From 65933bef4bfd53efa61192e62f36791987fc95f7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Fri, 4 Nov 2022 14:41:21 +0100 Subject: [PATCH] Move hubot nginx sites to proxy role, deploy to fornax --- nodes/fornax.kosmos.org.json | 2 ++ roles/nginx_proxy.rb | 2 ++ .../recipes/botka_irc-libera-chat.rb | 32 ++++--------------- .../recipes/nginx_botka_irc-libera-chat.rb | 24 ++++++++++++++ .../recipes/nginx_hal8000_xmpp.rb | 24 ++++++++++++++ .../templates/default/nginx_conf_hubot.erb | 4 +-- 6 files changed, 60 insertions(+), 28 deletions(-) create mode 100644 site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb create mode 100644 site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json index ba22c12..8be8647 100644 --- a/nodes/fornax.kosmos.org.json +++ b/nodes/fornax.kosmos.org.json @@ -33,6 +33,8 @@ "kosmos_website::default", "kosmos-ejabberd::nginx", "kosmos-akkounts::nginx_api", + "kosmos-hubot::nginx_botka_irc-libera-chat", + "kosmos-hubot::nginx_hal8000_xmpp", "remotestorage_discourse::nginx", "kosmos_zerotier::controller", "kosmos_zerotier::firewall", diff --git a/roles/nginx_proxy.rb b/roles/nginx_proxy.rb index 55a64a3..8f4109b 100644 --- a/roles/nginx_proxy.rb +++ b/roles/nginx_proxy.rb @@ -8,6 +8,8 @@ default_run_list = %w( kosmos_website::default kosmos-ejabberd::nginx kosmos-akkounts::nginx_api + kosmos-hubot::nginx_botka_irc-libera-chat + kosmos-hubot::nginx_hal8000_xmpp remotestorage_discourse::nginx ) diff --git a/site-cookbooks/kosmos-hubot/recipes/botka_irc-libera-chat.rb b/site-cookbooks/kosmos-hubot/recipes/botka_irc-libera-chat.rb index d30ad9d..52d4c87 100644 --- a/site-cookbooks/kosmos-hubot/recipes/botka_irc-libera-chat.rb +++ b/site-cookbooks/kosmos-hubot/recipes/botka_irc-libera-chat.rb 
@@ -7,7 +7,6 @@ app_name = "botka_irc-libera-chat" app_path = "/opt/#{app_name}" app_user = "hubot" app_group = "hubot" -domain = "irc-libera-chat.botka.kosmos.chat" build_essential app_name do compile_time true @@ -15,8 +14,9 @@ end include_recipe 'redisio::default' include_recipe 'redisio::enable' -include_recipe "kosmos-nodejs" include_recipe "kosmos-hubot::_user" +include_recipe "kosmos-hubot::_nodejs" +include_recipe "kosmos-base::firewall" application app_path do credentials = Chef::EncryptedDataBagItem.load('credentials', app_name) @@ -99,27 +99,9 @@ application app_path do end end -# -# Nginx reverse proxy -# -unless node.chef_environment == "development" - include_recipe "kosmos-base::letsencrypt" - include_recipe "kosmos-nginx" - - template "#{node['nginx']['dir']}/sites-available/#{domain}" do - source 'nginx_conf_hubot.erb' - owner node["nginx"]["user"] - mode 0640 - variables express_port: node[app_name]['http_port'], - server_name: domain, - ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", - ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem" - notifies :reload, 'service[nginx]', :delayed - end - - nginx_site domain do - action :enable - end - - nginx_certbot_site domain +firewall_rule app_name do + port node[app_name]['http_port'] + source "10.1.1.0/24" + protocol :tcp + command :allow end diff --git a/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb b/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb new file mode 100644 index 0000000..df0ba8f --- /dev/null +++ b/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb 
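Review bot: The new `firewall_rule app_name` at the end of the recipe hard-codes `source "10.1.1.0/24"`, so every host on that subnet can reach the hubot HTTP port directly, not only the nginx proxy nodes. TLS now terminates on a different machine, so requests from the proxy to this port presumably cross that network as plain HTTP, which makes the allowed range part of the trust boundary. Consider reading the range from a node attribute or narrowing it to the proxy addresses. Record the assumption next to the rule, e.g. `# Only the nginx proxy nodes need this port; the proxy-to-hubot hop is not TLS-protected`.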
@@ -0,0 +1,24 @@
+include_recipe "kosmos-base::letsencrypt"
+include_recipe "kosmos-nginx"
+
+domain = "irc-libera-chat.botka.kosmos.chat"
+
+nginx_certbot_site domain
+
+upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
+
+template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+ source 'nginx_conf_hubot.erb'
+ owner node["nginx"]["user"]
+ mode 0640
+ variables express_port: node['botka_irc-libera-chat']['http_port'],
+ server_name: domain,
+ ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
+ upstream_host: upstream_host
+ notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site domain do
+ action :enable
+end
diff --git a/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb b/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb
new file mode 100644
index 0000000..75f9d12
--- /dev/null
+++ b/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb
@@ -0,0 +1,24 @@
+include_recipe "kosmos-base::letsencrypt"
+include_recipe "kosmos-nginx"
+
+app_name = "hal8000_xmpp"
+
+nginx_certbot_site node[app_name]['domain']
+
+upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
+
+template "#{node['nginx']['dir']}/sites-available/#{node[app_name]['domain']}" do
+ source 'nginx_conf_hubot.erb'
+ owner node["nginx"]["user"]
+ mode 0640
+ variables express_port: node[app_name]['http_port'],
+ server_name: node[app_name]['domain'],
+ ssl_cert: "/etc/letsencrypt/live/#{node[app_name]['domain']}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{node[app_name]['domain']}/privkey.pem",
+ upstream_host: upstream_host
+ notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site node[app_name]['domain'] do
+ action :enable
+end
diff --git a/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb b/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb
index e7848c1..6265688 100644
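Review bot: `search(:node, "role:hubot").first["knife_zero"]["host"]` in `nginx_botka_irc-libera-chat.rb` fails with a NoMethodError on nil when the search returns no node or the node has no `knife_zero` attribute, which would abort the Chef run on every proxy that includes this recipe. With more than one hubot node, `.first` silently picks whichever result comes back first. An explicit guard such as `hubot_node = search(:node, "role:hubot").first || raise("no node with role:hubot found")` makes the failure readable. It is also worth confirming that `knife_zero.host` resolves to an address inside the range the hubot firewall rule allows, since this value becomes the nginx upstream for an unencrypted HTTP hop. The same lookup is repeated in `nginx_hal8000_xmpp.rb`.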
--- a/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb +++ b/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb @@ -2,10 +2,9 @@ # Generated by Chef # upstream _express_<%= @server_name.gsub(".", "_") %> { - server localhost:<%= @express_port %>; + server <%= @upstream_host || "localhost" %>:<%= @express_port %>; } -<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> server { listen 443 ssl http2; server_name <%= @server_name %>; @@ -26,4 +25,3 @@ server { ssl_certificate <%= @ssl_cert %>; ssl_certificate_key <%= @ssl_key %>; } -<% end -%>
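Review bot: With the `File.exist?` guard removed in the first hunk, the `server` block and its `ssl_certificate` / `ssl_certificate_key` directives are rendered even when the certificate files are not on disk, and nginx rejects a configuration that references a missing certificate. On a proxy that has never held these certificates, the delayed `reload` then depends on `nginx_certbot_site` having obtained them earlier in the same run; that resource is not visible here, so the ordering should be confirmed. If it is not guaranteed, keep the guard, or state the precondition in the template with a comment such as `# Requires the Let's Encrypt certificate to exist; issued by nginx_certbot_site before this site is enabled`. The `server` block continues outside this hunk.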