Merge pull request 'Set up nginx proxy for akkounts/kredits API' (#412) from feature/kredits_api into master

Reviewed-on: #412
2022-05-27 13:30:40 +00:00 · 2022-05-27 13:30:40 +00:00 · 3261be556d
parent 6a85c2d5c6 a93c5e5af6
commit 3261be556d
9 changed files with 94 additions and 33 deletions
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@ -25,6 +25,7 @@
      "kosmos_website",
      "kosmos_website::default",
      "kosmos-ejabberd::nginx",
+      "kosmos-akkounts::nginx_api",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
@ -57,14 +58,13 @@
    "platform_version": "20.04",
    "cloud": null,
    "chef_packages": {
-      "chef": {
-        "version": "17.5.22",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.5.22/lib",
-        "chef_effortless": null
-      },
      "ohai": {
-        "version": "17.5.2",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.5.2/lib/ohai"
+        "version": "15.12.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai"
+      },
+      "chef": {
+        "version": "15.14.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.14.0/lib"
      }
    }
  },
--- a/roles/nginx_proxy.rb
+++ b/roles/nginx_proxy.rb
@ -7,6 +7,7 @@ default_run_list = %w(
  kosmos_gitea::nginx
  kosmos_website::default
  kosmos-ejabberd::nginx
+  kosmos-akkounts::nginx_api
 )

 env_run_lists(
--- a/site-cookbooks/kosmos-akkounts/attributes/default.rb
+++ b/site-cookbooks/kosmos-akkounts/attributes/default.rb
@ -2,3 +2,5 @@ node.default['akkounts']['repo'] = 'https://gitea.kosmos.org/kosmos/akkounts.git
 node.default['akkounts']['revision'] = 'master'
 node.default['akkounts']['port'] = 3000
 node.default['akkounts']['domain'] = 'accounts.kosmos.org'
+
+node.default['akkounts_api']['domain'] = 'api.kosmos.org'
--- a/site-cookbooks/kosmos-akkounts/recipes/default.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/default.rb
@ -175,4 +175,12 @@ rescue IPAddr::InvalidAddressError
  next
 end

+# TODO move to nginx proxy
 include_recipe 'kosmos-akkounts::nginx'
+
+firewall_rule "Akkounts private access" do
+  command  :allow
+  port     node["akkounts"]["port"]
+  protocol :tcp
+  source   "10.1.1.0/24"
+end
--- a/site-cookbooks/kosmos-akkounts/recipes/nginx.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/nginx.rb
@ -2,32 +2,13 @@
 # Cookbook Name:: kosmos-akkounts
 # Recipe:: nginx
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2020, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.

 include_recipe "kosmos-nginx"
 app_name    = "akkounts"
 domain      = node[app_name]["domain"]

+nginx_certbot_site domain
+
 template "#{node['nginx']['dir']}/sites-available/#{domain}" do
  source "nginx_conf_#{app_name}.erb"
  owner 'www-data'
@ -43,5 +24,3 @@ end
 nginx_site domain do
  action :enable
 end
-
-nginx_certbot_site domain
--- a/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb
@ -0,0 +1,30 @@
+#
+# Cookbook Name:: kosmos-akkounts
+# Recipe:: nginx_api
+#
+
+include_recipe "kosmos-nginx"
+domain = node["akkounts_api"]["domain"]
+
+nginx_certbot_site domain
+
+upstream_hosts = []
+search(:node, "role:akkounts").each do |node|
+  upstream_hosts << node["knife_zero"]["host"]
+end
+
+template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
+  source "nginx_conf_akkounts_api.erb"
+  owner "www-data"
+  mode 0640
+  variables domain: domain,
+            upstream_port: node["akkounts"]["port"],
+            upstream_hosts: upstream_hosts,
+            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+  notifies :reload, "service[nginx]", :delayed
+end
+
+nginx_site domain do
+  action :enable
+end
--- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb
@ -0,0 +1,33 @@
+# Generated by Chef
+upstream _akkounts {
+<% @upstream_hosts.each do |host| %>
+  server   <%= host %>:<%= @upstream_port %>;
+<% end %>
+}
+
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name <%= @domain %>;
+
+  ssl_certificate     <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  add_header 'Strict-Transport-Security' 'max-age=31536000';
+
+  location /kredits/ {
+    add_header 'Access-Control-Allow-Origin' '*' always;
+    add_header 'Access-Control-Allow-Methods' 'GET' always;
+    add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
+    add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
+
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Host $http_host;
+    proxy_ssl_server_name on;
+    proxy_buffers 1024 8k;
+    proxy_http_version 1.1;
+
+    proxy_pass http://_akkounts/api/kredits/;
+  }
+}
--- a/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb
@ -97,13 +97,23 @@ systemd_unit 'btcpayserver.service' do
  action [:create, :enable, :start]
 end

+firewall_rule "BTCPay API private access" do
+  command  :allow
+  port     23001
+  protocol :tcp
+  source   "10.1.1.0/24"
+end
+
 #
 # HTTPS Reverse Proxy
+# TODO move to separate recipe, nginx proxy role
 #

 include_recipe "kosmos-nginx"
 server_name = node["btcpay"]["domain"]

+nginx_certbot_site server_name
+
 template "#{node["nginx"]["dir"]}/sites-available/#{server_name}" do
  source "nginx_conf_btcpayserver.erb"
  owner node["nginx"]["user"]
@ -118,5 +128,3 @@ end
 nginx_site server_name do
  action :enable
 end
-
-nginx_certbot_site server_name
--- a/site-cookbooks/kosmos-bitcoin/templates/btcpay-settings.config.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/btcpay-settings.config.erb
@ -1,6 +1,6 @@
 network=<%= @bitcoin_network %>
 port=<%= @btcpay_port %>
-bind=127.0.0.1
+bind=0.0.0.0
 chains=btc
 postgres=User ID=<%= @postgres_user %>;Password=<%= @postgres_password %>;Host=<%= @postgres_host %>;Port=<%= @postgres_port %>;Database=<%= @postgres_database %>;
 debuglog=<%= @btcpay_log_path %>