Migrate accounts API proxy to openresty

2023-07-26 14:52:37 +02:00 · 2023-07-26 14:52:37 +02:00 · 1bad2939de
commit 1bad2939de
parent 7b5d46c813
4 changed files with 13 additions and 16 deletions
--- a/nodes/draco.kosmos.org.json
+++ b/nodes/draco.kosmos.org.json
@ -38,7 +38,6 @@
      "kosmos_openresty::default",
      "kosmos_openresty::firewall",
      "kosmos_assets::nginx_site",
-      "kosmos-akkounts::nginx",
      "kosmos_discourse::nginx",
      "kosmos_drone::nginx",
      "kosmos_gitea::nginx",
@ -46,6 +45,8 @@
      "kosmos_rsk::nginx_mainnet",
      "kosmos_website",
      "kosmos_website::default",
+      "kosmos-akkounts::nginx",
+      "kosmos-akkounts::nginx_api",
      "kosmos_encfs",
      "kosmos_encfs::default",
      "kosmos-ejabberd::firewall",
@ -69,6 +70,7 @@
      "hostname::default",
      "openresty::apt_package",
      "openresty::ohai_plugin",
+      "openresty::commons_cleanup",
      "openresty::commons_user",
      "openresty::commons_dir",
      "openresty::commons_script",
--- a/roles/openresty_proxy.rb
+++ b/roles/openresty_proxy.rb
@ -25,7 +25,6 @@ default_run_list = %w(
  kosmos_garage::firewall_rpc
  kosmos_garage::nginx_web

-  kosmos-akkounts::nginx_api
  kosmos-bitcoin::nginx_lndhub
  kosmos-ejabberd::nginx
  kosmos-hubot::nginx_botka_irc-libera-chat
@ -38,13 +37,14 @@ default_run_list = %w(
 production_run_list = %w(
  role[openresty]
  kosmos_assets::nginx_site
-  kosmos-akkounts::nginx
  kosmos_discourse::nginx
  kosmos_drone::nginx
  kosmos_gitea::nginx
  kosmos_rsk::nginx_testnet
  kosmos_rsk::nginx_mainnet
  kosmos_website::default
+  kosmos-akkounts::nginx
+  kosmos-akkounts::nginx_api
 )

 env_run_lists(
--- a/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb
@ -3,29 +3,24 @@
 # Recipe:: nginx_api
 #

-include_recipe "kosmos-nginx"
 domain = node["akkounts_api"]["domain"]

-nginx_certbot_site domain
-
 upstream_hosts = []
 search(:node, "role:akkounts").each do |node|
  upstream_hosts << node["knife_zero"]["host"]
 end
 upstream_hosts.push("localhost") if upstream_hosts.empty?

-template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
-  source "nginx_conf_akkounts_api.erb"
-  owner "www-data"
-  mode 0640
+tls_cert_for domain do
+  auth "gandi_dns"
+  action :create
+end
+
+openresty_site domain do
+  template "nginx_conf_akkounts_api.erb"
  variables domain: domain,
            upstream_port: node["akkounts"]["port"],
            upstream_hosts: upstream_hosts,
            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
            ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
-  notifies :reload, "service[nginx]", :delayed
-end
-
-nginx_site domain do
-  action :enable
 end
--- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb
@ -6,7 +6,7 @@ upstream _akkounts_api {
 }

 server {
-  listen 443 ssl http2;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
  listen [::]:443 ssl http2;
  server_name <%= @domain %>;