Merge pull request 'Deploy Sockethub from the npm package' (#146) from feature/145-sockethub_from_npm into master

Reviewed-on: #146
Râu Cao 2021-08-31 09:00:07 +00:00
commit 483481b141
10 changed files with 174 additions and 76 deletions


@ -34,6 +34,7 @@
"kosmos_kvm::host", "kosmos_kvm::host",
"kosmos-ejabberd::firewall", "kosmos-ejabberd::firewall",
"kosmos_zerotier::firewall", "kosmos_zerotier::firewall",
"sockethub::_firewall",
"apt::default", "apt::default",
"timezone_iii::default", "timezone_iii::default",
"timezone_iii::debian", "timezone_iii::debian",
@ -85,6 +86,7 @@
"recipe[kosmos_assets::nginx_site]", "recipe[kosmos_assets::nginx_site]",
"recipe[kosmos_kvm::host]", "recipe[kosmos_kvm::host]",
"recipe[kosmos-ejabberd::firewall]", "recipe[kosmos-ejabberd::firewall]",
"recipe[kosmos_zerotier::firewall]" "recipe[kosmos_zerotier::firewall]",
"recipe[sockethub::_firewall]"
] ]
} }


@ -12,7 +12,8 @@
"hostname": "nodejs-2", "hostname": "nodejs-2",
"ipaddress": "192.168.122.243", "ipaddress": "192.168.122.243",
"roles": [ "roles": [
"kredits_github" "kredits_github",
"sockethub"
], ],
"recipes": [ "recipes": [
"kosmos-base", "kosmos-base",
@ -21,6 +22,9 @@
"kredits-github", "kredits-github",
"kredits-github::default", "kredits-github::default",
"kredits-github::nginx", "kredits-github::nginx",
"sockethub",
"sockethub::default",
"sockethub::proxy",
"apt::default", "apt::default",
"timezone_iii::default", "timezone_iii::default",
"timezone_iii::debian", "timezone_iii::debian",
@ -51,6 +55,14 @@
"nginx::commons_script", "nginx::commons_script",
"nginx::commons_conf", "nginx::commons_conf",
"kosmos-nginx::firewall", "kosmos-nginx::firewall",
"kosmos-redis::default",
"redis::server",
"redis::default",
"backup::default",
"logrotate::default",
"nodejs::npm",
"nodejs::install",
"sockethub::_firewall",
"kosmos-base::letsencrypt" "kosmos-base::letsencrypt"
], ],
"platform": "ubuntu", "platform": "ubuntu",
@ -70,6 +82,7 @@
"run_list": [ "run_list": [
"recipe[kosmos-base]", "recipe[kosmos-base]",
"recipe[kosmos-hubot::wormhole]", "recipe[kosmos-hubot::wormhole]",
"role[kredits_github]" "role[kredits_github]",
"role[sockethub]"
] ]
} }

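--- /dev/null
+++ b/roles/sockethub.rb
@@ -0,0 +1,6 @@
+name "sockethub"
+run_list %w(
+sockethub::default
+sockethub::proxy
+)
+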

@ -1,4 +1,5 @@
node.default['sockethub']['port'] = '10551' node.default['sockethub']['port'] = '10551'
node.default['sockethub']['external_port'] = '10550' node.default['sockethub']['external_port'] = '10550'
node.default['sockethub']['revision'] = 'v3.0.1' node.default['sockethub']['version'] = '4.0.1'
node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org' node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org'
node.default['sockethub']['debug_logs'] = 'sockethub*'
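Review bot: The new `node.default['sockethub']['debug_logs'] = 'sockethub*'` means the `DEBUG` variable is always exported and verbose debug output is on in every environment, even though the recipe guards it with a `.nil?` check as if it were optional. Depending on what sockethub prints at debug level this may put message payloads into the journal on the production node — worth confirming. If debugging is meant to be opt-in, set `node.default['sockethub']['debug_logs'] = nil` here and override it per node or environment; if it is meant to be on by default, a one-line comment saying so (and why) would remove the ambiguity.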


@ -4,9 +4,8 @@ maintainer_email 'mail@kosmos.org'
license 'MIT' license 'MIT'
description 'Installs/Configures sockethub' description 'Installs/Configures sockethub'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '0.1.1' version '0.2.0'
depends 'application_javascript'
depends 'kosmos-redis' depends 'kosmos-redis'
depends 'kosmos-nodejs' depends 'kosmos-nodejs'
depends 'kosmos-nginx' depends 'kosmos-nginx'


@ -27,11 +27,15 @@
include_recipe 'kosmos-nodejs' include_recipe 'kosmos-nodejs'
include_recipe 'kosmos-redis' include_recipe 'kosmos-redis'
group "sockethub" do user = "sockethub"
group = "sockethub"
entry = "/usr/bin/sockethub"
group group do
gid 7625 gid 7625
end end
user "sockethub" do user user do
comment "sockethub user" comment "sockethub user"
uid 7625 uid 7625
gid 7625 gid 7625
@ -39,47 +43,43 @@ user "sockethub" do
shell "/bin/bash" shell "/bin/bash"
end end
path_to_deploy = "/opt/sockethub" npm_package "sockethub" do
application path_to_deploy do version node['sockethub']['version']
owner "sockethub" end
group "sockethub"
execute "systemctl daemon-reload" do
git do command "systemctl daemon-reload"
user "sockethub" action :nothing
group "sockethub" end
repository 'https://github.com/sockethub/sockethub.git'
revision node['sockethub']['revision'] environment_variables = {
end 'PORT' => node['sockethub']['port'],
# Use the second database (index starts at 0)
npm_install do 'REDIS_URL' => "redis://localhost:6379/1"
user "sockethub" }
end unless node['sockethub']['debug_logs'].nil?
environment_variables['DEBUG'] = node['sockethub']['debug_logs']
execute "systemctl daemon-reload" do end
command "systemctl daemon-reload"
action :nothing environment = environment_variables.map{|k, v| "'#{k}=#{v}'"}.join(' ')
end
systemd_unit "sockethub_nodejs.service" do
template "/lib/systemd/system/sockethub_nodejs.service" do content <<-EOF
source 'nodejs.systemd.service.erb' [Unit]
owner 'root' Description=Start sockethub
group 'root' Requires=redis-server.service
mode '0644' After=redis-server.service
variables(
user: "sockethub", [Service]
group: "sockethub", ExecStart=#{entry}
app_dir: path_to_deploy, User=#{user}
entry: "/usr/bin/node /usr/bin/npm start", Group=#{group}
environment: { 'DEBUG' => '*', Environment=#{environment}
'PORT' => node['sockethub']['port'], Restart=always
# Use the second database (index starts at 0)
'REDIS_URL' => "redis://localhost:6379/1" } [Install]
) WantedBy=multi-user.target
notifies :run, "execute[systemctl daemon-reload]", :delayed EOF
notifies :restart, "service[sockethub_nodejs]", :delayed triggers_reload true
end action [:create, :enable, :start]
service "sockethub_nodejs" do
action [:enable, :start]
end
end end
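Review bot: The `systemd_unit "sockethub_nodejs.service"` content starts a network-facing Node process whose only isolation is the unprivileged `sockethub` user; now that the unit is generated inline, adding `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` under `[Service]` is cheap and limits what a compromised process can reach (`full` rather than `strict`, since it is not visible here whether sockethub writes anywhere outside /tmp). `npm_package "sockethub"` pins an exact version, which is good, but unless the resource is given a `user` the global install and any install scripts in the dependency tree presumably run as root — worth confirming that is intended. `environment_variables.map{|k, v| "'#{k}=#{v}'"}` does not escape a `'` inside a value, so an attribute containing one would corrupt the `Environment=` line; the current values are safe, but a comment or a `Shellwords.escape` would make the assumption explicit. The `user` resource that the second hunk continues begins in the first hunk above.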


@ -26,8 +26,41 @@
include_recipe 'sockethub::_firewall' include_recipe 'sockethub::_firewall'
include_recipe 'kosmos-nginx' include_recipe 'kosmos-nginx'
include_recipe "kosmos-base::letsencrypt"
server_name = node['sockethub']['nginx']['server_name'] server_name = node['sockethub']['nginx']['server_name']
nginx_post_hook = <<-EOF
#!/usr/bin/env bash
set -e
systemctl reload nginx
EOF
file "/etc/letsencrypt/renewal-hooks/post/nginx" do
content nginx_post_hook
mode 0755
owner "root"
group "root"
end
gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
template "/root/gandi_dns_certbot_hook.sh" do
variables gandi_api_key: gandi_api_data_bag_item["key"]
mode 0770
end
# Generate a Let's Encrypt cert (only if no cert has been generated before).
# The systemd timer will take care of renewing
execute "letsencrypt cert for sockethub" do
command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/nginx\" --email ops@kosmos.org -d #{server_name} -n"
not_if do
File.exist?("/etc/letsencrypt/live/#{server_name}/fullchain.pem")
end
end
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
source 'nginx_conf_sockethub.erb' source 'nginx_conf_sockethub.erb'
owner 'www-data' owner 'www-data'
@ -40,13 +73,7 @@ template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
notifies :reload, 'service[nginx]', :delayed notifies :reload, 'service[nginx]', :delayed
end end
# Legacy vhost
nginx_site "sockethub" do
action :disable
end
nginx_site server_name do nginx_site server_name do
action :enable action :enable
end end
nginx_certbot_site server_name
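Review bot: The `template "/root/gandi_dns_certbot_hook.sh"` resource renders the Gandi API key from the `credentials` data bag without `sensitive true`, so chef-client prints the rendered file, key included, in its log and diff output whenever the content changes; add `sensitive true` to the resource. `mode 0770` also grants group write and execute while no `owner`/`group` is set, so ownership depends on whatever user runs chef-client — `owner "root"`, `group "root"`, `mode 0700` match what the file holds and how certbot invokes it. The `execute "letsencrypt cert for sockethub"` guard only checks for `fullchain.pem`, so a node whose first certbot run fails will simply retry on the next converge, which looks intended but deserves a comment since the nginx template is still rendered afterwards.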


@ -8,10 +8,13 @@ map $http_upgrade $connection_upgrade {
'' close; '' close;
} }
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
server { server {
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
listen <%= @sockethub_external_port %> ssl http2; listen <%= @sockethub_external_port %> ssl http2;
add_header Strict-Transport-Security "max-age=15768000"; add_header Strict-Transport-Security "max-age=15768000";
<% else -%>
listen <%= @sockethub_external_port %>;
<% end -%>
server_name <%= @server_name %>; server_name <%= @server_name %>;
@ -32,7 +35,8 @@ server {
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
} }
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
ssl_certificate <%= @ssl_cert %>; ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>; ssl_certificate_key <%= @ssl_key %>;
<% end -%>
} }
<% end -%>
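Review bot: Moving the `File.exist?(@ssl_cert) && File.exist?(@ssl_key)` check inside the `server` block makes the vhost fail open: when the certificate files are missing the proxy now listens on the public port in plain HTTP via the new `<% else -%>` branch, whereas the old template rendered no server at all. The recipe runs certbot before this template, so the branch should normally not be hit, but a failed certbot run would then silently downgrade WebSocket traffic to cleartext instead of producing an error. If the plain listener exists only so nginx can start before the first certificate is issued, consider having it refuse traffic, e.g. `return 444;` in the `<% else -%>` branch, or raising in the recipe when the files are absent.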


@ -1,17 +0,0 @@
[Unit]
Description=Start nodejs app
Requires=redis-server.service
After=redis-server.service
[Service]
ExecStart=<%= @entry %>
WorkingDirectory=<%= @app_dir %>
User=<%= @user %>
Group=<%= @group %>
<% unless @environment.empty? -%>
Environment=<% @environment.each do |key, value| -%>'<%= key %>=<%= value %>' <% end %>
<% end -%>
Restart=always
[Install]
WantedBy=multi-user.target


@ -0,0 +1,63 @@
#!/usr/bin/env bash
#
set -euf -o pipefail
# ************** USAGE **************
#
# Example usage (with this hook file saved in /root/):
#
# sudo su -
# certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
# --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
#
# This hook requires configuration, continue reading.
#
# ************** CONFIGURATION **************
#
# GANDI_API_KEY: Your Gandi Live API key
#
# PROVIDER_UPDATE_DELAY:
# How many seconds to wait after updating your DNS records. This may be required,
# depending on how slow your DNS host is to begin serving new DNS records after updating
# them via the API. 30 seconds is a safe default, but some providers can be very slow
# (e.g. Linode).
#
# Defaults to 30 seconds.
#
GANDI_API_KEY="<%= @gandi_api_key %>"
PROVIDER_UPDATE_DELAY=30
regex='.*\.(.*\..*)'
if [[ $CERTBOT_DOMAIN =~ $regex ]]
then
DOMAIN="${BASH_REMATCH[1]}"
else
DOMAIN="${CERTBOT_DOMAIN}"
fi
# To be invoked via Certbot's --manual-auth-hook
function auth {
curl -s -D- -H "Content-Type: application/json" \
-H "X-Api-Key: ${GANDI_API_KEY}" \
-d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
\"rrset_type\": \"TXT\",
\"rrset_ttl\": 3600,
\"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
"https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
sleep ${PROVIDER_UPDATE_DELAY}
}
# To be invoked via Certbot's --manual-cleanup-hook
function cleanup {
curl -s -X DELETE -H "Content-Type: application/json" \
-H "X-Api-Key: ${GANDI_API_KEY}" \
https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
}
HANDLER=$1; shift;
if [ -n "$(type -t $HANDLER)" ] && [ "$(type -t $HANDLER)" = function ]; then
$HANDLER "$@"
fi
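Review bot: In `auth` the API call uses `curl -s` without `--fail`, so an HTTP error from Gandi (rejected key, or a 4xx because `_acme-challenge` already exists from an earlier aborted run) still exits 0, `set -e` never fires, and the hook sleeps 30 s and returns success, leaving certbot to fail DNS validation later with no hint of the cause; `curl -sSf ...` in both `auth` and `cleanup` would surface the error and abort immediately. The dispatcher at the bottom invokes whatever function name arrives as `$1`, which is fine while certbot is the only caller, but the unquoted `$HANDLER` in the `type -t` tests should be `"$HANDLER"` to be consistent with `set -u`. The usage comment still refers to `/root/letsencrypt_hook.sh` and 5apps.com domains rather than the `/root/gandi_dns_certbot_hook.sh` path this template is deployed to in the recipe — worth updating so the example matches.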