Merge pull request 'Add Liquor Cabinet cookbooks and configs, deploy to production' (#541) from feature/535-liquor_cabinet into master

Reviewed-on: #541

site-cookbooks/kosmos-akkounts/attributes/default.rb

@@ -19,3 +19,9 @@ node.default['akkounts']['lndhub']['api_url'] = nil
 node.default['akkounts']['lndhub']['public_url'] = nil
 node.default['akkounts']['lndhub']['public_key'] = nil
 node.default['akkounts']['lndhub']['postgres_db'] = 'lndhub'
+
+node.default['akkounts']['s3_enabled'] = true
+node.default['akkounts']['s3_endpoint'] = "https://s3.kosmos.org"
+node.default['akkounts']['s3_region'] = "garage"
+node.default['akkounts']['s3_bucket'] = "akkounts-production"
+node.default['akkounts']['s3_alias_host'] = "https://s3.accounts.kosmos.org"

site-cookbooks/kosmos-akkounts/recipes/default.rb

@@ -69,17 +69,33 @@ if webhooks_allowed_ips.length > 0
   env[:webhooks_allowed_ips] = webhooks_allowed_ips
 end
 
+#
+# BTCPay Server
+#
+
 if btcpay_host
   env[:btcpay_api_url] = "http://#{btcpay_host}:23001/api/v1"
   env[:btcpay_store_id] = node['akkounts']['btcpay']['store_id']
   env[:btcpay_auth_token] = credentials["btcpay_auth_token"]
 end
 
+#
+# Discourse
+#
+
 env[:discourse_public_url] = "https://#{node['discourse']['domain']}"
 env[:discourse_connect_secret] = credentials['discourse_connect_secret']
 
+#
+# Drone CI
+#
+
 env[:droneci_public_url] = node["droneci"]["public_url"]
 
+#
+# ejabberd
+#
+
 ejabberd_private_ip_addresses = []
 search(:node, "role:ejabberd").each do |node|
   ejabberd_private_ip_addresses << node["knife_zero"]["host"]
@@ -101,8 +117,16 @@ if ejabberd_private_ip_addresses.size > 0
   env[:ejabberd_admin_url] = node['akkounts']['ejabberd']['admin_url']
 end
 
+#
+# Gitea
+#
+
 env[:gitea_public_url] = "https://#{node['gitea']['domain']}"
 
+#
+# lndhub.go
+#
+
 if lndhub_host
   node.override["akkounts"]["lndhub"]["api_url"] = "http://#{lndhub_host}:3026"
   env[:lndhub_legacy_api_url] = node["akkounts"]["lndhub"]["api_url"]
@@ -119,10 +143,49 @@ if lndhub_host
   end
 end
 
+#
+# Mastodon
+#
+
 env[:mastodon_public_url] = "https://#{node['kosmos-mastodon']['domain']}"
 
+#
+# MediaWiki
+#
+
 env[:mediawiki_public_url] = node['mediawiki']['url']
 
+#
+# remoteStorage / Liquor Cabinet
+#
+
+env[:rs_storage_url] = "https://#{node['liquor-cabinet']['domain']}"
+
+rs_redis_host = search(:node, "role:redis_server").first["knife_zero"]["host"] rescue nil
+rs_redis_port = node['liquor-cabinet']['redis_port']
+rs_redis_db = node['liquor-cabinet']['redis_db']
+if rs_redis_host
+  env[:rs_redis_url] = "redis://#{rs_redis_host}:#{rs_redis_port}/#{rs_redis_db}"
+end
+
+#
+# S3
+#
+
+if node['akkounts']['s3_enabled']
+  env[:s3_enabled] = true
+  env[:s3_endpoint] = node['akkounts']['s3_endpoint']
+  env[:s3_region] = node['akkounts']['s3_region']
+  env[:s3_bucket] = node['akkounts']['s3_bucket']
+  env[:s3_alias_host] = node['akkounts']['s3_alias_host']
+  env[:s3_access_key] = credentials['s3_access_key']
+  env[:s3_secret_key] = credentials['s3_secret_key']
+end
+
+#
+# Akkounts Deployment
+#
+
 systemd_unit "akkounts.service" do
   content({
     Unit: {

site-cookbooks/kosmos_liquor-cabinet/.gitignore

@@ -0,0 +1,25 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef Infra
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
+
+.idea/
+

site-cookbooks/kosmos_liquor-cabinet/CHANGELOG.md

@@ -0,0 +1,7 @@
+# kosmos_liquor-cabinet CHANGELOG
+
+This file is used to list changes made in each version of the kosmos_liquor-cabinet cookbook.
+
+## 0.1.0
+
+Initial release.

site-cookbooks/kosmos_liquor-cabinet/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2024 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

site-cookbooks/kosmos_liquor-cabinet/README.md

@@ -0,0 +1,7 @@
+# kosmos_liquor-cabinet
+
+Installs/configures the [Liquor Cabinet][1] [remoteStorage][2] API server and
+reverse proxy.
+
+[1]: https://gitea.kosmos.org/5apps/liquor-cabinet
+[2]: https://remotestorage.io

site-cookbooks/kosmos_liquor-cabinet/attributes/default.rb

@@ -0,0 +1,4 @@
+node.default['liquor-cabinet']['app_server_role'] = 'liquor_cabinet'
+node.default['liquor-cabinet']['max_upload_size'] = 100 # MB
+node.default['liquor-cabinet']['server_name'] = 'storage.example.com'
+node.default['liquor-cabinet']['root_redirect_url'] = 'https://example.com/storage'

site-cookbooks/kosmos_liquor-cabinet/chefignore

@@ -0,0 +1,115 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+.envrc
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+REVISION
+TAGS*
+tmtags
+.vscode
+.editorconfig
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+mkmf.log
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.delivery/*
+.foodcritic
+.kitchen*
+.mdlrc
+.overcommit.yml
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+.yamllint
+azure-pipelines.yml
+Dangerfile
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+mlc_config.json
+Procfile
+Rakefile
+spec/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitkeep
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Documentation #
+#############
+CODE_OF_CONDUCT*
+CONTRIBUTING*
+documentation/*
+TESTING*
+UPGRADING*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

site-cookbooks/kosmos_liquor-cabinet/kitchen.yml

@@ -0,0 +1,37 @@
+---
+driver:
+  name: dokken
+  privileged: true  # allows systemd services to start
+
+provisioner:
+  name: dokken
+
+transport:
+  name: dokken
+
+verifier:
+  name: inspec
+
+platforms:
+  # @see https://github.com/chef-cookbooks/testing_examples/blob/main/kitchen.dokken.yml
+  # @see https://hub.docker.com/u/dokken
+  - name: ubuntu-20.04
+    driver:
+      image: dokken/ubuntu-20.04
+      pid_one_command: /bin/systemd
+      intermediate_instructions:
+        - RUN /usr/bin/apt-get update
+
+  - name: centos-8
+    driver:
+      image: dokken/centos-8
+      pid_one_command: /usr/lib/systemd/systemd
+
+suites:
+  - name: default
+    run_list:
+      - recipe[kosmos_liquor-cabinet::default]
+    verifier:
+      inspec_tests:
+        - test/integration/default
+    attributes:

site-cookbooks/kosmos_liquor-cabinet/metadata.rb

@@ -0,0 +1,12 @@
+name 'kosmos_liquor-cabinet'
+maintainer 'Kosmos Developers'
+maintainer_email 'ops@kosmos.org'
+license 'MIT'
+description 'Installs/configures Liquor Cabinet API and reverse proxy'
+version '0.1.0'
+chef_version '>= 18.2'
+issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
+# source_url 'https://gitea.kosmos.org/kosmos/chef'
+
+depends 'liquor_cabinet'
+depends 'kosmos_openresty'

site-cookbooks/kosmos_liquor-cabinet/recipes/default.rb

@@ -0,0 +1,6 @@
+#
+# Cookbook:: kosmos_liquor-cabinet
+# Recipe:: default
+#
+
+include_recipe 'liquor_cabinet'

site-cookbooks/kosmos_liquor-cabinet/recipes/nginx.rb

@@ -0,0 +1,30 @@
+#
+# Cookbook:: kosmos_liquor-cabinet
+# Recipe:: nginx
+#
+
+app_name = node['liquor-cabinet']['app_name']
+domain   = node[app_name]['domain']
+
+tls_cert_for domain do
+  auth "gandi_dns"
+  action :create
+end
+
+upstream_hosts = []
+search(:node, "role:#{node[app_name]['app_server_role']}").each do |node|
+  upstream_hosts << node["knife_zero"]["host"]
+end
+upstream_hosts.push("localhost") if upstream_hosts.empty?
+
+openresty_site domain do
+  template "nginx_conf_liquor-cabinet.erb"
+  variables app_name: app_name,
+            server_name: domain,
+            root_redirect_url: node[app_name]['root_redirect_url'],
+            max_upload_size: node['liquor-cabinet']['max_upload_size'],
+            upstream_hosts: upstream_hosts,
+            upstream_port: node[app_name]['rainbows']['port'],
+            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+end

site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb

@@ -0,0 +1,79 @@
+#
+# Generated by Chef
+#
+upstream _<%= @app_name %> {
+<% @upstream_hosts.each do |host| -%>
+  server <%= host %>:<%= @upstream_port %>;
+<% end -%>
+}
+
+# TODO use cookbook attribute when enabling
+# variables_hash_max_size 2048;
+
+server {
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80;
+  listen [::]:80;
+  server_name <%= @server_name %>;
+  # Redirect to https
+  location / {
+    return 301 https://<%= @server_name %>$request_uri;
+  }
+}
+
+server {
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name <%= @server_name %>;
+
+  access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log; # TODO json_liquor_cabinet;
+  error_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.error.log warn;
+
+  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
+
+  # TODO
+  # log_by_lua_file "<%= @log_by_lua_file %>";
+
+  # We need strong ETags, disable compression
+  gzip off;
+  # brotli off;
+  # pagespeed off;
+
+  # Set a large maximum upload size
+  client_max_body_size <%= @max_upload_size %>m;
+
+  # TODO
+  # Use rate limiting (the zone is defined in
+  # /etc/nginx/conf.d/rate_limiting.conf)
+  # limit_req zone=per_ip burst=5000;
+
+  location = / {
+    return 301 <%= @root_redirect_url %>;
+  }
+
+  location / {
+    try_files $uri @proxy;
+  }
+
+  location @proxy {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Host $http_host;
+
+    proxy_redirect off;
+
+    proxy_buffering on;
+    # Increase number of buffers. Default is 8
+    proxy_buffers 1024 8k;
+
+    # Needed for big uploads
+    proxy_read_timeout 180s;
+    proxy_send_timeout 180s;
+
+    proxy_pass http://_<%= @app_name %>;
+
+    proxy_next_upstream error timeout http_502 http_500;
+  }
+
+  ssl_certificate <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+}

site-cookbooks/kosmos_website/templates/nginx_conf_website.erb

@@ -18,15 +18,8 @@ server {
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
-  location /.well-known/lnurlp/ {
+  location ~ ^/.well-known/(webfinger|nostr|lnurlp|keysend) {
     proxy_ssl_server_name on;
-    rewrite /.well-known/lnurlp/([^/]+) /lnurlpay/$1@kosmos.org break;
-    proxy_pass https://accounts.kosmos.org;
-  }
-
-  location /.well-known/keysend/ {
-    proxy_ssl_server_name on;
-    rewrite /.well-known/keysend/([^/]+) /keysend/$1@kosmos.org break;
     proxy_pass https://accounts.kosmos.org;
   }
 }

site-cookbooks/liquor_cabinet/.gitignore

@@ -0,0 +1,25 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef Infra
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
+
+.idea/
+

site-cookbooks/liquor_cabinet/CHANGELOG.md

@@ -0,0 +1,7 @@
+# liquor_cabinet CHANGELOG
+
+This file is used to list changes made in each version of the liquor_cabinet cookbook.
+
+## 0.1.0
+
+Initial release.

site-cookbooks/liquor_cabinet/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2024 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

site-cookbooks/liquor_cabinet/README.md

@@ -0,0 +1,6 @@
+# liquor_cabinet
+
+Installs/configures the [Liquor Cabinet][1] [remoteStorage][2] API server.
+
+[1]: https://gitea.kosmos.org/5apps/liquor-cabinet
+[2]: https://remotestorage.io

site-cookbooks/liquor_cabinet/attributes/default.rb

@@ -0,0 +1,28 @@
+node.default['liquor-cabinet']['app_name'] = "liquor-cabinet"
+node.default['liquor-cabinet']['user'] = "deploy"
+node.default['liquor-cabinet']['group'] = "deploy"
+node.default['liquor-cabinet']['repo'] = 'https://gitea.kosmos.org/5apps/liquor-cabinet.git'
+node.default['liquor-cabinet']['revision'] = 'master'
+node.default['liquor-cabinet']['deploy_path'] = "/opt/#{node['liquor-cabinet']['app_name']}"
+node.default['liquor-cabinet']['redis_server_role'] = 'redis_server'
+node.default['liquor-cabinet']['redis_port'] = 6379
+node.default['liquor-cabinet']['redis_db'] = 1
+node.default['liquor-cabinet']['s3_endpoint'] = nil
+node.default['liquor-cabinet']['s3_region'] = nil
+node.default['liquor-cabinet']['s3_bucket'] = nil
+node.default['liquor-cabinet']['ufw_source_allowed'] = nil
+node.default['liquor-cabinet']['maintenance_mode_enabled'] = false
+node.default['liquor-cabinet']['ruby']['version'] = "3.1.4"
+node.default['liquor-cabinet']['rainbows'] = {
+  'port' => 3000,
+  'preload_app' => true,
+  'timeout' => 60,
+  'worker_processes' => node['cpu']['total'],
+  'worker_connections' => 100,
+  'client_header_buffer_size' => 1024,
+  'client_max_body_size' => 104857600,
+  'client_max_header_size' => 114688,
+  'copy_stream' => 'IO',
+  'keepalive_requests' => 100,
+  'keepalive_timeout' => 5
+}

site-cookbooks/liquor_cabinet/chefignore

@@ -0,0 +1,115 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+.envrc
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+REVISION
+TAGS*
+tmtags
+.vscode
+.editorconfig
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+mkmf.log
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.delivery/*
+.foodcritic
+.kitchen*
+.mdlrc
+.overcommit.yml
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+.yamllint
+azure-pipelines.yml
+Dangerfile
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+mlc_config.json
+Procfile
+Rakefile
+spec/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitkeep
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Documentation #
+#############
+CODE_OF_CONDUCT*
+CONTRIBUTING*
+documentation/*
+TESTING*
+UPGRADING*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

site-cookbooks/liquor_cabinet/kitchen.yml

@@ -0,0 +1,37 @@
+---
+driver:
+  name: dokken
+  privileged: true  # allows systemd services to start
+
+provisioner:
+  name: dokken
+
+transport:
+  name: dokken
+
+verifier:
+  name: inspec
+
+platforms:
+  # @see https://github.com/chef-cookbooks/testing_examples/blob/main/kitchen.dokken.yml
+  # @see https://hub.docker.com/u/dokken
+  - name: ubuntu-20.04
+    driver:
+      image: dokken/ubuntu-20.04
+      pid_one_command: /bin/systemd
+      intermediate_instructions:
+        - RUN /usr/bin/apt-get update
+
+  - name: centos-8
+    driver:
+      image: dokken/centos-8
+      pid_one_command: /usr/lib/systemd/systemd
+
+suites:
+  - name: default
+    run_list:
+      - recipe[liquor_cabinet::default]
+    verifier:
+      inspec_tests:
+        - test/integration/default
+    attributes:

site-cookbooks/liquor_cabinet/metadata.rb

@@ -0,0 +1,12 @@
+name 'liquor_cabinet'
+maintainer 'Kosmos Developers'
+maintainer_email 'ops@kosmos.org'
+license 'MIT'
+description 'Installs/configures the Liquor Cabinet remoteStorage API server'
+version '0.1.0'
+chef_version '>= 18.2'
+issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
+# source_url 'https://gitea.kosmos.org/kosmos/chef'
+
+depends 'firewall'
+depends "ruby_build"

site-cookbooks/liquor_cabinet/recipes/default.rb

@@ -0,0 +1,139 @@
+#
+# Cookbook:: liquor_cabinet
+# Recipe:: default
+#
+
+app_name     = node['liquor-cabinet']['app_name']
+deploy_user  = node[app_name]['user']
+deploy_group = node[app_name]['group']
+deploy_path  = node[app_name]['deploy_path']
+credentials  = Chef::EncryptedDataBagItem.load('credentials', app_name)
+
+ruby_version = node[app_name]['ruby']['version']
+ruby_path    = "/opt/ruby_build/builds/#{ruby_version}"
+bundle_path  = "#{ruby_path}/bin/bundle"
+rack_env     = node.chef_environment == "production" ? "production" : "development"
+
+ruby_build_install 'v20231225'
+ruby_build_definition ruby_version do
+  prefix_path ruby_path
+end
+
+group deploy_group
+
+user deploy_user do
+  group       deploy_group
+  manage_home true
+  shell       "/bin/bash"
+end
+
+directory deploy_path do
+  owner deploy_user
+  group deploy_group
+  mode  '0750'
+end
+
+redis_server_role = node[app_name]['redis_server_role']
+redis_host = search(:node, "role:#{redis_server_role}").first['knife_zero']['host'] rescue nil
+if redis_host.nil?
+  Chef::Log.warn("No node found with '#{redis_server_role}' role. Stopping here.")
+  return
+end
+
+git deploy_path do
+  repository node[app_name]['repo']
+  revision node[app_name]['revision']
+  user  deploy_user
+  group deploy_group
+  notifies :restart, "service[#{app_name}]", :delayed
+end
+
+directory "#{deploy_path}/tmp" do
+  owner deploy_user
+  group deploy_group
+  mode  0750
+end
+
+execute "bundle install" do
+  user deploy_user
+  cwd deploy_path
+  command "#{bundle_path} install --without development,test --deployment"
+end
+
+template "#{deploy_path}/config.yml.erb" do
+  source 'config.yml.erb'
+  owner deploy_user
+  group deploy_group
+  mode '0600'
+  sensitive true
+  variables environment: rack_env,
+            redis_host: redis_host,
+            redis_port: node[app_name]['redis_port'],
+            redis_db: node[app_name]['redis_db'],
+            s3_endpoint: node[app_name]['s3_endpoint'],
+            s3_region: node[app_name]['s3_region'],
+            s3_bucket: node[app_name]['s3_bucket'],
+            s3_access_key: credentials['s3_access_key'],
+            s3_secret_key: credentials['s3_secret_key'],
+            maintenance_mode_enabled: node[app_name]['maintenance_mode_enabled']
+            # TODO sentry_dsn: credentials['sentry_dsn']
+  notifies :restart, "service[#{app_name}]", :delayed
+end
+
+directory '/etc/rainbows' do
+  owner deploy_user
+  group deploy_group
+  mode  '0750'
+end
+
+template "/etc/rainbows/#{app_name}.rb" do
+  source 'rainbows.rb.erb'
+  owner deploy_user
+  group deploy_group
+  mode '0640'
+  variables user: deploy_user,
+            group: deploy_group,
+            app_name: app_name,
+            working_directory: deploy_path,
+            config: node[app_name]['rainbows']
+  notifies :restart, "service[#{app_name}]", :delayed
+end
+
+systemd_unit "#{app_name}.service" do
+  content({
+    Unit: {
+      Description: "Liquor Cabinet remoteStorage HTTP API",
+      Documentation: ["https://gitea.kosmos.org/5apps/liquor-cabinet"],
+      After: "syslog.target network.target"
+    },
+    Service: {
+      Type: "simple",
+      User: deploy_user,
+      WorkingDirectory: deploy_path,
+      Environment: "RACK_ENV=#{rack_env}",
+      ExecStart: "#{bundle_path} exec rainbows -c /etc/rainbows/#{app_name}.rb -E #{rack_env}",
+      PIDFile: "#{deploy_path}/tmp/rainbows.pid",
+      TimeoutSec: "10",
+      Restart: "on-failure",
+    },
+    Install: {
+      WantedBy: "multi-user.target"
+    }
+  })
+  verify false
+  triggers_reload true
+  action [:create, :enable]
+end
+
+service app_name do
+  action [:enable, :start]
+end
+
+if node[app_name]['ufw_source_allowed']
+  firewall_rule app_name do
+    command  :allow
+    protocol :tcp
+    port     node[app_name]['rainbows']['port']
+    source   node[app_name]['ufw_source_allowed']
+  end
+end

site-cookbooks/liquor_cabinet/templates/config.yml.erb

@@ -0,0 +1,12 @@
+<%= @environment %>:
+  maintenance: <%= @maintenance_mode_enabled %>
+  redis:
+    host: <%= @redis_host %>
+    port: <%= @redis_port %>
+    db: <%= @redis_db %>
+  s3:
+    endpoint: <%= @s3_endpoint %>
+    region: <%= @s3_region %>
+    bucket: <%= @s3_bucket %>
+    access_key_id: <%= @s3_access_key %>
+    secret_key_id: <%= @s3_secret_key %>

site-cookbooks/liquor_cabinet/templates/rainbows.rb.erb

@@ -0,0 +1,32 @@
+##
+# Rainbows config at /etc/rainbows/<%= @app_name %>.rb
+# Managed by Chef - Local changes will be overwritten by Chef runs
+##
+
+# What ports/sockets to listen on, and what options for them.
+listen "<%= @config['port'] %>", { tcp_nodelay: true, backlog: 100 }
+
+# What the timeout for killing busy workers is, in seconds
+timeout <%= @config['timeout'] %>
+
+# Whether the app should be pre-loaded
+preload_app <%= @config['preload_app'] %>
+
+# How many worker processes
+worker_processes <%= @config['worker_processes'] %>
+
+# Run forked children as specified user/group
+user "<%= @user %>", "<%= @group %>"
+
+pid "<%= @working_directory %>/tmp/rainbows.pid"
+
+Rainbows! do
+  use :ThreadSpawn
+  client_header_buffer_size <%= @config['client_header_buffer_size'] %>
+  client_max_body_size <%= @config['client_max_body_size'] %>
+  client_max_header_size <%= @config['client_max_header_size'] %>
+  copy_stream <%= @config['copy_stream'] %>
+  keepalive_requests <%= @config['keepalive_requests'] %>
+  keepalive_timeout <%= @config['keepalive_timeout'] %>
+  worker_connections <%= @config['worker_connections'] %>
+end