Merge branch 'master' into feature/rskj_public_endpoint
35115b7391
|
@ -248,6 +248,10 @@ GEM
|
|||
|
||||
PLATFORMS
|
||||
x86_64-darwin-18
|
||||
x86_64-linux
|
||||
|
||||
DEPENDENCIES
|
||||
knife-zero
|
||||
|
||||
BUNDLED WITH
|
||||
2.2.15
|
||||
|
|
11
README.md
11
README.md
|
@ -44,3 +44,14 @@ Install cookbooks listed in Berksfile:
|
|||
Vendor installed cookbooks to the `cookbooks/` dir:
|
||||
|
||||
berks vendor cookbooks/ --delete
|
||||
|
||||
### "Expired" TLS certificates
|
||||
|
||||
If you encounter expired TLS certificates during a Chef run (e.g. for remote
|
||||
files), the issue is likely that the certificate has been issued by Let's
|
||||
Encrypt and Chef is still using its own, outdated CA cert store (see
|
||||
[here](https://github.com/chef/chef/issues/12126#issuecomment-932067530) for
|
||||
example).
|
||||
|
||||
As a hotfix, you can manually remove the "DST Root CA X3" cert from
|
||||
`/opt/chef/embedded/ssl/cert.pem` on the machine you're trying to converge.
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
{
|
||||
"name": "rsk-mainnet-1",
|
||||
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtavs6RQW6af9fWuEuhI1\nQa4Ff7Z1CfZ0fHz152UqUeUKatQ/psKVs5ULWDV/b69fSuNsUzkCny9OwtwyQB/F\n2U+vbv3/3As3z6i3V3q8q4ahCHd7tkMmxMLaWcdkfWbpupWTRkCEX+PSDKS0hdfp\n3EQKVA2FrqR0sSnnT+Q66kZw4/WJrNwtSLcps4D5OubG7xr/uUn3Vyv5qXvS/7kx\nGvMONs55qh64Gtc3FSFPEdVyZXasCMEWwXyadqzf+/qJtEYlK0Uy5E/u7CTsnmcH\n9TEiYVw0/6PomQ2HJfSlZVUUO007OliBHO9bWOwZ6qI5c53pt5KES0dyy6SQ4m+8\nawIDAQAB\n-----END PUBLIC KEY-----\n"
|
||||
}
|
|
@ -0,0 +1,4 @@
|
|||
{
|
||||
"name": "rsk-testnet-2",
|
||||
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzG2bgL0n5Q7bTR4WYHOB\nZNOuRem/jjarU/bL0VKKn0JqD3PPDAnhq9gRn7H8SwyGoVFN60YGzu45O4c+SqN3\nCXN+FeFabigH2tKLxBz3kNDYTT/F1ErLLi/6ydrCV3tpddR5KTqLSOntojG8KNzc\nyG4rMV9ebCE1wDVxAFdEA+YDZS8YjP0nO5sLWFacA0ZTx27t5ugqZP1acjSvKzWs\nZ+ekX5Pbws/oUHyaqEEPdz7er4MTBm0bdkCHZbM7132oBcH/huJZhmTXFEdoy4ML\nhP4MWWSvwo66HDYjnaID82a8W1RJZZu2irbPHrfVlaFAh8VQk1T1kkUu0bMovT3V\nYQIDAQAB\n-----END PUBLIC KEY-----\n"
|
||||
}
|
|
@ -1,38 +0,0 @@
|
|||
{
|
||||
"id": "botka_freenode",
|
||||
"rs_logger_token": {
|
||||
"encrypted_data": "X/7BinesOs5sciifP2myTHzRyYA7q7GxHR92wlHKF1EnVD38GrfMxWFIUVsH\nYUjXr+mm\n",
|
||||
"iv": "XcqCyyfIsqNJiVfX\n",
|
||||
"auth_tag": "vPjh3was2w7pbDRYerGQFw==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"nickserv_password": {
|
||||
"encrypted_data": "bOr4bTbmGIL6YHAycVQCHX3fDsEgvJPtSKYPDyzbMIqn\n",
|
||||
"iv": "hEmlqJ91R4Mxeab/\n",
|
||||
"auth_tag": "o8qf0GBVR23IrPYOANywFw==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"gcm_api_key": {
|
||||
"encrypted_data": "flJe/qcddW54emG29ReJf5BqYyIEmpOK+dKabuZAx5t678Dt1CqLr/UmkeB+\nOcXwezOgr9qj3XHIVQ==\n",
|
||||
"iv": "fD46RYO1hpk9zb9q\n",
|
||||
"auth_tag": "ucPDMdVey1QeZmOmYEFiPw==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"vapid_public_key": {
|
||||
"encrypted_data": "RkyN3Sx4Hme2cBJKMSvXxt6b1rW7liqAG/fLSLMi4aeR9EAMMRf6gEdOLJms\n1WSVx4RU2z7oRTvkD0zwmKwOtNNeyRaJ6zUh/eYnPviBdKMrxvLOXPaQam7O\nCLF9QMHpngCumMPQuaWpHg==\n",
|
||||
"iv": "WPqkc48gE/uJjLB9\n",
|
||||
"auth_tag": "UxAnYr9jdCy2V/1gnDC/Og==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"vapid_private_key": {
|
||||
"encrypted_data": "2O+ESjSSsw3Z4RgTx4AIA3QGYc+zpRY2j0DyEqF1Rdak3prc7bMKmTHy7MwP\nJXGS08Mye5Pnt6sk45TfhoE=\n",
|
||||
"iv": "8+PRuHXa73tLd3wf\n",
|
||||
"auth_tag": "ofPSsKrP7Lgt1qiPcZ8isQ==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
}
|
||||
}
|
|
@ -0,0 +1,38 @@
|
|||
{
|
||||
"id": "botka_irc-libera-chat",
|
||||
"rs_logger_token": {
|
||||
"encrypted_data": "2CYA4uMDMcTA3/TnoUkZ/WoB573oFn5oZk6zJmgc0MwCjYlKxhOTO6JZV5NF\nrQh0b6DS\n",
|
||||
"iv": "ZDSklJrhSJknQTGJ\n",
|
||||
"auth_tag": "RZVkeuP7iu1a/HkeIyM9/Q==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"nickserv_password": {
|
||||
"encrypted_data": "NXPE0ouvPESbBVRDDg362LaHVfeOqo+BEh4PkE5XeA==\n",
|
||||
"iv": "4iESOnvAyMLF2TNs\n",
|
||||
"auth_tag": "PiJvYy++dZls1t+goXui2w==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"gcm_api_key": {
|
||||
"encrypted_data": "QaF+kUTZbx3fK9QXua9QPq0f8ACZbrj+FEvlcMiv9x469OMOxTHfL2+cF6X2\nyK+1zYtl8byiMdLmSQ==\n",
|
||||
"iv": "whutD4hY4htiEePI\n",
|
||||
"auth_tag": "EF19h8haFSNHsOM/oVkcRQ==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"vapid_public_key": {
|
||||
"encrypted_data": "dw1LEyE/hksxM+H0ExgIWXgrhFYzFo/dmps4/ct8mG2Se0ukYJ7OI5uJYI1E\nUaaZ+feqK2nic0GsnkaY++SI4Us+RNGoOu0J67CWooy8KIVdGGmxHx/rOI2L\n9S9zbo+8TE3KYBWrHa2jyw==\n",
|
||||
"iv": "PaqtzI+RgtL/VeKE\n",
|
||||
"auth_tag": "BPQcLAEWN4cPlrTylfwD/Q==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"vapid_private_key": {
|
||||
"encrypted_data": "Czly/hPyXa529rlxe3Ab3ea/Hg53iSW3Mpz1d8Aimuojih9GhWWFytY8YH9T\nwAINhXw7toST5o3LLjQjPkk=\n",
|
||||
"iv": "XZeA6abV1Fi9Q3wm\n",
|
||||
"auth_tag": "02zb8q+WDLj+mF+bJRWXxQ==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
}
|
||||
}
|
|
@ -8,7 +8,7 @@
|
|||
"automatic": {
|
||||
"fqdn": "akkounts-1",
|
||||
"os": "linux",
|
||||
"os_version": "5.4.0-54-generic",
|
||||
"os_version": "5.4.0-90-generic",
|
||||
"hostname": "akkounts-1",
|
||||
"ipaddress": "192.168.122.160",
|
||||
"roles": [
|
||||
|
|
|
@ -97,11 +97,7 @@
|
|||
"run_list": [
|
||||
"role[base]",
|
||||
"recipe[kosmos-ipfs]",
|
||||
"recipe[kosmos-hubot::botka_freenode]",
|
||||
"recipe[kosmos-hubot::hal8000]",
|
||||
"recipe[kosmos-hubot::hal8000_xmpp]",
|
||||
"recipe[sockethub]",
|
||||
"recipe[sockethub::proxy]",
|
||||
"recipe[kosmos-dirsrv]"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
|
|
@ -34,6 +34,7 @@
|
|||
"kosmos_kvm::host",
|
||||
"kosmos-ejabberd::firewall",
|
||||
"kosmos_zerotier::firewall",
|
||||
"sockethub::_firewall",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
|
@ -85,6 +86,7 @@
|
|||
"recipe[kosmos_assets::nginx_site]",
|
||||
"recipe[kosmos_kvm::host]",
|
||||
"recipe[kosmos-ejabberd::firewall]",
|
||||
"recipe[kosmos_zerotier::firewall]"
|
||||
"recipe[kosmos_zerotier::firewall]",
|
||||
"recipe[sockethub::_firewall]"
|
||||
]
|
||||
}
|
|
@ -8,19 +8,23 @@
|
|||
"automatic": {
|
||||
"fqdn": "nodejs-2",
|
||||
"os": "linux",
|
||||
"os_version": "5.4.0-1031-kvm",
|
||||
"os_version": "5.4.0-1049-kvm",
|
||||
"hostname": "nodejs-2",
|
||||
"ipaddress": "192.168.122.243",
|
||||
"roles": [
|
||||
"kredits_github"
|
||||
"kredits_github",
|
||||
"sockethub"
|
||||
],
|
||||
"recipes": [
|
||||
"kosmos-base",
|
||||
"kosmos-base::default",
|
||||
"kosmos-hubot::wormhole",
|
||||
"kosmos-hubot::botka_irc-libera-chat",
|
||||
"kredits-github",
|
||||
"kredits-github::default",
|
||||
"kredits-github::nginx",
|
||||
"sockethub",
|
||||
"sockethub::default",
|
||||
"sockethub::proxy",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
|
@ -38,9 +42,12 @@
|
|||
"kosmos-nodejs::default",
|
||||
"nodejs::nodejs_from_package",
|
||||
"nodejs::repo",
|
||||
"kosmos-hubot::_user",
|
||||
"git::default",
|
||||
"git::package",
|
||||
"kosmos-redis::default",
|
||||
"redis::server",
|
||||
"redis::default",
|
||||
"backup::default",
|
||||
"logrotate::default",
|
||||
"kosmos-base::letsencrypt",
|
||||
"kosmos-nginx::default",
|
||||
"nginx::default",
|
||||
"nginx::package",
|
||||
|
@ -51,7 +58,9 @@
|
|||
"nginx::commons_script",
|
||||
"nginx::commons_conf",
|
||||
"kosmos-nginx::firewall",
|
||||
"kosmos-base::letsencrypt"
|
||||
"nodejs::npm",
|
||||
"nodejs::install",
|
||||
"sockethub::_firewall"
|
||||
],
|
||||
"platform": "ubuntu",
|
||||
"platform_version": "20.04",
|
||||
|
@ -69,7 +78,8 @@
|
|||
},
|
||||
"run_list": [
|
||||
"recipe[kosmos-base]",
|
||||
"recipe[kosmos-hubot::wormhole]",
|
||||
"role[kredits_github]"
|
||||
"recipe[kosmos-hubot::botka_irc-libera-chat]",
|
||||
"role[kredits_github]",
|
||||
"role[sockethub]"
|
||||
]
|
||||
}
|
|
@ -0,0 +1,57 @@
|
|||
{
|
||||
"name": "rsk-mainnet-1",
|
||||
"normal": {
|
||||
"knife_zero": {
|
||||
"host": "10.1.1.137"
|
||||
}
|
||||
},
|
||||
"automatic": {
|
||||
"fqdn": "rsk-mainnet-1",
|
||||
"os": "linux",
|
||||
"os_version": "5.4.0-1048-kvm",
|
||||
"hostname": "rsk-mainnet-1",
|
||||
"ipaddress": "192.168.122.233",
|
||||
"roles": [
|
||||
"rsk_mainnet"
|
||||
],
|
||||
"recipes": [
|
||||
"kosmos-base",
|
||||
"kosmos-base::default",
|
||||
"kosmos_rsk::rskj",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
"ntp::default",
|
||||
"ntp::apparmor",
|
||||
"kosmos-base::systemd_emails",
|
||||
"apt::unattended-upgrades",
|
||||
"kosmos-base::firewall",
|
||||
"kosmos-postfix::default",
|
||||
"postfix::default",
|
||||
"postfix::_common",
|
||||
"postfix::_attributes",
|
||||
"postfix::sasl_auth",
|
||||
"hostname::default",
|
||||
"firewall::default",
|
||||
"chef-sugar::default"
|
||||
],
|
||||
"platform": "ubuntu",
|
||||
"platform_version": "20.04",
|
||||
"cloud": null,
|
||||
"chef_packages": {
|
||||
"chef": {
|
||||
"version": "17.6.18",
|
||||
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18/lib",
|
||||
"chef_effortless": null
|
||||
},
|
||||
"ohai": {
|
||||
"version": "17.6.0",
|
||||
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.6.0/lib/ohai"
|
||||
}
|
||||
}
|
||||
},
|
||||
"run_list": [
|
||||
"recipe[kosmos-base]",
|
||||
"role[rsk_mainnet]"
|
||||
]
|
||||
}
|
|
@ -0,0 +1,57 @@
|
|||
{
|
||||
"name": "rsk-testnet-2",
|
||||
"normal": {
|
||||
"knife_zero": {
|
||||
"host": "10.1.1.214"
|
||||
}
|
||||
},
|
||||
"automatic": {
|
||||
"fqdn": "rsk-testnet-2",
|
||||
"os": "linux",
|
||||
"os_version": "5.4.0-1048-kvm",
|
||||
"hostname": "rsk-testnet-2",
|
||||
"ipaddress": "192.168.122.29",
|
||||
"roles": [
|
||||
"rsk_testnet"
|
||||
],
|
||||
"recipes": [
|
||||
"kosmos-base",
|
||||
"kosmos-base::default",
|
||||
"kosmos_rsk::rskj",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
"ntp::default",
|
||||
"ntp::apparmor",
|
||||
"kosmos-base::systemd_emails",
|
||||
"apt::unattended-upgrades",
|
||||
"kosmos-base::firewall",
|
||||
"kosmos-postfix::default",
|
||||
"postfix::default",
|
||||
"postfix::_common",
|
||||
"postfix::_attributes",
|
||||
"postfix::sasl_auth",
|
||||
"hostname::default",
|
||||
"firewall::default",
|
||||
"chef-sugar::default"
|
||||
],
|
||||
"platform": "ubuntu",
|
||||
"platform_version": "20.04",
|
||||
"cloud": null,
|
||||
"chef_packages": {
|
||||
"chef": {
|
||||
"version": "17.6.18",
|
||||
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18/lib",
|
||||
"chef_effortless": null
|
||||
},
|
||||
"ohai": {
|
||||
"version": "17.6.0",
|
||||
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.6.0/lib/ohai"
|
||||
}
|
||||
}
|
||||
},
|
||||
"run_list": [
|
||||
"recipe[kosmos-base]",
|
||||
"role[rsk_testnet]"
|
||||
]
|
||||
}
|
|
@ -1,6 +0,0 @@
|
|||
name 'parity'
|
||||
|
||||
run_list %w(
|
||||
recipe[kosmos-parity::from_package]
|
||||
recipe[kosmos-parity::node_dev]
|
||||
)
|
|
@ -0,0 +1,11 @@
|
|||
name "rsk_mainnet"
|
||||
|
||||
run_list %w(
|
||||
kosmos_rsk::rskj
|
||||
)
|
||||
|
||||
override_attributes(
|
||||
:rskj => {
|
||||
:network => "mainnet"
|
||||
}
|
||||
)
|
|
@ -0,0 +1,5 @@
|
|||
name "rsk_testnet"
|
||||
|
||||
run_list %w(
|
||||
kosmos_rsk::rskj
|
||||
)
|
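Review bot: `rsk_testnet` sets only a run_list and relies on the cookbook default `node.default['rskj']['network'] = 'testnet'`, while the sibling `rsk_mainnet` role in this same commit pins its network explicitly through `override_attributes`. Making the testnet role explicit too, `override_attributes(:rskj => { :network => "testnet" })`, keeps the two roles symmetric and protects the testnet node if that attribute default is ever changed. The default lives in the rskj attributes hunk further down in this commit, so the dependency is easy to miss when reading the role file alone.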
|
@ -0,0 +1,6 @@
|
|||
name "sockethub"
|
||||
|
||||
run_list %w(
|
||||
sockethub::default
|
||||
sockethub::proxy
|
||||
)
|
|
@ -1,7 +1,6 @@
|
|||
node.default['hal8000']['http_port'] = 8080
|
||||
|
||||
node.default['botka_freenode']['http_port'] = 8081
|
||||
node.default['botka_freenode']['domain'] = "freenode.botka.kosmos.org"
|
||||
node.default['botka_irc-libera-chat']['http_port'] = 8081
|
||||
|
||||
node.default['hal8000_xmpp']['http_port'] = 8082
|
||||
node.default['hal8000_xmpp']['domain'] = "hal8000.chat.kosmos.org"
|
||||
|
|
|
@ -0,0 +1,122 @@
|
|||
#
|
||||
# Cookbook Name:: kosmos-hubot
|
||||
# Recipe:: botka_irc-libera-chat
|
||||
#
|
||||
|
||||
app_name = "botka_irc-libera-chat"
|
||||
app_path = "/opt/#{app_name}"
|
||||
app_user = "hubot"
|
||||
app_group = "hubot"
|
||||
domain = "irc-libera-chat.botka.kosmos.chat"
|
||||
|
||||
build_essential app_name do
|
||||
compile_time true
|
||||
end
|
||||
|
||||
include_recipe "kosmos-nodejs"
|
||||
include_recipe "kosmos-redis"
|
||||
|
||||
application app_path do
|
||||
data_bag = Chef::EncryptedDataBagItem.load('credentials', app_name)
|
||||
|
||||
owner app_user
|
||||
group app_group
|
||||
|
||||
git do
|
||||
user app_user
|
||||
group app_group
|
||||
repository "https://gitea.kosmos.org/kosmos/botka.git"
|
||||
revision "master"
|
||||
end
|
||||
|
||||
file "#{app_path}/external-scripts.json" do
|
||||
mode "0640"
|
||||
owner app_user
|
||||
group app_group
|
||||
content [
|
||||
"hubot-help",
|
||||
"hubot-redis-brain",
|
||||
"hubot-remotestorage-logger",
|
||||
"hubot-web-push-notifications",
|
||||
].to_json
|
||||
end
|
||||
|
||||
npm_install do
|
||||
user app_user
|
||||
end
|
||||
|
||||
execute "systemctl daemon-reload" do
|
||||
command "systemctl daemon-reload"
|
||||
action :nothing
|
||||
end
|
||||
|
||||
template "/lib/systemd/system/#{app_name}.service" do
|
||||
source 'nodejs.systemd.service.erb'
|
||||
owner 'root'
|
||||
group 'root'
|
||||
mode '0644'
|
||||
variables(
|
||||
user: app_user,
|
||||
group: app_group,
|
||||
app_dir: app_path,
|
||||
entry: "#{app_path}/bin/hubot -a irc",
|
||||
environment: {
|
||||
"HUBOT_LOG_LEVEL" => node.chef_environment == "development" ? "debug" : "info",
|
||||
"HUBOT_IRC_USESSL" => "true",
|
||||
"HUBOT_IRC_SERVER" => "irc.libera.chat",
|
||||
"HUBOT_IRC_PORT" => "6697",
|
||||
"HUBOT_IRC_NICK" => "botka",
|
||||
"HUBOT_IRC_NICKSERV_USERNAME" => "botka",
|
||||
"HUBOT_IRC_NICKSERV_PASSWORD" => data_bag['nickserv_password'],
|
||||
"HUBOT_IRC_ROOMS" => "#kosmos,#kosmos-dev,#kosmos-random,#remotestorage,#hackerbeach,#unhosted,#sockethub,#mastodon",
|
||||
"HUBOT_IRC_UNFLOOD" => "100",
|
||||
"HUBOT_RSS_PRINTSUMMARY" => "false",
|
||||
"HUBOT_RSS_PRINTERROR" => "false",
|
||||
"HUBOT_RSS_IRCCOLORS" => "true",
|
||||
"REDIS_URL" => "redis://localhost:6379/botka",
|
||||
"EXPRESS_PORT" => node[app_name]['http_port'],
|
||||
"HUBOT_AUTH_ADMIN" => "bkero,raucao",
|
||||
"HUBOT_HELP_REPLY_IN_PRIVATE" => "true",
|
||||
"RS_LOGGER_USER" => "kosmos@5apps.com",
|
||||
"RS_LOGGER_TOKEN" => data_bag['rs_logger_token'],
|
||||
"RS_LOGGER_SERVER_NAME" => "freenode",
|
||||
"RS_LOGGER_PUBLIC" => "true",
|
||||
"GCM_API_KEY" => data_bag['gcm_api_key'],
|
||||
"VAPID_SUBJECT" => "https://kosmos.org",
|
||||
"VAPID_PUBLIC_KEY" => data_bag['vapid_public_key'],
|
||||
"VAPID_PRIVATE_KEY" => data_bag['vapid_private_key']
|
||||
}
|
||||
)
|
||||
notifies :run, "execute[systemctl daemon-reload]", :delayed
|
||||
notifies :restart, "service[#{app_name}]", :delayed
|
||||
end
|
||||
|
||||
service app_name do
|
||||
action [:enable, :start]
|
||||
end
|
||||
end
|
||||
|
||||
#
|
||||
# Nginx reverse proxy
|
||||
#
|
||||
unless node.chef_environment == "development"
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||
source 'nginx_conf_hubot.erb'
|
||||
owner node["nginx"]["user"]
|
||||
mode 0640
|
||||
variables express_port: node[app_name]['http_port'],
|
||||
server_name: domain,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
||||
|
||||
nginx_certbot_site domain
|
||||
end
|
|
@ -2,27 +2,6 @@
|
|||
# Cookbook:: kosmos_drone
|
||||
# Recipe:: default
|
||||
#
|
||||
# The MIT License (MIT)
|
||||
#
|
||||
# Copyright:: 2020, Kosmos Developers
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
# THE SOFTWARE.
|
||||
|
||||
package "docker-compose"
|
||||
domain = "drone.kosmos.org"
|
||||
|
|
|
@ -2,7 +2,7 @@ version: '3'
|
|||
|
||||
services:
|
||||
drone-server:
|
||||
image: drone/drone:1
|
||||
image: drone/drone:2.5
|
||||
|
||||
ports:
|
||||
- "<%= @upstream_port %>:80"
|
||||
|
@ -19,7 +19,7 @@ services:
|
|||
- DRONE_RPC_SECRET=<%= @rpc_secret %>
|
||||
|
||||
drone-runner:
|
||||
image: drone/drone-runner-docker:1
|
||||
image: drone/drone-runner-docker:1.8
|
||||
|
||||
command: agent
|
||||
restart: always
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
gitea_version = "1.14.6"
|
||||
gitea_version = "1.15.6"
|
||||
node.default["kosmos_gitea"]["version"] = gitea_version
|
||||
node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
|
||||
node.default["kosmos_gitea"]["binary_checksum"] = "20cc0a89421695320b077c9fe4f16996f03aaf9d24f661f8d2255794551c849b"
|
||||
node.default["kosmos_gitea"]["binary_checksum"] = "1b7473b5993e07b33fec58edbc1a90f15f040759ca4647e97317c33d5dfe58be"
|
||||
node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org"
|
||||
node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea"
|
||||
|
|
|
@ -76,7 +76,7 @@ template "#{config_directory}/app.ini" do
|
|||
source "app.ini.erb"
|
||||
owner "git"
|
||||
group "git"
|
||||
mode "0640"
|
||||
mode "0600"
|
||||
sensitive true
|
||||
variables working_directory: working_directory,
|
||||
git_home_directory: git_home_directory,
|
||||
|
|
|
@ -46,6 +46,7 @@ PASSWD = <%= @smtp_password %>
|
|||
|
||||
[oauth2]
|
||||
JWT_SECRET = <%= @jwt_secret %>
|
||||
JWT_SIGNING_ALGORITHM = HS256
|
||||
|
||||
[security]
|
||||
INTERNAL_TOKEN = <%= @internal_token %>
|
||||
|
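Review bot: `JWT_SIGNING_ALGORITHM = HS256` is added with no comment saying why it is pinned; since this commit also moves Gitea to 1.15.6, which as far as I recall switched the OAuth2 default signing algorithm to RS256 (key-file based), the line appears to keep the symmetric scheme so the existing `JWT_SECRET` HMAC secret continues to work. A one-line comment above it saves the next reader from guessing, e.g. `; HS256 kept on purpose: Gitea 1.15 defaults to RS256, which ignores JWT_SECRET and needs a generated key file`. If the intent is instead to migrate to RS256 later, note that here as well.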
|
|
@ -1,2 +1,2 @@
|
|||
node.default['rskj']['version'] = '2.2.0~focal'
|
||||
node.default['rskj']['version'] = '3.0.1~focal'
|
||||
node.default['rskj']['network'] = 'testnet'
|
||||
|
|
|
@ -0,0 +1,7 @@
|
|||
include_recipe 'firewall'
|
||||
|
||||
firewall_rule 'rskj' do
|
||||
port [4444,50505]
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
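Review bot: `firewall_rule 'rskj'` allows TCP 4444 and 50505 from any source; 4444 is rskj's JSON-RPC listener and 50505 its peer port, so the RPC API is reachable from every address that can reach the host, which deserves a second look now that the branch is named `rskj_public_endpoint`. The rule is moved verbatim from `kosmos_rsk::default`, so the exposure is pre-existing, but if the public endpoint is meant to be fronted by a TLS reverse proxy then only 50505 needs to be open and the RPC rule should be split out with a `source` restriction, e.g. `firewall_rule 'rskj_rpc' do port 4444; protocol :tcp; source '<trusted-cidr>'; command :allow; end`. Either way a comment stating which port is intentionally public, and that rskj's own RPC host/module allowlist is the second line of defence, would make the intent auditable.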
|
@ -30,10 +30,4 @@ service "rsk" do
|
|||
action [:enable, :start]
|
||||
end
|
||||
|
||||
include_recipe 'firewall'
|
||||
|
||||
firewall_rule 'rskj' do
|
||||
port [4444,50505]
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
include_recipe 'kosmos_rsk::firewall'
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
node.default['sockethub']['port'] = '10551'
|
||||
node.default['sockethub']['external_port'] = '10550'
|
||||
node.default['sockethub']['revision'] = 'v3.0.1'
|
||||
node.default['sockethub']['version'] = '4.1.0'
|
||||
node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org'
|
||||
node.default['sockethub']['debug_logs'] = 'sockethub*'
|
||||
|
|
|
@ -4,9 +4,8 @@ maintainer_email 'mail@kosmos.org'
|
|||
license 'MIT'
|
||||
description 'Installs/Configures sockethub'
|
||||
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
|
||||
version '0.1.1'
|
||||
version '0.2.0'
|
||||
|
||||
depends 'application_javascript'
|
||||
depends 'kosmos-redis'
|
||||
depends 'kosmos-nodejs'
|
||||
depends 'kosmos-nginx'
|
||||
|
|
|
@ -27,11 +27,15 @@
|
|||
include_recipe 'kosmos-nodejs'
|
||||
include_recipe 'kosmos-redis'
|
||||
|
||||
group "sockethub" do
|
||||
user = "sockethub"
|
||||
group = "sockethub"
|
||||
entry = "/usr/bin/sockethub"
|
||||
|
||||
group group do
|
||||
gid 7625
|
||||
end
|
||||
|
||||
user "sockethub" do
|
||||
user user do
|
||||
comment "sockethub user"
|
||||
uid 7625
|
||||
gid 7625
|
||||
|
@ -39,47 +43,43 @@ user "sockethub" do
|
|||
shell "/bin/bash"
|
||||
end
|
||||
|
||||
path_to_deploy = "/opt/sockethub"
|
||||
application path_to_deploy do
|
||||
owner "sockethub"
|
||||
group "sockethub"
|
||||
|
||||
git do
|
||||
user "sockethub"
|
||||
group "sockethub"
|
||||
repository 'https://github.com/sockethub/sockethub.git'
|
||||
revision node['sockethub']['revision']
|
||||
end
|
||||
|
||||
npm_install do
|
||||
user "sockethub"
|
||||
end
|
||||
|
||||
execute "systemctl daemon-reload" do
|
||||
command "systemctl daemon-reload"
|
||||
action :nothing
|
||||
end
|
||||
|
||||
template "/lib/systemd/system/sockethub_nodejs.service" do
|
||||
source 'nodejs.systemd.service.erb'
|
||||
owner 'root'
|
||||
group 'root'
|
||||
mode '0644'
|
||||
variables(
|
||||
user: "sockethub",
|
||||
group: "sockethub",
|
||||
app_dir: path_to_deploy,
|
||||
entry: "/usr/bin/node /usr/bin/npm start",
|
||||
environment: { 'DEBUG' => '*',
|
||||
'PORT' => node['sockethub']['port'],
|
||||
# Use the second database (index starts at 0)
|
||||
'REDIS_URL' => "redis://localhost:6379/1" }
|
||||
)
|
||||
notifies :run, "execute[systemctl daemon-reload]", :delayed
|
||||
notifies :restart, "service[sockethub_nodejs]", :delayed
|
||||
end
|
||||
|
||||
service "sockethub_nodejs" do
|
||||
action [:enable, :start]
|
||||
end
|
||||
npm_package "sockethub" do
|
||||
version node['sockethub']['version']
|
||||
end
|
||||
|
||||
execute "systemctl daemon-reload" do
|
||||
command "systemctl daemon-reload"
|
||||
action :nothing
|
||||
end
|
||||
|
||||
environment_variables = {
|
||||
'PORT' => node['sockethub']['port'],
|
||||
# Use the second database (index starts at 0)
|
||||
'REDIS_URL' => "redis://localhost:6379/1"
|
||||
}
|
||||
unless node['sockethub']['debug_logs'].nil?
|
||||
environment_variables['DEBUG'] = node['sockethub']['debug_logs']
|
||||
end
|
||||
|
||||
environment = environment_variables.map{|k, v| "'#{k}=#{v}'"}.join(' ')
|
||||
|
||||
systemd_unit "sockethub_nodejs.service" do
|
||||
content <<-EOF
|
||||
[Unit]
|
||||
Description=Start sockethub
|
||||
Requires=redis-server.service
|
||||
After=redis-server.service
|
||||
|
||||
[Service]
|
||||
ExecStart=#{entry}
|
||||
User=#{user}
|
||||
Group=#{group}
|
||||
Environment=#{environment}
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
EOF
|
||||
triggers_reload true
|
||||
action [:create, :enable, :start]
|
||||
end
|
||||
|
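Review bot: The `Environment=#{environment}` line of the `systemd_unit` content is assembled by `environment_variables.map{|k, v| "'#{k}=#{v}'"}.join(' ')`, which single-quotes each value but never escapes one, so an attribute value containing `'` or a newline (`debug_logs` and `port` are free-form strings from node attributes) would silently produce a malformed unit instead of failing the converge. A one-line guard before the join keeps this honest: `environment_variables.each { |k, v| raise "sockethub: unsafe value for #{k}" if v.to_s.match?(/['\n]/) }`. The move from a pinned git `revision` to `npm_package "sockethub"` with `version node['sockethub']['version']` also means transitive dependencies are now resolved from the registry at converge time with no lockfile or integrity check; if reproducibility matters, record that trade-off in a comment next to the resource. Both hunks cut the recipe mid-file — the `user user do` resource opened in the first hunk closes at the top of the second.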
|
|
@ -26,8 +26,41 @@
|
|||
|
||||
include_recipe 'sockethub::_firewall'
|
||||
include_recipe 'kosmos-nginx'
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
|
||||
server_name = node['sockethub']['nginx']['server_name']
|
||||
|
||||
nginx_post_hook = <<-EOF
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -e
|
||||
|
||||
systemctl reload nginx
|
||||
EOF
|
||||
|
||||
file "/etc/letsencrypt/renewal-hooks/post/nginx" do
|
||||
content nginx_post_hook
|
||||
mode 0755
|
||||
owner "root"
|
||||
group "root"
|
||||
end
|
||||
|
||||
gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
|
||||
|
||||
template "/root/gandi_dns_certbot_hook.sh" do
|
||||
variables gandi_api_key: gandi_api_data_bag_item["key"]
|
||||
mode 0770
|
||||
end
|
||||
|
||||
# Generate a Let's Encrypt cert (only if no cert has been generated before).
|
||||
# The systemd timer will take care of renewing
|
||||
execute "letsencrypt cert for sockethub" do
|
||||
command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/nginx\" --email ops@kosmos.org -d #{server_name} -n"
|
||||
not_if do
|
||||
File.exist?("/etc/letsencrypt/live/#{server_name}/fullchain.pem")
|
||||
end
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
|
||||
source 'nginx_conf_sockethub.erb'
|
||||
owner 'www-data'
|
||||
|
@ -40,13 +73,7 @@ template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
|
|||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
# Legacy vhost
|
||||
nginx_site "sockethub" do
|
||||
action :disable
|
||||
end
|
||||
|
||||
nginx_site server_name do
|
||||
action :enable
|
||||
end
|
||||
|
||||
nginx_certbot_site server_name
|
||||
|
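Review bot: `template "/root/gandi_dns_certbot_hook.sh"` renders the Gandi API key from `data_bag_item('credentials', 'gandi_api_5apps')` into a script with `mode 0770`, no explicit owner and no `sensitive true`, so a credential that controls the DNS zone (and therefore certificate issuance) is group-writable and executable and is printed in Chef's diff output whenever the template changes. The resource should carry `owner 'root'`, `group 'root'`, `mode 0700` and `sensitive true`. Note also that this uses the plain `data_bag_item` loader while the hubot recipe in this commit uses `Chef::EncryptedDataBagItem.load` for its credentials; confirm whether `gandi_api_5apps` is stored encrypted and, if so, load it the same way. A comment on the `execute "letsencrypt cert for sockethub"` resource saying that renewals are handled by the certbot systemd timer (as the comment above it states) and that the post hook reloads nginx would complete the picture.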
|
|
@ -8,10 +8,13 @@ map $http_upgrade $connection_upgrade {
|
|||
'' close;
|
||||
}
|
||||
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
server {
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
listen <%= @sockethub_external_port %> ssl http2;
|
||||
add_header Strict-Transport-Security "max-age=15768000";
|
||||
<% else -%>
|
||||
listen <%= @sockethub_external_port %>;
|
||||
<% end -%>
|
||||
|
||||
server_name <%= @server_name %>;
|
||||
|
||||
|
@ -32,7 +35,8 @@ server {
|
|||
proxy_set_header Connection $connection_upgrade;
|
||||
}
|
||||
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
<% end -%>
|
||||
}
|
||||
<% end -%>
|
||||
|
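Review bot: Moving `server {` outside the `File.exist?(@ssl_cert) && File.exist?(@ssl_key)` check means that when the Let's Encrypt files are missing nginx now serves sockethub in plaintext on `@sockethub_external_port`, whereas before the vhost was simply absent. That is presumably deliberate so nginx can come up before certbot has issued a certificate, but the template does not say so, and a certificate that later disappears would silently downgrade clients to plaintext on the same port. Suggest a comment in the `<% else -%>` branch, e.g. `<%# no cert on disk yet: plaintext bootstrap listener, replaced by TLS on the next converge once certbot has run -%>`, and consider whether that branch should be a `return 444;` stub rather than a working proxy.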
|
|
@ -1,17 +0,0 @@
|
|||
[Unit]
|
||||
Description=Start nodejs app
|
||||
Requires=redis-server.service
|
||||
After=redis-server.service
|
||||
|
||||
[Service]
|
||||
ExecStart=<%= @entry %>
|
||||
WorkingDirectory=<%= @app_dir %>
|
||||
User=<%= @user %>
|
||||
Group=<%= @group %>
|
||||
<% unless @environment.empty? -%>
|
||||
Environment=<% @environment.each do |key, value| -%>'<%= key %>=<%= value %>' <% end %>
|
||||
<% end -%>
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
|
@ -0,0 +1,63 @@
|
|||
#!/usr/bin/env bash
|
||||
#
|
||||
|
||||
set -euf -o pipefail
|
||||
|
||||
# ************** USAGE **************
|
||||
#
|
||||
# Example usage (with this hook file saved in /root/):
|
||||
#
|
||||
# sudo su -
|
||||
# certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
|
||||
# --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
|
||||
#
|
||||
# This hook requires configuration, continue reading.
|
||||
#
|
||||
# ************** CONFIGURATION **************
|
||||
#
|
||||
# GANDI_API_KEY: Your Gandi Live API key
|
||||
#
|
||||
# PROVIDER_UPDATE_DELAY:
|
||||
# How many seconds to wait after updating your DNS records. This may be required,
|
||||
# depending on how slow your DNS host is to begin serving new DNS records after updating
|
||||
# them via the API. 30 seconds is a safe default, but some providers can be very slow
|
||||
# (e.g. Linode).
|
||||
#
|
||||
# Defaults to 30 seconds.
|
||||
#
|
||||
GANDI_API_KEY="<%= @gandi_api_key %>"
|
||||
PROVIDER_UPDATE_DELAY=30
|
||||
|
||||
regex='.*\.(.*\..*)'
|
||||
if [[ $CERTBOT_DOMAIN =~ $regex ]]
|
||||
then
|
||||
DOMAIN="${BASH_REMATCH[1]}"
|
||||
else
|
||||
DOMAIN="${CERTBOT_DOMAIN}"
|
||||
fi
|
||||
|
||||
# To be invoked via Certbot's --manual-auth-hook
|
||||
function auth {
|
||||
curl -s -D- -H "Content-Type: application/json" \
|
||||
-H "X-Api-Key: ${GANDI_API_KEY}" \
|
||||
-d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
|
||||
\"rrset_type\": \"TXT\",
|
||||
\"rrset_ttl\": 3600,
|
||||
\"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
|
||||
"https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
|
||||
|
||||
|
||||
sleep ${PROVIDER_UPDATE_DELAY}
|
||||
}
|
||||
|
||||
# To be invoked via Certbot's --manual-cleanup-hook
|
||||
function cleanup {
|
||||
curl -s -X DELETE -H "Content-Type: application/json" \
|
||||
-H "X-Api-Key: ${GANDI_API_KEY}" \
|
||||
https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
|
||||
}
|
||||
|
||||
HANDLER=$1; shift;
|
||||
if [ -n "$(type -t $HANDLER)" ] && [ "$(type -t $HANDLER)" = function ]; then
|
||||
$HANDLER "$@"
|
||||
fi
|
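Review bot: Both `curl` calls in `auth` and `cleanup` run with `-s` but without `--fail`, so an HTTP error from the Gandi API (revoked key, wrong zone) is swallowed, the script still sleeps `PROVIDER_UPDATE_DELAY` seconds and certbot only fails later with an unrelated DNS-validation message; `set -e` cannot catch this because curl exits 0 on HTTP error responses. Add `-f` to both invocations so the hook fails fast: `curl -sf -D- -H "Content-Type: application/json" \` and `curl -sf -X DELETE -H "Content-Type: application/json" \`. The usage header still refers to `/root/letsencrypt_hook.sh` and 5apps.com domains, while the proxy recipe installs this file as `/root/gandi_dns_certbot_hook.sh`; the comment should name the actual path. `${DOMAIN}` in the cleanup URL and `$HANDLER` in `type -t $HANDLER` are unquoted — harmless under `set -f` but worth quoting for consistency with the rest of the script — and `regex='.*\.(.*\..*)'` assumes a two-label zone, which suits `kosmos.org`-style zones but would mis-derive a zone under a multi-label public suffix.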