kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 28 Pull Requests 4 Projects 2 Activity

Merge branch 'feature/62-hal8000_xmpp' of kosmos/chef into master

Browse Source
This commit is contained in:
gregkare 2019-05-10 08:04:07 +00:00 committed by Gitea
commit 0a3a2b5c2e
8 changed files with 323 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
data_bags/credentials/hal8000_freenode.json
View File

@ -1,33 +1,31 @@
{ {
"id": "hal8000_freenode", "id": "hal8000_freenode",
"nickserv_password": { "nickserv_password": {
"encrypted_data": "wVOuYDPJAjWN/Un+cB/bpKD7gJ4FOOfY6xSTwpOutMD+KmhgjEX4Z99G9rwv\nmeFoBiO3Z9O+C1BeIf3YGAgWnfBgNS5eRnGAxhkzsVyvpyo=\n", "encrypted_data": "rkCsvjS6EipHlxgxPdSiPVl6CCyjyy845P2ftSykmIW0+fxahTSOxbSMYJl8\n1DW6Go88ZE+eKKWIugp2nWDS+5Pnx58I\n",
"iv": "26SarumevOdpdim4omgXng==\n", "iv": "EvNcR0eqpZngoNJx\n",
"version": 1, "auth_tag": "kKFPUuff8llgVZYROTg/EA==\n",
"cipher": "aes-256-cbc" "version": 3,
}, "cipher": "aes-256-gcm"
"rs_logger_token": {
"encrypted_data": "A3z2klmsLGwmJmB4eMVKJu5yC2mjaQii7SAuYBSl/hVtrrWDqlqR5N6vqHSv\nMWoXhptuF+RBOL7wgg0DN08B8A==\n",
"iv": "hpQA2RgJhHytnvoxgsuAhw==\n",
"version": 1,
"cipher": "aes-256-cbc"
}, },
"webhook_token": { "webhook_token": {
"encrypted_data": "w/cC18Wte2w2j1mU9SkeepRxOm4zBgZKd7djU6N1t3i7YgjEhHMPeQmD4m8f\nxhes\n", "encrypted_data": "ItDsU9w6HCGS7ykQdkZEXQEZzPEt6bW42Fbh00AtZz+h7JmQ\n",
"iv": "dqFAa3sXHLePuH26YrJUxw==\n", "iv": "OdaAg/XoUMIEfQEQ\n",
"version": 1, "auth_tag": "9ThqnVhWEZbo4jF4lqa5TA==\n",
"cipher": "aes-256-cbc" "version": 3,
"cipher": "aes-256-gcm"
}, },
"kredits_webhook_token": { "kredits_webhook_token": {
"encrypted_data": "mBESEC0w2Q2wf8LRtHUtKAPDkqqt/xTjtoKCXVbu92xJedCccS51qZNcHp69\nw64Y\n", "encrypted_data": "kUp4XAQkwWFphQT1f4wsGVJJtmhBqrEiW6W1D1ONrpZ0z94=\n",
"iv": "iZX6EzyyFkTHvJ6nnUWT6Q==\n", "iv": "XiGtQlKn4BvAeaS1\n",
"version": 1, "auth_tag": "1hkTI7ccxBN4/6U4VF19WQ==\n",
"cipher": "aes-256-cbc" "version": 3,
"cipher": "aes-256-gcm"
}, },
"kredits_wallet_password": { "kredits_wallet_password": {
"encrypted_data": "6Lq61jWP1oRSLiI0JucQtCdGnPFeJOYpSMZ9nw6oIkWEFbdMXnrEnKNxYJax\n0abI\n", "encrypted_data": "mKcJBPto0OdPpBXB5x3ynxq01DA2CEz476lTAgjGjTNDHQ==\n",
"iv": "XMDv5T30HTK/BhsR1lH79g==\n", "iv": "LIvTZ+fx1suOcnjD\n",
"version": 1, "auth_tag": "mcjLU242nqtNn5XR7ku4BQ==\n",
"cipher": "aes-256-cbc" "version": 3,
"cipher": "aes-256-gcm"
} }
} }

31
data_bags/credentials/hal8000_xmpp.json Normal file
View File

@ -0,0 +1,31 @@
{
"id": "hal8000_xmpp",
"xmpp_password": {
"encrypted_data": "7pE9C6Tdjeg7ZFjtwzgPzC4ekSgPzN18A5ia5awJnKA=\n",
"iv": "p3RqfadD1sPKEof3\n",
"auth_tag": "4zYf0anagoLn5bF3Rt95BQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"webhook_token": {
"encrypted_data": "T6zu7cd5/PXZP56PwjIo5XIjUOJQQSvobvgIekCIB3SgyWQr\n",
"iv": "LwCkuGJP2eZC8S4Y\n",
"auth_tag": "qH5ckddELQR32z3oYxELMg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"kredits_webhook_token": {
"encrypted_data": "W6xJKRCsoX6qY3QJW/kR5I7Y9LNS1L5zB6X1oLzE71soQ/Y=\n",
"iv": "Piw00LKQysN3AVJN\n",
"auth_tag": "BwH/mJoBtqhA5wNXwFUM6w==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"kredits_wallet_password": {
"encrypted_data": "dFKch6Gjt9oN21w15EeHvho1/f7+mZlKe/aOtoHJtmCgbw==\n",
"iv": "GCueL9BRmLFqlmDw\n",
"auth_tag": "Yq3nOeQenXz+c6VoLhZbQw==\n",
"version": 3,
"cipher": "aes-256-gcm"
}
}

4
nodes/barnard.kosmos.org.json
View File

@ -3,7 +3,9 @@
"role[base]", "role[base]",
"role[kredits_github]", "role[kredits_github]",
"kosmos-ipfs::cluster", "kosmos-ipfs::cluster",
"kosmos-hubot" "kosmos-hubot::botka_freenode",
"kosmos-hubot::hal8000",
"kosmos-hubot::hal8000_xmpp"
], ],
"automatic": { "automatic": {
"ipaddress": "barnard.kosmos.org" "ipaddress": "barnard.kosmos.org"

44
site-cookbooks/kosmos-hubot/attributes/default.rb
View File

@ -1,12 +1,36 @@
node.default['hal8000']['kredits']['ipfs_host'] = 'localhost' node.default['hal8000']['http_port'] = 8080
node.default['botka_freenode']['http_port'] = 8081
node.default['botka_freenode']['domain'] = "freenode.botka.kosmos.org"
node.default['hal8000_xmpp']['http_port'] = 8082
node.default['hal8000_xmpp']['domain'] = "hal8000.chat.kosmos.org"
node.default['hal8000_xmpp']['hubot_scripts'] = [
"hubot-help", "hubot-read-tweet", "hubot-redis-brain",
"hubot-rules", "hubot-shipit", "hubot-plusplus",
"hubot-tell", "hubot-seen", "hubot-rss-reader",
"hubot-incoming-webhook", "hubot-auth",
"hubot-kredits", "hubot-schedule"
]
node.default['hal8000_xmpp']['rooms'] = [
'kosmos@chat.kosmos.org',
'kosmos-dev@chat.kosmos.org',
'kredits@chat.kosmos.org',
]
node.default['hal8000_xmpp']['auth_admins'] = []
node.default['hal8000_xmpp']['kredits']['ipfs_host'] = 'localhost'
# Use the running ipfs-cluster, so adding documents adds and pins them on all # Use the running ipfs-cluster, so adding documents adds and pins them on all
# members of the cluster # members of the cluster
node.default['hal8000']['kredits']['ipfs_port'] = '9095' node.default['hal8000_xmpp']['kredits']['ipfs_port'] = '9095'
node.default['hal8000']['kredits']['ipfs_protocol'] = 'http' node.default['hal8000_xmpp']['kredits']['ipfs_protocol'] = 'http'
node.default['hal8000']['kredits']['room'] = '#kosmos' node.default['hal8000_xmpp']['kredits']['room'] = 'kredits@chat.kosmos.org'
node.default['hal8000']['kredits']['provider_url'] = 'https://rinkeby.infura.io/v3/c5e74367261d475ab935e2f0e726482f' node.default['hal8000_xmpp']['kredits']['provider_url'] = 'https://rinkeby.infura.io/v3/c5e74367261d475ab935e2f0e726482f'
node.default['hal8000']['kredits']['network_id'] = '4' node.default['hal8000_xmpp']['kredits']['network_id'] = '4'
node.default['hal8000']['kredits']['wallet_path'] = 'wallet.json' node.default['hal8000_xmpp']['kredits']['wallet_path'] = 'wallet.json'
node.default['hal8000']['kredits']['mediawiki_url'] = 'https://wiki.kosmos.org/' node.default['hal8000_xmpp']['kredits']['mediawiki_url'] = 'https://wiki.kosmos.org/'
node.default['hal8000']['kredits']['github_repo_blacklist'] = '67P/test-one-two' node.default['hal8000_xmpp']['kredits']['github_repo_blacklist'] = '67P/test-one-two'
node.default['hal8000']['kredits']['gitea_repo_blacklist'] = 'kosmos/test-one-two' node.default['hal8000_xmpp']['kredits']['gitea_repo_blacklist'] = 'kosmos/test-one-two'

104
site-cookbooks/kosmos-hubot/recipes/botka_freenode.rb
View File

@ -2,34 +2,55 @@
# Cookbook Name:: kosmos-hubot # Cookbook Name:: kosmos-hubot
# Recipe:: botka_freenode # Recipe:: botka_freenode
# #
# Copyright 2017-2018, Kosmos # Copyright:: 2019, Kosmos Developers
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
app_name = "botka_freenode"
app_path = "/opt/#{app_name}"
app_user = "hubot"
app_group = "hubot"
build_essential 'botka' do build_essential app_name do
compile_time true compile_time true
end end
include_recipe "kosmos-nodejs" include_recipe "kosmos-nodejs"
include_recipe "kosmos-redis" include_recipe "kosmos-redis"
botka_freenode_data_bag_item = Chef::EncryptedDataBagItem.load('credentials', 'botka_freenode') application app_path do
data_bag = Chef::EncryptedDataBagItem.load('credentials', app_name)
botka_freenode_path = "/opt/botka_freenode" owner app_user
application botka_freenode_path do group app_group
owner "hubot"
group "hubot"
git do git do
user "hubot" user app_user
group "hubot" group app_group
repository "https://github.com/67P/botka.git" repository "https://github.com/67P/botka.git"
revision "master" revision "master"
end end
file "#{name}/external-scripts.json" do file "#{app_path}/external-scripts.json" do
mode "0640" mode "0640"
owner "hubot" owner app_user
group "hubot" group app_group
content [ content [
"hubot-help", "hubot-help",
"hubot-redis-brain", "hubot-redis-brain",
@ -39,7 +60,7 @@ application botka_freenode_path do
end end
npm_install do npm_install do
user "hubot" user app_user
end end
execute "systemctl daemon-reload" do execute "systemctl daemon-reload" do
@ -47,46 +68,46 @@ application botka_freenode_path do
action :nothing action :nothing
end end
template "/lib/systemd/system/botka_freenode_nodejs.service" do template "/lib/systemd/system/#{app_name}.service" do
source 'nodejs.systemd.service.erb' source 'nodejs.systemd.service.erb'
owner 'root' owner 'root'
group 'root' group 'root'
mode '0644' mode '0644'
variables( variables(
user: "hubot", user: app_user,
group: "hubot", group: app_group,
app_dir: botka_freenode_path, app_dir: app_path,
entry: "#{botka_freenode_path}/bin/hubot -a irc", entry: "#{app_path}/bin/hubot -a irc",
environment: { environment: {
"HUBOT_LOG_LEVEL" => node.chef_environment == "development" ? "debug" : "info",
"HUBOT_IRC_SERVER" => "irc.freenode.net", "HUBOT_IRC_SERVER" => "irc.freenode.net",
"HUBOT_IRC_ROOMS" => "#5apps,#kosmos,#kosmos-dev,#kosmos-random,#remotestorage,#hackerbeach,#unhosted,#sockethub,#opensourcedesign,#openknot,#emberjs,#mastodon,#indieweb,#lnd", "HUBOT_IRC_ROOMS" => "#5apps,#kosmos,#kosmos-dev,#kosmos-random,#remotestorage,#hackerbeach,#unhosted,#sockethub,#opensourcedesign,#openknot,#emberjs,#mastodon,#indieweb,#lnd",
"HUBOT_IRC_NICK" => "botka", "HUBOT_IRC_NICK" => "botka",
"HUBOT_IRC_NICKSERV_USERNAME" => "botka", "HUBOT_IRC_NICKSERV_USERNAME" => "botka",
"HUBOT_IRC_NICKSERV_PASSWORD" => botka_freenode_data_bag_item['nickserv_password'], "HUBOT_IRC_NICKSERV_PASSWORD" => data_bag['nickserv_password'],
"HUBOT_IRC_UNFLOOD" => "100", "HUBOT_IRC_UNFLOOD" => "100",
"HUBOT_RSS_PRINTSUMMARY" => "false", "HUBOT_RSS_PRINTSUMMARY" => "false",
"HUBOT_RSS_PRINTERROR" => "false", "HUBOT_RSS_PRINTERROR" => "false",
"HUBOT_RSS_IRCCOLORS" => "true", "HUBOT_RSS_IRCCOLORS" => "true",
# "HUBOT_LOG_LEVEL" => "error", "REDIS_URL" => "redis://localhost:6379/botka",
"EXPRESS_PORT" => "8081", "EXPRESS_PORT" => node[app_name]['http_port'],
"HUBOT_AUTH_ADMIN" => "bkero,derbumi,galfert,gregkare,jaaan,slvrbckt,raucao", "HUBOT_AUTH_ADMIN" => "derbumi,galfert,gregkare,slvrbckt,raucao",
"HUBOT_HELP_REPLY_IN_PRIVATE" => "true", "HUBOT_HELP_REPLY_IN_PRIVATE" => "true",
"RS_LOGGER_USER" => "kosmos@5apps.com", "RS_LOGGER_USER" => "kosmos@5apps.com",
"RS_LOGGER_TOKEN" => botka_freenode_data_bag_item['rs_logger_token'], "RS_LOGGER_TOKEN" => data_bag['rs_logger_token'],
"RS_LOGGER_SERVER_NAME" => "freenode", "RS_LOGGER_SERVER_NAME" => "freenode",
"RS_LOGGER_PUBLIC" => "true", "RS_LOGGER_PUBLIC" => "true",
"GCM_API_KEY" => botka_freenode_data_bag_item['gcm_api_key'], "GCM_API_KEY" => data_bag['gcm_api_key'],
"VAPID_SUBJECT" => "https://kosmos.org", "VAPID_SUBJECT" => "https://kosmos.org",
"VAPID_PUBLIC_KEY" => botka_freenode_data_bag_item['vapid_public_key'], "VAPID_PUBLIC_KEY" => data_bag['vapid_public_key'],
"VAPID_PRIVATE_KEY" => botka_freenode_data_bag_item['vapid_private_key'], "VAPID_PRIVATE_KEY" => data_bag['vapid_private_key']
"REDIS_URL" => "redis://localhost:6379/botka"
} }
) )
notifies :run, "execute[systemctl daemon-reload]", :delayed notifies :run, "execute[systemctl daemon-reload]", :delayed
notifies :restart, "service[botka_freenode_nodejs]", :delayed notifies :restart, "service[#{app_name}]", :delayed
end end
service "botka_freenode_nodejs" do service app_name do
action [:enable, :start] action [:enable, :start]
end end
end end
@ -95,34 +116,23 @@ end
# Nginx reverse proxy # Nginx reverse proxy
# #
unless node.chef_environment == "development" unless node.chef_environment == "development"
express_port = 8081
express_domain = "freenode.botka.kosmos.org"
include_recipe "kosmos-base::letsencrypt" include_recipe "kosmos-base::letsencrypt"
include_recipe "kosmos-nginx" include_recipe "kosmos-nginx"
template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do template "#{node['nginx']['dir']}/sites-available/#{node[app_name]['domain']}" do
source 'nginx_conf_hubot.erb' source 'nginx_conf_hubot.erb'
owner node["nginx"]["user"] owner node["nginx"]["user"]
mode 0640 mode 0640
variables express_port: express_port, variables express_port: node[app_name]['http_port'],
server_name: express_domain, server_name: node[app_name]['domain'],
ssl_cert: "/etc/letsencrypt/live/#{express_domain}/fullchain.pem", ssl_cert: "/etc/letsencrypt/live/#{node[app_name]['domain']}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{express_domain}/privkey.pem" ssl_key: "/etc/letsencrypt/live/#{node[app_name]['domain']}/privkey.pem"
notifies :reload, 'service[nginx]', :delayed notifies :reload, 'service[nginx]', :delayed
end end
nginx_site express_domain do nginx_site node[app_name]['domain'] do
action :enable action :enable
end end
nginx_certbot_site express_domain nginx_certbot_site node[app_name]['domain']
include_recipe "firewall"
firewall_rule 'hubot_express_botka_freenode' do
port express_port
protocol :tcp
command :allow
end
end end

49
site-cookbooks/kosmos-hubot/recipes/hal8000.rb
View File

@ -2,7 +2,25 @@
# Cookbook Name:: kosmos-hubot # Cookbook Name:: kosmos-hubot
# Recipe:: hal8000 # Recipe:: hal8000
# #
# Copyright 2017-2018, Kosmos # Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
# #
build_essential 'hal8000' do build_essential 'hal8000' do
@ -13,18 +31,10 @@ include_recipe "kosmos-nodejs"
include_recipe "kosmos-redis" include_recipe "kosmos-redis"
include_recipe "kosmos-hubot::_user" include_recipe "kosmos-hubot::_user"
# Needed for hubot-kredits
include_recipe "kosmos-ipfs"
unless node.chef_environment == "development" unless node.chef_environment == "development"
include_recipe 'firewall' include_recipe 'firewall'
firewall_rule 'hubot_express_hal8000_freenode' do firewall_rule 'hubot_express_hal8000_freenode' do
port 8080 port node['hal8000']['http_port']
protocol :tcp
command :allow
end
firewall_rule 'ipfs_swarm_p2p' do
port 4001
protocol :tcp protocol :tcp
command :allow command :allow
end end
@ -60,7 +70,6 @@ application hal8000_path do
"hubot-rss-reader", "hubot-rss-reader",
"hubot-incoming-webhook", "hubot-incoming-webhook",
"hubot-auth", "hubot-auth",
"hubot-kredits",
"hubot-schedule" "hubot-schedule"
].to_json ].to_json
end end
@ -96,33 +105,17 @@ application hal8000_path do
"HUBOT_RSS_PRINTERROR" => "false", "HUBOT_RSS_PRINTERROR" => "false",
"HUBOT_RSS_IRCCOLORS" => "true", "HUBOT_RSS_IRCCOLORS" => "true",
"HUBOT_PLUSPLUS_POINTS_TERM" => "karma,karma", "HUBOT_PLUSPLUS_POINTS_TERM" => "karma,karma",
"EXPRESS_PORT" => "8080",
"HUBOT_RSS_HEADER" => "Update:", "HUBOT_RSS_HEADER" => "Update:",
"HUBOT_AUTH_ADMIN" => "bkero,derbumi,galfert,gregkare,slvrbckt,raucao", "HUBOT_AUTH_ADMIN" => "bkero,derbumi,galfert,gregkare,slvrbckt,raucao",
"HUBOT_HELP_REPLY_IN_PRIVATE" => "true", "HUBOT_HELP_REPLY_IN_PRIVATE" => "true",
"WEBHOOK_TOKEN" => hal8000_freenode_data_bag_item['webhook_token'], "WEBHOOK_TOKEN" => hal8000_freenode_data_bag_item['webhook_token'],
"IPFS_API_HOST" => node['hal8000']['kredits']['ipfs_host'], "EXPRESS_PORT" => node['hal8000']['http_port']
"IPFS_API_PORT" => node['hal8000']['kredits']['ipfs_port'],
"IPFS_API_PROTOCOL" => node['hal8000']['kredits']['ipfs_protocol'],
"KREDITS_ROOM" => node['hal8000']['kredits']['room'],
"KREDITS_WEBHOOK_TOKEN" => hal8000_freenode_data_bag_item['kredits_webhook_token'],
"KREDITS_PROVIDER_URL" => node['hal8000']['kredits']['provider_url'],
"KREDITS_NETWORK_ID" => node['hal8000']['kredits']['network_id'],
"KREDITS_WALLET_PATH" => node['hal8000']['kredits']['wallet_path'],
"KREDITS_WALLET_PASSWORD" => hal8000_freenode_data_bag_item['kredits_wallet_password'],
"KREDITS_MEDIAWIKI_URL" => node['hal8000']['kredits']['mediawiki_url'],
"KREDITS_GITHUB_REPO_BLACKLIST" => node['hal8000']['kredits']['github_repo_blacklist'],
"KREDITS_GITEA_REPO_BLACKLIST" => node['hal8000']['kredits']['gitea_repo_blacklist']
} }
) )
notifies :run, "execute[systemctl daemon-reload]", :delayed notifies :run, "execute[systemctl daemon-reload]", :delayed
notifies :restart, "service[hal8000_nodejs]", :delayed notifies :restart, "service[hal8000_nodejs]", :delayed
end end
cookbook_file "#{name}/wallet.json" do
source "wallet.json"
end
service "hal8000_nodejs" do service "hal8000_nodejs" do
action [:enable, :start] action [:enable, :start]
end end

155
site-cookbooks/kosmos-hubot/recipes/hal8000_xmpp.rb Normal file
View File

@ -0,0 +1,155 @@
#
# Cookbook Name:: kosmos-hubot
# Recipe:: hal8000_xmpp
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
app_name = "hal8000_xmpp"
app_path = "/opt/#{app_name}"
app_user = "hubot"
app_group = "hubot"
build_essential app_name do
compile_time true
end
include_recipe "kosmos-nodejs"
include_recipe "kosmos-redis"
include_recipe "kosmos-hubot::_user"
# Needed for hubot-kredits
include_recipe "kosmos-ipfs"
unless node.chef_environment == "development"
include_recipe 'firewall'
firewall_rule 'ipfs_swarm_p2p' do
port 4001
protocol :tcp
command :allow
end
end
application app_path do
data_bag = Chef::EncryptedDataBagItem.load('credentials', app_name)
owner app_user
group app_group
git do
user app_user
group app_group
repository "https://github.com/67P/hal8000.git"
revision "master"
end
file "#{app_path}/external-scripts.json" do
mode "0640"
owner app_user
group app_group
content node[app_name]['hubot_scripts'].to_json
end
npm_install do
user app_user
end
execute "systemctl daemon-reload" do
command "systemctl daemon-reload"
action :nothing
end
template "/lib/systemd/system/#{app_name}.service" do
source 'nodejs.systemd.service.erb'
owner 'root'
group 'root'
mode '0644'
variables(
user: app_user,
group: app_user,
app_dir: app_path,
entry: "#{app_path}/bin/hubot -a xmpp --name hal8000",
environment: {
"HUBOT_LOG_LEVEL" => node.chef_environment == "development" ? "debug" : "info",
"HUBOT_XMPP_USERNAME" => "hal8000@kosmos.org/hubot",
"HUBOT_XMPP_PASSWORD" => data_bag['xmpp_password'],
"HUBOT_XMPP_HOST" => "xmpp.kosmos.org",
"HUBOT_XMPP_ROOMS" => node[app_name]['rooms'].join(','),
"HUBOT_AUTH_ADMIN" => node[app_name]['auth_admins'].join(','),
"HUBOT_RSS_PRINTSUMMARY" => "false",
"HUBOT_RSS_PRINTERROR" => "false",
"HUBOT_RSS_IRCCOLORS" => "true",
"HUBOT_PLUSPLUS_POINTS_TERM" => "karma,karma",
"HUBOT_RSS_HEADER" => "Update:",
"HUBOT_HELP_REPLY_IN_PRIVATE" => "true",
"REDIS_URL" => "redis://localhost:6379/#{app_name}",
"EXPRESS_PORT" => node[app_name]['http_port'],
"WEBHOOK_TOKEN" => data_bag['webhook_token'],
"IPFS_API_HOST" => node[app_name]['kredits']['ipfs_host'],
"IPFS_API_PORT" => node[app_name]['kredits']['ipfs_port'],
"IPFS_API_PROTOCOL" => node[app_name]['kredits']['ipfs_protocol'],
"KREDITS_ROOM" => node[app_name]['kredits']['room'],
"KREDITS_WEBHOOK_TOKEN" => data_bag['kredits_webhook_token'],
"KREDITS_PROVIDER_URL" => node[app_name]['kredits']['provider_url'],
"KREDITS_NETWORK_ID" => node[app_name]['kredits']['network_id'],
"KREDITS_WALLET_PATH" => node[app_name]['kredits']['wallet_path'],
"KREDITS_WALLET_PASSWORD" => data_bag['kredits_wallet_password'],
"KREDITS_MEDIAWIKI_URL" => node[app_name]['kredits']['mediawiki_url'],
"KREDITS_GITHUB_REPO_BLACKLIST" => node[app_name]['kredits']['github_repo_blacklist'],
"KREDITS_GITEA_REPO_BLACKLIST" => node[app_name]['kredits']['gitea_repo_blacklist']
}
)
notifies :run, "execute[systemctl daemon-reload]", :delayed
notifies :restart, "service[#{app_name}]", :delayed
end
cookbook_file "#{app_path}/wallet.json" do
source "wallet.json"
end
service app_name do
action [:enable, :start]
end
end
#
# Nginx reverse proxy
#
unless node.chef_environment == "development"
include_recipe "kosmos-base::letsencrypt"
include_recipe "kosmos-nginx"
template "#{node['nginx']['dir']}/sites-available/#{node[app_name]['domain']}" do
source 'nginx_conf_hubot.erb'
owner node["nginx"]["user"]
mode 0640
variables express_port: node[app_name]['http_port'],
server_name: node[app_name]['domain'],
ssl_cert: "/etc/letsencrypt/live/#{node[app_name]['domain']}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{node[app_name]['domain']}/privkey.pem"
notifies :reload, 'service[nginx]', :delayed
end
nginx_site node[app_name]['domain'] do
action :enable
end
nginx_certbot_site node[app_name]['domain']
end

4
site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb
View File

@ -8,10 +8,10 @@ upstream _express_<%= @server_name.gsub(".", "_") %> {
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
server { server {
listen 443 ssl http2; listen 443 ssl http2;
add_header Strict-Transport-Security "max-age=15768000";
server_name <%= @server_name %>; server_name <%= @server_name %>;
add_header Strict-Transport-Security "max-age=15768000";
access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json; access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json;
error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn; error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn;