Migrate ejabberd uploads to mod_s3_upload and Garage

In addition to installing and configuring the new module, this also enables public access to the S3 API via `bucket-name.s3.kosmos.org` as well as Web access on `bucket-name.web.s3.kosmos.org` (when enabled). Also includes some drive-by improvements to Chef attribute naming and usage. Co-authored-by: Greg Karékinian <greg@karekinian.com>
2023-10-10 17:55:55 +02:00
parent 832075dfb2
commit 65d71d6a73
25 changed files with 322 additions and 132 deletions
--- a/site-cookbooks/kosmos_garage/recipes/nginx_s3.rb
+++ b/site-cookbooks/kosmos_garage/recipes/nginx_s3.rb
@@ -0,0 +1,22 @@
+#
+# Cookbook Name:: kosmos_garage
+# Recipe:: nginx_s3
+#
+
+domain_name = node['garage']['s3_api_root_domain']
+server_name = "*.#{domain_name}"
+
+tls_cert_for domain_name do
+  domain [domain_name, server_name]
+  auth "gandi_dns"
+  action :create
+end
+
+openresty_site domain_name do
+  template "nginx_conf_s3.erb"
+  variables server_name: "#{domain_name} #{server_name}",
+            domain_name: domain_name,
+            xmpp_upload_bucket: node['garage']['xmpp_upload_bucket'],
+            ssl_cert:    "/etc/letsencrypt/live/#{domain_name}/fullchain.pem",
+            ssl_key:     "/etc/letsencrypt/live/#{domain_name}/privkey.pem"
+end
--- a/site-cookbooks/kosmos_garage/recipes/nginx_web.rb
+++ b/site-cookbooks/kosmos_garage/recipes/nginx_web.rb
@@ -15,18 +15,41 @@ proxy_cache_path #{node['openresty']['cache_dir']}/garage
 EOF
 end

-domains = node['garage']['s3_web_domains']
+#
+# Root domain for public Web access via bucket-name.root-domain.tld
+#

-domains.each do |server_name|
-  tls_cert_for server_name do
+domain_name = node['garage']['s3_web_root_domain']
+server_name = "*.#{domain_name}"
+
+tls_cert_for server_name do
+  auth "gandi_dns"
+  action :create
+end
+
+openresty_site domain_name do
+  template "nginx_conf_web.erb"
+  variables server_name: server_name,
+            domain_name: domain_name,
+            ssl_cert:    "/etc/letsencrypt/live/#{domain_name}/fullchain.pem",
+            ssl_key:     "/etc/letsencrypt/live/#{domain_name}/privkey.pem"
+end
+
+#
+# Custom domains for public Web access
+#
+
+node['garage']['s3_web_domains'].each do |domain_name|
+  tls_cert_for domain_name do
    auth "gandi_dns"
    action :create
  end

-  openresty_site server_name do
+  openresty_site domain_name do
    template "nginx_conf_web.erb"
-    variables server_name: server_name,
-              ssl_cert:    "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
-              ssl_key:     "/etc/letsencrypt/live/#{server_name}/privkey.pem"
+    variables server_name: domain_name,
+              domain_name: domain_name,
+              ssl_cert:    "/etc/letsencrypt/live/#{domain_name}/fullchain.pem",
+              ssl_key:     "/etc/letsencrypt/live/#{domain_name}/privkey.pem"
  end
 end