diff --git a/README.md b/README.md index 7ff3f92..31772d0 100644 --- a/README.md +++ b/README.md @@ -44,3 +44,14 @@ Install cookbooks listed in Berksfile: Vendor installed cookbooks to the `cookbooks/` dir: berks vendor cookbooks/ --delete + +### "Expired" TLS certificates + +If you encounter expired TLS certificates during a Chef run (e.g. for remote +files), the issue is likely that the certificate has been issued by Let's +Encrypt and Chef is still using its own, outdated CA cert store (see +[here](https://github.com/chef/chef/issues/12126#issuecomment-932067530) for +example). + +As a hotfix, you can manually remove the "DST Root CA X3" cert from +`/opt/chef/embedded/ssl/cert.pem` on the machine you're trying to converge. diff --git a/clients/postgres-4.json b/clients/postgres-4.json new file mode 100644 index 0000000..eed891f --- /dev/null +++ b/clients/postgres-4.json @@ -0,0 +1,4 @@ +{ + "name": "postgres-4", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu6fPxOZeKloF/EgYvU0k\nOwv8bJjsCQcWaMTPle5//mRTszA6PM2z9RI+Mfr45qxTlsL9pQY8WJOWF6QOK31x\nszuqcr7oOjtAhrLI8f/oNDEDjcx325FqG9gNKQEAD7d4zodh+PhDe6x7GIyIS7lG\nIcD5Zre9iDwv8FGLR+5GLqS8SJOPL/wJkQ8w+N0f8YDFw81kiTta5NLhAx3fMDs0\n2kmoNlbmKlNZTtLjCfCV+/pa9oY6wycjck3GvobiFE/4cWaNkeGlPc+uAwlfmrOv\nHy0tq1XBX/BCvE5kMXmhnMT23JXjm2s2PgCLgEVGAXilXk/T597KDm+z4oBpAQma\nnQIDAQAB\n-----END PUBLIC KEY-----\n" +} \ No newline at end of file diff --git a/clients/rsk-mainnet-1.json b/clients/rsk-mainnet-1.json new file mode 100644 index 0000000..7422123 --- /dev/null +++ b/clients/rsk-mainnet-1.json 
@@ -0,0 +1,4 @@ +{ + "name": "rsk-mainnet-1", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtavs6RQW6af9fWuEuhI1\nQa4Ff7Z1CfZ0fHz152UqUeUKatQ/psKVs5ULWDV/b69fSuNsUzkCny9OwtwyQB/F\n2U+vbv3/3As3z6i3V3q8q4ahCHd7tkMmxMLaWcdkfWbpupWTRkCEX+PSDKS0hdfp\n3EQKVA2FrqR0sSnnT+Q66kZw4/WJrNwtSLcps4D5OubG7xr/uUn3Vyv5qXvS/7kx\nGvMONs55qh64Gtc3FSFPEdVyZXasCMEWwXyadqzf+/qJtEYlK0Uy5E/u7CTsnmcH\n9TEiYVw0/6PomQ2HJfSlZVUUO007OliBHO9bWOwZ6qI5c53pt5KES0dyy6SQ4m+8\nawIDAQAB\n-----END PUBLIC KEY-----\n" +} \ No newline at end of file diff --git a/clients/rsk-testnet-2.json b/clients/rsk-testnet-2.json new file mode 100644 index 0000000..2739bd0 --- /dev/null +++ b/clients/rsk-testnet-2.json @@ -0,0 +1,4 @@ +{ + "name": "rsk-testnet-2", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzG2bgL0n5Q7bTR4WYHOB\nZNOuRem/jjarU/bL0VKKn0JqD3PPDAnhq9gRn7H8SwyGoVFN60YGzu45O4c+SqN3\nCXN+FeFabigH2tKLxBz3kNDYTT/F1ErLLi/6ydrCV3tpddR5KTqLSOntojG8KNzc\nyG4rMV9ebCE1wDVxAFdEA+YDZS8YjP0nO5sLWFacA0ZTx27t5ugqZP1acjSvKzWs\nZ+ekX5Pbws/oUHyaqEEPdz7er4MTBm0bdkCHZbM7132oBcH/huJZhmTXFEdoy4ML\nhP4MWWSvwo66HDYjnaID82a8W1RJZZu2irbPHrfVlaFAh8VQk1T1kkUu0bMovT3V\nYQIDAQAB\n-----END PUBLIC KEY-----\n" +} \ No newline at end of file diff --git a/doc/backups.md b/doc/backups.md new file mode 100644 index 0000000..4486d50 --- /dev/null +++ b/doc/backups.md 
@@ -0,0 +1,21 @@
+Backup
+======
+
+## Backup gem
+
+Backups are stored on AWS S3, in the `kosmos-dev-backups` bucket.
+
+The S3 credentials as well as the backup password are stored in the
+`credentials` data bag under the `backup` item.
+
+### Restore
+
+To decrypt a backup archive, use the following command:
+
+ openssl aes-256-cbc -d -base64 -pbkdf2 -in my_backup.tar.enc -out my_backup.tar
+
+If you get an error message along the lines of "bad decrypt", the archive was
+likely encrypted before we switched the key derivation scheme. Try without
+`-pbkdf2` in this case:
+
+ openssl aes-256-cbc -d -base64 -in my_backup.tar.enc -out my_backup.tar
diff --git a/nodes/akkounts-1.json b/nodes/akkounts-1.json
index 411d304..1168a2d 100644
--- a/nodes/akkounts-1.json
+++ b/nodes/akkounts-1.json
@@ -8,7 +8,7 @@
 "automatic": {
 "fqdn": "akkounts-1",
 "os": "linux",
- "os_version": "5.4.0-54-generic",
+ "os_version": "5.4.0-90-generic",
 "hostname": "akkounts-1",
 "ipaddress": "192.168.122.160",
 "roles": [
@@ -18,7 +18,7 @@
 "recipes": [
 "kosmos-base",
 "kosmos-base::default",
- "kosmos-postgresql::hostsfile",
+ "kosmos_postgresql::hostsfile",
 "kosmos-akkounts",
 "kosmos-akkounts::default",
 "kosmos-akkounts::nginx",
diff --git a/nodes/centaurus.kosmos.org.json b/nodes/centaurus.kosmos.org.json
index 70f42cc..325d48f 100644
--- a/nodes/centaurus.kosmos.org.json
+++ b/nodes/centaurus.kosmos.org.json
@@ -33,6 +33,8 @@
 "kosmos_assets::nginx_site",
 "kosmos_kvm::host",
 "kosmos-ejabberd::firewall",
+ "kosmos_website",
+ "kosmos_website::default",
 "kosmos_zerotier::firewall",
 "sockethub::_firewall",
 "apt::default",
@@ -86,6 +88,7 @@
 "recipe[kosmos_assets::nginx_site]",
 "recipe[kosmos_kvm::host]",
 "recipe[kosmos-ejabberd::firewall]",
+ "recipe[kosmos_website::default]",
 "recipe[kosmos_zerotier::firewall]",
 "recipe[sockethub::_firewall]"
 ]
diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json
new file mode 100644
index 0000000..853710e
--- /dev/null
+++ b/nodes/fornax.kosmos.org.json
@@ -0,0 +1,54 @@
+{
+ "name": "fornax.kosmos.org",
+ "normal": {
+ "knife_zero": {
+ "host": "fornax.kosmos.org"
+ }
+ },
+ "automatic": {
+ "fqdn": "fornax.kosmos.org",
+ "os": "linux",
+ "os_version": "5.4.0-88-generic",
+ "hostname": "fornax",
+ "ipaddress": "148.251.83.201",
+ "roles": [
+
+ ],
+ "recipes": [
+ "kosmos-base",
+ "kosmos-base::default",
+ "kosmos_kvm::host",
+ "apt::default",
+ "timezone_iii::default",
+ "timezone_iii::debian",
+ "ntp::default",
+ "kosmos-base::systemd_emails",
+ "apt::unattended-upgrades",
+ "kosmos-base::firewall",
+ "kosmos-postfix::default",
+ "postfix::default",
+ "postfix::_common",
+ "postfix::_attributes",
+ "postfix::sasl_auth",
+ "hostname::default"
+ ],
+ "platform": "ubuntu",
+ "platform_version": "20.04",
+ "cloud": null,
+ "chef_packages": {
+ "chef": {
+ "version": "17.5.22",
+ "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.5.22/lib",
+ "chef_effortless": null
+ },
+ "ohai": {
+ "version": "17.5.2",
+ "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.5.2/lib/ohai"
+ }
+ }
+ },
+ "run_list": [
+ "recipe[kosmos-base]",
+ "recipe[kosmos_kvm::host]"
+ ]
+}
\ No newline at end of file
diff --git a/nodes/nodejs-2.json b/nodes/nodejs-2.json
index 241fb7e..67f0e7d 100644
--- a/nodes/nodejs-2.json
+++ b/nodes/nodejs-2.json
@@ -8,7 +8,7 @@
 "automatic": {
 "fqdn": "nodejs-2",
 "os": "linux",
- "os_version": "5.4.0-1045-kvm",
+ "os_version": "5.4.0-1049-kvm",
 "hostname": "nodejs-2",
 "ipaddress": "192.168.122.243",
 "roles": [
diff --git a/nodes/postgres-2.json b/nodes/postgres-2.json
index cd48a8c..89bcc85 100644
--- a/nodes/postgres-2.json
+++ b/nodes/postgres-2.json
@@ -8,17 +8,17 @@
 "automatic": {
 "fqdn": "postgres-2",
 "os": "linux",
- "os_version": "5.4.0-64-generic",
+ "os_version": "5.4.0-77-generic",
 "hostname": "postgres-2",
 "ipaddress": "192.168.122.244",
 "roles": [
- "postgresql_replica"
+ "postgresql_primary"
 ],
 "recipes": [
 "kosmos-base",
 "kosmos-base::default",
- "kosmos-postgresql::replica",
- "kosmos-postgresql::firewall",
+ "kosmos_postgresql::primary",
+ "kosmos_postgresql::firewall",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
@@ -52,4 +52,4 @@
 "recipe[kosmos-base]",
 "role[postgresql_primary]"
 ]
-}
+}
\ No newline at end of file
diff --git a/nodes/postgres-4.json b/nodes/postgres-4.json
new file mode 100644
index 0000000..77e5a0f
--- /dev/null
+++ b/nodes/postgres-4.json
@@ -0,0 +1,57 @@
+{
+ "name": "postgres-4",
+ "normal": {
+ "knife_zero": {
+ "host": "10.1.1.107"
+ }
+ },
+ "automatic": {
+ "fqdn": "postgres-4",
+ "os": "linux",
+ "os_version": "5.4.0-91-generic",
+ "hostname": "postgres-4",
+ "ipaddress": "192.168.122.3",
+ "roles": [
+ "postgresql_replica"
+ ],
+ "recipes": [
+ "kosmos-base",
+ "kosmos-base::default",
+ "kosmos_postgresql::hostsfile",
+ "kosmos_postgresql::replica",
+ "kosmos_postgresql::firewall",
+ "apt::default",
+ "timezone_iii::default",
+ "timezone_iii::debian",
+ "ntp::default",
+ "ntp::apparmor",
+ "kosmos-base::systemd_emails",
+ "apt::unattended-upgrades",
+ "kosmos-base::firewall",
+ "kosmos-postfix::default",
+ "postfix::default",
+ "postfix::_common",
+ "postfix::_attributes",
+ "postfix::sasl_auth",
+ "hostname::default"
+ ],
+ "platform": "ubuntu",
+ "platform_version": "20.04",
+ "cloud": null,
+ "chef_packages": {
+ "chef": {
+ "version": "17.7.29",
+ "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.7.29/lib",
+ "chef_effortless": null
+ },
+ "ohai": {
+ "version": "17.7.8",
+ "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.7.8/lib/ohai"
+ }
+ }
+ },
+ "run_list": [
+ "recipe[kosmos-base]",
+ "role[postgresql_replica]"
+ ]
+}
\ No newline at end of file
diff --git a/nodes/rsk-mainnet-1.json b/nodes/rsk-mainnet-1.json
new file mode 100644
index 0000000..efc92a3
--- /dev/null
+++ b/nodes/rsk-mainnet-1.json
@@ -0,0 +1,57 @@
+{
+ "name": "rsk-mainnet-1",
+ "normal": {
+ "knife_zero": {
+ "host": "10.1.1.137"
+ }
+ },
+ "automatic": {
+ "fqdn": "rsk-mainnet-1",
+ "os": "linux",
+ "os_version": "5.4.0-1048-kvm",
+ "hostname": "rsk-mainnet-1",
+ "ipaddress": "192.168.122.233",
+ "roles": [
+ "rsk_mainnet"
+ ],
+ "recipes": [
+ "kosmos-base",
+ "kosmos-base::default",
+ "kosmos_rsk::rskj",
+ "apt::default",
+ "timezone_iii::default",
+ "timezone_iii::debian",
+ "ntp::default",
+ "ntp::apparmor",
+ "kosmos-base::systemd_emails",
+ "apt::unattended-upgrades",
+ "kosmos-base::firewall",
+ "kosmos-postfix::default",
+ "postfix::default",
+ "postfix::_common",
+ "postfix::_attributes",
+ "postfix::sasl_auth",
+ "hostname::default",
+ "firewall::default",
+ "chef-sugar::default"
+ ],
+ "platform": "ubuntu",
+ "platform_version": "20.04",
+ "cloud": null,
+ "chef_packages": {
+ "chef": {
+ "version": "17.6.18",
+ "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18/lib",
+ "chef_effortless": null
+ },
+ "ohai": {
+ "version": "17.6.0",
+ "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.6.0/lib/ohai"
+ }
+ }
+ },
+ "run_list": [
+ "recipe[kosmos-base]",
+ "role[rsk_mainnet]"
+ ]
+}
\ No newline at end of file
diff --git a/nodes/rsk-testnet-2.json b/nodes/rsk-testnet-2.json
new file mode 100644
index 0000000..5735317
--- /dev/null
+++ b/nodes/rsk-testnet-2.json
@@ -0,0 +1,57 @@
+{
+ "name": "rsk-testnet-2",
+ "normal": {
+ "knife_zero": {
+ "host": "10.1.1.214"
+ }
+ },
+ "automatic": {
+ "fqdn": "rsk-testnet-2",
+ "os": "linux",
+ "os_version": "5.4.0-1048-kvm",
+ "hostname": "rsk-testnet-2",
+ "ipaddress": "192.168.122.29",
+ "roles": [
+ "rsk_testnet"
+ ],
+ "recipes": [
+ "kosmos-base",
+ "kosmos-base::default",
+ "kosmos_rsk::rskj",
+ "apt::default",
+ "timezone_iii::default",
+ "timezone_iii::debian",
+ "ntp::default",
+ "ntp::apparmor",
+ "kosmos-base::systemd_emails",
+ "apt::unattended-upgrades",
+ "kosmos-base::firewall",
+ "kosmos-postfix::default",
+ "postfix::default",
+ "postfix::_common",
+ "postfix::_attributes",
+ "postfix::sasl_auth",
+ "hostname::default",
+ "firewall::default",
+ "chef-sugar::default"
+ ],
+ "platform": "ubuntu",
+ "platform_version": "20.04",
+ "cloud": null,
+ "chef_packages": {
+ "chef": {
+ "version": "17.6.18",
+ "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.6.18/lib",
+ "chef_effortless": null
+ },
+ "ohai": {
+ "version": "17.6.0",
+ "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.6.0/lib/ohai"
+ }
+ }
+ },
+ "run_list": [
+ "recipe[kosmos-base]",
+ "role[rsk_testnet]"
+ ]
+}
\ No newline at end of file
diff --git a/roles/parity.rb b/roles/parity.rb
deleted file mode 100644
index 69e1f1a..0000000
--- a/roles/parity.rb
+++ /dev/null
@@ -1,6 +0,0 @@
-name 'parity'
-
-run_list %w(
- recipe[kosmos-parity::from_package]
- recipe[kosmos-parity::node_dev]
-)
diff --git a/roles/postgresql_client.rb b/roles/postgresql_client.rb
index 96b5418..f2fbb71 100644
--- a/roles/postgresql_client.rb
+++ b/roles/postgresql_client.rb
@@ -3,5 +3,5 @@ name "postgresql_client"
 run_list %w(
- kosmos-postgresql::hostsfile
+ kosmos_postgresql::hostsfile
 )
diff --git a/roles/postgresql_primary.rb b/roles/postgresql_primary.rb
index ba5e5be..58ef4b7 100644
--- a/roles/postgresql_primary.rb
+++ b/roles/postgresql_primary.rb
@@ -1,6 +1,6 @@ name "postgresql_primary" run_list %w( - kosmos-postgresql::primary - kosmos-postgresql::firewall + kosmos_postgresql::primary + kosmos_postgresql::firewall ) diff --git a/roles/postgresql_replica.rb b/roles/postgresql_replica.rb index 6d73f31..099291d 100644 --- a/roles/postgresql_replica.rb +++ b/roles/postgresql_replica.rb @@ -1,7 +1,7 @@ name "postgresql_replica" run_list %w( - kosmos-postgresql::hostsfile - kosmos-postgresql::replica - kosmos-postgresql::firewall + kosmos_postgresql::hostsfile + kosmos_postgresql::replica + kosmos_postgresql::firewall ) diff --git a/roles/rsk_mainnet.rb b/roles/rsk_mainnet.rb new file mode 100644 index 0000000..cfa58c1 --- /dev/null +++ b/roles/rsk_mainnet.rb @@ -0,0 +1,11 @@ +name "rsk_mainnet" + +run_list %w( + kosmos_rsk::rskj +) + +override_attributes( + :rskj => { + :network => "mainnet" + } +) diff --git a/roles/rsk_testnet.rb b/roles/rsk_testnet.rb new file mode 100644 index 0000000..281b45d --- /dev/null +++ b/roles/rsk_testnet.rb @@ -0,0 +1,5 @@ +name "rsk_testnet" + +run_list %w( + kosmos_rsk::rskj +) diff --git a/site-cookbooks/backup/recipes/default.rb b/site-cookbooks/backup/recipes/default.rb index a0aa1f7..564bcaf 100644 --- a/site-cookbooks/backup/recipes/default.rb +++ b/site-cookbooks/backup/recipes/default.rb @@ -32,6 +32,8 @@ gem_package 'backup' do version '5.0.0.beta.2' end +smtp_credentials = Chef::EncryptedDataBagItem.load('credentials', 'smtp') + backup_data = Chef::EncryptedDataBagItem.load('credentials', 'backup') backup_dir = node["backup"]["dir"] directory backup_dir 
@@ -46,8 +48,12 @@ template "#{backup_dir}/config.rb" do s3_secret_access_key: backup_data["s3_secret_access_key"], s3_region: backup_data["s3_region"], encryption_password: backup_data["encryption_password"], + mail_from: "backups@kosmos.org", mail_to: "ops@5apps.com", - mail_from: "backups@kosmos.org" + mail_address: 'smtp.mailgun.org', + mail_domain: 'kosmos.org', + mail_user_name: smtp_credentials["user_name"], + mail_password: smtp_credentials["password"] end template "#{backup_dir}/models/default.rb" do diff --git a/site-cookbooks/backup/templates/default/config.rb.erb b/site-cookbooks/backup/templates/default/config.rb.erb index 1123f80..c5f9f64 100644 --- a/site-cookbooks/backup/templates/default/config.rb.erb +++ b/site-cookbooks/backup/templates/default/config.rb.erb @@ -6,6 +6,18 @@ # Documentation: http://backup.github.io/backup # Issue Tracker: https://github.com/backup/backup/issues +# +# Monkey patch to not use deprecated key derivation scheme +# https://github.com/backup/backup/issues/949#issuecomment-589883577 +# +module OpenSSLFixDeprecatedKeyDerivation + def options + super + ' -pbkdf2' + end +end +require 'backup/encryptor/open_ssl' +Backup::Encryptor::OpenSSL.prepend(OpenSSLFixDeprecatedKeyDerivation) + Storage::S3.defaults do |s3| s3.access_key_id = "<%= @s3_access_key_id %>" s3.secret_access_key = "<%= @s3_secret_access_key %>" @@ -22,7 +34,13 @@ end Notifier::Mail.defaults do |mail| mail.from = "<%= node.name %> <<%= @mail_from %>>" mail.to = "<%= @mail_to %>" - mail.delivery_method = :sendmail + mail.address = "<%= @mail_address %>" + mail.domain = "<%= @mail_domain %>" + mail.user_name = "<%= @mail_user_name %>" + mail.password = "<%= @mail_password %>" + mail.port = <%= @mail_port || 587 %> + mail.authentication = "<%= @mail_authentication || 'plain' %>" + mail.encryption = <%= @mail_encryption || ':starttls' %> end <%- if node["backup"]["mongodb"] -%> 
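Review bot: The SMTP password from `smtp_credentials["password"]` is now rendered into `#{backup_dir}/config.rb` next to the S3 secret and the encryption password, and nothing in this hunk shows whether the template resource carries `sensitive true` or a restrictive `mode` — without `sensitive true` Chef prints the rendered diff, credentials included, in the converge log. The resource's opening line (`template "#{backup_dir}/config.rb" do`) and any such settings are above the hunk, so please confirm they are there; if not, add `sensitive true` and `mode "0600"`. Separately, `mail_address: 'smtp.mailgun.org'` and `mail_domain: 'kosmos.org'` are hard-coded literals while the template accepts overridable port/authentication/encryption values; moving host and domain to `node["backup"]` attributes next to `node["backup"]["dir"]` would keep the mail settings in one place.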
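Review bot: `mail.encryption = <%= @mail_encryption || ':starttls' %>` makes opportunistic STARTTLS the default; as far as I recall the Backup gem's Notifier::Mail maps `:starttls` to the mail gem's `enable_starttls_auto`, so if the SMTP endpoint ever fails to advertise STARTTLS the newly added `mail.user_name`/`mail.password` are sent in the clear on port 587. Worth checking the gem version pinned in the recipe (`5.0.0.beta.2`) for a required-STARTTLS or `:tls`-on-465 option and using that as the default instead. In the earlier hunk of this file, `module OpenSSLFixDeprecatedKeyDerivation` changes the cipher arguments for every new archive but the compatibility caveat lives only in doc/backups.md; a comment above the module such as `# Archives made before this patch must be decrypted without -pbkdf2 (see doc/backups.md)` would keep that knowledge next to the code.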
@@ -75,7 +93,7 @@ preconfigure 'KosmosBackup' do encrypt_with OpenSSL notify_by Mail do |mail| mail.on_success = false - mail.on_warning = false + mail.on_warning = true mail.on_failure = true end end diff --git a/site-cookbooks/kosmos-akkounts/metadata.rb b/site-cookbooks/kosmos-akkounts/metadata.rb index 695ce6b..538869f 100644 --- a/site-cookbooks/kosmos-akkounts/metadata.rb +++ b/site-cookbooks/kosmos-akkounts/metadata.rb @@ -14,5 +14,5 @@ depends "poise-ruby-build" depends "application" depends 'application_git' depends "postgresql" -depends "kosmos-postgresql" +depends "kosmos_postgresql" depends "backup" diff --git a/site-cookbooks/kosmos-ejabberd/Berksfile b/site-cookbooks/kosmos-ejabberd/Berksfile index 8c1347f..abfa26f 100644 --- a/site-cookbooks/kosmos-ejabberd/Berksfile +++ b/site-cookbooks/kosmos-ejabberd/Berksfile @@ -2,5 +2,5 @@ source 'https://supermarket.chef.io' source chef_repo: ".." -cookbook "kosmos-postgresql", path: "../kosmos-postgresql" +cookbook "kosmos_postgresql", path: "../kosmos_postgresql" metadata diff --git a/site-cookbooks/kosmos-ejabberd/metadata.rb b/site-cookbooks/kosmos-ejabberd/metadata.rb index 6e90702..0131259 100644 --- a/site-cookbooks/kosmos-ejabberd/metadata.rb +++ b/site-cookbooks/kosmos-ejabberd/metadata.rb @@ -20,9 +20,9 @@ chef_version '>= 12.14' if respond_to?(:chef_version) # source_url 'https://github.com//kosmos-ejabberd' depends "kosmos-base" -depends "kosmos-postgresql" depends "kosmos-nginx" depends "kosmos-dirsrv" +depends "kosmos_postgresql" depends "backup" depends "firewall" depends "tor-full" diff --git a/site-cookbooks/kosmos-mastodon/metadata.rb b/site-cookbooks/kosmos-mastodon/metadata.rb index 5617289..5885e4e 100644 --- a/site-cookbooks/kosmos-mastodon/metadata.rb +++ b/site-cookbooks/kosmos-mastodon/metadata.rb 
@@ -13,7 +13,7 @@ depends "poise-ruby-build" depends "application" depends "application_git" depends "postgresql" -depends "kosmos-postgresql" +depends "kosmos_postgresql" depends "backup" depends "elasticsearch" depends "tor-full" diff --git a/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb b/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb index 9d9c0b6..8dc974e 100644 --- a/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb +++ b/site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb @@ -1,4 +1,5 @@ resource_name :nginx_certbot_site +provides :nginx_certbot_site property :domain, String, name_property: true # pass it if the site name is not the same as the hostname, for example for the diff --git a/site-cookbooks/kosmos-postgresql/CHANGELOG.md b/site-cookbooks/kosmos-postgresql/CHANGELOG.md deleted file mode 100644 index 20e9a6a..0000000 --- a/site-cookbooks/kosmos-postgresql/CHANGELOG.md +++ /dev/null @@ -1,5 +0,0 @@ -# kosmos-postgresql CHANGELOG - -# 0.1.0 - -Initial release. diff --git a/site-cookbooks/kosmos_drone/recipes/default.rb b/site-cookbooks/kosmos_drone/recipes/default.rb index f8629fc..a0a2017 100644 --- a/site-cookbooks/kosmos_drone/recipes/default.rb +++ b/site-cookbooks/kosmos_drone/recipes/default.rb 
@@ -2,27 +2,6 @@ # Cookbook:: kosmos_drone # Recipe:: default # -# The MIT License (MIT) -# -# Copyright:: 2020, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. package "docker-compose" domain = "drone.kosmos.org" diff --git a/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb b/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb index 7854ce8..049a061 100644 --- a/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb +++ b/site-cookbooks/kosmos_drone/templates/docker-compose.yml.erb @@ -2,7 +2,7 @@ version: '3' services: drone-server: - image: drone/drone:1 + image: drone/drone:2.5 ports: - "<%= @upstream_port %>:80" @@ -19,7 +19,7 @@ services: - DRONE_RPC_SECRET=<%= @rpc_secret %> drone-runner: - image: drone/drone-runner-docker:1 + image: drone/drone-runner-docker:1.8 command: agent restart: always 
diff --git a/site-cookbooks/kosmos_gitea/attributes/default.rb b/site-cookbooks/kosmos_gitea/attributes/default.rb index 5ede51d..a2d7925 100644 --- a/site-cookbooks/kosmos_gitea/attributes/default.rb +++ b/site-cookbooks/kosmos_gitea/attributes/default.rb @@ -1,6 +1,6 @@ -gitea_version = "1.14.6" +gitea_version = "1.15.6" node.default["kosmos_gitea"]["version"] = gitea_version node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64" -node.default["kosmos_gitea"]["binary_checksum"] = "20cc0a89421695320b077c9fe4f16996f03aaf9d24f661f8d2255794551c849b" +node.default["kosmos_gitea"]["binary_checksum"] = "1b7473b5993e07b33fec58edbc1a90f15f040759ca4647e97317c33d5dfe58be" node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org" node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea" diff --git a/site-cookbooks/kosmos_gitea/metadata.rb b/site-cookbooks/kosmos_gitea/metadata.rb index 9ceba2a..6b690ce 100644 --- a/site-cookbooks/kosmos_gitea/metadata.rb +++ b/site-cookbooks/kosmos_gitea/metadata.rb @@ -20,5 +20,5 @@ chef_version '>= 14.0' # source_url 'https://github.com//kosmos_gitea' depends "kosmos-nginx" -depends "kosmos-postgresql" +depends "kosmos_postgresql" depends "backup" diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb index 22d148e..9a2bddf 100644 --- a/site-cookbooks/kosmos_gitea/recipes/default.rb +++ b/site-cookbooks/kosmos_gitea/recipes/default.rb @@ -76,7 +76,7 @@ template "#{config_directory}/app.ini" do source "app.ini.erb" owner "git" group "git" - mode "0640" + mode "0600" sensitive true variables working_directory: working_directory, git_home_directory: git_home_directory, diff --git a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb index 04eab6e..e013a0d 100644 --- a/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb 
+++ b/site-cookbooks/kosmos_gitea/templates/default/app.ini.erb @@ -46,6 +46,7 @@ PASSWD = <%= @smtp_password %> [oauth2] JWT_SECRET = <%= @jwt_secret %> +JWT_SIGNING_ALGORITHM = HS256 [security] INTERNAL_TOKEN = <%= @internal_token %> diff --git a/site-cookbooks/kosmos_kvm/recipes/host.rb b/site-cookbooks/kosmos_kvm/recipes/host.rb index a89f7eb..1d611bd 100644 --- a/site-cookbooks/kosmos_kvm/recipes/host.rb +++ b/site-cookbooks/kosmos_kvm/recipes/host.rb @@ -2,34 +2,13 @@ # Cookbook:: kosmos_kvm # Recipe:: host # -# The MIT License (MIT) -# -# Copyright:: 2020, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. package %w(virtinst libvirt-daemon-system) directory "/var/lib/libvirt/images/base" do recursive true owner "libvirt-qemu" - group "root" + group "kvm" mode "0750" end 
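Review bot: `JWT_SIGNING_ALGORITHM = HS256` is added without a comment saying why; since this commit also bumps Gitea to 1.15.6 (attributes/default.rb), I assume it pins the symmetric algorithm so the existing `JWT_SECRET` keeps working after the upgrade (I believe 1.15 changed the default algorithm). A comment above the line, `; keep HS256 so JWT_SECRET above stays valid after the 1.15 upgrade`, would record that. With HS256 the OAuth2 token security rests entirely on the entropy of `@jwt_secret`, so the value in the data bag should be a long random string — worth confirming.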
@@ -37,7 +16,7 @@ end remote_file "/var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.qcow2" do source "http://cloud-images.ubuntu.com/releases/focal/release/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img" owner "libvirt-qemu" - group "root" + group "kvm" mode "0640" end diff --git a/site-cookbooks/kosmos-postgresql/.gitignore b/site-cookbooks/kosmos_postgresql/.gitignore similarity index 100% rename from site-cookbooks/kosmos-postgresql/.gitignore rename to site-cookbooks/kosmos_postgresql/.gitignore diff --git a/site-cookbooks/kosmos-postgresql/Berksfile b/site-cookbooks/kosmos_postgresql/Berksfile similarity index 100% rename from site-cookbooks/kosmos-postgresql/Berksfile rename to site-cookbooks/kosmos_postgresql/Berksfile diff --git a/site-cookbooks/kosmos_postgresql/CHANGELOG.md b/site-cookbooks/kosmos_postgresql/CHANGELOG.md new file mode 100644 index 0000000..1ffdd2a --- /dev/null +++ b/site-cookbooks/kosmos_postgresql/CHANGELOG.md @@ -0,0 +1,5 @@ +# kosmos_postgresql CHANGELOG + +# 0.1.0 + +Initial release. diff --git a/site-cookbooks/kosmos-postgresql/LICENSE b/site-cookbooks/kosmos_postgresql/LICENSE similarity index 100% rename from site-cookbooks/kosmos-postgresql/LICENSE rename to site-cookbooks/kosmos_postgresql/LICENSE diff --git a/site-cookbooks/kosmos-postgresql/README.md b/site-cookbooks/kosmos_postgresql/README.md similarity index 98% rename from site-cookbooks/kosmos-postgresql/README.md rename to site-cookbooks/kosmos_postgresql/README.md index 2541424..9ea16a7 100644 --- a/site-cookbooks/kosmos-postgresql/README.md +++ b/site-cookbooks/kosmos_postgresql/README.md @@ -1,4 +1,4 @@ -# kosmos-postgresql +# kosmos_postgresql ## Usage 
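Review bot: The base image is still fetched with `source "http://cloud-images.ubuntu.com/..."` and no `checksum` property, so the qcow2 every guest is cloned from arrives over plaintext HTTP with no integrity verification; the `group "kvm"` change does not touch that. Switching the source to `https://` and adding `checksum "<sha256 from the SHA256SUMS published next to the image>"` (placeholder) to the `remote_file` makes the download both authenticated and idempotent. The widened `group "kvm"` on the directory (`0750`) and image (`0640`) is presumably so the libvirt/qemu processes in that group can read the base image; a one-line why-comment on the `group` line would help the next reader.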
diff --git a/site-cookbooks/kosmos-postgresql/attributes/default.rb b/site-cookbooks/kosmos_postgresql/attributes/default.rb similarity index 59% rename from site-cookbooks/kosmos-postgresql/attributes/default.rb rename to site-cookbooks/kosmos_postgresql/attributes/default.rb index dec530f..f3daf9b 100644 --- a/site-cookbooks/kosmos-postgresql/attributes/default.rb +++ b/site-cookbooks/kosmos_postgresql/attributes/default.rb @@ -1,3 +1,3 @@ # This is set to false by default, and set to true in the server resource # for replicas. -node.default['kosmos-postgresql']['ready_to_set_up_replica'] = false +node.default['kosmos_postgresql']['ready_to_set_up_replica'] = false diff --git a/site-cookbooks/kosmos-postgresql/chefignore b/site-cookbooks/kosmos_postgresql/chefignore similarity index 100% rename from site-cookbooks/kosmos-postgresql/chefignore rename to site-cookbooks/kosmos_postgresql/chefignore diff --git a/site-cookbooks/kosmos-postgresql/libraries/helpers.rb b/site-cookbooks/kosmos_postgresql/libraries/helpers.rb similarity index 100% rename from site-cookbooks/kosmos-postgresql/libraries/helpers.rb rename to site-cookbooks/kosmos_postgresql/libraries/helpers.rb diff --git a/site-cookbooks/kosmos-postgresql/metadata.rb b/site-cookbooks/kosmos_postgresql/metadata.rb similarity index 70% rename from site-cookbooks/kosmos-postgresql/metadata.rb rename to site-cookbooks/kosmos_postgresql/metadata.rb index 1b031b2..ad7ca14 100644 --- a/site-cookbooks/kosmos-postgresql/metadata.rb +++ b/site-cookbooks/kosmos_postgresql/metadata.rb @@ -1,9 +1,9 @@ -name 'kosmos-postgresql' +name 'kosmos_postgresql' maintainer 'Kosmos' maintainer_email 'ops@5apps.com' license 'MIT' -description 'Installs/Configures kosmos-postgresql' -long_description 'Installs/Configures kosmos-postgresql' +description 'Installs/Configures kosmos_postgresql' +long_description 'Installs/Configures kosmos_postgresql' version '0.1.0' chef_version '>= 12.14' if respond_to?(:chef_version) 
@@ -11,13 +11,13 @@ chef_version '>= 12.14' if respond_to?(:chef_version) # tracked. A `View Issues` link will be displayed on this cookbook's page when # uploaded to a Supermarket. # -# issues_url 'https://github.com//kosmos-postgresql/issues' +# issues_url 'https://github.com//kosmos_postgresql/issues' # The `source_url` points to the development repository for this cookbook. A # `View Source` link will be displayed on this cookbook's page when uploaded to # a Supermarket. # -# source_url 'https://github.com//kosmos-postgresql' +# source_url 'https://github.com//kosmos_postgresql' depends "postgresql", ">= 7.0.0" depends "build-essential" diff --git a/site-cookbooks/kosmos-postgresql/recipes/firewall.rb b/site-cookbooks/kosmos_postgresql/recipes/firewall.rb similarity index 89% rename from site-cookbooks/kosmos-postgresql/recipes/firewall.rb rename to site-cookbooks/kosmos_postgresql/recipes/firewall.rb index 7b9b380..ebc3404 100644 --- a/site-cookbooks/kosmos-postgresql/recipes/firewall.rb +++ b/site-cookbooks/kosmos_postgresql/recipes/firewall.rb @@ -1,5 +1,5 @@ # -# Cookbook:: kosmos-postgresql +# Cookbook:: kosmos_postgresql # Recipe:: firewall # diff --git a/site-cookbooks/kosmos-postgresql/recipes/hostsfile.rb b/site-cookbooks/kosmos_postgresql/recipes/hostsfile.rb similarity index 87% rename from site-cookbooks/kosmos-postgresql/recipes/hostsfile.rb rename to site-cookbooks/kosmos_postgresql/recipes/hostsfile.rb index 265f563..9000b67 100644 --- a/site-cookbooks/kosmos-postgresql/recipes/hostsfile.rb +++ b/site-cookbooks/kosmos_postgresql/recipes/hostsfile.rb @@ -1,5 +1,5 @@ # -# Cookbook:: kosmos-postgresql +# Cookbook:: kosmos_postgresql # Recipe:: hostsfile # diff --git a/site-cookbooks/kosmos-postgresql/recipes/primary.rb b/site-cookbooks/kosmos_postgresql/recipes/primary.rb similarity index 95% rename from site-cookbooks/kosmos-postgresql/recipes/primary.rb rename to site-cookbooks/kosmos_postgresql/recipes/primary.rb index b3a7534..de7466f 100644 
--- a/site-cookbooks/kosmos-postgresql/recipes/primary.rb +++ b/site-cookbooks/kosmos_postgresql/recipes/primary.rb @@ -1,5 +1,5 @@ # -# Cookbook:: kosmos-postgresql +# Cookbook:: kosmos_postgresql # Recipe:: primary # diff --git a/site-cookbooks/kosmos-postgresql/recipes/replica.rb b/site-cookbooks/kosmos_postgresql/recipes/replica.rb similarity index 97% rename from site-cookbooks/kosmos-postgresql/recipes/replica.rb rename to site-cookbooks/kosmos_postgresql/recipes/replica.rb index 6525948..b1dd345 100644 --- a/site-cookbooks/kosmos-postgresql/recipes/replica.rb +++ b/site-cookbooks/kosmos_postgresql/recipes/replica.rb @@ -1,5 +1,5 @@ # -# Cookbook:: kosmos-postgresql +# Cookbook:: kosmos_postgresql # Recipe:: replica # diff --git a/site-cookbooks/kosmos-postgresql/resources/server.rb b/site-cookbooks/kosmos_postgresql/resources/server.rb similarity index 90% rename from site-cookbooks/kosmos-postgresql/resources/server.rb rename to site-cookbooks/kosmos_postgresql/resources/server.rb index f71520e..5d5fb1c 100644 --- a/site-cookbooks/kosmos-postgresql/resources/server.rb +++ b/site-cookbooks/kosmos_postgresql/resources/server.rb @@ -1,4 +1,5 @@ resource_name :postgresql_custom_server +provides :postgresql_custom_server property :postgresql_version, String, required: true, name_property: true property :role, String, required: true # Can be primary or replica @@ -41,14 +42,14 @@ action :create do action :disable end - shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # > 1GB RAM + shared_buffers = if node['memory']['total'].to_i / 1024 < 1024 # < 1GB RAM "128MB" - else # >= 1GB RAM, use 25% of total RAM - "#{node['memory']['total'].to_i / 1024 / 4}MB" + else # >= 1GB RAM, use 50% of total RAM + "#{node['memory']['total'].to_i / 1024 / 2}MB" end additional_config = { - max_connections: 100, # default + max_connections: 200, # default shared_buffers: shared_buffers, unix_socket_directories: "/var/run/postgresql", dynamic_shared_memory_type: "posix", 
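Review bot: `max_connections: 200, # default` — the trailing comment was true for 100 (PostgreSQL's shipped default) but is wrong now that the value is 200; change it to `max_connections: 200, # PostgreSQL default is 100`. The shared_buffers change from a quarter to half of total RAM goes beyond upstream's usual guidance (about 25%, with little benefit above roughly 40% on Linux); if that is deliberate for these dedicated database hosts, a why-comment on the `else` branch would stop the next reader from reverting it. The `action :create` block starts before this hunk.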
diff --git a/site-cookbooks/kosmos_rsk/attributes/default.rb b/site-cookbooks/kosmos_rsk/attributes/default.rb
index 48cc220..608edad 100644
--- a/site-cookbooks/kosmos_rsk/attributes/default.rb
+++ b/site-cookbooks/kosmos_rsk/attributes/default.rb
@@ -1,2 +1,2 @@
-node.default['rskj']['version'] = '2.2.0~focal'
+node.default['rskj']['version'] = '3.0.1~focal'
 node.default['rskj']['network'] = 'testnet'
diff --git a/site-cookbooks/kosmos_rsk/recipes/firewall.rb b/site-cookbooks/kosmos_rsk/recipes/firewall.rb
new file mode 100644
index 0000000..b1c9bcf
--- /dev/null
+++ b/site-cookbooks/kosmos_rsk/recipes/firewall.rb
@@ -0,0 +1,7 @@
+include_recipe 'firewall'
+
+firewall_rule 'rskj' do
+ port [4444,50505]
+ protocol :tcp
+ command :allow
+end
diff --git a/site-cookbooks/kosmos_rsk/recipes/rskj.rb b/site-cookbooks/kosmos_rsk/recipes/rskj.rb
index 0ec4a5d..ea9a7ab 100644
--- a/site-cookbooks/kosmos_rsk/recipes/rskj.rb
+++ b/site-cookbooks/kosmos_rsk/recipes/rskj.rb
@@ -30,10 +30,4 @@ service "rsk" do
 action [:enable, :start]
 end
 
-include_recipe 'firewall'
-
-firewall_rule 'rskj' do
- port [4444,50505]
- protocol :tcp
- command :allow
-end
+include_recipe 'kosmos_rsk::firewall'
diff --git a/site-cookbooks/kosmos_website/attributes/default.rb b/site-cookbooks/kosmos_website/attributes/default.rb
new file mode 100644
index 0000000..4f0e4a0
--- /dev/null
+++ b/site-cookbooks/kosmos_website/attributes/default.rb
@@ -0,0 +1,3 @@
+node.default["kosmos_website"]["domain"] = "kosmos.org"
+node.default["kosmos_website"]["repo"] = "https://gitea.kosmos.org/kosmos/website.git"
+node.default["kosmos_website"]["revision"] = "master"
diff --git a/site-cookbooks/kosmos_website/metadata.rb b/site-cookbooks/kosmos_website/metadata.rb
new file mode 100644
index 0000000..a828211
--- /dev/null
+++ b/site-cookbooks/kosmos_website/metadata.rb
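Review bot: `firewall_rule 'rskj'` opens both 4444 and 50505 to any source; 50505 is rskj's peer-to-peer port and has to be reachable, but 4444 is, as far as I know, the JSON-RPC port, and the rule gives it the same exposure. If RPC is only used from the host itself or the internal network, split the rule and put a `source` restriction on the 4444 entry (the `firewall` cookbook's `firewall_rule` accepts `source`), or drop 4444 from the rule and let it stay bound locally. The rule is moved verbatim from `rskj.rb` (the hunk below removes it there), so this is a pre-existing exposure rather than one the commit introduces, but the new file is the right place to fix it.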
@@ -0,0 +1,10 @@
+name 'kosmos_website'
+maintainer 'Kosmos'
+maintainer_email 'ops@kosmos.org'
+license 'MIT'
+description 'Configures the main kosmos.org website'
+long_description 'Configures the main kosmos.org website'
+version '1.0.0'
+chef_version '>= 15.10' if respond_to?(:chef_version)
+
+depends "kosmos-nginx"
diff --git a/site-cookbooks/kosmos_website/recipes/default.rb b/site-cookbooks/kosmos_website/recipes/default.rb
new file mode 100644
index 0000000..903809a
--- /dev/null
+++ b/site-cookbooks/kosmos_website/recipes/default.rb
@@ -0,0 +1,38 @@
+#
+# Cookbook:: kosmos_website
+# Recipe:: default
+#
+
+include_recipe "kosmos-nginx"
+
+domain = node["kosmos_website"]["domain"]
+
+nginx_certbot_site domain
+
+directory "/var/www/#{domain}/site" do
+ user node["nginx"]["user"]
+ group node["nginx"]["group"]
+ mode "0755"
+end
+
+git "/var/www/#{domain}/site" do
+ user node["nginx"]["user"]
+ group node["nginx"]["group"]
+ repository node["kosmos_website"]["repo"]
+ revision node["kosmos_website"]["revision"]
+ action :sync
+end
+
+template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
+ source "nginx_conf_website.erb"
+ owner node["nginx"]["user"]
+ mode 0640
+ variables domain: domain,
+ ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+ notifies :reload, "service[nginx]", :delayed
+end
+
+nginx_site domain do
+ action :enable
+end
diff --git a/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb b/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb
new file mode 100644
index 0000000..9e06160
--- /dev/null
+++ b/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb
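Review bot: In `kosmos_website::default` the `directory` and `git` resources make the nginx runtime user the owner of `/var/www/#{domain}/site`, so the account that serves the files can also rewrite them — a compromised worker process could alter the published site and the checkout. Least privilege here is a separate checkout owner with the nginx user limited to read access, which the existing `mode "0755"` on the directory already permits, with only `user`/`group` on the two resources changing. `revision "master"` tracks the branch head, so every converge deploys whatever is on the branch at that moment; pinning the attribute to a tag or commit makes deployments reproducible and reviewable. Minor style point: the template uses `mode 0640` while the directory uses `mode "0755"`; use the string form `mode "0640"` consistently.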
@@ -0,0 +1,26 @@
+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+# Generated by Chef
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name <%= @domain %>;
+
+ root /var/www/<%= @domain %>/site;
+
+ access_log off;
+ gzip_static on;
+ gzip_comp_level 5;
+
+ add_header 'Access-Control-Allow-Origin' '*';
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+
+ location /.well-known/lnurlp/ {
+ proxy_ssl_server_name on;
+ rewrite /.well-known/lnurlp/([^/]+) /lnurlpay/$1@kosmos.org break;
+ proxy_pass https://accounts.kosmos.org;
+ }
+}
+<% end -%>
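Review bot: The `location /.well-known/lnurlp/` block proxies to `https://accounts.kosmos.org` with `proxy_ssl_server_name on` but without `proxy_ssl_verify on`, and nginx does not verify upstream certificates by default, so the TLS hop to the payment backend is encrypted but not authenticated; add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` next to `proxy_ssl_server_name on;` (the trust-store path is the Debian/Ubuntu one, matching the `~focal` package suffix used elsewhere in this diff). `access_log off;` removes the only per-request record for this vhost, including the proxied lnurlp requests, which is exactly what an incident review would need; logging the location block at minimum is cheap insurance. Note also that `add_header 'Access-Control-Allow-Origin' '*'` is inherited by the proxy location because that block sets no headers of its own — fine if the lnurlp responses are meant to be public, but worth a one-line comment saying so.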
