/kosmos-hubot/attributes/default.rb +++ b/site-cookbooks/kosmos-hubot/attributes/default.rb 
@@ -4,7 +4,7 @@ node.default['botka_freenode']['http_port'] = 8081 node.default['botka_freenode']['domain'] = "freenode.botka.kosmos.org" node.default['hal8000_xmpp']['http_port'] = 8082 -node.default['hal8000_xmpp']['domain'] = "xmpp.hal8000.kosmos.org" +node.default['hal8000_xmpp']['domain'] = "hal8000.chat.kosmos.org" node.default['hal8000_xmpp']['hubot_scripts'] = [ "hubot-help", "hubot-read-tweet", "hubot-redis-brain", From 4a480931a5ad6ea5ae36925091951b972ca00cc9 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Fri, 10 May 2019 07:00:53 +0200 Subject: [PATCH 08/12] Fix bug in nginx config Server name isn't recognized when adding a header directive before like this. --- .../kosmos-hubot/templates/default/nginx_conf_hubot.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb b/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb index a143bcd..e7848c1 100644 --- a/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb +++ b/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb @@ -8,10 +8,10 @@ upstream _express_<%= @server_name.gsub(".", "_") %> { <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> server { listen 443 ssl http2; - add_header Strict-Transport-Security "max-age=15768000"; - server_name <%= @server_name %>; + add_header Strict-Transport-Security "max-age=15768000"; + access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json; error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn; From b29a007533613987da527edb5f1e04dbada9fd87 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Fri, 10 May 2019 07:01:43 +0200 Subject: [PATCH 09/12] Use different Redis database for new bot --- site-cookbooks/kosmos-hubot/recipes/hal8000_xmpp.rb | 1 + 1 file changed, 1 insertion(+) 
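Review bot: The relocated `add_header Strict-Transport-Security "max-age=15768000";` in nginx_conf_hubot.erb is still written without `always`, so nginx attaches it only to a fixed set of success and redirect status codes and omits it on error responses from the proxied bot. Writing it as `add_header Strict-Transport-Security "max-age=15768000" always;` covers every response. Any `location` block in this server that declares its own `add_header` would also stop inheriting the server-level one; the server block continues outside the hunk, so that cannot be checked here.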
diff --git a/site-cookbooks/kosmos-hubot/recipes/hal8000_xmpp.rb b/site-cookbooks/kosmos-hubot/recipes/hal8000_xmpp.rb index cd92579..159b305 100644 --- a/site-cookbooks/kosmos-hubot/recipes/hal8000_xmpp.rb +++ b/site-cookbooks/kosmos-hubot/recipes/hal8000_xmpp.rb @@ -99,6 +99,7 @@ application app_path do "HUBOT_PLUSPLUS_POINTS_TERM" => "karma,karma", "HUBOT_RSS_HEADER" => "Update:", "HUBOT_HELP_REPLY_IN_PRIVATE" => "true", + "REDIS_URL" => "redis://localhost:6379/#{app_name}", "EXPRESS_PORT" => node[app_name]['http_port'], "WEBHOOK_TOKEN" => data_bag['webhook_token'], "IPFS_API_HOST" => node[app_name]['kredits']['ipfs_host'], From 7afc2f57747ea33459b132274b18b9f4d4865aa7 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Fri, 10 May 2019 07:02:08 +0200 Subject: [PATCH 10/12] Remove old hubot admins from botka --- site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb b/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb index b74b4d8..a974cd4 100644 --- a/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb +++ b/site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb @@ -89,8 +89,9 @@ application app_path do "HUBOT_RSS_PRINTSUMMARY" => "false", "HUBOT_RSS_PRINTERROR" => "false", "HUBOT_RSS_IRCCOLORS" => "true", + "REDIS_URL" => "redis://localhost:6379/botka", "EXPRESS_PORT" => node[app_name]['http_port'], - "HUBOT_AUTH_ADMIN" => "bkero,derbumi,galfert,gregkare,jaaan,slvrbckt,raucao", + "HUBOT_AUTH_ADMIN" => "derbumi,galfert,gregkare,slvrbckt,raucao", "HUBOT_HELP_REPLY_IN_PRIVATE" => "true", "RS_LOGGER_USER" => "kosmos@5apps.com", "RS_LOGGER_TOKEN" => data_bag['rs_logger_token'], 
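Review bot: `HUBOT_AUTH_ADMIN` in botka_freenode.rb drops `bkero` and `jaaan`, but hal8000.rb still lists `bkero` in its own `HUBOT_AUTH_ADMIN` (visible as context in patch 01/12 and patch 11/12), so the removed admin keeps hubot-auth admin rights on the other IRC bot. If the removal is an access revocation, it should be applied to both recipes in the same change. Reading the list from an attribute, as hal8000_xmpp.rb already does with `"HUBOT_AUTH_ADMIN" => node[app_name]['auth_admins'].join(','),`, would keep the admin sets in one reviewable place. The environment hash continues outside the hunk.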
@@ -99,8 +100,7 @@ application app_path do "GCM_API_KEY" => data_bag['gcm_api_key'], "VAPID_SUBJECT" => "https://kosmos.org", "VAPID_PUBLIC_KEY" => data_bag['vapid_public_key'], - "VAPID_PRIVATE_KEY" => data_bag['vapid_private_key'], - "REDIS_URL" => "redis://localhost:6379/botka" + "VAPID_PRIVATE_KEY" => data_bag['vapid_private_key'] } ) notifies :run, "execute[systemctl daemon-reload]", :delayed From 3fbea864c1a0f7a1096f08ddd475a2d5aea67951 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Fri, 10 May 2019 07:08:29 +0200 Subject: [PATCH 11/12] Remove hubot-kredits from IRC hal8000 --- .../kosmos-hubot/recipes/hal8000.rb | 27 +------------------ 1 file changed, 1 insertion(+), 26 deletions(-) diff --git a/site-cookbooks/kosmos-hubot/recipes/hal8000.rb b/site-cookbooks/kosmos-hubot/recipes/hal8000.rb index 26d3199..87e92c6 100644 --- a/site-cookbooks/kosmos-hubot/recipes/hal8000.rb +++ b/site-cookbooks/kosmos-hubot/recipes/hal8000.rb @@ -31,9 +31,6 @@ include_recipe "kosmos-nodejs" include_recipe "kosmos-redis" include_recipe "kosmos-hubot::_user" -# Needed for hubot-kredits -include_recipe "kosmos-ipfs" - unless node.chef_environment == "development" include_recipe 'firewall' firewall_rule 'hubot_express_hal8000_freenode' do @@ -41,11 +38,6 @@ unless node.chef_environment == "development" protocol :tcp command :allow end - firewall_rule 'ipfs_swarm_p2p' do - port 4001 - protocol :tcp - command :allow - end end hal8000_freenode_data_bag_item = Chef::EncryptedDataBagItem.load('credentials', 'hal8000_freenode') @@ -78,7 +70,6 @@ application hal8000_path do "hubot-rss-reader", "hubot-incoming-webhook", "hubot-auth", - "hubot-kredits", "hubot-schedule" ].to_json end 
@@ -114,33 +105,17 @@ application hal8000_path do "HUBOT_RSS_PRINTERROR" => "false", "HUBOT_RSS_IRCCOLORS" => "true", "HUBOT_PLUSPLUS_POINTS_TERM" => "karma,karma", - "EXPRESS_PORT" => node['hal8000']['http_port'], "HUBOT_RSS_HEADER" => "Update:", "HUBOT_AUTH_ADMIN" => "bkero,derbumi,galfert,gregkare,slvrbckt,raucao", "HUBOT_HELP_REPLY_IN_PRIVATE" => "true", "WEBHOOK_TOKEN" => hal8000_freenode_data_bag_item['webhook_token'], - "IPFS_API_HOST" => node['hal8000']['kredits']['ipfs_host'], - "IPFS_API_PORT" => node['hal8000']['kredits']['ipfs_port'], - "IPFS_API_PROTOCOL" => node['hal8000']['kredits']['ipfs_protocol'], - "KREDITS_ROOM" => node['hal8000']['kredits']['room'], - "KREDITS_WEBHOOK_TOKEN" => hal8000_freenode_data_bag_item['kredits_webhook_token'], - "KREDITS_PROVIDER_URL" => node['hal8000']['kredits']['provider_url'], - "KREDITS_NETWORK_ID" => node['hal8000']['kredits']['network_id'], - "KREDITS_WALLET_PATH" => node['hal8000']['kredits']['wallet_path'], - "KREDITS_WALLET_PASSWORD" => hal8000_freenode_data_bag_item['kredits_wallet_password'], - "KREDITS_MEDIAWIKI_URL" => node['hal8000']['kredits']['mediawiki_url'], - "KREDITS_GITHUB_REPO_BLACKLIST" => node['hal8000']['kredits']['github_repo_blacklist'], - "KREDITS_GITEA_REPO_BLACKLIST" => node['hal8000']['kredits']['gitea_repo_blacklist'] + "EXPRESS_PORT" => node['hal8000']['http_port'] } ) notifies :run, "execute[systemctl daemon-reload]", :delayed notifies :restart, "service[hal8000_nodejs]", :delayed end - cookbook_file "#{name}/wallet.json" do - source "wallet.json" - end - service "hal8000_nodejs" do action [:enable, :start] end From 5521457d095c269d7b5d15970bd2bd919055cac5 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Fri, 10 May 2019 07:22:01 +0200 Subject: [PATCH 12/12] Add hal8000_xmpp to barnard's runlist Also, switch to explicit recipe definitions for the other bots. --- nodes/barnard.kosmos.org.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/nodes/barnard.kosmos.org.json b/nodes/barnard.kosmos.org.json index d1aa027..0790fc7 100644 --- a/nodes/barnard.kosmos.org.json +++ b/nodes/barnard.kosmos.org.json @@ -3,7 +3,9 @@ "role[base]", "role[kredits_github]", "kosmos-ipfs::cluster", - "kosmos-hubot" + "kosmos-hubot::botka_freenode", + "kosmos-hubot::hal8000", + "kosmos-hubot::hal8000_xmpp" ], "automatic": { "ipaddress": "barnard.kosmos.org"