Create nginx_proxy role

Used to configure hosts entries in the Gitea and Drone VMs, as well as the allowed webhooks config for Gitea.
2022-03-12 15:37:38 -06:00
parent b270a2c1fd
commit 0a953070fe
4 changed files with 54 additions and 7 deletions
--- a/site-cookbooks/kosmos_drone/recipes/default.rb
+++ b/site-cookbooks/kosmos_drone/recipes/default.rb
@@ -55,9 +55,24 @@ systemd_unit "drone.service" do
  action [:create, :enable, :start]
 end

+nginx_proxy_ip_addresses = []
+search(:node, "role:nginx_proxy").each do |node|
+  nginx_proxy_ip_addresses << node["knife_zero"]["host"]
+end
+
+nginx_proxy_ip_addresses.each do |ip_address|
+  IPAddr.new ip_address
+  hostsfile_entry ip_address do
+    hostname 'gitea.kosmos.org'
+    action :create
+  end
+rescue IPAddr::InvalidAddressError
+  next
+end
+
 firewall_rule 'drone' do
  port     [node["kosmos_drone"]["upstream_port"]]
-  source   "10.1.1.0/24"
+  source   "10.1.1.0/24" # TODO only allow nginx proxy IPs
  protocol :tcp
  command  :allow
 end
--- a/site-cookbooks/kosmos_gitea/recipes/default.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/default.rb
@@ -60,6 +60,27 @@ directory config_directory do
  mode "0750"
 end

+nginx_proxy_ip_addresses = []
+search(:node, "role:nginx_proxy").each do |node|
+  nginx_proxy_ip_addresses << node["knife_zero"]["host"]
+end
+
+node.default["kosmos_gitea"]["config"] = {
+  "webhook":  {
+    "allowed_host_list" => "external,#{nginx_proxy_ip_addresses.join(",")}"
+  }
+}
+
+nginx_proxy_ip_addresses.each do |ip_address|
+  IPAddr.new ip_address
+  hostsfile_entry ip_address do
+    hostname 'drone.kosmos.org'
+    action :create
+  end
+rescue IPAddr::InvalidAddressError
+  next
+end
+
 template "#{config_directory}/app.ini" do
  source "app.ini.erb"
  owner "git"
@@ -79,7 +100,7 @@ template "#{config_directory}/app.ini" do
            smtp_host: smtp_credentials["relayhost"],
            smtp_user: smtp_credentials["user_name"],
            smtp_password: smtp_credentials["password"],
-            config: node["kosmos_gitea"]["config"]
+            config: node.default["kosmos_gitea"]["config"]
  notifies :restart, "service[gitea]", :delayed
 end

@@ -109,7 +130,7 @@ end

 firewall_rule 'gitea' do
  port     [node["kosmos_gitea"]["port"]]
-  source   "10.1.1.0/24"
+  source   "10.1.1.0/24" # TODO only allow nginx proxy IPs
  protocol :tcp
  command  :allow
 end