diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json
index 42117e3..01dc32d 100644
--- a/nodes/draco.kosmos.org.json
+++ b/nodes/draco.kosmos.org.json
@@ -27,7 +27,8 @@
 "base",
 "kvm_host",
 "openresty_proxy",
- "openresty"
+ "openresty",
+ "garage_gateway"
 ],
 "recipes": [
 "kosmos-base",
@@ -37,9 +38,13 @@
 "kosmos_openresty",
 "kosmos_openresty::default",
 "kosmos_openresty::firewall",
+ "kosmos_garage",
+ "kosmos_garage::default",
+ "kosmos_garage::firewall_rpc",
 "kosmos_assets::nginx_site",
 "kosmos_discourse::nginx",
 "kosmos_drone::nginx",
+ "kosmos_garage::nginx_web",
 "kosmos_gitea::nginx",
 "kosmos_rsk::nginx_testnet",
 "kosmos_rsk::nginx_mainnet",
@@ -83,10 +88,10 @@
 "openresty::commons_conf",
 "logrotate::default",
 "openresty::luarocks",
+ "firewall::default",
 "git::default",
 "git::package",
 "kosmos-base::letsencrypt",
- "firewall::default",
 "fail2ban::default"
 ],
 "platform": "ubuntu",
diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb
index ed671eb..8195e6e 100644
--- a/roles/openresty_proxy.rb
+++ b/roles/openresty_proxy.rb
@@ -21,17 +21,16 @@ development_run_list = %w(
 default_run_list = %w(
 role[openresty]
 tor-full
- kosmos_garage::default
- kosmos_garage::firewall_rpc
- kosmos_garage::nginx_web
 kosmos-ejabberd::nginx
 )
 
 production_run_list = %w(
 role[openresty]
+ role[garage_gateway]
 kosmos_assets::nginx_site
 kosmos_discourse::nginx
 kosmos_drone::nginx
+ kosmos_garage::nginx_web
 kosmos_gitea::nginx
 kosmos_rsk::nginx_testnet
 kosmos_rsk::nginx_mainnet
diff --git a/site-cookbooks/kosmos_garage/metadata.rb b/site-cookbooks/kosmos_garage/metadata.rb
index f1fde81..90a1ddb 100644
--- a/site-cookbooks/kosmos_garage/metadata.rb
+++ b/site-cookbooks/kosmos_garage/metadata.rb
@@ -9,3 +9,4 @@ issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
 source_url 'https://gitea.kosmos.org/kosmos/chef'
 depends 'firewall'
+depends 'kosmos_openresty'
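Review bot: default_run_list (its enclosing definition starts before the hunk) loses kosmos_garage::default, kosmos_garage::firewall_rpc and kosmos_garage::nginx_web while production_run_list gains `role[garage_gateway]` and `kosmos_garage::nginx_web`, so a non-production converge of this role no longer configures the garage web frontend at all. If that is intended — the rewritten nginx_web recipe now requests certificates through `tls_cert_for` with a DNS-based auth, which presumably needs credentials only production nodes hold — a one-line comment would stop the next reader from re-adding it: `# garage web frontend is production-only; see role[garage_gateway]`. If it is not intended, `role[garage_gateway]` and `kosmos_garage::nginx_web` belong in default_run_list as well.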
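Review bot: `depends 'kosmos_openresty'` covers the `openresty_site` resource the nginx_web recipe now uses, but the same recipe also calls `tls_cert_for`; if that resource is defined in a different cookbook it needs its own `depends` line here, since a cookbook only gets the resources of its declared dependencies synced to the node. Conversely, with `include_recipe "kosmos-nginx"` removed from the recipe, a `depends 'kosmos-nginx'` line, if one exists above this hunk, is now dead and can be dropped.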
diff --git a/site-cookbooks/kosmos_garage/recipes/nginx_web.rb b/site-cookbooks/kosmos_garage/recipes/nginx_web.rb
index 9da8ab9..76ed235 100644
--- a/site-cookbooks/kosmos_garage/recipes/nginx_web.rb
+++ b/site-cookbooks/kosmos_garage/recipes/nginx_web.rb
@@ -3,9 +3,7 @@
 # Recipe:: nginx_web
 #
 
-include_recipe "kosmos-nginx"
-
-file "/etc/nginx/conf.d/garage.conf" do
+file "/etc/openresty/conf.d/garage.conf" do
 content <<-EOF
 upstream garage_web {
 server localhost:3902;
@@ -19,19 +17,15 @@ end
 domains = node['garage']['s3_web_domains']
 domains.each do |server_name|
- nginx_certbot_site server_name
-
- template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
- source 'nginx_conf_web.erb'
- owner 'www-data'
- mode 0640
- variables server_name: server_name,
- ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
- ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
- notifies :reload, 'service[nginx]', :delayed
+ tls_cert_for server_name do
+ auth "gandi_dns"
+ action :create
 end
- nginx_site server_name do
- action :enable
+ openresty_site server_name do
+ template "nginx_conf_web.erb"
+ variables server_name: server_name,
+ ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
 end
 end
diff --git a/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb b/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
index c925887..49e219c 100644
--- a/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
+++ b/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
@@ -1,5 +1,5 @@
 server {
- listen 443 http2 ssl;
+ listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
 listen [::]:443 http2 ssl;
 server_name <%= @server_name %>;
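Review bot: The `file "/etc/openresty/conf.d/garage.conf"` resource continues past the end of the hunk, and with `include_recipe "kosmos-nginx"` removed nothing in this recipe defines `service[nginx]` any more; if the tail of that resource still carries a `notifies :reload, 'service[nginx]'` (the template removed further down in this file did), the run will fail at converge with a missing-resource error and should instead notify the openresty service resource. Please confirm the remainder of the resource, which is outside this hunk.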
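Review bot: The `openresty_site` block drops the explicit `owner 'www-data'`, `mode 0640` and `notifies :reload, 'service[nginx]', :delayed` that the removed template carried, which is only safe if the `openresty_site` resource itself sets ownership and mode on the rendered vhost and reloads the server when it changes; neither is visible here, so confirm against the resource in kosmos_openresty. The removed `nginx_site ... action :enable` step likewise has no visible replacement, presumably because `openresty_site` enables the site by default. `auth "gandi_dns"` is a hard-coded choice inside the per-domain loop; if other recipes in this repository take the auth method from a node attribute, reading it the same way here would keep the certificate method configurable per environment.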