diff --git a/data_bags/credentials/kredits-github.json b/data_bags/credentials/kredits-github.json new file mode 100644 index 0000000..cda8c04 --- /dev/null +++ b/data_bags/credentials/kredits-github.json 
@@ -0,0 +1,24 @@ +{ + "id": "kredits-github", + "app_id": { + "encrypted_data": "DVvsNFAlZIO1NMmo1dVbA05MYdyJfPG9\n", + "iv": "JP4lpX3pFT8l43Hl\n", + "auth_tag": "EncRbtgQigRvLIfbMS+IxQ==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "private_key": { + "encrypted_data": "nV2ecoeWtL/TIM9grbsDAVh34gkaE/bJFc7qebUA9fOU40eeC7xMQst9pBZ+\nIfok2Y4Q0+ABQEKTrilfhSAOA+Hck66W2k1oNdCKXRcNb40T0Y01L77nNdzO\n0b6+uzopQ9oe2M5PF283gk8JWWQV9qED4eKpXEyU8prooA26KabXSrnsMESU\nIztULMsHNhUbDPHBRiEA6q/YUKlw8R++Sh9BcOjjeAEK+pueiARDh+yNMfJV\nomZRWfqncLlryDY6g+hbWEy5Oh+uMD8Th7zhbO//5dPOP1T6ZJjzHfhVQw+v\ng8txFD505yCBKiv70K4cHy9dF+ExFzJBcgr42gJ60gzShemZywAxOCDIc2yz\nFSEVwxGlxYRs5PLHhOT+KCaDzE7w5JmHDyMzv0j+IJnUtPPeInUUI9CNw42F\nmXygqGaY2BmJXAqYtCqEeMsZBtXijqu3TY3mmqxudupxethRrXZ9uZ0I3Ohf\nw6BCnqTw/sT3JkBxtNRQeEQvF+2G8ysXyLujkbqAyWiT+fCmS14FhisEOr8H\n6ojfRGb5iHHScG5wTwXn6tr4de9jjVk5Hrth3Rj46ZImMd1lzROPYyIcWFlS\no57Y3nmF6j7pjDBz++nInnpGlzPG+17sG4OSp6t0t93Vwkr8q9WNQjLo0Jqc\nLNaziU1ke3g+ZpKnHhUwJ2sCyVk4xvVD98hx4lhwCPzKghGQhWu6Vo2YfN79\nhSMjNw5N/3WFxdb5EuF4vYWOFitBvogPkAusZjrexlhUmGIS2qf+jlKvo6yD\nIl8CrCYZttj1UnyCuDmftIXTY9/7czBDQgq+vHlT33e7hNLHD7tFDeTEaz0t\nS+/I0+BgEnKv7aQHSSKExg3ZNc86yqfREKNsKxf4O6YiceBP7r/0qqFR6VBH\nIOQpUwK2e6cv70VmmtoEIjIpRZIOScrVVc1w2QlCj7xH9WfdEG9GSft3uHqd\nqbpegChVNuq2tEq7DoAC8ednjzbYdka4bpGJCqF6zm1c48WaL0G6VBLioi/r\nwFhCNi6AOEYkX0v3wovxME1aodfzBiu1Q6nEuzflZthr+1zERZXXaXY59VZ8\nqzWnLd5Xd/SxvvODY67fdykP90Kn94Xf+6XD9r72ch3S3ZqoWi66YFyqZ5Aa\n0LVKK+nCUwlGWjdgzcEcGx5OOyvbqm2VVnwWo2HuVk/iTzkrppF9y5nvFWUc\n6FfDdGWytkmzRH3KBZ9GKqgrIrswUmsSoIHESugVouJ+QfbFZZLLQS/0p4wH\nPFT8H8GSUvg8CEbap4JRW3R/+yspqSXipfIH5TrKr6NkyggWSE7EMNYq41eU\nuFWtwqX/z8x0SVVo+thAXkgg7KcZrZ9W4LdSGnfrx90QGZ0/K9Xs27pPY8R1\nSUNpaUc3S4Vxt28ualRBksuiIXT9AJGPGQf5UOgpOzBmDFw0GSjZdzz33tLL\n49Ymktapc6mC1FCxkJO3e+pI/I34+FcD9oiVea5v0Gg1cuuZInGJBYrq0PBE\nTaz0w2e8X/eQ2fVnQlUgmHlPcOugtoK8sLEO2+HDyBmIx9ypCfqFo6tu+MHG\nZTRp1GFmifYKUMnGvyxgo7mMFuSJtzgF/UR4PddbfX9yFAxPUTzM2Ba4s9um\nBZXKQoQB/dS9wXhmZVme9Yjq/D1d8w3wosSOcDV3apNerDx
egbFqt8ugYbtQ\nmy35aHCXU560Xi1uyWBggRXsoWSsb3RZhNbTz6vsvsly9kj6pSUtxbAiwvwI\nrZuGwvNUgYHdXaHdQAqyCAiIF3KJfQGTyk2di26BZ3K8eTnP3tKbTT157Adf\nOt4e+sHhfmacjmXN9FFuOlLddOk45Y7YSRDwGgqS3NqTSo21GAPBSDqfwqkr\neG76OKxoijCMYeJQ6h0lqh8lXYO5h376BdbUMvZfiy8PzkfbCZ9j45b/jHQD\n8CSWz+T8LmQM4Mg69MZn3zAYOSrPQj9DMbwuQshqe19qRlrexRRemWATvkSO\nYchQJ2891WGn7WZ2vrd9VpEdiXdC6JmCpDfoBBJ3JcaknTrNx7VBPc/48rli\nIlso0fzzxTGIrJjFbYL38Br20/qZcXzOO+YJXuHY+n5vuZ2870yPck4r1vUX\n6HSRALY768YGSLNWwfg9sDfbOcpfxKrnrNJxF5Nz7cGN63CKm1e6GZG+vSX+\nNBkumwPGyUWtLJO+JE8l6yivOZeq01W+XOjSh8NzrQJ3Tt2XVhuqWy+ruXS0\nA9O2/tdI2pu0ed63TVaWL/ULYrfXtHtCOYyjc5ulIwX7+L9LXU2I9zmycp0u\n3eR50MpHBgGSCyk=\n", + "iv": "IlCQ6yNhvGFeTJlP\n", + "auth_tag": "bItEhCOGVHB2HMzWKuyExg==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "webhook_secret": { + "encrypted_data": "5aUw9uwoX7BmUXCXLjJ82VtEOAAaneldYMUnv2XJqL+XUNokmdf/tQwTjI7R\n8Ov1+sXCp2R073apPUk=\n", + "iv": "6VeynEodre6uhBE7\n", + "auth_tag": "kRGFN3q+N0NKPwoLRrtgtw==\n", + "version": 3, + "cipher": "aes-256-gcm" + } +} \ No newline at end of file diff --git a/nodes/barnard.kosmos.org.json b/nodes/barnard.kosmos.org.json new file mode 100644 index 0000000..67856da --- /dev/null +++ b/nodes/barnard.kosmos.org.json @@ -0,0 +1,9 @@ +{ + "run_list": [ + "role[base]", + "kredits-github" + ], + "automatic": { + "ipaddress": "barnard.kosmos.org" + } +} diff --git a/site-cookbooks/kredits-github/CHANGELOG.md b/site-cookbooks/kredits-github/CHANGELOG.md new file mode 100644 index 0000000..f1e847a --- /dev/null +++ b/site-cookbooks/kredits-github/CHANGELOG.md @@ -0,0 +1,6 @@ +kredits-github CHANGELOG +======================== + +0.1.0 +----- +- [Râu Cao] - Initial release of kredits-github diff --git a/site-cookbooks/kredits-github/LICENSE b/site-cookbooks/kredits-github/LICENSE new file mode 100644 index 0000000..f3b5d1c --- /dev/null +++ b/site-cookbooks/kredits-github/LICENSE 
@@ -0,0 +1,20 @@ +Copyright (c) 2019 Kosmos Developers + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/site-cookbooks/kredits-github/README.md b/site-cookbooks/kredits-github/README.md new file mode 100644 index 0000000..39e43f5 --- /dev/null +++ b/site-cookbooks/kredits-github/README.md @@ -0,0 +1,31 @@ +kredits-github Cookbook +======================= + +This cookbook installs [kredits-github](https://github.com/67P/kredits-github). + +Attributes +---------- + +#### kredits-github::default + + + + + + + + + + + + + + + + + + + +
KeyTypeDescriptionDefault
['sockethub']['port']IntegerThe local port to run sockethub on10551
['sockethub']['external_port']IntegerThe external port to run sockethub on. This will also open the port on the firewall10550
+
+Right now the nginx vhost is hardcoded: sockethub.kosmos.org
diff --git a/site-cookbooks/kredits-github/attributes/default.rb b/site-cookbooks/kredits-github/attributes/default.rb
new file mode 100644
index 0000000..d024a64
--- /dev/null
+++ b/site-cookbooks/kredits-github/attributes/default.rb
@@ -0,0 +1,3 @@
+node.default['kredits-github']['port'] = '3000'
+node.default['kredits-github']['revision'] = 'master'
+node.default['kredits-github']['domain'] = 'kredits-github.kosmos.org'
diff --git a/site-cookbooks/kredits-github/metadata.rb b/site-cookbooks/kredits-github/metadata.rb
new file mode 100644
index 0000000..eb57f47
--- /dev/null
+++ b/site-cookbooks/kredits-github/metadata.rb
@@ -0,0 +1,12 @@
+name 'kredits-github'
+maintainer 'Kosmos'
+maintainer_email 'mail@kosmos.org'
+license 'MIT'
+description 'Installs/Configures kredits-github'
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+version '0.1.0'
+
+depends 'application_javascript'
+depends 'kosmos-nodejs'
+depends 'kosmos-nginx'
+depends 'firewall'
diff --git a/site-cookbooks/kredits-github/recipes/default.rb b/site-cookbooks/kredits-github/recipes/default.rb
new file mode 100644
index 0000000..1512879
--- /dev/null
+++ b/site-cookbooks/kredits-github/recipes/default.rb
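Review bot: The default `node.default['kredits-github']['revision'] = 'master'` in attributes/default.rb means every converge deploys whatever the branch head is at that moment, onto a host that holds the GitHub App private key and webhook secret. The recipe in this commit then runs `npm_install` on that checkout, so an unreviewed or unintended push upstream reaches production without any change in this repository. Pinning the default to an immutable ref, for example `node.default['kredits-github']['revision'] = '<release tag or commit SHA>'` (placeholder), makes each upgrade an explicit, reviewable change.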
@@ -0,0 +1,96 @@
+#
+# Cookbook Name:: sockethub
+# Recipe:: default
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2019, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe 'kosmos-nodejs'
+include_recipe 'kredits-github::nginx'
+
+app_name = "kredits-github"
+deploy_user = "deploy"
+deploy_group = "deploy"
+credentials = Chef::EncryptedDataBagItem.load('credentials', app_name)
+
+group deploy_group
+
+user deploy_user do
+ group deploy_group
+ manage_home true
+ shell "/bin/bash"
+ comment "deploy user"
+end
+
+path_to_deploy = "/opt/#{app_name}"
+application path_to_deploy do
+ owner deploy_user
+ group deploy_group
+
+ git do
+ user deploy_user
+ group deploy_group
+ repository "https://github.com/67P/#{app_name}.git"
+ revision node[app_name]['revision']
+ end
+
+ npm_install do
+ user deploy_user
+ end
+
+ execute "systemctl daemon-reload" do
+ command "systemctl daemon-reload"
+ action :nothing
+ end
+
+ file "#{path_to_deploy}/github_app_key.pem" do
+ content credentials['private_key']
+ owner deploy_user
+ group deploy_group
+ mode '0440'
+ end
+
+ template "/lib/systemd/system/#{app_name}.service" do
+ source 'nodejs.systemd.service.erb'
+ owner 'root'
+ group 'root'
+ mode '0644'
+ variables(
+ user: deploy_user,
+ group: deploy_group,
+ app_dir: path_to_deploy,
+ entry: "/usr/bin/node /usr/bin/npm start",
+ environment: {
+ 'LOG_LEVEL' => "debug",
+ 'APP_ID' => credentials['app_id'],
+ 'PRIVATE_KEY_PATH' => "#{path_to_deploy}/github_app_key.pem",
+ 'WEBHOOK_SECRET' => credentials['webhook_secret'],
+ }
+ )
+ notifies :run, "execute[systemctl daemon-reload]", :delayed
+ notifies :restart, "service[#{app_name}]", :delayed
+ end
+
+ service app_name do
+ action [:enable, :start]
+ end
+end
diff --git a/site-cookbooks/kredits-github/recipes/nginx.rb b/site-cookbooks/kredits-github/recipes/nginx.rb
new file mode 100644
index 0000000..54b576a
--- /dev/null
+++ b/site-cookbooks/kredits-github/recipes/nginx.rb
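Review bot: The `template "/lib/systemd/system/#{app_name}.service"` resource in recipes/default.rb renders the decrypted `WEBHOOK_SECRET` and `APP_ID` into a unit file created with `mode '0644'`, so every local user can read the webhook secret; systemd also exposes `Environment=` values to unprivileged clients over D-Bus. Neither this resource nor `file "#{path_to_deploy}/github_app_key.pem"` sets `sensitive true`, so Chef can print the decrypted content in its diff output and logs. I would move the secrets into a root-only file loaded through an `EnvironmentFile=` line in the unit template, and mark both secret-bearing resources sensitive, as sketched below; the file path is an example, not one this repository defines. `'LOG_LEVEL' => "debug"` is also worth lowering for production, since debug logging of webhook traffic tends to capture more than intended.

```ruby
  # … unchanged: git checkout, npm_install, daemon-reload execute …

  file "#{path_to_deploy}/github_app_key.pem" do
    # … unchanged: content, owner, group, mode …
    sensitive true
  end

  # Example path. Root-only is enough: systemd reads EnvironmentFile= itself,
  # before switching to the deploy user.
  file "/etc/#{app_name}.env" do
    content "APP_ID=#{credentials['app_id']}\nWEBHOOK_SECRET=#{credentials['webhook_secret']}\n"
    owner 'root'
    group 'root'
    mode '0600'
    sensitive true
    notifies :restart, "service[#{app_name}]", :delayed
  end

  template "/lib/systemd/system/#{app_name}.service" do
    # … unchanged: source, owner, group, mode, other variables, notifies …
    # Only non-secret settings stay in the world-readable unit.
    # (inside variables)
      environment: {
        'LOG_LEVEL' => "debug",
        'PRIVATE_KEY_PATH' => "#{path_to_deploy}/github_app_key.pem",
      }
  end
```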
@@ -0,0 +1,46 @@
+#
+# Cookbook Name:: kredits-github
+# Recipe:: nginx
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2019, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe 'kosmos-nginx'
+server_name = node['kredits-github']['domain']
+
+template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
+ source 'nginx_conf.erb'
+ owner 'www-data'
+ mode 0640
+ variables app_name: "kredits-github",
+ nodejs_port: node['kredits-github']['port'],
+ server_name: server_name,
+ ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
+ notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site server_name do
+ action :enable
+end
+
+nginx_certbot_site server_name
diff --git a/site-cookbooks/kredits-github/templates/default/nginx_conf.erb b/site-cookbooks/kredits-github/templates/default/nginx_conf.erb
new file mode 100644
index 0000000..70aefb8
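Review bot: The vhost template in recipes/nginx.rb is created with `owner 'www-data'` and `mode 0640`, which leaves the file writable by its owner. If www-data is the account the nginx workers run as (the usual Debian-family setup, not shown on this page), a compromised worker could rewrite a config that the root-owned master process loads on the next reload. The master reads its configuration as root, so `owner 'root'` with `mode '0640'` should work and removes that write path. Writing the mode as a quoted string also matches `mode '0440'` and `mode '0644'` in recipes/default.rb.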
--- /dev/null
+++ b/site-cookbooks/kredits-github/templates/default/nginx_conf.erb
@@ -0,0 +1,26 @@
+# Generated by Chef
+upstream _<%= @app_name %> {
+ server localhost:<%= @nodejs_port %>;
+}
+
+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+server {
+ listen 443 ssl http2;
+ add_header Strict-Transport-Security "max-age=15768000";
+
+ server_name <%= @server_name %>;
+
+ access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log json;
+ error_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.error.log warn;
+
+ gzip on;
+
+ location / {
+ proxy_buffers 1024 8k; # Increase number of buffers. Default is 8
+ proxy_pass http://_<%= @app_name %>;
+ }
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+}
+<% end -%>
diff --git a/site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb b/site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb
new file mode 100644
index 0000000..a20fb92
--- /dev/null
+++ b/site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb
@@ -0,0 +1,17 @@
+[Unit]
+Description=Start nodejs app
+Requires=nginx.service
+After=nginx.service
+
+[Service]
+ExecStart=<%= @entry %>
+WorkingDirectory=<%= @app_dir %>
+User=<%= @user %>
+Group=<%= @group %>
+<% unless @environment.empty? -%>
+Environment=<% @environment.each do |key, value| -%>'<%= key %>=<%= value %>' <% end %>
+<% end -%>
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
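Review bot: The `Environment=` line in nodejs.systemd.service.erb writes each value verbatim between single quotes, so a value containing `'`, a newline or `%` (which systemd treats as a specifier prefix) changes how the unit is parsed. The recipe in this commit passes `credentials['webhook_secret']` through this hash, so a rotated secret with such a character could silently give the service a different value than the one configured on GitHub. I would keep only non-secret settings on this line, with `%` escaped as `%%`, and load secrets with `EnvironmentFile=<path to a root-only file>` (placeholder path). Since the process handles a GitHub App key, hardening directives such as `NoNewPrivileges=true` and `PrivateTmp=true` in `[Service]` are worth adding as well.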