Add the initial kosmos-akkounts cookbook to deploy akkounts-api

Includes a recipe to set up nginx as a reverse proxy with a TLS
certificate for api.accounts.kosmos.org

Closes #18
Closes #20

nodes/barnard.kosmos.org.json

@@ -101,6 +101,8 @@
     "recipe[kosmos-hubot::hal8000_xmpp]",
     "recipe[kosmos-hubot::wormhole]",
     "recipe[sockethub]",
-    "recipe[sockethub::proxy]"
+    "recipe[sockethub::proxy]",
+    "recipe[kosmos-akkounts]",
+    "recipe[kosmos-akkounts::nginx]"
   ]
 }

site-cookbooks/kosmos-akkounts/.gitignore

@@ -0,0 +1,22 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json

site-cookbooks/kosmos-akkounts/CHANGELOG.md

@@ -0,0 +1,5 @@
+# kosmos-akkounts CHANGELOG
+
+# 0.1.0
+
+Initial release.

site-cookbooks/kosmos-akkounts/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2019 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

site-cookbooks/kosmos-akkounts/README.md

@@ -0,0 +1,5 @@
+# kosmos-akkounts
+
+Deploy akkounts-api from GitHub (https://github.com/67P/akkounts-api). It will
+run on port 3200. The nginx recipe sets up a reverse proxy and Let's Encrypt
+TLS certificate

site-cookbooks/kosmos-akkounts/attributes/default.rb

@@ -0,0 +1,3 @@
+node.default['akkounts-api']['revision'] = 'master'
+node.default['akkounts-api']['port'] = 3200
+node.default['akkounts-api']['server_name'] = 'api.accounts.kosmos.org'

site-cookbooks/kosmos-akkounts/chefignore

@@ -0,0 +1,110 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+
+# SASS #
+########
+.sass-cache
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+mkmf.log
+REVISION
+TAGS*
+tmtags
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.foodcritic
+.kitchen*
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+azure-pipelines.yml
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+Procfile
+Rakefile
+spec/*
+spec/*
+spec/fixtures/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Cookbooks #
+#############
+CHANGELOG*
+CONTRIBUTING*
+TESTING*
+CODE_OF_CONDUCT*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

site-cookbooks/kosmos-akkounts/metadata.rb

@@ -0,0 +1,14 @@
+name 'kosmos-akkounts'
+maintainer 'Kosmos Developers'
+maintainer_email 'mail@kosmos.org'
+license 'MIT'
+description 'Installs/Configures kosmos-akkounts'
+long_description 'Installs/Configures kosmos-akkounts'
+version '0.1.0'
+chef_version '>= 14.0'
+
+depends 'application_javascript'
+depends 'application_git'
+depends 'kosmos-nodejs'
+depends 'kosmos-mastodon'
+depends 'kosmos-nginx'

site-cookbooks/kosmos-akkounts/recipes/default.rb

@@ -0,0 +1,119 @@
+#
+# Cookbook:: kosmos-akkounts
+# Recipe:: default
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2019, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe 'kosmos-nodejs'
+
+app_name     = "akkounts-api"
+deploy_user  = "deploy"
+deploy_group = "deploy"
+credentials  = Chef::EncryptedDataBagItem.load('credentials', app_name)
+
+group deploy_group
+
+user deploy_user do
+  group       deploy_group
+  manage_home true
+  shell       "/bin/bash"
+  comment     "deploy user"
+end
+
+path_to_deploy = "/opt/#{app_name}"
+application path_to_deploy do
+  owner deploy_user
+  group deploy_group
+
+  # Take care of application restarts manually, in the git resource
+  action_on_update false
+
+  git do
+    user  deploy_user
+    group deploy_group
+    repository "https://github.com/67P/#{app_name}.git"
+    revision   node[app_name]['revision']
+    # Restart service on deployments
+    notifies :restart, "application[#{path_to_deploy}]", :delayed
+  end
+
+  npm_install do
+    user deploy_user
+    production false # typescript is a dev dependency
+  end
+
+  execute "compile app" do
+    command "npm run compile:app"
+    environment "HOME" => "/home/#{deploy_user}"
+    user deploy_user
+    cwd path_to_deploy
+  end
+
+  execute "systemctl daemon-reload" do
+    command "systemctl daemon-reload"
+    action :nothing
+  end
+
+  smtp_credentials = Chef::EncryptedDataBagItem.load('credentials', 'smtp')
+
+  template "#{path_to_deploy}/.env" do
+    source "dotenv.erb"
+    sensitive true
+    owner deploy_user
+    group deploy_group
+    variables btcpay_url: "https://btcpay.kosmos.org",
+              btcpay_privkey: credentials["btcpay_privkey"],
+              btcpay_merchant: "btcpay_merchant",
+              btcpay_store_id: "btcpay_store_id",
+              btcpay_webhook_host: "https://btcpay.kosmos.org/webhook",
+              btcpay_webhook_token: credentials["btcpay_webhook_token"],
+              smtp_host: "smtp.mailgun.org",
+              smtp_use_tls: true,
+              smtp_username: smtp_credentials['user_name'],
+              smtp_password: smtp_credentials['password'],
+              mastodon_host: "https://#{node["kosmos-mastodon"]["server_name"]}",
+              mastodon_auth_token: credentials["mastodon_auth_token"]
+    mode '0440'
+    # Restart service when the config changes
+    notifies :restart, "application[#{path_to_deploy}]", :delayed
+  end
+
+  template "/lib/systemd/system/#{app_name}.service" do
+    source 'nodejs.systemd.service.erb'
+    owner 'root'
+    group 'root'
+    mode '0640'
+    variables(
+      user: deploy_user,
+      group: deploy_group,
+      app_dir: path_to_deploy,
+      entry: "/usr/bin/env node dist/app/index.js"
+    )
+    notifies :run, "execute[systemctl daemon-reload]", :delayed
+    notifies :restart, "service[#{app_name}]", :delayed
+  end
+
+  service app_name do
+    action [:enable, :start]
+  end
+end

site-cookbooks/kosmos-akkounts/recipes/nginx.rb

@@ -0,0 +1,46 @@
+#
+# Cookbook Name:: kosmos-akkounts
+# Recipe:: nginx
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2019, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe "kosmos-nginx"
+app_name     = "akkounts-api"
+server_name = node[app_name]["server_name"]
+
+template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
+  source "nginx_conf_#{app_name}.erb"
+  owner 'www-data'
+  mode 0640
+  variables port:          node[app_name]['port'],
+            server_name:             server_name,
+            ssl_cert:                "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
+            ssl_key:                 "/etc/letsencrypt/live/#{server_name}/privkey.pem"
+  notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site server_name do
+  action :enable
+end
+
+nginx_certbot_site server_name

site-cookbooks/kosmos-akkounts/templates/dotenv.erb

@@ -0,0 +1,13 @@
+BTCPAY_URL=<%= @btcpay_url %>
+BTCPAY_PRIVKEY=<%= @btcpay_privkey %>
+BTCPAY_MERCHANT=<%= @btcpay_merchant %>
+BTCPAY_STORE_ID=<%= @btcpay_store_id %>
+BTCPAY_WEBHOOK_HOST=<%= @btcpay_webhook_host %>
+BTCPAY_WEBHOOK_TOKEN=<%= @btcpay_webhook_token %>
+SMTP_HOST=<%= @smtp_host %>
+SMTP_USE_TLS=true
+SMTP_USERNAME=<%= @smtp_username %>
+SMTP_PASSWORD=<%= @smtp_password %>
+MASTODON_HOST=<%= @mastodon_host %>
+MASTODON_AUTH_TOKEN=<%= @mastodon_auth_token %>
+PORT=<%= node['akkounts-api']['port'] %>

site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts-api.erb

@@ -0,0 +1,35 @@
+# Generated by Chef
+upstream _akkounts {
+  server   localhost:<%= @port %>;
+}
+
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  '' close;
+}
+
+server {
+  <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+  listen 443 ssl http2;
+  add_header Strict-Transport-Security "max-age=15768000";
+
+  ssl_certificate <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+  <% else -%>
+  listen 80;
+  <% end -%>
+
+  server_name <%= @server_name %>;
+
+  access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json;
+  error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn;
+
+  location / {
+    # Increase number of buffers. Default is 8
+    proxy_buffers 1024 8k;
+
+    proxy_pass http://_akkounts;
+    proxy_http_version 1.1;
+   }
+
+}

site-cookbooks/kosmos-akkounts/templates/nodejs.systemd.service.erb

@@ -0,0 +1,15 @@
+[Unit]
+Description=Start nodejs app
+
+[Service]
+ExecStart=<%= @entry %>
+WorkingDirectory=<%= @app_dir %>
+User=<%= @user %>
+Group=<%= @group %>
+<% if @environment -%>
+Environment=<% @environment.each do |key, value| -%>'<%= key %>=<%= value %>' <% end %>
+<% end -%>
+Restart=always
+
+[Install]
+WantedBy=multi-user.target