Merge pull request 'Migrate Discourse to new VM on fornax' (#389) from chore/migrate_discourse into master

Reviewed-on: #389

clients/discourse-1.json

@@ -0,0 +1,4 @@
+{
+  "name": "discourse-1",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxJBhKUtTcmjP8eG4aLNF\n9UfNU9lRIFhfywjFJjtXoYdNaUatZHE3s1HKND0SjJs5BRQbZBEKLxTHCgnPZD4U\nlRgZ65JtHwi+JNM6ac4TQm5JYKA++KxX7FtOiJV6oGX6foNoFVHrGi+fhTlLE9hL\npHRQWTpM8ErpUEj3VHez+k6KT1Mr3QO5T9L5kqu1BdTYwtyfXJE0VfyDKz/rwrvc\ngPvZd167p8YCTu/rWLG9X8tag+ySUR9cmlEn5sCsBLmq56Zurf0VIe/0tuGPI8DP\nAVc4dIXHsfGuKLwBfFPSDy9YbI7F8gbaD05UnUVn60IWPmWsE19K/iIc/OnJZwRO\nkQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

nodes/centaurus.kosmos.org.json

@@ -83,7 +83,6 @@
     "recipe[kosmos-base]",
     "recipe[kosmos_encfs]",
     "role[gitea]",
-    "role[discourse]",
     "role[drone]",
     "recipe[kosmos_assets::nginx_site]",
     "recipe[kosmos_kvm::host]",
@@ -92,4 +91,4 @@
     "recipe[kosmos_zerotier::firewall]",
     "recipe[sockethub::_firewall]"
   ]
-}
+}

nodes/discourse-1.json

@@ -0,0 +1,58 @@
+{
+  "name": "discourse-1",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.20"
+    }
+  },
+  "automatic": {
+    "fqdn": "discourse-1",
+    "os": "linux",
+    "os_version": "5.4.0-1055-kvm",
+    "hostname": "discourse-1",
+    "ipaddress": "192.168.122.148",
+    "roles": [
+      "discourse"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_discourse",
+      "kosmos_discourse::default",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default",
+      "chef-sugar::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "20.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "17.9.46",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.46/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "17.9.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "recipe[kosmos-base]",
+    "role[discourse]"
+  ]
+}

nodes/fornax.kosmos.org.json

@@ -2,7 +2,7 @@
   "name": "fornax.kosmos.org",
   "normal": {
     "knife_zero": {
-      "host": "fornax.kosmos.org"
+      "host": "10.1.1.187"
     }
   },
   "automatic": {
@@ -18,10 +18,12 @@
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::host",
+      "kosmos_discourse::nginx",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
       "ntp::default",
+      "ntp::apparmor",
       "kosmos-base::systemd_emails",
       "apt::unattended-upgrades",
       "kosmos-base::firewall",
@@ -30,7 +32,18 @@
       "postfix::_common",
       "postfix::_attributes",
       "postfix::sasl_auth",
-      "hostname::default"
+      "hostname::default",
+      "kosmos-nginx::default",
+      "nginx::default",
+      "nginx::package",
+      "nginx::ohai_plugin",
+      "nginx::repo",
+      "nginx::commons",
+      "nginx::commons_dir",
+      "nginx::commons_script",
+      "nginx::commons_conf",
+      "kosmos-nginx::firewall",
+      "kosmos-base::letsencrypt"
     ],
     "platform": "ubuntu",
     "platform_version": "20.04",
@@ -49,6 +62,7 @@
   },
   "run_list": [
     "recipe[kosmos-base]",
-    "recipe[kosmos_kvm::host]"
+    "recipe[kosmos_kvm::host]",
+    "recipe[kosmos_discourse::nginx]"
   ]
-}
+}

site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb

@@ -9,6 +9,8 @@ property :site, String
 action :create do
   return if node.chef_environment == "development"
 
+  package "snapd"
+
   domain = new_resource.domain
   site = new_resource.site || domain
   root_directory = "/var/www/#{domain}"

site-cookbooks/kosmos_discourse/metadata.rb

@@ -8,3 +8,4 @@ version '0.1.0'
 chef_version '>= 14.0'
 
 depends "kosmos-nginx"
+depends 'firewall'

site-cookbooks/kosmos_discourse/recipes/default.rb

@@ -2,30 +2,8 @@
 # Cookbook:: kosmos_discourse
 # Recipe:: default
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2020, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 
 package "docker-compose"
-domain = "community.kosmos.org"
 deploy_path = "/opt/discourse"
 
 repo = "https://github.com/discourse/discourse_docker"
@@ -55,20 +33,11 @@ systemd_unit "discourse.service" do
   action [:create, :enable]
 end
 
-template "#{node['nginx']['dir']}/sites-available/#{domain}" do
-  source "nginx_conf.erb"
-  owner 'www-data'
-  mode 0640
-  variables server_name:   domain,
-            ssl_cert:      "/etc/letsencrypt/live/#{domain}/fullchain.pem",
-            ssl_key:       "/etc/letsencrypt/live/#{domain}/privkey.pem",
-            upstream_port: 3001
+include_recipe 'firewall'
 
-  notifies :reload, 'service[nginx]', :delayed
+firewall_rule 'discourse' do
+  port     [3001]
+  source   "10.1.1.0/24"
+  protocol :tcp
+  command  :allow
 end
-
-nginx_site domain do
-  action :enable
-end
-
-nginx_certbot_site domain

site-cookbooks/kosmos_discourse/recipes/nginx.rb

@@ -0,0 +1,34 @@
+#
+# Cookbook:: kosmos_discourse
+# Recipe:: nginx
+#
+
+include_recipe "kosmos-nginx"
+
+domain = "community.kosmos.org"
+
+upstream_ip_addresses = []
+search(:node, "role:discourse").each do |n|
+  upstream_ip_addresses << n["knife_zero"]["host"]
+end
+# No Discourse host, stop here
+return if upstream_ip_addresses.empty?
+
+nginx_certbot_site domain
+
+template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+  source "nginx_conf.erb"
+  owner 'www-data'
+  mode 0640
+  variables server_name:           domain,
+            ssl_cert:              "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key:               "/etc/letsencrypt/live/#{domain}/privkey.pem",
+            upstream_port:         3001,
+            upstream_ip_addresses: upstream_ip_addresses
+
+  notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site domain do
+  action :enable
+end

site-cookbooks/kosmos_discourse/templates/nginx_conf.erb

@@ -1,6 +1,8 @@
 # Generated by Chef
 upstream _discourse {
-  server   localhost:<%= @upstream_port %>;
+  <% @upstream_ip_addresses.each do |upstream_ip_address| -%>
+  server   <%= upstream_ip_address %>:<%= @upstream_port %>;
+  <% end -%>
 }
 
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
@@ -16,7 +18,6 @@ server {
 
   # Send real IP to the Docker container
   set_real_ip_from 127.0.0.1;
-  set_real_ip_from 172.17.0.1;
   real_ip_header X-Forwarded-For;
 
   client_max_body_size 20M;