Refactor Mastodon nginx recipe for proxy usage

Works both as local deployment and proxy (via roles and environments)

* Use upstreams for proxy_pass
* Access static assets from proxy, configure caching for them
* Move Tor config to environment, install via role
* ...
This commit is contained in:
Râu Cao 2022-11-30 12:02:17 +01:00
parent 83e55c84a2
commit 66f5217a41
Signed by: raucao
GPG Key ID: 15E65F399D084BA9
6 changed files with 85 additions and 52 deletions

View File

@ -1,17 +1,35 @@
name "nginx_proxy"
override_attributes(
'nginx' => {
'server_names_hash_bucket_size' => 128
},
'tor' => {
'HiddenServices' => {
'web' => {
'HiddenServicePorts' => ['80 127.0.0.1:80', '443 127.0.0.1:443']
}
}
}
)
default_run_list = %w(
tor-full
kosmos_assets::nginx_site
kosmos_discourse::nginx
kosmos_drone::nginx
kosmos_gitea::nginx
kosmos_website::default
kosmos-ejabberd::nginx
kosmos-akkounts::nginx_api
kosmos-ejabberd::nginx
kosmos-hubot::nginx_botka_irc-libera-chat
kosmos-hubot::nginx_hal8000_xmpp
kosmos-ipfs::nginx_public_gateway
kosmos-mastodon::nginx
remotestorage_discourse::nginx
kosmos_garage::default
kosmos_garage::firewall_rpc
kosmos_garage::nginx_web
)
env_run_lists(

View File

@ -1,17 +1,14 @@
node.default["kosmos-mastodon"]["repo"] = "https://gitea.kosmos.org/kosmos/mastodon.git"
node.default["kosmos-mastodon"]["revision"] = "kosmos-production"
node.default["kosmos-mastodon"]["directory"] = "/opt/mastodon"
node.default["kosmos-mastodon"]["server_name"] = "kosmos.social"
node.default["kosmos-mastodon"]["redis_url"] = "redis://localhost:6379/0"
node.default["kosmos-mastodon"]["sidekiq_threads"] = 25
node.default["kosmos-mastodon"]["repo"] = "https://gitea.kosmos.org/kosmos/mastodon.git"
node.default["kosmos-mastodon"]["revision"] = "kosmos-production"
node.default["kosmos-mastodon"]["directory"] = "/opt/mastodon"
node.default["kosmos-mastodon"]["bind_ip"] = "127.0.0.1"
node.default["kosmos-mastodon"]["app_port"] = 3000
node.default["kosmos-mastodon"]["streaming_port"] = 4000
node.default["kosmos-mastodon"]["server_name"] = "kosmos.social"
node.default["kosmos-mastodon"]["redis_url"] = "redis://localhost:6379/0"
node.default["kosmos-mastodon"]["sidekiq_threads"] = 25
node.default["kosmos-mastodon"]["onion_address"] = nil
# Allocate this amount of RAM to the Java heap for Elasticsearch
node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m"
node.override["redisio"]["version"] = "6.2.6"
node.override["tor"]["HiddenServices"]["mastodon"] = {
"HiddenServicePorts" => ["80 127.0.0.1:80", "443 127.0.0.1:443"]
}

View File

@ -3,12 +3,23 @@
# Recipe:: nginx
#
mastodon_path = node["kosmos-mastodon"]["directory"]
server_name = node["kosmos-mastodon"]["server_name"]
node.override['nginx']['server_names_hash_bucket_size'] = 128
include_recipe "kosmos-nginx"
app_dir = node["kosmos-mastodon"]["directory"]
server_name = node["kosmos-mastodon"]["server_name"]
is_proxy = node.roles.include?('nginx_proxy') rescue nil
upstream_hosts = []
if is_proxy
web_root_dir = "/var/www/#{server_name}/public"
search(:node, "role:mastodon").each do |node|
upstream_hosts << node["knife_zero"]["host"]
end
else
web_root_dir = "#{app_dir}/public"
upstream_hosts << "localhost"
end
directory "#{node['nginx']['dir']}/snippets" do
action :create
owner 'www-data'
@ -19,40 +30,30 @@ template "#{node['nginx']['dir']}/snippets/mastodon.conf" do
source 'nginx_conf_shared.erb'
owner 'www-data'
mode 0640
variables streaming_port: node["kosmos-mastodon"]["streaming_port"],
puma_port: node["kosmos-mastodon"]["puma_port"],
mastodon_path: mastodon_path
variables web_root_dir: web_root_dir,
server_name: server_name
notifies :reload, 'service[nginx]', :delayed
end
onion_address = File.read("/var/lib/tor/mastodon/hostname").strip rescue nil
nginx_certbot_site server_name
onion_address = File.read("/var/lib/tor/web/hostname").strip rescue nil rescue nil
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
source 'nginx_conf_mastodon.erb'
owner 'www-data'
mode 0640
variables server_name: server_name,
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem",
shared_config_path: "#{node['nginx']['dir']}/snippets/mastodon.conf",
onion_address: onion_address
variables server_name: server_name,
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem",
shared_config_path: "#{node['nginx']['dir']}/snippets/mastodon.conf",
app_port: node["kosmos-mastodon"]["app_port"],
streaming_port: node["kosmos-mastodon"]["streaming_port"],
onion_address: onion_address,
upstream_hosts: upstream_hosts
notifies :reload, 'service[nginx]', :delayed
end
# Legacy vhost
nginx_site "mastodon" do
action :disable
end
nginx_site server_name do
action :enable
end
nginx_certbot_site server_name
#
# Tor hidden service
#
# The attributes for the hidden service are set in attributes/default.rb, due
# to the way the tor-full cookbook builds the path to the hidden service dir
include_recipe "tor-full"

View File

@ -32,6 +32,9 @@ SMTP_FROM_ADDRESS=<%= @smtp_from_address %>
# Optional asset host for multi-server setups
# CDN_HOST=assets.example.com
# Serve static files (to nginx proxy)
RAILS_SERVE_STATIC_FILES=true
# S3 (optional)
S3_ENABLED=true
S3_BUCKET=<%= @s3_bucket %>

View File

@ -1,17 +1,24 @@
<% if @onion_address %>
server {
listen 80;
server_name mastodon.<%= @onion_address %>;
include <%= @shared_config_path %>;
}
upstream mastodon_app {
<% @upstream_hosts.each do |host| %>
server <%= host %>:<%= @app_port %>;
<% end %>
}
upstream mastodon_streaming {
<% @upstream_hosts.each do |host| %>
server <%= host %>:<%= @streaming_port %>;
<% end %>
}
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) %>
proxy_cache_path /var/cache/nginx/mastodon levels=1:2
keys_zone=mastodon_cache:10m
max_size=1g inactive=120m use_temp_path=off;
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
@ -22,11 +29,17 @@ server {
ssl_certificate_key <%= @ssl_key %>;
add_header Strict-Transport-Security "max-age=31536000";
<% if @onion_address %>
add_header Onion-Location https://mastodon.<%= @onion_address %>$request_uri;
}
<% end %>
}
<% if @onion_address %>
server {
listen 80;
server_name mastodon.<%= @onion_address %>;
include <%= @shared_config_path %>;
}
server {
listen 443 ssl http2;
server_name mastodon.<%= @onion_address %>;

View File

@ -6,7 +6,7 @@ keepalive_timeout 70;
sendfile on;
client_max_body_size 0;
root <%= @mastodon_path %>/public;
root <%= @web_root_dir %>;
gzip on;
gzip_disable "msie6";
@ -19,20 +19,21 @@ gzip_types text/plain text/css application/json application/javascript text/xml
location / {
# If the maintenance file is present, show maintenance page
if (-f <%= @mastodon_path %>/public/maintenance.html) {
if (-f <%= @web_root_dir %>/maintenance.html) {
return 503;
}
try_files $uri @proxy;
}
location /sw.js {
add_header Cache-Control "max-age=0, no-cache, no-store, must-revalidate";
add_header Pragma "no-cache";
try_files $uri @proxy;
}
location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
add_header Cache-Control "public, max-age=31536000, immutable";
proxy_cache mastodon_cache;
try_files $uri @proxy;
}
@ -44,7 +45,7 @@ location @proxy {
proxy_set_header Proxy "";
proxy_pass_header Server;
proxy_pass http://localhost:<%= @puma_port %>;
proxy_pass http://mastodon_app;
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
@ -61,7 +62,7 @@ location /api/v1/streaming {
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Proxy "";
proxy_pass http://localhost:<%= @streaming_port %>;
proxy_pass http://mastodon_streaming;
proxy_buffering off;
proxy_redirect off;
proxy_http_version 1.1;
@ -75,5 +76,5 @@ error_page 500 501 502 504 /500.html;
error_page 503 /maintenance.html;
location = /maintenance.html {
root <%= @mastodon_path %>/public;
root <%= @web_root_dir %>;
}