Merge branch 'master' into feature/ubuntu-16.04

This commit is contained in:
Greg Karékinian
2017-06-09 16:36:19 +02:00
873 changed files with 38209 additions and 15880 deletions


@@ -1,11 +1,4 @@
# 5apps-hubot CHANGELOG
This file is used to list changes made in each version of the 5apps-hubot cookbook.
## 0.1.0
- [your_name] - Initial release of 5apps-hubot
- - -
Check the [Markdown Syntax Guide](http://daringfireball.net/projects/markdown/syntax) for help with Markdown.
The [Github Flavored Markdown page](http://github.github.com/github-flavored-markdown/) describes the differences between markdown on github and standard markdown.
- [Greg Karékinian] - Initial release of 5apps-hubot


@@ -7,5 +7,6 @@ long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '0.1.0'
depends 'kosmos-nodejs'
depends 'application'
depends 'application_nodejs'
depends 'application_javascript'
depends 'application_git'
depends 'firewall'


@@ -7,59 +7,99 @@
# All rights reserved - Do Not Redistribute
#
firewall_rule 'hubot_express_botka_xmpp' do
port 8082
protocol :tcp
command :allow
unless node.chef_environment == "development"
include_recipe "firewall"
firewall_rule 'hubot_express_botka_xmpp' do
port 8082
protocol :tcp
command :allow
end
end
group "hubot" do
gid 48268
end
user "hubot" do
system true
manage_home true
comment "hubot user"
uid 48268
gid 48268
shell "/bin/bash"
end
botka_xmpp_data_bag_item = Chef::EncryptedDataBagItem.load('credentials', '5apps_botka_xmpp')
application "botka_xmpp" do
path "/srv/botka_xmpp"
botka_xmpp_path = "/opt/botka_xmpp"
application botka_xmpp_path do
owner "hubot"
group "hubot"
action :deploy
before_restart do
file "#{new_resource.release_path}/external-scripts.json" do
mode "0640"
owner "hubot"
group "hubot"
content [
"hubot-help",
"hubot-remotestorage-logger"
].to_json
end
file "#{new_resource.release_path}/external-scripts.json" do
mode "0640"
owner "hubot"
group "hubot"
content [].to_json
end
git do
user "hubot"
group "hubot"
repository "https://github.com/67P/botka.git"
revision "master"
end
repository "https://github.com/67P/botka.git"
revision "master"
file "external-scripts.json" do
mode "0640"
owner "hubot"
group "hubot"
content [
"hubot-help",
"hubot-remotestorage-logger",
].to_json
end
nodejs do
entry_point "/srv/botka_xmpp/current/bin/hubot -a xmpp --name botka"
# Use our own systemd service that depends on redis-server
template "nodejs.systemd.service.erb"
environment "HUBOT_XMPP_USERNAME" => "botka@5apps.com/hubot",
"HUBOT_XMPP_PASSWORD" => botka_xmpp_data_bag_item['password'],
"HUBOT_XMPP_ROOMS" => "5info@muc.5apps.com,5ops@muc.5apps.com,core@muc.5apps.com,deploy@muc.5apps.com,storage@muc.5apps.com,watercooler@muc.5apps.com,hilti@muc.5apps.com,gymapp@muc.5apps.com",
"HUBOT_XMPP_HOST" => "xmpp.5apps.com",
"HUBOT_RSS_PRINTSUMMARY" => "false",
"EXPRESS_PORT" => "8082",
"HUBOT_RSS_HEADER" => "Update:",
"HUBOT_AUTH_ADMIN" => "basti,garret,greg",
"REDIS_URL" => "redis://localhost:6379/5apps_botka_xmpp",
"RS_LOGGER_USER" => "5apps@5apps.com",
"RS_LOGGER_TOKEN" => botka_xmpp_data_bag_item['rs_logger_token'],
"RS_LOGGER_SERVER_NAME" => "5apps",
"WEBHOOK_TOKEN" => botka_xmpp_data_bag_item['webhook_token']
file "external-scripts.json" do
mode "0640"
owner "hubot"
group "hubot"
content [].to_json
end
npm_install do
user "hubot"
end
execute "systemctl daemon-reload" do
command "systemctl daemon-reload"
action :nothing
end
template "/lib/systemd/system/botka_xmpp_nodejs.service" do
source 'nodejs.systemd.service.erb'
owner 'root'
group 'root'
mode '0644'
variables(
user: "hubot",
group: "hubot",
app_dir: botka_xmpp_path,
entry: "#{botka_xmpp_path}/bin/hubot -a xmpp --name botka",
environment: { "HUBOT_XMPP_USERNAME" => "botka@5apps.com/hubot",
"HUBOT_XMPP_PASSWORD" => botka_xmpp_data_bag_item['password'],
"HUBOT_XMPP_ROOMS" => "5info@muc.5apps.com,5ops@muc.5apps.com,core@muc.5apps.com,deploy@muc.5apps.com,storage@muc.5apps.com,watercooler@muc.5apps.com,hilti@muc.5apps.com,gymapp@muc.5apps.com",
"HUBOT_XMPP_HOST" => "xmpp.5apps.com",
"HUBOT_RSS_PRINTSUMMARY" => "false",
"EXPRESS_PORT" => "8082",
"HUBOT_RSS_HEADER" => "Update:",
"HUBOT_AUTH_ADMIN" => "basti,garret,greg",
"REDIS_URL" => "redis://localhost:6379/5apps_botka_xmpp",
"RS_LOGGER_USER" => "5apps@5apps.com",
"RS_LOGGER_TOKEN" => botka_xmpp_data_bag_item['rs_logger_token'],
"RS_LOGGER_SERVER_NAME" => "5apps",
"WEBHOOK_TOKEN" => botka_xmpp_data_bag_item['webhook_token'] }
)
notifies :run, "execute[systemctl daemon-reload]", :delayed
notifies :restart, "service[botka_xmpp_nodejs]", :delayed
end
service "botka_xmpp_nodejs" do
action [:enable, :start]
end
end
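Review bot: The `file "external-scripts.json"` resource nested in the `application botka_xmpp_path do` block names the file with a bare relative path, while the hal8000 and botka_freenode recipes in this same merge write `file "#{name}/external-scripts.json"`; unless the application resource expands relative names against its path (which I cannot confirm from this page), the file is created relative to chef-client's working directory rather than under /opt/botka_xmpp, and hubot will not load the scripts listed in it. Using `file "#{name}/external-scripts.json"` here keeps the three recipes consistent. The schlupp_xmpp recipe's `file "external-scripts.json"` block has the same issue. Separately, 8082 is repeated literally in both the firewall rule and `"EXPRESS_PORT" => "8082"`, whereas the schlupp recipe hoisted it into `express_port`; doing the same here keeps the firewall rule and the app port from drifting apart.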


@@ -7,62 +7,141 @@
# All rights reserved - Do Not Redistribute
#
firewall_rule 'hubot_express_schlupp_xmpp' do
port 8083
protocol :tcp
command :allow
express_port = 8083
unless node.chef_environment == "development"
include_recipe "firewall"
firewall_rule 'hubot_express_schlupp_xmpp' do
port express_port
protocol :tcp
command :allow
end
end
group "hubot" do
gid 48268
end
user "hubot" do
system true
manage_home true
comment "hubot user"
uid 48268
gid 48268
shell "/bin/bash"
end
schlupp_xmpp_data_bag_item = Chef::EncryptedDataBagItem.load('credentials', '5apps_schlupp_xmpp')
application "schlupp_xmpp" do
path "/srv/schlupp_xmpp"
schlupp_xmpp_path = "/opt/schlupp_xmpp"
application schlupp_xmpp_path do
owner "hubot"
group "hubot"
action :deploy
before_restart do
# No hubot-remotestorage-logger, botka takes care of that
file "#{new_resource.release_path}/external-scripts.json" do
mode "0640"
owner "hubot"
group "hubot"
content [
"hubot-auth",
"hubot-help",
"hubot-redis-brain",
"hubot-rules",
"hubot-shipit",
"hubot-plusplus",
"hubot-tell",
"hubot-seen",
"hubot-rss-reader",
"hubot-incoming-webhook",
"hubot-yubikey-invalidation"
].to_json
end
git do
user "hubot"
group "hubot"
repository "git@gitlab.com:5apps/schlupp.git"
revision "master"
deploy_key schlupp_xmpp_data_bag_item['deploy_key']
end
repository "git@gitlab.com:5apps/schlupp.git"
revision "master"
deploy_key schlupp_xmpp_data_bag_item['deploy_key']
file "external-scripts.json" do
mode "0640"
owner "hubot"
group "hubot"
content [
"hubot-auth",
"hubot-help",
"hubot-redis-brain",
"hubot-rules",
"hubot-shipit",
"hubot-plusplus",
"hubot-tell",
"hubot-seen",
"hubot-rss-reader",
"hubot-incoming-webhook",
"hubot-yubikey-invalidation",
].to_json
end
nodejs do
entry_point "/srv/schlupp_xmpp/current/bin/hubot -a xmpp --name schlupp"
# Use our own systemd service that depends on redis-server
template "nodejs.systemd.service.erb"
environment "HUBOT_XMPP_USERNAME" => "schlupp@5apps.com/hubot",
"HUBOT_XMPP_PASSWORD" => schlupp_xmpp_data_bag_item['password'],
"HUBOT_XMPP_ROOMS" => "5info@muc.5apps.com,5ops@muc.5apps.com,core@muc.5apps.com,deploy@muc.5apps.com,storage@muc.5apps.com,watercooler@muc.5apps.com,hilti@muc.5apps.com,test@muc.5apps.com,gymapp@muc.5apps.com",
"HUBOT_XMPP_HOST" => "xmpp.5apps.com",
"HUBOT_RSS_PRINTSUMMARY" => "false",
"EXPRESS_PORT" => "8083",
"HUBOT_RSS_HEADER" => "Update:",
"HUBOT_AUTH_ADMIN" => "basti,garret,greg",
"REDIS_URL" => "redis://localhost:6379/5apps_schlupp_xmpp",
"RS_OPS_TOKEN" => schlupp_xmpp_data_bag_item['rs_ops_token'],
"WEBHOOK_TOKEN" => schlupp_xmpp_data_bag_item['webhook_token'],
"AIRTABLE_API_KEY" => schlupp_xmpp_data_bag_item['airtable_api_key']
npm_install do
user "hubot"
end
execute "systemctl daemon-reload" do
command "systemctl daemon-reload"
action :nothing
end
template "/lib/systemd/system/schlupp_xmpp_nodejs.service" do
source 'nodejs.systemd.service.erb'
owner 'root'
group 'root'
mode '0644'
variables(
user: "hubot",
group: "hubot",
app_dir: schlupp_xmpp_path,
entry: "#{schlupp_xmpp_path}/bin/hubot -a xmpp --name schlupp",
environment: { "HUBOT_XMPP_USERNAME" => "schlupp@5apps.com/hubot",
"HUBOT_XMPP_PASSWORD" => schlupp_xmpp_data_bag_item['password'],
"HUBOT_XMPP_ROOMS" => "5info@muc.5apps.com,5ops@muc.5apps.com,core@muc.5apps.com,deploy@muc.5apps.com,storage@muc.5apps.com,watercooler@muc.5apps.com,hilti@muc.5apps.com,test@muc.5apps.com,gymapp@muc.5apps.com",
"HUBOT_XMPP_HOST" => "xmpp.5apps.com",
"HUBOT_RSS_PRINTSUMMARY" => "false",
"EXPRESS_PORT" => express_port,
"HUBOT_RSS_HEADER" => "Update:",
"HUBOT_AUTH_ADMIN" => "basti,garret,greg",
"REDIS_URL" => "redis://localhost:6379/5apps_schlupp_xmpp",
"RS_OPS_TOKEN" => schlupp_xmpp_data_bag_item['rs_ops_token'],
"WEBHOOK_TOKEN" => schlupp_xmpp_data_bag_item['webhook_token'],
"AIRTABLE_API_KEY" => schlupp_xmpp_data_bag_item['airtable_api_key'],
"GITHUB_TOKEN" => schlupp_xmpp_data_bag_item['github_token'] }
)
notifies :run, "execute[systemctl daemon-reload]", :delayed
notifies :restart, "service[schlupp_xmpp_nodejs]", :delayed
end
service "schlupp_xmpp_nodejs" do
action [:enable, :start]
end
end
# nginx reverse proxy
unless node.chef_environment == "development"
include_recipe "kosmos-base::letsencrypt"
end
include_recipe 'kosmos-nginx'
directory "/var/www/hubot.5apps.com/.well-known/acme-challenge" do
owner node["nginx"]["user"]
group node["nginx"]["group"]
recursive true
action :create
end
template "#{node['nginx']['dir']}/sites-available/hubot.5apps.com" do
source 'nginx_conf_hubot.5apps.com.erb'
owner node["nginx"]["user"]
mode 0640
variables express_port: express_port,
server_name: 'hubot.5apps.com',
ssl_cert: "/etc/letsencrypt/live/hubot.5apps.com/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/hubot.5apps.com/privkey.pem"
notifies :reload, 'service[nginx]', :delayed
end
nginx_site 'hubot.5apps.com' do
enable true
end
unless node.chef_environment == "development"
execute "letsencrypt cert for hubot.5apps.com" do
command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/hubot.5apps.com -d hubot.5apps.com -n"
cwd "/usr/local/certbot"
not_if { File.exist? "/etc/letsencrypt/live/hubot.5apps.com/fullchain.pem" }
notifies :create, "template[#{node['nginx']['dir']}/sites-available/hubot.5apps.com]", :immediately
end
end


@@ -0,0 +1,41 @@
# Generated by Chef
upstream _express_schlupp {
server localhost:<%= @express_port %>;
}
server {
listen 80; # For Let's Encrypt
server_name <%= @server_name %>;
location /.well-known {
root "/var/www/hubot.5apps.com";
}
location / {
return 301 https://$host$request_uri;
}
}
server {
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
listen 443 ssl http2;
add_header Strict-Transport-Security "max-age=15768000";
<% end -%>
server_name <%= @server_name %>;
access_log <%= node[:nginx][:log_dir] %>/hubot.5apps.com.access.log json;
error_log <%= node[:nginx][:log_dir] %>/hubot.5apps.com.error.log warn;
location / {
# Increase number of buffers. Default is 8
proxy_buffers 1024 8k;
proxy_pass http://_express_schlupp;
proxy_http_version 1.1;
}
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
<% end -%>
}
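Review bot: The `proxy_pass http://_express_schlupp;` location forwards no client headers, so the Express app behind it sees every request as coming from localhost over plain HTTP; add `proxy_set_header Host $host;`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` next to `proxy_http_version 1.1;`. Without X-Forwarded-For, any logging, rate limiting or webhook source checks inside hubot key on 127.0.0.1 rather than the real client. The `access_log ... json` line assumes a `json` log_format is defined elsewhere in the nginx config, which is not visible on this page.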


@@ -1,6 +1,4 @@
# 5apps-xmpp_server CHANGELOG
This file is used to list changes made in each version of the 5apps-xmpp_server cookbook.
## 0.1.0
- [Greg Karékinian] - Initial release of 5apps-xmpp_server


@@ -7,10 +7,13 @@
# All rights reserved - Do Not Redistribute
#
firewall_rule "xmpp" do
port [5222, 5269]
protocol :tcp
command :allow
unless node.chef_environment == "development"
include_recipe "firewall"
firewall_rule "xmpp" do
port [5222, 5269]
protocol :tcp
command :allow
end
end
apt_repository "prosody" do


@@ -29,7 +29,7 @@ execute "letsencrypt cert for xmpp.5apps.com" do
cwd "/usr/local/certbot"
only_if do
File.exist?("#{node['nginx']['dir']}/sites-enabled/xmpp.5apps.com") &&
! File.exist?("/etc/letsencrypt/live/xmpp.5apps.com/fullchain.pem")
!File.exist?("/etc/letsencrypt/live/xmpp.5apps.com/fullchain.pem")
end
notifies :create, "template[#{node['nginx']['dir']}/sites-available/xmpp.5apps.com]", :delayed
notifies :run, "execute[copy the tls cert to prosody folder]", :delayed


@@ -1,7 +1,7 @@
server {
listen 80; # For Let's Encrypt
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
listen 443 ssl spdy;
listen 443 ssl http2;
<% end -%>
server_name <%= @server_name %>;


@@ -7,3 +7,4 @@ version "0.5.0"
name "backup"
depends 'logrotate'
depends 'mysql'


@@ -28,12 +28,12 @@ gem_package 'backup' do
end
backup_data = Chef::EncryptedDataBagItem.load('credentials', 'backup')
backup_dir = node["backup"]["dir"]
directory backup_dir
directory "#{backup_dir}/models"
directory "#{backup_dir}/log"
directory node["backup"]["dir"]
directory "#{node["backup"]["dir"]}/models"
directory "#{node["backup"]["dir"]}/log"
template "#{node["backup"]["dir"]}/config.rb" do
template "#{backup_dir}/config.rb" do
source "config.rb.erb"
mode 0640
sensitive true
@@ -46,7 +46,7 @@ template "#{node["backup"]["dir"]}/config.rb" do
end
if node["backup"]["default_model"]
template "#{node["backup"]["dir"]}/models/default.rb" do
template "#{backup_dir}/models/default.rb" do
source "backup.rb.erb"
mode 0640
end
@@ -54,10 +54,16 @@ if node["backup"]["default_model"]
cron "default backup model" do
hour node['backup']['cron']['hour']
minute node['backup']['cron']['minute']
command "/usr/bin/env HOME=/home/user PATH=/usr/local/bin:/usr/local/ruby/bin:/usr/bin:/bin:$PATH /bin/sh -l -c 'backup perform -t default --root-path #{node["backup"]["dir"]} >> /var/log/backup.log 2>&1'"
command "/usr/bin/env HOME=/home/user PATH=/usr/local/bin:/usr/local/ruby/bin:/usr/bin:/bin:$PATH /bin/sh -l -c 'backup perform -t default --root-path #{backup_dir} >> /var/log/backup.log 2>&1'"
end
include_recipe 'logrotate'
unless node["backup"]["mysql"]["databases"].empty?
# Install MySQL client (includes mysqldump)
mysql_client 'default' do
action :create
end
end
logrotate_app 'backup' do
path '/var/log/backup.log'
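Review bot: `unless node["backup"]["mysql"]["databases"].empty?` raises `NoMethodError` (undefined method `[]` for nil) on any node where `node["backup"]["mysql"]` is not set, yet the config.rb.erb template in this same merge guards its MySQL block with `if node["backup"]["mysql"]`, so recipe and template disagree on whether the attribute is optional. Unless the cookbook's attributes file defaults `['backup']['mysql']['databases']` to an empty array (not visible here), guard the recipe the same way: `unless node["backup"]["mysql"] && !node["backup"]["mysql"]["databases"].empty?`. The enclosing `if node["backup"]["default_model"]` block starts outside this hunk, so I cannot tell whether the `mysql_client` resource is meant to be inside it.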


@@ -16,6 +16,10 @@ KosmosBackup.new(:default, 'default backup') do
<%- end -%>
<%- end -%>
<%- if node["backup"]["postgresql"] -%>
database PostgreSQL
<%- end -%>
<%- if node["mongodb"] -%>
<%- node["backup"]["mongodb"]["databases"].each do |db_name| -%>
database MongoDB, :"<%= db_name.to_sym %>" do |db|


@@ -45,6 +45,15 @@ Database::MySQL.defaults do |db|
end
<%- end -%>
<%- if node["backup"]["mysql"] -%>
Database::MySQL.defaults do |db|
db.host = "<%= node["backup"]["mysql"]["host"] %>"
db.username = "<%= node["backup"]["mysql"]["username"] %>"
db.password = "<%= node["backup"]["mysql"]["password"] %>"
db.additional_options = ['--quick', '--single-transaction']
end
<%- end -%>
Database::Redis.defaults do |db|
db.host = "<%= node["backup"]["redis"]["host"] %>"
db.port = 6379
@@ -53,6 +62,20 @@ Database::Redis.defaults do |db|
<%# db.socket = "/tmp/redis.sock"%>
end
<%- if node["backup"]["postgresql"] -%>
Database::PostgreSQL.defaults do |db|
db.username = "<%= node["backup"]["postgresql"]["username"] %>"
db.password = "<%= node["backup"]["postgresql"]["password"] %>"
db.host = "<%= node["backup"]["postgresql"]["host"] %>"
db.port = 5432
# db.socket = "/var/run/postgresql/.s.PGSQL.5432"
# When dumping all databases, `skip_tables` and `only_tables` are ignored.
db.skip_tables = []
db.only_tables = []
db.additional_options = []
end
<% end -%>
preconfigure 'KosmosBackup' do
split_into_chunks_of 250 # megabytes
store_with S3


@@ -1,6 +1,4 @@
# ipfs CHANGELOG
This file is used to list changes made in each version of the ipfs cookbook.
## 0.1.0
- [gregkare] - Initial release of ipfs


@@ -17,5 +17,5 @@ node.default['ipfs']['config']['swarm']['addr_filter'] = [
"/ip4/198.18.0.0/ipcidr/15",
"/ip4/198.51.100.0/ipcidr/24",
"/ip4/203.0.113.0/ipcidr/24",
"/ip4/240.0.0.0/ipcidr/4"
"/ip4/240.0.0.0/ipcidr/4",
]


@@ -6,6 +6,6 @@ description 'Installs/Configures ipfs'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '0.1.0'
supports ['ubuntu', 'debian']
supports %w(ubuntu debian)
depends 'ark'


@@ -34,7 +34,7 @@ execute "ipfs init --empty-repo" do
end
if platform?('ubuntu') && node[:platform_version].to_f < 15.04 ||
platform?('debian') && node['platform_version'].to_f < 8
platform?('debian') && node['platform_version'].to_f < 8
template "ipfs.initd.service.erb" do
path "/etc/init.d/ipfs"
source 'ipfs.initd.service.erb'


@@ -15,8 +15,9 @@ action :create do
not_if do
require 'json'
require 'mixlib/shellout'
cmd = Mixlib::ShellOut.new("ipfs", "config", key, user: 'ipfs',
env: {"IPFS_PATH" => "/home/ipfs/.ipfs"})
cmd = Mixlib::ShellOut.new("ipfs", "config", key,
user: 'ipfs',
env: { "IPFS_PATH" => "/home/ipfs/.ipfs" })
cmd.run_command
begin
JSON.parse(cmd.stdout) == value


@@ -4,7 +4,6 @@ require 'serverspec'
set :backend, :exec
describe "IPFS" do
# It is in the PATH
describe command("which ipfs") do
its(:exit_status) { should eq 0 }
@@ -22,5 +21,4 @@ describe "IPFS" do
expect(service("ipfs")).to be_running
expect(service("ipfs")).to be_enabled
end
end


@@ -6,11 +6,11 @@ description 'The Kosmos base cookbook'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '0.1.1'
depends 'unattended-upgrades'
depends 'apt'
depends 'users'
depends 'sudo'
depends 'kosmos-postfix'
depends 'hostname'
depends 'ufw'
depends 'omnibus_updater'
depends 'firewall'
depends 'chef_client_updater'
depends 'timezone-ii'


@@ -7,19 +7,16 @@
# All rights reserved - Do Not Redistribute
#
include_recipe 'apt'
include_recipe 'timezone-ii'
node.override['omnibus_updater']['version'] = '12.19.36'
node.override['omnibus_updater']['kill_chef_on_upgrade'] = false
include_recipe 'omnibus_updater'
# Update chef to the chosen version
chef_version = '12.19.36'
chef_client_updater "Install #{chef_version}" do
version chef_version
end
package 'mailutils'
node.override['unattended-upgrades']['admin_email'] = 'ops@5apps.com'
include_recipe 'unattended-upgrades'
package 'ruby2.1'
package 'ruby2.1-dev'
package 'mosh'
# Searches data bag "users" for groups attribute "sysadmin".
@@ -29,6 +26,14 @@ users_manage 'sysadmin' do
action [:remove, :create]
end
node.override['authorization']['sudo']['sudoers_defaults'] = [
# not default on Ubuntu, explicitely enable. Uses a minimal white list of
# environment variables
'env_reset',
# Send emails on unauthorized attempts
'mail_badpass',
'secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"',
]
node.override['authorization']['sudo']['passwordless'] = true
include_recipe 'sudo'
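Review bot: `node.override['authorization']['sudo']['passwordless'] = true` makes the `mail_badpass` entry in `sudoers_defaults` largely inert for the sysadmin group, since sudo only mails on a wrong password when one is asked for; if the goal is to be notified of privilege-escalation problems, `mail_no_user` and `mail_no_perms` fire for users not in sudoers, and `log_input`/`log_output` or syslog is what records successful passwordless use. Passwordless sudo for every member of the `sysadmin` data-bag group is a policy decision, so a one-line comment stating that it is intentional would help the next reader. Minor: the comment reads `explicitely`; it should be `explicitly`.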


@@ -21,3 +21,21 @@ firewall_rule 'mosh' do
protocol :udp
command :allow
end
firewall_rule 'hubot_express_hal8000' do
port 8080
protocol :tcp
command :allow
end
firewall_rule 'hubot_express_botka_xmpp' do
port 8082
protocol :tcp
command :allow
end
firewall_rule 'hubot_express_schlupp_xmpp' do
port 8083
protocol :tcp
command :allow
end
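Review bot: The three `hubot_express_*` rules added after `firewall_rule 'mosh'` open TCP 8080, 8082 and 8083 on every node that runs this recipe, while the same rule names are declared inside the hubot recipes (`hubot_express_hal8000` in kosmos-hubot, `hubot_express_botka_xmpp` and `hubot_express_schlupp_xmpp` in 5apps-hubot) behind the `unless node.chef_environment == "development"` guard. If this file is the base firewall recipe applied to all hosts — inferred from the `mosh` rule, not from anything else visible — these ports become reachable on machines that never run hubot, and the duplicate resource names will at least produce resource-cloning warnings on Chef 12. Keeping the rules only in the cookbooks that deploy the services and dropping them here follows least exposure.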


@@ -10,7 +10,7 @@
git "/usr/local/certbot" do
repository "https://github.com/certbot/certbot"
action :sync
revision "v0.12.0"
revision "v0.13.0"
user "root"
group "root"
end


@@ -0,0 +1,7 @@
node.default['hal8000']['kredits']['provider_url'] = 'https://parity.kosmos.org:8545'
node.default['hal8000']['kredits']['room'] = '#kosmos'
node.default['hal8000']['kredits']['wallet_path'] = 'wallet.json'
node.default['hal8000']['kredits']['contract_address'] = '0x7dfab325c6ec203597c419b4b3172c6b219b9315'
node.default['hal8000']['kredits']['ipfs_host'] = 'ipfs.kosmos.org'
node.default['hal8000']['kredits']['ipfs_port'] = '5444'
node.default['hal8000']['kredits']['ipfs_protocol'] = 'https'


@@ -0,0 +1 @@
{"version":3,"id":"7096b0d1-9426-4130-8f38-c7dfa2a225a3","address":"c80d2513277fa04b10403e2d1d7daa86f931f4d1","crypto":{"ciphertext":"b3e50e533ebbe3ac05b52d8689e87df86a651138fe65f55a1fa9ec08f479a0d0","cipherparams":{"iv":"9b514daf0f202b111bee9ad131e433df"},"cipher":"aes-128-ctr","kdf":"scrypt","kdfparams":{"dklen":32,"salt":"10490a40bf9b1d8efc146bf2c974e4a7fb750a24a7e08a9fc599024e5a7aaabc","n":262144,"r":8,"p":1},"mac":"b3f584afe25b973a8f1eceb344201cec6de24dc14d99ea37576ce7f9f9e936ce"}}
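Review bot: This adds an Ethereum keystore (`"kdf":"scrypt"`, `"cipher":"aes-128-ctr"`) to the cookbook's files directory, so the encrypted private key for the address in this file travels with the cookbook source and every cookbook upload, and its only protection is the password held in the `hal8000_freenode` encrypted data bag; anyone with read access to the repository or to the Chef server's cookbook files gets an offline target for guessing that password. Storing the keystore JSON in the same encrypted data bag as `kredits_wallet_password` and writing it out with a `file` resource marked `sensitive true` keeps both halves of the secret under the same access control. The `cookbook_file "#{name}/wallet.json"` resource in the kosmos-hubot default recipe that deploys this file also sets no owner, group or mode.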


@@ -7,5 +7,6 @@ long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '0.1.0'
depends 'kosmos-nodejs'
depends 'application'
depends 'application_nodejs'
depends 'kosmos-redis'
depends 'firewall'
depends 'application_javascript'


@@ -2,15 +2,18 @@
# Cookbook Name:: kosmos-hubot
# Recipe:: default
#
# Copyright 2015, Kosmos
# Copyright 2017, Kosmos
#
# All rights reserved - Do Not Redistribute
#
firewall_rule 'hubot_express_hal8000' do
port 8080
protocol :tcp
command :allow
unless node.chef_environment == "development"
include_recipe 'firewall'
firewall_rule 'hubot_express_hal8000' do
port 8080
protocol :tcp
command :allow
end
end
include_recipe "kosmos-nodejs"
@@ -25,113 +28,163 @@ user "hubot" do
uid 48268
gid 48268
shell "/bin/bash"
home "/srv/hal8000"
end
hal8000_freenode_data_bag_item = Chef::EncryptedDataBagItem.load('credentials', 'hal8000_freenode')
application "hal8000" do
path "/srv/hal8000"
hal8000_path = "/opt/hal8000"
application hal8000_path do
owner "hubot"
group "hubot"
action :deploy
before_restart do
file "#{new_resource.release_path}/external-scripts.json" do
mode "0640"
owner "hubot"
group "hubot"
content [
"hubot-help",
"hubot-read-tweet",
"hubot-redis-brain",
"hubot-rules",
"hubot-shipit",
"hubot-plusplus",
"hubot-tell",
"hubot-seen",
"hubot-rss-reader",
"hubot-incoming-webhook",
"hubot-auth"
].to_json
end
git do
user "hubot"
group "hubot"
repository "https://github.com/67P/hal8000.git"
revision "master"
end
repository "https://github.com/67P/hal8000.git"
revision "master"
file "#{name}/external-scripts.json" do
mode "0640"
owner "hubot"
group "hubot"
content [
"hubot-help",
"hubot-read-tweet",
"hubot-redis-brain",
"hubot-rules",
"hubot-shipit",
"hubot-plusplus",
"hubot-tell",
"hubot-seen",
"hubot-rss-reader",
"hubot-incoming-webhook",
"hubot-auth",
"hubot-kredits",
].to_json
end
nodejs do
entry_point "/srv/hal8000/current/bin/hubot -a irc"
# Use our own systemd service that depends on redis-server
template "nodejs.systemd.service.erb"
environment "HUBOT_IRC_SERVER" => "irc.freenode.net",
"HUBOT_IRC_ROOMS" => "#5apps,#kosmos,#kosmos-dev,#remotestorage,#hackerbeach,#unhosted,#sockethub",
"HUBOT_IRC_NICK" => "hal8000",
"HUBOT_IRC_NICKSERV_USERNAME" => "hal8000",
"HUBOT_IRC_NICKSERV_PASSWORD" => hal8000_freenode_data_bag_item['nickserv_password'],
"HUBOT_IRC_UNFLOOD" => "100",
"HUBOT_RSS_PRINTSUMMARY" => "false",
"HUBOT_RSS_IRCCOLORS" => "true",
# "HUBOT_LOG_LEVEL" => "error",
"EXPRESS_PORT" => "8080",
"HUBOT_RSS_HEADER" => "Update:",
"HUBOT_AUTH_ADMIN" => "bkero,derbumi,galfert,gregkare,jaaan,slvrbckt,raucao",
"OA_ASSET_FROM_ADDRESS" => "akRWZJMETdM2U5UGKadKhv1PAj2npoGja1m",
"OA_DEFAULT_QUANTITY" => "100",
"OA_ASSET_ID" => "AbDn6L2AUGnDreUuNkGFEqcxnsoUP4HCjm",
"OA_SERVER_URL" => "http://localhost:4562",
"OA_SERVER_USERNAME" => "kosmos",
"OA_SERVER_PASSWORD" => "asEjdak1yqw",
"OA_MAX_QUANTITY" => "5000",
"OA_BOT_KEYWORD" => "kredits",
"OA_PLUSPLUS_ROOMS" => "#kosmos",
"WEBHOOK_TOKEN" => hal8000_freenode_data_bag_item['webhook_token']
npm_install do
user "hubot"
end
execute "systemctl daemon-reload" do
command "systemctl daemon-reload"
action :nothing
end
template "/lib/systemd/system/hal8000_nodejs.service" do
source 'nodejs.systemd.service.erb'
owner 'root'
group 'root'
mode '0644'
variables(
user: "hubot",
group: "hubot",
app_dir: hal8000_path,
entry: "#{hal8000_path}/bin/hubot -a irc",
environment: {
# "HUBOT_LOG_LEVEL" => "error",
"HUBOT_IRC_SERVER" => "irc.freenode.net",
"HUBOT_IRC_ROOMS" => "#5apps,#kosmos,#kosmos-dev,#remotestorage,#hackerbeach,#unhosted,#sockethub",
"HUBOT_IRC_NICK" => "hal8000",
"HUBOT_IRC_NICKSERV_USERNAME" => "hal8000",
"HUBOT_IRC_NICKSERV_PASSWORD" => hal8000_freenode_data_bag_item['nickserv_password'],
"HUBOT_IRC_UNFLOOD" => "100",
"HUBOT_RSS_PRINTSUMMARY" => "false",
"HUBOT_RSS_IRCCOLORS" => "true",
"EXPRESS_PORT" => "8080",
"HUBOT_RSS_HEADER" => "Update:",
"HUBOT_AUTH_ADMIN" => "bkero,derbumi,galfert,gregkare,slvrbckt,raucao",
"WEBHOOK_TOKEN" => hal8000_freenode_data_bag_item['webhook_token'],
"KREDITS_WEBHOOK_TOKEN" => hal8000_freenode_data_bag_item['kredits_webhook_token'],
"KREDITS_PROVIDER_URL" => node['hal8000']['kredits']['provider_url'],
"KREDITS_ROOM" => node['hal8000']['kredits']['room'],
"KREDITS_WALLET_PATH" => node['hal8000']['kredits']['wallet_path'],
"KREDITS_WALLET_PASSWORD" => hal8000_freenode_data_bag_item['kredits_wallet_password'],
"KREDITS_CONTRACT_ADDRESS" => node['hal8000']['kredits']['contract_address']
# "IPFS_API_HOST" => node['hal8000']['kredits']['ipfs_host'],
# "IPFS_API_PORT" => node['hal8000']['kredits']['ipfs_port'],
# "IPFS_API_PROTOCOL" => node['hal8000']['kredits']['ipfs_protocol']
}
)
notifies :run, "execute[systemctl daemon-reload]", :delayed
notifies :restart, "service[hal8000_nodejs]", :delayed
end
cookbook_file "#{name}/wallet.json" do
source "wallet.json"
end
service "hal8000_nodejs" do
action [:enable, :start]
end
end
botka_freenode_data_bag_item = Chef::EncryptedDataBagItem.load('credentials', 'botka_freenode')
application "botka_freenode" do
path "/srv/botka_freenode"
botka_freenode_path = "/opt/botka_freenode"
application botka_freenode_path do
owner "hubot"
group "hubot"
action :deploy
before_restart do
file "#{new_resource.release_path}/external-scripts.json" do
mode "0640"
owner "hubot"
group "hubot"
content [
"hubot-help",
"hubot-remotestorage-logger"
].to_json
end
git do
user "hubot"
group "hubot"
repository "https://github.com/67P/botka.git"
revision "master"
end
repository "https://github.com/67P/botka.git"
revision "master"
file "#{name}/external-scripts.json" do
mode "0640"
owner "hubot"
group "hubot"
content [
"hubot-help",
"hubot-remotestorage-logger",
].to_json
end
nodejs do
entry_point "/srv/botka_freenode/current/bin/hubot -a irc"
# Use our own systemd service that depends on redis-server
template "nodejs.systemd.service.erb"
environment "HUBOT_IRC_SERVER" => "irc.freenode.net",
"HUBOT_IRC_ROOMS" => "#5apps,#kosmos,#kosmos-dev,#remotestorage,#hackerbeach,#unhosted,#sockethub,#opensourcedesign,#openknot,#emberjs",
"HUBOT_IRC_NICK" => "botka",
"HUBOT_IRC_NICKSERV_USERNAME" => "botka",
"HUBOT_IRC_NICKSERV_PASSWORD" => botka_freenode_data_bag_item['nickserv_password'],
"HUBOT_IRC_UNFLOOD" => "100",
"HUBOT_RSS_PRINTSUMMARY" => "false",
"HUBOT_RSS_IRCCOLORS" => "true",
# "HUBOT_LOG_LEVEL" => "error",
"EXPRESS_PORT" => "8082",
"HUBOT_AUTH_ADMIN" => "bkero,derbumi,galfert,gregkare,jaaan,slvrbckt,raucao",
"RS_LOGGER_USER" => "kosmos@5apps.com",
"RS_LOGGER_TOKEN" => botka_freenode_data_bag_item['rs_logger_token'],
"RS_LOGGER_SERVER_NAME" => "freenode",
"RS_LOGGER_PUBLIC" => "true"
npm_install do
user "hubot"
end
execute "systemctl daemon-reload" do
command "systemctl daemon-reload"
action :nothing
end
template "/lib/systemd/system/botka_freenode_nodejs.service" do
source 'nodejs.systemd.service.erb'
owner 'root'
group 'root'
mode '0644'
variables(
user: "hubot",
group: "hubot",
app_dir: botka_freenode_path,
entry: "#{botka_freenode_path}/bin/hubot -a irc",
environment: { "HUBOT_IRC_SERVER" => "irc.freenode.net",
"HUBOT_IRC_ROOMS" => "#5apps,#kosmos,#kosmos-dev,#remotestorage,#hackerbeach,#unhosted,#sockethub,#opensourcedesign,#openknot,#emberjs,#mastodon,#indieweb",
"HUBOT_IRC_NICK" => "botka",
"HUBOT_IRC_NICKSERV_USERNAME" => "botka",
"HUBOT_IRC_NICKSERV_PASSWORD" => botka_freenode_data_bag_item['nickserv_password'],
"HUBOT_IRC_UNFLOOD" => "100",
"HUBOT_RSS_PRINTSUMMARY" => "false",
"HUBOT_RSS_IRCCOLORS" => "true",
# "HUBOT_LOG_LEVEL" => "error",
"EXPRESS_PORT" => "8082",
"HUBOT_AUTH_ADMIN" => "bkero,derbumi,galfert,gregkare,jaaan,slvrbckt,raucao",
"RS_LOGGER_USER" => "kosmos@5apps.com",
"RS_LOGGER_TOKEN" => botka_freenode_data_bag_item['rs_logger_token'],
"RS_LOGGER_SERVER_NAME" => "freenode",
"RS_LOGGER_PUBLIC" => "true" }
)
notifies :run, "execute[systemctl daemon-reload]", :delayed
notifies :restart, "service[botka_freenode_nodejs]", :delayed
end
service "botka_freenode_nodejs" do
action [:enable, :start]
end
end
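Review bot: `cookbook_file "#{name}/wallet.json"` sets no `owner`, `group`, `mode` or `sensitive`, so the wallet keystore is written by root with the default umask-derived mode and its contents are printed in Chef's diff output whenever it changes, while every neighbouring resource sets `owner "hubot"`, `group "hubot"` and a restrictive mode. Add `owner "hubot"`, `group "hubot"`, `mode "0600"` and `sensitive true` to that resource. The `"KREDITS_WALLET_PATH"` value comes from the attribute `'wallet.json'`, a relative path, which presumably resolves against the working directory the systemd unit derives from `app_dir` — worth confirming against nodejs.systemd.service.erb. The hubot user's `home "/srv/hal8000"` context line still points at the old /srv location now that `hal8000_path = "/opt/hal8000"`.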


@@ -1,6 +1,4 @@
# kosmos-ipfs CHANGELOG
This file is used to list changes made in each version of the kosmos-ipfs cookbook.
## 0.1.0
- [gregkare] - Initial release of kosmos-ipfs


@@ -21,4 +21,15 @@ ipfs_config "Gateway.Writable" do
value true
end
# Set up CORS headers
ipfs_config "API.HTTPHeaders.Access-Control-Allow-Credentials" do
value '["true"]'
end
ipfs_config "API.HTTPHeaders.Access-Control-Allow-Methods" do
value '["PUT", "GET", "POST"]'
end
ipfs_config "API.HTTPHeaders.Access-Control-Allow-Origin" do
value '["*"]'
end
include_recipe "kosmos-ipfs::letsencrypt"
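Review bot: The `API.HTTPHeaders.Access-Control-Allow-Origin` value `'["*"]'` combined with `Access-Control-Allow-Credentials` `'["true"]'` is contradictory — browsers refuse credentialed requests when the origin is the wildcard — and it replaces the nginx-level `add_header 'Access-Control-Allow-Origin' 'https://kredits.kosmos.org'` that this same merge removes from nginx_conf_ipfs.kosmos.org.erb, so the API paths proxied on port 5444 are now callable from any web origin. Set the origin to the known consumer, `value '["https://kredits.kosmos.org"]'`, and drop the credentials header unless cookies or auth headers are actually needed. The `Access-Control-Allow-Methods` list including `POST` for `/api/v0/add` is what makes a permissive origin matter here.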


@@ -8,7 +8,9 @@
#
# nginx config to generate a Let's Encrypt cert
include_recipe "kosmos-base::letsencrypt"
unless node.chef_environment == "development"
include_recipe "kosmos-base::letsencrypt"
end
root_directory = "/var/www/ipfs.kosmos.org"
@@ -23,11 +25,12 @@ template "#{node['nginx']['dir']}/sites-available/ipfs.kosmos.org" do
source 'nginx_conf_ipfs.kosmos.org.erb'
owner 'www-data'
mode 0640
variables server_name: 'ipfs.kosmos.org',
root_directory: root_directory,
ssl_cert: "/etc/letsencrypt/live/ipfs.kosmos.org/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/ipfs.kosmos.org/privkey.pem",
ipfs_api_port: 5001
variables server_name: 'ipfs.kosmos.org',
root_directory: root_directory,
ssl_cert: "/etc/letsencrypt/live/ipfs.kosmos.org/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/ipfs.kosmos.org/privkey.pem",
ipfs_api_port: 5001,
ipfs_external_api_port: 5444
notifies :reload, 'service[nginx]', :delayed
end
@@ -36,14 +39,23 @@ nginx_site 'ipfs.kosmos.org' do
enable true
end
# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
# has been generated before. The renew cron will take care of renewing
execute "letsencrypt cert for ipfs.kosmos.org" do
command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{root_directory} -d ipfs.kosmos.org -n"
cwd "/usr/local/certbot"
only_if do
File.exist?("#{node['nginx']['dir']}/sites-enabled/ipfs.kosmos.org") &&
! File.exist?("/etc/letsencrypt/live/ipfs.kosmos.org/fullchain.pem")
unless node.chef_environment == "development"
include_recipe "firewall"
firewall_rule 'ipfs_api' do
port 5444
protocol :tcp
command :allow
end
# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
# has been generated before. The renew cron will take care of renewing
execute "letsencrypt cert for ipfs.kosmos.org" do
command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{root_directory} -d ipfs.kosmos.org -n"
cwd "/usr/local/certbot"
only_if do
File.exist?("#{node['nginx']['dir']}/sites-enabled/ipfs.kosmos.org") &&
!File.exist?("/etc/letsencrypt/live/ipfs.kosmos.org/fullchain.pem")
end
notifies :create, "template[#{node['nginx']['dir']}/sites-available/ipfs.kosmos.org]", :delayed
end
notifies :create, "template[#{node['nginx']['dir']}/sites-available/ipfs.kosmos.org]", :delayed
end
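Review bot: The new `firewall_rule 'ipfs_api'` opens TCP 5444 to the world, and the nginx template this recipe renders proxies `/api/v0/add` on that port with no authentication visible anywhere on this page, so once the rule is in place anyone can push data into this IPFS node. If public adds are not intended, gate that location with `auth_basic` or narrow the rule with a `source` address; at minimum set `client_max_body_size` on the proxied location so a single request cannot fill the disk. The `include_recipe "firewall"` and the certbot `execute` now sit inside the `unless node.chef_environment == "development"` guard like the other cookbooks in this merge, which is consistent.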


@@ -16,7 +16,7 @@ server {
server {
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
listen 443 ssl spdy;
listen <%= @ipfs_external_api_port %> ssl http2;
<% else -%>
listen 80;
<% end -%>
@@ -31,8 +31,6 @@ server {
# Increase number of buffers. Default is 8
proxy_buffers 1024 8k;
proxy_http_version 1.1;
# CORS headers for Kredits
add_header 'Access-Control-Allow-Origin' 'https://kredits.kosmos.org';
location /api/v0/cat {
proxy_pass http://_ipfs/api/v0/cat;
@@ -42,6 +40,10 @@ server {
proxy_pass http://_ipfs/api/v0/add;
}
location /api/v0/object/get {
proxy_pass http://_ipfs/api/v0/object/get;
}
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;


@@ -0,0 +1,4 @@
# kosmos-mastodon CHANGELOG
## 0.1.0
- [Greg Karékinian] - Initial release of kosmos-mastodon


@@ -0,0 +1,80 @@
# kosmos-mastodon Cookbook
TODO: Enter the cookbook description here.
e.g.
This cookbook makes your favorite breakfast sandwich.
## Requirements
TODO: List your cookbook requirements. Be sure to include any requirements this cookbook has on platforms, libraries, other cookbooks, packages, operating systems, etc.
e.g.
### Platforms
- SandwichOS
### Chef
- Chef 12.0 or later
### Cookbooks
- `toaster` - kosmos-mastodon needs toaster to brown your bagel.
## Attributes
TODO: List your cookbook attributes here.
e.g.
### kosmos-mastodon::default
<table>
<tr>
<th>Key</th>
<th>Type</th>
<th>Description</th>
<th>Default</th>
</tr>
<tr>
<td><tt>['kosmos-mastodon']['bacon']</tt></td>
<td>Boolean</td>
<td>whether to include bacon</td>
<td><tt>true</tt></td>
</tr>
</table>
## Usage
### kosmos-mastodon::default
TODO: Write usage instructions for each cookbook.
e.g.
Just include `kosmos-mastodon` in your node's `run_list`:
```json
{
"name":"my_node",
"run_list": [
"recipe[kosmos-mastodon]"
]
}
```
## Contributing
TODO: (optional) If this is a public cookbook, detail the process for contributing. If this is a private cookbook, remove this section.
e.g.
1. Fork the repository on Github
2. Create a named feature branch (like `add_component_x`)
3. Write your change
4. Write tests for your change (if applicable)
5. Run the tests, ensuring they all pass
6. Submit a Pull Request using Github
## License and Authors
Authors: TODO: List authors


@@ -0,0 +1,4 @@
node.default["kosmos-mastodon"]["directory"] = "/opt/mastodon"
node.default["kosmos-mastodon"]["puma_port"] = 3000
node.default["kosmos-mastodon"]["streaming_port"] = 4000
node.default["kosmos-mastodon"]["server_name"] = "kosmos.social"


@@ -0,0 +1,17 @@
name 'kosmos-mastodon'
maintainer 'Kosmos'
maintainer_email 'mail@kosmos.org'
license 'All rights reserved'
description 'Installs/Configures kosmos-mastodon'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '0.1.0'
depends "kosmos-nginx"
depends "kosmos-nodejs"
depends "kosmos-redis"
depends "poise-ruby-build"
depends "application_ruby"
depends "application_javascript"
depends "postgresql"
depends "database"
depends "backup"


@@ -0,0 +1,176 @@
#
# Cookbook Name:: kosmos-mastodon
# Recipe:: default
#
# Copyright 2017, Kosmos
#
# All rights reserved - Do Not Redistribute
#
include_recipe "kosmos-nodejs"
include_recipe "kosmos-redis"
node.override['postgresql']['enable_pgdg_apt'] = false
include_recipe "postgresql::server"
include_recipe "postgresql::ruby"
unless node.chef_environment == "development"
node.override['postgresql']['config_pgtune']['db_type'] = "web"
include_recipe "postgresql::config_pgtune"
end
postgresql_database 'mastodon' do
connection(
host: '127.0.0.1',
port: 5432,
username: 'postgres',
password: node['postgresql']['password']['postgres']
)
action :create
end
mastodon_path = node["kosmos-mastodon"]["directory"]
group "mastodon" do
gid 62786
end
user "mastodon" do
comment "mastodon user"
uid 62786
gid 62786
shell "/bin/bash"
home mastodon_path
end
package %w(imagemagick ffmpeg libxml2-dev libxslt1-dev file git curl pkg-config libprotobuf-dev protobuf-compiler)
node_package %w(yarn) # Used by Rails' assets pipeline
ruby_version = "2.4.1"
application mastodon_path do
owner "mastodon"
group "mastodon"
environment "HOME" => mastodon_path
ruby_runtime ruby_version do
provider :ruby_build
version ruby_version
end
git do
user "mastodon"
group "mastodon"
repository "https://github.com/67P/mastodon.git"
revision "kosmos"
end
mastodon_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mastodon')
template ".env.production" do
source "env.production.erb"
mode "0640"
owner "mastodon"
group "mastodon"
variables redis_db: 1,
redis_actioncable_db: 2,
domain: node["kosmos-mastodon"]["server_name"],
paperclip_secret: mastodon_credentials['paperclip_secret'],
secret_key_base: mastodon_credentials['secret_key_base'],
otp_secret: mastodon_credentials['otp_secret'],
smtp_login: mastodon_credentials['smtp_user_name'],
smtp_password: mastodon_credentials['smtp_password'],
smtp_from_address: "mail@#{node['kosmos-mastodon']['server_name']}",
s3_bucket: "kosmos-social",
aws_access_key_id: mastodon_credentials['aws_access_key_id'],
aws_secret_access_key: mastodon_credentials['aws_secret_access_key'],
s3_region: "eu-west-1"
end
directory "#{mastodon_path}/public/.well-known" do
owner node['nginx']['user']
group node['nginx']['group']
recursive true
end
bundle_install do
user "mastodon"
deployment true
without %w(development test)
end
rails do
migrate true
rails_env "production"
precompile_assets false # buggy, done manually below
end
# This is the only way I could find that makes compiling the assets
# successfully for now. application_ruby's precompile_assets crashes because
# it cannot find the bundled gems
execute 'rake assets:precompile' do
environment "RAILS_ENV" => "production", "HOME" => mastodon_path
user "mastodon"
group "mastodon"
cwd mastodon_path
command "PATH=\"/opt/ruby_build/builds/#{ruby_version}/bin:$PATH\" /opt/ruby_build/builds/#{ruby_version}/bin/bundle exec rake assets:precompile"
end
execute "systemctl daemon-reload" do
command "systemctl daemon-reload"
action :nothing
end
# mastodon-web service
#
template "/lib/systemd/system/mastodon-web.service" do
source "mastodon-web.systemd.service.erb"
variables user: user,
app_dir: mastodon_path,
port: node["kosmos-mastodon"]["puma_port"],
bundle_path: "/opt/ruby_build/builds/#{ruby_version}/bin/bundle"
notifies :run, "execute[systemctl daemon-reload]", :delayed
notifies :restart, "service[mastodon-web]", :delayed
end
service "mastodon-web" do
action [:enable, :start]
end
# mastodon-sidekiq service
#
template "/lib/systemd/system/mastodon-sidekiq.service" do
source "mastodon-sidekiq.systemd.service.erb"
variables user: user,
app_dir: mastodon_path,
bundle_path: "/opt/ruby_build/builds/#{ruby_version}/bin/bundle"
notifies :run, "execute[systemctl daemon-reload]", :delayed
notifies :restart, "service[mastodon-sidekiq]", :delayed
end
service "mastodon-sidekiq" do
action [:enable, :start]
end
# mastodon-streaming service
#
template "/lib/systemd/system/mastodon-streaming.service" do
source "mastodon-streaming.systemd.service.erb"
variables user: user,
app_dir: mastodon_path,
port: node["kosmos-mastodon"]["streaming_port"]
notifies :run, "execute[systemctl daemon-reload]", :delayed
notifies :restart, "service[mastodon-streaming]", :delayed
end
service "mastodon-streaming" do
action [:enable, :start]
end
end
unless node.chef_environment == "development"
# Backup the database to S3
node.override["backup"]["postgresql"]["host"] = "localhost"
node.override["backup"]["postgresql"]["username"] = "postgres"
node.override["backup"]["postgresql"]["password"] = node['postgresql']['password']['postgres']
include_recipe "backup"
end
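Review bot: `variables user: user,` at L1272 (and again at L1286 and L1299) does not name a local variable — nothing in this recipe assigns `user`, so inside the `application` block it resolves to the Chef `user` resource DSL method called with no name, and `@user` in the three systemd templates becomes whatever that returns rather than the string `mastodon`. If it renders empty, the generated `User=` line is blank and systemd runs the service as root; if it renders as an inspected resource, the units fail to start. Pass the literal in all three template resources: `variables user: "mastodon",`. A second, smaller point: `revision "kosmos"` at L1217 tracks a moving branch of a fork, so a converge is not reproducible; pinning a commit SHA (as the parity build recipe in this commit does) makes what was deployed auditable.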


@@ -0,0 +1,47 @@
#
# Cookbook Name:: kosmos-mastodon
# Recipe:: nginx
#
# Copyright 2017, Kosmos
#
# All rights reserved - Do Not Redistribute
#
mastodon_path = node["kosmos-mastodon"]["directory"]
server_name = node["kosmos-mastodon"]["server_name"]
include_recipe "kosmos-nginx"
directory "/var/www/mastodon/.well-known/acme-challenge" do
owner node["nginx"]["user"]
group node["nginx"]["group"]
recursive true
action :create
end
template "#{node['nginx']['dir']}/sites-available/mastodon" do
source 'nginx_conf_mastodon.erb'
owner 'www-data'
mode 0640
variables streaming_port: node["kosmos-mastodon"]["streaming_port"],
puma_port: node["kosmos-mastodon"]["puma_port"],
server_name: server_name,
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem",
mastodon_path: mastodon_path
notifies :reload, 'service[nginx]', :delayed
end
nginx_site 'mastodon' do
enable true
end
unless node.chef_environment == "development"
include_recipe "kosmos-base::letsencrypt"
execute "letsencrypt cert for #{server_name}" do
command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/mastodon -d #{server_name} -n"
cwd "/usr/local/certbot"
not_if { File.exist? "/etc/letsencrypt/live/#{server_name}/fullchain.pem" }
notifies :create, "template[#{node['nginx']['dir']}/sites-available/mastodon]", :immediately
end
end
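Review bot: The vhost template at L1337-L1340 is written with `owner 'www-data'` and mode 0640, which makes the unprivileged nginx worker user the owner of a config file that the root-running nginx master loads on every reload. Anything that gains code execution as www-data could then rewrite the vhost (change `proxy_pass`, drop the HSTS header) and have root nginx apply it on the next reload. The file contains nothing secret, so `owner 'root'`, `group 'root'`, `mode 0644` is the usual shape. The `.well-known/acme-challenge` directory at L1331-L1336 likewise only needs to be readable by nginx — certbot writes the challenge files as root — so it does not need to be owned by the nginx user either.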


@@ -0,0 +1,119 @@
Rails.application.configure do
# Settings specified here will take precedence over those in config/application.rb.
# Code is not reloaded between requests.
config.cache_classes = true
# Eager load code on boot. This eager loads most of Rails and
# your application in memory, allowing both threaded web servers
# and those relying on copy on write to perform better.
# Rake tasks automatically ignore this option for performance.
config.eager_load = true
# Full error reports are disabled and caching is turned on.
config.consider_all_requests_local = false
config.action_controller.perform_caching = true
config.action_controller.asset_host = ENV['CDN_HOST'] if ENV.key?('CDN_HOST')
# Disable serving static files from the `/public` folder by default since
# Apache or NGINX already handles this.
config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?
# Compress JavaScripts and CSS.
config.assets.js_compressor = Uglifier.new(mangle: false)
# config.assets.css_compressor = :sass
# Do not fallback to assets pipeline if a precompiled asset is missed.
config.assets.compile = false
# `config.assets.precompile` and `config.assets.version` have moved to config/initializers/assets.rb
# Specifies the header that your server uses for sending files.
# config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache
config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX
# Allow to specify public IP of reverse proxy if it's needed
config.action_dispatch.trusted_proxies = [IPAddr.new(ENV['TRUSTED_PROXY_IP'])] unless ENV['TRUSTED_PROXY_IP'].blank?
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
config.force_ssl = false
# Use the lowest log level to ensure availability of diagnostic information
# when problems arise.
config.log_level = :debug
# Prepend all log lines with the following tags.
config.log_tags = [:request_id]
# Use a different logger for distributed setups.
# config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
# Parse and split the REDIS_URL if passed (used with hosting platforms such as Heroku).
# Set ENV variables because they are used elsewhere.
if ENV['REDIS_URL']
redis_url = URI.parse(ENV['REDIS_URL'])
ENV['REDIS_HOST'] = redis_url.host
ENV['REDIS_PORT'] = redis_url.port.to_s
ENV['REDIS_PASSWORD'] = redis_url.password
end
# Use a different cache store in production.
config.cache_store = :redis_store, {
host: ENV.fetch('REDIS_HOST') { 'localhost' },
port: ENV.fetch('REDIS_PORT') { 6379 },
password: ENV.fetch('REDIS_PASSWORD') { false },
db: <%= @redis_db %>,
namespace: 'cache',
expires_in: 20.minutes,
}
# Enable serving of images, stylesheets, and JavaScripts from an asset server.
# config.action_controller.asset_host = 'http://assets.example.com'
# Ignore bad email addresses and do not raise email delivery errors.
# Set this to true and configure the email server for immediate delivery to raise delivery errors.
# config.action_mailer.raise_delivery_errors = false
# Enable locale fallbacks for I18n (makes lookups for any locale fall back to
# the I18n.default_locale when a translation cannot be found).
config.i18n.fallbacks = true
# Send deprecation notices to registered listeners.
config.active_support.deprecation = :notify
# Use default logging formatter so that PID and timestamp are not suppressed.
config.log_formatter = ::Logger::Formatter.new
# Better log formatting
config.lograge.enabled = true
# Do not dump schema after migrations.
config.active_record.dump_schema_after_migration = false
config.action_mailer.perform_caching = false
# E-mails
config.action_mailer.smtp_settings = {
:port => ENV['SMTP_PORT'],
:address => ENV['SMTP_SERVER'],
:user_name => ENV['SMTP_LOGIN'],
:password => ENV['SMTP_PASSWORD'],
:domain => ENV['SMTP_DOMAIN'] || config.x.local_domain,
:authentication => :plain,
}
config.action_mailer.delivery_method = :smtp
config.react.variant = :production
config.to_prepare do
StatsD.backend = StatsD::Instrument::Backends::NullBackend.new if ENV['STATSD_ADDR'].blank?
end
config.action_dispatch.default_headers = {
'Server' => 'Mastodon',
'X-Frame-Options' => 'DENY',
'X-Content-Type-Options' => 'nosniff',
'X-XSS-Protection' => '1; mode=block',
}
end
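Review bot: `config.force_ssl = false` at L1393 disables the Rails-side HTTPS enforcement even though the nginx vhost in this commit serves the app only over TLS and forwards `X-Forwarded-Proto https`; beyond the redirect, `force_ssl` is what marks the session cookie `Secure`, so with it off the cookie can be sent in clear if a client is ever coaxed onto port 80. Since nginx already sets the forwarded-proto header, `config.force_ssl = true` should work without a redirect loop; if only the redirect is unwanted, `config.ssl_options = { redirect: false }` keeps the secure-cookie flag and HSTS. Separately, `config.log_level = :debug` at L1396 in production writes every SQL statement with bound values to the log; `:info` is the safer default unless the verbosity is deliberate, in which case a comment saying so would help.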


@@ -0,0 +1,49 @@
# Service dependencies
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_DB=<%= @redis_db %>
REDIS_ACTIONCABLE_DB=<%= @redis_actioncable_db %>
DB_HOST=localhost
DB_USER=postgres
DB_NAME=mastodon
DB_PASS=<%= node['postgresql']['password']['postgres'] %>
DB_PORT=5432
# Federation
LOCAL_DOMAIN=<%= @domain %>
LOCAL_HTTPS=true
# Application secrets
# Generate each with the `rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
PAPERCLIP_SECRET=<%= @paperclip_secret %>
SECRET_KEY_BASE=<%= @secret_key_base %>
OTP_SECRET=<%= @otp_secret %>
# Registrations
# Single user mode will disable registrations and redirect frontpage to the first profile
# SINGLE_USER_MODE=true
# Prevent registrations with following e-mail domains
# EMAIL_DOMAIN_BLACKLIST=example1.com|example2.de|etc
# E-mail configuration
SMTP_SERVER=smtp.mailgun.org
SMTP_PORT=587
SMTP_LOGIN=<%= @smtp_login %>
SMTP_PASSWORD=<%= @smtp_password %>
SMTP_FROM_ADDRESS=<%= @smtp_from_address %>
# Optional asset host for multi-server setups
# CDN_HOST=assets.example.com
# S3 (optional)
S3_ENABLED=true
S3_BUCKET=<%= @s3_bucket %>
AWS_ACCESS_KEY_ID=<%= @aws_access_key_id %>
AWS_SECRET_ACCESS_KEY=<%= @aws_secret_access_key %>
S3_REGION=<%= @s3_region %>
# Optional alias for S3 if you want to use Cloudfront or Cloudflare in front
# S3_CLOUDFRONT_HOST=
# Streaming API integration
# STREAMING_API_BASE_URL=
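Review bot: `DB_USER=postgres` with `DB_PASS=<%= node['postgresql']['password']['postgres'] %>` at L1466-L1468 hands the application the cluster superuser, so a SQL injection or a compromised Rails process can read or drop every database on the host rather than just `mastodon`. The recipe already loads the `mastodon` data bag item and depends on the `database` cookbook, so a dedicated role (`postgresql_database_user 'mastodon'` with a password from that item, made owner of the `mastodon` database so migrations still work) plus `DB_USER=mastodon` and `DB_PASS=<%= @db_password %>` here would confine the blast radius. As a side effect the superuser password would then no longer be rendered into a file owned by the application user.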


@@ -0,0 +1,17 @@
[Unit]
Description=mastodon-sidekiq
Requires=redis-server.service
After=redis-server.service
[Service]
Type=simple
User=<%= @user %>
WorkingDirectory=<%= @app_dir %>
Environment="RAILS_ENV=production"
Environment="DB_POOL=5"
ExecStart=<%= @bundle_path %> exec sidekiq -c 5 -q default -q mailers -q pull -q push
TimeoutSec=15
Restart=always
[Install]
WantedBy=multi-user.target
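Review bot: The unit runs a long-lived worker that processes federated input but has no sandboxing directives, so a compromised sidekiq process keeps every capability of its user, including spawning setuid children and sharing /tmp with other services. `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` under `[Service]` are low-risk for a Ruby worker whose writable state lives under `<%= @app_dir %>`, Redis and Postgres. The unit also needs the database but only declares the Redis dependency at L1507-L1508; adding the same `Requires=`/`After=` on the postgresql unit that mastodon-web declares keeps the two consistent.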


@@ -0,0 +1,15 @@
Description=mastodon-streaming
After=network.target
[Service]
Type=simple
User=<%= @user %>
WorkingDirectory=<%= @app_dir %>
Environment="NODE_ENV=production"
Environment="PORT=<%= @port %>"
ExecStart=/usr/local/bin/npm run start
TimeoutSec=15
Restart=always
[Install]
WantedBy=multi-user.target
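Review bot: The rendered file begins with `Description=` and `After=` at L1524-L1525 with no `[Unit]` header above them, while the sidekiq and web units in this commit both start with one; if that is what the file contains, systemd rejects both lines with "Assignment outside of section" and the unit loads without its description or ordering. Add `[Unit]` as the first line. `NoNewPrivileges=true` and `PrivateTmp=true` under `[Service]` would also be cheap hardening for a Node process that accepts connections from the proxy.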


@@ -0,0 +1,23 @@
[Unit]
Description=mastodon-web
Requires=redis-server.service
After=redis-server.service
Requires=postgresql@9.4-main.service
After=postgresql@9.4-main.service
[Service]
Type=simple
User=<%= @user %>
PIDFile=<%= @app_dir %>/tmp/puma.pid
WorkingDirectory=<%= @app_dir %>
Environment="RAILS_ENV=production"
Environment="PORT=3000"
ExecStart=<%= @bundle_path %> exec puma -C config/puma.rb --pidfile <%= @app_dir %>/tmp/puma.pid
ExecStop=<%= @bundle_path %> exec puma -C config/puma.rb --pidfile <%= @app_dir %>/tmp/puma.pid stop
ExecReload=<%= @bundle_path %> exec pumactl -F config/puma.rb --pidfile <%= @app_dir %>/tmp/puma.pid phased-restart
ExecRestart=<%= @bundle_path %> exec pumactl -F config/puma.rb --pidfile <%= @app_dir %>/tmp/puma.pid restart
TimeoutSec=15
Restart=always
[Install]
WantedBy=multi-user.target
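Review bot: `Environment="PORT=3000"` at L1553 hard-codes the port while the recipe passes `port: node["kosmos-mastodon"]["puma_port"]` to this template, so changing the attribute moves the nginx `proxy_pass` target but not puma; use `Environment="PORT=<%= @port %>"`. `ExecRestart=` at L1557 is not a systemd directive (only ExecStart/ExecStop/ExecReload exist), so it will be logged as an unknown lvalue and ignored. The `postgresql@9.4-main.service` dependency at L1545-L1546 is version-pinned; on the Ubuntu 16.04 target this branch is about the packaged cluster is 9.5, and a `Requires=` on a unit that does not exist prevents mastodon-web from starting — worth confirming against the node.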


@@ -0,0 +1,84 @@
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80; # IPv4
listen [::]:80; #IPv6
server_name <%= @server_name %>;
access_log "/var/log/nginx/mastodon.access.log";
error_log "/var/log/nginx/mastodon.error.log";
location /.well-known {
root "/var/www/mastodon";
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl http2; #IPv4
listen [::]:443 ssl http2; #IPv6
server_name <%= @server_name %>;
access_log "/var/log/nginx/mastodon.access.log";
error_log "/var/log/nginx/mastodon.error.log";
<% if File.exist?(@ssl_cert) &&
File.exist?(@ssl_key) -%>
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
<% end -%>
keepalive_timeout 70;
sendfile on;
client_max_body_size 0;
gzip off;
root <%= @mastodon_path %>/public;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
location / {
try_files $uri @proxy;
}
location @proxy {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_pass_header Server;
proxy_pass http://localhost:<%= @puma_port %>;
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
tcp_nodelay on;
}
location /api/v1/streaming {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://localhost:<%= @streaming_port %>;
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
tcp_nodelay on;
}
error_page 500 501 502 503 504 /500.html;
}
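Review bot: `client_max_body_size 0;` at L1596 removes nginx's request-body limit entirely, so any unauthenticated client can stream gigabytes at puma before Mastodon's own media size checks run; a bounded value such as `client_max_body_size 80m;` covers the largest allowed upload with margin. The port-80 redirect at L1580 builds its target from `$host`, i.e. from the client's Host header; because `server_name` is set this only matters if the vhost also becomes the default server, but `return 301 https://<%= @server_name %>$request_uri;` removes the question. The HSTS header at L1599 is emitted unconditionally even when the `ssl_certificate` lines at L1589-L1593 are skipped, which is harmless but worth a comment so the two conditions are not thought to be linked.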


@@ -1,13 +1,6 @@
kosmos-mediawiki CHANGELOG
==========================
This file is used to list changes made in each version of the kosmos-mediawiki cookbook.
0.1.0
-----
- [your_name] - Initial release of kosmos-mediawiki
- - -
Check the [Markdown Syntax Guide](http://daringfireball.net/projects/markdown/syntax) for help with Markdown.
The [Github Flavored Markdown page](http://github.github.com/github-flavored-markdown/) describes the differences between markdown on github and standard markdown.
- [Greg Karékinian] - Initial release of kosmos-mediawiki


@@ -7,7 +7,6 @@ long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '0.1.0'
depends "mediawiki"
depends "firewall"
depends "ark"
depends "backup"
depends "kosmos-nginx"


@@ -14,7 +14,7 @@ include_recipe 'ark'
#
# sudo su - /var/www/mediawiki-1.xx.y/maintenance/update.php
node.override['mediawiki']['version'] = "1.28.0"
node.override['mediawiki']['webdir'] = "#{node["mediawiki"]["docroot_dir"]}/mediawiki-#{node['mediawiki']['version']}"
node.override['mediawiki']['webdir'] = "#{node['mediawiki']['docroot_dir']}/mediawiki-#{node['mediawiki']['version']}"
node.override['mediawiki']['tarball']['name'] = "mediawiki-#{node['mediawiki']['version']}.tar.gz"
node.override['mediawiki']['tarball']['url'] = "https://releases.wikimedia.org/mediawiki/1.28/#{node['mediawiki']['tarball']['name']}"
node.override['mediawiki']['language_code'] = 'en'
@@ -54,6 +54,13 @@ include_recipe "mediawiki::nginx"
unless node.chef_environment == "development"
include_recipe "kosmos-base::letsencrypt"
execute "letsencrypt cert for wiki.kosmos.org" do
command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node['mediawiki']['docroot_dir']} -d wiki.kosmos.org -n"
cwd "/usr/local/certbot"
not_if { File.exist? "/etc/letsencrypt/live/wiki.kosmos.org/fullchain.pem" }
notifies :reload, "service[nginx]", :delayed
end
execute "letsencrypt cert for wiki.kosmos.org" do
command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{node["mediawiki"]["docroot_dir"]} -d wiki.kosmos.org -n"
cwd "/usr/local/certbot"
@@ -124,7 +131,7 @@ end
ruby_block "configuration" do
block do
file = Chef::Util::FileEdit.new("#{node['mediawiki']['webdir']}/LocalSettings.php")
file.search_file_replace_line(/\$wgLogo\ =\ \"\$wgResourceBasePath\/resources\/assets\/wiki.png\";/,
file.search_file_replace_line(%r{\$wgLogo\ =\ \"\$wgResourceBasePath\/resources\/assets\/wiki.png\";},
"$wgLogo = \"$wgResourceBasePath/skins/common/images/kosmos.png\";")
file.insert_line_if_no_match(/# Our config/,
<<-EOF
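Review bot: The rendered `@@ -54,6 +54,13 @@` hunk shows two `execute "letsencrypt cert for wiki.kosmos.org"` resources on the new side (L1671 and L1677), the first inside the `unless node.chef_environment == "development"` guard with a `not_if` and an nginx reload, the second outside it; if both really remain in the file they share a resource name, which Chef reports as a cloned/duplicate resource, and the unguarded copy still runs certbot in development. If the second is the old version this hunk replaces, the rendering has merely lost the `-` markers and nothing is needed. Worth checking the file itself: only the guarded block should survive.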


@@ -33,6 +33,7 @@ server {
}
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
<% end -%>


@@ -0,0 +1,14 @@
# Improve performance
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Disable insecure cyphers
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
# From https://mozilla.github.io/server-side-tls/ssl-config-generator/
# Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
# We don't have a lot of those cyphers (using Ubuntu 15.04), but CBC is insecure:
# https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# Unique DH Group, see https://weakdh.org/sysadmin.html
ssl_dhparam /etc/ssl/private/dhparams.pem;
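Review bot: The comment at L1712-L1713 says CBC is insecure, but the `ssl_ciphers` list at L1714 ends with four CBC suites (`ECDHE-ECDSA-AES256-SHA384`, `ECDHE-RSA-AES256-SHA384`, `ECDHE-ECDSA-AES128-SHA256`, `ECDHE-RSA-AES128-SHA256`), so the comment and the policy disagree. With `ssl_protocols TLSv1.2` only, the AEAD suites ahead of them should cover the clients named in the comment as far as I can tell, so the last four entries can be dropped; if they are kept deliberately, the comment should say for which client. `ssl_stapling on;` with `ssl_stapling_verify on;` would also sit naturally next to the session settings.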


@@ -4,7 +4,8 @@ maintainer_email 'mail@kosmos.org'
license 'All rights reserved'
description 'Installs/Configures kosmos-nginx'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '0.1.0'
version '0.2.0'
depends 'nginx'
depends 'chef_nginx'
depends 'firewall'
depends 'openssl'


@@ -22,12 +22,32 @@ node.override['nginx']['log_formats']['json'] = <<-EOF
'"ua":"$http_user_agent"}'
EOF
node.override['nginx']['repo_source'] = 'nginx' # Install from official repo
node.override['nginx']['upstream_repository'] = "http://nginx.org/packages/mainline/#{node['platform']}"
include_recipe 'chef_nginx'
include_recipe 'nginx'
include_recipe 'kosmos-base::firewall'
firewall_rule 'http/https' do
port [80, 443]
protocol :tcp
command :allow
# Generate Strong Diffie-Hellman Group (increases security)
# https://weakdh.org/sysadmin.html
openssl_dhparam "/etc/ssl/private/dhparams.pem" do
key_length 2048
mode 0600
owner 'www-data'
end
cookbook_file "#{node['nginx']['dir']}/conf.d/tls_config.conf" do
source 'nginx_tls_config.conf'
owner 'root'
group 'root'
mode '0644'
notifies :restart, 'service[nginx]'
end
unless node.chef_environment == "development"
include_recipe 'kosmos-base::firewall'
firewall_rule 'http/https' do
port [80, 443]
protocol :tcp
command :allow
end
end
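Review bot: `openssl_dhparam` at L1747-L1751 makes `www-data` the owner of `/etc/ssl/private/dhparams.pem` with mode 0600; the nginx master reads that file as root, so the worker user needs no access at all, and making it the owner lets a compromised worker replace the DH group that root nginx will load on the next reload. `owner 'root'` with `group 'root'` and the same mode is the safer shape. Separately, `upstream_repository` at L1737 points at `http://nginx.org/packages/mainline/…`; apt still verifies signatures, but the repository is served over HTTPS too and switching costs nothing — that line may be context rather than part of this change.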


@@ -7,6 +7,6 @@
# All rights reserved - Do Not Redistribute
#
node.override['nodejs']['version'] = '6.9.4'
node.override['nodejs']['source']['checksum'] = 'c51d7c61db40455d57428abcadc7eb0f0a08a8878cb1d8ea3c1e211c54532c35'
node.override['nodejs']['version'] = '6.10.2'
node.override['nodejs']['source']['checksum'] = '80aa11333da99813973a99646e2113c6be5b63f665c0731ed14ecb94cbe846b6'
include_recipe 'nodejs::nodejs_from_source'


@@ -0,0 +1,4 @@
# kosmos-parity CHANGELOG
## 0.1.0
- [Greg Karékinian] - Initial release of kosmos-parity


@@ -0,0 +1,52 @@
# kosmos-parity Cookbook
This cookbook installs [Parity](https://parity.io/) nodes
## Requirements
### Platforms
- Ubuntu
### Chef
- Chef 12.1 or later
## Attributes
### kosmos-parity::default
<table>
<tr>
<th>Key</th>
<th>Type</th>
<th>Description</th>
<th>Default</th>
</tr>
<tr>
<td><tt>['kosmos-parity']['home_path']</tt></td>
<td>String</td>
<td>The parity user's home path</td>
<td><tt>/home/parity</tt></td>
</tr>
</table>
## Usage
### kosmos-parity::default
### kosmos-parity::node_dev
Sets up a parity node running on the dev chain on port 8545 (behind nginx, with
HTTPS)
### kosmos-parity::node_testnet
Sets up a parity node running on the testnet chain on port 8546 (behind nginx,
with HTTPS)
## License and Authors
Authors:
* Greg Karékinian


@@ -0,0 +1,7 @@
node.default['kosmos-parity']['home_path'] = "/home/parity"
node.default['kosmos-parity']['version'] = "1.6.6"
node.default['kosmos-parity']['package_checksum'] = '7fd51ded7a367774e62c965088ffd15ad0fa42251005d448eb700cbf5db8df24'
node.default['kosmos-parity']['package_version'] = '1.7.0'
node.default['kosmos-parity']['package_timestamp'] = '1493999009'
node.default['kosmos-parity']['debian_package_dir'] = Chef::Config[:file_cache_path]
node.default['kosmos-parity']['hostname'] = "parity.kosmos.org"
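Review bot: The attributes define `['kosmos-parity']['package_checksum']` at L1829, but both install recipes in this commit read `node['kosmos-parity']['checksum']`, which is never set; `remote_file` with a nil checksum skips verification, so the .deb those recipes install as root is accepted unverified. Either rename this key to `checksum` or change the recipes to read `package_checksum`. `version` (1.6.6) and `package_version` (1.7.0) also describe different artifacts, so a short comment on each saying which download consumes it would prevent the next mix-up, e.g. `# upstream release fetched from CloudFront` and `# self-built package fetched from dl.5apps.com`.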


@@ -0,0 +1,15 @@
name 'kosmos-parity'
maintainer 'Kosmos'
maintainer_email 'mail@kosmos.org'
license 'All rights reserved'
description 'Installs/Configures kosmos-parity'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '0.1.0'
gem 'toml'
depends 'ark'
depends 'build-essential'
depends 'kosmos-nginx'
depends 'firewall'
depends 'backup'


@@ -0,0 +1,6 @@
return if node.chef_environment == "development"
# Backup the local directory
node.override["backup"]["archives"]["parity"] = ["#{node['kosmos-parity']['home_path']}/.local/share/io.parity.ethereum/**/keys"]
include_recipe "backup"
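Review bot: The archive glob at L1857 (`**/keys`) ships the parity keystore files — the encrypted wallets for the mainnet and testnet accounts — into the `backup` cookbook's archive; whether that archive is encrypted before it leaves the host is not visible here, and the keystores' own protection is just the account password that this commit also writes to a file on the same node. A comment recording the requirement would make it reviewable, e.g. `# Keystores are protected only by the account password; the backup archive must be encrypted at rest`, and the backup cookbook's encryption setting is worth confirming. Also, `return if …` at the top of a recipe file works but reads as a method exit; the `unless node.chef_environment == "development"` wrapper used by the sibling recipes is the clearer form.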


@@ -0,0 +1,69 @@
#
# Cookbook Name:: kosmos-parity
# Recipe:: create_package_from_github
#
# Copyright 2017, Kosmos
#
# All rights reserved - Do Not Redistribute
#
include_recipe 'kosmos-parity::user'
include_recipe 'build-essential'
package %w(git libssl-dev pkg-config libudev-dev)
gem_package 'fpm' do
version '1.8.1'
end
rust_version = '1.17.0'
architecture = node['kernel']['machine']
rust_canonical_basename = "rust-#{rust_version}-#{architecture}-unknown-linux-gnu"
rust_path = "/usr/local/rust_#{rust_version}"
url = "https://static.rust-lang.org/dist/#{rust_canonical_basename}.tar.gz"
ark "rust_#{rust_version}" do
url url
path "/usr/local"
action :put
notifies :run, "execute[install rust]", :immediately
end
execute "install rust" do
command "./install.sh"
cwd "#{rust_path}"
action :nothing
end
parity_revision = "0d8920347a72fc50e82b540855eba94c8bbb2c0f"
git "/home/parity/parity" do
repository "https://github.com/paritytech/parity.git"
revision parity_revision
user "parity"
group "parity"
notifies :run, "execute[build parity]", :immediately
end
execute "build parity" do
cwd "/home/parity/parity"
environment "HOME" => "/home/parity"
command "cargo build --release"
action :nothing
user "parity"
group "parity"
notifies :run, "execute[copy parity]", :immediately
end
execute "copy parity" do
command "cp /home/parity/parity/target/release/parity /usr/bin/"
action :run
notifies :run, "execute[create package]", :immediately
end
timestamp = Time.now.strftime('%s')
parity_version = node['kosmos-parity']['package_version']
execute "create package" do
cwd node['kosmos-parity']['debian_package_dir']
command "fpm -s dir -t deb -n parity -v #{parity_version}-#{timestamp} -p parity_#{parity_version}-#{timestamp}.deb /usr/bin/parity"
action :nothing
end
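Review bot: The Rust toolchain at L1881-L1892 is fetched by `ark` with no `checksum` and then `./install.sh` is run as root, so the integrity of the compiler that produces a binary later copied into `/usr/bin` and packaged rests on TLS to static.rust-lang.org alone; `ark` accepts `checksum '<sha256>'` and rust-lang publishes a `.sha256` beside every tarball, so pinning it is a one-line change. `execute "copy parity"` at L1910-L1914 has `action :run`, so every converge re-copies the binary and notifies a fresh timestamped .deb build even when nothing changed; `action :nothing` plus a notification from `execute[build parity]` (which already exists at L1908) makes the chain converge cleanly.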


@@ -0,0 +1,25 @@
#
# Cookbook Name:: kosmos-parity
# Recipe:: default
#
# Copyright 2017, Kosmos
#
# All rights reserved - Do Not Redistribute
#
include_recipe 'kosmos-parity::user'
parity_version = node['kosmos-parity']['version']
parity_package_path = "#{Chef::Config[:file_cache_path]}/parity_#{parity_version}_amd64.deb"
remote_file parity_package_path do
source "https://d1h4xl4cr1h0mo.cloudfront.net/v#{parity_version}/x86_64-unknown-linux-gnu/parity_#{parity_version}_amd64.deb"
checksum node['kosmos-parity']['checksum']
mode 0750
notifies :install, "dpkg_package[parity]", :immediately
end
dpkg_package "parity" do
source parity_package_path
end
include_recipe "kosmos-parity::backup"
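Review bot: `checksum node['kosmos-parity']['checksum']` at L1939 reads an attribute the cookbook never defines — attributes/default.rb sets `package_checksum`, and that value belongs to the 1.7.0 self-built package, not the 1.6.6 release downloaded here — so the checksum is nil and `remote_file` installs the CloudFront .deb unverified as root. Add a `['kosmos-parity']['checksum']` attribute carrying the upstream SHA-256 for 1.6.6, or fail loudly when it is absent with `raise "kosmos-parity checksum not set" unless node['kosmos-parity']['checksum']` before the download.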


@@ -0,0 +1,29 @@
#
# Cookbook Name:: kosmos-parity
# Recipe:: default
#
# Copyright 2017, Kosmos
#
# All rights reserved - Do Not Redistribute
#
include_recipe 'kosmos-parity::user'
parity_version = node['kosmos-parity']['package_version']
package_timestamp = node['kosmos-parity']['package_timestamp']
parity_filename = "parity_#{parity_version}-#{package_timestamp}.deb"
parity_package_path = "#{Chef::Config[:file_cache_path]}/#{parity_filename}"
remote_file parity_package_path do
source "https://dl.5apps.com/#{parity_filename}"
checksum node['kosmos-parity']['checksum']
mode 0750
notifies :install, "dpkg_package[parity]", :immediately
end
dpkg_package "parity" do
source parity_package_path
version "#{parity_version}-#{package_timestamp}"
end
include_recipe "kosmos-parity::backup"
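Review bot: L1966 reads `node['kosmos-parity']['checksum']` while attributes/default.rb only sets `package_checksum`, so the value is nil and the package downloaded from dl.5apps.com is installed as root without verification; `checksum node['kosmos-parity']['package_checksum']` is the line that was meant. The header comment at L1953 says `Recipe:: default`, but this is a second recipe with a different download source; naming it correctly there and noting that it installs the package produced by the `create_package_from_github` recipe keeps the two from being confused.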


@@ -0,0 +1,40 @@
#
# Cookbook Name:: kosmos-parity
# Recipe:: letsencrypt
#
# Copyright 2017, Kosmos
#
# All rights reserved - Do Not Redistribute
#
include_recipe "kosmos-base::letsencrypt"
hostname = node['kosmos-parity']['hostname']
directory "/var/www/#{hostname}/.well-known/acme-challenge" do
owner node["nginx"]["user"]
group node["nginx"]["group"]
action :create
recursive true
end
template "#{node['nginx']['dir']}/sites-available/#{hostname}" do
source 'nginx_conf_parity_letsencrypt.erb'
owner 'www-data'
mode 0640
variables server_name: hostname,
ssl_cert: "/etc/letsencrypt/live/#{hostname}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{hostname}/privkey.pem"
notifies :reload, 'service[nginx]', :delayed
end
nginx_site "#{hostname}" do
action :enable
end
execute "letsencrypt cert for #{hostname}" do
command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{hostname} -d #{hostname} -n"
cwd "/usr/local/certbot"
not_if { File.exist? "/etc/letsencrypt/live/#{hostname}/fullchain.pem" }
notifies :reload, "service[nginx]", :delayed
end
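Review bot: Unlike the other `certbot-auto certonly` resources in this commit, the one at L2007-L2012 is not wrapped in `unless node.chef_environment == "development"`, so a development converge attempts a real Let's Encrypt issuance for `parity.kosmos.org` and fails (or consumes rate limit) on any host not reachable under that name. Wrapping L2007-L2012 in the same guard restores consistency. The vhost template at L1995-L1998 is also owned by `www-data` with 0640; root-owned 0644 is the safer shape for a file the root nginx master loads.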


@@ -0,0 +1,58 @@
#
# Cookbook Name:: kosmos-parity
# Recipe:: node_dev
#
# Copyright 2017, Kosmos
#
# All rights reserved - Do Not Redistribute
#
# Sets up a parity node running on the dev chain on port 8545 (behind nginx,
# with HTTPS)
rpc_proxy_port = 8545
rpc_port = 18545
dapps_port = 8180
parity_node "dev" do
password "parityparity"
config parity: {
chain: "dev",
no_download: true, # Don't download updates
},
network: {
port: 30303,
warp: true,
allow_ips: "public" # Don't connect to local IPs
},
rpc: {
port: rpc_port,
cors: "*",
apis: ["web3", "net", "traces", "rpc", "eth"],
hosts: ["all"],
},
dapps: {
port: dapps_port,
},
ui: {
disable: true,
},
websockets: {
disable: true,
},
mining: {
reseal_min_period: 0,
}
rpc_proxy_port rpc_proxy_port
end
# The firewall_rule doesn't appear to work inside a resource, that's why we're
# doing it here
unless node.chef_environment == "development"
include_recipe 'firewall'
firewall_rule "parity_dev" do
port rpc_proxy_port
protocol :tcp
command :allow
end
end
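Review bot: `password "parityparity"` at L2031 hard-codes the account password in the recipe, whereas the mainnet and testnet nodes pull theirs from the encrypted `parity` data bag item; even for the dev chain, a `dev_password` key in that item keeps the cookbook free of secrets and makes the three recipes read the same way. The RPC block at L2041-L2046 sets `cors: "*"` and `hosts: ["all"]` on a port the firewall opens publicly; that is tolerable only because `apis` omits `personal` and `parity_accounts`, which deserves a comment so nobody extends the list casually, e.g. `# No account-management APIs here: keep personal/parity_accounts out of this list`. `traces` is expensive enough that exposing it without a rate limit is an easy way to exhaust the node.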


@@ -0,0 +1,57 @@
#
# Cookbook Name:: kosmos-parity
# Recipe:: node_mainnet
#
# Copyright 2017, Kosmos
#
# All rights reserved - Do Not Redistribute
#
# Sets up a parity node running on the mainnet chain on port 8547 (behind
# nginx, with HTTPS)
rpc_proxy_port = 8547
rpc_port = 18547
dapps_port = 8182
credentials = Chef::EncryptedDataBagItem.load('credentials', 'parity')
parity_node "mainnet" do
password credentials["mainnet_password"]
config parity: {
chain: "homestead",
no_download: true, # Don't Download Updates
},
network: {
port: 30305,
warp: true,
allow_ips: "public" # Don't connect to local IPs
},
rpc: {
port: rpc_port,
cors: "*",
apis: ["web3", "net", "traces", "rpc", "eth"],
hosts: ["all"],
},
dapps: {
port: dapps_port,
},
ui: {
disable: true,
},
websockets: {
disable: true,
}
rpc_proxy_port rpc_proxy_port
end
# The firewall_rule doesn't appear to work inside a resource, that's why we're
# doing it here
unless node.chef_environment == "development"
include_recipe 'firewall'
firewall_rule "parity_mainnet" do
port rpc_proxy_port
protocol :tcp
command :allow
end
end
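Review bot: The mainnet node is given an account password at L2090 and then exposes JSON-RPC with `cors: "*"` and `hosts: ["all"]` (L2102-L2104) through a publicly firewalled proxy port; the `parity_node` resource body is outside this hunk, but if that password is used to unlock the account at start-up, `eth_sendTransaction` in the enabled `eth` API lets any website or remote client spend from it with no further authentication. If unlocking is intended, restrict `hosts` and `cors` to the consuming origin or put authentication in front of the proxy port, and drop `traces` from the public list since trace calls are a cheap way to exhaust the node. A comment beside `password` stating whether the account is unlocked, and what the RPC exposure policy is, would make the intent reviewable.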


@@ -0,0 +1,58 @@
#
# Cookbook Name:: kosmos-parity
# Recipe:: node_testnet
#
# Copyright 2017, Kosmos
#
# All rights reserved - Do Not Redistribute
#
# Sets up a parity node running on the testnet chain on port 8546 (behind
# nginx, with HTTPS)
rpc_proxy_port = 8546
rpc_port = 18546
dapps_port = 8181
network_port = 30304
credentials = Chef::EncryptedDataBagItem.load('credentials', 'parity')
parity_node "testnet" do
password credentials["testnet_password"]
config parity: {
chain: "ropsten",
no_download: true, # Don't download updates
},
network: {
port: network_port,
warp: true,
allow_ips: "public" # Don't connect to local IPs
},
rpc: {
port: rpc_port,
cors: "*",
apis: ["web3", "net", "traces", "rpc", "eth"],
hosts: ["all"],
},
dapps: {
port: dapps_port,
},
ui: {
disable: true,
},
websockets: {
disable: true,
}
rpc_proxy_port rpc_proxy_port
end
# The firewall_rule doesn't appear to work inside a resource, that's why we're
# doing it here
unless node.chef_environment == "development"
include_recipe 'firewall'
firewall_rule "parity_testnet" do
port [ rpc_proxy_port, network_port ]
protocol :tcp
command :allow
end
end
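Review bot: The testnet firewall rule opens `network_port` (30304) as well as the proxy port, whereas the mainnet and dev recipes only open their proxy ports, so only the testnet node can accept inbound peers; if that asymmetry is intentional it deserves a comment such as `# Inbound P2P is only opened for the testnet node; mainnet and dev are outbound-only`, otherwise the mainnet rule should also allow its `network.port` (30305). The rule is TCP only, which is consistent with the `--no-discovery` flag in the systemd unit (node discovery uses UDP as far as I know), but it will need a UDP rule if discovery is ever enabled.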


@@ -0,0 +1,20 @@
#
# Cookbook Name:: kosmos-parity
# Recipe:: user
#
# Copyright 2017, Kosmos
#
# All rights reserved - Do Not Redistribute
#
group "parity" do
gid 72748
end
user "parity" do
system true
manage_home true
comment "parity user"
uid 72748
gid 72748
end
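Review bot: The `parity` service account is created with the default login shell and a default home directory, while the parity_node resource builds `base_path` from `node['kosmos-parity']['home_path']`; a daemon account should not have an interactive shell, and the two home locations should agree. I'd add `shell "/usr/sbin/nologin"` and `home node['kosmos-parity']['home_path']` to the user resource — the Mixlib::ShellOut calls that run as this user do not need a shell. Confirm that the attribute's default matches whatever useradd currently creates, otherwise existing nodes will get a second home directory.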


@@ -0,0 +1,136 @@
require 'toml'
provides :parity_node
property :name, String, name_property: true, required: true
property :config, Hash, required: true
property :password, String, required: true
property :rpc_proxy_port, Integer
action :enable do
node_name = name
parity_service = "parity_#{node_name}"
base_path = "#{node['kosmos-parity']['home_path']}/.local/share/io.parity.ethereum/#{node_name}"
config_path = "#{base_path}/config.toml"
config[:parity][:base_path] = base_path
config[:account] = {}
config[:account][:password] = ["#{base_path}/password"]
if config[:parity][:chain] == "dev"
config[:parity][:chain] = "#{base_path}/chain-config.json"
end
directory base_path do
recursive true
owner "parity"
group "parity"
end
%w(chains keys).each do |subfolder|
directory "#{base_path}/#{subfolder}" do
recursive true
owner "parity"
group "parity"
end
end
password_path = "#{base_path}/password"
file password_path do
content password
owner "parity"
group "parity"
mode 0640
end
ruby_block "generate config" do
block do
parity_args = "--chain #{config[:parity][:chain]} --base-path #{base_path}"
parity_account_list = Mixlib::ShellOut.new(
"parity account list #{parity_args}",
user: "parity"
)
parity_account_list.run_command
parity_account = parity_account_list.stdout.strip.gsub(/[(\[|\])]/, '')
if parity_account.empty?
parity_account_create = Mixlib::ShellOut.new(
"parity account new #{parity_args} --password #{base_path}/password",
user: "parity"
)
parity_account_create.run_command
parity_account = parity_account_create.stdout.strip
end
config[:account][:unlock] = [parity_account]
# Using our own chain config (i.e. dev)
if config[:parity][:chain].include?(".json")
template "#{base_path}/chain-config.json" do
source 'chain-config.json.erb'
variables parity_account: parity_account
owner "parity"
group "parity"
mode 0640
notifies :restart, "service[#{parity_service}]", :delayed
end
end
file "config" do
path config_path
content TOML::Generator.new(config).body
owner "parity"
group "parity"
mode 0640
notifies :restart, "service[#{parity_service}]", :delayed
end
end
end
execute "systemctl daemon-reload" do
command "systemctl daemon-reload"
action :nothing
end
template "/lib/systemd/system/#{parity_service}.service" do
source "parity.systemd.service.erb"
variables config_file: config_path
notifies :run, "execute[systemctl daemon-reload]", :delayed
notifies :restart, "service[#{parity_service}]", :delayed
end
service parity_service do
action [:enable, :start]
end
if rpc_proxy_port
unless node.chef_environment == "development"
include_recipe "kosmos-parity::letsencrypt"
end
include_recipe "kosmos-nginx"
hostname = node['kosmos-parity']['hostname']
template "#{node['nginx']['dir']}/sites-available/#{parity_service}" do
source 'nginx_conf_parity.erb'
owner 'www-data'
mode 0640
variables internal_port: config[:rpc][:port],
external_port: rpc_proxy_port,
parity_service: parity_service,
server_name: hostname,
ssl_cert: "/etc/letsencrypt/live/#{hostname}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{hostname}/privkey.pem"
notifies :reload, 'service[nginx]', :delayed
end
nginx_site "#{parity_service}" do
action :enable
end
end
end
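Review bot: Neither Mixlib::ShellOut call in the `generate config` ruby_block checks its exit status, so if `parity account list` fails (binary missing, bad chain path, permissions on base_path) stdout is empty, the code falls through to `parity account new`, and if that fails too `config[:account][:unlock]` becomes `[""]` and a broken config.toml is written and the service restarted. Add `parity_account_list.error!` and `parity_account_create.error!` directly after each `run_command`. The gsub-based parsing also assumes exactly one account is listed; if an earlier run left two, `parity_account` becomes a multi-line string, so consider selecting `.lines.first` and failing loudly when more than one address comes back. Also note that `config` is mutated in place at the top of the action (`config[:parity][:base_path] = ...`), which is fine for a single converge but surprising if the property hash is ever shared between resources.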


@@ -0,0 +1,34 @@
{
"name": "KreditsChain",
"engine": {
"instantSeal": { "params": {} }
},
"params": {
"accountStartNonce": "0x00",
"maximumExtraDataSize": "0x20",
"minGasLimit": "0x1388",
"networkID" : "0x11"
},
"genesis": {
"seal": {
"ethereum": {
"nonce": "0x00006d6f7264656e",
"mixHash": "0x00000000000000000000000000000000000000647572616c65787365646c6578"
}
},
"difficulty": "0x20000",
"author": "0x0000000000000000000000000000000000000000",
"timestamp": "0x00",
"parentHash": "0x0000000000000000000000000000000000000000000000000000000000000000",
"extraData": "0x",
"gasLimit": "0x5B8D80"
},
"accounts": {
"0000000000000000000000000000000000000001": { "balance": "1", "builtin": { "name": "ecrecover", "pricing": { "linear": { "base": 3000, "word": 0 } } } },
"0000000000000000000000000000000000000002": { "balance": "1", "builtin": { "name": "sha256", "pricing": { "linear": { "base": 60, "word": 12 } } } },
"0000000000000000000000000000000000000003": { "balance": "1", "builtin": { "name": "ripemd160", "pricing": { "linear": { "base": 600, "word": 120 } } } },
"0000000000000000000000000000000000000004": { "balance": "1", "builtin": { "name": "identity", "pricing": { "linear": { "base": 15, "word": 3 } } } },
"<%= @parity_account %>":{"balance": "1606938044258990275541962092341162602522" }
}
}


@@ -0,0 +1,34 @@
# Generated by Chef
upstream _<%= @parity_service %> {
server localhost:<%= @internal_port %>;
}
server {
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
listen <%= @external_port %> ssl http2;
<% else -%>
listen <%= @external_port %>;
<% end -%>
server_name <%= @server_name %>;
access_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.access.log json;
error_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.error.log warn;
location /.well-known {
root "/var/www/<%= @parity_service %>";
}
location / {
# Increase number of buffers. Default is 8
proxy_buffers 1024 8k;
proxy_pass http://_<%= @parity_service %>;
proxy_http_version 1.1;
}
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
<% end -%>
}
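Review bot: When the Let's Encrypt files are absent the template falls back to proxying JSON-RPC over plain HTTP on the same external port the firewall opens, and even on the TLS branch it sends no `Strict-Transport-Security` header, unlike the wordpress and sockethub templates changed in this commit. I'd add `add_header Strict-Transport-Security "max-age=15768000";` next to `ssl_certificate`, and on the non-TLS branch return 444 or a redirect rather than proxying. The `location /.well-known` root here is `/var/www/<parity_service>` while the letsencrypt server block in this cookbook uses `/var/www/<server_name>`; as far as I can tell only the port-80 block is reachable for HTTP-01 challenges, so this location looks like dead config and should be aligned with it or dropped.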


@@ -0,0 +1,13 @@
# Generated by Chef
server {
listen 80; # For Let's Encrypt
server_name <%= @server_name %>;
access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json;
error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn;
location /.well-known {
root "/var/www/<%= @server_name %>";
}
}


@@ -0,0 +1,11 @@
[Unit]
Description=Parity Daemon (<%= @environment %>)
After=network.target
[Service]
ExecStart=/usr/bin/parity --config <%= @config_file %> --no-discovery $ARGS
User=parity
Group=parity
[Install]
WantedBy=default.target
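Review bot: The unit references `@environment` in `Description=` and `$ARGS` in `ExecStart=`, but the parity_node resource renders this template with only `config_file:` and sets no `Environment=` line, so the description comes out as `Parity Daemon ()` and `$ARGS` expands to nothing. Either pass the node name from the resource (`variables config_file: config_path, environment: node_name`) or drop both placeholders. Since this runs a long-lived daemon with an unlocked account, I'd also add `Restart=on-failure` and `NoNewPrivileges=true` under `[Service]`; `WantedBy=multi-user.target` is the conventional target for a system service, though `default.target` usually resolves to it.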


@@ -10,5 +10,8 @@
node.override['redis']['unixsocket'] = ''
include_recipe 'redis::server'
node.override["backup"]["redis"]["databases"] = ["dump"]
include_recipe "backup"
unless node.chef_environment == "development"
# Backup the database to S3
node.override["backup"]["redis"]["databases"] = ["dump"]
include_recipe "backup"
end


@@ -1,13 +1,6 @@
kosmos-wordpress CHANGELOG
==========================
This file is used to list changes made in each version of the kosmos-wordpress cookbook.
0.1.0
-----
- [your_name] - Initial release of kosmos-wordpress
- - -
Check the [Markdown Syntax Guide](http://daringfireball.net/projects/markdown/syntax) for help with Markdown.
The [Github Flavored Markdown page](http://github.github.com/github-flavored-markdown/) describes the differences between markdown on github and standard markdown.
- [Greg Karékinian] - Initial release of kosmos-wordpress


@@ -1,7 +1,7 @@
server {
listen 80;
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
listen <%= @server_port %> ssl spdy;
listen <%= @server_port %> ssl http2;
<% end -%>
server_name <%= @server_name %> <%= @server_aliases.join(" ") %>;
@@ -35,6 +35,7 @@ server {
}
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
<% end -%>
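Review bot: The new HSTS header uses `includeSubDomains`, which commits every subdomain of `server_name` and of each entry in `server_aliases` to HTTPS for six months in any browser that has seen it; it should only go in once it is confirmed that none of those names has a subdomain served over plain HTTP, otherwise drop `includeSubDomains` as the sockethub template does. The `listen 80` server in the same block still serves plaintext as far as the visible lines show, and browsers ignore HSTS on HTTP responses, so a redirect from 80 to the TLS port is needed for the header to take effect on a first visit. The enclosing `server` block starts and ends outside the second hunk.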


@@ -1,13 +1,6 @@
sockethub CHANGELOG
===================
This file is used to list changes made in each version of the sockethub cookbook.
0.1.0
-----
- [your_name] - Initial release of sockethub
- - -
Check the [Markdown Syntax Guide](http://daringfireball.net/projects/markdown/syntax) for help with Markdown.
The [Github Flavored Markdown page](http://github.github.com/github-flavored-markdown/) describes the differences between markdown on github and standard markdown.
- [Greg Karékinian] - Initial release of sockethub


@@ -6,8 +6,7 @@ description 'Installs/Configures sockethub'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '0.1.0'
depends 'application'
depends 'application_nodejs'
depends 'application_javascript'
depends 'kosmos-redis'
depends 'kosmos-nodejs'
depends 'kosmos-nginx'


@@ -2,31 +2,65 @@
# Cookbook Name:: sockethub
# Recipe:: default
#
# Copyright 2015, Kosmos
# Copyright 2015-2017, Kosmos
#
# All rights reserved - Do Not Redistribute
#
include_recipe 'kosmos-nodejs'
include_recipe 'kosmos-redis'
application "sockethub" do
path "/srv/sockethub"
owner "www-data"
group "www-data"
action :deploy
repository 'https://github.com/sockethub/sockethub.git'
revision 'v1.0.5'
nodejs do
entry_point '/srv/sockethub/current/bin/sockethub'
# Use our own systemd service that depends on redis-server
template 'nodejs.systemd.service.erb'
environment 'DEBUG' => '*',
'PORT' => node['sockethub']['port']
end
group "sockethub" do
gid 7625
end
user "sockethub" do
comment "sockethub user"
uid 7625
gid 7625
manage_home true
shell "/bin/bash"
end
path_to_deploy = "/opt/sockethub"
application path_to_deploy do
owner "sockethub"
group "sockethub"
git do
user "sockethub"
group "sockethub"
repository 'https://github.com/sockethub/sockethub.git'
revision 'v1.0.5'
end
npm_install do
user "sockethub"
end
execute "systemctl daemon-reload" do
command "systemctl daemon-reload"
action :nothing
end
template "/lib/systemd/system/sockethub_nodejs.service" do
source 'nodejs.systemd.service.erb'
owner 'root'
group 'root'
mode '0644'
variables(
user: "sockethub",
group: "sockethub",
app_dir: path_to_deploy,
entry: "/usr/local/bin/node /usr/local/bin/npm start",
environment: { 'DEBUG' => '*',
'PORT' => node['sockethub']['port'] }
)
notifies :run, "execute[systemctl daemon-reload]", :delayed
notifies :restart, "service[sockethub_nodejs]", :delayed
end
service "sockethub_nodejs" do
action [:enable, :start]
end
end
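Review bot: The git deploy pins `revision 'v1.0.5'`, a tag, and then runs `npm_install` as the sockethub user; tags are mutable, so an upstream force-push or a compromised upstream account changes what gets installed on the next converge with no change in this cookbook. Pin `revision` to the full commit SHA the tag currently points at and keep the tag name in a comment beside it. Separately, `'DEBUG' => '*'` in the unit's environment enables every debug namespace in production, which, depending on what sockethub logs, can put message contents and platform credentials into the journal; narrow it to the namespaces actually needed or gate it on `node.chef_environment == "development"`. The `sockethub` user is also created without `system true`, unlike the parity user added in this commit.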


@@ -2,27 +2,31 @@
# Cookbook Name:: sockethub
# Recipe:: proxy
#
# Copyright 2015, Kosmos
# Copyright 2015-2017, Kosmos
#
# All rights reserved - Do Not Redistribute
#
firewall_rule 'sockethub' do
port node['sockethub']['external_port'].to_i
protocol :tcp
command :allow
unless node.chef_environment == "development"
include_recipe "kosmos-base::letsencrypt"
include_recipe "firewall"
firewall_rule 'sockethub' do
port node['sockethub']['external_port'].to_i
protocol :tcp
command :allow
end
end
include_recipe 'kosmos-nginx'
directory "/var/www/sockethub" do
owner node["nginx"]["user"]
group node["nginx"]["group"]
action :create
owner node["nginx"]["user"]
group node["nginx"]["group"]
action :create
recursive true
end
include_recipe 'kosmos-nginx'
template "#{node['nginx']['dir']}/sites-available/sockethub" do
source 'nginx_conf_sockethub.erb'
owner 'www-data'
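Review bot: The template resource hard-codes `owner 'www-data'` while the directory a few lines above uses `node["nginx"]["user"]`; use the attribute in both places so a different nginx user does not leave the site file unreadable. The `/var/www/sockethub` webroot is owned by the nginx user, but nginx only needs to read challenge files there, so `owner 'root'` with the default directory mode would be the least-privilege choice — confirm how the letsencrypt recipe writes into it before changing this. The template resource continues past the end of the hunk.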


@@ -11,7 +11,7 @@ map $http_upgrade $connection_upgrade {
server {
listen 80; # For Let's Encrypt
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
listen <%= @sockethub_external_port %> ssl spdy;
listen <%= @sockethub_external_port %> ssl http2;
add_header Strict-Transport-Security "max-age=15768000";
<% end -%>


@@ -5,6 +5,7 @@ After=redis-server.service
[Service]
ExecStart=<%= @entry %>
WorkingDirectory=<%= @app_dir %>
User=<%= @user %>
Group=<%= @group %>
<% unless @environment.empty? -%>