Upgrade Sockethub, move proxy to LB/host

2022-03-18 11:10:46 -06:00 · 2022-03-18 11:10:46 -06:00 · 0cda379c19
commit 0cda379c19
parent 9cb77c54db
11 changed files with 35 additions and 116 deletions
--- a/nodes/barnard.kosmos.org.json
+++ b/nodes/barnard.kosmos.org.json
@ -25,9 +25,6 @@
      "kosmos-hubot::botka_freenode",
      "kosmos-hubot::hal8000",
      "kosmos-hubot::hal8000_xmpp",
-      "sockethub",
-      "sockethub::default",
-      "sockethub::proxy",
      "kosmos-dirsrv",
      "kosmos-dirsrv::default",
      "apt::default",
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@ -24,6 +24,7 @@
      "kosmos_gitea::nginx",
      "kosmos_website",
      "kosmos_website::default",
+      "sockethub::proxy",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
--- a/nodes/nodejs-2.json
+++ b/nodes/nodejs-2.json
@ -79,7 +79,6 @@
  "run_list": [
    "recipe[kosmos-base]",
    "recipe[kosmos-hubot::botka_irc-libera-chat]",
-    "role[kredits_github]",
-    "role[sockethub]"
+    "role[kredits_github]"
  ]
-}
+}
--- a/roles/nginx_proxy.rb
+++ b/roles/nginx_proxy.rb
@ -6,6 +6,7 @@ default_run_list = %w(
  kosmos_drone::nginx
  kosmos_gitea::nginx
  kosmos_website::default
+  sockethub::proxy
 )

 env_run_lists(
--- a/roles/sockethub.rb
+++ b/roles/sockethub.rb
@ -6,5 +6,4 @@ default_attributes 'sockethub' => {

 run_list %w(
  sockethub::default
-  sockethub::proxy
 )
--- a/site-cookbooks/sockethub/attributes/default.rb
+++ b/site-cookbooks/sockethub/attributes/default.rb
@ -1,4 +1,4 @@
-node.default['sockethub']['port']                 = '10551'
+node.default['sockethub']['port']                 = '10550'
 node.default['sockethub']['external_port']        = '10550'
 node.default['sockethub']['version']              = '4.1.0'
 node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org'
--- a/site-cookbooks/sockethub/recipes/default.rb
+++ b/site-cookbooks/sockethub/recipes/default.rb
@ -5,6 +5,7 @@

 include_recipe 'kosmos-nodejs'
 include_recipe 'kosmos-redis'
+include_recipe "kosmos-base::firewall"

 user  = "sockethub"
 group = "sockethub"
@ -62,3 +63,12 @@ WantedBy=multi-user.target
  triggers_reload true
  action [:create, :enable, :start]
 end
+
+unless node.chef_environment == "development"
+  firewall_rule 'sockethub' do
+    port     [node['sockethub']['port'].to_i]
+    source   "10.1.1.0/24"
+    protocol :tcp
+    command  :allow
+  end
+end
--- a/site-cookbooks/sockethub/recipes/firewall.rb
+++ b/site-cookbooks/sockethub/recipes/firewall.rb
@ -1,14 +0,0 @@
-#
-# Cookbook Name:: sockethub
-# Recipe:: firewall
-#
-
-unless node.chef_environment == "development"
-  include_recipe "kosmos-base::firewall"
-
-  firewall_rule 'sockethub' do
-    port     node['sockethub']['external_port'].to_i
-    protocol :tcp
-    command  :allow
-  end
-end
--- a/site-cookbooks/sockethub/recipes/proxy.rb
+++ b/site-cookbooks/sockethub/recipes/proxy.rb
@ -3,50 +3,30 @@
 # Recipe:: proxy
 #

-include_recipe 'sockethub::firewall'
 include_recipe 'kosmos-nginx'
-include_recipe "kosmos-base::letsencrypt"
+include_recipe "kosmos-base::firewall"

 server_name = node['sockethub']['nginx']['server_name']

-nginx_post_hook = <<-EOF
-#!/usr/bin/env bash
+nginx_certbot_site server_name

-set -e
-
-systemctl reload nginx
-EOF
-
-file "/etc/letsencrypt/renewal-hooks/post/nginx" do
-  content nginx_post_hook
-  mode 0755
-  owner "root"
-  group "root"
+upstream_hosts = []
+search(:node, "role:sockethub").each do |n|
+  upstream_hosts << "#{n["knife_zero"]["host"]}:#{node['sockethub']['port']}"
 end

-gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
-
-template "/root/gandi_dns_certbot_hook.sh" do
-  variables gandi_api_key: gandi_api_data_bag_item["key"]
-  mode 0770
-end
-
-# Generate a Let's Encrypt cert (only if no cert has been generated before).
-# The systemd timer will take care of renewing
-execute "letsencrypt cert for sockethub" do
-  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/nginx\" --email ops@kosmos.org -d #{server_name}  -n"
-  not_if do
-    File.exist?("/etc/letsencrypt/live/#{server_name}/fullchain.pem")
-  end
+if upstream_hosts.empty?
+  Chef::Log.warn('No server with "sockethub" role. Stopping here.')
+  return
 end

 template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
  source 'nginx_conf_sockethub.erb'
  owner 'www-data'
  mode 0640
-  variables sockethub_port:          node['sockethub']['port'],
+  variables server_name:             server_name,
+            upstream_hosts:          upstream_hosts,
            sockethub_external_port: node['sockethub']['external_port'],
-            server_name:             server_name,
            ssl_cert:                "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
            ssl_key:                 "/etc/letsencrypt/live/#{server_name}/privkey.pem"
  notifies :reload, 'service[nginx]', :delayed
@ -56,3 +36,10 @@ nginx_site server_name do
  action :enable
 end

+unless node.chef_environment == "development"
+  firewall_rule 'sockethub' do
+    port     node['sockethub']['external_port'].to_i
+    protocol :tcp
+    command  :allow
+  end
+end
--- a/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb
+++ b/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb
@ -1,6 +1,8 @@
 # Generated by Chef
 upstream _sockethub {
-  server   localhost:<%= @sockethub_port %>;
+  <% @upstream_hosts.each do |upstream_host| -%>
+  server   <%= upstream_host %>;
+  <% end -%>
 }

 map $http_upgrade $connection_upgrade {
--- a/site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb
+++ b/site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb
@ -1,63 +0,0 @@
-#!/usr/bin/env bash
-#
-
-set -euf -o pipefail
-
-# ************** USAGE **************
-#
-# Example usage (with this hook file saved in /root/):
-#
-#   sudo su -
-#   certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
-#     --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
-#
-# This hook requires configuration, continue reading.
-#
-# ************** CONFIGURATION **************
-#
-# GANDI_API_KEY: Your Gandi Live API key
-#
-# PROVIDER_UPDATE_DELAY:
-#   How many seconds to wait after updating your DNS records. This may be required,
-#   depending on how slow your DNS host is to begin serving new DNS records after updating
-#   them via the API. 30 seconds is a safe default, but some providers can be very slow
-#   (e.g. Linode).
-#
-#   Defaults to 30 seconds.
-#
-GANDI_API_KEY="<%= @gandi_api_key %>"
-PROVIDER_UPDATE_DELAY=30
-
-regex='.*\.(.*\..*)'
-if [[ $CERTBOT_DOMAIN =~ $regex ]]
-then
-  DOMAIN="${BASH_REMATCH[1]}"
-else
-  DOMAIN="${CERTBOT_DOMAIN}"
-fi
-
-# To be invoked via Certbot's --manual-auth-hook
-function auth {
-    curl -s -D- -H "Content-Type: application/json" \
-        -H "X-Api-Key: ${GANDI_API_KEY}" \
-        -d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
-             \"rrset_type\": \"TXT\",
-             \"rrset_ttl\": 3600,
-             \"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
-        "https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
-
-
-    sleep ${PROVIDER_UPDATE_DELAY}
-}
-
-# To be invoked via Certbot's --manual-cleanup-hook
-function cleanup {
-    curl -s -X DELETE -H "Content-Type: application/json" \
-        -H "X-Api-Key: ${GANDI_API_KEY}" \
-        https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
-}
-
-HANDLER=$1; shift;
-if [ -n "$(type -t $HANDLER)" ] && [ "$(type -t $HANDLER)" = function ]; then
-  $HANDLER "$@"
-fi