Initial kosmos-btcpayserver cookbook setting up an nginx reverse proxy

Closes #19

site-cookbooks/kosmos-btcpayserver/.gitignore

@@ -0,0 +1,22 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+.kitchen.local.yml
+
+# Chef
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json

site-cookbooks/kosmos-btcpayserver/Berksfile

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+source 'https://supermarket.chef.io'
+
+metadata

site-cookbooks/kosmos-btcpayserver/CHANGELOG.md

@@ -0,0 +1,7 @@
+# kosmos-btcpayserver CHANGELOG
+
+This file is used to list changes made in each version of the kosmos-btcpayserver cookbook.
+
+# 0.1.0
+
+Initial release.

site-cookbooks/kosmos-btcpayserver/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2019 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

site-cookbooks/kosmos-btcpayserver/README.md

@@ -0,0 +1,4 @@
+# kosmos-btcpayserver
+
+TODO: Enter the cookbook description here.
+

site-cookbooks/kosmos-btcpayserver/attributes/default.rb

@@ -0,0 +1,2 @@
+node.default["kosmos-btcpayserver"]["nginx"]["server_name"] = "btcpay.kosmos.org"
+node.default["kosmos-btcpayserver"]["port"] = 23001

site-cookbooks/kosmos-btcpayserver/chefignore

@@ -0,0 +1,104 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a chef-server or supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+Icon?
+nohup.out
+ehthumbs.db
+Thumbs.db
+
+# SASS #
+########
+.sass-cache
+
+# EDITORS #
+###########
+\#*
+.#*
+*~
+*.sw[a-z]
+*.bak
+REVISION
+TAGS*
+tmtags
+*_flymake.*
+*_flymake
+*.tmproj
+.project
+.settings
+mkmf.log
+
+## COMPILED ##
+##############
+a.out
+*.o
+*.pyc
+*.so
+*.com
+*.class
+*.dll
+*.exe
+*/rdoc/
+
+# Testing #
+###########
+.watchr
+.rspec
+spec/*
+spec/fixtures/*
+test/*
+features/*
+examples/*
+Guardfile
+Procfile
+.kitchen*
+kitchen.yml*
+.rubocop.yml
+spec/*
+Rakefile
+.travis.yml
+.foodcritic
+.codeclimate.yml
+
+# SCM #
+#######
+.git
+*/.git
+.gitignore
+.gitmodules
+.gitconfig
+.gitattributes
+.svn
+*/.bzr/*
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Cookbooks #
+#############
+CONTRIBUTING*
+CHANGELOG*
+TESTING*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

site-cookbooks/kosmos-btcpayserver/metadata.rb

@@ -0,0 +1,22 @@
+name 'kosmos-btcpayserver'
+maintainer 'Kosmos'
+maintainer_email 'mail@kosmos.org'
+license 'All Rights Reserved'
+description 'Installs/Configures kosmos-btcpayserver'
+long_description 'Installs/Configures kosmos-btcpayserver'
+version '0.1.0'
+chef_version '>= 13.0'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked.  A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com/<insert_org_here>/kosmos-btcpayserver/issues'
+
+# The `source_url` points to the development repository for this cookbook.  A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com/<insert_org_here>/kosmos-btcpayserver'
+depends "kosmos-nginx"
+depends "kosmos-base"

site-cookbooks/kosmos-btcpayserver/recipes/default.rb

@@ -0,0 +1,5 @@
+#
+# Cookbook:: kosmos-btcpayserver
+# Recipe:: default
+#
+# Copyright:: 2019, Kosmos Developers, All Rights Reserved.

site-cookbooks/kosmos-btcpayserver/recipes/proxy.rb

@@ -0,0 +1,34 @@
+#
+# Cookbook:: kosmos-btcpayserver
+# Recipe:: proxy
+#
+# Copyright:: 2019, Kosmos, All Rights Reserved.
+#
+include_recipe "kosmos-nginx"
+server_name = node["kosmos-btcpayserver"]["nginx"]["server_name"]
+
+template "#{node["nginx"]["dir"]}/sites-available/#{server_name}" do
+  source "nginx_conf_btcpayserver.erb"
+  owner node["nginx"]["user"]
+  mode 0640
+  variables btcpay_port: node["kosmos-btcpayserver"]["port"],
+            server_name: server_name,
+            ssl_cert:    "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
+            ssl_key:     "/etc/letsencrypt/live/#{server_name}/privkey.pem"
+  notifies :reload, "service[nginx]", :delayed
+end
+
+nginx_site server_name do
+  action :enable
+end
+
+nginx_certbot_site server_name
+
+unless node.chef_environment == "development"
+  include_recipe "firewall"
+  firewall_rule "btcpayserver" do
+    port     node["kosmos-btcpayserver"]["port"]
+    protocol :tcp
+    command  :allow
+  end
+end

site-cookbooks/kosmos-btcpayserver/templates/nginx_conf_btcpayserver.erb

@@ -0,0 +1,74 @@
+upstream _btcpayserver {
+  server localhost:<%= @btcpay_port %>;
+}
+
+# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
+# scheme used to connect to this server
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+  default $http_x_forwarded_proto;
+  ''      $scheme;
+}
+
+# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
+# server port the client connected to
+map $http_x_forwarded_port $proxy_x_forwarded_port {
+  default $http_x_forwarded_port;
+  ''      $server_port;
+}
+
+# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
+# Connection header that may have been passed to this server
+map $http_upgrade $proxy_connection {
+  default upgrade;
+  '' close;
+}
+
+# Set appropriate X-Forwarded-Ssl header
+map $scheme $proxy_x_forwarded_ssl {
+  default off;
+  https on;
+}
+
+# HTTP 1.1 support
+proxy_http_version 1.1;
+proxy_buffering off;
+proxy_set_header Host $http_host;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $proxy_connection;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
+proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
+
+# Mitigate httpoxy attack
+proxy_set_header Proxy "";
+
+server {
+  client_max_body_size 100M;
+  server_name <%= @server_name %>;
+  <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+  listen 443 ssl http2;
+  <% else -%>
+  listen 80;
+  <% end -%>
+
+  access_log <%= node[:nginx][:log_dir] %>/btcpayserver.access.log json;
+  error_log <%= node[:nginx][:log_dir] %>/btcpayserver.error.log warn;
+
+  ssl_prefer_server_ciphers on;
+  ssl_session_timeout 5m;
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_tickets off;
+
+  <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+  ssl_certificate <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  add_header Strict-Transport-Security "max-age=15768000";
+  <% end -%>
+
+  location / {
+    proxy_pass http://_btcpayserver;
+  }
+}