Merge branch 'master' into new_ldap_server

2022-04-28 09:23:18 +02:00
241 changed files with 4770 additions and 2404 deletions


@@ -2,26 +2,6 @@
# Cookbook Name:: backup
# Recipe:: default
#
# Copyright 2012, Appcache Ltd / 5apps.com
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish,
# distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so, subject to
# the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
build_essential 'backup gem'


@@ -27,7 +27,7 @@ npm_package "yarn" do
version "1.22.4"
end
ruby_version = "2.6.6"
ruby_version = "2.7.5"
bundle_path = "/opt/ruby_build/builds/#{ruby_version}/bin/bundle"
rails_env = node.chef_environment == "development" ? "development" : "production"


@@ -2,27 +2,6 @@
# Cookbook Name:: kosmos-base
# Recipe:: firewall
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
# enable default firewall
firewall 'default'


@@ -29,7 +29,7 @@ node.default['bitcoin']['conf'] = {
node.default['bitcoin']['tor_enabled'] = true
node.default['c-lightning']['repo'] = 'https://github.com/ElementsProject/lightning'
node.default['c-lightning']['revision'] = 'v0.10.0'
node.default['c-lightning']['revision'] = 'v0.10.2'
node.default['c-lightning']['source_dir'] = '/opt/c-lightning'
node.default['c-lightning']['lightning_dir'] = "/home/#{node['bitcoin']['username']}/.lightning"
node.default['c-lightning']['alias'] = 'ln3.kosmos.org'
@@ -38,7 +38,7 @@ node.default['c-lightning']['log_level'] = 'info'
node.default['c-lightning']['public_ip'] = '148.251.237.73'
node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
node.default['lnd']['revision'] = 'v0.13.1-beta'
node.default['lnd']['revision'] = 'v0.14.1-beta'
node.default['lnd']['source_dir'] = '/opt/lnd'
node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
node.default['lnd']['alias'] = 'ln2.kosmos.org'
@@ -52,12 +52,23 @@ node.default['lnd']['basefee'] = '1000'
node.default['lnd']['feerate'] = '50'
node.default['lnd']['auto_unlock'] = true # requires credentials/lnd data bag item
node.default['boltz']['repo'] = 'https://github.com/BoltzExchange/boltz-lnd.git'
node.default['boltz']['revision'] = 'v1.2.6'
node.default['boltz']['source_dir'] = '/opt/boltz'
node.default['boltz']['boltz_dir'] = "/home/#{node['bitcoin']['username']}/.boltz-lnd"
node.default['boltz']['grpc_host'] = '127.0.0.1'
node.default['boltz']['grpc_port'] = '9002'
node.default['boltz']['rest_disabled'] = 'false'
node.default['boltz']['rest_host'] = '127.0.0.1'
node.default['boltz']['rest_port'] = '9003'
node.default['boltz']['no_macaroons'] = 'false'
node.default['rtl']['repo'] = 'https://github.com/Ride-The-Lightning/RTL.git'
node.default['rtl']['revision'] = 'v0.11.0'
node.default['rtl']['revision'] = 'v0.12.1'
node.default['rtl']['host'] = '10.1.1.163'
node.default['rtl']['port'] = '3000'
node.default['lndhub']['repo'] = 'https://github.com/bumi/LndHub.git'
node.default['lndhub']['repo'] = 'https://gitea.kosmos.org/kosmos/lndhub.git'
node.default['lndhub']['revision'] = 'master'
node.default['lndhub']['port'] = '3023'
node.default['lndhub']['domain'] = 'lndhub.kosmos.org'
@@ -66,13 +77,13 @@ node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/
node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
node.default['nbxplorer']['repo'] = 'https://github.com/dgarage/NBXplorer'
node.default['nbxplorer']['revision'] = 'v2.1.52'
node.default['nbxplorer']['revision'] = 'v2.2.20'
node.default['nbxplorer']['source_dir'] = '/opt/nbxplorer'
node.default['nbxplorer']['config_path'] = "/home/#{node['bitcoin']['username']}/.nbxplorer/Main/settings.config"
node.default['nbxplorer']['port'] = '24445'
node.default['btcpay']['repo'] = 'https://github.com/btcpayserver/btcpayserver'
node.default['btcpay']['revision'] = 'v1.1.2'
node.default['btcpay']['revision'] = 'v1.3.7'
node.default['btcpay']['source_dir'] = '/opt/btcpay'
node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config"
node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"
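Review bot: `node.default['lndhub']['revision'] = 'master'` still floats while the checkout now comes from the self-hosted fork at gitea.kosmos.org, so every converge deploys whatever is on that branch, whereas c-lightning, lnd, boltz, RTL, NBXplorer and BTCPay in this same file are pinned to release tags. Pin it the same way, e.g. `node.default['lndhub']['revision'] = '<tag-or-commit-sha>'`, so an accidental or malicious push to the fork cannot silently change what runs on the node. Separately, the new `rest_disabled` and `no_macaroons` attributes are the strings `'false'`; they render as bare TOML booleans through ERB, but any Ruby truthiness check on them would treat `'false'` as true, so plain `false` would be the safer value.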


@@ -0,0 +1,29 @@
#
# Cookbook:: kosmos-bitcoin
# Recipe:: aws-client
#
package "awscli"
directory "/root/.aws"
credentials = Chef::EncryptedDataBagItem.load('credentials', 'backup')
file "/root/.aws/config" do
mode "600"
content lazy { <<-EOF
[default]
region = #{credentials["s3_region"]}
EOF
}
end
file "/root/.aws/credentials" do
mode "600"
content lazy { <<-EOF
[default]
aws_access_key_id = #{credentials["s3_access_key_id"]}
aws_secret_access_key = #{credentials["s3_secret_access_key"]}
EOF
}
end
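Review bot: Both `file` resources in this new recipe write the AWS secret key without `sensitive true`, so Chef prints the rendered content and diff, including `aws_secret_access_key`, to its log whenever the file changes; add `sensitive true` to `file "/root/.aws/config"` and `file "/root/.aws/credentials"`. The `directory "/root/.aws"` resource sets no mode, so it gets the default (typically 0755) while its files are 0600; `mode '0700'` keeps the directory listing private as well. Since `credentials` is loaded at compile time, the `lazy { }` wrappers are harmless but add nothing.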


@@ -0,0 +1,87 @@
#
# Cookbook:: kosmos-bitcoin
# Recipe:: boltz
#
include_recipe "git"
include_recipe "kosmos-bitcoin::golang"
git node['boltz']['source_dir'] do
repository node['boltz']['repo']
revision node['boltz']['revision']
action :sync
notifies :run, 'bash[compile_and_install_boltz]', :immediately
end
bash "compile_and_install_boltz" do
cwd node['boltz']['source_dir']
code <<-EOH
go mod vendor && \
make build && \
make install
EOH
action :nothing
notifies :restart, "systemd_unit[boltzd.service]", :delayed
end
bitcoin_user = node['bitcoin']['username']
bitcoin_group = node['bitcoin']['usergroup']
boltz_dir = node['boltz']['boltz_dir']
lnd_dir = node['lnd']['lnd_dir']
directory boltz_dir do
owner bitcoin_user
group bitcoin_group
mode '0750'
action :create
end
template "#{boltz_dir}/boltz.toml" do
source "boltz.toml.erb"
owner bitcoin_user
group bitcoin_group
mode '0640'
variables lnd_grpc_host: '127.0.0.1',
lnd_grpc_port: '10009',
lnd_macaroon_path: "#{lnd_dir}/data/chain/bitcoin/mainnet/admin.macaroon",
lnd_tlscert_path: "#{lnd_dir}/tls.cert",
boltz_config: node['boltz']
notifies :restart, "systemd_unit[boltzd.service]", :delayed
end
systemd_unit 'boltzd.service' do
content({
Unit: {
Description: 'Boltz Daemon',
Documentation: ['https://lnd.docs.boltz.exchange'],
Requires: 'lnd.service',
After: 'lnd.service'
},
Service: {
User: bitcoin_user,
Group: bitcoin_group,
Type: 'simple',
ExecStart: "/opt/boltz/boltzd",
Restart: 'always',
RestartSec: '30',
TimeoutSec: '240',
LimitNOFILE: '128000',
PrivateTmp: true,
ProtectSystem: 'full',
NoNewPrivileges: true,
PrivateDevices: true,
MemoryDenyWriteExecute: true
},
Install: {
WantedBy: 'multi-user.target'
}
})
verify false
triggers_reload true
action [:create, :enable, :start]
end
unless node.chef_environment == 'development'
node.override['backup']['archives']['boltz'] = [node['boltz']['boltz_dir']]
include_recipe 'backup'
end
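Review bot: boltzd is handed LND's `admin.macaroon` via `lnd_macaroon_path`, which, as the name says, carries LND's full permission set, far more than the "read various endpoints, generate addresses and pay invoices" the template comment says it needs. Bake a restricted macaroon with only those permissions (e.g. with `lncli bakemacaroon`), store it under `boltz_dir` with the same 0640 ownership, and point `lnd_macaroon_path` at it, so a compromise of boltzd cannot drain the on-chain wallet or close channels. Also, `ExecStart: "/opt/boltz/boltzd"` hardcodes the path that `node['boltz']['source_dir']` already defines; `ExecStart: "#{node['boltz']['source_dir']}/boltzd"` keeps the two from drifting apart. The backup block at the bottom archives `boltz_dir` including boltz's own macaroons; confirm the `backup` cookbook (not visible here) encrypts its archives.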


@@ -30,4 +30,4 @@ execute 'apt_update' do
action :nothing
end
apt_package 'dotnet-sdk-3.1'
apt_package 'dotnet-sdk-6.0'


@@ -0,0 +1,13 @@
#
# Cookbook:: kosmos-bitcoin
# Recipe:: boltz
#
# Internal recipe for managing the Go installation in one place
#
node.override['golang']['version'] = "1.17.4"
include_recipe "golang"
link '/usr/local/bin/go' do
to '/usr/local/go/bin/go'
end
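Review bot: The header comment of this new file says `# Recipe:: boltz`, but the file is the shared Go recipe (it pins `node.override['golang']['version']` and includes `golang`), so the comment should read `# Recipe:: golang`. A short why-comment on the `link` resource would also help the next reader, presumably something like `# put go on PATH for units and shells that do not source /etc/profile.d/golang.sh`, but the actual reason is not visible here and should be confirmed before writing it down.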


@@ -0,0 +1,47 @@
#
# Cookbook:: kosmos-bitcoin
# Recipe:: lnd-scb-s3
#
# Static Channel Backup for LND channel states
#
include_recipe "kosmos-bitcoin::aws-client"
package "inotify-tools"
backup_script_path = "/opt/lnd-channel-backup-s3.sh"
template backup_script_path do
source "lnd-channel-backup-s3.sh.erb"
mode '0740'
variables lnd_dir: node['lnd']['lnd_dir'],
bitcoin_network: node['bitcoin']['network'],
s3_bucket: node['backup']['s3']['bucket'],
s3_scb_dir: "#{node['name']}/lnd/#{node['bitcoin']['network']}"
notifies :restart, "systemd_unit[lnd-channel-backup.service]", :delayed
end
systemd_unit 'lnd-channel-backup.service' do
content({
Unit: {
Description: 'LND Static Channel Backup',
Documentation: ['https://gist.github.com/alexbosworth/2c5e185aedbdac45a03655b709e255a3'],
Requires: 'lnd.service',
After: 'lnd.service'
},
Service: {
User: 'root',
Group: 'root',
Type: 'simple',
ExecStart: backup_script_path,
Restart: 'always',
RestartSec: 1
},
Install: {
WantedBy: 'multi-user.target'
}
})
verify false
triggers_reload true
action [:create, :enable, :start]
end
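Review bot: `lnd-channel-backup.service` runs as `root` with `Restart=always` but gets none of the sandboxing the `boltzd.service` unit in this same commit has (`PrivateTmp`, `ProtectSystem`, `NoNewPrivileges`, `PrivateDevices`); since the script only needs to read the SCB file and `/root/.aws`, add the same four settings here, and possibly `ProtectHome: 'read-only'` if the AWS CLI does not need to write under `/root/.aws`. The `template backup_script_path` resource sets `mode '0740'` but no explicit `owner`/`group`; stating `owner 'root'` and `group 'root'` makes the intended ownership explicit rather than relying on the converge user. Running the watcher as a dedicated user with its own, S3-write-only credentials would be the least-privilege option, but that changes where the credentials from `kosmos-bitcoin::aws-client` live.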


@@ -4,7 +4,7 @@
#
include_recipe "git"
include_recipe "golang"
include_recipe "kosmos-bitcoin::golang"
git node['lnd']['source_dir'] do
repository node['lnd']['repo']
@@ -17,7 +17,7 @@ bash "compile_lnd" do
cwd node['lnd']['source_dir']
code <<-EOH
source /etc/profile.d/golang.sh
make clean && make && make install tags="signrpc walletrpc chainrpc invoicesrpc"
make clean && make && make install tags="signrpc walletrpc chainrpc invoicesrpc routerrpc"
EOH
action :nothing
notifies :restart, "systemd_unit[lnd.service]", :delayed
@@ -62,6 +62,7 @@ template "#{lnd_dir}/lnd.conf" do
lnd_feerate: node['lnd']['feerate'],
lnd_dir: lnd_dir,
auto_unlock: node['lnd']['auto_unlock'],
tor_enabled: node['bitcoin']['tor_enabled'],
bitcoin_datadir: node['bitcoin']['datadir'],
bitcoin_rpc_user: node['bitcoin']['conf']['rpcuser'],
bitcoin_rpc_password: bitcoin_credentials["rpcpassword"],
@@ -71,9 +72,6 @@ template "#{lnd_dir}/lnd.conf" do
notifies :restart, "systemd_unit[lnd.service]", :delayed
end
exec_flags = ""
exec_flags += "--tor.active --tor.v3" if node['bitcoin']['tor_enabled']
systemd_unit 'lnd.service' do
content({
Unit: {
@@ -86,7 +84,7 @@ systemd_unit 'lnd.service' do
User: bitcoin_user,
Group: bitcoin_group,
Type: 'simple',
ExecStart: "/opt/go/bin/lnd #{exec_flags}",
ExecStart: "/opt/go/bin/lnd",
Restart: 'always',
RestartSec: '30',
TimeoutSec: '240',
@@ -116,3 +114,8 @@ if node['bitcoin']['tor_enabled']
node.override['tor']['ControlPort'] = 9051
node.override['tor']['CookieAuthentication'] = true
end
unless node.chef_environment == 'development'
node.override['backup']['archives']['lnd'] = [node['lnd']['lnd_dir']]
include_recipe 'backup'
end
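Review bot: The new backup block archives the whole `lnd_dir`, which holds `wallet.db`, `tls.key` and the macaroons (this recipe reads `admin.macaroon` from there), so the archive is as sensitive as the wallet plus full RPC control over the node. Confirm that the `backup` cookbook encrypts archives before they leave the host, or scope the archive to the files actually needed for restore; the `backup` cookbook itself is not visible in this commit. `node.override` at recipe time works, but a one-line comment such as `# off-site backup of wallet + macaroons; archive must be encrypted by the backup cookbook` would tell a reader what is being shipped. The surrounding `lnd.conf` template and `lnd.service` unit start and end outside these hunks.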


@@ -11,7 +11,6 @@ app_dir = "/opt/#{app_name}"
lnd_dir = node['lnd']['lnd_dir']
bitcoin_user = node['bitcoin']['username']
bitcoin_group = node['bitcoin']['usergroup']
bitcoin_credentials = Chef::EncryptedDataBagItem.load('credentials', 'bitcoin')
application app_dir do
owner bitcoin_user
@@ -46,10 +45,7 @@ application app_dir do
owner bitcoin_user
group bitcoin_group
mode '0600'
variables bitcoin_rpc_host: node['bitcoin']['conf']['rpcbind'],
bitcoin_rpc_user: node['bitcoin']['conf']['rpcuser'],
bitcoin_rpc_pass: bitcoin_credentials["rpcpassword"],
lnd_rpc_host: '127.0.0.1:10009'
variables lnd_rpc_host: '127.0.0.1:10009'
notifies :restart, "systemd_unit[lndhub.service]", :delayed
end


@@ -43,7 +43,13 @@ rtl_config = {
}
],
multiPassHashed: credentials["multiPassHashed"]
}.to_json
}
if node['boltz']
# TODO adapt for multi-node usage
rtl_config[:nodes][0][:Authentication][:boltzMacaroonPath] = "#{node['boltz']['boltz_dir']}/macaroons"
rtl_config[:nodes][0][:Settings][:boltzServerUrl] = "https://#{node['boltz']['rest_host']}:#{node['boltz']['rest_port']}"
end
application rtl_dir do
owner bitcoin_user
@@ -65,7 +71,7 @@ application rtl_dir do
owner bitcoin_user
group bitcoin_group
mode '0640'
content rtl_config
content rtl_config.to_json
notifies :restart, "systemd_unit[rtl.service]", :delayed
end
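Review bot: `if node['boltz']` does not gate on boltz being deployed: `node.default['boltz'][...]` is set in what appears to be the cookbook's attributes file in this same commit, so the hash exists on every node that loads the cookbook and RTL always gets a `boltzServerUrl` and `boltzMacaroonPath` pointing at a service that may not be installed. Gate on the recipe instead, e.g. `if node.recipe?("kosmos-bitcoin::boltz")`, or add an explicit `node['boltz']['enabled']` attribute and test that. The `rtl_config` hash and the `application` block start and end outside this hunk, so the key names used here (`:Authentication`, `:Settings`) cannot be checked against the rest of the config.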


@@ -0,0 +1,32 @@
[LND]
# Host of the gRPC interface of LND
host = "<%= @lnd_grpc_host %>"
# Port of the gRPC interface of LND
port = <%= @lnd_grpc_port %>
# Path to a macaroon file of LND
# The daemon needs to have permission to read various endpoints, generate addresses and pay invoices
macaroon = "<%= @lnd_macaroon_path %>"
# Path to the TLS certificate of LND
certificate = "<%= @lnd_tlscert_path %>"
[RPC]
# Host of the gRPC interface
host = "<%= @boltz_config['grpc_host'] %>"
# Port of the gRPC interface
port = <%= @boltz_config['grpc_port'] %>
# Whether the REST proxy for the gRPC interface should be disabled
restDisabled = <%= @boltz_config['rest_disabled'] %>
# Host of the REST proxy
restHost = "<%= @boltz_config['rest_host'] %>"
# Port of the REST proxy
restPort = <%= @boltz_config['rest_port'] %>
# Whether the macaroon authentication for the gRPC and REST interface should be disabled
noMacaroons = <%= @boltz_config['no_macaroons'] %>


@@ -0,0 +1,7 @@
#!/bin/bash
set -xe -o pipefail
while true; do
inotifywait <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup
aws s3 cp <%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>/channel.backup "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
done
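Review bot: `inotifywait` is called with no `-e` filter on the `channel.backup` path, so the first event of any kind (`open`, `access`, `modify`, ...) ends the wait and the upload starts while lnd may still be writing, which risks shipping a truncated SCB; lnd is expected to replace the file by renaming a temp file over it, in which case a watch on the old inode is also fragile. Watch the directory for `close_write`/`moved_to` and filter on the file name, as below, and quote the paths so a space in `lnd_dir` cannot break the command. Whether lnd rewrites in place or renames should be confirmed against the lnd version in use.
```shell
#!/bin/bash
set -xe -o pipefail

scb_dir="<%= @lnd_dir %>/data/chain/bitcoin/<%= @bitcoin_network %>"
# Watch the directory, not the file: lnd is believed to replace channel.backup
# by renaming a temp file over it (TODO confirm), which a file watch can miss.
while true; do
  inotifywait -e close_write,moved_to "$scb_dir" | grep -q 'channel\.backup$' || continue
  aws s3 cp "$scb_dir/channel.backup" "s3://<%= @s3_bucket %>/<%= @s3_scb_dir %>/channel.backup"
done
```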


@@ -25,3 +25,11 @@ bitcoind.rpcuser=<%= @bitcoin_rpc_user %>
bitcoind.rpcpass=<%= @bitcoin_rpc_password %>
bitcoind.zmqpubrawblock=<%= @bitcoin_zmqpubrawblock %>
bitcoind.zmqpubrawtx=<%= @bitcoin_zmqpubrawtx %>
<% if @tor_enabled %>
[tor]
tor.active=true
tor.v3=true
tor.streamisolation=false
tor.skip-proxy-for-clearnet-targets=true
<% end %>
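Review bot: `tor.skip-proxy-for-clearnet-targets=true` is a privacy-relevant change relative to the `--tor.active --tor.v3` flags it replaces (removed from the lnd recipe in this commit): with lnd's default for that option, outbound peer connections are routed through Tor, whereas now clearnet peers are contacted directly and see the node's real IP, and `tor.streamisolation=false` additionally lets the remaining Tor connections share circuits. If the node already advertises a clearnet address this is the intended hybrid mode, but it deserves a comment in the template, e.g. `# hybrid mode: only .onion peers go via Tor; clearnet peers see our public IP`. The template continues outside the hunk, so whether an `externalip` is set cannot be seen here.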


@@ -1,12 +1,9 @@
let config = {
enableUpdateDescribeGraph: false,
postRateLimit: 100,
rateLimit: 200,
postRateLimit: 10000,
rateLimit: 10000,
forwardReserveFee: 0.01, // default 0.01
intraHubFee: 0.003, // default 0.003
bitcoind: {
rpc: 'http://<%= @bitcoin_rpc_user %>:<%= @bitcoin_rpc_pass %>@<%= @bitcoin_rpc_host %>/wallet/wallet.dat',
},
redis: {
port: 6379,
host: '127.0.0.1',
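Review bot: Raising `postRateLimit` and `rateLimit` from 100/200 to 10000 effectively disables LndHub's built-in rate limiter, which is the only brute-force protection on its auth and payment endpoints visible here. If the limits were raised for specific bulk clients, restrict the relaxation to those routes or enforce a per-IP `limit_req` zone in the nginx vhost, and record the reason in a comment, e.g. `// raised for <reason>; per-IP limiting is enforced by nginx`. The limiter's time window is not shown in this hunk, so the exact effect is inferred. The `config` object continues outside the hunk.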


@@ -26,3 +26,4 @@ depends "kosmos_postgresql"
depends "backup"
depends "firewall"
depends "tor-full"
depends "hostsfile"


@@ -2,27 +2,6 @@
# Cookbook:: kosmos-ejabberd
# Recipe:: default
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
ejabberd_credentials = data_bag_item("credentials", "ejabberd")
@@ -50,15 +29,25 @@ file "/opt/ejabberd/.erlang.cookie" do
content ejabberd_credentials['erlang_cookie']
end
ejabberd_nodes = search(:node, "role:ejabberd")
ejabberd_nodes.each do |n|
ip_address = n["knife_zero"]["host"]
IPAddr.new ip_address
hostsfile_entry ip_address do
hostname n["hostname"]
action :create
end
rescue IPAddr::InvalidAddressError
next
end
ejabberd_hostnames = ejabberd_nodes.map { |n| n["hostname"] }
file "/opt/ejabberd/.hosts.erlang" do
mode "0644"
owner "ejabberd"
group "ejabberd"
content <<-EOF
"andromeda.kosmos.org".
"centaurus.kosmos.org".
"draco.kosmos.org".
EOF
content ejabberd_hostnames.map{|h| "#{h}."}.join("\n")
end
ruby_block "configure ERLANG_NODE" do
@@ -66,7 +55,7 @@ ruby_block "configure ERLANG_NODE" do
file = Chef::Util::FileEdit.new("/opt/ejabberd/conf/ejabberdctl.cfg")
file.search_file_replace_line(
%r{#ERLANG_NODE=ejabberd@localhost},
"ERLAND_NODE=#{node['kosmos-ejabberd']['erlang_node']}"
"ERLANG_NODE=ejabberd@#{node['name']}"
)
file.write_file
end
@@ -159,8 +148,8 @@ hosts.each do |host|
end
akkounts_ip_addresses = []
search(:node, "role:akkounts").each do |node|
akkounts_ip_addresses << node["knife_zero"]["host"]
search(:node, "role:akkounts").each do |n|
akkounts_ip_addresses << n["knife_zero"]["host"]
end
template "/opt/ejabberd/conf/ejabberd.yml" do
@@ -170,7 +159,7 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
variables hosts: hosts,
admin_users: admin_users,
stun_auth_realm: "kosmos.org",
turn_ip_address: node['ipaddress'],
turn_ip_address: node["knife_zero"]["host"],
turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
turn_max_port: node["kosmos-ejabberd"]["turn_max_port"],
akkounts_ip_addresses: akkounts_ip_addresses
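Review bot: The new `hostsfile_entry` loop maps each cluster peer's hostname to `n["knife_zero"]["host"]`, the same value this commit now uses as the TURN public address (`turn_ip_address`); if that is the public IP, Erlang distribution between the ejabberd nodes will be attempted over the public interface, where the companion firewall change only admits 4369 and 4200-4210 from `10.1.1.0/24` and where Erlang distribution is plaintext unless TLS is configured. Use the internal address for the hosts entries (an attribute for the 10.1.1.0/24 interface), or confirm that `knife_zero.host` is in fact the private address. Separately, `.hosts.erlang` switches from FQDNs to `n["hostname"]` while `ERLANG_NODE=ejabberd@#{node['name']}` uses the node name; both must use the same form (short names with `-sname`, FQDNs with `-name`) or the nodes will not find each other — hedged, since the naming scheme is not visible. The `ruby_block` and `template` resources start and end outside these hunks.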


@@ -2,28 +2,6 @@
# Cookbook:: kosmos-ejabberd
# Recipe:: firewall
#
# The MIT License (MIT)
#
# Copyright:: 2020, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
include_recipe "kosmos-base::firewall"
firewall_rule "ejabberd" do
@@ -34,12 +12,14 @@ end
firewall_rule 'ejabberd_cluster' do
port [4369]
source "10.1.1.0/24"
protocol :tcp
command :allow
end
firewall_rule 'erlang_cluster' do
port [4200..4210]
source "10.1.1.0/24"
protocol :tcp
command :allow
end


@@ -7,8 +7,8 @@ long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '0.2.0'
depends 'kosmos-nodejs'
depends 'kosmos-redis'
depends 'firewall'
depends 'application_javascript'
depends 'kosmos-ipfs'
depends 'git'
depends 'redisio'


@@ -12,8 +12,9 @@ build_essential app_name do
compile_time true
end
include_recipe 'redisio::default'
include_recipe 'redisio::enable'
include_recipe "kosmos-nodejs"
include_recipe "kosmos-redis"
application app_path do
data_bag = Chef::EncryptedDataBagItem.load('credentials', app_name)


@@ -13,11 +13,13 @@ build_essential app_name do
compile_time true
end
include_recipe 'redisio::default'
include_recipe 'redisio::enable'
include_recipe "kosmos-nodejs"
include_recipe "kosmos-redis"
include_recipe "kosmos-hubot::_user"
application app_path do
data_bag = Chef::EncryptedDataBagItem.load('credentials', app_name)
credentials = Chef::EncryptedDataBagItem.load('credentials', app_name)
owner app_user
group app_group
@@ -63,11 +65,12 @@ application app_path do
environment: {
"HUBOT_LOG_LEVEL" => node.chef_environment == "development" ? "debug" : "info",
"HUBOT_IRC_USESSL" => "true",
"HUBOT_IRC_SERVER" => "irc.libera.chat",
"HUBOT_IRC_PORT" => "6697",
"HUBOT_IRC_SERVER" => credentials["znc_host"],
"HUBOT_IRC_PORT" => credentials["znc_port"],
"HUBOT_IRC_NICK" => "botka",
"HUBOT_IRC_NICKSERV_USERNAME" => "botka",
"HUBOT_IRC_NICKSERV_PASSWORD" => data_bag['nickserv_password'],
"HUBOT_IRC_USERNAME" => credentials['znc_user'],
"HUBOT_IRC_PASSWORD" => credentials['znc_password'],
"HUBOT_IRC_REALNAME" => "botka (kosmos)",
"HUBOT_IRC_ROOMS" => "#kosmos,#kosmos-dev,#kosmos-random,#remotestorage,#hackerbeach,#unhosted,#sockethub,#mastodon",
"HUBOT_IRC_UNFLOOD" => "100",
"HUBOT_RSS_PRINTSUMMARY" => "false",
@@ -78,13 +81,13 @@ application app_path do
"HUBOT_AUTH_ADMIN" => "bkero,raucao",
"HUBOT_HELP_REPLY_IN_PRIVATE" => "true",
"RS_LOGGER_USER" => "kosmos@5apps.com",
"RS_LOGGER_TOKEN" => data_bag['rs_logger_token'],
"RS_LOGGER_SERVER_NAME" => "freenode",
"RS_LOGGER_TOKEN" => credentials['rs_logger_token'],
"RS_LOGGER_SERVER_NAME" => "irc.libera.chat",
"RS_LOGGER_PUBLIC" => "true",
"GCM_API_KEY" => data_bag['gcm_api_key'],
"GCM_API_KEY" => credentials['gcm_api_key'],
"VAPID_SUBJECT" => "https://kosmos.org",
"VAPID_PUBLIC_KEY" => data_bag['vapid_public_key'],
"VAPID_PRIVATE_KEY" => data_bag['vapid_private_key']
"VAPID_PUBLIC_KEY" => credentials['vapid_public_key'],
"VAPID_PRIVATE_KEY" => credentials['vapid_private_key']
}
)
notifies :run, "execute[systemctl daemon-reload]", :delayed
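Review bot: `"HUBOT_IRC_PORT" => credentials["znc_port"]` passes a data-bag value straight into the process environment; if the port is stored as a number rather than a string, how it ends up in the unit depends on how `application_javascript` serialises the hash, so `credentials["znc_port"].to_s` makes it safe either way. The ZNC host and port are not secrets; keeping them in the encrypted `credentials` bag mixes configuration with secrets and means a config change requires re-encrypting the bag, so plain node attributes would be clearer. With `HUBOT_IRC_USESSL` still `true` and a self-hosted ZNC endpoint, confirm the bouncer presents a certificate the IRC client actually verifies rather than a self-signed one it silently accepts. The `application` block starts and ends outside these hunks.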


@@ -3,8 +3,9 @@
# Recipe:: default
#
include_recipe 'redisio::default'
include_recipe 'redisio::enable'
include_recipe "kosmos-nodejs"
include_recipe "kosmos-redis"
include_recipe "kosmos-hubot::_user"
include_recipe "kosmos-hubot::hal8000"


@@ -7,8 +7,9 @@ build_essential 'hal8000' do
compile_time true
end
include_recipe 'redisio::default'
include_recipe 'redisio::enable'
include_recipe "kosmos-nodejs"
include_recipe "kosmos-redis"
include_recipe "kosmos-hubot::_user"
unless node.chef_environment == "development"


@@ -12,8 +12,9 @@ build_essential app_name do
compile_time true
end
include_recipe 'redisio::default'
include_recipe 'redisio::enable'
include_recipe "kosmos-nodejs"
include_recipe "kosmos-redis"
include_recipe "kosmos-hubot::_user"
# Needed for hubot-kredits


@@ -1,8 +1,8 @@
[Unit]
Description=Start nodejs app
<% unless @without_redis %>
Requires=redis-server.service
After=redis-server.service
Requires=redis@6379.service
After=redis@6379.service
<% end %>
[Service]


@@ -1,3 +1,5 @@
node.default["kosmos-mastodon"]["repo"] = "https://gitea.kosmos.org/kosmos/mastodon.git"
node.default["kosmos-mastodon"]["revision"] = "kosmos-production"
node.default["kosmos-mastodon"]["directory"] = "/opt/mastodon"
node.default["kosmos-mastodon"]["puma_port"] = 3000
node.default["kosmos-mastodon"]["streaming_port"] = 4000
@@ -7,6 +9,8 @@ node.default["kosmos-mastodon"]["sidekiq_threads"] = 25
# Allocate this amount of RAM to the Java heap for Elasticsearch
node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m"
node.override["redisio"]["version"] = "6.2.6"
node.override["tor"]["HiddenServices"]["mastodon"] = {
"HiddenServicePorts" => ["80 127.0.0.1:80", "443 127.0.0.1:443"]
}


@@ -8,7 +8,7 @@ version '0.2.1'
depends "kosmos-nginx"
depends "kosmos-nodejs"
depends "kosmos-redis"
depends 'redisio'
depends "poise-ruby-build"
depends "application"
depends "application_git"


@@ -4,8 +4,9 @@
#
include_recipe "kosmos-nodejs"
include_recipe "kosmos-redis"
include_recipe "java"
include_recipe 'redisio::default'
include_recipe 'redisio::enable'
elasticsearch_user 'elasticsearch'
@@ -46,7 +47,7 @@ npm_package "yarn" do
version "1.22.4"
end
ruby_version = "2.6.6"
ruby_version = "2.7.2"
execute "systemctl daemon-reload" do
command "systemctl daemon-reload"
@@ -77,6 +78,18 @@ template "/lib/systemd/system/mastodon-sidekiq.service" do
notifies :restart, "service[mastodon-sidekiq]", :delayed
end
# mastodon-sidekiq-scheduler service
#
template "/lib/systemd/system/mastodon-sidekiq-scheduler.service" do
source "mastodon-sidekiq-scheduler.systemd.service.erb"
variables user: mastodon_user,
app_dir: mastodon_path,
bundle_path: "/opt/ruby_build/builds/#{ruby_version}/bin/bundle",
sidekiq_threads: 1
notifies :run, "execute[systemctl daemon-reload]", :immediately
notifies :restart, "service[mastodon-sidekiq-scheduler]", :delayed
end
# mastodon-streaming service
#
template "/lib/systemd/system/mastodon-streaming.service" do
@@ -106,8 +119,8 @@ application mastodon_path do
git do
user mastodon_user
group mastodon_user
repository "https://gitea.kosmos.org/kosmos/mastodon.git"
revision "production"
repository node["kosmos-mastodon"]["repo"]
revision node["kosmos-mastodon"]["revision"]
# Restart services on deployments
notifies :restart, "application[#{mastodon_path}]", :delayed
end
@@ -153,7 +166,7 @@ application mastodon_path do
end
execute 'rake db:migrate' do
environment "RAILS_ENV" => "production", "HOME" => mastodon_path
environment "RAILS_ENV" => "production", "HOME" => mastodon_path#, "SKIP_POST_DEPLOYMENT_MIGRATIONS" => "true"
user mastodon_user
group mastodon_user
cwd mastodon_path
@@ -176,6 +189,10 @@ application mastodon_path do
action [:enable, :start]
end
service "mastodon-sidekiq-scheduler" do
action [:enable, :start]
end
service "mastodon-streaming" do
action [:enable, :start]
end
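Review bot: `ruby_version = "2.7.2"` pins a Ruby older than the `2.7.5` the other Rails cookbook in this same commit moves to, so the two hosts build different patch releases of the same series and this one misses the fixes between 2.7.2 and 2.7.5; unless Mastodon's `.ruby-version` forces 2.7.2, use the same `ruby_version = "2.7.5"`. The `execute 'rake db:migrate'` line now carries a commented-out `#, "SKIP_POST_DEPLOYMENT_MIGRATIONS" => "true"`; either drop it or explain when to enable it, e.g. `# set SKIP_POST_DEPLOYMENT_MIGRATIONS=true for zero-downtime deploys, then run post-deployment migrations separately`. The `application` block starts and ends outside these hunks.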


@@ -0,0 +1,17 @@
[Unit]
Description=mastodon-sidekiq-scheduler
Requires=redis@6379.service
After=redis@6379.service
[Service]
Type=simple
User=<%= @user %>
WorkingDirectory=<%= @app_dir %>
Environment="RAILS_ENV=production"
Environment="LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
ExecStart=<%= @bundle_path %> exec sidekiq -c <%= @sidekiq_threads %> -q scheduler
TimeoutSec=15
Restart=always
[Install]
WantedBy=multi-user.target


@@ -1,7 +1,7 @@
[Unit]
Description=mastodon-sidekiq
Requires=redis-server.service
After=redis-server.service
Requires=redis@6379.service
After=redis@6379.service
[Service]
Type=simple
@@ -9,7 +9,7 @@ User=<%= @user %>
WorkingDirectory=<%= @app_dir %>
Environment="RAILS_ENV=production"
Environment="DB_POOL=50"
Environment="LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.1"
Environment="LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
ExecStart=<%= @bundle_path %> exec sidekiq -c <%= @sidekiq_threads %> -q default -q mailers -q pull -q push
TimeoutSec=15
Restart=always


@@ -1,7 +1,7 @@
[Unit]
Description=mastodon-web
Requires=redis-server.service
After=redis-server.service
Requires=redis@6379.service
After=redis@6379.service
[Service]
Type=simple
@@ -10,7 +10,7 @@ PIDFile=<%= @app_dir %>/tmp/puma.pid
WorkingDirectory=<%= @app_dir %>
Environment="RAILS_ENV=production"
Environment="PORT=3000"
Environment="LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.1"
Environment="LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
ExecStart=<%= @bundle_path %> exec puma -C config/puma.rb --pidfile <%= @app_dir %>/tmp/puma.pid
ExecStop=<%= @bundle_path %> exec puma -C config/puma.rb --pidfile <%= @app_dir %>/tmp/puma.pid stop
ExecReload=<%= @bundle_path %> exec pumactl -F config/puma.rb --pidfile <%= @app_dir %>/tmp/puma.pid phased-restart


@@ -2,27 +2,6 @@
# Cookbook Name:: kosmos-nginx
# Recipe:: default
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
node.override['nginx']['default_site_enabled'] = false
node.override['nginx']['server_tokens'] = 'off'
@@ -86,3 +65,17 @@ end
unless node.chef_environment == "development"
include_recipe "kosmos-nginx::firewall"
end
ruby_block "nginx configuration" do
block do
file = Chef::Util::FileEdit.new("/etc/nginx/nginx.conf")
file.insert_line_if_no_match(/stream {/, <<-EOF
stream {
include /etc/nginx/streams-enabled/*;
}
EOF
)
file.write_file
end
notifies :reload, 'ohai[reload_nginx]', :immediately
end
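Review bot: The `ruby_block "nginx configuration"` always converges, so its `notifies :reload, 'ohai[reload_nginx]', :immediately` fires on every Chef run even when `insert_line_if_no_match` changed nothing; guard it with `not_if "grep -q 'stream {' /etc/nginx/nginx.conf"` so the block only runs when the `stream` section is actually missing. Editing `/etc/nginx/nginx.conf` in place also means the nginx cookbook's own template will drop the section whenever it re-renders, after which this block re-adds it, so the config may flap between runs; moving the include into that template via its attributes would avoid the race, but the cookbook's behaviour is not visible here. `/etc/nginx/streams-enabled/` is not created in this hunk; nginx should tolerate a glob that matches nothing, but a `directory` resource would make the intent explicit.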


@@ -9,6 +9,8 @@ property :site, String
action :create do
return if node.chef_environment == "development"
package "snapd"
domain = new_resource.domain
site = new_resource.site || domain
root_directory = "/var/www/#{domain}"


@@ -2,29 +2,8 @@
# Cookbook Name:: kosmos-nodejs
# Recipe:: default
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_12.x"
node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_14.x"
# Allows upgrading
node.override["nodejs"]["package_action"]["nodejs"] = :upgrade
include_recipe "nodejs::nodejs_from_package"


@@ -8,3 +8,4 @@ version '0.1.0'
chef_version '>= 14.0'
depends "kosmos-nginx"
depends 'firewall'


@@ -2,37 +2,15 @@
# Cookbook:: kosmos_discourse
# Recipe:: default
#
# The MIT License (MIT)
#
# Copyright:: 2020, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
package "docker-compose"
domain = "community.kosmos.org"
deploy_path = "/opt/discourse"
repo = "https://github.com/discourse/discourse_docker"
git deploy_path do
repository repo
revision "master"
revision "main"
end
systemd_unit "discourse.service" do
@@ -55,20 +33,11 @@ systemd_unit "discourse.service" do
action [:create, :enable]
end
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
source "nginx_conf.erb"
owner 'www-data'
mode 0640
variables server_name: domain,
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
upstream_port: 3001
include_recipe 'firewall'
notifies :reload, 'service[nginx]', :delayed
firewall_rule 'discourse' do
port [3001]
source "10.1.1.0/24"
protocol :tcp
command :allow
end
nginx_site domain do
action :enable
end
nginx_certbot_site domain
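Review bot: The new `firewall_rule 'discourse'` admits the entire `10.1.1.0/24` to port 3001 even though its only intended clients are the nginx proxies, and, if Discourse's port 3001 is published by Docker the way the Drone compose file in this commit publishes its port, Docker's own DNAT/FORWARD rules handle that traffic before the host's INPUT chain, so this rule may not restrict anything at all. Scoping `source` to the proxy addresses (the Gitea recipe in this commit already looks them up with `search(:node, "role:nginx_proxy")`) and binding the published port to the host's internal interface address rather than all interfaces would make the restriction effective. Separately, `revision "main"` deploys whatever is at the head of a third-party repository on every converge; pinning to a release tag or commit SHA keeps the deployment reproducible and reviewable. The `git` resource is fully inside the hunk, but `systemd_unit "discourse.service"` continues past its end.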


@@ -0,0 +1,34 @@
#
# Cookbook:: kosmos_discourse
# Recipe:: nginx
#
include_recipe "kosmos-nginx"
domain = "community.kosmos.org"
upstream_ip_addresses = []
search(:node, "role:discourse").each do |n|
upstream_ip_addresses << n["knife_zero"]["host"]
end
# No Discourse host, stop here
return if upstream_ip_addresses.empty?
nginx_certbot_site domain
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
source "nginx_conf.erb"
owner 'www-data'
mode 0640
variables server_name: domain,
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
upstream_port: 3001,
upstream_ip_addresses: upstream_ip_addresses
notifies :reload, 'service[nginx]', :delayed
end
nginx_site domain do
action :enable
end
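Review bot: Line 1056 indexes `n["knife_zero"]["host"]` without a nil guard, so a node that carries the `discourse` role but has no `knife_zero` attribute raises `NoMethodError` and fails the proxy's whole converge instead of being skipped; `next unless n["knife_zero"]` before the append keeps the recipe running. The same pattern is repeated in the Drone and Gitea nginx recipes of this commit. Note also that the proxy forwards to the Discourse host over plain HTTP on 3001 across the internal network, which is acceptable on a trusted private segment but deserves a comment on the `template` such as `# TLS terminates here; traffic to the Discourse host is cleartext on the internal network`.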


@@ -1,6 +1,8 @@
# Generated by Chef
upstream _discourse {
server localhost:<%= @upstream_port %>;
<% @upstream_ip_addresses.each do |upstream_ip_address| -%>
server <%= upstream_ip_address %>:<%= @upstream_port %>;
<% end -%>
}
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
@@ -16,7 +18,6 @@ server {
# Send real IP to the Docker container
set_real_ip_from 127.0.0.1;
set_real_ip_from 172.17.0.1;
real_ip_header X-Forwarded-For;
client_max_body_size 20M;
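Review bot: The surviving `set_real_ip_from 127.0.0.1` / `set_real_ip_from 172.17.0.1` lines describe the old single-host layout in which nginx sat next to the Docker bridge; on a dedicated proxy that now takes client connections directly, neither address will ever be the peer, so the real-IP rewriting is inert here, while the nginx inside the Discourse container now has to trust the proxy addresses instead (that configuration is not part of this commit, so I cannot confirm it was updated). This rendering does not show which of the three real-IP lines the hunk removed. I would drop the stale `set_real_ip_from` entries and leave a comment such as `# client IP is restored on the Discourse host; this proxy is the trusted hop`. The `server {` block continues outside the hunk.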


@@ -0,0 +1,2 @@
node.default["kosmos_drone"]["domain"] = "drone.kosmos.org"
node.default["kosmos_drone"]["upstream_port"] = 80


@@ -7,5 +7,6 @@ long_description 'Installs/Configures kosmos_drone'
version '0.1.0'
chef_version '>= 14.0'
depends "firewall"
depends "kosmos-nginx"
depends "kosmos_gitea"


@@ -4,10 +4,17 @@
#
package "docker-compose"
domain = "drone.kosmos.org"
deploy_path = "/opt/drone"
upstream_port = 3002
credentials = data_bag_item("credentials", "drone")
drone_credentials = data_bag_item('credentials', 'drone')
postgres_config = {
username: "drone",
password: drone_credentials["postgresql_password"],
host: "pg.kosmos.local",
port: 5432,
database: "drone"
}
directory deploy_path do
action :create
@@ -17,13 +24,16 @@ template "#{deploy_path}/docker-compose.yml" do
source "docker-compose.yml.erb"
sensitive true
mode 0640
variables upstream_port: upstream_port,
domain: domain,
variables domain: node["kosmos_drone"]["domain"],
upstream_port: node["kosmos_drone"]["upstream_port"],
gitea_server: "https://#{node["kosmos_gitea"]["nginx"]["domain"]}",
client_id: credentials['client_id'],
client_secret: credentials['client_secret'],
rpc_secret: credentials['rpc_secret'],
database_secret: credentials['database_secret'],
postgres: postgres_config,
max_procs: 4
notifies :restart, "systemd_unit[drone.service]", :delayed
end
systemd_unit "drone.service" do
@@ -45,20 +55,9 @@ systemd_unit "drone.service" do
action [:create, :enable, :start]
end
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
source "nginx_conf.erb"
owner 'www-data'
mode 0640
variables server_name: domain,
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
upstream_port: upstream_port
notifies :reload, 'service[nginx]', :delayed
firewall_rule 'drone' do
port [node["kosmos_drone"]["upstream_port"]]
source "10.1.1.0/24" # TODO only allow nginx proxy IPs
protocol :tcp
command :allow
end
nginx_site domain do
action :enable
end
nginx_certbot_site domain
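Review bot: The `firewall_rule 'drone'` still carries `# TODO only allow nginx proxy IPs` and admits the whole `10.1.1.0/24`, although the same commit already resolves that lookup in the Gitea recipe with `search(:node, "role:nginx_proxy")`, so the rule can be scoped now. Note also that the compose template publishes the port as `"<%= @upstream_port %>:80"`, i.e. on all interfaces (port 80 with the new attribute default), and Docker programs its DNAT/FORWARD rules ahead of the host's INPUT chain, so unless the firewall cookbook is set up to be Docker-aware this rule may not restrict access at all; binding the published port to the host's internal interface address in the compose file is what makes the restriction effective. As a smaller point, the data bag is fetched twice (`credentials` and `drone_credentials` on adjacent lines) and one of them can go. The `template` and `systemd_unit` blocks straddle the hunk boundaries.
```ruby
# … unchanged: systemd_unit "drone.service" …
# One rule per proxy address; if no proxy is found the port stays closed
# instead of being open to the whole subnet
nginx_proxy_ip_addresses = search(:node, "role:nginx_proxy").map { |n| n["knife_zero"]["host"] }
nginx_proxy_ip_addresses.each_with_index do |ip_address, i|
  firewall_rule "drone_#{i}" do
    port [node["kosmos_drone"]["upstream_port"]]
    source ip_address
    protocol :tcp
    command :allow
  end
end
```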


@@ -0,0 +1,32 @@
#
# Cookbook:: kosmos_drone
# Recipe:: nginx
#
domain = node["kosmos_drone"]["domain"]
upstream_ip_addresses = []
search(:node, "role:drone").each do |n|
upstream_ip_addresses << n["knife_zero"]["host"]
end
# No Discourse host, stop here
return if upstream_ip_addresses.empty?
nginx_certbot_site domain
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
source "nginx_conf.erb"
owner 'www-data'
mode 0640
variables server_name: domain,
upstream_ip_addresses: upstream_ip_addresses,
upstream_port: node["kosmos_drone"]["upstream_port"],
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
notifies :reload, 'service[nginx]', :delayed
end
nginx_site domain do
action :enable
end
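Review bot: Unlike the Discourse and Gitea nginx recipes added in this commit, this recipe never does `include_recipe "kosmos-nginx"`, so `node['nginx']['dir']` and the `nginx_certbot_site` / `nginx_site` resources it uses depend on kosmos-nginx already being earlier in the run list; add `include_recipe "kosmos-nginx"` above the `domain =` line. The comment `# No Discourse host, stop here` was copied from the Discourse recipe and should read `# No Drone host, stop here`. As in the sibling recipes, `n["knife_zero"]["host"]` raises if a `drone` node lacks the `knife_zero` attribute; a `next unless n["knife_zero"]` guard keeps one odd node from failing the proxy's converge.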


@@ -0,0 +1,16 @@
#
# Cookbook:: kosmos_drone
# Recipe:: pg_db
#
drone_credentials = data_bag_item("credentials", "drone")
postgresql_user "drone" do
action :create
password drone_credentials["postgresql_password"]
end
postgresql_database "drone" do
owner "drone"
action :create
end
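Review bot: `postgresql_user "drone"` receives the password from the data bag but is not marked `sensitive true`, whereas the docker-compose template in this same commit is; without it a password change or a resource failure can surface the value in converge logs and reports. Add `sensitive true` inside the resource block.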


@@ -2,7 +2,7 @@ version: '3'
services:
drone-server:
image: drone/drone:2.5
image: drone/drone:2.11
ports:
- "<%= @upstream_port %>:80"
@@ -17,6 +17,9 @@ services:
- DRONE_SERVER_HOST=<%= @domain %>
- DRONE_SERVER_PROTO=https # required for the Redirect URI to be built correctly
- DRONE_RPC_SECRET=<%= @rpc_secret %>
- DRONE_DATABASE_DRIVER=postgres
- DRONE_DATABASE_DATASOURCE=postgres://<%= @postgres[:username] %>:<%= @postgres[:password] %>@<%= @postgres[:host] %>:<%= @postgres[:port] %>/<%= @postgres[:database] %>?sslmode=disable
- DRONE_DATABASE_SECRET=<%= @database_secret %>
drone-runner:
image: drone/drone-runner-docker:1.8
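Review bot: The new `DRONE_DATABASE_DATASOURCE` connects to `pg.kosmos.local` on another host with `sslmode=disable`, so the database password embedded in that URL and all CI data cross the network in cleartext. The Gitea recipe in this repository already provisions the cluster's self-signed root certificate (`root.kosmos.org.crt`) for its Postgres connection, so the same certificate can be mounted into the container and the URL changed to `?sslmode=verify-full&sslrootcert=<path inside the container>`; `sslmode=require` at minimum would at least encrypt the link. The `environment:` list continues outside the hunk.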


@@ -1,7 +1,9 @@
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
# Generated by Chef
upstream _drone {
server localhost:<%= @upstream_port %>;
<% @upstream_ip_addresses.each do |upstream_ip_address| -%>
server <%= upstream_ip_address %>:<%= @upstream_port %>;
<% end -%>
}
server {


@@ -1,6 +1,13 @@
gitea_version = "1.15.6"
gitea_version = "1.16.5"
node.default["kosmos_gitea"]["version"] = gitea_version
node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
node.default["kosmos_gitea"]["binary_checksum"] = "1b7473b5993e07b33fec58edbc1a90f15f040759ca4647e97317c33d5dfe58be"
node.default["kosmos_gitea"]["binary_checksum"] = "c0fb4107dc4debf08e6e27fd3383e06dc232ccb410123179c7ae8d7cec60765f"
node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org"
node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea"
node.default["kosmos_gitea"]["port"] = 3000
node.default["kosmos_gitea"]["config"] = {
"webhook": {
"allowed_host_list" => "external,127.0.1.1"
}
}
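Review bot: The new `allowed_host_list` default `"external,127.0.1.1"` re-admits a loopback address as a webhook target, which is precisely the class of destination Gitea's allow-list exists to block (webhooks reaching services on the Gitea host itself), and nothing records why `127.0.1.1` is needed. The default recipe in this commit also replaces the whole `config` hash with the discovered proxy addresses, so this value only applies when that override does not run. Either drop the loopback entry or add a comment above the line naming the local consumer, e.g. `# 127.0.1.1: webhooks must reach <consumer> on the Gitea host itself; all other targets go through the proxies`.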


@@ -19,6 +19,7 @@ chef_version '>= 14.0'
#
# source_url 'https://github.com/<insert_org_here>/kosmos_gitea'
depends "firewall"
depends "kosmos-nginx"
depends "kosmos_postgresql"
depends "backup"


@@ -4,26 +4,7 @@
#
# The MIT License (MIT)
#
# Copyright:: 2020, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
unless node.chef_environment == "development"
# backup the data dir and the config files
node.override["backup"]["archives"]["gitea"] = [node["kosmos_gitea"]["working_directory"]]


@@ -3,9 +3,6 @@
# Recipe:: default
#
include_recipe "kosmos-nginx"
domain = node["kosmos_gitea"]["nginx"]["domain"]
working_directory = node["kosmos_gitea"]["working_directory"]
git_home_directory = "/home/git"
repository_root_directory = "#{git_home_directory}/gitea-repositories"
@@ -63,15 +60,17 @@ directory config_directory do
mode "0750"
end
# Copy the self-signed root certificate to the system certificate store. Gitea
# will find it there automatically
postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
root_cert_path = "/etc/ssl/certs/root.kosmos.org.crt"
file root_cert_path do
content postgresql_data_bag_item['ssl_root_cert']
mode "0644"
nginx_proxy_ip_addresses = []
search(:node, "role:nginx_proxy").each do |node|
nginx_proxy_ip_addresses << node["knife_zero"]["host"]
end
node.default["kosmos_gitea"]["config"] = {
"webhook": {
"allowed_host_list" => "external,#{nginx_proxy_ip_addresses.join(",")}"
}
}
template "#{config_directory}/app.ini" do
source "app.ini.erb"
owner "git"
@@ -90,7 +89,8 @@ template "#{config_directory}/app.ini" do
postgresql_password: gitea_data_bag_item["postgresql_password"],
smtp_host: smtp_credentials["relayhost"],
smtp_user: smtp_credentials["user_name"],
smtp_password: smtp_credentials["password"]
smtp_password: smtp_credentials["password"],
config: node["kosmos_gitea"]["config"]
notifies :restart, "service[gitea]", :delayed
end
@@ -118,20 +118,16 @@ service "gitea" do
action [:enable, :start]
end
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
source "nginx_conf.erb"
owner 'www-data'
mode 0640
variables server_name: domain,
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
upstream_port: 3000
notifies :reload, 'service[nginx]', :delayed
firewall_rule 'gitea' do
port [node["kosmos_gitea"]["port"]]
source "10.1.1.0/24" # TODO only allow nginx proxy IPs
protocol :tcp
command :allow
end
nginx_site domain do
action :enable
# Hack-fix until we can disable auto-generation of archives
# TODO https://gitea.kosmos.org/kosmos/chef/issues/395
cron 'delete auto-generated repo file archives' do
minute '*/15'
command 'rm -rf /var/lib/gitea/data/repo-archive/* >/dev/null 2>&1'
end
nginx_certbot_site domain
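Review bot: `firewall_rule 'gitea'` still admits the whole `10.1.1.0/24` with `# TODO only allow nginx proxy IPs`, yet `nginx_proxy_ip_addresses` is already computed earlier in this same recipe for the webhook allow-list, so the TODO can be closed here with one rule per proxy address (the pattern the ztncui recipe in this commit uses). In that search loop the block parameter `|node|` shadows Chef's `node` method; the sibling recipes use `|n|`. The new `cron` runs `rm -rf` as root every 15 minutes on a directory owned by `git`; `user 'git'` would confine it. The `template "#{config_directory}/app.ini"` block straddles the hunk boundaries.
```ruby
# … unchanged: service "gitea" …
# One rule per proxy address discovered above; with no proxies found the port stays closed
nginx_proxy_ip_addresses.each_with_index do |ip_address, i|
  firewall_rule "gitea_#{i}" do
    port [node["kosmos_gitea"]["port"]]
    source ip_address
    protocol :tcp
    command :allow
  end
end
```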


@@ -0,0 +1,52 @@
#
# Cookbook:: kosmos_gitea
# Recipe:: nginx
#
include_recipe "kosmos-nginx"
domain = node["kosmos_gitea"]["nginx"]["domain"]
# upstream_ip_addresses = []
# search(:node, "role:gitea").each do |n|
# upstream_ip_addresses << n["knife_zero"]["host"]
# end
begin
upstream_ip_address = search(:node, "role:gitea").first["knife_zero"]["host"]
rescue
Chef::Log.warn('No server with "gitea" role. Stopping here.')
return
end
nginx_certbot_site domain
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
source "nginx_conf_web.erb"
owner 'www-data'
mode 0640
variables server_name: domain,
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
upstream_host: upstream_ip_address,
upstream_port: node["kosmos_gitea"]["port"]
notifies :reload, 'service[nginx]', :delayed
end
nginx_site domain do
action :enable
end
template "#{node['nginx']['dir']}/streams-available/ssh" do
source "nginx_conf_ssh.erb"
owner 'www-data'
mode 0640
variables domain: domain,
upstream_host: upstream_ip_address
notifies :reload, 'service[nginx]', :delayed
end
nginx_stream "ssh" do
action :enable
end
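Review bot: The bare `rescue` around the search turns every failure — a search backend error, a `gitea` node without the `knife_zero` attribute, a typo — into the misleading warning `No server with "gitea" role` and a silent skip, when it is only meant to handle an empty result. Checking the result explicitly keeps genuine errors visible; the commented-out multi-host block on the lines above is dead code and should be deleted rather than kept. Only `.first` is used, so any further `gitea` nodes are silently ignored — presumably there is a single instance, which a comment should say.
```ruby
# Single Gitea instance by design; additional nodes with the role are ignored
gitea_node = search(:node, "role:gitea").first
if gitea_node.nil?
  Chef::Log.warn('No server with "gitea" role. Stopping here.')
  return
end
upstream_ip_address = gitea_node["knife_zero"]["host"]
# … unchanged: nginx_certbot_site, templates, nginx_site, nginx_stream …
```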


@@ -2,7 +2,6 @@
# Cookbook:: kosmos_gitea
# Recipe:: pg_db
#
# Copyright:: 2020, Kosmos Developers, All Rights Reserved.
gitea_data_bag_item = data_bag_item("credentials", "gitea")


@@ -44,10 +44,6 @@ FROM = gitea@kosmos.org
USER = <%= @smtp_user %>
PASSWD = <%= @smtp_password %>
[oauth2]
JWT_SECRET = <%= @jwt_secret %>
JWT_SIGNING_ALGORITHM = HS256
[security]
INTERNAL_TOKEN = <%= @internal_token %>
INSTALL_LOCK = true
@@ -85,3 +81,8 @@ ALLOWED_TYPES = image/gif|image/jpeg|image/png|application/zip|application/gzip
MAX_SIZE = 10
; ; Max number of files per upload. Defaults to 5
MAX_FILES = 5
<% if c = @config["webhook"] %>
[webhook]
<% if c["allowed_host_list"] %>ALLOWED_HOST_LIST = <%= c["allowed_host_list"] %><% end %>
<% end %>
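Review bot: The `[oauth2]` section with `JWT_SECRET` / `JWT_SIGNING_ALGORITHM` appears to be what the first hunk removes (the rendering keeps no markers); if the intent is to let Gitea generate the secret, be aware that Gitea writes a generated `JWT_SECRET` back into app.ini, and this Chef-managed template will overwrite it on the next converge, invalidating issued OAuth2 tokens each time — unless the secret now lives in a part of the template outside the hunk. Related to the move of nginx to separate hosts in this commit: as I read the Gitea docs, `X-Forwarded-For` is only honored from addresses listed in `[security] REVERSE_PROXY_TRUSTED_PROXIES` (loopback by default), so without adding the proxy addresses, client IPs in logs and rate limits become the proxy's; the recipe already has `nginx_proxy_ip_addresses` and could pass them through `@config` the same way the webhook list is. The trailing `<% end %>` tags lack `-%>` and leave blank lines in the rendered file; harmless, but `-%>` matches the nginx templates.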


@@ -0,0 +1,8 @@
upstream _gitea_ssh {
server <%= @upstream_host %>:22;
}
server {
listen 148.251.83.201:22;
proxy_pass _gitea_ssh;
}
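Review bot: The public address `148.251.83.201` is hard-coded in the template even though the recipe already passes `domain` and `upstream_host` as variables; move it to a node attribute so the proxy role is not tied to one machine, e.g. `listen <%= @listen_address %>:22;`. TCP-proxying port 22 also means sshd on the Gitea host sees every connection as coming from the proxy, so per-source defenses there (fail2ban, source-scoped firewall rules) no longer distinguish clients, and the proxy's own sshd must not bind that address on 22 (the `ssh-alt-port` 2222 rule elsewhere in this commit hints it was moved, but that is outside this file). A short comment above `listen` recording both facts would help the next reader.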


@@ -1,6 +1,6 @@
# Generated by Chef
upstream _gitea {
server localhost:<%= @upstream_port %>;
upstream _gitea_web {
server <%= @upstream_host %>:<%= @upstream_port %>;
}
server {
@@ -26,14 +26,14 @@ server {
location ~ ^/(avatars|repo-avatars)/.*$ {
proxy_buffers 1024 8k;
proxy_pass http://_gitea;
proxy_pass http://_gitea_web;
proxy_http_version 1.1;
expires 30d;
}
location / {
proxy_buffers 1024 8k;
proxy_pass http://_gitea;
proxy_pass http://_gitea_web;
proxy_http_version 1.1;
}
}


@@ -24,3 +24,9 @@ cookbook_file "/usr/local/sbin/create_vm" do
source "create_vm"
mode "0750"
end
firewall_rule 'ssh-alt-port' do
port [2222]
protocol :tcp
command :allow
end
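Review bot: The new `ssh-alt-port` rule opens 2222/tcp to every source, while every other rule added in this commit carries a `source` restriction, and nothing here records what listens on 2222 (an alternate sshd port, presumably, given the name). If it is meant to be reachable from the Internet, say so with `# sshd on the alternate port; intentionally reachable from anywhere`; otherwise add a `source` with the management network, as the other rules do.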


@@ -1,2 +1,2 @@
node.default['rskj']['version'] = '3.0.1~focal'
node.default['rskj']['version'] = '3.2.0~focal'
node.default['rskj']['network'] = 'testnet'


@@ -8,3 +8,4 @@ version '1.0.0'
chef_version '>= 15.10' if respond_to?(:chef_version)
depends "kosmos-nginx"
depends 'git'


@@ -4,6 +4,7 @@
#
include_recipe "kosmos-nginx"
include_recipe "git"
domain = node["kosmos_website"]["domain"]


@@ -3,4 +3,4 @@ node.default['kosmos_zerotier']['server_port'] = 9993
node.default['ztncui']['version'] = '0.6.6'
node.default['ztncui']['checksum'] = 'fa83679266a571c10e13b11293ebfb9d1c3515019f2af1e7dd066b5a37411018'
node.default['ztncui']['http_all_interfaces'] = true
node.default['ztncui']['http_allow_access_from'] = '10.1.1.0/24'
node.default['ztncui']['http_allow_access_from'] = ['10.1.1.0/24','10.2.2.0/24']


@@ -28,11 +28,13 @@ end
include_recipe 'kosmos-base::firewall'
if node['ztncui']['http_allow_access_from']
firewall_rule 'zncui_http' do
port 3000
protocol :tcp
command :allow
source node['ztncui']['http_allow_access_from']
if ip_addresses = node['ztncui']['http_allow_access_from']
ip_addresses.each_with_index do |ip_address, i|
firewall_rule "zncui_http_#{i}" do
port 3000
protocol :tcp
command :allow
source ip_address
end
end
end
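Review bot: Rule names are keyed by array index (`zncui_http_#{i}`), so inserting or reordering an entry in `http_allow_access_from` renames existing rules and makes the resulting rule set harder to audit; keying by the address, `firewall_rule "zncui_http_#{ip_address}"`, keeps names stable. The `if ip_addresses = node[...]` assignment-in-condition reads like a comparison; an explicit `ip_addresses = node['ztncui']['http_allow_access_from']` followed by `if ip_addresses` is clearer and matches the rest of the commit. The previous single `zncui_http` rule is no longer declared; whether the firewall cookbook drops undeclared rules depends on how it is configured, which I cannot see here.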


@@ -6,7 +6,7 @@ description 'Installs/Configures sockethub'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '0.2.0'
depends 'kosmos-redis'
depends 'firewall'
depends 'redisio'
depends 'kosmos-nodejs'
depends 'kosmos-nginx'
depends 'firewall'


@@ -1,36 +0,0 @@
#
# Cookbook Name:: sockethub
# Recipe:: _firewall
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
unless node.chef_environment == "development"
include_recipe "kosmos-base::firewall"
firewall_rule 'sockethub' do
port node['sockethub']['external_port'].to_i
protocol :tcp
command :allow
end
end


@@ -2,30 +2,10 @@
# Cookbook Name:: sockethub
# Recipe:: default
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
include_recipe 'redisio::default'
include_recipe 'redisio::enable'
include_recipe 'kosmos-nodejs'
include_recipe 'kosmos-redis'
user = "sockethub"
group = "sockethub"
@@ -67,8 +47,8 @@ systemd_unit "sockethub_nodejs.service" do
content <<-EOF
[Unit]
Description=Start sockethub
Requires=redis-server.service
After=redis-server.service
Requires=redis@6379.service
After=redis@6379.service
[Service]
ExecStart=#{entry}


@@ -0,0 +1,14 @@
#
# Cookbook Name:: sockethub
# Recipe:: firewall
#
unless node.chef_environment == "development"
include_recipe "kosmos-base::firewall"
firewall_rule 'sockethub' do
port node['sockethub']['external_port'].to_i
protocol :tcp
command :allow
end
end


@@ -2,29 +2,8 @@
# Cookbook Name:: sockethub
# Recipe:: proxy
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
include_recipe 'sockethub::_firewall'
include_recipe 'sockethub::firewall'
include_recipe 'kosmos-nginx'
include_recipe "kosmos-base::letsencrypt"