Merge branch 'master' into feature/rskj_public_endpoint

Gemfile.lock

@@ -248,6 +248,10 @@ GEM
 
 PLATFORMS
   x86_64-darwin-18
+  x86_64-linux
 
 DEPENDENCIES
   knife-zero
+
+BUNDLED WITH
+   2.2.15

README.md

@@ -44,3 +44,14 @@ Install cookbooks listed in Berksfile:
 Vendor installed cookbooks to the `cookbooks/` dir:
 
     berks vendor cookbooks/ --delete
+
+### "Expired" TLS certificates
+
+If you encounter expired TLS certificates during a Chef run (e.g. for remote
+files), the issue is likely that the certificate has been issued by Let's
+Encrypt and Chef is still using its own, outdated CA cert store (see
+[here](https://github.com/chef/chef/issues/12126#issuecomment-932067530) for
+example).
+
+As a hotfix, you can manually remove the "DST Root CA X3" cert from
+`/opt/chef/embedded/ssl/cert.pem` on the machine you're trying to converge.

clients/rsk-mainnet-1.json

@@ -0,0 +1,4 @@
+{
+  "name": "rsk-mainnet-1",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtavs6RQW6af9fWuEuhI1\nQa4Ff7Z1CfZ0fHz152UqUeUKatQ/psKVs5ULWDV/b69fSuNsUzkCny9OwtwyQB/F\n2U+vbv3/3As3z6i3V3q8q4ahCHd7tkMmxMLaWcdkfWbpupWTRkCEX+PSDKS0hdfp\n3EQKVA2FrqR0sSnnT+Q66kZw4/WJrNwtSLcps4D5OubG7xr/uUn3Vyv5qXvS/7kx\nGvMONs55qh64Gtc3FSFPEdVyZXasCMEWwXyadqzf+/qJtEYlK0Uy5E/u7CTsnmcH\n9TEiYVw0/6PomQ2HJfSlZVUUO007OliBHO9bWOwZ6qI5c53pt5KES0dyy6SQ4m+8\nawIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/rsk-testnet-2.json

@@ -0,0 +1,4 @@
+{
+  "name": "rsk-testnet-2",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzG2bgL0n5Q7bTR4WYHOB\nZNOuRem/jjarU/bL0VKKn0JqD3PPDAnhq9gRn7H8SwyGoVFN60YGzu45O4c+SqN3\nCXN+FeFabigH2tKLxBz3kNDYTT/F1ErLLi/6ydrCV3tpddR5KTqLSOntojG8KNzc\nyG4rMV9ebCE1wDVxAFdEA+YDZS8YjP0nO5sLWFacA0ZTx27t5ugqZP1acjSvKzWs\nZ+ekX5Pbws/oUHyaqEEPdz7er4MTBm0bdkCHZbM7132oBcH/huJZhmTXFEdoy4ML\nhP4MWWSvwo66HDYjnaID82a8W1RJZZu2irbPHrfVlaFAh8VQk1T1kkUu0bMovT3V\nYQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

data_bags/credentials/botka_freenode.json

@@ -1,38 +0,0 @@
-{
-  "id": "botka_freenode",
-  "rs_logger_token": {
-    "encrypted_data": "X/7BinesOs5sciifP2myTHzRyYA7q7GxHR92wlHKF1EnVD38GrfMxWFIUVsH\nYUjXr+mm\n",
-    "iv": "XcqCyyfIsqNJiVfX\n",
-    "auth_tag": "vPjh3was2w7pbDRYerGQFw==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
-  "nickserv_password": {
-    "encrypted_data": "bOr4bTbmGIL6YHAycVQCHX3fDsEgvJPtSKYPDyzbMIqn\n",
-    "iv": "hEmlqJ91R4Mxeab/\n",
-    "auth_tag": "o8qf0GBVR23IrPYOANywFw==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
-  "gcm_api_key": {
-    "encrypted_data": "flJe/qcddW54emG29ReJf5BqYyIEmpOK+dKabuZAx5t678Dt1CqLr/UmkeB+\nOcXwezOgr9qj3XHIVQ==\n",
-    "iv": "fD46RYO1hpk9zb9q\n",
-    "auth_tag": "ucPDMdVey1QeZmOmYEFiPw==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
-  "vapid_public_key": {
-    "encrypted_data": "RkyN3Sx4Hme2cBJKMSvXxt6b1rW7liqAG/fLSLMi4aeR9EAMMRf6gEdOLJms\n1WSVx4RU2z7oRTvkD0zwmKwOtNNeyRaJ6zUh/eYnPviBdKMrxvLOXPaQam7O\nCLF9QMHpngCumMPQuaWpHg==\n",
-    "iv": "WPqkc48gE/uJjLB9\n",
-    "auth_tag": "UxAnYr9jdCy2V/1gnDC/Og==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
-  "vapid_private_key": {
-    "encrypted_data": "2O+ESjSSsw3Z4RgTx4AIA3QGYc+zpRY2j0DyEqF1Rdak3prc7bMKmTHy7MwP\nJXGS08Mye5Pnt6sk45TfhoE=\n",
-    "iv": "8+PRuHXa73tLd3wf\n",
-    "auth_tag": "ofPSsKrP7Lgt1qiPcZ8isQ==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  }
-}

data_bags/credentials/botka_irc-libera-chat.json

@@ -0,0 +1,38 @@
+{
+  "id": "botka_irc-libera-chat",
+  "rs_logger_token": {
+    "encrypted_data": "2CYA4uMDMcTA3/TnoUkZ/WoB573oFn5oZk6zJmgc0MwCjYlKxhOTO6JZV5NF\nrQh0b6DS\n",
+    "iv": "ZDSklJrhSJknQTGJ\n",
+    "auth_tag": "RZVkeuP7iu1a/HkeIyM9/Q==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "nickserv_password": {
+    "encrypted_data": "NXPE0ouvPESbBVRDDg362LaHVfeOqo+BEh4PkE5XeA==\n",
+    "iv": "4iESOnvAyMLF2TNs\n",
+    "auth_tag": "PiJvYy++dZls1t+goXui2w==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "gcm_api_key": {
+    "encrypted_data": "QaF+kUTZbx3fK9QXua9QPq0f8ACZbrj+FEvlcMiv9x469OMOxTHfL2+cF6X2\nyK+1zYtl8byiMdLmSQ==\n",
+    "iv": "whutD4hY4htiEePI\n",
+    "auth_tag": "EF19h8haFSNHsOM/oVkcRQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "vapid_public_key": {
+    "encrypted_data": "dw1LEyE/hksxM+H0ExgIWXgrhFYzFo/dmps4/ct8mG2Se0ukYJ7OI5uJYI1E\nUaaZ+feqK2nic0GsnkaY++SI4Us+RNGoOu0J67CWooy8KIVdGGmxHx/rOI2L\n9S9zbo+8TE3KYBWrHa2jyw==\n",
+    "iv": "PaqtzI+RgtL/VeKE\n",
+    "auth_tag": "BPQcLAEWN4cPlrTylfwD/Q==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "vapid_private_key": {
+    "encrypted_data": "Czly/hPyXa529rlxe3Ab3ea/Hg53iSW3Mpz1d8Aimuojih9GhWWFytY8YH9T\nwAINhXw7toST5o3LLjQjPkk=\n",
+    "iv": "XZeA6abV1Fi9Q3wm\n",
+    "auth_tag": "02zb8q+WDLj+mF+bJRWXxQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}

nodes/akkounts-1.json

@@ -8,7 +8,7 @@
   "automatic": {
     "fqdn": "akkounts-1",
     "os": "linux",
-    "os_version": "5.4.0-54-generic",
+    "os_version": "5.4.0-90-generic",
     "hostname": "akkounts-1",
     "ipaddress": "192.168.122.160",
     "roles": [

nodes/barnard.kosmos.org.json

@@ -97,11 +97,7 @@
   "run_list": [
     "role[base]",
     "recipe[kosmos-ipfs]",
-    "recipe[kosmos-hubot::botka_freenode]",
-    "recipe[kosmos-hubot::hal8000]",
     "recipe[kosmos-hubot::hal8000_xmpp]",
-    "recipe[sockethub]",
-    "recipe[sockethub::proxy]",
     "recipe[kosmos-dirsrv]"
   ]
-}
+}

nodes/centaurus.kosmos.org.json

@@ -34,6 +34,7 @@
       "kosmos_kvm::host",
       "kosmos-ejabberd::firewall",
       "kosmos_zerotier::firewall",
+      "sockethub::_firewall",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -85,6 +86,7 @@
     "recipe[kosmos_assets::nginx_site]",
     "recipe[kosmos_kvm::host]",
     "recipe[kosmos-ejabberd::firewall]",
-    "recipe[kosmos_zerotier::firewall]"
+    "recipe[kosmos_zerotier::firewall]",
+    "recipe[sockethub::_firewall]"
   ]
 }

nodes/nodejs-2.json

@@ -8,19 +8,23 @@
   "automatic": {
     "fqdn": "nodejs-2",
     "os": "linux",
-    "os_version": "5.4.0-1031-kvm",
+    "os_version": "5.4.0-1049-kvm",
     "hostname": "nodejs-2",
     "ipaddress": "192.168.122.243",
     "roles": [
-      "kredits_github"
+      "kredits_github",
+      "sockethub"
     ],
     "recipes": [
       "kosmos-base",
       "kosmos-base::default",
-      "kosmos-hubot::wormhole",
+      "kosmos-hubot::botka_irc-libera-chat",
       "kredits-github",
       "kredits-github::default",
       "kredits-github::nginx",
+      "sockethub",
+      "sockethub::default",
+      "sockethub::proxy",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -38,9 +42,12 @@
       "kosmos-nodejs::default",
       "nodejs::nodejs_from_package",
       "nodejs::repo",
-      "kosmos-hubot::_user",
-      "git::default",
-      "git::package",
+      "kosmos-redis::default",
+      "redis::server",
+      "redis::default",
+      "backup::default",
+      "logrotate::default",
+      "kosmos-base::letsencrypt",
       "kosmos-nginx::default",
       "nginx::default",
       "nginx::package",
@@ -51,7 +58,9 @@
       "nginx::commons_script",
       "nginx::commons_conf",
       "kosmos-nginx::firewall",
-      "kosmos-base::letsencrypt"
+      "nodejs::npm",
+      "nodejs::install",
+      "sockethub::_firewall"
     ],
     "platform": "ubuntu",
     "platform_version": "20.04",
@@ -69,7 +78,8 @@
   },
   "run_list": [
     "recipe[kosmos-base]",
-    "recipe[kosmos-hubot::wormhole]",
-    "role[kredits_github]"
+    "recipe[kosmos-hubot::botka_irc-libera-chat]",
+    "role[kredits_github]",
+    "role[sockethub]"
   ]
 }

nodes/rsk-mainnet-1.json

@@ -0,0 +1,57 @@
+{
+  "name": "rsk-mainnet-1",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.137"
+    }
+  },
+  "automatic": {
+    "fqdn": "rsk-mainnet-1",
+    "os": "linux",
+    "os_version": "5.4.0-1048-kvm",
+    "hostname": "rsk-mainnet-1",
+    "ipaddress": "192.168.122.233",
+    "roles": [
+      "rsk_mainnet"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_rsk::rskj",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default",
+      "chef-sugar::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "20.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "17.6.18",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "17.6.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.6.0/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "recipe[kosmos-base]",
+    "role[rsk_mainnet]"
+  ]
+}

nodes/rsk-testnet-2.json

@@ -0,0 +1,57 @@
+{
+  "name": "rsk-testnet-2",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.214"
+    }
+  },
+  "automatic": {
+    "fqdn": "rsk-testnet-2",
+    "os": "linux",
+    "os_version": "5.4.0-1048-kvm",
+    "hostname": "rsk-testnet-2",
+    "ipaddress": "192.168.122.29",
+    "roles": [
+      "rsk_testnet"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_rsk::rskj",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default",
+      "chef-sugar::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "20.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "17.6.18",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "17.6.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.6.0/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "recipe[kosmos-base]",
+    "role[rsk_testnet]"
+  ]
+}

roles/parity.rb

@@ -1,6 +0,0 @@
-name 'parity'
-
-run_list %w(
-  recipe[kosmos-parity::from_package]
-  recipe[kosmos-parity::node_dev]
-)

roles/rsk_mainnet.rb

@@ -0,0 +1,11 @@
+name "rsk_mainnet"
+
+run_list %w(
+  kosmos_rsk::rskj
+)
+
+override_attributes(
+  :rskj => {
+    :network => "mainnet"
+  }
+)

roles/rsk_testnet.rb

@@ -0,0 +1,5 @@
+name "rsk_testnet"
+
+run_list %w(
+  kosmos_rsk::rskj
+)

roles/sockethub.rb

@@ -0,0 +1,6 @@
+name "sockethub"
+
+run_list %w(
+  sockethub::default
+  sockethub::proxy
+)

site-cookbooks/kosmos-hubot/attributes/default.rb

@@ -1,7 +1,6 @@
 node.default['hal8000']['http_port'] = 8080
 
-node.default['botka_freenode']['http_port'] = 8081
-node.default['botka_freenode']['domain'] = "freenode.botka.kosmos.org"
+node.default['botka_irc-libera-chat']['http_port'] = 8081
 
 node.default['hal8000_xmpp']['http_port'] = 8082
 node.default['hal8000_xmpp']['domain'] = "hal8000.chat.kosmos.org"

site-cookbooks/kosmos-hubot/recipes/botka_irc-libera-chat.rb

@@ -0,0 +1,122 @@
+#
+# Cookbook Name:: kosmos-hubot
+# Recipe:: botka_irc-libera-chat
+#
+
+app_name  = "botka_irc-libera-chat"
+app_path  = "/opt/#{app_name}"
+app_user  = "hubot"
+app_group = "hubot"
+domain    = "irc-libera-chat.botka.kosmos.chat"
+
+build_essential app_name do
+  compile_time true
+end
+
+include_recipe "kosmos-nodejs"
+include_recipe "kosmos-redis"
+
+application app_path do
+  data_bag = Chef::EncryptedDataBagItem.load('credentials', app_name)
+
+  owner app_user
+  group app_group
+
+  git do
+    user       app_user
+    group      app_group
+    repository "https://gitea.kosmos.org/kosmos/botka.git"
+    revision   "master"
+  end
+
+  file "#{app_path}/external-scripts.json" do
+    mode  "0640"
+    owner app_user
+    group app_group
+    content [
+      "hubot-help",
+      "hubot-redis-brain",
+      "hubot-remotestorage-logger",
+      "hubot-web-push-notifications",
+    ].to_json
+  end
+
+  npm_install do
+    user app_user
+  end
+
+  execute "systemctl daemon-reload" do
+    command "systemctl daemon-reload"
+    action :nothing
+  end
+
+  template "/lib/systemd/system/#{app_name}.service" do
+    source 'nodejs.systemd.service.erb'
+    owner 'root'
+    group 'root'
+    mode '0644'
+    variables(
+      user: app_user,
+      group: app_group,
+      app_dir: app_path,
+      entry: "#{app_path}/bin/hubot -a irc",
+      environment: {
+        "HUBOT_LOG_LEVEL"             => node.chef_environment == "development" ? "debug" : "info",
+        "HUBOT_IRC_USESSL"            => "true",
+        "HUBOT_IRC_SERVER"            => "irc.libera.chat",
+        "HUBOT_IRC_PORT"              => "6697",
+        "HUBOT_IRC_NICK"              => "botka",
+        "HUBOT_IRC_NICKSERV_USERNAME" => "botka",
+        "HUBOT_IRC_NICKSERV_PASSWORD" => data_bag['nickserv_password'],
+        "HUBOT_IRC_ROOMS"             => "#kosmos,#kosmos-dev,#kosmos-random,#remotestorage,#hackerbeach,#unhosted,#sockethub,#mastodon",
+        "HUBOT_IRC_UNFLOOD"           => "100",
+        "HUBOT_RSS_PRINTSUMMARY"      => "false",
+        "HUBOT_RSS_PRINTERROR"        => "false",
+        "HUBOT_RSS_IRCCOLORS"         => "true",
+        "REDIS_URL"                   => "redis://localhost:6379/botka",
+        "EXPRESS_PORT"                => node[app_name]['http_port'],
+        "HUBOT_AUTH_ADMIN"            => "bkero,raucao",
+        "HUBOT_HELP_REPLY_IN_PRIVATE" => "true",
+        "RS_LOGGER_USER"              => "kosmos@5apps.com",
+        "RS_LOGGER_TOKEN"             => data_bag['rs_logger_token'],
+        "RS_LOGGER_SERVER_NAME"       => "freenode",
+        "RS_LOGGER_PUBLIC"            => "true",
+        "GCM_API_KEY"                 => data_bag['gcm_api_key'],
+        "VAPID_SUBJECT"               => "https://kosmos.org",
+        "VAPID_PUBLIC_KEY"            => data_bag['vapid_public_key'],
+        "VAPID_PRIVATE_KEY"           => data_bag['vapid_private_key']
+      }
+    )
+    notifies :run, "execute[systemctl daemon-reload]", :delayed
+    notifies :restart, "service[#{app_name}]", :delayed
+  end
+
+  service app_name do
+    action [:enable, :start]
+  end
+end
+
+#
+# Nginx reverse proxy
+#
+unless node.chef_environment == "development"
+  include_recipe "kosmos-base::letsencrypt"
+  include_recipe "kosmos-nginx"
+
+  template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+    source 'nginx_conf_hubot.erb'
+    owner node["nginx"]["user"]
+    mode 0640
+    variables express_port: node[app_name]['http_port'],
+              server_name:  domain,
+              ssl_cert:     "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+              ssl_key:      "/etc/letsencrypt/live/#{domain}/privkey.pem"
+    notifies :reload, 'service[nginx]', :delayed
+  end
+
+  nginx_site domain do
+    action :enable
+  end
+
+  nginx_certbot_site domain
+end

site-cookbooks/kosmos_drone/recipes/default.rb

@@ -2,27 +2,6 @@
 # Cookbook:: kosmos_drone
 # Recipe:: default
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2020, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 
 package "docker-compose"
 domain = "drone.kosmos.org"

site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb

@@ -2,7 +2,7 @@ version: '3'
 
 services:
   drone-server:
-    image: drone/drone:1
+    image: drone/drone:2.5
 
     ports:
       - "<%= @upstream_port %>:80"
@@ -19,7 +19,7 @@ services:
       - DRONE_RPC_SECRET=<%= @rpc_secret %>
 
   drone-runner:
-    image: drone/drone-runner-docker:1
+    image: drone/drone-runner-docker:1.8
 
     command: agent
     restart: always

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,6 +1,6 @@
-gitea_version = "1.14.6"
+gitea_version = "1.15.6"
 node.default["kosmos_gitea"]["version"] = gitea_version
 node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
-node.default["kosmos_gitea"]["binary_checksum"] = "20cc0a89421695320b077c9fe4f16996f03aaf9d24f661f8d2255794551c849b"
+node.default["kosmos_gitea"]["binary_checksum"] = "1b7473b5993e07b33fec58edbc1a90f15f040759ca4647e97317c33d5dfe58be"
 node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org"
 node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea"

site-cookbooks/kosmos_gitea/recipes/default.rb

@@ -76,7 +76,7 @@ template "#{config_directory}/app.ini" do
   source "app.ini.erb"
   owner "git"
   group "git"
-  mode "0640"
+  mode "0600"
   sensitive true
   variables working_directory: working_directory,
             git_home_directory: git_home_directory,

site-cookbooks/kosmos_gitea/templates/default/app.ini.erb

@@ -46,6 +46,7 @@ PASSWD = <%= @smtp_password %>
 
 [oauth2]
 JWT_SECRET = <%= @jwt_secret %>
+JWT_SIGNING_ALGORITHM = HS256
 
 [security]
 INTERNAL_TOKEN = <%= @internal_token %>

site-cookbooks/kosmos_rsk/attributes/default.rb

@@ -1,2 +1,2 @@
-node.default['rskj']['version'] = '2.2.0~focal'
+node.default['rskj']['version'] = '3.0.1~focal'
 node.default['rskj']['network'] = 'testnet'

site-cookbooks/kosmos_rsk/recipes/firewall.rb

@@ -0,0 +1,7 @@
+include_recipe 'firewall'
+
+firewall_rule 'rskj' do
+  port     [4444,50505]
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos_rsk/recipes/rskj.rb

@@ -30,10 +30,4 @@ service "rsk" do
   action [:enable, :start]
 end
 
-include_recipe 'firewall'
-
-firewall_rule 'rskj' do
-  port     [4444,50505]
-  protocol :tcp
-  command  :allow
-end
+include_recipe 'kosmos_rsk::firewall'

site-cookbooks/sockethub/attributes/default.rb

@@ -1,4 +1,5 @@
 node.default['sockethub']['port']                 = '10551'
 node.default['sockethub']['external_port']        = '10550'
-node.default['sockethub']['revision']             = 'v3.0.1'
+node.default['sockethub']['version']              = '4.1.0'
 node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org'
+node.default['sockethub']['debug_logs']           = 'sockethub*'

site-cookbooks/sockethub/metadata.rb

@@ -4,9 +4,8 @@ maintainer_email 'mail@kosmos.org'
 license          'MIT'
 description      'Installs/Configures sockethub'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version          '0.1.1'
+version          '0.2.0'
 
-depends 'application_javascript'
 depends 'kosmos-redis'
 depends 'kosmos-nodejs'
 depends 'kosmos-nginx'

site-cookbooks/sockethub/recipes/default.rb

@@ -27,11 +27,15 @@
 include_recipe 'kosmos-nodejs'
 include_recipe 'kosmos-redis'
 
-group "sockethub" do
+user  = "sockethub"
+group = "sockethub"
+entry = "/usr/bin/sockethub"
+
+group group do
   gid 7625
 end
 
-user "sockethub" do
+user user do
   comment     "sockethub user"
   uid         7625
   gid         7625
@@ -39,47 +43,43 @@ user "sockethub" do
   shell       "/bin/bash"
 end
 
-path_to_deploy = "/opt/sockethub"
-application path_to_deploy do
-  owner "sockethub"
-  group "sockethub"
-
-  git do
-    user  "sockethub"
-    group "sockethub"
-    repository 'https://github.com/sockethub/sockethub.git'
-    revision   node['sockethub']['revision']
-  end
-
-  npm_install do
-    user  "sockethub"
-  end
-
-  execute "systemctl daemon-reload" do
-    command "systemctl daemon-reload"
-    action :nothing
-  end
-
-  template "/lib/systemd/system/sockethub_nodejs.service" do
-    source 'nodejs.systemd.service.erb'
-    owner 'root'
-    group 'root'
-    mode '0644'
-    variables(
-      user: "sockethub",
-      group: "sockethub",
-      app_dir: path_to_deploy,
-      entry: "/usr/bin/node /usr/bin/npm start",
-      environment: { 'DEBUG' => '*',
-                     'PORT' => node['sockethub']['port'],
-                     # Use the second database (index starts at 0)
-                     'REDIS_URL' => "redis://localhost:6379/1" }
-    )
-    notifies :run, "execute[systemctl daemon-reload]", :delayed
-    notifies :restart, "service[sockethub_nodejs]", :delayed
-  end
-
-  service "sockethub_nodejs" do
-    action [:enable, :start]
-  end
+npm_package "sockethub" do
+  version node['sockethub']['version']
+end
+
+execute "systemctl daemon-reload" do
+  command "systemctl daemon-reload"
+  action :nothing
+end
+
+environment_variables = {
+  'PORT' => node['sockethub']['port'],
+  # Use the second database (index starts at 0)
+  'REDIS_URL' => "redis://localhost:6379/1"
+}
+unless node['sockethub']['debug_logs'].nil?
+  environment_variables['DEBUG'] = node['sockethub']['debug_logs']
+end
+
+environment = environment_variables.map{|k, v| "'#{k}=#{v}'"}.join(' ')
+
+systemd_unit "sockethub_nodejs.service" do
+  content <<-EOF
+[Unit]
+Description=Start sockethub
+Requires=redis-server.service
+After=redis-server.service
+
+[Service]
+ExecStart=#{entry}
+User=#{user}
+Group=#{group}
+Environment=#{environment}
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+  EOF
+  triggers_reload true
+  action [:create, :enable, :start]
 end

site-cookbooks/sockethub/recipes/proxy.rb

@@ -26,8 +26,41 @@
 
 include_recipe 'sockethub::_firewall'
 include_recipe 'kosmos-nginx'
+include_recipe "kosmos-base::letsencrypt"
+
 server_name = node['sockethub']['nginx']['server_name']
 
+nginx_post_hook = <<-EOF
+#!/usr/bin/env bash
+
+set -e
+
+systemctl reload nginx
+EOF
+
+file "/etc/letsencrypt/renewal-hooks/post/nginx" do
+  content nginx_post_hook
+  mode 0755
+  owner "root"
+  group "root"
+end
+
+gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
+
+template "/root/gandi_dns_certbot_hook.sh" do
+  variables gandi_api_key: gandi_api_data_bag_item["key"]
+  mode 0770
+end
+
+# Generate a Let's Encrypt cert (only if no cert has been generated before).
+# The systemd timer will take care of renewing
+execute "letsencrypt cert for sockethub" do
+  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/nginx\" --email ops@kosmos.org -d #{server_name}  -n"
+  not_if do
+    File.exist?("/etc/letsencrypt/live/#{server_name}/fullchain.pem")
+  end
+end
+
 template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
   source 'nginx_conf_sockethub.erb'
   owner 'www-data'
@@ -40,13 +73,7 @@ template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
   notifies :reload, 'service[nginx]', :delayed
 end
 
-# Legacy vhost
-nginx_site "sockethub" do
-  action :disable
-end
-
 nginx_site server_name do
   action :enable
 end
 
-nginx_certbot_site server_name

site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb

@@ -8,10 +8,13 @@ map $http_upgrade $connection_upgrade {
   '' close;
 }
 
-<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
+  <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
   listen <%= @sockethub_external_port %> ssl http2;
   add_header Strict-Transport-Security "max-age=15768000";
+  <% else -%>
+  listen <%= @sockethub_external_port %>;
+  <% end -%>
 
   server_name <%= @server_name %>;
 
@@ -32,7 +35,8 @@ server {
     proxy_set_header Connection $connection_upgrade;
    }
 
+  <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
   ssl_certificate <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
+  <% end -%>
 }
-<% end -%>

site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb

@@ -1,17 +0,0 @@
-[Unit]
-Description=Start nodejs app
-Requires=redis-server.service
-After=redis-server.service
-
-[Service]
-ExecStart=<%= @entry %>
-WorkingDirectory=<%= @app_dir %>
-User=<%= @user %>
-Group=<%= @group %>
-<% unless @environment.empty? -%>
-Environment=<% @environment.each do |key, value| -%>'<%= key %>=<%= value %>' <% end %>
-<% end -%>
-Restart=always
-
-[Install]
-WantedBy=multi-user.target

site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+#
+
+set -euf -o pipefail
+
+# ************** USAGE **************
+#
+# Example usage (with this hook file saved in /root/):
+#
+#   sudo su -
+#   certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
+#     --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
+#
+# This hook requires configuration, continue reading.
+#
+# ************** CONFIGURATION **************
+#
+# GANDI_API_KEY: Your Gandi Live API key
+#
+# PROVIDER_UPDATE_DELAY:
+#   How many seconds to wait after updating your DNS records. This may be required,
+#   depending on how slow your DNS host is to begin serving new DNS records after updating
+#   them via the API. 30 seconds is a safe default, but some providers can be very slow
+#   (e.g. Linode).
+#
+#   Defaults to 30 seconds.
+#
+GANDI_API_KEY="<%= @gandi_api_key %>"
+PROVIDER_UPDATE_DELAY=30
+
+regex='.*\.(.*\..*)'
+if [[ $CERTBOT_DOMAIN =~ $regex ]]
+then
+  DOMAIN="${BASH_REMATCH[1]}"
+else
+  DOMAIN="${CERTBOT_DOMAIN}"
+fi
+
+# To be invoked via Certbot's --manual-auth-hook
+function auth {
+    curl -s -D- -H "Content-Type: application/json" \
+        -H "X-Api-Key: ${GANDI_API_KEY}" \
+        -d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
+             \"rrset_type\": \"TXT\",
+             \"rrset_ttl\": 3600,
+             \"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
+        "https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
+
+
+    sleep ${PROVIDER_UPDATE_DELAY}
+}
+
+# To be invoked via Certbot's --manual-cleanup-hook
+function cleanup {
+    curl -s -X DELETE -H "Content-Type: application/json" \
+        -H "X-Api-Key: ${GANDI_API_KEY}" \
+        https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
+}
+
+HANDLER=$1; shift;
+if [ -n "$(type -t $HANDLER)" ] && [ "$(type -t $HANDLER)" = function ]; then
+  $HANDLER "$@"
+fi