Merge branch 'master' into jammy_jellyfish

2023-12-05 14:21:55 +01:00
parent ee3b8a3fc1 1e9878d17e
commit 67244f78e1
33 changed files with 102 additions and 253 deletions
--- a/site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb
+++ b/site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb
@@ -26,7 +26,7 @@ set -euf -o pipefail
 #   Defaults to 30 seconds.
 #
 GANDI_API_KEY="<%= @gandi_api_key %>"
-PROVIDER_UPDATE_DELAY=2
+PROVIDER_UPDATE_DELAY=10

 regex='.*\.(.*\..*)'
 if [[ $CERTBOT_DOMAIN =~ $regex ]]
--- a/site-cookbooks/kosmos-mastodon/attributes/default.rb
+++ b/site-cookbooks/kosmos-mastodon/attributes/default.rb
@@ -1,5 +1,5 @@
 node.default["kosmos-mastodon"]["repo"]              = "https://gitea.kosmos.org/kosmos/mastodon.git"
-node.default["kosmos-mastodon"]["revision"]          = "kosmos-production"
+node.default["kosmos-mastodon"]["revision"]          = "production"
 node.default["kosmos-mastodon"]["directory"]         = "/opt/mastodon"
 node.default["kosmos-mastodon"]["bind_ip"]           = "127.0.0.1"
 node.default["kosmos-mastodon"]["app_port"]          = 3000
--- a/site-cookbooks/kosmos-mastodon/recipes/default.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/default.rb
@@ -3,6 +3,8 @@
 # Recipe:: default
 #

+node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_16.x"
+
 include_recipe "kosmos-nodejs"
 include_recipe "java"
 include_recipe 'redisio::default'
@@ -73,13 +75,12 @@ npm_package "yarn" do
  version "1.22.4"
 end

-ruby_version = "3.0.4"
-# ruby_version = "3.2.2"
+ruby_version = "3.0.6"

 ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
 bundle_path = "#{ruby_path}/bin/bundle"

-ruby_build_install 'v20230615'
+ruby_build_install 'v20231025'
 ruby_build_definition ruby_version do
  prefix_path ruby_path
 end
@@ -210,15 +211,7 @@ execute "yarn install" do
  environment deploy_env
  user mastodon_user
  cwd mastodon_path
-  command "yarn install --pure-lockfile"
-end
-
-execute "rake db:migrate" do
-  environment deploy_env
-  user mastodon_user
-  group mastodon_user
-  cwd mastodon_path
-  command "bundle exec rake db:migrate"
+  command "yarn install --frozen-lockfile"
 end

 execute "rake assets:precompile" do
@@ -229,6 +222,14 @@ execute "rake assets:precompile" do
  command "bundle exec rake assets:precompile"
 end

+execute "rake db:migrate" do
+  environment deploy_env
+  user mastodon_user
+  group mastodon_user
+  cwd mastodon_path
+  command "bundle exec rake db:migrate"
+end
+
 service "mastodon-web" do
  action [:enable, :start]
 end
--- a/site-cookbooks/kosmos-mastodon/templates/default/mastodon-sidekiq.systemd.service.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/mastodon-sidekiq.systemd.service.erb
@@ -8,7 +8,8 @@ Type=simple
 User=<%= @user %>
 WorkingDirectory=<%= @app_dir %>
 Environment="RAILS_ENV=production"
-Environment="DB_POOL=50"
+Environment="DB_POOL=<%= @sidekiq_threads %>"
+Environment="MALLOC_ARENA_MAX=2"
 Environment="LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
 ExecStart=<%= @bundle_path %> exec sidekiq -c <%= @sidekiq_threads %> -q default -q mailers -q pull -q push -q ingress
 TimeoutSec=15
--- a/site-cookbooks/kosmos-mastodon/templates/default/mastodon-streaming.systemd.service.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/mastodon-streaming.systemd.service.erb
@@ -8,9 +8,10 @@ WorkingDirectory=<%= @app_dir %>
 Environment="NODE_ENV=production"
 Environment="BIND=<%= @bind %>"
 Environment="PORT=<%= @port %>"
-ExecStart=/usr/bin/npm run start
+ExecStart=/usr/bin/node ./streaming
 TimeoutSec=15
 Restart=always
+LimitNOFILE=65536

 [Install]
 WantedBy=multi-user.target
--- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_shared.erb
@@ -15,7 +15,7 @@ gzip_proxied any;
 gzip_comp_level 6;
 gzip_buffers 16 8k;
 gzip_http_version 1.1;
-gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;

 location / {
 # If the maintenance file is present, show maintenance page
@@ -25,34 +25,60 @@ location / {
  try_files $uri @proxy;
 }

-location /sw.js {
-  add_header Cache-Control "max-age=0, no-cache, no-store, must-revalidate";
-  add_header Pragma "no-cache";
+location = /sw.js {
+  add_header Cache-Control "public, max-age=604800, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
  try_files $uri @proxy;
 }

-location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
-  add_header Cache-Control "public, max-age=31536000, immutable";
-  proxy_cache mastodon_cache;
+location ~ ^/assets/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
  try_files $uri @proxy;
 }

-location @proxy {
-  proxy_set_header Host $host;
-  proxy_set_header X-Real-IP $remote_addr;
-  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-  proxy_set_header X-Forwarded-Proto https;
-  proxy_set_header Proxy "";
-  proxy_pass_header Server;
+location ~ ^/avatars/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  try_files $uri @proxy;
+}

-  proxy_pass http://mastodon_app;
-  proxy_buffering off;
-  proxy_redirect off;
-  proxy_http_version 1.1;
-  proxy_set_header Upgrade $http_upgrade;
-  proxy_set_header Connection $connection_upgrade;
+location ~ ^/emoji/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  try_files $uri @proxy;
+}

-  tcp_nodelay on;
+location ~ ^/headers/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  try_files $uri @proxy;
+}
+
+location ~ ^/packs/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  try_files $uri @proxy;
+}
+
+location ~ ^/shortcuts/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  try_files $uri @proxy;
+}
+
+location ~ ^/sounds/ {
+  add_header Cache-Control "public, max-age=2419200, must-revalidate";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  try_files $uri @proxy;
+}
+
+location ~ ^/system/ {
+  add_header Cache-Control "public, max-age=2419200, immutable";
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+  add_header X-Content-Type-Options nosniff;
+  add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
+  try_files $uri @proxy;
 }

 location /api/v1/streaming {
@@ -72,6 +98,24 @@ location /api/v1/streaming {
  tcp_nodelay on;
 }

+location @proxy {
+  proxy_set_header Host $host;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded-Proto https;
+  proxy_set_header Proxy "";
+  proxy_pass_header Server;
+
+  proxy_pass http://mastodon_app;
+  proxy_buffering on;
+  proxy_redirect off;
+  proxy_http_version 1.1;
+  proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection $connection_upgrade;
+
+  tcp_nodelay on;
+}
+
 error_page 500 501 502 504 /500.html;
 error_page 503 /maintenance.html;

--- a/site-cookbooks/kosmos_garage/attributes/default.rb
+++ b/site-cookbooks/kosmos_garage/attributes/default.rb
@@ -10,3 +10,4 @@ node.default['garage']['s3_api_root_domain'] = '.s3.garage.localhost'
 node.default['garage']['s3_web_root_domain'] = '.web.garage.localhost'
 node.default['garage']['s3_web_domains']     = []
 node.default['garage']['xmpp_upload_bucket'] = nil
+node.default['garage']['max_part_upload_size_mb'] = 101
--- a/site-cookbooks/kosmos_garage/recipes/nginx_s3.rb
+++ b/site-cookbooks/kosmos_garage/recipes/nginx_s3.rb
@@ -17,6 +17,7 @@ openresty_site domain_name do
  variables server_name: "#{domain_name} #{server_name}",
            domain_name: domain_name,
            xmpp_upload_bucket: node['garage']['xmpp_upload_bucket'],
+            max_part_upload_size_mb: node['garage']["max_part_upload_size_mb"],
            ssl_cert:    "/etc/letsencrypt/live/#{domain_name}/fullchain.pem",
            ssl_key:     "/etc/letsencrypt/live/#{domain_name}/privkey.pem"
 end
--- a/site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb
+++ b/site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb
@@ -16,6 +16,8 @@ server {

  error_page 401 403 404 500 /__empty-page.html;

+  client_max_body_size <%= @max_part_upload_size_mb %>m;
+
  location = /__empty-page.html {
    internal;
    return 200 "";
--- a/site-cookbooks/kosmos_gitea/attributes/default.rb
+++ b/site-cookbooks/kosmos_gitea/attributes/default.rb
@@ -1,7 +1,7 @@
-gitea_version = "1.20.3"
+gitea_version = "1.20.5"
 node.default["gitea"]["version"] = gitea_version
 node.default["gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
-node.default["gitea"]["binary_checksum"] = "bf9415d5f25690b81443302e6c68c16509c74e0b1385297c75a5b4913e43afd7"
+node.default["gitea"]["binary_checksum"] = "ae8d21f36098a62272fcfa67ecbb567d0ba6cf5aecaaab29a6b98a407d435bdf"
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"
--- a/site-cookbooks/kosmos_kvm/files/backup_vm.sh
+++ b/site-cookbooks/kosmos_kvm/files/backup_vm.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 # GENERATED BY CHEF
 # DO NOT EDIT
-set -e

 REPOSITORY=$BORG_REPO

@@ -18,6 +17,7 @@ virsh snapshot-create-as --domain $1  \
        --disk-only           \
        --diskspec vda,snapshot=external

+# TODO report failures
 borg create -v $REPOSITORY::$1_$(date +%F_%H-%M) \
        /var/lib/libvirt/images/$1.qcow2  \
        /root/backups/vm_meta/$1.xml
--- a/site-cookbooks/kosmos_kvm/templates/backup_all_vms.sh.erb
+++ b/site-cookbooks/kosmos_kvm/templates/backup_all_vms.sh.erb
@@ -1,14 +1,12 @@
 #!/bin/bash
 # GENERATED BY CHEF
 # DO NOT EDIT
-set -e

 echo "Backing up all VMs with kvm_guest chef role..."

 for domain in <%= @vm_domains.join(" ") %>
 do
-  /root/backups/backup_vm.sh $domain
-  /root/backups/prune_vm_backups.sh $domain
+  /root/backups/backup_vm.sh $domain && /root/backups/prune_vm_backups.sh $domain
  # TODO Enable this when upgrading borg to 1.2
  # borg compact $BORG_REPO
 done
--- a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
+++ b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
@@ -26,12 +26,16 @@ server {
      return 204;
    }

+    proxy_pass http://_<%= @upstream_name %>;
+
+    proxy_redirect off;
+    proxy_next_upstream error timeout invalid_header http_500;
+    proxy_connect_timeout 2;
+
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
-    proxy_redirect off;
-    proxy_pass http://_<%= @upstream_name %>;
   }

  ssl_certificate <%= @ssl_cert %>;