Upgrade Sockethub, move proxy to LB/host

site-cookbooks/sockethub/recipes/default.rb

@@ -5,6 +5,7 @@
 
 include_recipe 'kosmos-nodejs'
 include_recipe 'kosmos-redis'
+include_recipe "kosmos-base::firewall"
 
 user  = "sockethub"
 group = "sockethub"
@@ -62,3 +63,12 @@ WantedBy=multi-user.target
   triggers_reload true
   action [:create, :enable, :start]
 end
+
+unless node.chef_environment == "development"
+  firewall_rule 'sockethub' do
+    port     [node['sockethub']['port'].to_i]
+    source   "10.1.1.0/24"
+    protocol :tcp
+    command  :allow
+  end
+end

site-cookbooks/sockethub/recipes/firewall.rb

@@ -1,14 +0,0 @@
-#
-# Cookbook Name:: sockethub
-# Recipe:: firewall
-#
-
-unless node.chef_environment == "development"
-  include_recipe "kosmos-base::firewall"
-
-  firewall_rule 'sockethub' do
-    port     node['sockethub']['external_port'].to_i
-    protocol :tcp
-    command  :allow
-  end
-end

site-cookbooks/sockethub/recipes/proxy.rb

@@ -3,50 +3,30 @@
 # Recipe:: proxy
 #
 
-include_recipe 'sockethub::firewall'
 include_recipe 'kosmos-nginx'
-include_recipe "kosmos-base::letsencrypt"
+include_recipe "kosmos-base::firewall"
 
 server_name = node['sockethub']['nginx']['server_name']
 
-nginx_post_hook = <<-EOF
-#!/usr/bin/env bash
+nginx_certbot_site server_name
 
-set -e
-
-systemctl reload nginx
-EOF
-
-file "/etc/letsencrypt/renewal-hooks/post/nginx" do
-  content nginx_post_hook
-  mode 0755
-  owner "root"
-  group "root"
+upstream_hosts = []
+search(:node, "role:sockethub").each do |n|
+  upstream_hosts << "#{n["knife_zero"]["host"]}:#{node['sockethub']['port']}"
 end
 
-gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
-
-template "/root/gandi_dns_certbot_hook.sh" do
-  variables gandi_api_key: gandi_api_data_bag_item["key"]
-  mode 0770
-end
-
-# Generate a Let's Encrypt cert (only if no cert has been generated before).
-# The systemd timer will take care of renewing
-execute "letsencrypt cert for sockethub" do
-  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/nginx\" --email ops@kosmos.org -d #{server_name}  -n"
-  not_if do
-    File.exist?("/etc/letsencrypt/live/#{server_name}/fullchain.pem")
-  end
+if upstream_hosts.empty?
+  Chef::Log.warn('No server with "sockethub" role. Stopping here.')
+  return
 end
 
 template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
   source 'nginx_conf_sockethub.erb'
   owner 'www-data'
   mode 0640
-  variables sockethub_port:          node['sockethub']['port'],
+  variables server_name:             server_name,
+            upstream_hosts:          upstream_hosts,
             sockethub_external_port: node['sockethub']['external_port'],
-            server_name:             server_name,
             ssl_cert:                "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
             ssl_key:                 "/etc/letsencrypt/live/#{server_name}/privkey.pem"
   notifies :reload, 'service[nginx]', :delayed
@@ -56,3 +36,10 @@ nginx_site server_name do
   action :enable
 end
 
+unless node.chef_environment == "development"
+  firewall_rule 'sockethub' do
+    port     node['sockethub']['external_port'].to_i
+    protocol :tcp
+    command  :allow
+  end
+end