diff --git a/Gemfile.lock b/Gemfile.lock index 555c830..73984d3 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -248,6 +248,10 @@ GEM PLATFORMS x86_64-darwin-18 + x86_64-linux DEPENDENCIES knife-zero + +BUNDLED WITH + 2.2.15 diff --git a/README.md b/README.md index 7ff3f92..31772d0 100644 --- a/README.md +++ b/README.md @@ -44,3 +44,14 @@ Install cookbooks listed in Berksfile: Vendor installed cookbooks to the `cookbooks/` dir: berks vendor cookbooks/ --delete + +### "Expired" TLS certificates + +If you encounter expired TLS certificates during a Chef run (e.g. for remote +files), the issue is likely that the certificate has been issued by Let's +Encrypt and Chef is still using its own, outdated CA cert store (see +[here](https://github.com/chef/chef/issues/12126#issuecomment-932067530) for +example). + +As a hotfix, you can manually remove the "DST Root CA X3" cert from +`/opt/chef/embedded/ssl/cert.pem` on the machine you're trying to converge. diff --git a/clients/rsk-mainnet-1.json b/clients/rsk-mainnet-1.json new file mode 100644 index 0000000..7422123 --- /dev/null +++ b/clients/rsk-mainnet-1.json @@ -0,0 +1,4 @@ +{ + "name": "rsk-mainnet-1", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtavs6RQW6af9fWuEuhI1\nQa4Ff7Z1CfZ0fHz152UqUeUKatQ/psKVs5ULWDV/b69fSuNsUzkCny9OwtwyQB/F\n2U+vbv3/3As3z6i3V3q8q4ahCHd7tkMmxMLaWcdkfWbpupWTRkCEX+PSDKS0hdfp\n3EQKVA2FrqR0sSnnT+Q66kZw4/WJrNwtSLcps4D5OubG7xr/uUn3Vyv5qXvS/7kx\nGvMONs55qh64Gtc3FSFPEdVyZXasCMEWwXyadqzf+/qJtEYlK0Uy5E/u7CTsnmcH\n9TEiYVw0/6PomQ2HJfSlZVUUO007OliBHO9bWOwZ6qI5c53pt5KES0dyy6SQ4m+8\nawIDAQAB\n-----END PUBLIC KEY-----\n" +} \ No newline at end of file diff --git a/clients/rsk-testnet-2.json b/clients/rsk-testnet-2.json new file mode 100644 index 0000000..2739bd0 --- /dev/null +++ b/clients/rsk-testnet-2.json 
@@ -0,0 +1,4 @@ +{ + "name": "rsk-testnet-2", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzG2bgL0n5Q7bTR4WYHOB\nZNOuRem/jjarU/bL0VKKn0JqD3PPDAnhq9gRn7H8SwyGoVFN60YGzu45O4c+SqN3\nCXN+FeFabigH2tKLxBz3kNDYTT/F1ErLLi/6ydrCV3tpddR5KTqLSOntojG8KNzc\nyG4rMV9ebCE1wDVxAFdEA+YDZS8YjP0nO5sLWFacA0ZTx27t5ugqZP1acjSvKzWs\nZ+ekX5Pbws/oUHyaqEEPdz7er4MTBm0bdkCHZbM7132oBcH/huJZhmTXFEdoy4ML\nhP4MWWSvwo66HDYjnaID82a8W1RJZZu2irbPHrfVlaFAh8VQk1T1kkUu0bMovT3V\nYQIDAQAB\n-----END PUBLIC KEY-----\n" +} \ No newline at end of file diff --git a/data_bags/credentials/botka_freenode.json b/data_bags/credentials/botka_freenode.json deleted file mode 100644 index a72d4ae..0000000 --- a/data_bags/credentials/botka_freenode.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "id": "botka_freenode", - "rs_logger_token": { - "encrypted_data": "X/7BinesOs5sciifP2myTHzRyYA7q7GxHR92wlHKF1EnVD38GrfMxWFIUVsH\nYUjXr+mm\n", - "iv": "XcqCyyfIsqNJiVfX\n", - "auth_tag": "vPjh3was2w7pbDRYerGQFw==\n", - "version": 3, - "cipher": "aes-256-gcm" - }, - "nickserv_password": { - "encrypted_data": "bOr4bTbmGIL6YHAycVQCHX3fDsEgvJPtSKYPDyzbMIqn\n", - "iv": "hEmlqJ91R4Mxeab/\n", - "auth_tag": "o8qf0GBVR23IrPYOANywFw==\n", - "version": 3, - "cipher": "aes-256-gcm" - }, - "gcm_api_key": { - "encrypted_data": "flJe/qcddW54emG29ReJf5BqYyIEmpOK+dKabuZAx5t678Dt1CqLr/UmkeB+\nOcXwezOgr9qj3XHIVQ==\n", - "iv": "fD46RYO1hpk9zb9q\n", - "auth_tag": "ucPDMdVey1QeZmOmYEFiPw==\n", - "version": 3, - "cipher": "aes-256-gcm" - }, - "vapid_public_key": { - "encrypted_data": "RkyN3Sx4Hme2cBJKMSvXxt6b1rW7liqAG/fLSLMi4aeR9EAMMRf6gEdOLJms\n1WSVx4RU2z7oRTvkD0zwmKwOtNNeyRaJ6zUh/eYnPviBdKMrxvLOXPaQam7O\nCLF9QMHpngCumMPQuaWpHg==\n", - "iv": "WPqkc48gE/uJjLB9\n", - "auth_tag": "UxAnYr9jdCy2V/1gnDC/Og==\n", - "version": 3, - "cipher": "aes-256-gcm" - }, - "vapid_private_key": { - "encrypted_data": "2O+ESjSSsw3Z4RgTx4AIA3QGYc+zpRY2j0DyEqF1Rdak3prc7bMKmTHy7MwP\nJXGS08Mye5Pnt6sk45TfhoE=\n", - "iv": "8+PRuHXa73tLd3wf\n", - "auth_tag": "ofPSsKrP7Lgt1qiPcZ8isQ==\n", - "version": 3, - "cipher": "aes-256-gcm" - } -} \ No newline at end of file diff --git a/data_bags/credentials/botka_irc-libera-chat.json b/data_bags/credentials/botka_irc-libera-chat.json new file mode 100644 index 0000000..96547eb --- /dev/null +++ b/data_bags/credentials/botka_irc-libera-chat.json 
@@ -0,0 +1,38 @@ +{ + "id": "botka_irc-libera-chat", + "rs_logger_token": { + "encrypted_data": "2CYA4uMDMcTA3/TnoUkZ/WoB573oFn5oZk6zJmgc0MwCjYlKxhOTO6JZV5NF\nrQh0b6DS\n", + "iv": "ZDSklJrhSJknQTGJ\n", + "auth_tag": "RZVkeuP7iu1a/HkeIyM9/Q==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "nickserv_password": { + "encrypted_data": "NXPE0ouvPESbBVRDDg362LaHVfeOqo+BEh4PkE5XeA==\n", + "iv": "4iESOnvAyMLF2TNs\n", + "auth_tag": "PiJvYy++dZls1t+goXui2w==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "gcm_api_key": { + "encrypted_data": "QaF+kUTZbx3fK9QXua9QPq0f8ACZbrj+FEvlcMiv9x469OMOxTHfL2+cF6X2\nyK+1zYtl8byiMdLmSQ==\n", + "iv": "whutD4hY4htiEePI\n", + "auth_tag": "EF19h8haFSNHsOM/oVkcRQ==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "vapid_public_key": { + "encrypted_data": "dw1LEyE/hksxM+H0ExgIWXgrhFYzFo/dmps4/ct8mG2Se0ukYJ7OI5uJYI1E\nUaaZ+feqK2nic0GsnkaY++SI4Us+RNGoOu0J67CWooy8KIVdGGmxHx/rOI2L\n9S9zbo+8TE3KYBWrHa2jyw==\n", + "iv": "PaqtzI+RgtL/VeKE\n", + "auth_tag": "BPQcLAEWN4cPlrTylfwD/Q==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "vapid_private_key": { + "encrypted_data": "Czly/hPyXa529rlxe3Ab3ea/Hg53iSW3Mpz1d8Aimuojih9GhWWFytY8YH9T\nwAINhXw7toST5o3LLjQjPkk=\n", + "iv": "XZeA6abV1Fi9Q3wm\n", + "auth_tag": "02zb8q+WDLj+mF+bJRWXxQ==\n", + "version": 3, + "cipher": "aes-256-gcm" + } +} \ No newline at end of file diff --git a/nodes/akkounts-1.json b/nodes/akkounts-1.json index 411d304..93a1617 100644 --- a/nodes/akkounts-1.json +++ b/nodes/akkounts-1.json @@ -8,7 +8,7 @@ "automatic": { "fqdn": "akkounts-1", "os": "linux", - "os_version": "5.4.0-54-generic", + "os_version": "5.4.0-90-generic", "hostname": "akkounts-1", "ipaddress": "192.168.122.160", "roles": [ diff --git a/nodes/barnard.kosmos.org.json b/nodes/barnard.kosmos.org.json index c0055b0..9de80d0 100644 --- a/nodes/barnard.kosmos.org.json +++ b/nodes/barnard.kosmos.org.json 
@@ -97,11 +97,7 @@ "run_list": [ "role[base]", "recipe[kosmos-ipfs]", - "recipe[kosmos-hubot::botka_freenode]", - "recipe[kosmos-hubot::hal8000]", "recipe[kosmos-hubot::hal8000_xmpp]", - "recipe[sockethub]", - "recipe[sockethub::proxy]", "recipe[kosmos-dirsrv]" ] -} \ No newline at end of file +} diff --git a/nodes/centaurus.kosmos.org.json b/nodes/centaurus.kosmos.org.json index 539fe71..70f42cc 100644 --- a/nodes/centaurus.kosmos.org.json +++ b/nodes/centaurus.kosmos.org.json @@ -34,6 +34,7 @@ "kosmos_kvm::host", "kosmos-ejabberd::firewall", "kosmos_zerotier::firewall", + "sockethub::_firewall", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -85,6 +86,7 @@ "recipe[kosmos_assets::nginx_site]", "recipe[kosmos_kvm::host]", "recipe[kosmos-ejabberd::firewall]", - "recipe[kosmos_zerotier::firewall]" + "recipe[kosmos_zerotier::firewall]", + "recipe[sockethub::_firewall]" ] } \ No newline at end of file diff --git a/nodes/nodejs-2.json b/nodes/nodejs-2.json index 17fcf80..67f0e7d 100644 --- a/nodes/nodejs-2.json +++ b/nodes/nodejs-2.json @@ -8,19 +8,23 @@ "automatic": { "fqdn": "nodejs-2", "os": "linux", - "os_version": "5.4.0-1031-kvm", + "os_version": "5.4.0-1049-kvm", "hostname": "nodejs-2", "ipaddress": "192.168.122.243", "roles": [ - "kredits_github" + "kredits_github", + "sockethub" ], "recipes": [ "kosmos-base", "kosmos-base::default", - "kosmos-hubot::wormhole", + "kosmos-hubot::botka_irc-libera-chat", "kredits-github", "kredits-github::default", "kredits-github::nginx", + "sockethub", + "sockethub::default", + "sockethub::proxy", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -38,9 +42,12 @@ "kosmos-nodejs::default", "nodejs::nodejs_from_package", "nodejs::repo", - "kosmos-hubot::_user", - "git::default", - "git::package", + "kosmos-redis::default", + "redis::server", + "redis::default", + "backup::default", + "logrotate::default", + "kosmos-base::letsencrypt", "kosmos-nginx::default", "nginx::default", "nginx::package", 
@@ -51,7 +58,9 @@ "nginx::commons_script", "nginx::commons_conf", "kosmos-nginx::firewall", - "kosmos-base::letsencrypt" + "nodejs::npm", + "nodejs::install", + "sockethub::_firewall" ], "platform": "ubuntu", "platform_version": "20.04", @@ -69,7 +78,8 @@ }, "run_list": [ "recipe[kosmos-base]", - "recipe[kosmos-hubot::wormhole]", - "role[kredits_github]" + "recipe[kosmos-hubot::botka_irc-libera-chat]", + "role[kredits_github]", + "role[sockethub]" ] } \ No newline at end of file diff --git a/nodes/rsk-mainnet-1.json b/nodes/rsk-mainnet-1.json new file mode 100644 index 0000000..efc92a3 --- /dev/null +++ b/nodes/rsk-mainnet-1.json @@ -0,0 +1,57 @@ +{ + "name": "rsk-mainnet-1", + "normal": { + "knife_zero": { + "host": "10.1.1.137" + } + }, + "automatic": { + "fqdn": "rsk-mainnet-1", + "os": "linux", + "os_version": "5.4.0-1048-kvm", + "hostname": "rsk-mainnet-1", + "ipaddress": "192.168.122.233", + "roles": [ + "rsk_mainnet" + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "kosmos_rsk::rskj", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "ntp::apparmor", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default", + "firewall::default", + "chef-sugar::default" + ], + "platform": "ubuntu", + "platform_version": "20.04", + "cloud": null, + "chef_packages": { + "chef": { + "version": "17.6.18", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18/lib", + "chef_effortless": null + }, + "ohai": { + "version": "17.6.0", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.6.0/lib/ohai" + } + } + }, + "run_list": [ + "recipe[kosmos-base]", + "role[rsk_mainnet]" + ] +} \ No newline at end of file diff --git a/nodes/rsk-testnet-2.json b/nodes/rsk-testnet-2.json new file mode 100644 index 0000000..5735317 
--- /dev/null +++ b/nodes/rsk-testnet-2.json @@ -0,0 +1,57 @@ +{ + "name": "rsk-testnet-2", + "normal": { + "knife_zero": { + "host": "10.1.1.214" + } + }, + "automatic": { + "fqdn": "rsk-testnet-2", + "os": "linux", + "os_version": "5.4.0-1048-kvm", + "hostname": "rsk-testnet-2", + "ipaddress": "192.168.122.29", + "roles": [ + "rsk_testnet" + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "kosmos_rsk::rskj", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "ntp::apparmor", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default", + "firewall::default", + "chef-sugar::default" + ], + "platform": "ubuntu", + "platform_version": "20.04", + "cloud": null, + "chef_packages": { + "chef": { + "version": "17.6.18", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18/lib", + "chef_effortless": null + }, + "ohai": { + "version": "17.6.0", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.6.0/lib/ohai" + } + } + }, + "run_list": [ + "recipe[kosmos-base]", + "role[rsk_testnet]" + ] +} \ No newline at end of file diff --git a/roles/parity.rb b/roles/parity.rb deleted file mode 100644 index 69e1f1a..0000000 --- a/roles/parity.rb +++ /dev/null @@ -1,6 +0,0 @@ -name 'parity' - -run_list %w( - recipe[kosmos-parity::from_package] - recipe[kosmos-parity::node_dev] -) diff --git a/roles/rsk_mainnet.rb b/roles/rsk_mainnet.rb new file mode 100644 index 0000000..cfa58c1 --- /dev/null +++ b/roles/rsk_mainnet.rb @@ -0,0 +1,11 @@ +name "rsk_mainnet" + +run_list %w( + kosmos_rsk::rskj +) + +override_attributes( + :rskj => { + :network => "mainnet" + } +) diff --git a/roles/rsk_testnet.rb b/roles/rsk_testnet.rb new file mode 100644 index 0000000..281b45d --- /dev/null +++ b/roles/rsk_testnet.rb 
@@ -0,0 +1,5 @@
+name "rsk_testnet"
+
+run_list %w(
+ kosmos_rsk::rskj
+)
diff --git a/roles/sockethub.rb b/roles/sockethub.rb
new file mode 100644
index 0000000..277bd23
--- /dev/null
+++ b/roles/sockethub.rb
@@ -0,0 +1,6 @@
+name "sockethub"
+
+run_list %w(
+ sockethub::default
+ sockethub::proxy
+)
diff --git a/site-cookbooks/kosmos-hubot/attributes/default.rb b/site-cookbooks/kosmos-hubot/attributes/default.rb
index 9172f36..250134f 100644
--- a/site-cookbooks/kosmos-hubot/attributes/default.rb
+++ b/site-cookbooks/kosmos-hubot/attributes/default.rb
@@ -1,7 +1,6 @@
 node.default['hal8000']['http_port'] = 8080
-node.default['botka_freenode']['http_port'] = 8081
-node.default['botka_freenode']['domain'] = "freenode.botka.kosmos.org"
+node.default['botka_irc-libera-chat']['http_port'] = 8081
 node.default['hal8000_xmpp']['http_port'] = 8082
 node.default['hal8000_xmpp']['domain'] = "hal8000.chat.kosmos.org"
diff --git a/site-cookbooks/kosmos-hubot/recipes/botka_irc-libera-chat.rb b/site-cookbooks/kosmos-hubot/recipes/botka_irc-libera-chat.rb
new file mode 100644
index 0000000..5f569ec
--- /dev/null
+++ b/site-cookbooks/kosmos-hubot/recipes/botka_irc-libera-chat.rb
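Review bot: The `botka_irc-libera-chat` entry only gets an `http_port` here, while `hal8000_xmpp` on the following lines keeps its `domain` next to its port; the new botka recipe in this commit hardcodes `domain = "irc-libera-chat.botka.kosmos.chat"` instead. For consistency with the neighbouring attributes, add `node.default['botka_irc-libera-chat']['domain'] = "irc-libera-chat.botka.kosmos.chat"` here and let the recipe read `node[app_name]['domain']` the way it already reads `node[app_name]['http_port']`.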
@@ -0,0 +1,122 @@
+#
+# Cookbook Name:: kosmos-hubot
+# Recipe:: botka_irc-libera-chat
+#
+
+app_name = "botka_irc-libera-chat"
+app_path = "/opt/#{app_name}"
+app_user = "hubot"
+app_group = "hubot"
+domain = "irc-libera-chat.botka.kosmos.chat"
+
+build_essential app_name do
+ compile_time true
+end
+
+include_recipe "kosmos-nodejs"
+include_recipe "kosmos-redis"
+
+application app_path do
+ data_bag = Chef::EncryptedDataBagItem.load('credentials', app_name)
+
+ owner app_user
+ group app_group
+
+ git do
+ user app_user
+ group app_group
+ repository "https://gitea.kosmos.org/kosmos/botka.git"
+ revision "master"
+ end
+
+ file "#{app_path}/external-scripts.json" do
+ mode "0640"
+ owner app_user
+ group app_group
+ content [
+ "hubot-help",
+ "hubot-redis-brain",
+ "hubot-remotestorage-logger",
+ "hubot-web-push-notifications",
+ ].to_json
+ end
+
+ npm_install do
+ user app_user
+ end
+
+ execute "systemctl daemon-reload" do
+ command "systemctl daemon-reload"
+ action :nothing
+ end
+
+ template "/lib/systemd/system/#{app_name}.service" do
+ source 'nodejs.systemd.service.erb'
+ owner 'root'
+ group 'root'
+ mode '0644'
+ variables(
+ user: app_user,
+ group: app_group,
+ app_dir: app_path,
+ entry: "#{app_path}/bin/hubot -a irc",
+ environment: {
+ "HUBOT_LOG_LEVEL" => node.chef_environment == "development" ? "debug" : "info",
+ "HUBOT_IRC_USESSL" => "true",
+ "HUBOT_IRC_SERVER" => "irc.libera.chat",
+ "HUBOT_IRC_PORT" => "6697",
+ "HUBOT_IRC_NICK" => "botka",
+ "HUBOT_IRC_NICKSERV_USERNAME" => "botka",
+ "HUBOT_IRC_NICKSERV_PASSWORD" => data_bag['nickserv_password'],
+ "HUBOT_IRC_ROOMS" => "#kosmos,#kosmos-dev,#kosmos-random,#remotestorage,#hackerbeach,#unhosted,#sockethub,#mastodon",
+ "HUBOT_IRC_UNFLOOD" => "100",
+ "HUBOT_RSS_PRINTSUMMARY" => "false",
+ "HUBOT_RSS_PRINTERROR" => "false",
+ "HUBOT_RSS_IRCCOLORS" => "true",
+ "REDIS_URL" => "redis://localhost:6379/botka",
+ "EXPRESS_PORT" => node[app_name]['http_port'],
+ "HUBOT_AUTH_ADMIN" => "bkero,raucao",
+ "HUBOT_HELP_REPLY_IN_PRIVATE" => "true",
+ "RS_LOGGER_USER" => "kosmos@5apps.com",
+ "RS_LOGGER_TOKEN" => data_bag['rs_logger_token'],
+ "RS_LOGGER_SERVER_NAME" => "freenode",
+ "RS_LOGGER_PUBLIC" => "true",
+ "GCM_API_KEY" => data_bag['gcm_api_key'],
+ "VAPID_SUBJECT" => "https://kosmos.org",
+ "VAPID_PUBLIC_KEY" => data_bag['vapid_public_key'],
+ "VAPID_PRIVATE_KEY" => data_bag['vapid_private_key']
+ }
+ )
+ notifies :run, "execute[systemctl daemon-reload]", :delayed
+ notifies :restart, "service[#{app_name}]", :delayed
+ end
+
+ service app_name do
+ action [:enable, :start]
+ end
+end
+
+#
+# Nginx reverse proxy
+#
+unless node.chef_environment == "development"
+ include_recipe "kosmos-base::letsencrypt"
+ include_recipe "kosmos-nginx"
+
+ template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+ source 'nginx_conf_hubot.erb'
+ owner node["nginx"]["user"]
+ mode 0640
+ variables express_port: node[app_name]['http_port'],
+ server_name: domain,
+ ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+ notifies :reload, 'service[nginx]', :delayed
+ end
+
+ nginx_site domain do
+ action :enable
+ end
+
+ nginx_certbot_site domain
+end
diff --git a/site-cookbooks/kosmos_drone/recipes/default.rb b/site-cookbooks/kosmos_drone/recipes/default.rb
index f8629fc..a0a2017 100644
--- a/site-cookbooks/kosmos_drone/recipes/default.rb
+++ b/site-cookbooks/kosmos_drone/recipes/default.rb
@@ -2,27 +2,6 @@
 # Cookbook:: kosmos_drone
 # Recipe:: default
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2020, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 package "docker-compose"
 domain = "drone.kosmos.org"
diff --git a/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb b/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb
index 7854ce8..049a061 100644
--- a/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb
+++ b/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb
@@ -2,7 +2,7 @@ version: '3'
 services:
 drone-server:
- image: drone/drone:1
+ image: drone/drone:2.5
 ports:
 - "<%= @upstream_port %>:80"
@@ -19,7 +19,7 @@ services:
 - DRONE_RPC_SECRET=<%= @rpc_secret %>
 drone-runner:
- image: drone/drone-runner-docker:1
+ image: drone/drone-runner-docker:1.8
 command: agent
 restart: always
diff --git a/site-cookbooks/kosmos_gitea/attributes/default.rb b/site-cookbooks/kosmos_gitea/attributes/default.rb
index 5ede51d..a2d7925 100644
--- a/site-cookbooks/kosmos_gitea/attributes/default.rb
+++ b/site-cookbooks/kosmos_gitea/attributes/default.rb
@@ -1,6 +1,6 @@
-gitea_version = "1.14.6"
+gitea_version = "1.15.6"
 node.default["kosmos_gitea"]["version"] = gitea_version
 node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
-node.default["kosmos_gitea"]["binary_checksum"] = "20cc0a89421695320b077c9fe4f16996f03aaf9d24f661f8d2255794551c849b"
+node.default["kosmos_gitea"]["binary_checksum"] = "1b7473b5993e07b33fec58edbc1a90f15f040759ca4647e97317c33d5dfe58be"
 node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org"
 node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea"
diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb
index 22d148e..9a2bddf 100644
--- a/site-cookbooks/kosmos_gitea/recipes/default.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/default.rb
@@ -76,7 +76,7 @@ template "#{config_directory}/app.ini" do
 source "app.ini.erb"
 owner "git"
 group "git"
- mode "0640"
+ mode "0600"
 sensitive true
 variables working_directory: working_directory,
 git_home_directory: git_home_directory,
diff --git a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
index 04eab6e..e013a0d 100644
--- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
@@ -46,6 +46,7 @@ PASSWD = <%= @smtp_password %>
 [oauth2]
 JWT_SECRET = <%= @jwt_secret %>
+JWT_SIGNING_ALGORITHM = HS256
 [security]
 INTERNAL_TOKEN = <%= @internal_token %>
diff --git a/site-cookbooks/kosmos_rsk/attributes/default.rb b/site-cookbooks/kosmos_rsk/attributes/default.rb
index 48cc220..608edad 100644
--- a/site-cookbooks/kosmos_rsk/attributes/default.rb
+++ b/site-cookbooks/kosmos_rsk/attributes/default.rb
@@ -1,2 +1,2 @@
-node.default['rskj']['version'] = '2.2.0~focal'
+node.default['rskj']['version'] = '3.0.1~focal'
 node.default['rskj']['network'] = 'testnet'
diff --git a/site-cookbooks/kosmos_rsk/recipes/firewall.rb b/site-cookbooks/kosmos_rsk/recipes/firewall.rb
new file mode 100644
index 0000000..b1c9bcf
--- /dev/null
+++ b/site-cookbooks/kosmos_rsk/recipes/firewall.rb
@@ -0,0 +1,7 @@
+include_recipe 'firewall'
+
+firewall_rule 'rskj' do
+ port [4444,50505]
+ protocol :tcp
+ command :allow
+end
diff --git a/site-cookbooks/kosmos_rsk/recipes/rskj.rb b/site-cookbooks/kosmos_rsk/recipes/rskj.rb
index 0ec4a5d..ea9a7ab 100644
--- a/site-cookbooks/kosmos_rsk/recipes/rskj.rb
+++ b/site-cookbooks/kosmos_rsk/recipes/rskj.rb
@@ -30,10 +30,4 @@ service "rsk" do
 action [:enable, :start]
 end
-include_recipe 'firewall'
-
-firewall_rule 'rskj' do
- port [4444,50505]
- protocol :tcp
- command :allow
-end
+include_recipe 'kosmos_rsk::firewall'
diff --git a/site-cookbooks/sockethub/attributes/default.rb b/site-cookbooks/sockethub/attributes/default.rb
index 7935b9b..18a135b 100644
--- a/site-cookbooks/sockethub/attributes/default.rb
+++ b/site-cookbooks/sockethub/attributes/default.rb
@@ -1,4 +1,5 @@
 node.default['sockethub']['port'] = '10551'
 node.default['sockethub']['external_port'] = '10550'
-node.default['sockethub']['revision'] = 'v3.0.1'
+node.default['sockethub']['version'] = '4.1.0'
 node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org'
+node.default['sockethub']['debug_logs'] = 'sockethub*'
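Review bot: The new `JWT_SIGNING_ALGORITHM = HS256` line carries no explanation of why the algorithm is pinned, so a later reader of the template cannot tell whether it is a deliberate choice or a leftover. Given that `JWT_SECRET` on the line above is a symmetric secret, HS256 is presumably pinned so that secret keeps working across the Gitea upgrade in this commit rather than an asymmetric key pair being required — please confirm that is the reason. Suggest an ini comment above the line, e.g. `; HS256 keeps the symmetric JWT_SECRET above in use; an RS* algorithm would need a key pair instead`.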
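Review bot: The `firewall_rule 'rskj'` block opens both 4444 and 50505 to any source; 50505 is rskj's peer-to-peer port and has to be reachable, but 4444 is, by rskj's documented defaults, the JSON-RPC listener, and nothing in this recipe restricts who may call it. If the RPC interface is only needed by services on the same host or on a trusted network, split the rule and add a `source` restriction to the 4444 entry (the `firewall` cookbook's `firewall_rule` supports one), or bind the RPC listener to localhost in the rskj configuration and drop 4444 from the rule. The code is moved unchanged from `rskj.rb` (the next hunk on this page), so the exposure is pre-existing, but the move is a good moment to tighten it.
```ruby
include_recipe 'firewall'

# P2P port: must be reachable by other rskj peers.
firewall_rule 'rskj p2p' do
  port 50505
  protocol :tcp
  command :allow
end

# JSON-RPC port: only from trusted networks.
firewall_rule 'rskj rpc' do
  port 4444
  source 'TRUSTED_CIDR_PLACEHOLDER'
  protocol :tcp
  command :allow
end
```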
diff --git a/site-cookbooks/sockethub/metadata.rb b/site-cookbooks/sockethub/metadata.rb
index 0c5347b..db2d286 100644
--- a/site-cookbooks/sockethub/metadata.rb
+++ b/site-cookbooks/sockethub/metadata.rb
@@ -4,9 +4,8 @@ maintainer_email 'mail@kosmos.org'
 license 'MIT'
 description 'Installs/Configures sockethub'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '0.1.1'
+version '0.2.0'
-depends 'application_javascript'
 depends 'kosmos-redis'
 depends 'kosmos-nodejs'
 depends 'kosmos-nginx'
diff --git a/site-cookbooks/sockethub/recipes/default.rb b/site-cookbooks/sockethub/recipes/default.rb
index df30690..59f6412 100644
--- a/site-cookbooks/sockethub/recipes/default.rb
+++ b/site-cookbooks/sockethub/recipes/default.rb
@@ -27,11 +27,15 @@
 include_recipe 'kosmos-nodejs'
 include_recipe 'kosmos-redis'
-group "sockethub" do
+user = "sockethub"
+group = "sockethub"
+entry = "/usr/bin/sockethub"
+
+group group do
 gid 7625
 end
-user "sockethub" do
+user user do
 comment "sockethub user"
 uid 7625
 gid 7625
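Review bot: The new locals `user` and `group` carry the same names as the Chef resource DSL methods called two lines later, so `group group do` and `user user do` only work because Ruby treats an identifier followed by an argument as a method call; to a reader it looks like a typo, and the shadowing will bite the first time someone writes `user` or `group` in this recipe expecting the DSL. The botka recipe added in this same commit uses `app_user`/`app_group`; suggest the same here: `app_user = "sockethub"`, `app_group = "sockethub"`, then `group app_group do` / `user app_user do`, with the matching `#{app_user}`/`#{app_group}` in the unit heredoc of the next hunk.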
@@ -39,47 +43,43 @@ user "sockethub" do
 shell "/bin/bash"
 end
-path_to_deploy = "/opt/sockethub"
-application path_to_deploy do
- owner "sockethub"
- group "sockethub"
-
- git do
- user "sockethub"
- group "sockethub"
- repository 'https://github.com/sockethub/sockethub.git'
- revision node['sockethub']['revision']
- end
-
- npm_install do
- user "sockethub"
- end
-
- execute "systemctl daemon-reload" do
- command "systemctl daemon-reload"
- action :nothing
- end
-
- template "/lib/systemd/system/sockethub_nodejs.service" do
- source 'nodejs.systemd.service.erb'
- owner 'root'
- group 'root'
- mode '0644'
- variables(
- user: "sockethub",
- group: "sockethub",
- app_dir: path_to_deploy,
- entry: "/usr/bin/node /usr/bin/npm start",
- environment: { 'DEBUG' => '*',
- 'PORT' => node['sockethub']['port'],
- # Use the second database (index starts at 0)
- 'REDIS_URL' => "redis://localhost:6379/1" }
- )
- notifies :run, "execute[systemctl daemon-reload]", :delayed
- notifies :restart, "service[sockethub_nodejs]", :delayed
- end
-
- service "sockethub_nodejs" do
- action [:enable, :start]
- end
+npm_package "sockethub" do
+ version node['sockethub']['version']
+end
+
+execute "systemctl daemon-reload" do
+ command "systemctl daemon-reload"
+ action :nothing
+end
+
+environment_variables = {
+ 'PORT' => node['sockethub']['port'],
+ # Use the second database (index starts at 0)
+ 'REDIS_URL' => "redis://localhost:6379/1"
+}
+unless node['sockethub']['debug_logs'].nil?
+ environment_variables['DEBUG'] = node['sockethub']['debug_logs']
+end
+
+environment = environment_variables.map{|k, v| "'#{k}=#{v}'"}.join(' ')
+
+systemd_unit "sockethub_nodejs.service" do
+ content <<-EOF
+[Unit]
+Description=Start sockethub
+Requires=redis-server.service
+After=redis-server.service
+
+[Service]
+ExecStart=#{entry}
+User=#{user}
+Group=#{group}
+Environment=#{environment}
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+ EOF
+ triggers_reload true
+ action [:create, :enable, :start]
+end
diff --git a/site-cookbooks/sockethub/recipes/proxy.rb b/site-cookbooks/sockethub/recipes/proxy.rb
index b707693..29c753c 100644
--- a/site-cookbooks/sockethub/recipes/proxy.rb
+++ b/site-cookbooks/sockethub/recipes/proxy.rb
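Review bot: The `execute "systemctl daemon-reload"` resource kept near the top of this hunk is no longer notified by anything — the `systemd_unit` below handles that with `triggers_reload true` — so it is dead, and at the same time the unit the removed `application` block used to write to `/lib/systemd/system/sockethub_nodejs.service` is never deleted; `systemd_unit` writes under `/etc/systemd/system/`, which shadows the `/lib` copy, so on any host converged with the previous version a stale unit with the old `ExecStart` and `DEBUG='*'` stays on disk. Either drop the execute resource or put it to use by removing the old unit file, as below; the old `/opt/sockethub` checkout is likewise left behind and may deserve the same treatment. Note too that `:start` on the new unit is a no-op when the old process is already running, so such a host keeps the old `ExecStart` until an explicit restart — worth a comment if migration of existing hosts is expected.
```ruby
# … unchanged: npm_package …

execute "systemctl daemon-reload" do
  command "systemctl daemon-reload"
  action :nothing
end

# Unit installed by the previous application-resource based recipe; the
# systemd_unit below lives in /etc/systemd/system and would shadow it.
file "/lib/systemd/system/sockethub_nodejs.service" do
  action :delete
  notifies :run, "execute[systemctl daemon-reload]", :immediately
end

# … unchanged: environment_variables, systemd_unit …
```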
@@ -26,8 +26,41 @@
 include_recipe 'sockethub::_firewall'
 include_recipe 'kosmos-nginx'
+include_recipe "kosmos-base::letsencrypt"
+
 server_name = node['sockethub']['nginx']['server_name']
+nginx_post_hook = <<-EOF
+#!/usr/bin/env bash
+
+set -e
+
+systemctl reload nginx
+EOF
+
+file "/etc/letsencrypt/renewal-hooks/post/nginx" do
+ content nginx_post_hook
+ mode 0755
+ owner "root"
+ group "root"
+end
+
+gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
+
+template "/root/gandi_dns_certbot_hook.sh" do
+ variables gandi_api_key: gandi_api_data_bag_item["key"]
+ mode 0770
+end
+
+# Generate a Let's Encrypt cert (only if no cert has been generated before).
+# The systemd timer will take care of renewing
+execute "letsencrypt cert for sockethub" do
+ command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/nginx\" --email ops@kosmos.org -d #{server_name} -n"
+ not_if do
+ File.exist?("/etc/letsencrypt/live/#{server_name}/fullchain.pem")
+ end
+end
+
 template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
 source 'nginx_conf_sockethub.erb'
 owner 'www-data'
@@ -40,13 +73,7 @@ template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
 notifies :reload, 'service[nginx]', :delayed
 end
-# Legacy vhost
-nginx_site "sockethub" do
- action :disable
-end
-
 nginx_site server_name do
 action :enable
 end
-nginx_certbot_site server_name
diff --git a/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb b/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb
index 4ed2689..a25bd84 100644
--- a/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb
+++ b/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb
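Review bot: `template "/root/gandi_dns_certbot_hook.sh"` renders the Gandi API key from `gandi_api_data_bag_item["key"]` into the script but sets `mode 0770` with no `owner`/`group` and no `sensitive true`, so the key is readable by the file's group rather than root alone and is echoed into the chef-client diff output every time the template changes. Tighten the resource to `owner "root"`, `group "root"`, `mode 0700` and add `sensitive true`; root is the only user that needs to run the hook, since certbot is invoked from the `execute` below as root. The `execute "letsencrypt cert for sockethub"` command references the hook by its absolute path, so the filename in the template resource and in that command have to stay in sync — a short comment above the template saying it is the auth/cleanup hook for that execute would make the coupling visible.
```ruby
template "/root/gandi_dns_certbot_hook.sh" do
  variables gandi_api_key: gandi_api_data_bag_item["key"]
  owner "root"
  group "root"
  mode 0700
  sensitive true
end
```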
@@ -8,10 +8,13 @@ map $http_upgrade $connection_upgrade {
 '' close;
 }
-<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
+ <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 listen <%= @sockethub_external_port %> ssl http2;
 add_header Strict-Transport-Security "max-age=15768000";
+ <% else -%>
+ listen <%= @sockethub_external_port %>;
+ <% end -%>
 server_name <%= @server_name %>;
@@ -32,7 +35,8 @@ server {
 proxy_set_header Connection $connection_upgrade;
 }
+ <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 ssl_certificate <%= @ssl_cert %>;
 ssl_certificate_key <%= @ssl_key %>;
+ <% end -%>
 }
-<% end -%>
diff --git a/site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb b/site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb
deleted file mode 100644
index 8dc98a9..0000000
--- a/site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb
+++ /dev/null
@@ -1,17 +0,0 @@
-[Unit]
-Description=Start nodejs app
-Requires=redis-server.service
-After=redis-server.service
-
-[Service]
-ExecStart=<%= @entry %>
-WorkingDirectory=<%= @app_dir %>
-User=<%= @user %>
-Group=<%= @group %>
-<% unless @environment.empty? -%>
-Environment=<% @environment.each do |key, value| -%>'<%= key %>=<%= value %>' <% end %>
-<% end -%>
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
diff --git a/site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb b/site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb
new file mode 100755
index 0000000..d0ed9dc
--- /dev/null
+++ b/site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb
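Review bot: The new `<% else -%>` branch in the first hunk makes the vhost listen on `@sockethub_external_port` in plain text whenever `@ssl_cert`/`@ssl_key` are missing, without the HSTS header, and nothing in the template records that this is only meant as a bootstrap state until certbot has produced the files. Since `proxy.rb` in this commit runs the certbot `execute` before this template is rendered, the plaintext branch should only be reached when that step failed or was skipped, so add an ERB comment above `<% else -%>` making that explicit, e.g. `<%# No certificate yet (certbot step failed or not run): plain HTTP until the next converge %>`. It is also worth deciding whether failing the converge would be preferable to silently exposing the WebSocket proxy without TLS; the same `File.exist?` condition is repeated in the second hunk, so if it stays, a single local like `<% have_cert = File.exist?(@ssl_cert) && File.exist?(@ssl_key) %>` at the top would avoid the duplication.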
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+#
+
+set -euf -o pipefail
+
+# ************** USAGE **************
+#
+# Example usage (with this hook file saved in /root/):
+#
+# sudo su -
+# certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
+# --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
+#
+# This hook requires configuration, continue reading.
+#
+# ************** CONFIGURATION **************
+#
+# GANDI_API_KEY: Your Gandi Live API key
+#
+# PROVIDER_UPDATE_DELAY:
+# How many seconds to wait after updating your DNS records. This may be required,
+# depending on how slow your DNS host is to begin serving new DNS records after updating
+# them via the API. 30 seconds is a safe default, but some providers can be very slow
+# (e.g. Linode).
+#
+# Defaults to 30 seconds.
+#
+GANDI_API_KEY="<%= @gandi_api_key %>"
+PROVIDER_UPDATE_DELAY=30
+
+regex='.*\.(.*\..*)'
+if [[ $CERTBOT_DOMAIN =~ $regex ]]
+then
+ DOMAIN="${BASH_REMATCH[1]}"
+else
+ DOMAIN="${CERTBOT_DOMAIN}"
+fi
+
+# To be invoked via Certbot's --manual-auth-hook
+function auth {
+ curl -s -D- -H "Content-Type: application/json" \
+ -H "X-Api-Key: ${GANDI_API_KEY}" \
+ -d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
+ \"rrset_type\": \"TXT\",
+ \"rrset_ttl\": 3600,
+ \"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
+ "https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
+
+
+ sleep ${PROVIDER_UPDATE_DELAY}
+}
+
+# To be invoked via Certbot's --manual-cleanup-hook
+function cleanup {
+ curl -s -X DELETE -H "Content-Type: application/json" \
+ -H "X-Api-Key: ${GANDI_API_KEY}" \
+ https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
+}
+
+HANDLER=$1; shift;
+if [ -n "$(type -t $HANDLER)" ] && [ "$(type -t $HANDLER)" = function ]; then
+ $HANDLER "$@"
+fi
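Review bot: The dispatcher at the bottom of the script exits 0 when `$1` is not one of the defined functions, so a mistyped hook name makes certbot believe the auth hook succeeded and then fail later at validation with a misleading error; replace the `if` with an `if … else … exit 1` that reports the unknown handler on stderr, as below. While there, quote the expansions the script leaves bare — `type -t "$HANDLER"`, `sleep "${PROVIDER_UPDATE_DELAY}"`, and the cleanup URL on the `https://dns.api.gandi.net/...` line, which is the only unquoted one of the two. In `auth`, `curl -s` hides HTTP error responses from the Gandi API, so on a rejected request the hook still sleeps and returns 0; `curl -sS --fail` makes it exit non-zero under `set -e` and certbot then reports the hook failure instead. The usage comment at the top still names the hook `/root/letsencrypt_hook.sh`, whereas `proxy.rb` in this commit installs it as `/root/gandi_dns_certbot_hook.sh`. The `regex` extraction keeps only the last two labels of `CERTBOT_DOMAIN`, which is fine for `sockethub.kosmos.org` but would pick the wrong zone for multi-label registries; a one-line comment stating that assumption would help the next reader.
```bash
# … unchanged: configuration, DOMAIN extraction, auth and cleanup functions …

HANDLER=${1:?usage: $0 auth|cleanup}; shift
if [[ "$(type -t "$HANDLER")" == function ]]; then
  "$HANDLER" "$@"
else
  printf 'unknown handler: %s\n' "$HANDLER" >&2
  exit 1
fi
```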