Migrate ejabberd uploads to mod_s3_upload and Garage

In addition to installing and configuring the new module, this also
enables public access to the S3 API via `bucket-name.s3.kosmos.org` as
well as Web access on `bucket-name.web.s3.kosmos.org` (when enabled).

Also includes some drive-by improvements to Chef attribute naming and
usage.

Co-authored-by: Greg Karékinian <greg@karekinian.com>

site-cookbooks/kosmos_garage/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default['garage']['version']            = '0.8.0'
-node.default['garage']['checksum']['amd64']  = '66dd2ea1f677281a43e10eb619523b1b269f8fde9047ce8caa70958f3b13ca74'
+node.default['garage']['version']            = '0.8.4'
+node.default['garage']['checksum']['amd64']  = '45403d494847c42efc620f66c52d27c0bb0446a490e62f5b0b87489a588a767d'
 node.default['garage']['replication_mode']   = 'none'
 node.default['garage']['s3_api_port']        = 3900
 node.default['garage']['rpc_port']           = 3901
@@ -9,3 +9,4 @@ node.default['garage']['k2v_api_port']       = 3904
 node.default['garage']['s3_api_root_domain'] = '.s3.garage.localhost'
 node.default['garage']['s3_web_root_domain'] = '.web.garage.localhost'
 node.default['garage']['s3_web_domains']     = []
+node.default['garage']['xmpp_upload_bucket'] = nil

site-cookbooks/kosmos_garage/recipes/nginx_s3.rb

@@ -0,0 +1,22 @@
+#
+# Cookbook Name:: kosmos_garage
+# Recipe:: nginx_s3
+#
+
+domain_name = node['garage']['s3_api_root_domain']
+server_name = "*.#{domain_name}"
+
+tls_cert_for domain_name do
+  domain [domain_name, server_name]
+  auth "gandi_dns"
+  action :create
+end
+
+openresty_site domain_name do
+  template "nginx_conf_s3.erb"
+  variables server_name: "#{domain_name} #{server_name}",
+            domain_name: domain_name,
+            xmpp_upload_bucket: node['garage']['xmpp_upload_bucket'],
+            ssl_cert:    "/etc/letsencrypt/live/#{domain_name}/fullchain.pem",
+            ssl_key:     "/etc/letsencrypt/live/#{domain_name}/privkey.pem"
+end

site-cookbooks/kosmos_garage/recipes/nginx_web.rb

@@ -15,18 +15,41 @@ proxy_cache_path #{node['openresty']['cache_dir']}/garage
 EOF
 end
 
-domains = node['garage']['s3_web_domains']
+#
+# Root domain for public Web access via bucket-name.root-domain.tld
+#
 
-domains.each do |server_name|
-  tls_cert_for server_name do
+domain_name = node['garage']['s3_web_root_domain']
+server_name = "*.#{domain_name}"
+
+tls_cert_for server_name do
+  auth "gandi_dns"
+  action :create
+end
+
+openresty_site domain_name do
+  template "nginx_conf_web.erb"
+  variables server_name: server_name,
+            domain_name: domain_name,
+            ssl_cert:    "/etc/letsencrypt/live/#{domain_name}/fullchain.pem",
+            ssl_key:     "/etc/letsencrypt/live/#{domain_name}/privkey.pem"
+end
+
+#
+# Custom domains for public Web access
+#
+
+node['garage']['s3_web_domains'].each do |domain_name|
+  tls_cert_for domain_name do
     auth "gandi_dns"
     action :create
   end
 
-  openresty_site server_name do
+  openresty_site domain_name do
     template "nginx_conf_web.erb"
-    variables server_name: server_name,
-              ssl_cert:    "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
-              ssl_key:     "/etc/letsencrypt/live/#{server_name}/privkey.pem"
+    variables server_name: domain_name,
+              domain_name: domain_name,
+              ssl_cert:    "/etc/letsencrypt/live/#{domain_name}/fullchain.pem",
+              ssl_key:     "/etc/letsencrypt/live/#{domain_name}/privkey.pem"
   end
 end

site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb

@@ -0,0 +1,49 @@
+upstream garage_s3 {
+  server 127.0.0.1:3900;
+}
+
+server {
+  listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
+  listen [::]:443 http2 ssl;
+
+  ssl_certificate     <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  server_name <%= @server_name %>;
+
+  access_log <%= node[:openresty][:log_dir] %>/<%= @domain_name %>.access.log json;
+  error_log <%= node[:openresty][:log_dir] %>/<%= @domain_name %>.error.log warn;
+
+  error_page 401 403 404 500 /__empty-page.html;
+
+  location = /__empty-page.html {
+    internal;
+    return 200 "";
+  }
+
+  location / {
+    if ($request_method = OPTIONS) {
+      add_header Content-Length 0;
+      add_header Content-Type text/plain;
+      return 200;
+    }
+
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $host;
+    proxy_request_buffering off;
+    proxy_max_temp_file_size 0;
+
+    proxy_pass http://garage_s3;
+
+<% if @xmpp_upload_bucket %>
+    # Some XMPP clients (e.g. Beagle, Siskin, Snikket, Monal) require a 201 CREATED
+    # for PUT requests to be considered successful
+    header_filter_by_lua_block {
+      if ngx.var.http_host == "<%= @xmpp_upload_bucket %>.<%= @domain_name %>" and
+         ngx.req.get_method() == "PUT" and ngx.status == ngx.HTTP_OK then
+        ngx.status = ngx.HTTP_CREATED
+      end
+    }
+<% end %>
+  }
+}

site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb

@@ -1,14 +1,15 @@
 server {
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
   listen [::]:443 http2 ssl;
 
   server_name <%= @server_name %>;
 
-  access_log off;
-
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
+  access_log <%= node[:openresty][:log_dir] %>/<%= @domain_name %>.access.log json;
+  error_log <%= node[:openresty][:log_dir] %>/<%= @domain_name %>.error.log warn;
+
   error_page 401 403 404 500 /__empty-page.html;
 
   location = /__empty-page.html {