From 0cda379c196cc40359aca088588bd4ccaa310040 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Fri, 18 Mar 2022 11:10:46 -0600
Subject: [PATCH] Upgrade Sockethub, move proxy to LB/host

---
 nodes/barnard.kosmos.org.json | 3 -
 nodes/fornax.kosmos.org.json | 1 +
 nodes/nodejs-2.json | 5 +-
 roles/nginx_proxy.rb | 1 +
 roles/sockethub.rb | 1 -
 .../sockethub/attributes/default.rb | 2 +-
 site-cookbooks/sockethub/recipes/default.rb | 10 +++
 site-cookbooks/sockethub/recipes/firewall.rb | 14 ----
 site-cookbooks/sockethub/recipes/proxy.rb | 47 +++++---------
 .../default/nginx_conf_sockethub.erb | 4 +-
 .../templates/gandi_dns_certbot_hook.sh.erb | 63 -------------------
 11 files changed, 35 insertions(+), 116 deletions(-)
 delete mode 100644 site-cookbooks/sockethub/recipes/firewall.rb
 delete mode 100755 site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb

diff --git a/nodes/barnard.kosmos.org.json b/nodes/barnard.kosmos.org.json
index 9de80d0..618de69 100644
--- a/nodes/barnard.kosmos.org.json
+++ b/nodes/barnard.kosmos.org.json
@@ -25,9 +25,6 @@
 "kosmos-hubot::botka_freenode",
 "kosmos-hubot::hal8000",
 "kosmos-hubot::hal8000_xmpp",
- "sockethub",
- "sockethub::default",
- "sockethub::proxy",
 "kosmos-dirsrv",
 "kosmos-dirsrv::default",
 "apt::default",
diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json
index e4965b7..9a613dc 100644
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@@ -24,6 +24,7 @@
 "kosmos_gitea::nginx",
 "kosmos_website",
 "kosmos_website::default",
+ "sockethub::proxy",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
diff --git a/nodes/nodejs-2.json b/nodes/nodejs-2.json
index 67f0e7d..02c68ab 100644
--- a/nodes/nodejs-2.json
+++ b/nodes/nodejs-2.json
@@ -79,7 +79,6 @@
 "run_list": [
 "recipe[kosmos-base]",
 "recipe[kosmos-hubot::botka_irc-libera-chat]",
- "role[kredits_github]",
- "role[sockethub]"
+ "role[kredits_github]"
 ]
-}
\ No newline at end of file
+}
diff --git a/roles/nginx_proxy.rb b/roles/nginx_proxy.rb
index 8b428e2..d9f5a6c 100644
--- a/roles/nginx_proxy.rb
+++ b/roles/nginx_proxy.rb
@@ -6,6 +6,7 @@ default_run_list = %w(
 kosmos_drone::nginx
 kosmos_gitea::nginx
 kosmos_website::default
+ sockethub::proxy
 )
 
 env_run_lists(
diff --git a/roles/sockethub.rb b/roles/sockethub.rb
index 27d7584..da94041 100644
--- a/roles/sockethub.rb
+++ b/roles/sockethub.rb
@@ -6,5 +6,4 @@ default_attributes 'sockethub' => {
 run_list %w(
 sockethub::default
- sockethub::proxy
 )
diff --git a/site-cookbooks/sockethub/attributes/default.rb b/site-cookbooks/sockethub/attributes/default.rb
index 18a135b..e33b6c8 100644
--- a/site-cookbooks/sockethub/attributes/default.rb
+++ b/site-cookbooks/sockethub/attributes/default.rb
@@ -1,4 +1,4 @@
-node.default['sockethub']['port'] = '10551'
+node.default['sockethub']['port'] = '10550'
 node.default['sockethub']['external_port'] = '10550'
 node.default['sockethub']['version'] = '4.1.0'
 node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org'
diff --git a/site-cookbooks/sockethub/recipes/default.rb b/site-cookbooks/sockethub/recipes/default.rb
index eaf9568..f51bef3 100644
--- a/site-cookbooks/sockethub/recipes/default.rb
+++ b/site-cookbooks/sockethub/recipes/default.rb
@@ -5,6 +5,7 @@
 
 include_recipe 'kosmos-nodejs'
 include_recipe 'kosmos-redis'
+include_recipe "kosmos-base::firewall"
 
 user = "sockethub"
 group = "sockethub"
@@ -62,3 +63,12 @@ WantedBy=multi-user.target
 triggers_reload true
 action [:create, :enable, :start]
 end
+
+unless node.chef_environment == "development"
+ firewall_rule 'sockethub' do
+ port [node['sockethub']['port'].to_i]
+ source "10.1.1.0/24"
+ protocol :tcp
+ command :allow
+ end
+end
diff --git a/site-cookbooks/sockethub/recipes/firewall.rb b/site-cookbooks/sockethub/recipes/firewall.rb
deleted file mode 100644
index 08f58b0..0000000
--- a/site-cookbooks/sockethub/recipes/firewall.rb
+++ /dev/null
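Review bot: After this hunk `node['sockethub']['port']` and `node['sockethub']['external_port']` both read `'10550'`, so nothing in the attribute file tells a reader that the first is the port sockethub itself binds (the proxy recipe in this patch dials it as an upstream) and the second is the port the proxy exposes; a one-line comment on each, e.g. `# port sockethub binds; the nginx proxy connects to it as an upstream` and `# port the nginx proxy listens on for clients`, would keep them from being merged later. Both are strings and every consumer added in this patch calls `.to_i` on them, so storing integers would drop those conversions, though that is a style choice. The commit title speaks of an upgrade, but the `version` line here is unchanged context, so the upgrade presumably lives outside this patch.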
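Review bot: The `source "10.1.1.0/24"` restriction in the second hunk matches on the proxy's source address, so it only works if the proxy reaches this node over that private network; the proxy recipe in this patch dials `n["knife_zero"]["host"]`, and if that resolves to a public address the proxy's traffic arrives from outside the range and is not matched by this rule. That assumption is worth a comment on the `source` line, e.g. `# only the nginx proxy, reaching us over the private network, may talk to sockethub directly`. The proxy-to-sockethub hop is now plain TCP across the network rather than `localhost`, so this source restriction appears to be the only thing keeping the backend port off the public side. Separately, the first hunk now includes `kosmos-base::firewall` unconditionally, whereas the deleted `sockethub::firewall` recipe only pulled it in outside the `development` environment; if that distinction still matters, the include belongs inside the `unless` block next to the rule.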
@@ -1,14 +0,0 @@
-#
-# Cookbook Name:: sockethub
-# Recipe:: firewall
-#
-
-unless node.chef_environment == "development"
- include_recipe "kosmos-base::firewall"
-
- firewall_rule 'sockethub' do
- port node['sockethub']['external_port'].to_i
- protocol :tcp
- command :allow
- end
-end
diff --git a/site-cookbooks/sockethub/recipes/proxy.rb b/site-cookbooks/sockethub/recipes/proxy.rb
index a62b5fd..9a5cd2d 100644
--- a/site-cookbooks/sockethub/recipes/proxy.rb
+++ b/site-cookbooks/sockethub/recipes/proxy.rb
@@ -3,50 +3,30 @@
 # Recipe:: proxy
 #
 
-include_recipe 'sockethub::firewall'
 include_recipe 'kosmos-nginx'
-include_recipe "kosmos-base::letsencrypt"
+include_recipe "kosmos-base::firewall"
 
 server_name = node['sockethub']['nginx']['server_name']
 
-nginx_post_hook = <<-EOF
-#!/usr/bin/env bash
+nginx_certbot_site server_name
 
-set -e
-
-systemctl reload nginx
-EOF
-
-file "/etc/letsencrypt/renewal-hooks/post/nginx" do
- content nginx_post_hook
- mode 0755
- owner "root"
- group "root"
+upstream_hosts = []
+search(:node, "role:sockethub").each do |n|
+ upstream_hosts << "#{n["knife_zero"]["host"]}:#{node['sockethub']['port']}"
 end
 
-gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
-
-template "/root/gandi_dns_certbot_hook.sh" do
- variables gandi_api_key: gandi_api_data_bag_item["key"]
- mode 0770
-end
-
-# Generate a Let's Encrypt cert (only if no cert has been generated before).
-# The systemd timer will take care of renewing
-execute "letsencrypt cert for sockethub" do
- command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/nginx\" --email ops@kosmos.org -d #{server_name} -n"
- not_if do
- File.exist?("/etc/letsencrypt/live/#{server_name}/fullchain.pem")
- end
+if upstream_hosts.empty?
+ Chef::Log.warn('No server with "sockethub" role.
Stopping here.')
+ return
 end
 
 template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
 source 'nginx_conf_sockethub.erb'
 owner 'www-data'
 mode 0640
- variables sockethub_port: node['sockethub']['port'],
+ variables server_name: server_name,
+ upstream_hosts: upstream_hosts,
 sockethub_external_port: node['sockethub']['external_port'],
- server_name: server_name,
 ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
 ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
 notifies :reload, 'service[nginx]', :delayed
@@ -56,3 +36,10 @@ nginx_site server_name do
 action :enable
 end
 
+unless node.chef_environment == "development"
+ firewall_rule 'sockethub' do
+ port node['sockethub']['external_port'].to_i
+ protocol :tcp
+ command :allow
+ end
+end
diff --git a/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb b/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb
index a25bd84..dad962e 100644
--- a/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb
+++ b/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb
@@ -1,6 +1,8 @@
 # Generated by Chef
 upstream _sockethub {
- server localhost:<%= @sockethub_port %>;
+ <% @upstream_hosts.each do |upstream_host| -%>
+ server <%= upstream_host %>;
+ <% end -%>
 }
 
 map $http_upgrade $connection_upgrade {
diff --git a/site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb b/site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb
deleted file mode 100755
index d0ed9dc..0000000
--- a/site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb
+++ /dev/null
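Review bot: `search(:node, "role:sockethub")` in this hunk returns nodes in no guaranteed order, so `upstream_hosts` can change order between runs, which rewrites the site template and triggers the `nginx` reload it notifies; sorting keeps the rendered config stable, e.g. `upstream_hosts = search(:node, "role:sockethub").map { |n| "#{n["knife_zero"]["host"]}:#{n['sockethub']['port']}" }.sort`. That form also takes the port from the backend node `n` rather than from the proxy's own `node['sockethub']['port']`; `roles/sockethub.rb` (seen in this patch's hunk header) sets `default_attributes 'sockethub' => {` on role members, which the proxy node never receives, so an override there would silently go unused. This patch also removes `role[sockethub]` from `nodes/nodejs-2.json` and the sockethub recipes from `nodes/barnard.kosmos.org.json` without adding the role anywhere visible, so unless a node outside this diff carries it the search comes back empty and the recipe stops at the warning without rendering the site. The `template` resource opened at the end of this hunk closes outside it.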
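Review bot: The loop added to the `upstream _sockethub` block renders no `server` line at all when `@upstream_hosts` is empty, and nginx rejects an upstream with no servers; the recipe avoids that by returning before the template when the search finds nothing, but the template itself does not say so. A template comment would record the coupling, e.g. `<%# rendered only after proxy.rb has confirmed @upstream_hosts is non-empty; nginx rejects an empty upstream %>`. The rest of the server block is outside this hunk.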
@@ -1,63 +0,0 @@
-#!/usr/bin/env bash
-#
-
-set -euf -o pipefail
-
-# ************** USAGE **************
-#
-# Example usage (with this hook file saved in /root/):
-#
-# sudo su -
-# certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
-# --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
-#
-# This hook requires configuration, continue reading.
-#
-# ************** CONFIGURATION **************
-#
-# GANDI_API_KEY: Your Gandi Live API key
-#
-# PROVIDER_UPDATE_DELAY:
-# How many seconds to wait after updating your DNS records. This may be required,
-# depending on how slow your DNS host is to begin serving new DNS records after updating
-# them via the API. 30 seconds is a safe default, but some providers can be very slow
-# (e.g. Linode).
-#
-# Defaults to 30 seconds.
-#
-GANDI_API_KEY="<%= @gandi_api_key %>"
-PROVIDER_UPDATE_DELAY=30
-
-regex='.*\.(.*\..*)'
-if [[ $CERTBOT_DOMAIN =~ $regex ]]
-then
- DOMAIN="${BASH_REMATCH[1]}"
-else
- DOMAIN="${CERTBOT_DOMAIN}"
-fi
-
-# To be invoked via Certbot's --manual-auth-hook
-function auth {
- curl -s -D- -H "Content-Type: application/json" \
- -H "X-Api-Key: ${GANDI_API_KEY}" \
- -d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
- \"rrset_type\": \"TXT\",
- \"rrset_ttl\": 3600,
- \"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
- "https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
-
-
- sleep ${PROVIDER_UPDATE_DELAY}
-}
-
-# To be invoked via Certbot's --manual-cleanup-hook
-function cleanup {
- curl -s -X DELETE -H "Content-Type: application/json" \
- -H "X-Api-Key: ${GANDI_API_KEY}" \
- https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
-}
-
-HANDLER=$1; shift;
-if [ -n "$(type -t $HANDLER)" ] && [ "$(type -t $HANDLER)" = function ]; then
- $HANDLER "$@"
-fi