kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 26 Pull Requests 2 Projects 2 Activity

Configure/deploy new akkounts app

Browse Source
This commit is contained in:
Basti 2020-11-20 23:22:42 +01:00
parent df524bd068
commit 3306cf0f21
Signed by untrusted user: basti
GPG Key ID: 9F88009D31D99C72
9 changed files with 191 additions and 133 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
data_bags/credentials/akkounts.json Normal file
View File

@ -0,0 +1,17 @@
{
"id": "akkounts",
"postgresql_password": {
"encrypted_data": "Vt/jXxrJPbJbEl8Nw9EdVymoId21hdzHxA0zwEfAkA==\n",
"iv": "rV3dOjUhPsrdhF59\n",
"auth_tag": "GwuMLjf5zqTxLUIKb7ZKjA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"rails_master_key": {
"encrypted_data": "GjtdLy59dThzWYbEUD9Ss4G9vC3tcVgWDWLz3AoUl/jjJfSP2ym7ErjYwJhl\nE+1J2T3+\n",
"iv": "7PJXyCr2ozJHsMWZ\n",
"auth_tag": "nuW914Rh3Cn+ldGMc1JdGw==\n",
"version": 3,
"cipher": "aes-256-gcm"
}
}

7
site-cookbooks/kosmos-akkounts/attributes/default.rb
View File

@ -1,3 +1,4 @@
node.default['akkounts-api']['revision'] = 'master' node.default['akkounts']['repo'] = 'https://gitea.kosmos.org/kosmos/akkounts.git'
node.default['akkounts-api']['port'] = 3200 node.default['akkounts']['revision'] = 'master'
node.default['akkounts-api']['server_name'] = 'api.accounts.kosmos.org' node.default['akkounts']['port'] = 3000
node.default['akkounts']['domain'] = 'accounts.kosmos.org'

17
site-cookbooks/kosmos-akkounts/metadata.rb
View File

@ -2,13 +2,16 @@ name 'kosmos-akkounts'
maintainer 'Kosmos Developers' maintainer 'Kosmos Developers'
maintainer_email 'mail@kosmos.org' maintainer_email 'mail@kosmos.org'
license 'MIT' license 'MIT'
description 'Installs/Configures kosmos-akkounts' description 'Installs/configures kosmos-akkounts'
long_description 'Installs/Configures kosmos-akkounts' long_description 'Installs/configures kosmos-akkounts'
version '0.1.0' version '0.2.0'
chef_version '>= 14.0' chef_version '>= 14.0'
depends 'application_javascript'
depends 'application_git'
depends 'kosmos-nodejs'
depends 'kosmos-mastodon'
depends 'kosmos-nginx' depends 'kosmos-nginx'
depends "kosmos-nodejs"
depends "poise-ruby-build"
depends "application"
depends 'application_git'
depends "postgresql"
depends "kosmos-postgresql"
depends "backup"

150
site-cookbooks/kosmos-akkounts/recipes/default.rb
View File

@ -3,8 +3,7 @@
# Recipe:: default # Recipe:: default
# #
# The MIT License (MIT) # The MIT License (MIT)
# # Copyright:: 2020, Kosmos Developers
# Copyright:: 2019, Kosmos Developers
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal # of this software and associated documentation files (the "Software"), to deal
@ -23,12 +22,11 @@
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE. # THE SOFTWARE.
#
include_recipe 'kosmos-nodejs' app_name = "akkounts"
app_name = "akkounts-api"
deploy_user = "deploy" deploy_user = "deploy"
deploy_group = "deploy" deploy_group = "deploy"
deploy_path = "/opt/#{app_name}"
credentials = Chef::EncryptedDataBagItem.load('credentials', app_name) credentials = Chef::EncryptedDataBagItem.load('credentials', app_name)
group deploy_group group deploy_group
@ -37,75 +35,115 @@ user deploy_user do
group deploy_group group deploy_group
manage_home true manage_home true
shell "/bin/bash" shell "/bin/bash"
comment "deploy user"
end end
path_to_deploy = "/opt/#{app_name}" package "libpq-dev"
application path_to_deploy do
include_recipe 'kosmos-nodejs'
npm_package "yarn" do
version "1.22.4"
end
ruby_version = "2.6.6"
bundle_path = "/opt/ruby_build/builds/#{ruby_version}/bin/bundle"
rails_env = node.chef_environment == "development" ? "development" : "production"
execute "systemctl daemon-reload" do
command "systemctl daemon-reload"
action :nothing
end
systemd_unit "akkounts.service" do
content({
Unit: {
Description: "Kosmos account management",
Documentation: ["https://gitea.kosmos.org/kosmos/akkounts"],
After: "network.target"
},
Service: {
Type: "simple",
User: deploy_user,
WorkingDirectory: deploy_path,
Environment: "RAILS_ENV=#{rails_env}",
ExecStart: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid",
ExecStop: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid stop",
ExecReload: "#{bundle_path} exec pumactl -F config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid phased-restart",
PIDFile: "#{deploy_path}/tmp/puma.pid",
TimeoutSec: "10",
Restart: "always",
},
Install: {
WantedBy: "multi-user.target"
}
})
verify false
triggers_reload true
action [:create, :enable]
end
application deploy_path do
owner deploy_user owner deploy_user
group deploy_group group deploy_group
# Take care of application restarts manually, in the git resource # Take care of application restarts manually, in the git resource
action_on_update false action_on_update false
environment "HOME" => deploy_path,
"PATH" => "/opt/ruby_build/builds/#{ruby_version}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"
ruby_runtime ruby_version do
provider :ruby_build
version ruby_version
end
git do git do
user deploy_user user deploy_user
group deploy_group group deploy_group
repository "https://github.com/67P/#{app_name}.git" repository node[app_name]["repo"]
revision node[app_name]['revision'] revision node[app_name]["revision"]
# Restart service on deployments # Restart services on deployments
notifies :restart, "application[#{path_to_deploy}]", :delayed notifies :restart, "application[#{deploy_path}]", :delayed
end end
npm_install do file "#{deploy_path}/config/master.key" do
user deploy_user content credentials['rails_master_key']
end mode '0400'
execute "systemctl daemon-reload" do
command "systemctl daemon-reload"
action :nothing
end
smtp_credentials = Chef::EncryptedDataBagItem.load('credentials', 'smtp')
template "#{path_to_deploy}/.env" do
source "dotenv.erb"
sensitive true
owner deploy_user owner deploy_user
group deploy_group group deploy_group
variables btcpay_url: "https://btcpay.kosmos.org",
btcpay_privkey: credentials["btcpay_privkey"],
btcpay_merchant: credentials["btcpay_merchant"],
btcpay_store_id: credentials["btcpay_store_id"],
btcpay_webhook_host: "https://#{node[app_name]["server_name"]}",
btcpay_webhook_token: credentials["btcpay_webhook_token"],
smtp_host: "smtp.mailgun.org",
smtp_use_tls: true,
smtp_username: smtp_credentials['user_name'],
smtp_password: smtp_credentials['password'],
mastodon_host: "https://#{node["kosmos-mastodon"]["server_name"]}",
mastodon_auth_token: credentials["mastodon_auth_token"]
mode '0440'
# Restart service when the config changes
notifies :restart, "application[#{path_to_deploy}]", :delayed
end end
template "/lib/systemd/system/#{app_name}.service" do execute "bundle install" do
source 'nodejs.systemd.service.erb' environment "HOME" => deploy_path
owner 'root' user deploy_user
group 'root' cwd deploy_path
mode '0640' command "/opt/ruby_build/builds/#{ruby_version}/bin/bundle install --without development,test --deployment"
variables(
user: deploy_user,
group: deploy_group,
app_dir: path_to_deploy,
entry: "/usr/bin/env node release/index.js"
)
notifies :run, "execute[systemctl daemon-reload]", :delayed
notifies :restart, "service[#{app_name}]", :delayed
end end
service app_name do execute "yarn install" do
environment "HOME" => deploy_path, "NODE_ENV" => "production"
user deploy_user
cwd deploy_path
command "yarn install --pure-lockfile"
end
execute 'rake db:migrate' do
environment "RAILS_ENV" => rails_env, "HOME" => deploy_path
user deploy_user
group deploy_group
cwd deploy_path
command "PATH=\"/opt/ruby_build/builds/#{ruby_version}/bin:$PATH\" bundle exec rake db:migrate"
end
execute 'rake assets:precompile' do
environment "RAILS_ENV" => rails_env, "HOME" => deploy_path
user deploy_user
group deploy_group
cwd deploy_path
command "PATH=\"/opt/ruby_build/builds/#{ruby_version}/bin:$PATH\" bundle exec rake assets:precompile"
end
service "akkounts" do
action [:enable, :start] action [:enable, :start]
end end
end end

19
site-cookbooks/kosmos-akkounts/recipes/nginx.rb
View File

@ -4,7 +4,7 @@
# #
# The MIT License (MIT) # The MIT License (MIT)
# #
# Copyright:: 2019, Kosmos Developers # Copyright:: 2020, Kosmos Developers
# #
# Permission is hereby granted, free of charge, to any person obtaining a copy # Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal # of this software and associated documentation files (the "Software"), to deal
@ -25,22 +25,23 @@
# THE SOFTWARE. # THE SOFTWARE.
include_recipe "kosmos-nginx" include_recipe "kosmos-nginx"
app_name = "akkounts-api" app_name = "akkounts"
server_name = node[app_name]["server_name"] domain = node[app_name]["domain"]
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do template "#{node['nginx']['dir']}/sites-available/#{domain}" do
source "nginx_conf_#{app_name}.erb" source "nginx_conf_#{app_name}.erb"
owner 'www-data' owner 'www-data'
mode 0640 mode 0640
variables port: node[app_name]['port'], variables port: node[app_name]['port'],
server_name: server_name, domain: domain,
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem", root_dir: "/opt/#{app_name}/public",
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem" ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
notifies :reload, 'service[nginx]', :delayed notifies :reload, 'service[nginx]', :delayed
end end
nginx_site server_name do nginx_site domain do
action :enable action :enable
end end
nginx_certbot_site server_name nginx_certbot_site domain

13
site-cookbooks/kosmos-akkounts/templates/dotenv.erb
View File

@ -1,13 +0,0 @@
BTCPAY_URL=<%= @btcpay_url %>
BTCPAY_PRIVKEY=<%= @btcpay_privkey %>
BTCPAY_MERCHANT=<%= @btcpay_merchant %>
BTCPAY_STORE_ID=<%= @btcpay_store_id %>
BTCPAY_WEBHOOK_HOST=<%= @btcpay_webhook_host %>
BTCPAY_WEBHOOK_TOKEN=<%= @btcpay_webhook_token %>
SMTP_HOST=<%= @smtp_host %>
SMTP_USE_TLS=true
SMTP_USERNAME=<%= @smtp_username %>
SMTP_PASSWORD=<%= @smtp_password %>
MASTODON_HOST=<%= @mastodon_host %>
MASTODON_AUTH_TOKEN=<%= @mastodon_auth_token %>
PORT=<%= node['akkounts-api']['port'] %>

28
site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts-api.erb
View File

@ -1,28 +0,0 @@
# Generated by Chef
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
upstream _akkounts {
server localhost:<%= @port %>;
}
server {
listen 443 ssl http2;
add_header Strict-Transport-Security "max-age=15768000";
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
server_name <%= @server_name %>;
access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json;
error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn;
location / {
# Increase number of buffers. Default is 8
proxy_buffers 1024 8k;
proxy_pass http://_akkounts;
proxy_http_version 1.1;
}
}
<% end -%>

54
site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb Normal file
View File

@ -0,0 +1,54 @@
# Generated by Chef
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
upstream _akkounts {
server localhost:<%= @port %>;
}
server {
listen 443 ssl http2;
add_header Strict-Transport-Security "max-age=15768000";
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
server_name <%= @domain %>;
access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
root <%= @root_dir %>;
location ~ ^/(assets|packs|images|javascripts|stylesheets|swfs|system)/ {
access_log off;
gzip_static on;
expires max;
add_header Cache-Control public;
}
try_files $uri/index.html $uri @app;
location @app {
# an HTTP header important enough to have its own Wikipedia entry:
# http://en.wikipedia.org/wiki/X-Forwarded-For
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# enable this if and only if you use HTTPS, this helps Rack
# set the proper protocol for doing redirects:
proxy_set_header X-Forwarded-Proto https;
# pass the Host: header from the client right along so redirects
# can be set properly within the Rack application
proxy_set_header Host $http_host;
# we don't want nginx trying to do something clever with
# redirects, we set the Host: header above already.
proxy_redirect off;
# Increase number of buffers. Default is 8
proxy_buffers 1024 8k;
proxy_pass http://_akkounts;
proxy_http_version 1.1;
}
}
<% end -%>

15
site-cookbooks/kosmos-akkounts/templates/nodejs.systemd.service.erb
View File

@ -1,15 +0,0 @@
[Unit]
Description=Start nodejs app
[Service]
ExecStart=<%= @entry %>
WorkingDirectory=<%= @app_dir %>
User=<%= @user %>
Group=<%= @group %>
<% if @environment -%>
Environment=<% @environment.each do |key, value| -%>'<%= key %>=<%= value %>' <% end %>
<% end -%>
Restart=always
[Install]
WantedBy=multi-user.target