From 53abc2ec9a85ccbe25f815a4d482eada710f088c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Wed, 26 Jul 2023 14:07:48 +0200
Subject: [PATCH] Migrate Drone CI proxy to openresty

---
 nodes/draco.kosmos.org.json | 1 +
 site-cookbooks/kosmos_drone/metadata.rb | 2 +-
 site-cookbooks/kosmos_drone/recipes/nginx.rb | 17 ++++++-----------
 .../kosmos_drone/templates/nginx_conf.erb | 4 +---
 4 files changed, 9 insertions(+), 15 deletions(-)

diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json
index 5390f93..21262c9 100644
--- a/nodes/draco.kosmos.org.json
+++ b/nodes/draco.kosmos.org.json
@@ -40,6 +40,7 @@
 "kosmos_assets::nginx_site",
 "kosmos-akkounts::nginx",
 "kosmos_discourse::nginx",
+ "kosmos_drone::nginx",
 "kosmos_encfs",
 "kosmos_encfs::default",
 "kosmos-ejabberd::firewall",
diff --git a/site-cookbooks/kosmos_drone/metadata.rb b/site-cookbooks/kosmos_drone/metadata.rb
index e0ef895..648f5da 100644
--- a/site-cookbooks/kosmos_drone/metadata.rb
+++ b/site-cookbooks/kosmos_drone/metadata.rb
@@ -8,5 +8,5 @@ version '0.1.0'
 chef_version '>= 14.0'
 depends "firewall"
-depends "kosmos-nginx"
 depends "kosmos_gitea"
+depends "kosmos_openresty"
diff --git a/site-cookbooks/kosmos_drone/recipes/nginx.rb b/site-cookbooks/kosmos_drone/recipes/nginx.rb
index fffe902..4c4b564 100644
--- a/site-cookbooks/kosmos_drone/recipes/nginx.rb
+++ b/site-cookbooks/kosmos_drone/recipes/nginx.rb
@@ -12,21 +12,16 @@ end
 # No Discourse host, stop here
 return if upstream_ip_addresses.empty?
-nginx_certbot_site domain
+tls_cert_for domain do
+ auth "gandi_dns"
+ action :create
+end
-template "#{node['nginx']['dir']}/sites-available/#{domain}" do
- source "nginx_conf.erb"
- owner 'www-data'
- mode 0640
+openresty_site domain do
+ template "nginx_conf.erb"
 variables server_name: domain,
 upstream_ip_addresses: upstream_ip_addresses,
 upstream_port: node["kosmos_drone"]["upstream_port"],
 ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
 ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
-
- notifies :reload, 'service[nginx]', :delayed
-end
-
-nginx_site domain do
- action :enable
 end
diff --git a/site-cookbooks/kosmos_drone/templates/nginx_conf.erb b/site-cookbooks/kosmos_drone/templates/nginx_conf.erb
index f9e1dfa..3c9c741 100644
--- a/site-cookbooks/kosmos_drone/templates/nginx_conf.erb
+++ b/site-cookbooks/kosmos_drone/templates/nginx_conf.erb
@@ -1,4 +1,3 @@
-<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 # Generated by Chef
 upstream _drone {
 <% @upstream_ip_addresses.each do |upstream_ip_address| -%>
@@ -8,7 +7,7 @@ upstream _drone {
 server {
 server_name <%= @server_name %>;
- listen 443 ssl http2;
+ listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
 listen [::]:443 ssl http2;
 ssl_certificate <%= @ssl_cert %>;
@@ -33,4 +32,3 @@ server {
 proxy_http_version 1.1;
 }
 }
-<% end -%>
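Review bot: Nothing in the new recipe checks that the certificate exists before `openresty_site` renders the vhost: `tls_cert_for` is declared first, but the `ssl_cert`/`ssl_key` paths are still hard-coded to `/etc/letsencrypt/live/#{domain}/`, and this same patch removes the template's `File.exist?` guard. Neither `tls_cert_for` nor `openresty_site` is defined in this patch, so whether one of them already skips or validates the site when those files are missing cannot be told from here; if neither does, a failed issuance would leave a config that references files openresty cannot read. A short comment above `openresty_site` naming the resource that owns that guarantee would help, e.g. `# tls_cert_for must have written the cert under /etc/letsencrypt/live/<domain>/ before this renders`. The removed `template` resource also pinned `owner 'www-data'` and `mode 0640`; the new call sets neither, so the rendered file's ownership and mode now depend on `openresty_site`'s defaults and are worth confirming.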
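Review bot: The `listen_ip` restriction is applied only to the IPv4 listener; the unchanged `listen [::]:443 ssl http2;` on the next line still binds every IPv6 address. If `node['openresty']['listen_ip']` is meant to confine this site to a single address, the site stays reachable over IPv6 on all of them, so the IPv6 listener should either be bound explicitly as well or the asymmetry stated as intentional. The template also now reads `node[...]` directly, while its other values (`@server_name`, `@ssl_cert`) arrive as variables from the recipe; a one-line comment such as `# listen_ip is a node attribute, not passed in by the recipe` would make that dependency visible. The `server` block begins and ends outside this hunk.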