From 74cf26846eab6b5ebc0a0f89f76dd1dbf93a7dcd Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Tue, 12 Jan 2021 18:06:16 +0100
Subject: [PATCH 01/13] Fix ejabberd API permission for akkounts VMs

It should have been using a /32, not a /8 subnet, in order to only allow the akkounts VM(s) to use the API endpoints without further authorization.
---
 site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
index e1dca82..a46759d 100644
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
@@ -177,7 +177,7 @@ api_permissions:
 "akkounts":
 who:
 <% @akkounts_ip_addresses.each do |ip| -%>
- - ip: "<%= ip %>/8"
+ - ip: "<%= ip %>/32"
 <% end -%>
 what:
 - "add_rosteritem"
From c4fa9e6ec195c457debdf9313be5d242c89edc8c Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Tue, 12 Jan 2021 18:41:31 +0100
Subject: [PATCH 02/13] Remove extra license headers

And update year in LICENSE file
---
 site-cookbooks/kosmos-mastodon/LICENSE | 2 +-
 .../kosmos-mastodon/recipes/default.rb | 21 -------------------
 .../kosmos-mastodon/recipes/nginx.rb | 21 -------------------
 .../kosmos-mastodon/recipes/pg_db.rb | 21 -------------------
 4 files changed, 1 insertion(+), 64 deletions(-)
diff --git a/site-cookbooks/kosmos-mastodon/LICENSE b/site-cookbooks/kosmos-mastodon/LICENSE
index f3b5d1c..967d43c 100644
--- a/site-cookbooks/kosmos-mastodon/LICENSE
+++ b/site-cookbooks/kosmos-mastodon/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2019 Kosmos Developers
+Copyright (c) 2019-2021 Kosmos Developers
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the 
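Review bot: The `/32` suffix on the new `ip:` line is only correct if every entry in `@akkounts_ip_addresses` is a bare IPv4 address; an IPv6 entry would need `/128`, and an entry that already carries a prefix would render as something like `10.0.0.5/24/32`, which ejabberd is unlikely to parse, so the whole config fails to load. Since this ACL is the only thing standing between the network and `add_rosteritem` and the other commands listed under `what:` (the commit message says there is no further authorization), the rendered value deserves to be derived rather than assumed: `- ip: "<%= ip.include?(':') ? "#{ip}/128" : "#{ip}/32" %>"`, or validate the attribute in the recipe before rendering. The `what:` list continues past the end of the hunk.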
diff --git a/site-cookbooks/kosmos-mastodon/recipes/default.rb b/site-cookbooks/kosmos-mastodon/recipes/default.rb index 053b232..50c7098 100644 --- a/site-cookbooks/kosmos-mastodon/recipes/default.rb +++ b/site-cookbooks/kosmos-mastodon/recipes/default.rb @@ -2,27 +2,6 @@ # Cookbook Name:: kosmos-mastodon # Recipe:: default # -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. include_recipe "kosmos-nodejs" include_recipe "kosmos-redis" diff --git a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb index 268e973..fde87cd 100644 --- a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb +++ b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb 
@@ -2,27 +2,6 @@ # Cookbook Name:: kosmos-mastodon # Recipe:: nginx # -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. mastodon_path = node["kosmos-mastodon"]["directory"] server_name = node["kosmos-mastodon"]["server_name"] diff --git a/site-cookbooks/kosmos-mastodon/recipes/pg_db.rb b/site-cookbooks/kosmos-mastodon/recipes/pg_db.rb index 4f0ee9f..af15e80 100644 --- a/site-cookbooks/kosmos-mastodon/recipes/pg_db.rb +++ b/site-cookbooks/kosmos-mastodon/recipes/pg_db.rb 
@@ -2,27 +2,6 @@ # Cookbook Name:: kosmos-mastodon # Recipe:: pg_db # -# The MIT License (MIT) -# -# Copyright:: 2020, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. postgresql_data_bag_item = data_bag_item('credentials', 'postgresql') From 4d0259493f972c55b13dbd51e81ae15916a48ab5 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Wed, 13 Jan 2021 09:48:23 +0100 Subject: [PATCH 03/13] Update system package dependencies for 20.04 --- site-cookbooks/kosmos-mastodon/recipes/default.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/site-cookbooks/kosmos-mastodon/recipes/default.rb b/site-cookbooks/kosmos-mastodon/recipes/default.rb index 50c7098..ee9d5d6 100644 --- a/site-cookbooks/kosmos-mastodon/recipes/default.rb +++ b/site-cookbooks/kosmos-mastodon/recipes/default.rb 
@@ -42,8 +42,9 @@ user mastodon_user do
 home mastodon_path
 end
 
-package %w(imagemagick ffmpeg libxml2-dev libxslt1-dev file git curl pkg-config
- libprotobuf-dev protobuf-compiler libidn11 libidn11-dev libjemalloc1)
+package %w(build-essential imagemagick ffmpeg libxml2-dev libxslt1-dev file git
+ curl pkg-config libprotobuf-dev protobuf-compiler libidn11
+ libidn11-dev libjemalloc2 libpq-dev)
 
 npm_package "yarn" do
 version "1.22.4"
From 9d13acd41ae7662a1588af4539fa8e691e4fc4e0 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Wed, 13 Jan 2021 09:49:03 +0100
Subject: [PATCH 04/13] Don't fail on first run, when Tor hostname missing

---
 site-cookbooks/kosmos-mastodon/recipes/nginx.rb | 4 +++-
 .../kosmos-mastodon/templates/default/nginx_conf_mastodon.erb | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
index fde87cd..65717a1 100644
--- a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
@@ -24,6 +24,8 @@ template "#{node['nginx']['dir']}/snippets/mastodon.conf" do
 notifies :reload, 'service[nginx]', :delayed
 end
 
+onion_address = File.read("/var/lib/tor/mastodon/hostname").strip rescue nil
+
 template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
 source 'nginx_conf_mastodon.erb'
 owner 'www-data'
@@ -32,7 +34,7 @@ template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
 ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
 ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem",
 shared_config_path: "#{node['nginx']['dir']}/snippets/mastodon.conf",
- onion_address: File.read("/var/lib/tor/mastodon/hostname").strip
+ onion_address: onion_address
 notifies :reload, 'service[nginx]', :delayed
 end
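Review bot: The new `build-essential` entry leaves a full C toolchain on the production mastodon VM permanently, while it is presumably only needed to compile native gems during the bundle install that happens later in this recipe (not visible in the hunk). If that is the intent, say so on the `package` line so a later hardening pass does not remove it and break deploys: `# build-essential/libpq-dev: needed to compile native gems (pg, etc.) during bundle install`. Whether the compiler should be removed again after the build is a trade-off the commit does not discuss; the `user` resource above the hunk starts outside it.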
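Review bot: The modifier `rescue nil` on the new `onion_address` line swallows every StandardError, not only the missing-file case the commit title describes — a permission error on `/var/lib/tor/mastodon/hostname` or an unexpected read failure would silently drop the onion vhost instead of failing the run. Test for the one condition you actually expect: `tor_hostname = "/var/lib/tor/mastodon/hostname"` followed by `onion_address = File.exist?(tor_hostname) ? File.read(tor_hostname).strip : nil`. Note that this bare Ruby runs at compile time, so a hostname that tor creates during the same converge is only picked up on the next chef run — worth a one-line comment. The `template` resource that consumes the variable continues past the end of the hunk.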
diff --git a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb index c07686e..20d2efa 100644 --- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb +++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb @@ -1,8 +1,10 @@ +<% if @onion_address %> server { listen 80; server_name mastodon.<%= @onion_address %>; include <%= @shared_config_path %>; } +<% end %> map $http_upgrade $connection_upgrade { default upgrade; From 047526e0fcf9c921abcb9e205423e6258ae6cfe6 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Wed, 13 Jan 2021 09:49:49 +0100 Subject: [PATCH 05/13] Don't configure HTTPS site when certs missing --- .../templates/default/nginx_conf_mastodon.erb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb index 20d2efa..6991f7a 100644 --- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb +++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb @@ -11,17 +11,16 @@ map $http_upgrade $connection_upgrade { '' close; } +<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) %> server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name <%= @server_name %>; include <%= @shared_config_path %>; - <% if File.exist?(@ssl_cert) && - File.exist?(@ssl_key) -%> ssl_certificate <%= @ssl_cert %>; ssl_certificate_key <%= @ssl_key %>; - <% end -%> add_header Strict-Transport-Security "max-age=31536000"; } +<% end %> From c622f81572cc5a5d8e59adeffb19a14e90b04edc Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Wed, 13 Jan 2021 09:50:10 +0100 Subject: [PATCH 06/13] Remove extra license header --- .../kosmos-redis/recipes/default.rb | 21 ------------------- 1 file changed, 21 deletions(-) 
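Review bot: `<% if @onion_address %>` is true for an empty string — only nil and false are falsy in Ruby — so an empty or whitespace-only hostname file (which `File.read(...).strip` turns into `""`) renders `server_name mastodon.;` and nginx refuses the reload. Guard on content rather than presence: `<% unless @onion_address.to_s.empty? %>`. The matching `<% end %>` is the last added line of the hunk.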
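Review bot: With the certificate check now wrapping the whole `server` block, a node without certificates has no vhost for `<%= @server_name %>` at all, not even on port 80; if `kosmos-base::letsencrypt` (added to this node's run list in a later patch) obtains the first certificate with an HTTP-01 challenge served through nginx, nothing answers the challenge and the bootstrap never converges, whereas a standalone challenge on a stopped nginx would be fine. Either way the template should state the assumption, e.g. `<%# No certs yet: nothing is served for @server_name until the letsencrypt recipe has run %>`. Separately, HSTS here relies on a server-level `add_header`, which nginx drops for any location in the included snippet that sets its own `add_header`; `add_header Strict-Transport-Security "max-age=31536000" always;` and/or moving it into the shared snippet would be more robust, though the snippet is not visible here.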
diff --git a/site-cookbooks/kosmos-redis/recipes/default.rb b/site-cookbooks/kosmos-redis/recipes/default.rb index d5ee76d..06e440d 100644 --- a/site-cookbooks/kosmos-redis/recipes/default.rb +++ b/site-cookbooks/kosmos-redis/recipes/default.rb @@ -2,27 +2,6 @@ # Cookbook Name:: kosmos-redis # Recipe:: default # -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. node.override['redis']['unixsocket'] = '' include_recipe 'redis::server' From 62320106cb727686bc054b58856cc5ed8e8dc478 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Wed, 13 Jan 2021 09:50:37 +0100 Subject: [PATCH 07/13] Set up mastodon-1 VM --- nodes/mastodon-1.json | 86 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 nodes/mastodon-1.json diff --git a/nodes/mastodon-1.json b/nodes/mastodon-1.json new file mode 100644 index 0000000..c1a7a49 --- /dev/null +++ b/nodes/mastodon-1.json 
@@ -0,0 +1,86 @@ +{ + "name": "mastodon-1", + "normal": { + "knife_zero": { + "host": "10.1.1.156" + } + }, + "automatic": { + "fqdn": "mastodon-1", + "os": "linux", + "os_version": "5.4.0-1031-kvm", + "hostname": "mastodon-1", + "ipaddress": "192.168.122.197", + "roles": [ + "mastodon", + "postgresql_client" + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "kosmos-mastodon", + "kosmos-mastodon::default", + "kosmos-mastodon::nginx", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "ntp::apparmor", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default", + "kosmos-nodejs::default", + "nodejs::nodejs_from_package", + "nodejs::repo", + "kosmos-redis::default", + "redis::server", + "redis::default", + "backup::default", + "logrotate::default", + "java::default", + "java::set_attributes_from_version", + "java::openjdk", + "java::notify", + "java::default_java_symlink", + "java::set_java_home", + "nodejs::npm", + "nodejs::install", + "kosmos-nginx::default", + "nginx::default", + "nginx::package", + "nginx::ohai_plugin", + "nginx::repo", + "nginx::commons", + "nginx::commons_dir", + "nginx::commons_script", + "nginx::commons_conf", + "kosmos-nginx::firewall", + "tor-full::default", + "git::default", + "git::package" + ], + "platform": "ubuntu", + "platform_version": "20.04", + "cloud": null, + "chef_packages": { + "ohai": { + "version": "15.12.0", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai" + }, + "chef": { + "version": "15.14.0", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.14.0/lib" + } + } + }, + "run_list": [ + "recipe[kosmos-base]", + "role[mastodon]" + ] +} \ No newline at end of file From 9224aa9d97830349a0bebadce19b3b376e17bd31 Mon Sep 17 00:00:00 2001 
From: Sebastian Kippe Date: Wed, 13 Jan 2021 17:06:25 +0100 Subject: [PATCH 08/13] Update node data --- nodes/mastodon-1.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nodes/mastodon-1.json b/nodes/mastodon-1.json index c1a7a49..b06ab5f 100644 --- a/nodes/mastodon-1.json +++ b/nodes/mastodon-1.json @@ -63,7 +63,8 @@ "kosmos-nginx::firewall", "tor-full::default", "git::default", - "git::package" + "git::package", + "kosmos-base::letsencrypt" ], "platform": "ubuntu", "platform_version": "20.04", From 12a3fa5b4e1ee47bafa32b29609d9cbbdc3fd268 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Wed, 13 Jan 2021 17:06:36 +0100 Subject: [PATCH 09/13] Use default Redis database now --- site-cookbooks/kosmos-mastodon/attributes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos-mastodon/attributes/default.rb b/site-cookbooks/kosmos-mastodon/attributes/default.rb index eb91556..f04a577 100644 --- a/site-cookbooks/kosmos-mastodon/attributes/default.rb +++ b/site-cookbooks/kosmos-mastodon/attributes/default.rb @@ -2,7 +2,7 @@ node.default["kosmos-mastodon"]["directory"] = "/opt/mastodon" node.default["kosmos-mastodon"]["puma_port"] = 3000 node.default["kosmos-mastodon"]["streaming_port"] = 4000 node.default["kosmos-mastodon"]["server_name"] = "kosmos.social" -node.default["kosmos-mastodon"]["redis_url"] = "redis://localhost:6379/1" +node.default["kosmos-mastodon"]["redis_url"] = "redis://localhost:6379/0" node.default["kosmos-mastodon"]["sidekiq_threads"] = 25 # Allocate this amount of RAM to the Java heap for Elasticsearch node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m" From 6c6026958badaeea2f002a18b486fafc52e01c9f Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Thu, 14 Jan 2021 21:23:03 +0100 Subject: [PATCH 10/13] Fix typo in port number of externalip config --- site-cookbooks/kosmos-bitcoin/attributes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
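Review bot: Switching `redis_url` to database 0 gives up the only namespace separation this URL had, so it is safe only if the Redis instance from `kosmos-redis` is dedicated to Mastodon (web, sidekiq and streaming all share it, and keys are not prefixed unless a namespace is configured). A comment next to the attribute would keep the next reader from "fixing" it back: `# Dedicated Redis instance for Mastodon; nothing else uses it, so db 0 is fine`. The URL also carries no password, so it continues to rely on Redis listening on loopback only — worth stating in the same comment if that is the assumption.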
diff --git a/site-cookbooks/kosmos-bitcoin/attributes/default.rb b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
index dc11a70..b595fb7 100644
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
@@ -42,7 +42,7 @@ node.default['lnd']['alias'] = 'ln2.kosmos.org'
 node.default['lnd']['color'] = '#5e0c99'
 node.default['lnd']['log_level'] = 'info'
 node.default['lnd']['public_ip'] = '148.251.237.111'
-node.default['lnd']['public_port'] = '9375'
+node.default['lnd']['public_port'] = '9735'
 node.default['lnd']['port'] = '9736'
 node.default['lnd']['minchansize'] = '1000000'
 node.default['lnd']['basefee'] = '500'
From 775ec691efcd0fc230fb454e80506218471e4ce0 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Thu, 14 Jan 2021 21:23:20 +0100
Subject: [PATCH 11/13] Add firewall rules for LND and c-lightning

---
 site-cookbooks/kosmos-bitcoin/recipes/c-lightning.rb | 6 ++++++
 site-cookbooks/kosmos-bitcoin/recipes/lnd.rb | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/c-lightning.rb b/site-cookbooks/kosmos-bitcoin/recipes/c-lightning.rb
index b86b184..b8f2865 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/c-lightning.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/c-lightning.rb
@@ -92,3 +92,9 @@ systemd_unit 'lightningd.service' do
 triggers_reload true
 action [:create, :enable, :start]
 end
+
+firewall_rule 'lightningd' do
+ port [9735] # TODO use attribute
+ protocol :tcp
+ command :allow
+end
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb b/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
index b179c42..4e2464a 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lnd.rb
@@ -89,3 +89,9 @@ systemd_unit 'lnd.service' do
 triggers_reload true
 action [:create, :enable, :start]
 end
+
+firewall_rule 'lnd' do
+ port [node['lnd']['port']]
+ protocol :tcp
+ command :allow
+end
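Review bot: The hard-coded `port [9735]` (already flagged by the TODO) silently couples this rule to whatever `lightningd` is configured to listen on elsewhere in the recipe; if the two drift, the firewall either blocks the node or opens an unused port. The lnd side already reads `node['lnd']['port']`, so give c-lightning the same treatment: define the port once in the attributes file under whatever key the cookbook already uses for its c-lightning settings, and use `port [node['c-lightning']['port']]` here and in the lightningd config. The `systemd_unit` resource above the added lines starts outside the hunk.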
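Review bot: `node['lnd']['port']` is a String (`'9736'`, per the attributes hunk of the previous patch), but `firewall_rule`'s `port` property is built for Integers; if the firewall cookbook's port-to-rule helper only handles Integer and Range elements, a String inside the array can be silently dropped and the generated rule degrades to a bare `allow proto tcp` — every TCP port open — instead of failing loudly. Coerce explicitly, `port [node['lnd']['port'].to_i]`, and check the rendered rule (`ufw status` or the iptables chain) once on a node. This is hedged: it depends on the firewall cookbook version pinned for this repo, which is not visible here.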
From ab422155e46b6f3325fc9722acac00f837165f40 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Fri, 22 Jan 2021 13:49:23 +0100 Subject: [PATCH 12/13] Add the ability to pass a disk size to the create_vm script Defaults to 10GB --- site-cookbooks/kosmos_kvm/files/create_vm | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/site-cookbooks/kosmos_kvm/files/create_vm b/site-cookbooks/kosmos_kvm/files/create_vm index db4cf8e..0c82f2d 100644 --- a/site-cookbooks/kosmos_kvm/files/create_vm +++ b/site-cookbooks/kosmos_kvm/files/create_vm @@ -5,13 +5,14 @@ if [[ $# -lt 3 ]] ; then cat <<-EOF USAGE (RAM in megabytes) -create_vm VMNAME RAM CPUS +create_vm VMNAME RAM CPUS DISKSIZE EOF exit 1 fi VMNAME=$1 RAM=$2 CPUS=$3 +DISKSIZE=${4:-10} # 10GB default # Directory where image files will be stored IMAGE_DIR=/var/lib/libvirt/images @@ -20,9 +21,6 @@ IMAGE_PATH=$IMAGE_DIR/$IMAGE_FILE CIDATA_PATH=${IMAGE_DIR}/cidata-${VMNAME}.iso BASE_FILE=${IMAGE_DIR}/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.qcow2 -# Disk size assigned to the VM -DISKSIZE=10 # Unit: GB - # Create the VM image if it does not already exist if [ ! -f "$IMAGE_PATH" ]; then echo "info: image file $IMAGE_PATH not found. creating new image" From 05cd38a5b92a3d524abdd11b2369c38b2ead08f2 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Sat, 23 Jan 2021 14:22:34 +0100 Subject: [PATCH 13/13] Re-enable and improve Tor access for kosmos.social --- .../kosmos-mastodon/attributes/default.rb | 2 +- site-cookbooks/kosmos-mastodon/recipes/nginx.rb | 1 + .../templates/default/nginx_conf_mastodon.erb | 13 +++++++++++++ 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos-mastodon/attributes/default.rb b/site-cookbooks/kosmos-mastodon/attributes/default.rb index f04a577..0a92707 100644 --- a/site-cookbooks/kosmos-mastodon/attributes/default.rb +++ b/site-cookbooks/kosmos-mastodon/attributes/default.rb 
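Review bot: `DISKSIZE=${4:-10}` accepts whatever the caller passes and, judging by the removed `# Unit: GB` comment, goes straight into the image-creation command further down (outside the hunk); a value like `10G` or an empty string then surfaces as a confusing qemu-img/virt-install error or, worse, an image of a different size than intended. Validate it next to the existing argument check: `[[ $DISKSIZE =~ ^[0-9]+$ ]] || { echo "error: DISKSIZE must be a whole number of GB" >&2; exit 1; }`. The usage text should also mark the new argument as optional and name its unit: `create_vm VMNAME RAM CPUS [DISKSIZE_GB]`.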
@@ -8,5 +8,5 @@ node.default["kosmos-mastodon"]["sidekiq_threads"] = 25
 node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m"
 
 node.override["tor"]["HiddenServices"]["mastodon"] = {
- "HiddenServicePorts" => ["80 127.0.0.1:80"]
+ "HiddenServicePorts" => ["80 127.0.0.1:80", "443 127.0.0.1:443"]
 }
diff --git a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
index 65717a1..84caba4 100644
--- a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
@@ -6,6 +6,7 @@ mastodon_path = node["kosmos-mastodon"]["directory"]
 server_name = node["kosmos-mastodon"]["server_name"]
+node.override['nginx']['server_names_hash_bucket_size'] = 128
 include_recipe "kosmos-nginx"
 directory "#{node['nginx']['dir']}/snippets" do
diff --git a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
index 6991f7a..e1c6ebb 100644
--- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
@@ -24,3 +24,16 @@ server {
 add_header Strict-Transport-Security "max-age=31536000";
 }
 <% end %>
+
+<% if @onion_address %>
+server {
+ listen 443 ssl http2;
+ server_name mastodon.<%= @onion_address %>;
+ include <%= @shared_config_path %>;
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+
+ add_header Strict-Transport-Security "max-age=31536000";
+}
+<% end %>
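Review bot: The new `server_names_hash_bucket_size` override carries no explanation, and its placement before `include_recipe "kosmos-nginx"` looks deliberate (presumably so the value is in effect when the nginx cookbook reads it) but will not be obvious to the next reader. A comment covering both would do, e.g. `# "mastodon.<onion>" is longer than nginx's default 64-byte bucket; set before kosmos-nginx renders nginx.conf` — confirm the length claim against the actual hostname file on the node, since the onion version is not visible here. The `directory` resource at the end of the hunk continues outside it.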
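Review bot: The new onion `server` block references `@ssl_cert` and `@ssl_key` unconditionally, whereas the clearnet block just above it is guarded by `File.exist?` on both files; on a first run without certificates nginx's config test fails on the missing `ssl_certificate` and the reload is refused, reintroducing the bootstrap problem the earlier patches fixed. Use the same guard: `<% if @onion_address && File.exist?(@ssl_cert) && File.exist?(@ssl_key) %>`. Separately, the certificate was issued for `@server_name`, so it does not cover `mastodon.<onion>`; Tor Browser will show a name-mismatch warning, and browsers ignore an HSTS header received over a connection with a certificate error, so the `add_header` adds nothing here. If the goal is a working entry point for Tor users, the usual approach is to keep the onion on plain HTTP (the Tor circuit already authenticates and encrypts it) and advertise it from the clearnet block with `add_header Onion-Location http://mastodon.<%= @onion_address %>$request_uri;`, or to obtain a certificate that includes the onion name.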