WIP Migrate Gitea proxy to openresty

TODO: Make nginx_ssh stream resource work with openresty cookbook
Râu Cao 2023-07-26 14:15:46 +02:00
parent 1681942fb1
commit 4b14297f83
Signed by: raucao
GPG Key ID: 15E65F399D084BA9
6 changed files with 32 additions and 58 deletions


@ -41,6 +41,7 @@
"kosmos-akkounts::nginx", "kosmos-akkounts::nginx",
"kosmos_discourse::nginx", "kosmos_discourse::nginx",
"kosmos_drone::nginx", "kosmos_drone::nginx",
"kosmos_gitea::nginx",
"kosmos_rsk::nginx_testnet", "kosmos_rsk::nginx_testnet",
"kosmos_rsk::nginx_mainnet", "kosmos_rsk::nginx_mainnet",
"kosmos_website", "kosmos_website",


@ -102,6 +102,7 @@
"role[base]", "role[base]",
"role[kvm_host]", "role[kvm_host]",
"role[nginx_proxy]", "role[nginx_proxy]",
"kosmos_gitea::nginx_ssh",
"role[zerotier_controller]" "role[zerotier_controller]"
] ]
} }


@ -2,25 +2,13 @@ name 'kosmos_gitea'
maintainer 'Kosmos Developers' maintainer 'Kosmos Developers'
maintainer_email 'ops@kosmos.org' maintainer_email 'ops@kosmos.org'
license 'MIT' license 'MIT'
description 'Installs/Configures kosmos_gitea' description 'Installs/configures Gitea'
long_description 'Installs/Configures kosmos_gitea' long_description 'Installs/configures Gitea'
version '0.1.0' version '0.2.0'
chef_version '>= 14.0' chef_version '>= 14.0'
# The `issues_url` points to the location where issues for this cookbook are
# tracked. A `View Issues` link will be displayed on this cookbook's page when
# uploaded to a Supermarket.
#
# issues_url 'https://github.com/<insert_org_here>/kosmos_gitea/issues'
# The `source_url` points to the development repository for this cookbook. A
# `View Source` link will be displayed on this cookbook's page when uploaded to
# a Supermarket.
#
# source_url 'https://github.com/<insert_org_here>/kosmos_gitea'
depends "firewall" depends "firewall"
depends "kosmos-nginx" depends "kosmos_openresty"
depends "kosmos_postgresql" depends "kosmos_postgresql"
depends "backup" depends "backup"
depends "kosmos-dirsrv" depends "kosmos-dirsrv"


@ -3,14 +3,8 @@
# Recipe:: nginx # Recipe:: nginx
# #
include_recipe "kosmos-nginx"
domain = node["gitea"]["domain"] domain = node["gitea"]["domain"]
# upstream_ip_addresses = []
# search(:node, "role:gitea").each do |n|
# upstream_ip_addresses << n["knife_zero"]["host"]
# end
begin begin
upstream_ip_address = search(:node, "role:gitea").first["knife_zero"]["host"] upstream_ip_address = search(:node, "role:gitea").first["knife_zero"]["host"]
rescue rescue
@ -18,35 +12,16 @@ rescue
return return
end end
nginx_certbot_site domain tls_cert_for domain do
auth "gandi_dns"
action :create
end
template "#{node['nginx']['dir']}/sites-available/#{domain}" do openresty_site domain do
source "nginx_conf_web.erb" template "nginx_conf_web.erb"
owner 'www-data'
mode 0640
variables server_name: domain, variables server_name: domain,
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
upstream_host: upstream_ip_address, upstream_host: upstream_ip_address,
upstream_port: node["gitea"]["port"] upstream_port: node["gitea"]["port"]
notifies :reload, 'service[nginx]', :delayed
end
nginx_site domain do
action :enable
end
template "#{node['nginx']['dir']}/streams-available/ssh" do
source "nginx_conf_ssh.erb"
owner 'www-data'
mode 0640
variables domain: domain,
upstream_host: upstream_ip_address
notifies :reload, 'service[nginx]', :delayed
end
nginx_stream "ssh" do
action :enable
end end
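Review bot: `openresty_site` is still handed the hard-coded `/etc/letsencrypt/live/#{domain}/fullchain.pem` and `privkey.pem` paths, while the HTTP-only fallback the old template used when those files were missing is gone, so the vhost now loads only if `tls_cert_for` (its definition is not visible here) issues into exactly that directory before the site file is written. If the openresty cookbook exposes the issued paths, derive `ssl_cert`/`ssl_key` from it; otherwise document the coupling above the resource, e.g. `# Paths must match where tls_cert_for (kosmos_openresty) stores the certificate`. The removed template also notified `service[nginx]` on change; I assume `openresty_site` reloads the server itself, but that is worth confirming in the cookbook. The `begin`/`rescue` guarding the `search` call starts in the first hunk and its `rescue` body is cut by the second hunk header.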


@ -0,0 +1,18 @@
#
# Cookbook:: kosmos_gitea
# Recipe:: nginx_ssh
#
template "#{node['nginx']['dir']}/streams-available/ssh" do
source "nginx_conf_ssh.erb"
owner 'www-data'
mode 0640
variables domain: domain,
upstream_host: upstream_ip_address
notifies :reload, 'service[nginx]', :delayed
end
nginx_stream "ssh" do
action :enable
end
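Review bot: `domain` and `upstream_ip_address` on the `variables` line are not defined anywhere in this recipe; they were locals of `recipes/nginx.rb`, and Chef evaluates each recipe in its own scope, so a run list that includes only `kosmos_gitea::nginx_ssh` (as the kvm_host role list in this commit does) fails at compile time with `NameError`. The recipe needs its own `domain = node["gitea"]["domain"]` and the same guarded `search(:node, "role:gitea")` lookup that the web recipe performs, returning early when no gitea node is found. `node['nginx']['dir']` and the `nginx_stream` resource come from the kosmos-nginx cookbook that metadata.rb drops in this commit; the TODO in the description covers the resource, but the attribute will also be unset until the openresty equivalent is wired in.
```ruby
# Recipe:: nginx_ssh

domain = node["gitea"]["domain"]

# Same lookup as recipes/nginx.rb; recipes do not share locals, so it has
# to be repeated here. Skip the stream config when no gitea node exists.
begin
  upstream_ip_address = search(:node, "role:gitea").first["knife_zero"]["host"]
rescue
  return
end

# … unchanged: template and nginx_stream resources …
```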


@ -4,23 +4,14 @@ upstream _gitea_web {
} }
server { server {
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name <%= @server_name %>; server_name <%= @server_name %>;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate <%= @ssl_cert %>; ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>; ssl_certificate_key <%= @ssl_key %>;
add_header Strict-Transport-Security "max-age=31536000"; add_header Strict-Transport-Security "max-age=31536000";
<% else -%>
listen 80;
server_name <%= @server_name %>;
location /.well-known {
root "/var/www/<%= @server_name %>";
}
<% end -%>
client_max_body_size 20M; client_max_body_size 20M;