From 29a5947d18ba3b84d8573de854bd840f538f3909 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 25 Mar 2020 12:43:39 +0100 Subject: [PATCH 01/24] Deploy Sockethub from the npm package This is currently 3.1.4 and is set as an attribute. The recipe is very simple now, it installs the npm package, and the systemd service runs /usr/bin/sockethub and sets the environment variables Closes #145 --- .../sockethub/attributes/default.rb | 2 +- site-cookbooks/sockethub/metadata.rb | 3 +- site-cookbooks/sockethub/recipes/default.rb | 72 ++++++++----------- .../default/nginx_conf_sockethub.erb | 8 ++- .../default/nodejs.systemd.service.erb | 1 - 5 files changed, 37 insertions(+), 49 deletions(-) diff --git a/site-cookbooks/sockethub/attributes/default.rb b/site-cookbooks/sockethub/attributes/default.rb index 7935b9b..c3a9599 100644 --- a/site-cookbooks/sockethub/attributes/default.rb +++ b/site-cookbooks/sockethub/attributes/default.rb @@ -1,4 +1,4 @@ node.default['sockethub']['port'] = '10551' node.default['sockethub']['external_port'] = '10550' -node.default['sockethub']['revision'] = 'v3.0.1' +node.default['sockethub']['version'] = '3.1.4' node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org' diff --git a/site-cookbooks/sockethub/metadata.rb b/site-cookbooks/sockethub/metadata.rb index 0c5347b..db2d286 100644 --- a/site-cookbooks/sockethub/metadata.rb +++ b/site-cookbooks/sockethub/metadata.rb @@ -4,9 +4,8 @@ maintainer_email 'mail@kosmos.org' license 'MIT' description 'Installs/Configures sockethub' long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) -version '0.1.1' +version '0.2.0' -depends 'application_javascript' depends 'kosmos-redis' depends 'kosmos-nodejs' depends 'kosmos-nginx' diff --git a/site-cookbooks/sockethub/recipes/default.rb b/site-cookbooks/sockethub/recipes/default.rb index df30690..156ada0 100644 --- a/site-cookbooks/sockethub/recipes/default.rb 
+++ b/site-cookbooks/sockethub/recipes/default.rb @@ -39,47 +39,33 @@ user "sockethub" do shell "/bin/bash" end -path_to_deploy = "/opt/sockethub" -application path_to_deploy do - owner "sockethub" - group "sockethub" - - git do - user "sockethub" - group "sockethub" - repository 'https://github.com/sockethub/sockethub.git' - revision node['sockethub']['revision'] - end - - npm_install do - user "sockethub" - end - - execute "systemctl daemon-reload" do - command "systemctl daemon-reload" - action :nothing - end - - template "/lib/systemd/system/sockethub_nodejs.service" do - source 'nodejs.systemd.service.erb' - owner 'root' - group 'root' - mode '0644' - variables( - user: "sockethub", - group: "sockethub", - app_dir: path_to_deploy, - entry: "/usr/bin/node /usr/bin/npm start", - environment: { 'DEBUG' => '*', - 'PORT' => node['sockethub']['port'], - # Use the second database (index starts at 0) - 'REDIS_URL' => "redis://localhost:6379/1" } - ) - notifies :run, "execute[systemctl daemon-reload]", :delayed - notifies :restart, "service[sockethub_nodejs]", :delayed - end - - service "sockethub_nodejs" do - action [:enable, :start] - end +npm_package "sockethub" do + version node['sockethub']['version'] +end + +execute "systemctl daemon-reload" do + command "systemctl daemon-reload" + action :nothing +end + +template "/lib/systemd/system/sockethub_nodejs.service" do + source 'nodejs.systemd.service.erb' + owner 'root' + group 'root' + mode '0644' + variables( + user: "sockethub", + group: "sockethub", + entry: "/usr/bin/sockethub", + environment: { 'DEBUG' => '*', + 'PORT' => node['sockethub']['port'], + # Use the second database (index starts at 0) + 'REDIS_URL' => "redis://localhost:6379/1" } + ) + notifies :run, "execute[systemctl daemon-reload]", :delayed + notifies :restart, "service[sockethub_nodejs]", :delayed +end + +service "sockethub_nodejs" do + action [:enable, :start] end 
diff --git a/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb b/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb index 4ed2689..a25bd84 100644 --- a/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb +++ b/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb @@ -8,10 +8,13 @@ map $http_upgrade $connection_upgrade { '' close; } -<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> server { + <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> listen <%= @sockethub_external_port %> ssl http2; add_header Strict-Transport-Security "max-age=15768000"; + <% else -%> + listen <%= @sockethub_external_port %>; + <% end -%> server_name <%= @server_name %>; @@ -32,7 +35,8 @@ server { proxy_set_header Connection $connection_upgrade; } + <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> ssl_certificate <%= @ssl_cert %>; ssl_certificate_key <%= @ssl_key %>; + <% end -%> } -<% end -%> diff --git a/site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb b/site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb index 8dc98a9..2c42623 100644 --- a/site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb +++ b/site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb @@ -5,7 +5,6 @@ After=redis-server.service [Service] ExecStart=<%= @entry %> -WorkingDirectory=<%= @app_dir %> User=<%= @user %> Group=<%= @group %> <% unless @environment.empty? -%> From 43736cd8e9c78d970af99898e5aab77ba974bfd3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 25 Mar 2020 17:51:28 +0100 Subject: [PATCH 02/24] Move the debug logs env variable to an attribute Set it to 'sockethub*' for now as Nick advised, see https://gitea.kosmos.org/kosmos/chef/issues/91 --- site-cookbooks/sockethub/attributes/default.rb | 1 + site-cookbooks/sockethub/recipes/default.rb | 14 ++++++++++---- 2 files changed, 11 insertions(+), 4 deletions(-) 
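Review bot: The new `else` branch makes nginx `listen <%= @sockethub_external_port %>;` in plain HTTP on the same externally reachable port whenever the certificate files are missing, where the old template emitted no server block at all, so a fresh node (or one whose `/etc/letsencrypt/live/...` directory is lost) proxies the sockethub websocket unencrypted until a later Chef run finds a cert. HTTP-01 validation uses port 80, not this port, so the plaintext listener does not appear to be needed for certificate issuance; either bind it to `listen 127.0.0.1:<%= @sockethub_external_port %>;` or add a comment such as `<%# bootstrap-only: plain HTTP until the Let's Encrypt cert exists %>` so the exposure is a documented choice. The `ssl_certificate` lines are guarded by the same `File.exist?` test, so the two conditionals stay consistent.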
diff --git a/site-cookbooks/sockethub/attributes/default.rb b/site-cookbooks/sockethub/attributes/default.rb index c3a9599..5d74c1a 100644 --- a/site-cookbooks/sockethub/attributes/default.rb +++ b/site-cookbooks/sockethub/attributes/default.rb @@ -2,3 +2,4 @@ node.default['sockethub']['port'] = '10551' node.default['sockethub']['external_port'] = '10550' node.default['sockethub']['version'] = '3.1.4' node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org' +node.default['sockethub']['debug_logs'] = 'sockethub*' diff --git a/site-cookbooks/sockethub/recipes/default.rb b/site-cookbooks/sockethub/recipes/default.rb index 156ada0..052a927 100644 --- a/site-cookbooks/sockethub/recipes/default.rb +++ b/site-cookbooks/sockethub/recipes/default.rb @@ -48,6 +48,15 @@ execute "systemctl daemon-reload" do action :nothing end +environment_variables = { + 'PORT' => node['sockethub']['port'], + # Use the second database (index starts at 0) + 'REDIS_URL' => "redis://localhost:6379/1" +} +unless node['sockethub']['debug_logs'].nil? + environment_variables['DEBUG'] = node['sockethub']['debug_logs'] +end + template "/lib/systemd/system/sockethub_nodejs.service" do source 'nodejs.systemd.service.erb' owner 'root' @@ -57,10 +66,7 @@ template "/lib/systemd/system/sockethub_nodejs.service" do user: "sockethub", group: "sockethub", entry: "/usr/bin/sockethub", - environment: { 'DEBUG' => '*', - 'PORT' => node['sockethub']['port'], - # Use the second database (index starts at 0) - 'REDIS_URL' => "redis://localhost:6379/1" } + environment: environment_variables ) notifies :run, "execute[systemctl daemon-reload]", :delayed notifies :restart, "service[sockethub_nodejs]", :delayed From e9c86081f7fdfdb1464fbb365b736698dc963734 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Fri, 9 Jul 2021 11:32:11 +0200 Subject: [PATCH 03/24] Update sockethub to the latest npm release --- site-cookbooks/sockethub/attributes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/sockethub/attributes/default.rb b/site-cookbooks/sockethub/attributes/default.rb index 5d74c1a..c852d3b 100644 --- a/site-cookbooks/sockethub/attributes/default.rb +++ b/site-cookbooks/sockethub/attributes/default.rb @@ -1,5 +1,5 @@ node.default['sockethub']['port'] = '10551' node.default['sockethub']['external_port'] = '10550' -node.default['sockethub']['version'] = '3.1.4' +node.default['sockethub']['version'] = '4.0.1' node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org' node.default['sockethub']['debug_logs'] = 'sockethub*' From d135b3873c3c05c8cdaa065ced017ea8f7d1a936 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Fri, 9 Jul 2021 11:32:33 +0200 Subject: [PATCH 04/24] Switch to a systemd unit Chef resource --- site-cookbooks/sockethub/recipes/default.rb | 44 +++++++++++-------- .../default/nodejs.systemd.service.erb | 16 ------- 2 files changed, 26 insertions(+), 34 deletions(-) delete mode 100644 site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb diff --git a/site-cookbooks/sockethub/recipes/default.rb b/site-cookbooks/sockethub/recipes/default.rb index 052a927..59f6412 100644 --- a/site-cookbooks/sockethub/recipes/default.rb +++ b/site-cookbooks/sockethub/recipes/default.rb @@ -27,11 +27,15 @@ include_recipe 'kosmos-nodejs' include_recipe 'kosmos-redis' -group "sockethub" do +user = "sockethub" +group = "sockethub" +entry = "/usr/bin/sockethub" + +group group do gid 7625 end -user "sockethub" do +user user do comment "sockethub user" uid 7625 gid 7625 
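Review bot: The new locals `user`, `group` and `entry` shadow the Chef resource methods of the same name, so `group group do` and `user user do` only work because Ruby parses an identifier followed by an argument as a method call even when a local of that name exists; it runs, but a reader has to know that rule to see which `group` is which. The kosmos-hubot recipe later on this page uses `app_user`/`app_group` for the same purpose; renaming to `sockethub_user = "sockethub"`, `sockethub_group = "sockethub"` and `sockethub_entry = "/usr/bin/sockethub"` (and updating the references in the systemd_unit heredoc) removes the ambiguity. The `user` resource whose `uid`/`gid` lines close this hunk continues past it.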
@@ -57,21 +61,25 @@ unless node['sockethub']['debug_logs'].nil? environment_variables['DEBUG'] = node['sockethub']['debug_logs'] end -template "/lib/systemd/system/sockethub_nodejs.service" do - source 'nodejs.systemd.service.erb' - owner 'root' - group 'root' - mode '0644' - variables( - user: "sockethub", - group: "sockethub", - entry: "/usr/bin/sockethub", - environment: environment_variables - ) - notifies :run, "execute[systemctl daemon-reload]", :delayed - notifies :restart, "service[sockethub_nodejs]", :delayed -end +environment = environment_variables.map{|k, v| "'#{k}=#{v}'"}.join(' ') -service "sockethub_nodejs" do - action [:enable, :start] +systemd_unit "sockethub_nodejs.service" do + content <<-EOF +[Unit] +Description=Start sockethub +Requires=redis-server.service +After=redis-server.service + +[Service] +ExecStart=#{entry} +User=#{user} +Group=#{group} +Environment=#{environment} +Restart=always + +[Install] +WantedBy=multi-user.target + EOF + triggers_reload true + action [:create, :enable, :start] end diff --git a/site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb b/site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb deleted file mode 100644 index 2c42623..0000000 --- a/site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb +++ /dev/null @@ -1,16 +0,0 @@ -[Unit] -Description=Start nodejs app -Requires=redis-server.service -After=redis-server.service - -[Service] -ExecStart=<%= @entry %> -User=<%= @user %> -Group=<%= @group %> -<% unless @environment.empty? -%> -Environment=<% @environment.each do |key, value| -%>'<%= key %>=<%= value %>' <% end %> -<% end -%> -Restart=always - -[Install] -WantedBy=multi-user.target From 7c2aae66501139277cbf817255635f8eae7b25a5 Mon Sep 17 00:00:00 2001 
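Review bot: `Environment=#{environment}` interpolates attribute values into the unit with nothing but literal single quotes around each `KEY=VALUE`, so a value containing `'`, whitespace, a newline or `%` (a systemd specifier character) would corrupt the unit or be mangled at load; `PORT` and `REDIS_URL` are fixed here and `debug_logs` is an attribute, so the risk today is low, but a comment like `# values are not escaped: keep attribute values free of quotes, whitespace and '%'` above the `map` would warn the next editor. Now that the unit is written inline it is also the natural place for basic sandboxing (`NoNewPrivileges=true`, `ProtectSystem=full`, `PrivateTmp=true`) for a network-facing Node process. With `triggers_reload true` the resource reloads systemd itself, so the `execute "systemctl daemon-reload"` resource introduced in patch 01 appears to have no remaining notifier — confirm nothing else notifies it and drop it if so. Style: `map{|k, v| ...}` should be `map { |k, v| ... }`.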
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Fri, 9 Jul 2021 11:52:58 +0200 Subject: [PATCH 05/24] Add sockethub to nodejs-2's run list --- nodes/nodejs-2.json | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/nodes/nodejs-2.json b/nodes/nodejs-2.json index 17fcf80..85d5115 100644 --- a/nodes/nodejs-2.json +++ b/nodes/nodejs-2.json @@ -21,6 +21,8 @@ "kredits-github", "kredits-github::default", "kredits-github::nginx", + "sockethub", + "sockethub::default", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -51,6 +53,13 @@ "nginx::commons_script", "nginx::commons_conf", "kosmos-nginx::firewall", + "kosmos-redis::default", + "redis::server", + "redis::default", + "backup::default", + "logrotate::default", + "nodejs::npm", + "nodejs::install", "kosmos-base::letsencrypt" ], "platform": "ubuntu", @@ -70,6 +79,7 @@ "run_list": [ "recipe[kosmos-base]", "recipe[kosmos-hubot::wormhole]", - "role[kredits_github]" + "role[kredits_github]", + "recipe[sockethub::default]" ] } \ No newline at end of file From b5e7e4ab8574ed41a37572a279f86f8475304ce8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 14 Jul 2021 10:13:35 +0200 Subject: [PATCH 06/24] Use DNS validation to generate/renew the TLS cert --- site-cookbooks/sockethub/recipes/proxy.rb | 39 ++++++++++-- .../templates/gandi_dns_certbot_hook.sh.erb | 63 +++++++++++++++++++ 2 files changed, 96 insertions(+), 6 deletions(-) create mode 100755 site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb diff --git a/site-cookbooks/sockethub/recipes/proxy.rb b/site-cookbooks/sockethub/recipes/proxy.rb index b707693..29c753c 100644 --- a/site-cookbooks/sockethub/recipes/proxy.rb +++ b/site-cookbooks/sockethub/recipes/proxy.rb 
@@ -26,8 +26,41 @@ include_recipe 'sockethub::_firewall' include_recipe 'kosmos-nginx' +include_recipe "kosmos-base::letsencrypt" + server_name = node['sockethub']['nginx']['server_name'] +nginx_post_hook = <<-EOF +#!/usr/bin/env bash + +set -e + +systemctl reload nginx +EOF + +file "/etc/letsencrypt/renewal-hooks/post/nginx" do + content nginx_post_hook + mode 0755 + owner "root" + group "root" +end + +gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps') + +template "/root/gandi_dns_certbot_hook.sh" do + variables gandi_api_key: gandi_api_data_bag_item["key"] + mode 0770 +end + +# Generate a Let's Encrypt cert (only if no cert has been generated before). +# The systemd timer will take care of renewing +execute "letsencrypt cert for sockethub" do + command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/nginx\" --email ops@kosmos.org -d #{server_name} -n" + not_if do + File.exist?("/etc/letsencrypt/live/#{server_name}/fullchain.pem") + end +end + template "#{node['nginx']['dir']}/sites-available/#{server_name}" do source 'nginx_conf_sockethub.erb' owner 'www-data' @@ -40,13 +73,7 @@ template "#{node['nginx']['dir']}/sites-available/#{server_name}" do notifies :reload, 'service[nginx]', :delayed end -# Legacy vhost -nginx_site "sockethub" do - action :disable -end - nginx_site server_name do action :enable end -nginx_certbot_site server_name diff --git a/site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb b/site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb new file mode 100755 index 0000000..d0ed9dc --- /dev/null +++ b/site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb 
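Review bot: `template "/root/gandi_dns_certbot_hook.sh"` renders the Gandi API key into the script with `mode 0770` and no `owner`/`group`, which leaves a secret-bearing file group-writable and group-executable for whatever group chef-client runs under; since only certbot (as root) executes it, `mode 0700`, `owner "root"`, `group "root"` is the right setting, and `sensitive true` on the resource keeps the key out of the chef-client diff output. The item is read with plain `data_bag_item` while the other recipes on this page use `Chef::EncryptedDataBagItem.load`; `data_bag_item` does decrypt an encrypted item when a secret is configured, but it is worth confirming `gandi_api_5apps` is stored encrypted rather than in the clear. The same `sensitive true` consideration applies to nothing else in this hunk, as the nginx post hook contains no secrets.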
@@ -0,0 +1,63 @@ +#!/usr/bin/env bash +# + +set -euf -o pipefail + +# ************** USAGE ************** +# +# Example usage (with this hook file saved in /root/): +# +# sudo su - +# certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \ +# --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup" +# +# This hook requires configuration, continue reading. +# +# ************** CONFIGURATION ************** +# +# GANDI_API_KEY: Your Gandi Live API key +# +# PROVIDER_UPDATE_DELAY: +# How many seconds to wait after updating your DNS records. This may be required, +# depending on how slow your DNS host is to begin serving new DNS records after updating +# them via the API. 30 seconds is a safe default, but some providers can be very slow +# (e.g. Linode). +# +# Defaults to 30 seconds. +# +GANDI_API_KEY="<%= @gandi_api_key %>" +PROVIDER_UPDATE_DELAY=30 + +regex='.*\.(.*\..*)' +if [[ $CERTBOT_DOMAIN =~ $regex ]] +then + DOMAIN="${BASH_REMATCH[1]}" +else + DOMAIN="${CERTBOT_DOMAIN}" +fi + +# To be invoked via Certbot's --manual-auth-hook +function auth { + curl -s -D- -H "Content-Type: application/json" \ + -H "X-Api-Key: ${GANDI_API_KEY}" \ + -d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\", + \"rrset_type\": \"TXT\", + \"rrset_ttl\": 3600, + \"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \ + "https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records" + + + sleep ${PROVIDER_UPDATE_DELAY} +} + +# To be invoked via Certbot's --manual-cleanup-hook +function cleanup { + curl -s -X DELETE -H "Content-Type: application/json" \ + -H "X-Api-Key: ${GANDI_API_KEY}" \ + https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT +} + +HANDLER=$1; shift; +if [ -n "$(type -t $HANDLER)" ] && [ "$(type -t $HANDLER)" = function ]; then + $HANDLER "$@" +fi 
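Review bot: Both `curl` calls in `auth` and `cleanup` run without `--fail`, so an HTTP 401/404 from the Gandi API (bad key, or a `DOMAIN` the regex derived wrongly) exits 0, `set -e` never fires, and the hook sleeps 30 s and returns success, leaving certbot to fail later on a missing TXT record with no hint of the cause; `curl -sS --fail ...` (or an explicit status check) would surface the API error in the certbot log. `HANDLER=$1` under `set -u` aborts with an unhelpful unbound-variable message when the script is invoked without an argument, and `$HANDLER` is unquoted in the two `type -t` tests; `HANDLER=${1:-}` and `"$HANDLER"` would be safer. The usage comment still refers to `/root/letsencrypt_hook.sh` and 5apps domains; it should name `gandi_dns_certbot_hook.sh` and the sockethub host so it matches the `certbot` command in `proxy.rb`.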
From eed27713ff27a221a7b9c3d36c5c39a82788615c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 14 Jul 2021 10:14:07 +0200 Subject: [PATCH 07/24] Add the sockethub firewall rule to centaurus --- nodes/centaurus.kosmos.org.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nodes/centaurus.kosmos.org.json b/nodes/centaurus.kosmos.org.json index 539fe71..70f42cc 100644 --- a/nodes/centaurus.kosmos.org.json +++ b/nodes/centaurus.kosmos.org.json @@ -34,6 +34,7 @@ "kosmos_kvm::host", "kosmos-ejabberd::firewall", "kosmos_zerotier::firewall", + "sockethub::_firewall", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -85,6 +86,7 @@ "recipe[kosmos_assets::nginx_site]", "recipe[kosmos_kvm::host]", "recipe[kosmos-ejabberd::firewall]", - "recipe[kosmos_zerotier::firewall]" + "recipe[kosmos_zerotier::firewall]", + "recipe[sockethub::_firewall]" ] } \ No newline at end of file From 383a46676e5605046c8c85c22d0201bbd1875daf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 14 Jul 2021 10:14:28 +0200 Subject: [PATCH 08/24] Create a role for sockethub --- roles/sockethub.rb | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 roles/sockethub.rb diff --git a/roles/sockethub.rb b/roles/sockethub.rb new file mode 100644 index 0000000..277bd23 --- /dev/null +++ b/roles/sockethub.rb @@ -0,0 +1,6 @@ +name "sockethub" + +run_list %w( + sockethub::default + sockethub::proxy +) From e00d6c3a86f40e063e233c055c19437ca3344398 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 14 Jul 2021 10:14:38 +0200 Subject: [PATCH 09/24] Use the sockethub role in the run list --- nodes/nodejs-2.json | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/nodes/nodejs-2.json b/nodes/nodejs-2.json index 85d5115..f470672 100644 --- a/nodes/nodejs-2.json +++ b/nodes/nodejs-2.json 
@@ -12,7 +12,8 @@ "hostname": "nodejs-2", "ipaddress": "192.168.122.243", "roles": [ - "kredits_github" + "kredits_github", + "sockethub" ], "recipes": [ "kosmos-base", @@ -23,6 +24,7 @@ "kredits-github::nginx", "sockethub", "sockethub::default", + "sockethub::proxy", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -60,6 +62,7 @@ "logrotate::default", "nodejs::npm", "nodejs::install", + "sockethub::_firewall", "kosmos-base::letsencrypt" ], "platform": "ubuntu", @@ -80,6 +83,6 @@ "recipe[kosmos-base]", "recipe[kosmos-hubot::wormhole]", "role[kredits_github]", - "recipe[sockethub::default]" + "role[sockethub]" ] } \ No newline at end of file From 2a5d68cda969db9ca1ac80cce6eba019ee8c2b37 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Fri, 3 Sep 2021 10:28:07 +0200 Subject: [PATCH 10/24] Update Sockethub to 4.1.0 Tested/running on `nodejs-2`. --- site-cookbooks/sockethub/attributes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/sockethub/attributes/default.rb b/site-cookbooks/sockethub/attributes/default.rb index c852d3b..18a135b 100644 --- a/site-cookbooks/sockethub/attributes/default.rb +++ b/site-cookbooks/sockethub/attributes/default.rb @@ -1,5 +1,5 @@ node.default['sockethub']['port'] = '10551' node.default['sockethub']['external_port'] = '10550' -node.default['sockethub']['version'] = '4.0.1' +node.default['sockethub']['version'] = '4.1.0' node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org' node.default['sockethub']['debug_logs'] = 'sockethub*' From abec4be8ffd94310f33d3dbbdf407ad28388e4bd Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Fri, 3 Sep 2021 10:29:32 +0200 Subject: [PATCH 11/24] Update Gemfile.lock --- Gemfile.lock | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Gemfile.lock b/Gemfile.lock index 555c830..73984d3 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -248,6 +248,10 @@ GEM PLATFORMS x86_64-darwin-18 + x86_64-linux DEPENDENCIES knife-zero + +BUNDLED WITH + 2.2.15 From ee0a587dad0f15bad78ccc0e491318e38f9db2cd Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Mon, 13 Sep 2021 18:21:46 +0200 Subject: [PATCH 12/24] Upgrade botka, deploy for Libera.Chat to nodejs-2 Note: Temporarily disables wormhole, because it's still on Freenode, where its credentials have been deleted by the new "management". --- data_bags/credentials/botka_freenode.json | 38 ------ .../credentials/botka_irc-libera-chat.json | 38 ++++++ nodes/barnard.kosmos.org.json | 6 +- nodes/nodejs-2.json | 23 ++-- .../kosmos-hubot/attributes/default.rb | 3 +- .../recipes/botka_irc-libera-chat.rb | 120 ++++++++++++++++++ 6 files changed, 170 insertions(+), 58 deletions(-) delete mode 100644 data_bags/credentials/botka_freenode.json create mode 100644 data_bags/credentials/botka_irc-libera-chat.json create mode 100644 site-cookbooks/kosmos-hubot/recipes/botka_irc-libera-chat.rb diff --git a/data_bags/credentials/botka_freenode.json b/data_bags/credentials/botka_freenode.json deleted file mode 100644 index a72d4ae..0000000 --- a/data_bags/credentials/botka_freenode.json +++ /dev/null 
@@ -1,38 +0,0 @@ -{ - "id": "botka_freenode", - "rs_logger_token": { - "encrypted_data": "X/7BinesOs5sciifP2myTHzRyYA7q7GxHR92wlHKF1EnVD38GrfMxWFIUVsH\nYUjXr+mm\n", - "iv": "XcqCyyfIsqNJiVfX\n", - "auth_tag": "vPjh3was2w7pbDRYerGQFw==\n", - "version": 3, - "cipher": "aes-256-gcm" - }, - "nickserv_password": { - "encrypted_data": "bOr4bTbmGIL6YHAycVQCHX3fDsEgvJPtSKYPDyzbMIqn\n", - "iv": "hEmlqJ91R4Mxeab/\n", - "auth_tag": "o8qf0GBVR23IrPYOANywFw==\n", - "version": 3, - "cipher": "aes-256-gcm" - }, - "gcm_api_key": { - "encrypted_data": "flJe/qcddW54emG29ReJf5BqYyIEmpOK+dKabuZAx5t678Dt1CqLr/UmkeB+\nOcXwezOgr9qj3XHIVQ==\n", - "iv": "fD46RYO1hpk9zb9q\n", - "auth_tag": "ucPDMdVey1QeZmOmYEFiPw==\n", - "version": 3, - "cipher": "aes-256-gcm" - }, - "vapid_public_key": { - "encrypted_data": "RkyN3Sx4Hme2cBJKMSvXxt6b1rW7liqAG/fLSLMi4aeR9EAMMRf6gEdOLJms\n1WSVx4RU2z7oRTvkD0zwmKwOtNNeyRaJ6zUh/eYnPviBdKMrxvLOXPaQam7O\nCLF9QMHpngCumMPQuaWpHg==\n", - "iv": "WPqkc48gE/uJjLB9\n", - "auth_tag": "UxAnYr9jdCy2V/1gnDC/Og==\n", - "version": 3, - "cipher": "aes-256-gcm" - }, - "vapid_private_key": { - "encrypted_data": "2O+ESjSSsw3Z4RgTx4AIA3QGYc+zpRY2j0DyEqF1Rdak3prc7bMKmTHy7MwP\nJXGS08Mye5Pnt6sk45TfhoE=\n", - "iv": "8+PRuHXa73tLd3wf\n", - "auth_tag": "ofPSsKrP7Lgt1qiPcZ8isQ==\n", - "version": 3, - "cipher": "aes-256-gcm" - } -} \ No newline at end of file diff --git a/data_bags/credentials/botka_irc-libera-chat.json b/data_bags/credentials/botka_irc-libera-chat.json new file mode 100644 index 0000000..96547eb --- /dev/null +++ b/data_bags/credentials/botka_irc-libera-chat.json 
@@ -0,0 +1,38 @@ +{ + "id": "botka_irc-libera-chat", + "rs_logger_token": { + "encrypted_data": "2CYA4uMDMcTA3/TnoUkZ/WoB573oFn5oZk6zJmgc0MwCjYlKxhOTO6JZV5NF\nrQh0b6DS\n", + "iv": "ZDSklJrhSJknQTGJ\n", + "auth_tag": "RZVkeuP7iu1a/HkeIyM9/Q==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "nickserv_password": { + "encrypted_data": "NXPE0ouvPESbBVRDDg362LaHVfeOqo+BEh4PkE5XeA==\n", + "iv": "4iESOnvAyMLF2TNs\n", + "auth_tag": "PiJvYy++dZls1t+goXui2w==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "gcm_api_key": { + "encrypted_data": "QaF+kUTZbx3fK9QXua9QPq0f8ACZbrj+FEvlcMiv9x469OMOxTHfL2+cF6X2\nyK+1zYtl8byiMdLmSQ==\n", + "iv": "whutD4hY4htiEePI\n", + "auth_tag": "EF19h8haFSNHsOM/oVkcRQ==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "vapid_public_key": { + "encrypted_data": "dw1LEyE/hksxM+H0ExgIWXgrhFYzFo/dmps4/ct8mG2Se0ukYJ7OI5uJYI1E\nUaaZ+feqK2nic0GsnkaY++SI4Us+RNGoOu0J67CWooy8KIVdGGmxHx/rOI2L\n9S9zbo+8TE3KYBWrHa2jyw==\n", + "iv": "PaqtzI+RgtL/VeKE\n", + "auth_tag": "BPQcLAEWN4cPlrTylfwD/Q==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "vapid_private_key": { + "encrypted_data": "Czly/hPyXa529rlxe3Ab3ea/Hg53iSW3Mpz1d8Aimuojih9GhWWFytY8YH9T\nwAINhXw7toST5o3LLjQjPkk=\n", + "iv": "XZeA6abV1Fi9Q3wm\n", + "auth_tag": "02zb8q+WDLj+mF+bJRWXxQ==\n", + "version": 3, + "cipher": "aes-256-gcm" + } +} \ No newline at end of file diff --git a/nodes/barnard.kosmos.org.json b/nodes/barnard.kosmos.org.json index c0055b0..9de80d0 100644 --- a/nodes/barnard.kosmos.org.json +++ b/nodes/barnard.kosmos.org.json @@ -97,11 +97,7 @@ "run_list": [ "role[base]", "recipe[kosmos-ipfs]", - "recipe[kosmos-hubot::botka_freenode]", - "recipe[kosmos-hubot::hal8000]", "recipe[kosmos-hubot::hal8000_xmpp]", - "recipe[sockethub]", - "recipe[sockethub::proxy]", "recipe[kosmos-dirsrv]" ] -} \ No newline at end of file +} diff --git a/nodes/nodejs-2.json b/nodes/nodejs-2.json index f470672..241fb7e 100644 --- a/nodes/nodejs-2.json +++ b/nodes/nodejs-2.json 
@@ -8,7 +8,7 @@ "automatic": { "fqdn": "nodejs-2", "os": "linux", - "os_version": "5.4.0-1031-kvm", + "os_version": "5.4.0-1045-kvm", "hostname": "nodejs-2", "ipaddress": "192.168.122.243", "roles": [ @@ -18,7 +18,7 @@ "recipes": [ "kosmos-base", "kosmos-base::default", - "kosmos-hubot::wormhole", + "kosmos-hubot::botka_irc-libera-chat", "kredits-github", "kredits-github::default", "kredits-github::nginx", @@ -42,9 +42,12 @@ "kosmos-nodejs::default", "nodejs::nodejs_from_package", "nodejs::repo", - "kosmos-hubot::_user", - "git::default", - "git::package", + "kosmos-redis::default", + "redis::server", + "redis::default", + "backup::default", + "logrotate::default", + "kosmos-base::letsencrypt", "kosmos-nginx::default", "nginx::default", "nginx::package", @@ -55,15 +58,9 @@ "nginx::commons_script", "nginx::commons_conf", "kosmos-nginx::firewall", - "kosmos-redis::default", - "redis::server", - "redis::default", - "backup::default", - "logrotate::default", "nodejs::npm", "nodejs::install", - "sockethub::_firewall", - "kosmos-base::letsencrypt" + "sockethub::_firewall" ], "platform": "ubuntu", "platform_version": "20.04", @@ -81,7 +78,7 @@ }, "run_list": [ "recipe[kosmos-base]", - "recipe[kosmos-hubot::wormhole]", + "recipe[kosmos-hubot::botka_irc-libera-chat]", "role[kredits_github]", "role[sockethub]" ] diff --git a/site-cookbooks/kosmos-hubot/attributes/default.rb b/site-cookbooks/kosmos-hubot/attributes/default.rb index 9172f36..250134f 100644 --- a/site-cookbooks/kosmos-hubot/attributes/default.rb +++ b/site-cookbooks/kosmos-hubot/attributes/default.rb @@ -1,7 +1,6 @@ node.default['hal8000']['http_port'] = 8080 -node.default['botka_freenode']['http_port'] = 8081 -node.default['botka_freenode']['domain'] = "freenode.botka.kosmos.org" +node.default['botka_irc-libera-chat']['http_port'] = 8081 node.default['hal8000_xmpp']['http_port'] = 8082 node.default['hal8000_xmpp']['domain'] = "hal8000.chat.kosmos.org" 
diff --git a/site-cookbooks/kosmos-hubot/recipes/botka_irc-libera-chat.rb b/site-cookbooks/kosmos-hubot/recipes/botka_irc-libera-chat.rb new file mode 100644 index 0000000..1326552 --- /dev/null +++ b/site-cookbooks/kosmos-hubot/recipes/botka_irc-libera-chat.rb 
@@ -0,0 +1,120 @@ +# +# Cookbook Name:: kosmos-hubot +# Recipe:: botka_irc-libera-chat +# + +app_name = "botka_irc-libera-chat" +app_path = "/opt/#{app_name}" +app_user = "hubot" +app_group = "hubot" +domain = "irc-libera-chat.botka.kosmos.chat" + +build_essential app_name do + compile_time true +end + +include_recipe "kosmos-nodejs" +include_recipe "kosmos-redis" + +application app_path do + data_bag = Chef::EncryptedDataBagItem.load('credentials', app_name) + + owner app_user + group app_group + + git do + user app_user + group app_group + repository "https://gitea.kosmos.org/kosmos/botka.git" + revision "master" + end + + file "#{app_path}/external-scripts.json" do + mode "0640" + owner app_user + group app_group + content [ + "hubot-help", + "hubot-redis-brain", + "hubot-remotestorage-logger", + "hubot-web-push-notifications", + ].to_json + end + + npm_install do + user app_user + end + + execute "systemctl daemon-reload" do + command "systemctl daemon-reload" + action :nothing + end + + template "/lib/systemd/system/#{app_name}.service" do + source 'nodejs.systemd.service.erb' + owner 'root' + group 'root' + mode '0644' + variables( + user: app_user, + group: app_group, + app_dir: app_path, + entry: "#{app_path}/bin/hubot -a irc", + environment: { + "HUBOT_LOG_LEVEL" => node.chef_environment == "development" ? 
"debug" : "info", + "HUBOT_IRC_SERVER" => "irc.libera.chat", + "HUBOT_IRC_ROOMS" => "#kosmos,#kosmos-dev,#kosmos-random,#remotestorage,#hackerbeach,#unhosted,#sockethub,#mastodon", + "HUBOT_IRC_NICK" => "botka", + "HUBOT_IRC_NICKSERV_USERNAME" => "botka", + "HUBOT_IRC_NICKSERV_PASSWORD" => data_bag['nickserv_password'], + "HUBOT_IRC_UNFLOOD" => "100", + "HUBOT_RSS_PRINTSUMMARY" => "false", + "HUBOT_RSS_PRINTERROR" => "false", + "HUBOT_RSS_IRCCOLORS" => "true", + "REDIS_URL" => "redis://localhost:6379/botka", + "EXPRESS_PORT" => node[app_name]['http_port'], + "HUBOT_AUTH_ADMIN" => "bkero,raucao", + "HUBOT_HELP_REPLY_IN_PRIVATE" => "true", + "RS_LOGGER_USER" => "kosmos@5apps.com", + "RS_LOGGER_TOKEN" => data_bag['rs_logger_token'], + "RS_LOGGER_SERVER_NAME" => "freenode", + "RS_LOGGER_PUBLIC" => "true", + "GCM_API_KEY" => data_bag['gcm_api_key'], + "VAPID_SUBJECT" => "https://kosmos.org", + "VAPID_PUBLIC_KEY" => data_bag['vapid_public_key'], + "VAPID_PRIVATE_KEY" => data_bag['vapid_private_key'] + } + ) + notifies :run, "execute[systemctl daemon-reload]", :delayed + notifies :restart, "service[#{app_name}]", :delayed + end + + service app_name do + action [:enable, :start] + end +end + +# +# Nginx reverse proxy +# +unless node.chef_environment == "development" + include_recipe "kosmos-base::letsencrypt" + include_recipe "kosmos-nginx" + + template "#{node['nginx']['dir']}/sites-available/#{domain}" do + source 'nginx_conf_hubot.erb' + owner node["nginx"]["user"] + mode 0640 + variables express_port: node[app_name]['http_port'], + server_name: domain, + ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem" + notifies :reload, 'service[nginx]', :delayed + end + + nginx_site domain do + action :enable + end + + nginx_certbot_site domain +end From ca13acb99f1831aa82c9336262138a6e8d030d3a Mon Sep 17 00:00:00 2001 
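Review bot: The systemd unit template is written with `mode '0644'` while its `environment:` hash carries `HUBOT_IRC_NICKSERV_PASSWORD`, `RS_LOGGER_TOKEN`, `GCM_API_KEY` and `VAPID_PRIVATE_KEY` from the encrypted data bag, so — assuming the kosmos-hubot `nodejs.systemd.service.erb` renders `@environment` as `Environment=` lines the way the sockethub template deleted in patch 04 did — the decrypted secrets become world-readable in `/lib/systemd/system/botka_irc-libera-chat.service`, and without `sensitive true` on the template they also appear in chef-client's diff output. Writing them to a root-owned `EnvironmentFile=` with mode 0600, or at minimum adding `sensitive true` to the template resource, keeps them off every local account. `"RS_LOGGER_SERVER_NAME" => "freenode"` looks carried over from the Freenode recipe; if the logger namespaces by network it should presumably read `"irc-libera-chat"` — confirm against how the value is used. `domain` is hard-coded while `http_port` comes from `node[app_name]`, and the deleted `['botka_freenode']['domain']` attribute suggests a `node['botka_irc-libera-chat']['domain']` counterpart was intended.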
From: Sebastian Kippe Date: Fri, 22 Oct 2021 13:59:42 +0200 Subject: [PATCH 13/24] Remove obsolete Parity role --- roles/parity.rb | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 roles/parity.rb diff --git a/roles/parity.rb b/roles/parity.rb deleted file mode 100644 index 69e1f1a..0000000 --- a/roles/parity.rb +++ /dev/null @@ -1,6 +0,0 @@ -name 'parity' - -run_list %w( - recipe[kosmos-parity::from_package] - recipe[kosmos-parity::node_dev] -) From 5dd44fc28383785bbe1d64f43e0eef3147fa5f27 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Fri, 22 Oct 2021 14:00:09 +0200 Subject: [PATCH 14/24] Add new RSK VM node configs --- clients/rsk-mainnet-1.json | 4 +++ clients/rsk-testnet-2.json | 4 +++ nodes/rsk-mainnet-1.json | 57 ++++++++++++++++++++++++++++++++++++++ nodes/rsk-testnet-2.json | 57 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 122 insertions(+) create mode 100644 clients/rsk-mainnet-1.json create mode 100644 clients/rsk-testnet-2.json create mode 100644 nodes/rsk-mainnet-1.json create mode 100644 nodes/rsk-testnet-2.json diff --git a/clients/rsk-mainnet-1.json b/clients/rsk-mainnet-1.json new file mode 100644 index 0000000..7422123 --- /dev/null +++ b/clients/rsk-mainnet-1.json @@ -0,0 +1,4 @@ +{ + "name": "rsk-mainnet-1", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtavs6RQW6af9fWuEuhI1\nQa4Ff7Z1CfZ0fHz152UqUeUKatQ/psKVs5ULWDV/b69fSuNsUzkCny9OwtwyQB/F\n2U+vbv3/3As3z6i3V3q8q4ahCHd7tkMmxMLaWcdkfWbpupWTRkCEX+PSDKS0hdfp\n3EQKVA2FrqR0sSnnT+Q66kZw4/WJrNwtSLcps4D5OubG7xr/uUn3Vyv5qXvS/7kx\nGvMONs55qh64Gtc3FSFPEdVyZXasCMEWwXyadqzf+/qJtEYlK0Uy5E/u7CTsnmcH\n9TEiYVw0/6PomQ2HJfSlZVUUO007OliBHO9bWOwZ6qI5c53pt5KES0dyy6SQ4m+8\nawIDAQAB\n-----END PUBLIC KEY-----\n" +} \ No newline at end of file diff --git a/clients/rsk-testnet-2.json b/clients/rsk-testnet-2.json new file mode 100644 index 0000000..2739bd0 --- /dev/null +++ b/clients/rsk-testnet-2.json 
@@ -0,0 +1,4 @@ +{ + "name": "rsk-testnet-2", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzG2bgL0n5Q7bTR4WYHOB\nZNOuRem/jjarU/bL0VKKn0JqD3PPDAnhq9gRn7H8SwyGoVFN60YGzu45O4c+SqN3\nCXN+FeFabigH2tKLxBz3kNDYTT/F1ErLLi/6ydrCV3tpddR5KTqLSOntojG8KNzc\nyG4rMV9ebCE1wDVxAFdEA+YDZS8YjP0nO5sLWFacA0ZTx27t5ugqZP1acjSvKzWs\nZ+ekX5Pbws/oUHyaqEEPdz7er4MTBm0bdkCHZbM7132oBcH/huJZhmTXFEdoy4ML\nhP4MWWSvwo66HDYjnaID82a8W1RJZZu2irbPHrfVlaFAh8VQk1T1kkUu0bMovT3V\nYQIDAQAB\n-----END PUBLIC KEY-----\n" +} \ No newline at end of file diff --git a/nodes/rsk-mainnet-1.json b/nodes/rsk-mainnet-1.json new file mode 100644 index 0000000..efc92a3 --- /dev/null +++ b/nodes/rsk-mainnet-1.json @@ -0,0 +1,57 @@ +{ + "name": "rsk-mainnet-1", + "normal": { + "knife_zero": { + "host": "10.1.1.137" + } + }, + "automatic": { + "fqdn": "rsk-mainnet-1", + "os": "linux", + "os_version": "5.4.0-1048-kvm", + "hostname": "rsk-mainnet-1", + "ipaddress": "192.168.122.233", + "roles": [ + "rsk_mainnet" + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "kosmos_rsk::rskj", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "ntp::apparmor", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default", + "firewall::default", + "chef-sugar::default" + ], + "platform": "ubuntu", + "platform_version": "20.04", + "cloud": null, + "chef_packages": { + "chef": { + "version": "17.6.18", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18/lib", + "chef_effortless": null + }, + "ohai": { + "version": "17.6.0", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.6.0/lib/ohai" + } + } + }, + "run_list": [ + "recipe[kosmos-base]", + "role[rsk_mainnet]" + ] +} \ No newline at end of file 
diff --git a/nodes/rsk-testnet-2.json b/nodes/rsk-testnet-2.json new file mode 100644 index 0000000..5735317 --- /dev/null +++ b/nodes/rsk-testnet-2.json @@ -0,0 +1,57 @@ +{ + "name": "rsk-testnet-2", + "normal": { + "knife_zero": { + "host": "10.1.1.214" + } + }, + "automatic": { + "fqdn": "rsk-testnet-2", + "os": "linux", + "os_version": "5.4.0-1048-kvm", + "hostname": "rsk-testnet-2", + "ipaddress": "192.168.122.29", + "roles": [ + "rsk_testnet" + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "kosmos_rsk::rskj", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "ntp::apparmor", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default", + "firewall::default", + "chef-sugar::default" + ], + "platform": "ubuntu", + "platform_version": "20.04", + "cloud": null, + "chef_packages": { + "chef": { + "version": "17.6.18", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18/lib", + "chef_effortless": null + }, + "ohai": { + "version": "17.6.0", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.6.0/lib/ohai" + } + } + }, + "run_list": [ + "recipe[kosmos-base]", + "role[rsk_testnet]" + ] +} \ No newline at end of file From ce7a7d5f83987c773b2d514064e43760dc6a8e1f Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Fri, 22 Oct 2021 14:01:39 +0200 Subject: [PATCH 15/24] Update RSKj version --- site-cookbooks/kosmos_rsk/attributes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos_rsk/attributes/default.rb b/site-cookbooks/kosmos_rsk/attributes/default.rb index 48cc220..608edad 100644 --- a/site-cookbooks/kosmos_rsk/attributes/default.rb +++ b/site-cookbooks/kosmos_rsk/attributes/default.rb 
@@ -1,2 +1,2 @@
-node.default['rskj']['version'] = '2.2.0~focal'
+node.default['rskj']['version'] = '3.0.1~focal'
 node.default['rskj']['network'] = 'testnet'
From 83202747cf706220fe23b35a94132b39a436368d Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Fri, 22 Oct 2021 14:02:41 +0200
Subject: [PATCH 16/24] Move RSKj firewall config to own recipe
---
 site-cookbooks/kosmos_rsk/recipes/firewall.rb | 7 +++++++
 site-cookbooks/kosmos_rsk/recipes/rskj.rb | 8 +-------
 2 files changed, 8 insertions(+), 7 deletions(-)
 create mode 100644 site-cookbooks/kosmos_rsk/recipes/firewall.rb
diff --git a/site-cookbooks/kosmos_rsk/recipes/firewall.rb b/site-cookbooks/kosmos_rsk/recipes/firewall.rb
new file mode 100644
index 0000000..b1c9bcf
--- /dev/null
+++ b/site-cookbooks/kosmos_rsk/recipes/firewall.rb
@@ -0,0 +1,7 @@
+include_recipe 'firewall'
+
+firewall_rule 'rskj' do
+ port [4444,50505]
+ protocol :tcp
+ command :allow
+end
diff --git a/site-cookbooks/kosmos_rsk/recipes/rskj.rb b/site-cookbooks/kosmos_rsk/recipes/rskj.rb
index 0ec4a5d..ea9a7ab 100644
--- a/site-cookbooks/kosmos_rsk/recipes/rskj.rb
+++ b/site-cookbooks/kosmos_rsk/recipes/rskj.rb
@@ -30,10 +30,4 @@ service "rsk" do
 action [:enable, :start]
 end
-include_recipe 'firewall'
-
-firewall_rule 'rskj' do
- port [4444,50505]
- protocol :tcp
- command :allow
-end
+include_recipe 'kosmos_rsk::firewall'
From e6ad9865bc6c769467b2a61c7a302ad11f210c50 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Fri, 22 Oct 2021 14:02:56 +0200
Subject: [PATCH 17/24] Add roles for RSK testnet/mainnet
---
 roles/rsk_mainnet.rb | 11 +++++++++++
 roles/rsk_testnet.rb | 5 +++++
 2 files changed, 16 insertions(+)
 create mode 100644 roles/rsk_mainnet.rb
 create mode 100644 roles/rsk_testnet.rb
diff --git a/roles/rsk_mainnet.rb b/roles/rsk_mainnet.rb
new file mode 100644
index 0000000..cfa58c1
--- /dev/null
+++ b/roles/rsk_mainnet.rb
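Review bot: `firewall_rule 'rskj'` opens TCP 4444 and 50505 to every source, and the new recipe says nothing about what either port serves. If 4444 is the node's JSON-RPC listener (RSKj's documented default; the node's own config is not in this hunk), leaving it world-reachable lets anyone who can route to the host issue RPC calls, so it should carry a `source` restriction to the hosts that actually need it while only the peer port stays open. At minimum document the intent per port so the next reader can check it against the RSKj config, e.g. `# 4444: JSON-RPC (restrict source), 50505: peer-to-peer`.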
@@ -0,0 +1,11 @@
+name "rsk_mainnet"
+
+run_list %w(
+ kosmos_rsk::rskj
+)
+
+override_attributes(
+ :rskj => {
+ :network => "mainnet"
+ }
+)
diff --git a/roles/rsk_testnet.rb b/roles/rsk_testnet.rb
new file mode 100644
index 0000000..281b45d
--- /dev/null
+++ b/roles/rsk_testnet.rb
@@ -0,0 +1,5 @@
+name "rsk_testnet"
+
+run_list %w(
+ kosmos_rsk::rskj
+)
From ca33dbe624ffb25be5fe8adde2c9105e1304eede Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Sat, 23 Oct 2021 11:28:29 +0200
Subject: [PATCH 18/24] Improve botka IRC config
Use TLS, specify port.
---
 site-cookbooks/kosmos-hubot/recipes/botka_irc-libera-chat.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/site-cookbooks/kosmos-hubot/recipes/botka_irc-libera-chat.rb b/site-cookbooks/kosmos-hubot/recipes/botka_irc-libera-chat.rb
index 1326552..5f569ec 100644
--- a/site-cookbooks/kosmos-hubot/recipes/botka_irc-libera-chat.rb
+++ b/site-cookbooks/kosmos-hubot/recipes/botka_irc-libera-chat.rb
@@ -62,11 +62,13 @@ application app_path do
 entry: "#{app_path}/bin/hubot -a irc",
 environment: {
 "HUBOT_LOG_LEVEL" => node.chef_environment == "development" ? "debug" : "info",
+ "HUBOT_IRC_USESSL" => "true",
 "HUBOT_IRC_SERVER" => "irc.libera.chat",
- "HUBOT_IRC_ROOMS" => "#kosmos,#kosmos-dev,#kosmos-random,#remotestorage,#hackerbeach,#unhosted,#sockethub,#mastodon",
+ "HUBOT_IRC_PORT" => "6697",
 "HUBOT_IRC_NICK" => "botka",
 "HUBOT_IRC_NICKSERV_USERNAME" => "botka",
 "HUBOT_IRC_NICKSERV_PASSWORD" => data_bag['nickserv_password'],
+ "HUBOT_IRC_ROOMS" => "#kosmos,#kosmos-dev,#kosmos-random,#remotestorage,#hackerbeach,#unhosted,#sockethub,#mastodon",
 "HUBOT_IRC_UNFLOOD" => "100",
 "HUBOT_RSS_PRINTSUMMARY" => "false",
 "HUBOT_RSS_PRINTERROR" => "false",
From b911ec92c9a9301ec3a63d3df6cf215aea9f4064 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Tue, 16 Nov 2021 13:23:25 -0600
Subject: [PATCH 19/24] Update node info
---
 nodes/nodejs-2.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
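Review bot: `rsk_testnet` never states which network it runs; it relies on the cookbook default `node.default['rskj']['network'] = 'testnet'` set in the attributes file, whereas `rsk_mainnet` overrides the attribute explicitly. A later change to that default would change which chain these nodes join without any edit to the role. Make the role self-describing, `override_attributes(rskj: { network: "testnet" })`, so reading the role alone tells you what the node connects to.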
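Review bot: `HUBOT_IRC_USESSL` moves the connection to TLS on 6697, but nothing in the hunk shows whether the IRC adapter verifies the server certificate, and the `HUBOT_IRC_NICKSERV_PASSWORD` two lines below is only protected from an on-path attacker if it does. Confirm that no certificate-validation bypass is configured for the adapter and record that next to the port, e.g. `# TLS on 6697; the adapter must verify the server certificate, do not enable any self-signed/fake-SSL override`. The enclosing `application app_path do` block starts and ends outside the hunk.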
diff --git a/nodes/nodejs-2.json b/nodes/nodejs-2.json index 241fb7e..67f0e7d 100644 --- a/nodes/nodejs-2.json +++ b/nodes/nodejs-2.json @@ -8,7 +8,7 @@ "automatic": { "fqdn": "nodejs-2", "os": "linux", - "os_version": "5.4.0-1045-kvm", + "os_version": "5.4.0-1049-kvm", "hostname": "nodejs-2", "ipaddress": "192.168.122.243", "roles": [ From f93909da70151ed82685784cb20f5497a6ed751b Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Mon, 22 Nov 2021 23:46:36 -0600 Subject: [PATCH 20/24] Update akkounts-1 node info --- nodes/akkounts-1.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodes/akkounts-1.json b/nodes/akkounts-1.json index 411d304..93a1617 100644 --- a/nodes/akkounts-1.json +++ b/nodes/akkounts-1.json @@ -8,7 +8,7 @@ "automatic": { "fqdn": "akkounts-1", "os": "linux", - "os_version": "5.4.0-54-generic", + "os_version": "5.4.0-90-generic", "hostname": "akkounts-1", "ipaddress": "192.168.122.160", "roles": [ From 24f94bdb026f2a154976c04dbc6085499ebb1c46 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Thu, 25 Nov 2021 16:44:48 -0600 Subject: [PATCH 21/24] Upgrade Gitea to 1.15.6 Configures the JWT signing algorithm to be the old, less secure algorithm, until we update the token for Drone CI (and any other OAuth apps). closes #338 --- site-cookbooks/kosmos_gitea/attributes/default.rb | 4 ++-- site-cookbooks/kosmos_gitea/recipes/default.rb | 2 +- site-cookbooks/kosmos_gitea/templates/default/app.ini.erb | 1 + 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/site-cookbooks/kosmos_gitea/attributes/default.rb b/site-cookbooks/kosmos_gitea/attributes/default.rb index 5ede51d..a2d7925 100644 --- a/site-cookbooks/kosmos_gitea/attributes/default.rb +++ b/site-cookbooks/kosmos_gitea/attributes/default.rb 
@@ -1,6 +1,6 @@
-gitea_version = "1.14.6"
+gitea_version = "1.15.6"
 node.default["kosmos_gitea"]["version"] = gitea_version
 node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
-node.default["kosmos_gitea"]["binary_checksum"] = "20cc0a89421695320b077c9fe4f16996f03aaf9d24f661f8d2255794551c849b"
+node.default["kosmos_gitea"]["binary_checksum"] = "1b7473b5993e07b33fec58edbc1a90f15f040759ca4647e97317c33d5dfe58be"
 node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org"
 node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea"
diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb
index 22d148e..9a2bddf 100644
--- a/site-cookbooks/kosmos_gitea/recipes/default.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/default.rb
@@ -76,7 +76,7 @@ template "#{config_directory}/app.ini" do
 source "app.ini.erb"
 owner "git"
 group "git"
- mode "0640"
+ mode "0600"
 sensitive true
 variables working_directory: working_directory,
 git_home_directory: git_home_directory,
diff --git a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
index 04eab6e..e013a0d 100644
--- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
@@ -46,6 +46,7 @@ PASSWD = <%= @smtp_password %>
 [oauth2]
 JWT_SECRET = <%= @jwt_secret %>
+JWT_SIGNING_ALGORITHM = HS256
 [security]
 INTERNAL_TOKEN = <%= @internal_token %>
From 9656399e9d701326459bd846a4e4b0875595d44b Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Thu, 25 Nov 2021 17:27:48 -0600
Subject: [PATCH 22/24] Remove superfluous license header
---
 .../kosmos_drone/recipes/default.rb | 21 -------------------
 1 file changed, 21 deletions(-)
diff --git a/site-cookbooks/kosmos_drone/recipes/default.rb b/site-cookbooks/kosmos_drone/recipes/default.rb
index f8629fc..a0a2017 100644
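Review bot: `JWT_SIGNING_ALGORITHM = HS256` pins OAuth2 token signing to the symmetric algorithm, and only the commit message records that this is a stop-gap until the Drone CI token is updated; nothing in the template itself will prompt anyone to remove it on the next upgrade. Put that in the config next to the setting, e.g. `; TODO(#338): temporary - remove once the Drone CI (and other OAuth app) tokens are updated for the 1.15 default algorithm`. With HS256, `JWT_SECRET` on the line above is all that is needed to mint valid tokens, so the `mode "0600"` tightening in this same commit is the right complement and should stay even after the algorithm is switched back.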
--- a/site-cookbooks/kosmos_drone/recipes/default.rb
+++ b/site-cookbooks/kosmos_drone/recipes/default.rb
@@ -2,27 +2,6 @@
 # Cookbook:: kosmos_drone
 # Recipe:: default
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2020, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 package "docker-compose"
 domain = "drone.kosmos.org"
From 5717d11f7eabfff1342d26fe68b741cf4362818b Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Thu, 25 Nov 2021 17:28:02 -0600
Subject: [PATCH 23/24] Upgrade Drone CI to latest version
closes #356
---
 site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb b/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb
index 7854ce8..049a061 100644
--- a/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb
+++ b/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb
@@ -2,7 +2,7 @@ version: '3' services: drone-server: - image: drone/drone:1 + image: drone/drone:2.5 ports: - "<%= @upstream_port %>:80" @@ -19,7 +19,7 @@ services: - DRONE_RPC_SECRET=<%= @rpc_secret %> drone-runner: - image: drone/drone-runner-docker:1 + image: drone/drone-runner-docker:1.8 command: agent restart: always From 1e6c40b1366916312ae96556451084091890d95d Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Thu, 25 Nov 2021 19:37:48 -0600 Subject: [PATCH 24/24] Update README --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index 7ff3f92..31772d0 100644 --- a/README.md +++ b/README.md @@ -44,3 +44,14 @@ Install cookbooks listed in Berksfile: Vendor installed cookbooks to the `cookbooks/` dir: berks vendor cookbooks/ --delete + +### "Expired" TLS certificates + +If you encounter expired TLS certificates during a Chef run (e.g. for remote +files), the issue is likely that the certificate has been issued by Let's +Encrypt and Chef is still using its own, outdated CA cert store (see +[here](https://github.com/chef/chef/issues/12126#issuecomment-932067530) for +example). + +As a hotfix, you can manually remove the "DST Root CA X3" cert from +`/opt/chef/embedded/ssl/cert.pem` on the machine you're trying to converge.
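Review bot: `drone/drone:2.5` and `drone/drone-runner-docker:1.8` are floating minor tags, so what a converge pulls changes whenever upstream republishes the tag, and the CI server that holds the `DRONE_RPC_SECRET` visible in the second hunk is a poor place for an unreviewed image swap. Pin a full patch version, or better an image digest, e.g. `image: drone/drone:2.5.<patch>@sha256:<digest>`, and bump it deliberately with the checksum recorded in the template. The `services:` mapping these hunks sit in starts and ends outside the hunk.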