diff --git a/clients/drone-1.json b/clients/drone-1.json
new file mode 100644
index 0000000..f2fc607
--- /dev/null
+++ b/clients/drone-1.json
@@ -0,0 +1,4 @@
+{
+ "name": "drone-1",
+ "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0DLEt7jfKPH7X7pBknG3\nWoB6Q6Vffl6Q0GRxQiMJ1uRC79dulKH097CYfLzIXFZD9gRRP4K78vW5BA2spXVV\nn3qrak9JT6BGgdFrkBEdMNGZyz814aMiyhPZrQUrmIzyH8R04xZgv7UH86qdNQ5p\nPeIXS7gU7/0PmwRgEBiM1KLq+Kba6pYdGefKqxx5D59xweH+yE+rbd5ac9xn2GP7\nyOiZoG2sMuksq7d3O4SeTS2lBAmG5IeiP2iWvHWpZD48PTr78ItkTgIbaqZU2PXV\ng+2OcJPTel5xISooe5FvW8gdpC9SYoBPvgJuJ6czc1+LdUSK7pE7577eAJNDlh+H\nRwIDAQAB\n-----END PUBLIC KEY-----\n"
+}
\ No newline at end of file
diff --git a/clients/gitea-1.json b/clients/gitea-1.json
new file mode 100644
index 0000000..c210a98
--- /dev/null
+++ b/clients/gitea-1.json
@@ -0,0 +1,4 @@
+{
+ "name": "gitea-1",
+ "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0bp4I/f5dLL22GRHanLV\nw57sNBEWT3Vx32B24hScKNP5nYDW0dIRkt1c7SLEpe+diNgyIwk7JlI20Vl+oaVo\njdCpmHSB18yXxQT2Ub6aI8ApwFLECVA6SckekcwxLJc/oGRMB52PonI8opJOVbPa\nF+heZ5NNDiMvn3E8qODdMWSjDiJNSVLJgsCPFHAt32aJgLaXQTqG5lrmltaamscW\njGlFqiBJw/5saCkKBPdPwdX4RcDqvGX1FdE1LVB42cskv8CrnvEVFLBxKXAhAr6s\nNhOhenzLGHpy58tNoUoUw3v4WiPRtcnlNxeSVG5LKkjaK04f2oxeZx3SiSU/1naY\nkwIDAQAB\n-----END PUBLIC KEY-----\n"
+}
\ No newline at end of file
diff --git a/data_bags/credentials/drone.json b/data_bags/credentials/drone.json
index d499634..b6ce84d 100644
--- a/data_bags/credentials/drone.json
+++ b/data_bags/credentials/drone.json
@@ -1,23 +1,37 @@
 {
 "id": "drone",
 "client_id": {
- "encrypted_data": "PHC6f0UJwuaxnhMhxUVhHMqauCu9aYDp3IFqVzsxEoEodKhg8pgTWS14T5E7\nVm4xlcR/CuLcOA==\n",
- "iv": "on4hNp3g6pLsvfTE\n",
- "auth_tag": "ytx40h2fsBHhDpyhwKbHog==\n",
+ "encrypted_data": "bfwxBJt+xNihifwXmjWK3dMDCcjZ1XgiWvqvK0Dj3zd8ZuDRZUwt++xdr/bT\n1wwz1i3udaxZqQ==\n",
+ "iv": "0Bioz/6QbDo5w8Ay\n",
+ "auth_tag": "lF8gragaEIrfR1g+Ka1Wnw==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "client_secret": {
- "encrypted_data": "HAKFqsrbL447wgropHz2rgHmyRl3G2d24svTT+TYMI0jtQFTQPZLxNZkl3ki\n42n7baNrfXN3IJeQRyxyihw0\n",
- "iv": "pmdiLiFgSPNNP7dl\n",
- "auth_tag": "4j98l+lZ0k4mLioJHS5VJw==\n",
+ "encrypted_data": "1TKFuk54DqP/5kAPIfjI2PNriOIJ0NdwV2ETZdF1O7Gt55WXvHSTupQLu0NG\nQkrSXXqdgDKvW2/P+d1W0NTQ\n",
+ "iv": "nBqEog1s/Z2cHnqU\n",
+ "auth_tag": "yBjz6GQ6K6bowih970e37w==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "rpc_secret": {
- "encrypted_data": "ll4f3ECLQTgJj47aeqnP0Ci1ncMYTwwFw1J46Qx3gPloA2YGPwlfa82Uck1k\neSHCTSNW\n",
- "iv": "hP5Iq9zOjELUb9d8\n",
- "auth_tag": "WJlme717tpgbWPcXwFzyvQ==\n",
+ "encrypted_data": "KBJHpfjw6aEuMoOJevkNRFA6NVF8w4cAxRsPRchN+qlLXPT1Kxql2uug8c0P\n1DdKeaZq\n",
+ "iv": "qj9C1PqC1OlDX6YR\n",
+ "auth_tag": "vgI5nxBEYnhwgJATykISJA==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "database_secret": {
+ "encrypted_data": "W+tSV89+1Ue/sNm6+dOW06jFGrmPTt4RVR8A0GUJXZhGbqBBie3jWNW3ZeKg\nfEQTYP1j\n",
+ "iv": "Of9fVasrPT7451HD\n",
+ "auth_tag": "fuY65GQr4s3vR6E3OuZdzQ==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "postgresql_password": {
+ "encrypted_data": "KqoUOOkqBy9Sfrg5THVWyOdgd21aDjXlEqxVhX1OIcsv\n",
+ "iv": "iPDmnzOO1TWA1bO1\n",
+ "auth_tag": "8o+0nRewMEGeoH5/ZfGUuQ==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 }
diff --git a/nodes/centaurus.kosmos.org.json b/nodes/centaurus.kosmos.org.json
index c617ef4..fcc9c55 100644
--- a/nodes/centaurus.kosmos.org.json
+++ b/nodes/centaurus.kosmos.org.json
@@ -14,7 +14,6 @@
 "roles": [
 "gitea",
 "postgresql_client",
- "discourse",
 "drone"
 ],
 "recipes": [
@@ -26,8 +25,6 @@
 "kosmos_gitea",
 "kosmos_gitea::default",
 "kosmos_gitea::backup",
- "kosmos_discourse",
- "kosmos_discourse::default",
 "kosmos_drone",
 "kosmos_drone::default",
 "kosmos_assets::nginx_site",
@@ -36,7 +33,6 @@
 "kosmos_website",
 "kosmos_website::default",
 "kosmos_zerotier::firewall",
- "sockethub::_firewall",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
@@ -82,13 +78,10 @@
 "run_list": [
 "recipe[kosmos-base]",
 "recipe[kosmos_encfs]",
- "role[gitea]",
- "role[drone]",
 "recipe[kosmos_assets::nginx_site]",
 "recipe[kosmos_kvm::host]",
 "recipe[kosmos-ejabberd::firewall]",
 "recipe[kosmos_website::default]",
- "recipe[kosmos_zerotier::firewall]",
- "recipe[sockethub::_firewall]"
+ "recipe[kosmos_zerotier::firewall]"
 ]
 }
diff --git a/nodes/drone-1.json b/nodes/drone-1.json
new file mode 100644
index 0000000..5ad5474
--- /dev/null
+++ b/nodes/drone-1.json
@@ -0,0 +1,58 @@
+{
+ "name": "drone-1",
+ "normal": {
+ "knife_zero": {
+ "host": "10.1.1.128"
+ }
+ },
+ "automatic": {
+ "fqdn": "drone-1",
+ "os": "linux",
+ "os_version": "5.4.0-1058-kvm",
+ "hostname": "drone-1",
+ "ipaddress": "192.168.122.200",
+ "roles": [
+ "drone",
+ "postgresql_client"
+ ],
+ "recipes": [
+ "kosmos-base",
+ "kosmos-base::default",
+ "kosmos_postgresql::hostsfile",
+ "kosmos_drone",
+ "kosmos_drone::default",
+ "apt::default",
+ "timezone_iii::default",
+ "timezone_iii::debian",
+ "ntp::default",
+ "ntp::apparmor",
+ "kosmos-base::systemd_emails",
+ "apt::unattended-upgrades",
+ "kosmos-base::firewall",
+ "kosmos-postfix::default",
+ "postfix::default",
+ "postfix::_common",
+ "postfix::_attributes",
+ "postfix::sasl_auth",
+ "hostname::default"
+ ],
+ "platform": "ubuntu",
+ "platform_version": "20.04",
+ "cloud": null,
+ "chef_packages": {
+ "chef": {
+ "version": "17.9.52",
+ "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.52/lib",
+ "chef_effortless": null
+ },
+ "ohai": {
+ "version": "17.9.0",
+ "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+ }
+ }
+ },
+ "run_list": [
+ "recipe[kosmos-base]",
+ "role[drone]"
+ ]
+}
\ No newline at end of file
diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json
index cb290db..4068c68 100644
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@@ -19,6 +19,8 @@
 "kosmos-base::default",
 "kosmos_kvm::host",
 "kosmos_discourse::nginx",
+ "kosmos_gitea::nginx",
+ "kosmos_drone::nginx",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
@@ -63,6 +65,6 @@
 "run_list": [
 "recipe[kosmos-base]",
 "recipe[kosmos_kvm::host]",
- "recipe[kosmos_discourse::nginx]"
+ "role[nginx_proxy]"
 ]
 }
diff --git a/nodes/gitea-1.json b/nodes/gitea-1.json
new file mode 100644
index 0000000..e3ec3a2
--- /dev/null
+++ b/nodes/gitea-1.json
@@ -0,0 +1,61 @@
+{
+ "name": "gitea-1",
+ "normal": {
+ "knife_zero": {
+ "host": "10.1.1.36"
+ }
+ },
+ "automatic": {
+ "fqdn": "gitea-1",
+ "os": "linux",
+ "os_version": "5.4.0-1058-kvm",
+ "hostname": "gitea-1",
+ "ipaddress": "192.168.122.218",
+ "roles": [
+ "gitea",
+ "postgresql_client"
+ ],
+ "recipes": [
+ "kosmos-base",
+ "kosmos-base::default",
+ "kosmos_postgresql::hostsfile",
+ "kosmos_gitea",
+ "kosmos_gitea::default",
+ "kosmos_gitea::backup",
+ "apt::default",
+ "timezone_iii::default",
+ "timezone_iii::debian",
+ "ntp::default",
+ "ntp::apparmor",
+ "kosmos-base::systemd_emails",
+ "apt::unattended-upgrades",
+ "kosmos-base::firewall",
+ "kosmos-postfix::default",
+ "postfix::default",
+ "postfix::_common",
+ "postfix::_attributes",
+ "postfix::sasl_auth",
+ "hostname::default",
+ "backup::default",
+ "logrotate::default"
+ ],
+ "platform": "ubuntu",
+ "platform_version": "20.04",
+ "cloud": null,
+ "chef_packages": {
+ "chef": {
+ "version": "17.9.52",
+ "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.52/lib",
+ "chef_effortless": null
+ },
+ "ohai": {
+ "version": "17.9.0",
+ "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+ }
+ }
+ },
+ "run_list": [
+ "recipe[kosmos-base]",
+ "role[gitea]"
+ ]
+}
\ No newline at end of file
diff --git a/nodes/postgres-2.json b/nodes/postgres-2.json
index 89bcc85..8d7953a 100644
--- a/nodes/postgres-2.json
+++ b/nodes/postgres-2.json
@@ -19,6 +19,8 @@
 "kosmos-base::default",
 "kosmos_postgresql::primary",
 "kosmos_postgresql::firewall",
+ "kosmos_gitea::pg_db",
+ "kosmos_drone::pg_db",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
diff --git a/roles/drone.rb b/roles/drone.rb
index 4ee08ac..4c39b2c 100644
--- a/roles/drone.rb
+++ b/roles/drone.rb
@@ -1,5 +1,6 @@
 name "drone"
 
 run_list %w(
+ role[postgres_client]
 kosmos_drone::default
 )
diff --git a/roles/nginx_proxy.rb b/roles/nginx_proxy.rb
new file mode 100644
index 0000000..0c94bc8
--- /dev/null
+++ b/roles/nginx_proxy.rb
@@ -0,0 +1,13 @@
+name "nginx_proxy"
+
+default_run_list = %w(
+ kosmos_discourse::nginx
+ kosmos_gitea::nginx
+ kosmos_drone::nginx
+)
+
+env_run_lists(
+ '_default' => default_run_list,
+ 'development' => [],
+ 'production' => default_run_list
+)
diff --git a/roles/postgresql_primary.rb b/roles/postgresql_primary.rb
index 58ef4b7..7126cb2 100644
--- a/roles/postgresql_primary.rb
+++ b/roles/postgresql_primary.rb
@@ -3,4 +3,6 @@ name "postgresql_primary"
 run_list %w(
 kosmos_postgresql::primary
 kosmos_postgresql::firewall
+ kosmos_gitea::pg_db
+ kosmos_drone::pg_db
 )
diff --git a/site-cookbooks/kosmos-nginx/recipes/default.rb b/site-cookbooks/kosmos-nginx/recipes/default.rb
index c01301e..118795a 100644
--- a/site-cookbooks/kosmos-nginx/recipes/default.rb
+++ b/site-cookbooks/kosmos-nginx/recipes/default.rb
@@ -2,27 +2,6 @@
 # Cookbook Name:: kosmos-nginx
 # Recipe:: default
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 
 node.override['nginx']['default_site_enabled'] = false
 node.override['nginx']['server_tokens'] = 'off'
diff --git a/site-cookbooks/kosmos_drone/attributes/default.rb b/site-cookbooks/kosmos_drone/attributes/default.rb
new file mode 100644
index 0000000..ceb7564
--- /dev/null
+++ b/site-cookbooks/kosmos_drone/attributes/default.rb
@@ -0,0 +1,2 @@
+node.default["kosmos_drone"]["domain"] = "drone.kosmos.org"
+node.default["kosmos_drone"]["upstream_port"] = 80
diff --git a/site-cookbooks/kosmos_drone/metadata.rb b/site-cookbooks/kosmos_drone/metadata.rb
index 5c14444..e0ef895 100644
--- a/site-cookbooks/kosmos_drone/metadata.rb
+++ b/site-cookbooks/kosmos_drone/metadata.rb
@@ -7,5 +7,6 @@ long_description 'Installs/Configures kosmos_drone'
 version '0.1.0'
 chef_version '>= 14.0'
 
+depends "firewall"
 depends "kosmos-nginx"
 depends "kosmos_gitea"
diff --git a/site-cookbooks/kosmos_drone/recipes/default.rb b/site-cookbooks/kosmos_drone/recipes/default.rb
index a0a2017..1eec1d2 100644
--- a/site-cookbooks/kosmos_drone/recipes/default.rb
+++ b/site-cookbooks/kosmos_drone/recipes/default.rb
@@ -4,10 +4,17 @@
 #
 
 package "docker-compose"
-domain = "drone.kosmos.org"
 deploy_path = "/opt/drone"
-upstream_port = 3002
 credentials = data_bag_item("credentials", "drone")
+drone_credentials = data_bag_item('credentials', 'drone')
+
+postgres_config = {
+ username: "drone",
+ password: drone_credentials["postgresql_password"],
+ host: "pg.kosmos.local",
+ port: 5432,
+ database: "drone"
+}
 
 directory deploy_path do
 action :create
@@ -17,13 +24,16 @@ template "#{deploy_path}/docker-compose.yml" do
 source "docker-compose.yml.erb"
 sensitive true
 mode 0640
- variables upstream_port: upstream_port,
- domain: domain,
+ variables domain: node["kosmos_drone"]["domain"],
+ upstream_port: node["kosmos_drone"]["upstream_port"],
 gitea_server: "https://#{node["kosmos_gitea"]["nginx"]["domain"]}",
 client_id: credentials['client_id'],
 client_secret: credentials['client_secret'],
 rpc_secret: credentials['rpc_secret'],
+ database_secret: credentials['database_secret'],
+ postgres: postgres_config,
 max_procs: 4
+ notifies :restart, "systemd_unit[drone.service]", :delayed
 end
 
 systemd_unit "drone.service" do
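Review bot: The same data bag item is now loaded twice in the first recipe hunk: `credentials = data_bag_item("credentials", "drone")` survives from before and the new `drone_credentials = data_bag_item('credentials', 'drone')` duplicates it under a second name, so drop the new line and read `password: credentials["postgresql_password"]` in `postgres_config`. This commit moves the domain and upstream port into `attributes/default.rb`, but `host: "pg.kosmos.local"`, `port: 5432` and `database: "drone"` stay hard-coded in the recipe; giving them `node["kosmos_drone"]["postgresql"][...]` attributes would keep the cookbook consistent with itself and let `kosmos_drone::pg_db`, which creates the database under its own literal `"drone"`, share the name instead of risking drift. A one-line comment on `postgres_config`, such as `# Connection details for the Drone database created by kosmos_drone::pg_db on the postgresql_primary node`, would also help the next reader find where the role and database come from.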
@@ -45,20 +55,9 @@ systemd_unit "drone.service" do
 action [:create, :enable, :start]
 end
 
-template "#{node['nginx']['dir']}/sites-available/#{domain}" do
- source "nginx_conf.erb"
- owner 'www-data'
- mode 0640
- variables server_name: domain,
- ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
- ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
- upstream_port: upstream_port
-
- notifies :reload, 'service[nginx]', :delayed
+firewall_rule 'drone' do
+ port [node["kosmos_drone"]["upstream_port"]]
+ source "10.1.1.0/24" # TODO only allow nginx proxy IPs
+ protocol :tcp
+ command :allow
 end
-
-nginx_site domain do
- action :enable
-end
-
-nginx_certbot_site domain
diff --git a/site-cookbooks/kosmos_drone/recipes/nginx.rb b/site-cookbooks/kosmos_drone/recipes/nginx.rb
new file mode 100644
index 0000000..fffe902
--- /dev/null
+++ b/site-cookbooks/kosmos_drone/recipes/nginx.rb
@@ -0,0 +1,32 @@
+#
+# Cookbook:: kosmos_drone
+# Recipe:: nginx
+#
+
+domain = node["kosmos_drone"]["domain"]
+
+upstream_ip_addresses = []
+search(:node, "role:drone").each do |n|
+ upstream_ip_addresses << n["knife_zero"]["host"]
+end
+# No Discourse host, stop here
+return if upstream_ip_addresses.empty?
+
+nginx_certbot_site domain
+
+template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+ source "nginx_conf.erb"
+ owner 'www-data'
+ mode 0640
+ variables server_name: domain,
+ upstream_ip_addresses: upstream_ip_addresses,
+ upstream_port: node["kosmos_drone"]["upstream_port"],
+ ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+
+ notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site domain do
+ action :enable
+end
diff --git a/site-cookbooks/kosmos_drone/recipes/pg_db.rb b/site-cookbooks/kosmos_drone/recipes/pg_db.rb
new file mode 100644
index 0000000..7b2e39d
--- /dev/null
+++ b/site-cookbooks/kosmos_drone/recipes/pg_db.rb
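Review bot: The new `firewall_rule 'drone'` that limits the upstream port to `10.1.1.0/24` very likely does not protect the Drone server at all, because that port is not served by a host process but published by Docker (`"<%= @upstream_port %>:80"` in docker-compose.yml.erb, now host port 80), and Docker programs its own iptables NAT/FORWARD rules that are consulted before the INPUT rules the firewall cookbook manages, so a published port is reachable from every interface regardless of this rule unless Docker's iptables handling is disabled or the publish address is restricted. The cheapest fix is to publish only on the internal address the proxy uses, e.g. `"<%= @bind_address %>:<%= @upstream_port %>:80"` with `bind_address: node["knife_zero"]["host"]` passed from this recipe, and to confirm with `iptables -L DOCKER -n` on drone-1 that nothing is exposed on the public interface. The `# TODO only allow nginx proxy IPs` can be resolved with the same `search(:node, "role:nginx_proxy")` the gitea recipe already uses, emitting one rule per proxy address, rather than opening the whole /24.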
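Review bot: The comment `# No Discourse host, stop here` above `return if upstream_ip_addresses.empty?` was carried over from the Discourse recipe and is wrong for this file; it should read `# No Drone host found by search, stop here`. Unlike `kosmos_gitea::nginx`, this recipe does not `include_recipe "kosmos-nginx"`, so it only works because another recipe earlier in the nginx_proxy role has already converged nginx and made `nginx_certbot_site`/`nginx_site` available; adding `include_recipe "kosmos-nginx"` after the header makes it self-contained and safe to run on its own. Note that the upstream list is built from `knife_zero.host`, a value set by hand in the node's `normal` attributes rather than discovered, which is worth stating in a comment so nobody expects a fresh node to appear in the proxy automatically.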
@@ -0,0 +1,16 @@ +# +# Cookbook:: kosmos_drone +# Recipe:: pg_db +# + +drone_credentials = data_bag_item("credentials", "drone") + +postgresql_user "drone" do + action :create + password drone_credentials["postgresql_password"] +end + +postgresql_database "drone" do + owner "drone" + action :create +end diff --git a/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb b/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb index 049a061..0457342 100644 --- a/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb +++ b/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb @@ -2,7 +2,7 @@ version: '3' services: drone-server: - image: drone/drone:2.5 + image: drone/drone:2.11 ports: - "<%= @upstream_port %>:80" @@ -17,6 +17,9 @@ services: - DRONE_SERVER_HOST=<%= @domain %> - DRONE_SERVER_PROTO=https # required for the Redirect URI to be built correctly - DRONE_RPC_SECRET=<%= @rpc_secret %> + - DRONE_DATABASE_DRIVER=postgres + - DRONE_DATABASE_DATASOURCE=postgres://<%= @postgres[:username] %>:<%= @postgres[:password] %>@<%= @postgres[:host] %>:<%= @postgres[:port] %>/<%= @postgres[:database] %>?sslmode=disable + - DRONE_DATABASE_SECRET=<%= @database_secret %> drone-runner: image: drone/drone-runner-docker:1.8 diff --git a/site-cookbooks/kosmos_drone/templates/nginx_conf.erb b/site-cookbooks/kosmos_drone/templates/nginx_conf.erb index 4226de7..f9e1dfa 100644 --- a/site-cookbooks/kosmos_drone/templates/nginx_conf.erb +++ b/site-cookbooks/kosmos_drone/templates/nginx_conf.erb @@ -1,7 +1,9 @@ <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> # Generated by Chef upstream _drone { - server localhost:<%= @upstream_port %>; + <% @upstream_ip_addresses.each do |upstream_ip_address| -%> + server <%= upstream_ip_address %>:<%= @upstream_port %>; + <% end -%> } server { diff --git a/site-cookbooks/kosmos_gitea/attributes/default.rb b/site-cookbooks/kosmos_gitea/attributes/default.rb index 7a6b5d0..0495d7e 100644 
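Review bot: `sslmode=disable` in the new `DRONE_DATABASE_DATASOURCE` sends the Postgres password and all CI metadata in cleartext between drone-1 and pg.kosmos.local, even though this repo already distributes a root CA for that server (the `ssl_root_cert` data bag value the gitea recipe used to install at `/etc/ssl/certs/root.kosmos.org.crt`). Install that certificate on the drone host, bind-mount it into the container, and connect with `?sslmode=verify-full&sslrootcert=/etc/ssl/certs/root.kosmos.org.crt` so the server is authenticated as well as encrypted. The password is also interpolated raw into a URL; any `@`, `/`, `:`, `?` or `%` in it would corrupt the DSN, so encode it in the template as `<%= ERB::Util.url_encode(@postgres[:password]) %>`. `drone/drone:2.11` is a mutable tag; pinning the image by digest would make the deployment reproducible and harder to swap out upstream.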
--- a/site-cookbooks/kosmos_gitea/attributes/default.rb +++ b/site-cookbooks/kosmos_gitea/attributes/default.rb @@ -1,9 +1,10 @@ -gitea_version = "1.16.1" +gitea_version = "1.16.3" node.default["kosmos_gitea"]["version"] = gitea_version node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64" -node.default["kosmos_gitea"]["binary_checksum"] = "f03f3a3c4dccc2219351cde5c9af372715b2ec3e88a821779702bc6f38084c97" +node.default["kosmos_gitea"]["binary_checksum"] = "626c7da554efcfd3abd88b0355e3adf55d7f0941a01e058b2d4f5923d0d5b7c3" node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org" node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea" +node.default["kosmos_gitea"]["port"] = 3000 node.default["kosmos_gitea"]["config"] = { "webhook": { diff --git a/site-cookbooks/kosmos_gitea/metadata.rb b/site-cookbooks/kosmos_gitea/metadata.rb index 6b690ce..27947c3 100644 --- a/site-cookbooks/kosmos_gitea/metadata.rb +++ b/site-cookbooks/kosmos_gitea/metadata.rb @@ -19,6 +19,7 @@ chef_version '>= 14.0' # # source_url 'https://github.com//kosmos_gitea' +depends "firewall" depends "kosmos-nginx" depends "kosmos_postgresql" depends "backup" diff --git a/site-cookbooks/kosmos_gitea/recipes/backup.rb b/site-cookbooks/kosmos_gitea/recipes/backup.rb index 83704f2..f363577 100644 --- a/site-cookbooks/kosmos_gitea/recipes/backup.rb +++ b/site-cookbooks/kosmos_gitea/recipes/backup.rb 
@@ -4,26 +4,7 @@
 #
 # The MIT License (MIT)
 #
-# Copyright:: 2020, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-#
+
 unless node.chef_environment == "development"
 # backup the data dir and the config files
 node.override["backup"]["archives"]["gitea"] = [node["kosmos_gitea"]["working_directory"]]
diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb
index c059fa3..9d334ef 100644
--- a/site-cookbooks/kosmos_gitea/recipes/default.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/default.rb
@@ -3,9 +3,6 @@
 # Recipe:: default
 #
 
-include_recipe "kosmos-nginx"
-
-domain = node["kosmos_gitea"]["nginx"]["domain"]
 working_directory = node["kosmos_gitea"]["working_directory"]
 git_home_directory = "/home/git"
 repository_root_directory = "#{git_home_directory}/gitea-repositories"
@@ -63,15 +60,17 @@ directory config_directory do mode "0750" end -# Copy the self-signed root certificate to the system certificate store. Gitea -# will find it there automatically -postgresql_data_bag_item = data_bag_item('credentials', 'postgresql') -root_cert_path = "/etc/ssl/certs/root.kosmos.org.crt" -file root_cert_path do - content postgresql_data_bag_item['ssl_root_cert'] - mode "0644" +nginx_proxy_ip_addresses = [] +search(:node, "role:nginx_proxy").each do |node| + nginx_proxy_ip_addresses << node["knife_zero"]["host"] end +node.default["kosmos_gitea"]["config"] = { + "webhook": { + "allowed_host_list" => "external,#{nginx_proxy_ip_addresses.join(",")}" + } +} + template "#{config_directory}/app.ini" do source "app.ini.erb" owner "git" @@ -119,20 +118,9 @@ service "gitea" do action [:enable, :start] end -template "#{node['nginx']['dir']}/sites-available/#{domain}" do - source "nginx_conf.erb" - owner 'www-data' - mode 0640 - variables server_name: domain, - ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", - ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", - upstream_port: 3000 - - notifies :reload, 'service[nginx]', :delayed +firewall_rule 'gitea' do + port [node["kosmos_gitea"]["port"]] + source "10.1.1.0/24" # TODO only allow nginx proxy IPs + protocol :tcp + command :allow end - -nginx_site domain do - action :enable -end - -nginx_certbot_site domain diff --git a/site-cookbooks/kosmos_gitea/recipes/nginx.rb b/site-cookbooks/kosmos_gitea/recipes/nginx.rb new file mode 100644 index 0000000..20bd979 --- /dev/null +++ b/site-cookbooks/kosmos_gitea/recipes/nginx.rb 
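Review bot: The removed `file root_cert_path` block was, per its own comment, how Gitea found the self-signed PostgreSQL root certificate; unless the app.ini `[database]` section (not in this diff) has stopped asking for a verifying `SSL_MODE`, Gitea on gitea-1 will now either fail to connect or fall back to an unverified connection, so either keep writing `/etc/ssl/certs/root.kosmos.org.crt` here or move that resource into the `postgresql_client` role this node now carries and say so in a comment. `search(:node, "role:nginx_proxy").each do |node|` shadows the recipe's `node` object inside the block; use `|n|` as `kosmos_drone::nginx` does. `node.default["kosmos_gitea"]["config"] = { ... }` overwrites rather than merges the `config` hash that attributes/default.rb sets at the same precedence level, so assign only the key you mean, `node.default["kosmos_gitea"]["config"]["webhook"]["allowed_host_list"] = "external,#{nginx_proxy_ip_addresses.join(",")}"`, and any other keys in that hash survive. The `directory config_directory` resource this hunk starts in opens before the hunk.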
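Review bot: The `# TODO only allow nginx proxy IPs` in the new `firewall_rule 'gitea'` can be closed in this same recipe, because `nginx_proxy_ip_addresses` is already computed from `search(:node, "role:nginx_proxy")` a few resources earlier and port 3000 therefore need not be open to all of `10.1.1.0/24`. As far as I know the firewall cookbook's `source` takes a single host or CIDR, so emit one rule per proxy address; written this way a converge with no proxy found yields no rule at all instead of an open /24, which is the safer failure mode.

```ruby
# … unchanged: service "gitea" …
nginx_proxy_ip_addresses.each do |proxy_ip|
  firewall_rule "gitea_from_#{proxy_ip}" do
    port [node["kosmos_gitea"]["port"]]
    source proxy_ip
    protocol :tcp
    command :allow
  end
end
```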
@@ -0,0 +1,52 @@ +# +# Cookbook:: kosmos_gitea +# Recipe:: nginx +# + +include_recipe "kosmos-nginx" + +domain = node["kosmos_gitea"]["nginx"]["domain"] + +# upstream_ip_addresses = [] +# search(:node, "role:gitea").each do |n| +# upstream_ip_addresses << n["knife_zero"]["host"] +# end +begin + upstream_ip_address = search(:node, "role:gitea").first["knife_zero"]["host"] +rescue + Chef::Log.warn('No server with "gitea" role. Stopping here.') + return +end + +nginx_certbot_site domain + +template "#{node['nginx']['dir']}/sites-available/#{domain}" do + source "nginx_conf_web.erb" + owner 'www-data' + mode 0640 + variables server_name: domain, + ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", + upstream_host: upstream_ip_address, + upstream_port: node["kosmos_gitea"]["port"] + + notifies :reload, 'service[nginx]', :delayed +end + +nginx_site domain do + action :enable +end + +template "#{node['nginx']['dir']}/streams-available/ssh" do + source "nginx_conf_ssh.erb" + owner 'www-data' + mode 0640 + variables domain: domain, + upstream_host: upstream_ip_address + + notifies :reload, 'service[nginx]', :delayed +end + +nginx_stream "ssh" do + action :enable +end diff --git a/site-cookbooks/kosmos_gitea/recipes/pg_db.rb b/site-cookbooks/kosmos_gitea/recipes/pg_db.rb index 2cf4d19..2c2ce2c 100644 --- a/site-cookbooks/kosmos_gitea/recipes/pg_db.rb +++ b/site-cookbooks/kosmos_gitea/recipes/pg_db.rb @@ -2,7 +2,6 @@ # Cookbook:: kosmos_gitea # Recipe:: pg_db # -# Copyright:: 2020, Kosmos Developers, All Rights Reserved. gitea_data_bag_item = data_bag_item("credentials", "gitea") diff --git a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb index 1d43c86..ce9ae23 100644 --- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb +++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb 
@@ -44,10 +44,6 @@ FROM = gitea@kosmos.org
 USER = <%= @smtp_user %>
 PASSWD = <%= @smtp_password %>
 
-[oauth2]
-JWT_SECRET = <%= @jwt_secret %>
-JWT_SIGNING_ALGORITHM = HS256
-
 [security]
 INTERNAL_TOKEN = <%= @internal_token %>
 INSTALL_LOCK = true
diff --git a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb
new file mode 100644
index 0000000..085f7ff
--- /dev/null
+++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb
@@ -0,0 +1,8 @@
+upstream _gitea_ssh {
+ server <%= @upstream_host %>:22;
+}
+
+server {
+ listen 148.251.83.201:22;
+ proxy_pass _gitea_ssh;
+}
diff --git a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb
similarity index 82%
rename from site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb
rename to site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb
index 7965156..1476976 100644
--- a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf.erb
+++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb
@@ -1,6 +1,6 @@
 # Generated by Chef
-upstream _gitea {
- server localhost:<%= @upstream_port %>;
+upstream _gitea_web {
+ server <%= @upstream_host %>:<%= @upstream_port %>;
 }
 
 server {
@@ -26,14 +26,14 @@ server {
 
 location ~ ^/(avatars|repo-avatars)/.*$ {
 proxy_buffers 1024 8k;
- proxy_pass http://_gitea;
+ proxy_pass http://_gitea_web;
 proxy_http_version 1.1;
 expires 30d;
 }
 
 location / {
 proxy_buffers 1024 8k;
- proxy_pass http://_gitea;
+ proxy_pass http://_gitea_web;
 proxy_http_version 1.1;
 }
 }
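Review bot: Removing `[oauth2] JWT_SECRET` and `JWT_SIGNING_ALGORITHM = HS256` from a Chef-managed app.ini changes how Gitea signs the OAuth2 tokens that Drone's login depends on, and nothing in the hunk records whether that is intended. As far as I recall, with no algorithm configured Gitea defaults to RS256 and generates a private key file under its data path, so the change is only safe if that file survives chef-client runs and sits inside what `kosmos_gitea::backup` archives; if Gitea instead tries to persist a generated `JWT_SECRET` by appending to app.ini, the next template render throws it away and every Drone session becomes invalid. Please verify on gitea-1 across two converges and document the outcome in the template, for example `; [oauth2] intentionally unset: Gitea generates its RS256 signing key under APP_DATA_PATH/jwt, which is backed up`.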
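Review bot: `listen 148.251.83.201:22;` bakes the proxy's public address into a cookbook template, so the stream config is wrong on any other nginx_proxy node and cannot be exercised outside production; pass the address in from the recipe, `listen <%= @listen_address %>:22;`, with `listen_address: node["kosmos_gitea"]["nginx"]["ssh_listen_address"]` added to the template's `variables`. The template should also carry a comment stating its precondition, that the proxy host's own sshd must not bind that address on port 22 or nginx will fail to start, since this is not checked anywhere in the recipe. Because the TCP proxy rewrites the client source address, any per-IP throttling for SSH now has to be enforced on the proxy (nginx `limit_conn` in the stream block) rather than on gitea-1.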