Migrate discourse proxy to openresty

nodes/draco.kosmos.org.json

@@ -39,6 +39,7 @@
       "kosmos_openresty::firewall",
       "kosmos_assets::nginx_site",
       "kosmos-akkounts::nginx",
+      "kosmos_discourse::nginx",
       "kosmos_encfs",
       "kosmos_encfs::default",
       "kosmos-ejabberd::firewall",
@@ -99,4 +100,4 @@
     "recipe[kosmos_zerotier::firewall]",
     "recipe[sockethub::firewall]"
   ]
-}
+}

roles/openresty_proxy.rb

@@ -21,8 +21,6 @@ development_run_list = %w(
 default_run_list = %w(
   role[openresty]
   tor-full
-  kosmos_assets::nginx_site
-  kosmos_discourse::nginx
   kosmos_drone::nginx
   kosmos_garage::default
   kosmos_garage::firewall_rpc
@@ -46,6 +44,7 @@ production_run_list = %w(
   role[openresty]
   kosmos_assets::nginx_site
   kosmos-akkounts::nginx
+  kosmos_discourse::nginx
 )
 
 env_run_lists(

site-cookbooks/discourse/metadata.rb

@@ -7,5 +7,4 @@ long_description 'Installs/Configures discourse'
 version '0.1.0'
 chef_version '>= 14.0'
 
-depends 'kosmos-nginx'
 depends 'firewall'

site-cookbooks/discourse/recipes/nginx.rb

@@ -1,39 +0,0 @@
-#
-# Cookbook:: discourse
-# Recipe:: nginx
-#
-
-include_recipe "kosmos-nginx"
-
-domain = node['discourse']['domain']
-discourse_role = node['discourse']['role']
-
-upstream_ip_addresses = []
-search(:node, "role:#{discourse_role}").each do |n|
-  upstream_ip_addresses << n["knife_zero"]["host"]
-end
-# No Discourse host, stop here
-if upstream_ip_addresses.empty?
-  Chef::Log.warn("No server with '#{discourse_role}' role. Stopping here.")
-  return
-end
-
-nginx_certbot_site domain
-
-template "#{node['nginx']['dir']}/sites-available/#{domain}" do
-  source "nginx_conf.erb"
-  owner 'www-data'
-  mode 0640
-  variables server_name:           domain,
-            ssl_cert:              "/etc/letsencrypt/live/#{domain}/fullchain.pem",
-            ssl_key:               "/etc/letsencrypt/live/#{domain}/privkey.pem",
-            upstream_port:         node['discourse']['port'],
-            upstream_name:         discourse_role,
-            upstream_ip_addresses: upstream_ip_addresses
-
-  notifies :reload, 'service[nginx]', :delayed
-end
-
-nginx_site domain do
-  action :enable
-end

site-cookbooks/kosmos_discourse/metadata.rb

@@ -2,10 +2,11 @@ name 'kosmos_discourse'
 maintainer 'Kosmos Developers'
 maintainer_email 'mail@kosmos.org'
 license 'MIT'
-description 'Installs/Configures discourse'
-long_description 'Installs/Configures discourse'
-version '0.1.0'
+description 'Installs/configures Discourse'
+long_description 'Installs/configures Discourse'
+version '0.2.0'
 chef_version '>= 14.0'
 
 depends 'discourse'
 depends 'firewall'
+depends 'kosmos_openresty'

site-cookbooks/kosmos_discourse/recipes/nginx.rb

@@ -3,4 +3,30 @@
 # Recipe:: nginx
 #
 
-include_recipe "discourse::nginx"
+domain = node['discourse']['domain']
+discourse_role = node['discourse']['role']
+
+upstream_ip_addresses = []
+search(:node, "role:#{discourse_role}").each do |n|
+  upstream_ip_addresses << n["knife_zero"]["host"]
+end
+# No Discourse host, stop here
+if upstream_ip_addresses.empty?
+  Chef::Log.warn("No server with '#{discourse_role}' role. Stopping here.")
+  return
+end
+
+tls_cert_for domain do
+  auth "gandi_dns"
+  action :create
+end
+
+openresty_site domain do
+  template "nginx_conf.erb"
+  variables server_name:           domain,
+            ssl_cert:              "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key:               "/etc/letsencrypt/live/#{domain}/privkey.pem",
+            upstream_port:         node['discourse']['port'],
+            upstream_name:         discourse_role,
+            upstream_ip_addresses: upstream_ip_addresses
+end

site-cookbooks/kosmos_discourse/templates/nginx_conf.erb

@@ -8,7 +8,7 @@ upstream _discourse {
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
   server_name <%= @server_name %>;
-  listen 443 ssl http2;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
   listen [::]:443 ssl http2;
 
   ssl_certificate     <%= @ssl_cert %>;