From c4d43b7f4e4073cc14e966fb7627d5da5e9cde0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 30 Nov 2022 11:54:33 +0100 Subject: [PATCH 1/9] Make Mastodon services listen on private IP in prod And allow access to them from the private network --- nodes/mastodon-3.json | 1 + .../kosmos-mastodon/attributes/default.rb | 5 ++-- site-cookbooks/kosmos-mastodon/metadata.rb | 25 ++++++++++--------- .../kosmos-mastodon/recipes/default.rb | 25 ++++++++++++++++++- .../mastodon-streaming.systemd.service.erb | 1 + .../default/mastodon-web.systemd.service.erb | 3 ++- 6 files changed, 44 insertions(+), 16 deletions(-) diff --git a/nodes/mastodon-3.json b/nodes/mastodon-3.json index fe1625b..411a0a5 100644 --- a/nodes/mastodon-3.json +++ b/nodes/mastodon-3.json @@ -1,5 +1,6 @@ { "name": "mastodon-3", + "chef_environment": "production", "normal": { "knife_zero": { "host": "10.1.1.30" diff --git a/site-cookbooks/kosmos-mastodon/attributes/default.rb b/site-cookbooks/kosmos-mastodon/attributes/default.rb index e5fb368..f2f2f0d 100644 --- a/site-cookbooks/kosmos-mastodon/attributes/default.rb +++ b/site-cookbooks/kosmos-mastodon/attributes/default.rb @@ -1,11 +1,12 @@ node.default["kosmos-mastodon"]["repo"] = "https://gitea.kosmos.org/kosmos/mastodon.git" node.default["kosmos-mastodon"]["revision"] = "kosmos-production" node.default["kosmos-mastodon"]["directory"] = "/opt/mastodon" -node.default["kosmos-mastodon"]["puma_port"] = 3000 -node.default["kosmos-mastodon"]["streaming_port"] = 4000 node.default["kosmos-mastodon"]["server_name"] = "kosmos.social" node.default["kosmos-mastodon"]["redis_url"] = "redis://localhost:6379/0" node.default["kosmos-mastodon"]["sidekiq_threads"] = 25 +node.default["kosmos-mastodon"]["bind_ip"] = "127.0.0.1" +node.default["kosmos-mastodon"]["app_port"] = 3000 +node.default["kosmos-mastodon"]["streaming_port"] = 4000 # Allocate this amount of RAM to the Java heap for Elasticsearch node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m" diff --git a/site-cookbooks/kosmos-mastodon/metadata.rb b/site-cookbooks/kosmos-mastodon/metadata.rb index dc23b66..fa0b6f4 100644 --- a/site-cookbooks/kosmos-mastodon/metadata.rb +++ b/site-cookbooks/kosmos-mastodon/metadata.rb @@ -2,19 +2,20 @@ name 'kosmos-mastodon' maintainer 'Kosmos' maintainer_email 'mail@kosmos.org' license 'MIT' -description 'Installs/Configures kosmos-mastodon' +description 'Installs/Configures Mastodon' long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) version '0.2.1' -depends "kosmos-nginx" -depends "kosmos-nodejs" +depends 'application' +depends 'application_git' +depends 'backup' +depends 'elasticsearch' +depends 'java' +depends 'firewall' depends 'redisio' -depends "poise-ruby-build" -depends "application" -depends "application_git" -depends "postgresql" -depends "kosmos_postgresql" -depends "backup" -depends "elasticsearch" -depends "tor-full" -depends "java" +depends 'tor-full' +depends 'poise-ruby-build' +depends 'postgresql' +depends 'kosmos-nginx' +depends 'kosmos-nodejs' +depends 'kosmos_postgresql' diff --git a/site-cookbooks/kosmos-mastodon/recipes/default.rb b/site-cookbooks/kosmos-mastodon/recipes/default.rb index e61f1ee..5a2c4b9 100644 --- a/site-cookbooks/kosmos-mastodon/recipes/default.rb +++ b/site-cookbooks/kosmos-mastodon/recipes/default.rb @@ -7,6 +7,7 @@ include_recipe "kosmos-nodejs" include_recipe "java" include_recipe 'redisio::default' include_recipe 'redisio::enable' +include_recipe 'firewall' elasticsearch_user 'elasticsearch' @@ -44,6 +45,12 @@ mastodon_path = node["kosmos-mastodon"]["directory"] mastodon_user = "mastodon" +bind_ip = if node.chef_environment == "production" + node["knife_zero"]["host"] + else + node["kosmos-mastodon"]["bind_ip"] + end + group mastodon_user do gid 62786 end @@ -77,7 +84,8 @@ template "/lib/systemd/system/mastodon-web.service" do source "mastodon-web.systemd.service.erb" variables user: mastodon_user, app_dir: mastodon_path, - port: node["kosmos-mastodon"]["puma_port"], + bind: bind_ip, + port: node["kosmos-mastodon"]["app_port"], bundle_path: "/opt/ruby_build/builds/#{ruby_version}/bin/bundle" notifies :run, "execute[systemctl daemon-reload]", :immediately notifies :restart, "service[mastodon-web]", :delayed @@ -113,6 +121,7 @@ template "/lib/systemd/system/mastodon-streaming.service" do source "mastodon-streaming.systemd.service.erb" variables user: mastodon_user, app_dir: mastodon_path, + bind: bind_ip, port: node["kosmos-mastodon"]["streaming_port"] notifies :run, "execute[systemctl daemon-reload]", :immediately notifies :restart, "service[mastodon-streaming]", :delayed @@ -215,3 +224,17 @@ application mastodon_path do action [:enable, :start] end end + +firewall_rule 'mastodon_app' do + port node['kosmos-mastodon']['app_port'] + source "10.1.1.0/24" + protocol :tcp + command :allow +end + +firewall_rule 'mastodon_streaming' do + port node['kosmos-mastodon']['streaming_port'] + source "10.1.1.0/24" + protocol :tcp + command :allow +end diff --git a/site-cookbooks/kosmos-mastodon/templates/default/mastodon-streaming.systemd.service.erb b/site-cookbooks/kosmos-mastodon/templates/default/mastodon-streaming.systemd.service.erb index dfdc7ff..9c62a28 100644 --- a/site-cookbooks/kosmos-mastodon/templates/default/mastodon-streaming.systemd.service.erb +++ b/site-cookbooks/kosmos-mastodon/templates/default/mastodon-streaming.systemd.service.erb @@ -6,6 +6,7 @@ Type=simple User=<%= @user %> WorkingDirectory=<%= @app_dir %> Environment="NODE_ENV=production" +Environment="BIND=<%= @bind %>" Environment="PORT=<%= @port %>" ExecStart=/usr/bin/npm run start TimeoutSec=15 diff --git a/site-cookbooks/kosmos-mastodon/templates/default/mastodon-web.systemd.service.erb b/site-cookbooks/kosmos-mastodon/templates/default/mastodon-web.systemd.service.erb index 59625d0..93a694e 100644 --- a/site-cookbooks/kosmos-mastodon/templates/default/mastodon-web.systemd.service.erb +++ b/site-cookbooks/kosmos-mastodon/templates/default/mastodon-web.systemd.service.erb @@ -9,7 +9,8 @@ User=<%= @user %> PIDFile=<%= @app_dir %>/tmp/puma.pid WorkingDirectory=<%= @app_dir %> Environment="RAILS_ENV=production" -Environment="PORT=3000" +Environment="BIND=<%= @bind %>" +Environment="PORT=<%= @port %>" Environment="LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2" ExecStart=<%= @bundle_path %> exec puma -C config/puma.rb --pidfile <%= @app_dir %>/tmp/puma.pid ExecStop=<%= @bundle_path %> exec puma -C config/puma.rb --pidfile <%= @app_dir %>/tmp/puma.pid stop From 83513dbd9d7a9a648e8e8fbeac97ca69465339d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 30 Nov 2022 11:58:22 +0100 Subject: [PATCH 2/9] Remove request limits for ipfs proxy In favor of fail2ban --- .../templates/default/nginx_conf_ipfs.kosmos.org.erb | 3 --- 1 file changed, 3 deletions(-) diff --git a/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb b/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb index 4343925..92fb220 100644 --- a/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb +++ b/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb @@ -9,8 +9,6 @@ upstream _ipfs_api { <% end %> } -limit_req_zone $binary_remote_addr zone=ipfsgateway:10m rate=10r/s; - server { listen 443 ssl http2; listen [::]:443 ssl http2; @@ -21,7 +19,6 @@ server { error_log /var/log/nginx/<%= @server_name %>.error.log; location /ipfs { - limit_req zone=ipfsgateway burst=20 nodelay; proxy_pass http://_ipfs_gateway/ipfs; } From 83e55c84a21089125c91ca9e78bea4586c2f233b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 30 Nov 2022 12:00:01 +0100 Subject: [PATCH 3/9] Use domain name for log file paths --- .../kosmos-mastodon/templates/default/nginx_conf_shared.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb index 1a4e6c6..5c43265 100644 --- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb +++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb @@ -1,5 +1,5 @@ -access_log "/var/log/nginx/mastodon.access.log"; -error_log "/var/log/nginx/mastodon.error.log"; +access_log "/var/log/nginx/<%= @server_name %>.access.log"; +error_log "/var/log/nginx/<%= @server_name %>.error.log"; keepalive_timeout 70; From 66f5217a4101abb9462cbe1592845c10457a20b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 30 Nov 2022 12:02:17 +0100 Subject: [PATCH 4/9] Refactor Mastodon nginx recipe for proxy usage Works both as local deployment and proxy (via roles and environments) * Use upstreams for proxy_pass * Access static assets from proxy, configure caching for them * Move Tor config to environment, install via role * ... --- roles/nginx_proxy.rb | 20 ++++++- .../kosmos-mastodon/attributes/default.rb | 17 +++--- .../kosmos-mastodon/recipes/nginx.rb | 55 ++++++++++--------- .../templates/default/env.production.erb | 3 + .../templates/default/nginx_conf_mastodon.erb | 29 +++++++--- .../templates/default/nginx_conf_shared.erb | 13 +++-- 6 files changed, 85 insertions(+), 52 deletions(-) diff --git a/roles/nginx_proxy.rb b/roles/nginx_proxy.rb index 13dbba2..0edd22b 100644 --- a/roles/nginx_proxy.rb +++ b/roles/nginx_proxy.rb @@ -1,17 +1,35 @@ name "nginx_proxy" +override_attributes( + 'nginx' => { + 'server_names_hash_bucket_size' => 128 + }, + 'tor' => { + 'HiddenServices' => { + 'web' => { + 'HiddenServicePorts' => ['80 127.0.0.1:80', '443 127.0.0.1:443'] + } + } + } +) + default_run_list = %w( + tor-full kosmos_assets::nginx_site kosmos_discourse::nginx kosmos_drone::nginx kosmos_gitea::nginx kosmos_website::default - kosmos-ejabberd::nginx kosmos-akkounts::nginx_api + kosmos-ejabberd::nginx kosmos-hubot::nginx_botka_irc-libera-chat kosmos-hubot::nginx_hal8000_xmpp kosmos-ipfs::nginx_public_gateway + kosmos-mastodon::nginx remotestorage_discourse::nginx + kosmos_garage::default + kosmos_garage::firewall_rpc + kosmos_garage::nginx_web ) env_run_lists( diff --git a/site-cookbooks/kosmos-mastodon/attributes/default.rb b/site-cookbooks/kosmos-mastodon/attributes/default.rb index f2f2f0d..890f74e 100644 --- a/site-cookbooks/kosmos-mastodon/attributes/default.rb +++ b/site-cookbooks/kosmos-mastodon/attributes/default.rb @@ -1,17 +1,14 @@ -node.default["kosmos-mastodon"]["repo"] = "https://gitea.kosmos.org/kosmos/mastodon.git" -node.default["kosmos-mastodon"]["revision"] = "kosmos-production" -node.default["kosmos-mastodon"]["directory"] = "/opt/mastodon" -node.default["kosmos-mastodon"]["server_name"] = "kosmos.social" -node.default["kosmos-mastodon"]["redis_url"] = "redis://localhost:6379/0" -node.default["kosmos-mastodon"]["sidekiq_threads"] = 25 +node.default["kosmos-mastodon"]["repo"] = "https://gitea.kosmos.org/kosmos/mastodon.git" +node.default["kosmos-mastodon"]["revision"] = "kosmos-production" +node.default["kosmos-mastodon"]["directory"] = "/opt/mastodon" node.default["kosmos-mastodon"]["bind_ip"] = "127.0.0.1" node.default["kosmos-mastodon"]["app_port"] = 3000 node.default["kosmos-mastodon"]["streaming_port"] = 4000 +node.default["kosmos-mastodon"]["server_name"] = "kosmos.social" +node.default["kosmos-mastodon"]["redis_url"] = "redis://localhost:6379/0" +node.default["kosmos-mastodon"]["sidekiq_threads"] = 25 +node.default["kosmos-mastodon"]["onion_address"] = nil # Allocate this amount of RAM to the Java heap for Elasticsearch node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m" node.override["redisio"]["version"] = "6.2.6" - -node.override["tor"]["HiddenServices"]["mastodon"] = { - "HiddenServicePorts" => ["80 127.0.0.1:80", "443 127.0.0.1:443"] -} diff --git a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb index 84caba4..34575d0 100644 --- a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb +++ b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb @@ -3,12 +3,23 @@ # Recipe:: nginx # -mastodon_path = node["kosmos-mastodon"]["directory"] -server_name = node["kosmos-mastodon"]["server_name"] - -node.override['nginx']['server_names_hash_bucket_size'] = 128 include_recipe "kosmos-nginx" +app_dir = node["kosmos-mastodon"]["directory"] +server_name = node["kosmos-mastodon"]["server_name"] +is_proxy = node.roles.include?('nginx_proxy') rescue nil +upstream_hosts = [] + +if is_proxy + web_root_dir = "/var/www/#{server_name}/public" + search(:node, "role:mastodon").each do |node| + upstream_hosts << node["knife_zero"]["host"] + end +else + web_root_dir = "#{app_dir}/public" + upstream_hosts << "localhost" +end + directory "#{node['nginx']['dir']}/snippets" do action :create owner 'www-data' @@ -19,40 +30,30 @@ template "#{node['nginx']['dir']}/snippets/mastodon.conf" do source 'nginx_conf_shared.erb' owner 'www-data' mode 0640 - variables streaming_port: node["kosmos-mastodon"]["streaming_port"], - puma_port: node["kosmos-mastodon"]["puma_port"], - mastodon_path: mastodon_path + variables web_root_dir: web_root_dir, + server_name: server_name notifies :reload, 'service[nginx]', :delayed end -onion_address = File.read("/var/lib/tor/mastodon/hostname").strip rescue nil +nginx_certbot_site server_name + +onion_address = File.read("/var/lib/tor/web/hostname").strip rescue nil rescue nil template "#{node['nginx']['dir']}/sites-available/#{server_name}" do source 'nginx_conf_mastodon.erb' owner 'www-data' mode 0640 - variables server_name: server_name, - ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem", - ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem", - shared_config_path: "#{node['nginx']['dir']}/snippets/mastodon.conf", - onion_address: onion_address + variables server_name: server_name, + ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem", + shared_config_path: "#{node['nginx']['dir']}/snippets/mastodon.conf", + app_port: node["kosmos-mastodon"]["app_port"], + streaming_port: node["kosmos-mastodon"]["streaming_port"], + onion_address: onion_address, + upstream_hosts: upstream_hosts notifies :reload, 'service[nginx]', :delayed end -# Legacy vhost -nginx_site "mastodon" do - action :disable -end - nginx_site server_name do action :enable end - -nginx_certbot_site server_name - -# -# Tor hidden service -# -# The attributes for the hidden service are set in attributes/default.rb, due -# to the way the tor-full cookbook builds the path to the hidden service dir -include_recipe "tor-full" diff --git a/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb b/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb index 7cb7adc..ff190d3 100644 --- a/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb +++ b/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb @@ -32,6 +32,9 @@ SMTP_FROM_ADDRESS=<%= @smtp_from_address %> # Optional asset host for multi-server setups # CDN_HOST=assets.example.com +# Serve static files (to nginx proxy) +RAILS_SERVE_STATIC_FILES=true + # S3 (optional) S3_ENABLED=true S3_BUCKET=<%= @s3_bucket %> diff --git a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb index 7c7c26d..619f03d 100644 --- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb +++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb @@ -1,17 +1,24 @@ -<% if @onion_address %> -server { - listen 80; - server_name mastodon.<%= @onion_address %>; - include <%= @shared_config_path %>; -} +upstream mastodon_app { +<% @upstream_hosts.each do |host| %> + server <%= host %>:<%= @app_port %>; <% end %> +} + +upstream mastodon_streaming { +<% @upstream_hosts.each do |host| %> + server <%= host %>:<%= @streaming_port %>; +<% end %> +} map $http_upgrade $connection_upgrade { default upgrade; '' close; } -<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) %> +proxy_cache_path /var/cache/nginx/mastodon levels=1:2 + keys_zone=mastodon_cache:10m + max_size=1g inactive=120m use_temp_path=off; + server { listen 443 ssl http2; listen [::]:443 ssl http2; @@ -22,11 +29,17 @@ server { ssl_certificate_key <%= @ssl_key %>; add_header Strict-Transport-Security "max-age=31536000"; +<% if @onion_address %> add_header Onion-Location https://mastodon.<%= @onion_address %>$request_uri; -} <% end %> +} <% if @onion_address %> +server { + listen 80; + server_name mastodon.<%= @onion_address %>; + include <%= @shared_config_path %>; +} server { listen 443 ssl http2; server_name mastodon.<%= @onion_address %>; diff --git a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb index 5c43265..3083dd4 100644 --- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb +++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb @@ -6,7 +6,7 @@ keepalive_timeout 70; sendfile on; client_max_body_size 0; -root <%= @mastodon_path %>/public; +root <%= @web_root_dir %>; gzip on; gzip_disable "msie6"; @@ -19,20 +19,21 @@ gzip_types text/plain text/css application/json application/javascript text/xml location / { # If the maintenance file is present, show maintenance page - if (-f <%= @mastodon_path %>/public/maintenance.html) { + if (-f <%= @web_root_dir %>/maintenance.html) { return 503; } - try_files $uri @proxy; } location /sw.js { add_header Cache-Control "max-age=0, no-cache, no-store, must-revalidate"; add_header Pragma "no-cache"; + try_files $uri @proxy; } location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) { add_header Cache-Control "public, max-age=31536000, immutable"; + proxy_cache mastodon_cache; try_files $uri @proxy; } @@ -44,7 +45,7 @@ location @proxy { proxy_set_header Proxy ""; proxy_pass_header Server; - proxy_pass http://localhost:<%= @puma_port %>; + proxy_pass http://mastodon_app; proxy_buffering off; proxy_redirect off; proxy_http_version 1.1; @@ -61,7 +62,7 @@ location /api/v1/streaming { proxy_set_header X-Forwarded-Proto https; proxy_set_header Proxy ""; - proxy_pass http://localhost:<%= @streaming_port %>; + proxy_pass http://mastodon_streaming; proxy_buffering off; proxy_redirect off; proxy_http_version 1.1; @@ -75,5 +76,5 @@ error_page 500 501 502 504 /500.html; error_page 503 /maintenance.html; location = /maintenance.html { - root <%= @mastodon_path %>/public; + root <%= @web_root_dir %>; } From f3ca307e64202761ad303ab8d2515b2a310917f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 30 Nov 2022 12:06:25 +0100 Subject: [PATCH 5/9] Fix Tor access Configure alternate_domains for Rails app to re-enable Tor access (was throwing 403s without this config) --- environments/production.json | 5 +++++ site-cookbooks/kosmos-mastodon/attributes/default.rb | 1 + site-cookbooks/kosmos-mastodon/recipes/default.rb | 2 +- .../kosmos-mastodon/templates/default/env.production.erb | 1 + 4 files changed, 8 insertions(+), 1 deletion(-) diff --git a/environments/production.json b/environments/production.json index ac5f7e6..635c0f3 100644 --- a/environments/production.json +++ b/environments/production.json @@ -16,6 +16,11 @@ "use_ssl": "false" } } + }, + "kosmos-mastodon": { + "alternate_domains": [ + "mastodon.w7nooprauv6yrnhzh2ajpcnj3doinked2aaztlwfyt6u6pva2qdxqhid.onion" + ] } } } \ No newline at end of file diff --git a/site-cookbooks/kosmos-mastodon/attributes/default.rb b/site-cookbooks/kosmos-mastodon/attributes/default.rb index 890f74e..c3a5406 100644 --- a/site-cookbooks/kosmos-mastodon/attributes/default.rb +++ b/site-cookbooks/kosmos-mastodon/attributes/default.rb @@ -5,6 +5,7 @@ node.default["kosmos-mastodon"]["bind_ip"] = "127.0.0.1" node.default["kosmos-mastodon"]["app_port"] = 3000 node.default["kosmos-mastodon"]["streaming_port"] = 4000 node.default["kosmos-mastodon"]["server_name"] = "kosmos.social" +node.default["kosmos-mastodon"]["alternate_domains"] = [] node.default["kosmos-mastodon"]["redis_url"] = "redis://localhost:6379/0" node.default["kosmos-mastodon"]["sidekiq_threads"] = 25 node.default["kosmos-mastodon"]["onion_address"] = nil diff --git a/site-cookbooks/kosmos-mastodon/recipes/default.rb b/site-cookbooks/kosmos-mastodon/recipes/default.rb index 5a2c4b9..3798384 100644 --- a/site-cookbooks/kosmos-mastodon/recipes/default.rb +++ b/site-cookbooks/kosmos-mastodon/recipes/default.rb @@ -42,7 +42,6 @@ elasticsearch_service 'elasticsearch' postgresql_data_bag_item = data_bag_item('credentials', 'postgresql') mastodon_path = node["kosmos-mastodon"]["directory"] - mastodon_user = "mastodon" bind_ip = if node.chef_environment == "production" @@ -160,6 +159,7 @@ application mastodon_path do group mastodon_user variables redis_url: node["kosmos-mastodon"]["redis_url"], domain: node["kosmos-mastodon"]["server_name"], + alternate_domains: node["kosmos-mastodon"]["alternate_domains"], paperclip_secret: mastodon_credentials['paperclip_secret'], secret_key_base: mastodon_credentials['secret_key_base'], otp_secret: mastodon_credentials['otp_secret'], diff --git a/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb b/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb index ff190d3..5fb076b 100644 --- a/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb +++ b/site-cookbooks/kosmos-mastodon/templates/default/env.production.erb @@ -58,3 +58,4 @@ ES_HOST=localhost ES_PORT=9200 ALLOW_ACCESS_TO_HIDDEN_SERVICE=true +ALTERNATE_DOMAINS='<%= @alternate_domains.join(" ") %>' From 5d05d5c187ac95550bd92c04ebb553646d7f915c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 30 Nov 2022 12:07:54 +0100 Subject: [PATCH 6/9] Move Mastodon nginx to proxy/LB --- nodes/fornax.kosmos.org.json | 10 +++++++++- nodes/mastodon-3.json | 17 +++-------------- roles/mastodon.rb | 1 - 3 files changed, 12 insertions(+), 16 deletions(-) diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json index 57701b7..b3683d7 100644 --- a/nodes/fornax.kosmos.org.json +++ b/nodes/fornax.kosmos.org.json @@ -1,5 +1,6 @@ { "name": "fornax.kosmos.org", + "chef_environment": "production", "normal": { "knife_zero": { "host": "10.1.1.147" @@ -25,18 +26,25 @@ "kosmos-base::default", "kosmos_kvm::host", "kosmos_kvm::backup", + "tor-full", + "tor-full::default", "kosmos_assets::nginx_site", "kosmos_discourse::nginx", "kosmos_drone::nginx", "kosmos_gitea::nginx", "kosmos_website", "kosmos_website::default", - "kosmos-ejabberd::nginx", "kosmos-akkounts::nginx_api", + "kosmos-ejabberd::nginx", "kosmos-hubot::nginx_botka_irc-libera-chat", "kosmos-hubot::nginx_hal8000_xmpp", "kosmos-ipfs::nginx_public_gateway", + "kosmos-mastodon::nginx", "remotestorage_discourse::nginx", + "kosmos_garage", + "kosmos_garage::default", + "kosmos_garage::firewall_rpc", + "kosmos_garage::nginx_web", "kosmos_zerotier::controller", "kosmos_zerotier::firewall", "kosmos_zerotier::zncui", diff --git a/nodes/mastodon-3.json b/nodes/mastodon-3.json index 411a0a5..18e8250 100644 --- a/nodes/mastodon-3.json +++ b/nodes/mastodon-3.json @@ -24,7 +24,6 @@ "kosmos_postgresql::hostsfile", "kosmos-mastodon", "kosmos-mastodon::default", - "kosmos-mastodon::nginx", "kosmos-mastodon::backup", "apt::default", "timezone_iii::default", @@ -56,24 +55,14 @@ "redisio::disable_os_default", "redisio::configure", "redisio::enable", + "firewall::default", + "chef-sugar::default", "nodejs::npm", "nodejs::install", - "kosmos-nginx::default", - "nginx::default", - "nginx::package", - "nginx::ohai_plugin", - "nginx::repo", - "nginx::commons", - "nginx::commons_dir", - "nginx::commons_script", - "nginx::commons_conf", - "kosmos-nginx::firewall", - "tor-full::default", "backup::default", "logrotate::default", "git::default", - "git::package", - "kosmos-base::letsencrypt" + "git::package" ], "platform": "ubuntu", "platform_version": "20.04", diff --git a/roles/mastodon.rb b/roles/mastodon.rb index a69e384..ab0be5d 100644 --- a/roles/mastodon.rb +++ b/roles/mastodon.rb @@ -3,6 +3,5 @@ name "mastodon" run_list %w( role[postgresql_client] kosmos-mastodon - kosmos-mastodon::nginx kosmos-mastodon::backup ) From cdd3f026c41815007dc323540c5d421fce234a7a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Thu, 1 Dec 2022 15:04:39 +0100 Subject: [PATCH 7/9] Always use config for skipping post-deployment migrations --- site-cookbooks/kosmos-mastodon/recipes/default.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/site-cookbooks/kosmos-mastodon/recipes/default.rb b/site-cookbooks/kosmos-mastodon/recipes/default.rb index 3798384..832de4f 100644 --- a/site-cookbooks/kosmos-mastodon/recipes/default.rb +++ b/site-cookbooks/kosmos-mastodon/recipes/default.rb @@ -192,7 +192,6 @@ application mastodon_path do end execute 'rake db:migrate' do - # environment "RAILS_ENV" => "production", "HOME" => mastodon_path#, "SKIP_POST_DEPLOYMENT_MIGRATIONS" => "true" environment "RAILS_ENV" => "production", "HOME" => mastodon_path, "SKIP_POST_DEPLOYMENT_MIGRATIONS" => "true" user mastodon_user group mastodon_user From 2ecb4e23854e76ca1f5ae17a262431a9b3fb5f9a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Thu, 1 Dec 2022 15:29:38 +0100 Subject: [PATCH 8/9] Upgrade Ruby to 3.0.4 --- nodes/mastodon-3.json | 1 + site-cookbooks/kosmos-mastodon/recipes/default.rb | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/nodes/mastodon-3.json b/nodes/mastodon-3.json index 18e8250..eef0506 100644 --- a/nodes/mastodon-3.json +++ b/nodes/mastodon-3.json @@ -61,6 +61,7 @@ "nodejs::install", "backup::default", "logrotate::default", + "poise-git::default", "git::default", "git::package" ], diff --git a/site-cookbooks/kosmos-mastodon/recipes/default.rb b/site-cookbooks/kosmos-mastodon/recipes/default.rb index 832de4f..2b47544 100644 --- a/site-cookbooks/kosmos-mastodon/recipes/default.rb +++ b/site-cookbooks/kosmos-mastodon/recipes/default.rb @@ -70,7 +70,7 @@ npm_package "yarn" do version "1.22.4" end -ruby_version = "3.0.3" +ruby_version = "3.0.4" execute "systemctl daemon-reload" do command "systemctl daemon-reload" From a460302728f8b57674d11da26b5a7cd62b608d19 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Thu, 1 Dec 2022 17:08:17 +0100 Subject: [PATCH 9/9] Add missing sidekiq queue --- nodes/mastodon-3.json | 1 - .../templates/default/mastodon-sidekiq.systemd.service.erb | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/nodes/mastodon-3.json b/nodes/mastodon-3.json index eef0506..18e8250 100644 --- a/nodes/mastodon-3.json +++ b/nodes/mastodon-3.json @@ -61,7 +61,6 @@ "nodejs::install", "backup::default", "logrotate::default", - "poise-git::default", "git::default", "git::package" ], diff --git a/site-cookbooks/kosmos-mastodon/templates/default/mastodon-sidekiq.systemd.service.erb b/site-cookbooks/kosmos-mastodon/templates/default/mastodon-sidekiq.systemd.service.erb index eea08fd..73d758e 100644 --- a/site-cookbooks/kosmos-mastodon/templates/default/mastodon-sidekiq.systemd.service.erb +++ b/site-cookbooks/kosmos-mastodon/templates/default/mastodon-sidekiq.systemd.service.erb @@ -10,7 +10,7 @@ WorkingDirectory=<%= @app_dir %> Environment="RAILS_ENV=production" Environment="DB_POOL=50" Environment="LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2" -ExecStart=<%= @bundle_path %> exec sidekiq -c <%= @sidekiq_threads %> -q default -q mailers -q pull -q push +ExecStart=<%= @bundle_path %> exec sidekiq -c <%= @sidekiq_threads %> -q default -q mailers -q pull -q push -q ingress TimeoutSec=15 Restart=always