diff --git a/data_bags/credentials/akkounts.json b/data_bags/credentials/akkounts.json
index cc0a979..7914b0d 100644
--- a/data_bags/credentials/akkounts.json
+++ b/data_bags/credentials/akkounts.json
@@ -1,30 +1,37 @@
 {
 "id": "akkounts",
 "postgresql_username": {
- "encrypted_data": "drHBdPcrH3BqlsVfWP/vL5Thok8Uub6JhjuU\n",
- "iv": "n+08nhiHoK4jRVwd\n",
- "auth_tag": "elB4rx8k+jj34iQepECQNA==\n",
+ "encrypted_data": "W+Ia820+uYCAED9LRkQ1ZVe//56GRS5u0HrG\n",
+ "iv": "NpuVENC7C5FCjsEz\n",
+ "auth_tag": "KbqVv27nTc4qm7kzRWcjUQ==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "postgresql_password": {
- "encrypted_data": "Hu8yjpvf3/KY/K3gcbRbEce3OkjSrN91m2lCcePT+A==\n",
- "iv": "+GFS35dpYy4zD2pi\n",
- "auth_tag": "jCJQMskBFo9TSr8Uq7BWkw==\n",
+ "encrypted_data": "gPzUikJ3vBhjEzor0ie2341VPLRHNIvGvuD+HBwldw==\n",
+ "iv": "Jsnldm8Bx9IzXMNy\n",
+ "auth_tag": "63YXFGVxHn23X+/11qwTSA==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "sentry_dsn": {
- "encrypted_data": "KG8apiKfWa4gWwiz8tFLZywpp7gMp3hLDCREeR/RA6+i6Of7qYRx0YRzYdpE\n8gdaO0EOQZ4PXzVBsiIQy4ijHRt8udo2PNzzZP6h91jdAjw=\n",
- "iv": "KWU6LeHdE3iwPyBU\n",
- "auth_tag": "7pQO/t8pXiwrlb5xAas+Zg==\n",
+ "encrypted_data": "3aC1Nc+WiJIn+jc4HY4Rb1WAqCqEurbOLXhbah4zSIbVIaNGEKzaoC+IA+qi\nV1jAVxbE0A1w91MrGE6HNa+oMjiTMurYx7JzVBIpCm01rgo=\n",
+ "iv": "SxEbTBYY2Pa5BzAF\n",
+ "auth_tag": "zGkIpM/aeyuNm2F0I3VAcA==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "rails_master_key": {
- "encrypted_data": "E4OVlsZgm9wupyi9Xs7iEy11wJrCXL0Qrm9akulW7vmdrEfnI8KC6x1UooM+\nEI1fYmLs\n",
- "iv": "YFRMYT8D+bF+iu5+\n",
- "auth_tag": "wT7rorNWEKGNR7xQLTe/xg==\n",
+ "encrypted_data": "cWOeQYNzOjgDNi7ZpkMC/jN7nSPyODYRhA6EIhhihzPxkEDt+/4HGNAhLHGK\nlJiQeRD/\n",
+ "iv": "Svsvx9gsO9OQs9RV\n",
+ "auth_tag": "mXVNNo13F6FddhWnri1yHQ==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "discourse_connect_secret": {
+ "encrypted_data": "BQcE5fUkiqJyuOR1dR9vNyxWzgWGX1Wl1WINJDGJ1sJiajrgAspPgDt0dX5L\nhxG8CQ==\n",
+ "iv": "UKpt0F1FODuosQ9u\n",
+ "auth_tag": "MLgv0jR9MhWGmQNUkA8GUQ==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 }
diff --git a/environments/production.json b/environments/production.json
index f0d6f1c..0d0d0ac 100644
--- a/environments/production.json
+++ b/environments/production.json
@@ -2,6 +2,9 @@
 "name": "production",
 "override_attributes": {
 "akkounts": {
+ "discourse": {
+ "public_url": "https://community.kosmos.org"
+ },
 "lndhub": {
 "public_url": "https://lndhub.kosmos.org",
 "public_key": "024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946"
diff --git a/nodes/akkounts-1.json b/nodes/akkounts-1.json
index 9f670b3..dc47bff 100644
--- a/nodes/akkounts-1.json
+++ b/nodes/akkounts-1.json
@@ -9,7 +9,7 @@
 "automatic": {
 "fqdn": "akkounts-1",
 "os": "linux",
- "os_version": "5.4.0-100-generic",
+ "os_version": "5.4.0-148-generic",
 "hostname": "akkounts-1",
 "ipaddress": "192.168.122.160",
 "roles": [
diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json
index c216554..d8d9133 100644
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@@ -36,6 +36,8 @@
 "kosmos_garage::firewall_rpc",
 "kosmos_garage::nginx_web",
 "kosmos_gitea::nginx",
+ "kosmos_rsk::nginx_testnet",
+ "kosmos_rsk::nginx_mainnet",
 "kosmos_website",
 "kosmos_website::default",
 "kosmos-akkounts::nginx",
diff --git a/roles/nginx_proxy.rb b/roles/nginx_proxy.rb
index 2444bd9..bc6cc58 100644
--- a/roles/nginx_proxy.rb
+++ b/roles/nginx_proxy.rb
@@ -22,6 +22,8 @@ default_run_list = %w(
 kosmos_garage::firewall_rpc
 kosmos_garage::nginx_web
 kosmos_gitea::nginx
+ kosmos_rsk::nginx_testnet
+ kosmos_rsk::nginx_mainnet
 kosmos_website::default
 kosmos-akkounts::nginx
 kosmos-akkounts::nginx_api
diff --git a/roles/rskj_testnet.rb b/roles/rskj_testnet.rb
index 665f137..eff18a0 100644
--- a/roles/rskj_testnet.rb
+++ b/roles/rskj_testnet.rb
@@ -9,7 +9,6 @@ default_attributes 'rskj' => {
 default_run_list = %w(
 kosmos_rsk::rskj
- kosmos_rsk::nginx
 )
 env_run_lists(
diff --git a/site-cookbooks/kosmos-akkounts/attributes/default.rb b/site-cookbooks/kosmos-akkounts/attributes/default.rb
index b1a49e5..6188cb1 100644
--- a/site-cookbooks/kosmos-akkounts/attributes/default.rb
+++ b/site-cookbooks/kosmos-akkounts/attributes/default.rb
@@ -5,12 +5,14 @@ node.default['akkounts']['domain'] = 'accounts.kosmos.org'
 node.default['akkounts_api']['domain'] = 'api.kosmos.org'
-node.default['akkounts']['lndhub']['api_url'] = nil
-node.default['akkounts']['lndhub']['public_url'] = nil
-node.default['akkounts']['lndhub']['public_key'] = nil
-node.default['akkounts']['lndhub']['postgres_db'] = 'lndhub'
-
 node.default['akkounts']['smtp']['from_address'] = 'Kosmos Accounts '
 node.default['akkounts']['smtp']['domain'] = 'kosmos.org'
 node.default['akkounts']['smtp']['auth_method'] = 'plain'
 node.default['akkounts']['smtp']['enable_starttls'] = 'auto'
+
+node.default['akkounts']['discourse']['public_url'] = nil
+
+node.default['akkounts']['lndhub']['api_url'] = nil
+node.default['akkounts']['lndhub']['public_url'] = nil
+node.default['akkounts']['lndhub']['public_key'] = nil
+node.default['akkounts']['lndhub']['postgres_db'] = 'lndhub'
diff --git a/site-cookbooks/kosmos-akkounts/recipes/default.rb b/site-cookbooks/kosmos-akkounts/recipes/default.rb
index c6ae288..689ad4c 100644
--- a/site-cookbooks/kosmos-akkounts/recipes/default.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/default.rb
@@ -60,9 +60,14 @@ env[:sentry_dsn] = credentials["sentry_dsn"]
 if webhooks_allowed_ips.length > 0
 env[:webhooks_allowed_ips] = webhooks_allowed_ips
 end
+
 if btcpay_host
 env[:btcpay_api_url] = "http://#{btcpay_host}:23001/api/v1"
 end
+
+env[:discourse_public_url] = node['akkounts']['discourse']['public_url']
+env[:discourse_connect_secret] = credentials['discourse_connect_secret']
+
 if lndhub_host
 node.override["akkounts"]["lndhub"]["api_url"] = "http://#{lndhub_host}:3026"
 env[:lndhub_legacy_api_url] = node["akkounts"]["lndhub"]["api_url"]
diff --git a/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb b/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb
index 9db6621..db939fd 100644
--- a/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb
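Review bot: The two new `env[:discourse_*]` assignments run unconditionally, while the neighbouring `btcpay_host` and `lndhub_host` blocks only populate `env` when the integration is configured; with `public_url` defaulting to `nil` in the attributes file, every node without a Discourse override now carries a `discourse_public_url` entry holding nil, and `credentials['discourse_connect_secret']` is likewise nil wherever the data bag item lacks that key (how `env` renders a nil value is outside this hunk). Wrapping both lines in `if node['akkounts']['discourse']['public_url'] … end` keeps the opt-in pattern of the surrounding code. The new key is also quoted with single quotes where the hunk's existing lookups use `credentials["sentry_dsn"]`; one style would be easier to grep.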
+++ b/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb
@@ -27,6 +27,7 @@ server {
 proxy_buffers 1024 8k;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
 proxy_pass http://_discourse;
 proxy_http_version 1.1;
diff --git a/site-cookbooks/kosmos_rsk/attributes/default.rb b/site-cookbooks/kosmos_rsk/attributes/default.rb
index 63efc04..db0e916 100644
--- a/site-cookbooks/kosmos_rsk/attributes/default.rb
+++ b/site-cookbooks/kosmos_rsk/attributes/default.rb
@@ -1,2 +1,4 @@
-node.default['rskj']['version'] = '4.2.0~focal'
+node.default['rskj']['version'] = '4.4.0~focal'
 node.default['rskj']['network'] = 'testnet'
+
+node.default['rskj']['nginx']['domain'] = nil
diff --git a/site-cookbooks/kosmos_rsk/recipes/nginx.rb b/site-cookbooks/kosmos_rsk/recipes/nginx.rb
deleted file mode 100644
index 242d72f..0000000
--- a/site-cookbooks/kosmos_rsk/recipes/nginx.rb
+++ /dev/null
@@ -1,27 +0,0 @@
-#
-# Cookbook Name:: kosmos_rsk
-# Recipe:: nginx
-#
-
-include_recipe "kosmos-nginx"
-
-app_name = "rskj"
-domain = node[app_name]["nginx"]["domain"]
-
-nginx_certbot_site domain
-
-template "#{node['nginx']['dir']}/sites-available/#{domain}" do
- source "nginx_conf_#{app_name}.erb"
- owner 'www-data'
- mode 0640
- variables app_name: app_name,
- domain: domain,
- port: "4444",
- ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
- ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
- notifies :reload, 'service[nginx]', :delayed
-end
-
-nginx_site domain do
- action :enable
-end
diff --git a/site-cookbooks/kosmos_rsk/recipes/nginx_mainnet.rb b/site-cookbooks/kosmos_rsk/recipes/nginx_mainnet.rb
new file mode 100644
index 0000000..cf97f28
--- /dev/null
+++ b/site-cookbooks/kosmos_rsk/recipes/nginx_mainnet.rb
@@ -0,0 +1,8 @@
+#
+# Cookbook Name:: kosmos_rsk
+# Recipe:: nginx_mainnet
+#
+
+rskj_nginx_site "mainnet" do
+ domain "rsk.kosmos.org"
+end
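Review bot: `proxy_set_header X-Forwarded-Proto https;` hard-codes the scheme, which is only right if this `server` block terminates TLS exclusively; its `listen` directives are outside the hunk, so that cannot be confirmed here. `proxy_set_header X-Forwarded-Proto $scheme;` yields the same value for a TLS-only block and stays correct if a plain-HTTP listener is ever added to it, and the distinction matters because a Rails app behind a proxy derives `request.ssl?` (and with it secure-cookie and redirect behaviour) from this header.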
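Review bot: `node.default['rskj']['nginx']['domain'] = nil` is added, but nothing in this commit reads it: the deleted `recipes/nginx.rb` was its only consumer, and the new `nginx_mainnet`/`nginx_testnet` recipes hand literal domains to `rskj_nginx_site`. Either drop the attribute or have those recipes read their domain from a per-network attribute so an environment can override the hostname without editing the cookbook; if it is kept as a placeholder, a one-line comment saying what it is reserved for would stop the next reader from hunting for its user.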
diff --git a/site-cookbooks/kosmos_rsk/recipes/nginx_testnet.rb b/site-cookbooks/kosmos_rsk/recipes/nginx_testnet.rb
new file mode 100644
index 0000000..49a0e89
--- /dev/null
+++ b/site-cookbooks/kosmos_rsk/recipes/nginx_testnet.rb
@@ -0,0 +1,8 @@
+#
+# Cookbook Name:: kosmos_rsk
+# Recipe:: nginx_testnet
+#
+
+rskj_nginx_site "testnet" do
+ domain "rsk-testnet.kosmos.org"
+end
diff --git a/site-cookbooks/kosmos_rsk/resources/nginx_site.rb b/site-cookbooks/kosmos_rsk/resources/nginx_site.rb
new file mode 100644
index 0000000..2230655
--- /dev/null
+++ b/site-cookbooks/kosmos_rsk/resources/nginx_site.rb
@@ -0,0 +1,37 @@
+resource_name :rskj_nginx_site
+provides :rskj_nginx_site
+
+property :network, String, required: true, name_property: true
+property :domain, String, required: true
+
+action :create do
+ include_recipe "kosmos-nginx"
+
+ network = new_resource.network
+ domain = new_resource.domain
+
+ nginx_certbot_site domain
+
+ upstream_hosts = []
+ search(:node, "role:rskj_#{network}").each do |node|
+ upstream_hosts << node["knife_zero"]["host"]
+ end
+ upstream_hosts.push("localhost") if upstream_hosts.empty?
+
+ template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+ source "nginx_conf_rskj.erb"
+ owner 'www-data'
+ mode 0640
+ variables domain: domain,
+ upstream_name: "rskj_#{network}",
+ upstream_hosts: upstream_hosts,
+ upstream_port: "4444",
+ ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+ notifies :reload, 'service[nginx]', :delayed
+ end
+
+ nginx_site domain do
+ action :enable
+ end
+end
diff --git a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
index 1a14d5c..9831d8b 100644
--- a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
+++ b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
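Review bot: `upstream_hosts << node["knife_zero"]["host"]` never checks for a missing attribute, so a node matching `role:rskj_#{network}` that lacks `knife_zero.host` pushes nil, the template renders `server :4444;`, and nginx rejects the whole config on the notified reload. The `localhost` fallback is also silent: when the search finds no node for a network, the public hostname for that network is proxied to whatever happens to listen on the proxy host's port 4444, which may be nothing or the other chain's node, and nothing in the run log says so. Dropping nils and logging the fallback with `Chef::Log.warn` keeps the behaviour while making both failure modes visible. The block parameter `|node|` additionally shadows Chef's `node`, which the `template` resource below relies on, so a different name reads more safely.
```ruby
  upstream_hosts = search(:node, "role:rskj_#{network}")
                   .map { |found| found["knife_zero"] && found["knife_zero"]["host"] }
                   .compact
  if upstream_hosts.empty?
    Chef::Log.warn("rskj_nginx_site[#{network}]: no role:rskj_#{network} node found, proxying #{domain} to localhost")
    upstream_hosts.push("localhost")
  end
  # … unchanged: template and nginx_site resources …
```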
@@ -1,23 +1,39 @@
-# Generated by Chef
-<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+upstream _<%= @upstream_name %> {
+<% @upstream_hosts.each do |host| %>
+ server <%= host %>:<%= @upstream_port %>;
+<% end %>
+}
+
 server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
- add_header Strict-Transport-Security "max-age=15768000";
-
- ssl_certificate <%= @ssl_cert %>;
- ssl_certificate_key <%= @ssl_key %>;
 server_name <%= @domain %>;
+ add_header Strict-Transport-Security "max-age=15768000";
+
 access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
 error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
 location / {
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ add_header 'Access-Control-Max-Age' 1209600;
+ add_header 'Content-Type' 'text/plain; charset=utf-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_redirect off;
- proxy_pass http://localhost:<%= @port %>;
+ proxy_pass http://_<%= @upstream_name %>;
 }
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
 }
-<% end -%>
diff --git a/site-cookbooks/kosmos_rsk/test/integration/rskj/rskj_test.rb b/site-cookbooks/kosmos_rsk/test/integration/rskj/rskj_test.rb
index a37cf79..605d734 100644
--- a/site-cookbooks/kosmos_rsk/test/integration/rskj/rskj_test.rb
+++ b/site-cookbooks/kosmos_rsk/test/integration/rskj/rskj_test.rb
@@ -9,7 +9,7 @@ end
 describe package('rskj') do
 it { should be_installed }
- its('version') { should eq '4.2.0~focal' }
+ its('version') { should eq '4.4.0~focal' }
 end
 describe service('rsk') do
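Review bot: The rewrite drops the `<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>` guard, so the vhost is now rendered even when the Let's Encrypt files are absent, for example when `nginx_certbot_site` could not obtain a certificate on a fresh host; the notified reload then fails for every site on that nginx, not only this one (whether `nginx_certbot_site` guarantees the files exist is outside this diff). Keeping the guard, or giving the `template` resource in `nginx_site.rb` an `only_if` that checks both certificate paths, preserves the previous fail-safe. Separately, the CORS headers are emitted only for the `OPTIONS` preflight: the proxied GET/POST responses carry no `Access-Control-Allow-Origin`, so a browser still refuses to expose them to the calling page unless the RSK node adds that header itself. `'*'` also admits every origin, which may be intended for an unauthenticated public RPC but deserves a comment in the template saying so.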
@@ -21,3 +21,10 @@ end
 describe port(4444) do
 it { should be_listening }
 end
+
+describe parse_config_file('/etc/rsk/node.conf', {
+ assignment_regex: /^\s*([^=]*?)\s*=\s*(.*?)\s*$/
+}) do
+ its(['blockchain.config.name']) { should eq '"testnet"' }
+ its(['database.dir']) { should eq '/var/lib/rsk/database/testnet' }
+end