From 7a8fb1bc7843a15501122ccfbf1ce5031ecd9795 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Thu, 17 Feb 2022 13:02:10 -0600
Subject: [PATCH 01/11] Add new Discourse VM
---
 clients/discourse-1.json | 4 +++
 nodes/discourse-1.json | 53 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 clients/discourse-1.json
 create mode 100644 nodes/discourse-1.json
diff --git a/clients/discourse-1.json b/clients/discourse-1.json
new file mode 100644
index 0000000..404ea0c
--- /dev/null
+++ b/clients/discourse-1.json
@@ -0,0 +1,4 @@
+{
+ "name": "discourse-1",
+ "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxJBhKUtTcmjP8eG4aLNF\n9UfNU9lRIFhfywjFJjtXoYdNaUatZHE3s1HKND0SjJs5BRQbZBEKLxTHCgnPZD4U\nlRgZ65JtHwi+JNM6ac4TQm5JYKA++KxX7FtOiJV6oGX6foNoFVHrGi+fhTlLE9hL\npHRQWTpM8ErpUEj3VHez+k6KT1Mr3QO5T9L5kqu1BdTYwtyfXJE0VfyDKz/rwrvc\ngPvZd167p8YCTu/rWLG9X8tag+ySUR9cmlEn5sCsBLmq56Zurf0VIe/0tuGPI8DP\nAVc4dIXHsfGuKLwBfFPSDy9YbI7F8gbaD05UnUVn60IWPmWsE19K/iIc/OnJZwRO\nkQIDAQAB\n-----END PUBLIC KEY-----\n"
+}
\ No newline at end of file
diff --git a/nodes/discourse-1.json b/nodes/discourse-1.json
new file mode 100644
index 0000000..e0d1024
--- /dev/null
+++ b/nodes/discourse-1.json
@@ -0,0 +1,53 @@
+{
+ "name": "discourse-1",
+ "normal": {
+ "knife_zero": {
+ "host": "10.1.1.20"
+ }
+ },
+ "automatic": {
+ "fqdn": "discourse-1",
+ "os": "linux",
+ "os_version": "5.4.0-1049-kvm",
+ "hostname": "discourse-1",
+ "ipaddress": "192.168.122.148",
+ "roles": [
+
+ ],
+ "recipes": [
+ "kosmos-base",
+ "kosmos-base::default",
+ "apt::default",
+ "timezone_iii::default",
+ "timezone_iii::debian",
+ "ntp::default",
+ "ntp::apparmor",
+ "kosmos-base::systemd_emails",
+ "apt::unattended-upgrades",
+ "kosmos-base::firewall",
+ "kosmos-postfix::default",
+ "postfix::default",
+ "postfix::_common",
+ "postfix::_attributes",
+ "postfix::sasl_auth",
+ "hostname::default"
+ ],
+ "platform": "ubuntu",
+ "platform_version": "20.04",
+ "cloud": null,
+ "chef_packages": {
+ "chef": {
+ "version": "17.9.46",
+ "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.46/lib",
+ "chef_effortless": null
+ },
+ "ohai": {
+ "version": "17.9.0",
+ "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+ }
+ }
+ },
+ "run_list": [
+ "recipe[kosmos-base]"
+ ]
+}
\ No newline at end of file
From e8f46db49ce50622846da13910833b67a773579b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Fri, 18 Feb 2022 18:14:33 +0100
Subject: [PATCH 02/11] Extract the nginx config for discourse to a recipe
Get the upstream servers automatically from Chef nodes
---
 .../kosmos_discourse/recipes/default.rb | 40 -------------------
 .../kosmos_discourse/recipes/nginx.rb | 32 +++++++++++++++
 .../kosmos_discourse/templates/nginx_conf.erb | 4 +-
 3 files changed, 35 insertions(+), 41 deletions(-)
 create mode 100644 site-cookbooks/kosmos_discourse/recipes/nginx.rb
diff --git a/site-cookbooks/kosmos_discourse/recipes/default.rb b/site-cookbooks/kosmos_discourse/recipes/default.rb
index 5e65960..de204a8 100644
--- a/site-cookbooks/kosmos_discourse/recipes/default.rb
+++ b/site-cookbooks/kosmos_discourse/recipes/default.rb
@@ -2,30 +2,8 @@
 # Cookbook:: kosmos_discourse
 # Recipe:: default
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2020, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 package "docker-compose"
-domain = "community.kosmos.org"
 deploy_path = "/opt/discourse"
 repo = "https://github.com/discourse/discourse_docker"
@@ -54,21 +32,3 @@ systemd_unit "discourse.service" do
 }})
 action [:create, :enable]
 end
-
-template "#{node['nginx']['dir']}/sites-available/#{domain}" do
- source "nginx_conf.erb"
- owner 'www-data'
- mode 0640
- variables server_name: domain,
- ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
- ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
- upstream_port: 3001
-
- notifies :reload, 'service[nginx]', :delayed
-end
-
-nginx_site domain do
- action :enable
-end
-
-nginx_certbot_site domain
diff --git a/site-cookbooks/kosmos_discourse/recipes/nginx.rb b/site-cookbooks/kosmos_discourse/recipes/nginx.rb
new file mode 100644
index 0000000..9621fa6
--- /dev/null
+++ b/site-cookbooks/kosmos_discourse/recipes/nginx.rb
@@ -0,0 +1,32 @@
+#
+# Cookbook:: kosmos_discourse
+# Recipe:: nginx
+#
+
+domain = "community.kosmos.org"
+
+upstream_ip_addresses = []
+search(:node, "role:discourse").each do |n|
+ upstream_ip_addresses << n["knife_zero"]["host"]
+end
+# No Discourse host, stop here
+return if upstream_ip_addresses.empty?
+
+template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+ source "nginx_conf.erb"
+ owner 'www-data'
+ mode 0640
+ variables server_name: domain,
+ ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
+ upstream_port: 3001,
+ upstream_ip_addresses: upstream_ip_addresses
+
+ notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site domain do
+ action :enable
+end
+
+nginx_certbot_site domain
diff --git a/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb b/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb
index a1d639c..6d7427d 100644
--- a/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb
+++ b/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb
@@ -1,6 +1,8 @@
 # Generated by Chef
 upstream _discourse {
- server localhost:<%= @upstream_port %>;
+ <% @upstream_ip_addresses.each do |upstream_ip_address| -%>
+ server <%= upstream_ip_address %>:<%= @upstream_port %>;
+ <% end -%>
 }
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
From 79f623de4ee502f70b77cf04ac024dcd1753cb29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Fri, 18 Feb 2022 18:15:33 +0100
Subject: [PATCH 03/11] Prepare fornax and discourse-1 for the discourse migration
---
 nodes/discourse-1.json | 5 +++--
 nodes/fornax.kosmos.org.json | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)
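Review bot: The search loop at the top of nginx.rb dereferences `n["knife_zero"]["host"]` with no nil check, so a node that matches `role:discourse` but carries no `knife_zero` attribute aborts the proxy host's whole converge with a NoMethodError, while the `return if upstream_ip_addresses.empty?` right after it drops the vhost silently. The `roles` index is only populated once the Discourse node itself has converged (patch 11 in this series shows `roles` going from empty to `"discourse"`), so on a fresh proxy run the silent early return is the likely outcome and nothing in the log says why the site is missing. I would collect the addresses defensively and log the skip so an operator can tell "no Discourse node yet" from "search broken"; rewritten lines below. A comment on the search line is also warranted, since `knife_zero.host` is the management address being reused as the service address, which presumably only works while both sit on the same 10.1.1.0/24 network (inferred from the node files in this series, confirm).
```ruby
upstream_ip_addresses = search(:node, "role:discourse").filter_map { |n| n.read("knife_zero", "host") }
if upstream_ip_addresses.empty?
  Chef::Log.warn("kosmos_discourse::nginx: no node with role:discourse exposes knife_zero.host, skipping site #{domain}")
  return
end
# … unchanged: template, nginx_site, nginx_certbot_site …
```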
diff --git a/nodes/discourse-1.json b/nodes/discourse-1.json
index e0d1024..d030b2b 100644
--- a/nodes/discourse-1.json
+++ b/nodes/discourse-1.json
@@ -48,6 +48,7 @@
 }
 },
 "run_list": [
- "recipe[kosmos-base]"
+ "recipe[kosmos-base]",
+ "role[discourse]"
 ]
-}
\ No newline at end of file
+}
diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json
index 853710e..2a4d048 100644
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@@ -49,6 +49,7 @@
 },
 "run_list": [
 "recipe[kosmos-base]",
- "recipe[kosmos_kvm::host]"
+ "recipe[kosmos_kvm::host]",
+ "recipe[kosmos_discourse::nginx]"
 ]
-}
\ No newline at end of file
+}
From 163b12efbc192ec80392dd6154c18923516db541 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Fri, 18 Feb 2022 12:22:15 -0600
Subject: [PATCH 04/11] Add firewall rule for Discourse
---
 site-cookbooks/kosmos_discourse/metadata.rb | 1 +
 site-cookbooks/kosmos_discourse/recipes/default.rb | 9 +++++++++
 2 files changed, 10 insertions(+)
diff --git a/site-cookbooks/kosmos_discourse/metadata.rb b/site-cookbooks/kosmos_discourse/metadata.rb
index 76a2e83..d8aa80e 100644
--- a/site-cookbooks/kosmos_discourse/metadata.rb
+++ b/site-cookbooks/kosmos_discourse/metadata.rb
@@ -8,3 +8,4 @@ version '0.1.0'
 chef_version '>= 14.0'
 depends "kosmos-nginx"
+depends 'firewall'
diff --git a/site-cookbooks/kosmos_discourse/recipes/default.rb b/site-cookbooks/kosmos_discourse/recipes/default.rb
index de204a8..b60c210 100644
--- a/site-cookbooks/kosmos_discourse/recipes/default.rb
+++ b/site-cookbooks/kosmos_discourse/recipes/default.rb
@@ -32,3 +32,12 @@ systemd_unit "discourse.service" do
 }})
 action [:create, :enable]
 end
+
+include_recipe 'firewall'
+
+firewall_rule 'discourse' do
+ port [3001]
+ source "10.1.1.0/24"
+ protocol :tcp
+ command :allow
+end
From 910817a7d4ddba82d2678f08ba47808422bdb75d Mon Sep 17 00:00:00 2001
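Review bot: The new `firewall_rule 'discourse'` in default.rb opens port 3001 to the whole `10.1.1.0/24`, although the only client this series sets up is the nginx proxy on fornax (`10.1.1.187` per patch 09); every other host on that network can then reach the Discourse upstream directly, bypassing the TLS-terminating vhost. Narrowing the rule to the proxy is a one-line change, `source "10.1.1.187/32"`, but a hard-coded address lets default.rb and nginx.rb drift apart; the more robust form mirrors nginx.rb and derives the allowed sources from a node search for the hosts running `kosmos_discourse::nginx`. Either way the rule deserves a comment stating which hosts are expected to connect and why, e.g. `# Only the reverse proxy host(s) may reach the Discourse container port`. The `systemd_unit` block preceding this addition starts outside the hunk.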
From: Sebastian Kippe
Date: Fri, 18 Feb 2022 12:23:14 -0600
Subject: [PATCH 05/11] Create certbot site before normal site
---
 site-cookbooks/kosmos_discourse/recipes/nginx.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/site-cookbooks/kosmos_discourse/recipes/nginx.rb b/site-cookbooks/kosmos_discourse/recipes/nginx.rb
index 9621fa6..3f7602d 100644
--- a/site-cookbooks/kosmos_discourse/recipes/nginx.rb
+++ b/site-cookbooks/kosmos_discourse/recipes/nginx.rb
@@ -12,6 +12,8 @@ end
 # No Discourse host, stop here
 return if upstream_ip_addresses.empty?
+nginx_certbot_site domain
+
 template "#{node['nginx']['dir']}/sites-available/#{domain}" do
 source "nginx_conf.erb"
 owner 'www-data'
@@ -28,5 +30,3 @@ end
 nginx_site domain do
 action :enable
 end
-
-nginx_certbot_site domain
From 5b2ae82ce6bf185bc8e25c0863a8c596fa496fb6 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Fri, 18 Feb 2022 12:23:37 -0600
Subject: [PATCH 06/11] Remove obsolete IP from nginx config
---
 site-cookbooks/kosmos_discourse/templates/nginx_conf.erb | 1 -
 1 file changed, 1 deletion(-)
diff --git a/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb b/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb
index 6d7427d..9db6621 100644
--- a/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb
+++ b/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb
@@ -18,7 +18,6 @@ server {
 # Send real IP to the Docker container
 set_real_ip_from 127.0.0.1;
- set_real_ip_from 172.17.0.1;
 real_ip_header X-Forwarded-For;
 client_max_body_size 20M;
From 31631ddc4adf27ed41fee64eea704659d09c3985 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Fri, 18 Feb 2022 19:39:04 +0100
Subject: [PATCH 07/11] Add missing recipe
---
 site-cookbooks/kosmos_discourse/recipes/nginx.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/site-cookbooks/kosmos_discourse/recipes/nginx.rb b/site-cookbooks/kosmos_discourse/recipes/nginx.rb
index 3f7602d..9bd3b4c 100644
--- a/site-cookbooks/kosmos_discourse/recipes/nginx.rb
+++ b/site-cookbooks/kosmos_discourse/recipes/nginx.rb
@@ -3,6 +3,8 @@
 # Recipe:: nginx
 #
+include_recipe "kosmos-nginx"
+
 domain = "community.kosmos.org"
 upstream_ip_addresses = []
From 7582cafb77dd3777d2d04a9250cb93e6ca16a90f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Fri, 18 Feb 2022 19:42:43 +0100
Subject: [PATCH 08/11] Explicitly install snapd package
It was not installed on fornax for example
---
 site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb b/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb
index 8dc974e..05adb45 100644
--- a/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb
+++ b/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb
@@ -9,6 +9,8 @@ property :site, String
 action :create do
 return if node.chef_environment == "development"
+ package "snapd"
+
 domain = new_resource.domain
 site = new_resource.site || domain
 root_directory = "/var/www/#{domain}"
From 98547088f1d8a7062515fb90c642d5040cbfc3ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Fri, 18 Feb 2022 19:58:59 +0100
Subject: [PATCH 09/11] Add the zerotier IP for fornax
---
 nodes/fornax.kosmos.org.json | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json
index 2a4d048..cb290db 100644
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@@ -2,7 +2,7 @@
 "name": "fornax.kosmos.org",
 "normal": {
 "knife_zero": {
- "host": "fornax.kosmos.org"
+ "host": "10.1.1.187"
 }
 },
 "automatic": {
@@ -18,10 +18,12 @@
 "kosmos-base",
 "kosmos-base::default",
 "kosmos_kvm::host",
+ "kosmos_discourse::nginx",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
 "ntp::default",
+ "ntp::apparmor",
 "kosmos-base::systemd_emails",
 "apt::unattended-upgrades",
 "kosmos-base::firewall",
@@ -30,7 +32,18 @@
 "postfix::_common",
 "postfix::_attributes",
 "postfix::sasl_auth",
- "hostname::default"
+ "hostname::default",
+ "kosmos-nginx::default",
+ "nginx::default",
+ "nginx::package",
+ "nginx::ohai_plugin",
+ "nginx::repo",
+ "nginx::commons",
+ "nginx::commons_dir",
+ "nginx::commons_script",
+ "nginx::commons_conf",
+ "kosmos-nginx::firewall",
+ "kosmos-base::letsencrypt"
 ],
 "platform": "ubuntu",
 "platform_version": "20.04",
From 58f2544a9e54841c36c39c396503414129309691 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Fri, 18 Feb 2022 19:59:17 +0100
Subject: [PATCH 10/11] Remove the discourse role from centaurus
---
 nodes/centaurus.kosmos.org.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/nodes/centaurus.kosmos.org.json b/nodes/centaurus.kosmos.org.json
index 44d05a7..c617ef4 100644
--- a/nodes/centaurus.kosmos.org.json
+++ b/nodes/centaurus.kosmos.org.json
@@ -83,7 +83,6 @@
 "recipe[kosmos-base]",
 "recipe[kosmos_encfs]",
 "role[gitea]",
- "role[discourse]",
 "role[drone]",
 "recipe[kosmos_assets::nginx_site]",
 "recipe[kosmos_kvm::host]",
@@ -92,4 +91,4 @@
 "recipe[kosmos_zerotier::firewall]",
 "recipe[sockethub::_firewall]"
 ]
-}
\ No newline at end of file
+}
From ee6bde5b2347285aee72c9ff1475b1f42d6b9f1d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Fri, 18 Feb 2022 20:00:18 +0100
Subject: [PATCH 11/11] Update discourse-1 node after running Chef
---
 nodes/discourse-1.json | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/nodes/discourse-1.json b/nodes/discourse-1.json
index d030b2b..e2cad15 100644
--- a/nodes/discourse-1.json
+++ b/nodes/discourse-1.json
@@ -8,15 +8,17 @@
 "automatic": {
 "fqdn": "discourse-1",
 "os": "linux",
- "os_version": "5.4.0-1049-kvm",
+ "os_version": "5.4.0-1055-kvm",
 "hostname": "discourse-1",
 "ipaddress": "192.168.122.148",
 "roles": [
-
+ "discourse"
 ],
 "recipes": [
 "kosmos-base",
 "kosmos-base::default",
+ "kosmos_discourse",
+ "kosmos_discourse::default",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
@@ -30,7 +32,9 @@
 "postfix::_common",
 "postfix::_attributes",
 "postfix::sasl_auth",
- "hostname::default"
+ "hostname::default",
+ "firewall::default",
+ "chef-sugar::default"
 ],
 "platform": "ubuntu",
 "platform_version": "20.04",