Merge branch 'master' into feature/lightning_address_keysend

nodes/akkounts-1.json

@@ -42,14 +42,16 @@
       "postfix::_attributes",
       "postfix::sasl_auth",
       "hostname::default",
+      "redisio::default",
+      "redisio::_install_prereqs",
+      "redisio::install",
+      "ulimit::default",
+      "redisio::disable_os_default",
+      "redisio::configure",
+      "redisio::enable",
       "kosmos-nodejs::default",
       "nodejs::nodejs_from_package",
       "nodejs::repo",
-      "kosmos-redis::default",
-      "redis::server",
-      "redis::default",
-      "backup::default",
-      "logrotate::default",
       "nodejs::npm",
       "nodejs::install",
       "kosmos-nginx::default",

nodes/fornax.kosmos.org.json

@@ -38,6 +38,7 @@
       "kosmos_gitea::nginx",
       "kosmos_website",
       "kosmos_website::default",
+      "kosmos-akkounts::nginx",
       "kosmos-akkounts::nginx_api",
       "kosmos-bitcoin::nginx_lndhub",
       "kosmos-ejabberd::nginx",

roles/akkounts.rb

@@ -3,7 +3,6 @@ name "akkounts"
 default_run_list = %w(
   role[postgresql_client]
   kosmos-akkounts::default
-  kosmos-akkounts::nginx
 )
 
 env_run_lists(

roles/nginx_proxy.rb

@@ -23,6 +23,7 @@ default_run_list = %w(
   kosmos_garage::nginx_web
   kosmos_gitea::nginx
   kosmos_website::default
+  kosmos-akkounts::nginx
   kosmos-akkounts::nginx_api
   kosmos-bitcoin::nginx_lndhub
   kosmos-ejabberd::nginx

site-cookbooks/kosmos-akkounts/attributes/default.rb

@@ -8,3 +8,5 @@ node.default['akkounts_api']['domain'] = 'api.kosmos.org'
 node.default['akkounts']['lndhub']['api_url'] = nil
 node.default['akkounts']['lndhub']['public_url'] = nil
 node.default['akkounts']['lndhub']['postgres_db'] = 'lndhub'
+
+node.override["redisio"]["version"] = "6.2.6"

site-cookbooks/kosmos-akkounts/metadata.rb

@@ -9,7 +9,7 @@ chef_version '>= 14.0'
 
 depends 'kosmos-nginx'
 depends "kosmos-nodejs"
-depends "kosmos-redis"
+depends "redisio"
 depends "poise-ruby-build"
 depends "application"
 depends 'application_git'

site-cookbooks/kosmos-akkounts/recipes/default.rb

@@ -20,8 +20,9 @@ end
 
 package "libpq-dev"
 
+include_recipe 'redisio::default'
+include_recipe 'redisio::enable'
 include_recipe 'kosmos-nodejs'
-include_recipe "kosmos-redis"
 
 npm_package "yarn" do
   version "1.22.4"
@@ -82,7 +83,8 @@ systemd_unit "akkounts.service" do
     Unit: {
       Description: "Kosmos Accounts",
       Documentation: ["https://gitea.kosmos.org/kosmos/akkounts"],
-      After: "network.target"
+      Requires: "redis@6379.service",
+      After: "syslog.target network.target"
     },
     Service: {
       Type: "simple",
@@ -110,8 +112,8 @@ systemd_unit "akkounts-sidekiq.service" do
     Unit: {
       Description: "Kosmos Accounts async/background jobs",
       Documentation: ["https://gitea.kosmos.org/kosmos/akkounts"],
-      Requires: "redis-server.service",
-      After: "syslog.target network.target redis-server.service"
+      Requires: "redis@6379.service",
+      After: "syslog.target network.target redis@6379.service"
     },
     Service: {
       Type: "notify",
@@ -215,10 +217,7 @@ application deploy_path do
   end
 end
 
-# TODO move to nginx proxy
-include_recipe 'kosmos-akkounts::nginx'
-
-firewall_rule "Akkounts private access" do
+firewall_rule "akkounts_zerotier" do
   command  :allow
   port     node["akkounts"]["port"]
   protocol :tcp

site-cookbooks/kosmos-akkounts/recipes/nginx.rb

@@ -9,12 +9,20 @@ domain      = node[app_name]["domain"]
 
 nginx_certbot_site domain
 
+upstream_hosts = []
+search(:node, "role:akkounts").each do |node|
+  upstream_hosts << node["knife_zero"]["host"]
+end
+upstream_hosts.push("localhost") if upstream_hosts.empty?
+
 template "#{node['nginx']['dir']}/sites-available/#{domain}" do
   source "nginx_conf_#{app_name}.erb"
   owner 'www-data'
   mode 0640
   variables port: node[app_name]['port'],
             domain: domain,
+            upstream_port: node["akkounts"]["port"],
+            upstream_hosts: upstream_hosts,
             root_dir: "/opt/#{app_name}/public",
             ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
             ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"

site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb

@@ -12,6 +12,7 @@ upstream_hosts = []
 search(:node, "role:akkounts").each do |node|
   upstream_hosts << node["knife_zero"]["host"]
 end
+upstream_hosts.push("localhost") if upstream_hosts.empty?
 
 template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
   source "nginx_conf_akkounts_api.erb"

site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb

@@ -1,17 +1,23 @@
 # Generated by Chef
-<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 upstream _akkounts {
-  server   localhost:<%= @port %>;
+<% @upstream_hosts.each do |host| %>
+  server   <%= host %>:<%= @upstream_port %>;
+<% end %>
 }
 
+proxy_cache_path /var/cache/nginx/akkounts levels=1:2
+                 keys_zone=akkounts_cache:10m
+                 max_size=1g inactive=120m use_temp_path=off;
+
 server {
   listen 443 ssl http2;
-  add_header Strict-Transport-Security "max-age=15768000";
+  listen [::]:443 ssl http2;
+  server_name <%= @domain %>;
 
-  ssl_certificate <%= @ssl_cert %>;
+  ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
-  server_name <%= @domain %>;
+  add_header Strict-Transport-Security "max-age=15768000";
 
   access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
   error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
@@ -23,32 +29,19 @@ server {
     gzip_static on;
     expires max;
     add_header Cache-Control public;
+    proxy_cache akkounts_cache;
   }
 
-  try_files $uri/index.html $uri @app;
+  try_files $uri/index.html $uri @proxy;
 
-  location @app {
-    # an HTTP header important enough to have its own Wikipedia entry:
-    # http://en.wikipedia.org/wiki/X-Forwarded-For
+  location @proxy {
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-    # enable this if and only if you use HTTPS, this helps Rack
-    # set the proper protocol for doing redirects:
     proxy_set_header X-Forwarded-Proto https;
-
-    # pass the Host: header from the client right along so redirects
-    # can be set properly within the Rack application
     proxy_set_header Host $http_host;
-
-    # we don't want nginx trying to do something clever with
-    # redirects, we set the Host: header above already.
     proxy_redirect off;
-
-    # Increase number of buffers. Default is 8
     proxy_buffers 1024 8k;
+    proxy_http_version 1.1;
 
     proxy_pass http://_akkounts;
-    proxy_http_version 1.1;
-   }
+  }
 }
-<% end -%>

site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb

@@ -1,5 +1,5 @@
 # Generated by Chef
-upstream _akkounts {
+upstream _akkounts_api {
 <% @upstream_hosts.each do |host| %>
   server   <%= host %>:<%= @upstream_port %>;
 <% end %>
@@ -15,6 +15,9 @@ server {
 
   add_header 'Strict-Transport-Security' 'max-age=31536000';
 
+  access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
+  error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
+
   location /kredits/ {
     add_header 'Access-Control-Allow-Origin' '*' always;
     add_header 'Access-Control-Allow-Methods' 'GET' always;
@@ -28,6 +31,6 @@ server {
     proxy_buffers 1024 8k;
     proxy_http_version 1.1;
 
-    proxy_pass http://_akkounts/api/kredits/;
+    proxy_pass http://_akkounts_api/api/kredits/;
   }
 }

site-cookbooks/kosmos-bitcoin/attributes/default.rb

@@ -111,7 +111,7 @@ node.default['nbxplorer']['postgres']['database'] = 'nbxplorer'
 node.default['nbxplorer']['postgres']['user'] = 'nbxplorer'
 
 node.default['btcpay']['repo'] = 'https://github.com/btcpayserver/btcpayserver'
-node.default['btcpay']['revision'] = 'v1.7.5'
+node.default['btcpay']['revision'] = 'v1.8.0'
 node.default['btcpay']['source_dir'] = '/opt/btcpay'
 node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config"
 node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"