diff --git a/clients/akaunting-1.json b/clients/akaunting-1.json
new file mode 100644
index 0000000..449e02e
--- /dev/null
+++ b/clients/akaunting-1.json
@@ -0,0 +1,4 @@
+{
+ "name": "akaunting-1",
+ "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzmNpNWJh5DeXDsINDqAt\n5OtcGhnzLtqdILTD8A8KuPxWhoKI0k9xwvuT4yO2DLQqFMPyGefRuQkVsIq2OuU5\npK8B5c79E9MBHxti6mQZw4b/Jhmul+x2LGtOWYjPTDhFYXRsNNDtFDxwpwJGPede\nYts026yExHPhiF35Mt1JxA3TXJfPC8Vx0YGHu/6Ev+1fLmcKhFmhed5yKkA0gwod\nczdyQiCfw3ze9LuS90QmALpFOHHpekZeywemdwyPia207CoTrXsPLWj9KmuUEIQJ\nwL+OlEU2tVA6KaBKpl54n5/tMsccZmlicbNsVpgkk6LctrkNh6Kk+fW9ry3L/Gxg\nAwIDAQAB\n-----END PUBLIC KEY-----\n"
+}
\ No newline at end of file
diff --git a/data_bags/credentials/akaunting.json b/data_bags/credentials/akaunting.json
new file mode 100644
index 0000000..3a32a81
--- /dev/null
+++ b/data_bags/credentials/akaunting.json
@@ -0,0 +1,31 @@
+{
+ "id": "akaunting",
+ "app_key": {
+ "encrypted_data": "C7VVGHHrE/ESwtGeODf8zVraayO5uBSXaGR7f4yoj0MDq9WxPujItC3dIkMQ\ngjGzk8fH\n",
+ "iv": "4+d+RMLeuqaneFBa\n",
+ "auth_tag": "sBQDUVl6QbL/h9pd0kBQ0g==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "pg_database": {
+ "encrypted_data": "4mqHsMfDAqPvDmGsWgS9iE63qVeus7diSW8WiA==\n",
+ "iv": "6Cb1lVUcXBz+GA4u\n",
+ "auth_tag": "8O3N0m8jGhxs/YacdhgNHA==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "pg_username": {
+ "encrypted_data": "Nu0wiBhvqUwqC7PL2Qo8otq0b3faJqRsabqp2g==\n",
+ "iv": "1uA8mJc7itT0qHcx\n",
+ "auth_tag": "PRWw6LTlFrWs63SDRsovtQ==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "pg_password": {
+ "encrypted_data": "oXDKiXQ4aH5M2pVu1sx7dj0awKCORke03fq0uemjIfCMYbM=\n",
+ "iv": "snPyC8mocevc5kGH\n",
+ "auth_tag": "9wx4GPSydkYr2WGpZK5HZg==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ }
+}
\ No newline at end of file
diff --git a/data_bags/credentials/akkounts.json b/data_bags/credentials/akkounts.json
index a59beae..63b7bcb 100644
--- a/data_bags/credentials/akkounts.json
+++ b/data_bags/credentials/akkounts.json 
@@ -1,72 +1,72 @@ { "id": "akkounts", "postgresql_username": { - "encrypted_data": "bDlOkEmhvMgyVzPeTNUzYnzRLf3T9cc0cDxt\n", - "iv": "GCCUoqU5pxQ7fGkv\n", - "auth_tag": "Q7mrSHIBluMe3CGVmoR86Q==\n", + "encrypted_data": "ofLOjxGBj7no+lWrIvtxQQFoeozCh6mpfMTt\n", + "iv": "/CF+o4GqZx2O5WOm\n", + "auth_tag": "bjHXfgNQfXpQ2gucPLrUWA==\n", "version": 3, "cipher": "aes-256-gcm" }, "postgresql_password": { - "encrypted_data": "wD0HtdsNe/hl4ZaOy8hyr2k4z8TXQrrSja3KNVE47w==\n", - "iv": "tb5yz8WDer0CsGvJ\n", - "auth_tag": "/+K2anuCff/6M7Pu70Smqw==\n", + "encrypted_data": "f8Jfs4aqIjc6/6/NQlI2Fv8TzSgVmi5g0iYNhh9bAA==\n", + "iv": "vAzrZeUodmu4x5eB\n", + "auth_tag": "vx8eH2SY7I4IkZElXSC1Nw==\n", "version": 3, "cipher": "aes-256-gcm" }, "sentry_dsn": { - "encrypted_data": "jCz681x0WVixHYZUb62TO+1cgyJMiJ2UMqWcaztx57yDBOIiKW3oSZjuXdhP\n9WCesfXQF/lgzITZno3IKDqzlKjWgbGLC75y8FLguxidCHI=\n", - "iv": "IRNOzN/hLwg1iqax\n", - "auth_tag": "eg9dWnEK04JDb94e4CFa9Q==\n", + "encrypted_data": "oxW5jGU8DlIp5A9enxBhcJXuKyaZ5HziXq8Zw+Rbvpbv4C/RTGkJkgZdKcH1\nVzW/wNAT8nTK+nEvWgcQ3svjE40ltj2jcOexIRqLbuCClJE=\n", + "iv": "wpW9+VdX5GjocHSl\n", + "auth_tag": "1qrf1kZMrIR7WRiSaRjppQ==\n", "version": 3, "cipher": "aes-256-gcm" }, "rails_master_key": { - "encrypted_data": "nUB77VLRp41rluH7hLBwQqPtnh/HsmfLr2VbcIZHWawL3o2TGuY+mj648f9L\n7XsEpgqY\n", - "iv": "fpdbDitqTRHxEKiv\n", - "auth_tag": "I44fn8Ott3L/Y5LYr56U/Q==\n", + "encrypted_data": "KHVYYH7Nb9/SsoKkYfbjzhFwj3Ioj72hm5pfdCuinf+GQvjKumq99eQTlKdf\nBZM1n0XN\n", + "iv": "x9AQZvw/vCinKQ8k\n", + "auth_tag": "mi0KHHOTBvVNhtvqk38BtQ==\n", "version": 3, "cipher": "aes-256-gcm" }, "discourse_connect_secret": { - "encrypted_data": "ENtMn+1XTVFmdEZw7LU6WGoMbSZY654ggm3vPACGfFgqo6r0LhG60c5OTdqv\nZvT5/Q==\n", - "iv": "bL1BmvRhgxFqSM1P\n", - "auth_tag": "sEBZzGWwwYFHn+4B4SsyCA==\n", + "encrypted_data": "WyLrV0DOsxyafSqyeQVj0BhVwm/0gvWeJLBsAbiqCGphryoYqUByPcum1T6R\n2H44nQ==\n", + "iv": "lUtlJDv6Ieq8Bs5x\n", + "auth_tag": "ku22BlQKw/BhHxuANTF6yg==\n", "version": 3, 
"cipher": "aes-256-gcm" }, "lndhub_admin_token": { - "encrypted_data": "4LPGFoARzI8UYnsJPIk8sax/rAA16pUULEZWn86e2C7L\n", - "iv": "nvjXrOwgfgutwEVw\n", - "auth_tag": "A89RUf1sdcS3FVscNPWYLg==\n", + "encrypted_data": "DQuxQW8ks3sUzyHYEpQVyPg2f/U4/LWeRoCD9225Hd+c\n", + "iv": "mjxYi+YAcKGuurD2\n", + "auth_tag": "8P3bFFNeQ5HQgpXDB5Sk5A==\n", "version": 3, "cipher": "aes-256-gcm" }, "btcpay_auth_token": { - "encrypted_data": "ky5iWYF06os0Ek6vIRzWqMTekqJhCOh/Q9DTDIeKhSyk8TnT3O71lCNEt1F5\nXCNq6ux3V6oyHVLWj0o=\n", - "iv": "zk6WnxsY89oNW1F9\n", - "auth_tag": "FAIMXKvQ1T7QKezVSNJbwQ==\n", + "encrypted_data": "3wsY9osaUdX4SvBPfHprNLSbx6/rfI5BfXnDxsc6OET3nGn19qBhH6wgeiwZ\n/dweqdQ25HpbFPygddc=\n", + "iv": "ccouibxktHLlUCQJ\n", + "auth_tag": "pWuRC8O2EAkmztL/9V3now==\n", "version": 3, "cipher": "aes-256-gcm" }, "s3_access_key": { - "encrypted_data": "KfhfEGwPjOonlz6rpnNTinXFPqX/sIbqQn/aby0UDi/G/7cvEcOiNcCkfuSz\n", - "iv": "Q3rg06v6K9pUDLDY\n", - "auth_tag": "G5ugdlJ896KtYtObKLclJA==\n", + "encrypted_data": "hJGHa+hEmddtsZ4UncrYBkjRa/2Csqdh79tXpTVxUWbIsYGdlvyadk7C1UCj\n", + "iv": "GlxNdnWiNzmNYthg\n", + "auth_tag": "hlRLkroUN01L7VzQFBU/IA==\n", "version": 3, "cipher": "aes-256-gcm" }, "s3_secret_key": { - "encrypted_data": "N8s1OoDrYXHjqSydQA0kY7dd68Aelq4+/cgmJlYfP92u4YA17V4TR7fsvQZL\nkqjuUSClNYPc0XiCwf/5gxVirE9AO6OmmvSV7lUyu4hcEY6unrU=\n", - "iv": "bXzIVWnX6V0P6PRb\n", - "auth_tag": "1EOjCfsX9P6ETjUsgBvBsA==\n", + "encrypted_data": "LKdQJOKIfFIoiF3GvfTs1mg3AI//Aoi8r42zcw8QhEVPB8ONsSf0/vhM037C\nf5nzUk7xwglvTOveqbOM+UTBJF/4oblQfgwFW3VobWUGkJqjtKE=\n", + "iv": "tWTxzK/ccpjlLmQV\n", + "auth_tag": "n2MFkTIquyqz4wqRNdSJcg==\n", "version": 3, "cipher": "aes-256-gcm" }, "nostr_private_key": { - "encrypted_data": "Sf8PEyQ0sqcgxddSlIDxLOVzPjOkTFObsYuTgcxkbEV7igrati4e8QVVUEBD\n1yoLJXelp8jlCr28Ectci29jc53gYSMTLSQsw97uYas2R0dGCqQ=\n", - "iv": "+1CIUyvIUOveLrY4\n", - "auth_tag": "GDqS+IuAIfMBmHIeFXaV7A==\n", + "encrypted_data": 
"CPMeNxzpYMReaQU4+v+EqpVESRsnaYc3a4y7OkHOhtn2gjaNEDERGKvRmlyd\nD6vxKPcIrwTCZ7neJ3YLOVOxPDNv6skqdtMHBwSgl7aBEOrx7tY=\n", + "iv": "AV1on2sw1avmFFuY\n", + "auth_tag": "9rb9qQBKrj5Xja1t+qROKQ==\n", "version": 3, "cipher": "aes-256-gcm" } diff --git a/nodes/akaunting-1.json b/nodes/akaunting-1.json new file mode 100644 index 0000000..88d0792 --- /dev/null +++ b/nodes/akaunting-1.json @@ -0,0 +1,66 @@ +{ + "name": "akaunting-1", + "chef_environment": "production", + "normal": { + "knife_zero": { + "host": "10.1.1.215" + } + }, + "automatic": { + "fqdn": "akaunting-1", + "os": "linux", + "os_version": "5.15.0-1069-kvm", + "hostname": "akaunting-1", + "ipaddress": "192.168.122.162", + "roles": [ + "base", + "kvm_guest", + "akaunting", + "postgresql_client" + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "kosmos_kvm::guest", + "kosmos_postgresql::hostsfile", + "kosmos_akaunting", + "kosmos_akaunting::default", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "ntp::apparmor", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default", + "kosmos-nodejs::default", + "nodejs::nodejs_from_package", + "nodejs::repo" + ], + "platform": "ubuntu", + "platform_version": "22.04", + "cloud": null, + "chef_packages": { + "chef": { + "version": "18.5.0", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.5.0/lib", + "chef_effortless": null + }, + "ohai": { + "version": "18.1.11", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai" + } + } + }, + "run_list": [ + "role[base]", + "role[kvm_guest]", + "role[akaunting]" + ] +} diff --git a/nodes/her.json b/nodes/her.json index 43402f3..cdb9bc7 100644 --- a/nodes/her.json +++ b/nodes/her.json 
@@ -1,15 +1,818 @@ { "name": "her", "chef_environment": "production", + "override": { + "apt": { + "unattended_upgrades": { + "allowed_origins": [ + "${distro_id}:${distro_codename}-security", + "${distro_id}:${distro_codename}-updates" + ], + "mail": "ops@kosmos.org", + "syslog_enable": true + } + }, + "set_fqdn": "*", + "akkounts": { + "btcpay": { + "public_url": "https://btcpay.kosmos.org", + "store_id": "FNJVVsrVkKaduPDAkRVchdegjwzsNhpceAdonCaXAwBX" + }, + "ejabberd": { + "admin_url": "https://xmpp.kosmos.org:5443/admin" + }, + "lndhub": { + "public_url": "https://lndhub.kosmos.org", + "public_key": "024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946" + }, + "nostr": { + "public_key": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a" + } + }, + "discourse": { + "domain": "community.kosmos.org" + }, + "droneci": { + "public_url": "https://drone.kosmos.org" + }, + "ejabberd": { + "turn_domain": "turn.kosmos.org" + }, + "email": { + "domain": "kosmos.org", + "hostname": "mail.kosmos.org", + "report_contact": "abuse@kosmos.org", + "virtual_aliases": { + "admin@kosmos.org": "ops@kosmos.org", + "ops@kosmos.org": "ops@5apps.com", + "webmaster": "mail@kosmos.org", + "hostmaster@kosmos.org": "mail@kosmos.org", + "postmaster@kosmos.org": "mail@kosmos.org", + "abuse@kosmos.org": "mail@kosmos.org", + "mail@kosmos.org": "foundation@kosmos.org" + } + }, + "garage": { + "replication_mode": "2", + "s3_api_root_domain": "s3.kosmos.org", + "s3_web_root_domain": "web.s3.kosmos.org", + "s3_web_domains": [ + "media.kosmos.chat", + "s3.accounts.kosmos.org", + "s3.community.kosmos.org", + "s3.kosmos.social" + ], + "xmpp_upload_bucket": "kosmos-xmpp-uploads" + }, + "gitea": { + "domain": "gitea.kosmos.org", + "postgresql_host": "pg.kosmos.local:5432", + "config": { + "storage": { + "type": "minio", + "endpoint": "localhost:3900", + "location": "garage", + "use_ssl": "false" + } + } + }, + "kosmos_kvm": { + "backup": { + "nodes_excluded": [ + "garage-", 
+ "lq-", + "rsk-", + "postgres-6" + ] + } + }, + "kosmos-mastodon": { + "domain": "kosmos.social", + "user_address_domain": "kosmos.social", + "s3_endpoint": "http://localhost:3900", + "s3_region": "garage", + "s3_bucket": "kosmos-social", + "s3_alias_host": "s3.kosmos.social", + "libre_translate_endpoint": "http://127.0.0.1:5000", + "alternate_domains": [ + "mastodon.w7nooprauv6yrnhzh2ajpcnj3doinked2aaztlwfyt6u6pva2qdxqhid.onion" + ] + }, + "liquor-cabinet": { + "ufw_source_allowed": "10.1.1.0/24", + "redis_port": 6379, + "redis_db": 1, + "s3_endpoint": "http://localhost:3900", + "s3_region": "garage", + "s3_bucket": "rs-kosmos", + "domain": "storage.kosmos.org", + "root_redirect_url": "https://accounts.kosmos.org" + }, + "mediawiki": { + "url": "https://wiki.kosmos.org" + }, + "sentry": { + "allowed_ips": "10.1.1.0/24" + } + }, "normal": { "knife_zero": { "host": "10.1.1.222" } }, + "default": { + "audit": { + "inspec_backend_cache": true, + "reporter": null, + "fetcher": null, + "insecure": null, + "quiet": true, + "profiles": { + + }, + "inputs": { + + }, + "attributes": { + + }, + "waiver_file": null, + "json_file": { + "location": "/var/chef/compliance_reports/compliance-20241213130159.json" + }, + "run_time_limit": 1.0, + "result_message_limit": 10000, + "result_include_backtrace": false, + "control_results_limit": 50, + "chef_node_attribute_enabled": true, + "compliance_phase": false, + "interval": { + "enabled": false, + "time": 1440 + } + }, + "apt": { + "cacher_dir": "/var/cache/apt-cacher-ng", + "cacher_interface": null, + "cacher_port": 3142, + "compiletime": false, + "compile_time_update": false, + "key_proxy": "", + "periodic_update_min_delay": 86400, + "launchpad_api_version": "1.0", + "unattended_upgrades": { + "enable": false, + "update_package_lists": true, + "allowed_origins": [ + "Ubuntu jammy" + ], + "origins_patterns": [ + + ], + "package_blacklist": [ + + ], + "auto_fix_interrupted_dpkg": false, + "minimal_steps": false, + 
"install_on_shutdown": false, + "mail": null, + "sender": null, + "mail_only_on_error": true, + "remove_unused_dependencies": false, + "automatic_reboot": false, + "automatic_reboot_time": "now", + "dl_limit": null, + "random_sleep": null, + "syslog_enable": false, + "syslog_facility": "daemon", + "dpkg_options": [ + + ] + }, + "cacher_client": { + "cacher_server": { + + } + }, + "confd": { + "force_confask": false, + "force_confdef": false, + "force_confmiss": false, + "force_confnew": false, + "force_confold": false, + "install_recommends": true, + "install_suggests": false + } + }, + "firewall": { + "allow_ssh": false, + "allow_winrm": false, + "allow_mosh": false, + "allow_loopback": false, + "allow_icmp": false, + "firewalld": { + "permanent": false + }, + "iptables": { + "defaults": { + "policy": { + "input": "DROP", + "forward": "DROP", + "output": "ACCEPT" + }, + "ruleset": { + "*filter": 1, + ":INPUT DROP": 2, + ":FORWARD DROP": 3, + ":OUTPUT ACCEPT": 4, + "COMMIT_FILTER": 100 + } + } + }, + "ubuntu_iptables": false, + "redhat7_iptables": false, + "allow_established": true, + "ipv6_enabled": true, + "ufw": { + "defaults": { + "ipv6": "yes", + "manage_builtins": "no", + "ipt_sysctl": "/etc/ufw/sysctl.conf", + "ipt_modules": "nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns", + "policy": { + "input": "DROP", + "output": "ACCEPT", + "forward": "DROP", + "application": "SKIP" + } + } + }, + "windows": { + "defaults": { + "policy": { + "input": "blockinbound", + "output": "allowoutbound" + } + } + } + }, + "hostsfile": { + "path": null + }, + "hostname_cookbook": { + "hostsfile_ip": "127.0.1.1", + "hostsfile_aliases": [ + + ], + "hostsfile_include_hostname_in_aliases": true, + "append_hostsfile_ip": true + }, + "postfix": { + "packages": [ + "postfix" + ], + "mail_type": "client", + "relayhost_role": "relayhost", + "relayhost_port": "25", + "multi_environment_relay": false, + "use_procmail": false, + "use_alias_maps": false, + "use_transport_maps": false, + 
"use_access_maps": false, + "use_virtual_aliases": false, + "use_virtual_aliases_domains": false, + "use_relay_restrictions_maps": false, + "transports": { + + }, + "access": { + + }, + "virtual_aliases": { + + }, + "virtual_aliases_domains": { + + }, + "main_template_source": "postfix", + "master_template_source": "postfix", + "sender_canonical_map_entries": { + + }, + "smtp_generic_map_entries": { + + }, + "recipient_canonical_map_entries": { + + }, + "access_db_type": "hash", + "aliases_db_type": "hash", + "transport_db_type": "hash", + "virtual_alias_db_type": "hash", + "virtual_alias_domains_db_type": "hash", + "conf_dir": "/etc/postfix", + "aliases_db": "/etc/aliases", + "transport_db": "/etc/postfix/transport", + "access_db": "/etc/postfix/access", + "virtual_alias_db": "/etc/postfix/virtual", + "virtual_alias_domains_db": "/etc/postfix/virtual_domains", + "relay_restrictions_db": "/etc/postfix/relay_restrictions", + "main": { + "biff": "no", + "append_dot_mydomain": "no", + "myhostname": "her", + "mydomain": "her", + "myorigin": "$myhostname", + "mydestination": [ + "her", + "her", + "localhost.localdomain", + "localhost" + ], + "smtpd_use_tls": "yes", + "smtp_use_tls": "yes", + "smtpd_tls_mandatory_protocols": "!SSLv2,!SSLv3", + "smtp_tls_mandatory_protocols": "!SSLv2,!SSLv3", + "smtpd_tls_protocols": "!SSLv2,!SSLv3", + "smtp_tls_protocols": "!SSLv2,!SSLv3", + "smtp_sasl_auth_enable": "yes", + "mailbox_size_limit": 0, + "mynetworks": null, + "inet_interfaces": "loopback-only", + "smtp_tls_CAfile": "/etc/ssl/certs/ca-certificates.crt", + "smtpd_tls_CAfile": "/etc/ssl/certs/ca-certificates.crt", + "relayhost": "smtp.mailgun.org:587", + "smtp_sasl_password_maps": "hash:/etc/postfix/sasl_passwd", + "smtp_sasl_security_options": "noanonymous", + "smtpd_tls_cert_file": "/etc/ssl/certs/ssl-cert-snakeoil.pem", + "smtpd_tls_key_file": "/etc/ssl/private/ssl-cert-snakeoil.key", + "smtpd_tls_session_cache_database": "btree:${data_directory}/smtpd_scache", + 
"smtp_tls_session_cache_database": "btree:${data_directory}/smtp_scache", + "maildrop_destination_recipient_limit": 1, + "cyrus_destination_recipient_limit": 1 + }, + "cafile": "/etc/ssl/certs/ca-certificates.crt", + "master": { + "smtp": { + "active": true, + "order": 10, + "type": "inet", + "private": false, + "chroot": false, + "command": "smtpd", + "args": [ + + ] + }, + "submission": { + "active": false, + "order": 20, + "type": "inet", + "private": false, + "chroot": false, + "command": "smtpd", + "args": [ + "-o smtpd_enforce_tls=yes", + " -o smtpd_sasl_auth_enable=yes", + "-o smtpd_client_restrictions=permit_sasl_authenticated,reject" + ] + }, + "smtps": { + "active": false, + "order": 30, + "type": "inet", + "private": false, + "chroot": false, + "command": "smtpd", + "args": [ + "-o smtpd_tls_wrappermode=yes", + "-o smtpd_sasl_auth_enable=yes", + "-o smtpd_client_restrictions=permit_sasl_authenticated,reject" + ] + }, + "628": { + "active": false, + "order": 40, + "type": "inet", + "private": false, + "chroot": false, + "command": "qmqpdd", + "args": [ + + ] + }, + "pickup": { + "active": true, + "order": 50, + "type": "fifo", + "private": false, + "chroot": false, + "wakeup": "60", + "maxproc": "1", + "command": "pickup", + "args": [ + + ] + }, + "cleanup": { + "active": true, + "order": 60, + "type": "unix", + "private": false, + "chroot": false, + "maxproc": "0", + "command": "cleanup", + "args": [ + + ] + }, + "qmgr": { + "active": true, + "order": 70, + "type": "fifo", + "private": false, + "chroot": false, + "wakeup": "300", + "maxproc": "1", + "command": "qmgr", + "args": [ + + ] + }, + "tlsmgr": { + "active": true, + "order": 80, + "type": "unix", + "chroot": false, + "wakeup": "1000?", + "maxproc": "1", + "command": "tlsmgr", + "args": [ + + ] + }, + "rewrite": { + "active": true, + "order": 90, + "type": "unix", + "chroot": false, + "command": "trivial-rewrite", + "args": [ + + ] + }, + "bounce": { + "active": true, + "order": 100, + "type": 
"unix", + "chroot": false, + "maxproc": "0", + "command": "bounce", + "args": [ + + ] + }, + "defer": { + "active": true, + "order": 110, + "type": "unix", + "chroot": false, + "maxproc": "0", + "command": "bounce", + "args": [ + + ] + }, + "trace": { + "active": true, + "order": 120, + "type": "unix", + "chroot": false, + "maxproc": "0", + "command": "bounce", + "args": [ + + ] + }, + "verify": { + "active": true, + "order": 130, + "type": "unix", + "chroot": false, + "maxproc": "1", + "command": "verify", + "args": [ + + ] + }, + "flush": { + "active": true, + "order": 140, + "type": "unix", + "private": false, + "chroot": false, + "wakeup": "1000?", + "maxproc": "0", + "command": "flush", + "args": [ + + ] + }, + "proxymap": { + "active": true, + "order": 150, + "type": "unix", + "chroot": false, + "command": "proxymap", + "args": [ + + ] + }, + "smtpunix": { + "service": "smtp", + "active": true, + "order": 160, + "type": "unix", + "chroot": false, + "maxproc": "500", + "command": "smtp", + "args": [ + + ] + }, + "relay": { + "active": true, + "comment": "When relaying mail as backup MX, disable fallback_relay to avoid MX loops", + "order": 170, + "type": "unix", + "chroot": false, + "command": "smtp", + "args": [ + "-o smtp_fallback_relay=" + ] + }, + "showq": { + "active": true, + "order": 180, + "type": "unix", + "private": false, + "chroot": false, + "command": "showq", + "args": [ + + ] + }, + "error": { + "active": true, + "order": 190, + "type": "unix", + "chroot": false, + "command": "error", + "args": [ + + ] + }, + "discard": { + "active": true, + "order": 200, + "type": "unix", + "chroot": false, + "command": "discard", + "args": [ + + ] + }, + "local": { + "active": true, + "order": 210, + "type": "unix", + "unpriv": false, + "chroot": false, + "command": "local", + "args": [ + + ] + }, + "virtual": { + "active": true, + "order": 220, + "type": "unix", + "unpriv": false, + "chroot": false, + "command": "virtual", + "args": [ + + ] + }, + "lmtp": { + 
"active": true, + "order": 230, + "type": "unix", + "chroot": false, + "command": "lmtp", + "args": [ + + ] + }, + "anvil": { + "active": true, + "order": 240, + "type": "unix", + "chroot": false, + "maxproc": "1", + "command": "anvil", + "args": [ + + ] + }, + "scache": { + "active": true, + "order": 250, + "type": "unix", + "chroot": false, + "maxproc": "1", + "command": "scache", + "args": [ + + ] + }, + "maildrop": { + "active": true, + "comment": "See the Postfix MAILDROP_README file for details. To main.cf will be added: maildrop_destination_recipient_limit=1", + "order": 510, + "type": "unix", + "unpriv": false, + "chroot": false, + "command": "pipe", + "args": [ + "flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}" + ] + }, + "old-cyrus": { + "active": false, + "comment": "The Cyrus deliver program has changed incompatibly, multiple times.", + "order": 520, + "type": "unix", + "unpriv": false, + "chroot": false, + "command": "pipe", + "args": [ + "flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}" + ] + }, + "cyrus": { + "active": true, + "comment": "Cyrus 2.1.5 (Amos Gouaux). 
To main.cf will be added: cyrus_destination_recipient_limit=1", + "order": 530, + "type": "unix", + "unpriv": false, + "chroot": false, + "command": "pipe", + "args": [ + "user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}" + ] + }, + "uucp": { + "active": true, + "comment": "See the Postfix UUCP_README file for configuration details.", + "order": 540, + "type": "unix", + "unpriv": false, + "chroot": false, + "command": "pipe", + "args": [ + "flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)" + ] + }, + "ifmail": { + "active": false, + "order": 550, + "type": "unix", + "unpriv": false, + "chroot": false, + "command": "pipe", + "args": [ + "flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)" + ] + }, + "bsmtp": { + "active": true, + "order": 560, + "type": "unix", + "unpriv": false, + "chroot": false, + "command": "pipe", + "args": [ + "flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient" + ] + } + }, + "aliases": { + + }, + "sasl": { + "smtp_sasl_user_name": "postmaster@mg.kosmos.org", + "smtp_sasl_passwd": "f5a3ba8e20e01b6f2cca83b28d8cd2a6-c30053db-fc52c414" + }, + "sasl_password_file": "/etc/postfix/sasl_passwd" + }, + "ntp": { + "servers": [ + "0.pool.ntp.org", + "1.pool.ntp.org", + "2.pool.ntp.org", + "3.pool.ntp.org" + ], + "peers": [ + + ], + "restrictions": [ + + ], + "tinker": { + "panic": 1000, + "allan": 1500, + "dispersion": 15, + "step": 0.128, + "stepout": 900 + }, + "restrict_default": "kod notrap nomodify nopeer noquery", + "packages": [ + "ntp" + ], + "service": "ntp", + "varlibdir": "/var/lib/ntp", + "driftfile": "/var/lib/ntp/ntp.drift", + "logfile": null, + "conffile": "/etc/ntp.conf", + "statsdir": "/var/log/ntpstats/", + "conf_owner": "root", + "conf_group": "root", + "var_owner": "ntp", + "var_group": "ntp", + "leapfile": "/etc/ntp.leapseconds", + "sync_clock": false, + "sync_hw_clock": false, + "listen": null, + "listen_network": null, + 
"ignore": null, + "apparmor_enabled": true, + "monitor": false, + "statistics": true, + "conf_restart_immediate": false, + "keys": null, + "trustedkey": null, + "requestkey": null, + "disable_tinker_panic_on_virtualization_guest": true, + "peer": { + "key": null, + "use_iburst": true, + "use_burst": false, + "minpoll": 6, + "maxpoll": 10 + }, + "server": { + "prefer": "", + "use_iburst": true, + "use_burst": false, + "minpoll": 6, + "maxpoll": 10 + }, + "orphan": { + "enabled": false, + "stratum": 5 + }, + "localhost": { + "noquery": false + }, + "use_cmos": true + }, + "timezone_iii": { + "timezone": "Etc/UTC", + "tzdata_dir": "/usr/share/zoneinfo", + "localtime_path": "/etc/localtime", + "use_symlink": false + }, + "kosmos_kvm": { + "host": { + "qemu_base_image": { + "url": "https://cloud-images.ubuntu.com/releases/jammy/release-20240514/ubuntu-22.04-server-cloudimg-amd64-disk-kvm.img", + "checksum": "2e7698b3ebd7caead06b08bd3ece241e6ce294a6db01f92ea12bcb56d6972c3f", + "path": "/var/lib/libvirt/images/base/ubuntu-22.04-server-cloudimg-amd64-disk-kvm-20240514.qcow2" + } + }, + "backup": { + "schedule": "0/3:00", + "nodes_excluded": [ + + ] + } + } + }, "automatic": { "fqdn": "her", "os": "linux", - "os_version": "5.15.0-84-generic", + "os_version": "5.15.0-101-generic", "hostname": "her", "ipaddress": "192.168.30.172", "roles": [ @@ -55,4 +858,4 @@ "role[base]", "role[kvm_host]" ] -} +} \ No newline at end of file diff --git a/nodes/postgres-6.json b/nodes/postgres-6.json index a756544..9732aa7 100644 --- a/nodes/postgres-6.json +++ b/nodes/postgres-6.json @@ -22,6 +22,7 @@ "kosmos_kvm::guest", "kosmos_postgresql::primary", "kosmos_postgresql::firewall", + "kosmos_akaunting::pg_db", "kosmos-bitcoin::lndhub-go_pg_db", "kosmos-bitcoin::nbxplorer_pg_db", "kosmos_drone::pg_db", diff --git a/roles/akaunting.rb b/roles/akaunting.rb new file mode 100644 index 0000000..a9822ed --- /dev/null +++ b/roles/akaunting.rb 
@@ -0,0 +1,6 @@
+name "akaunting"
+
+run_list %w[
+ role[postgresql_client]
+ kosmos_akaunting::default
+]
diff --git a/roles/postgresql_primary.rb b/roles/postgresql_primary.rb
index 5f3f2bd..ff26fa9 100644
--- a/roles/postgresql_primary.rb
+++ b/roles/postgresql_primary.rb
@@ -3,6 +3,7 @@ name "postgresql_primary"
 run_list %w(
 kosmos_postgresql::primary
 kosmos_postgresql::firewall
+ kosmos_akaunting::pg_db
 kosmos-bitcoin::lndhub-go_pg_db
 kosmos-bitcoin::nbxplorer_pg_db
 kosmos_drone::pg_db
diff --git a/site-cookbooks/kosmos_akaunting/.gitignore b/site-cookbooks/kosmos_akaunting/.gitignore
new file mode 100644
index 0000000..f1e57b8
--- /dev/null
+++ b/site-cookbooks/kosmos_akaunting/.gitignore
@@ -0,0 +1,25 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef Infra
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
+
+.idea/
+
diff --git a/site-cookbooks/kosmos_akaunting/Policyfile.rb b/site-cookbooks/kosmos_akaunting/Policyfile.rb
new file mode 100644
index 0000000..98151f3
--- /dev/null
+++ b/site-cookbooks/kosmos_akaunting/Policyfile.rb
@@ -0,0 +1,16 @@
+# Policyfile.rb - Describe how you want Chef Infra Client to build your system.
+#
+# For more information on the Policyfile feature, visit
+# https://docs.chef.io/policyfile/
+
+# A name that describes what the system you're building with Chef does.
+name 'kosmos_akaunting'
+
+# Where to find external cookbooks:
+default_source :supermarket
+
+# run_list: chef-client will run these recipes in the order specified.
+run_list 'kosmos_akaunting::default'
+
+# Specify a custom source for a single cookbook:
+cookbook 'kosmos_akaunting', path: '.'
diff --git a/site-cookbooks/kosmos_akaunting/README.md b/site-cookbooks/kosmos_akaunting/README.md
new file mode 100644
index 0000000..9a99473
--- /dev/null
+++ b/site-cookbooks/kosmos_akaunting/README.md
@@ -0,0 +1,4 @@
+# kosmos_akaunting
+
+TODO: Enter the cookbook description here.
+
diff --git a/site-cookbooks/kosmos_akaunting/attributes/default.rb b/site-cookbooks/kosmos_akaunting/attributes/default.rb
new file mode 100644
index 0000000..13467de
--- /dev/null
+++ b/site-cookbooks/kosmos_akaunting/attributes/default.rb
@@ -0,0 +1,5 @@
+node.default["akaunting"]["user"] = "deploy"
+node.default["akaunting"]["group"] = "www-data"
+node.default["akaunting"]["repo"] = "https://github.com/akaunting/akaunting.git"
+node.default["akaunting"]["revision"] = "3.1.12"
+node.default["akaunting"]["port"] = 80
diff --git a/site-cookbooks/kosmos_akaunting/chefignore b/site-cookbooks/kosmos_akaunting/chefignore
new file mode 100644
index 0000000..cc170ea
--- /dev/null
+++ b/site-cookbooks/kosmos_akaunting/chefignore
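Review bot: `node.default["akaunting"]["revision"] = "3.1.12"` pins the deployed source to a git tag, and the `git` resource in `recipes/default.rb` syncs whatever that tag resolves to at run time; tags on a third-party repository can be moved or re-pushed, so a full commit hash pins the supply chain more firmly, e.g. `node.default["akaunting"]["revision"] = "<full commit sha that tag 3.1.12 resolves to>"` with the tag name kept in a trailing comment for readability. The file has no comments at all; a one-line header such as `# Deployment settings for the Akaunting checkout managed by recipes/default.rb` and a note on `port` saying what consumes it would help the next maintainer, since the recipe visible in this commit does not read `node["akaunting"]["port"]`.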
@@ -0,0 +1,115 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db +.envrc + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +REVISION +TAGS* +tmtags +.vscode +.editorconfig + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out +mkmf.log + +# Testing # +########### +.circleci/* +.codeclimate.yml +.delivery/* +.foodcritic +.kitchen* +.mdlrc +.overcommit.yml +.rspec +.rubocop.yml +.travis.yml +.watchr +.yamllint +azure-pipelines.yml +Dangerfile +examples/* +features/* +Guardfile +kitchen.yml* +mlc_config.json +Procfile +Rakefile +spec/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitkeep +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Documentation # +############# +CODE_OF_CONDUCT* +CONTRIBUTING* +documentation/* +TESTING* +UPGRADING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/site-cookbooks/kosmos_akaunting/kitchen.yml b/site-cookbooks/kosmos_akaunting/kitchen.yml new file mode 100644 index 0000000..cef0219 --- /dev/null +++ b/site-cookbooks/kosmos_akaunting/kitchen.yml 
@@ -0,0 +1,31 @@
+---
+driver:
+ name: vagrant
+
+## The forwarded_port port feature lets you connect to ports on the VM guest
+## via localhost on the host.
+## see also: https://www.vagrantup.com/docs/networking/forwarded_ports
+
+# network:
+# - ["forwarded_port", {guest: 80, host: 8080}]
+
+provisioner:
+ name: chef_zero
+
+ ## product_name and product_version specifies a specific Chef product and version to install.
+ ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/
+ # product_name: chef
+ # product_version: 17
+
+verifier:
+ name: inspec
+
+platforms:
+ - name: ubuntu-20.04
+ - name: centos-8
+
+suites:
+ - name: default
+ verifier:
+ inspec_tests:
+ - test/integration/default
diff --git a/site-cookbooks/kosmos_akaunting/metadata.rb b/site-cookbooks/kosmos_akaunting/metadata.rb
new file mode 100644
index 0000000..af9a2ec
--- /dev/null
+++ b/site-cookbooks/kosmos_akaunting/metadata.rb
@@ -0,0 +1,9 @@
+name 'kosmos_akaunting'
+maintainer 'Kosmos Developers'
+maintainer_email 'mail@kosmos.org'
+license 'MIT'
+description 'Installs/configures akaunting for Kosmos'
+version '0.1.0'
+chef_version '>= 18.0'
+
+depends 'kosmos-nodejs'
diff --git a/site-cookbooks/kosmos_akaunting/recipes/default.rb b/site-cookbooks/kosmos_akaunting/recipes/default.rb
new file mode 100644
index 0000000..4592c0b
--- /dev/null
+++ b/site-cookbooks/kosmos_akaunting/recipes/default.rb
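Review bot: The `platforms` list (`ubuntu-20.04`, `centos-8`) does not match what this cookbook targets: `nodes/akaunting-1.json` in the same commit reports `platform_version` 22.04, and the default recipe installs `nginx` and the `php8.1-*` packages by their Debian-family names, which will not resolve on centos-8, so the kitchen suite as written cannot converge on either listed platform the way production does. Replacing the two entries with `- name: ubuntu-22.04` keeps the suite runnable against the real target. This looks like the unedited generator scaffold, so the commented `product_name`/`product_version` block could also be dropped or set to the Chef 18 line that `metadata.rb` requires via `chef_version '>= 18.0'`.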
@@ -0,0 +1,148 @@
+#
+# Cookbook:: kosmos_akaunting
+# Recipe:: default
+#
+
+app_name = "akaunting"
+deploy_user = node["akaunting"]["user"]
+deploy_group = node["akaunting"]["group"]
+deploy_path = "/opt/#{app_name}"
+credentials = data_bag_item("credentials", "akaunting")
+pg_host = search(:node, "role:postgresql_primary").first["knife_zero"]["host"] rescue "localhost"
+
+env = {
+ app_name: "Akaunting",
+ app_env: "production",
+ app_locale: "en-US",
+ app_installed: "true",
+ app_key: credentials["app_key"],
+ app_debug: "true",
+ app_schedule_time: "\"09:00\"",
+ app_url: "http://akaunting.kosmos.org",
+ db_connection: "pgsql",
+ db_host: pg_host,
+ db_port: "5432",
+ db_database: credentials["pg_database"],
+ db_username: credentials["pg_username"],
+ db_password: credentials["pg_password"],
+ log_level: "debug"
+ # mail_mailer: "mail",
+ # mail_host: "localhost",
+ # mail_port: "2525",
+ # mail_username: "null",
+ # mail_password: "null",
+ # mail_encryption: "null",
+ # mail_from_name: "null",
+ # mail_from_address: "null",
+}
+
+%w[
+ unzip nginx php8.1 php8.1-cli php8.1-bcmath php8.1-ctype php8.1-curl
+ php8.1-dom php8.1-fileinfo php8.1-intl php8.1-fpm php8.1-gd php8.1-mbstring
+ php8.1-pdo php8.1-pgsql php8.1-tokenizer php8.1-xml php8.1-zip
+].each do |pkg|
+ package pkg
+end
+
+# TODO install composer
+
+node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_18.x"
+include_recipe "kosmos-nodejs"
+
+group deploy_group
+
+user deploy_user do
+ group deploy_group
+ manage_home true
+ shell "/bin/bash"
+end
+
+directory deploy_path do
+ owner deploy_user
+ group deploy_group
+ mode "0775"
+end
+
+git deploy_path do
+ repository node[app_name]["repo"]
+ revision node[app_name]["revision"]
+ user deploy_user
+ group deploy_group
+ action :sync
+ notifies :run, "execute[composer_install]", :immediately
+ notifies :run, "execute[npm_install]", :immediately
+ notifies :restart, "service[php8.1-fpm]", :delayed
+end
+
+execute "composer_install" do
+ user deploy_user
+ cwd deploy_path
+ command "composer install"
+ action :nothing
+end
+
+execute "npm_install" do
+ user deploy_user
+ cwd deploy_path
+ command "npm install"
+ action :nothing
+ notifies :run, "execute[compile_assets]", :immediately
+end
+
+execute "compile_assets" do
+ user deploy_user
+ cwd deploy_path
+ command "npm run prod"
+ action :nothing
+end
+
+execute "set_storage_permissions" do
+ command "chown -R www-data:www-data #{deploy_path}/storage"
+end
+
+template "#{deploy_path}/.env" do
+ source 'env.erb'
+ owner deploy_user
+ group deploy_group
+ mode 0660
+ sensitive true
+ variables config: env
+ notifies :restart, "service[php8.1-fpm]", :delayed
+end
+
+template "/etc/nginx/sites-available/default" do
+ source 'nginx-local.conf.erb'
+ owner deploy_user
+ group deploy_group
+ mode 0660
+ variables deploy_path: deploy_path,
+ port: node["akaunting"]["port"]
+ notifies :restart, "service[nginx]", :delayed
+end
+
+# template "/etc/php/8.1/fpm/pool.d/akaunting.conf" do
+# source 'php-fpm.pool.erb'
+# owner deploy_user
+# group deploy_group
+# mode 0600
+# variables user: deploy_user,
+# group: deploy_group,
+# chdir: deploy_path,
+# port: node["akaunting"]["port"]
+# notifies :restart, "service[php8.1-fpm]", :delayed
+# end
+
+service "php8.1-fpm" do
+ action [:enable, :start]
+end
+
+service "nginx" do
+ action [:enable, :start]
+end
+
+firewall_rule "akaunting_zerotier" do
+ command :allow
+ port node["akaunting"]["port"]
+ protocol :tcp
+ source "10.1.1.0/24"
+end
diff --git a/site-cookbooks/kosmos_akaunting/recipes/pg_db.rb b/site-cookbooks/kosmos_akaunting/recipes/pg_db.rb
new file mode 100644
index 0000000..d89dcda
--- /dev/null
+++ b/site-cookbooks/kosmos_akaunting/recipes/pg_db.rb
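Review bot: `app_debug: "true"` and `log_level: "debug"` sit next to `app_env: "production"` in the env hash; Laravel's debug error page typically renders stack traces and environment details, which on this install would include the database credentials and `app_key` that the same hash writes into `.env`, so it should be `app_debug: "false"` (and `log_level` lowered) before this host serves real traffic. The nginx vhost `/etc/nginx/sites-available/default` is written with `owner deploy_user` and `mode 0660`, which lets the unprivileged deploy account rewrite a file nginx's root master process reads on restart; root-owned `0644` is the usual ownership for server configuration. The `firewall_rule` opens `node["akaunting"]["port"]`, but the rendered vhost listens on `80 default_server` and never uses the `port` variable passed to it, so one of the two seems out of sync and it is worth confirming which port is intended. `execute "set_storage_permissions"` runs `chown -R` on every converge with no guard; a `not_if` test or a `directory` resource with `recursive true` would keep it idempotent.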
@@ -0,0 +1,16 @@
+#
+# Cookbook:: kosmos_akaunting
+# Recipe:: pg_db
+#
+
+credentials = data_bag_item("credentials", "akaunting")
+
+postgresql_user credentials["pg_username"] do
+ action :create
+ password credentials["pg_password"]
+end
+
+postgresql_database credentials["pg_database"] do
+ owner credentials["pg_username"]
+ action :create
+end
diff --git a/site-cookbooks/kosmos_akaunting/templates/env.erb b/site-cookbooks/kosmos_akaunting/templates/env.erb
new file mode 100644
index 0000000..4b1faa5
--- /dev/null
+++ b/site-cookbooks/kosmos_akaunting/templates/env.erb
@@ -0,0 +1,11 @@
+<% @config.each do |key, value| %>
+<% if value.is_a?(Hash) %>
+<% value.each do |k, v| %>
+<%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
+<% end %>
+<% else %>
+<% if value %>
+<%= key.upcase %>=<%= value.to_s %>
+<% end %>
+<% end %>
+<% end %>
diff --git a/site-cookbooks/kosmos_akaunting/templates/nginx-local.conf.erb b/site-cookbooks/kosmos_akaunting/templates/nginx-local.conf.erb
new file mode 100644
index 0000000..8d99f07
--- /dev/null
+++ b/site-cookbooks/kosmos_akaunting/templates/nginx-local.conf.erb
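Review bot: The `postgresql_user` resource is given `password credentials["pg_password"]` without `sensitive true`, so if the resource reports its properties in converge output or in a failure message the database password can end up in the chef-client log, whereas the `.env` template in default.rb already marks itself sensitive. Adding `sensitive true` to both resources here is a one-line change that keeps the two recipes consistent in how they treat the same data bag values.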
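Review bot: Values are emitted as bare `<%= value.to_s %>` with no quoting, so a value containing whitespace, `#` or a quote character may be truncated or misread by the dotenv parser, and default.rb already has to work around this by pre-quoting `app_schedule_time: "\"09:00\""`. Quoting in the template instead, `<%= key.upcase %>="<%= value.to_s.gsub('"', '\"') %>"`, moves that concern into one place and covers the `app_key` and `db_password` values, which are the ones most likely to contain such characters. The `<% if value %>` guard also silently drops any key whose value is `false`; if that is intentional, a one-line ERB comment saying so would spare the next reader a surprise.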
@@ -0,0 +1,49 @@
+server {
+ listen 80 default_server;
+
+ server_name akaunting.kosmos.org;
+
+ root <%= @deploy_path %>;
+
+ add_header X-Frame-Options "SAMEORIGIN";
+ add_header X-XSS-Protection "1; mode=block";
+ add_header X-Content-Type-Options "nosniff";
+
+ index index.html index.htm index.php;
+
+ charset utf-8;
+
+ location / {
+ try_files $uri $uri/ /index.php?$query_string;
+ }
+
+ # Prevent Direct Access To Protected Files
+ location ~ \.(env|log) {
+ deny all;
+ }
+
+ # Prevent Direct Access To Protected Folders
+ location ~ ^/(^app$|bootstrap|config|database|overrides|resources|routes|storage|tests|artisan) {
+ deny all;
+ }
+
+ # Prevent Direct Access To modules/vendor Folders Except Assets
+ location ~ ^/(modules|vendor)\/(.*)\.((?!ico|gif|jpg|jpeg|png|js\b|css|less|sass|font|woff|woff2|eot|ttf|svg|xls|xlsx).)*$ {
+ deny all;
+ }
+
+ error_page 404 /index.php;
+
+ # Pass PHP Scripts To FastCGI Server
+ location ~ \.php$ {
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ fastcgi_pass unix:/var/run/php/php8.1-fpm.sock; # Depends On The PHP Version
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ include fastcgi_params;
+ }
+
+ location ~ /\.(?!well-known).* {
+ deny all;
+ }
+}
diff --git a/site-cookbooks/kosmos_akaunting/templates/php-fpm.pool.erb b/site-cookbooks/kosmos_akaunting/templates/php-fpm.pool.erb
new file mode 100644
index 0000000..ecf4571
--- /dev/null
+++ b/site-cookbooks/kosmos_akaunting/templates/php-fpm.pool.erb
@@ -0,0 +1,18 @@
+[akaunting]
+user = <%= @user %>
+group = <%= @group %>
+listen = 0.0.0.0:<%= @port %>
+listen.owner = <%= @user %>
+listen.group = <%= @group %>
+listen.mode = 0660
+
+pm = dynamic
+pm.max_children = 10
+pm.start_servers = 4
+pm.min_spare_servers = 2
+pm.max_spare_servers = 6
+pm.max_requests = 500
+
+chdir = <%= @chdir %>
+catch_workers_output = yes
+php_admin_flag[log_errors] = on
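Review bot: In `location ~ ^/(^app$|bootstrap|config|...)` the `^app$` alternative can never match: after `^/` has consumed the leading slash the regex engine is no longer at the start of the URI, so the inner `^` fails and nothing under `/app/` is denied by this block, while the later `location ~ \.php$` still forwards any `.php` path there to FPM. Writing the group as `^/(app|bootstrap|config|database|overrides|resources|routes|storage|tests|artisan)` makes the comment above it true. The template also ignores the `port` variable default.rb passes in and listens on `80 default_server`, which does not line up with the `firewall_rule` that opens `node["akaunting"]["port"]`. `X-XSS-Protection "1; mode=block"` is a legacy header that current browsers ignore and that OWASP now recommends setting to `0` or omitting; a `Content-Security-Policy` header is the modern replacement.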
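Review bot: `listen = 0.0.0.0:<%= @port %>` binds the pool's FastCGI listener on every interface, and FastCGI carries no authentication, so any host that can reach the port can drive the PHP workers; it should be `listen = 127.0.0.1:<%= @port %>` or, matching what nginx-local.conf.erb already expects with `php8.1-fpm.sock`, a unix socket path. `listen.owner`, `listen.group` and `listen.mode` only apply to unix sockets and are ignored for a TCP listen, which hides the fact that the socket is unprotected; keep those three lines only together with a socket path. The `template` resource that would render this file is commented out in default.rb, so the pool is not live yet, but it is better corrected before it is enabled.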
diff --git a/site-cookbooks/kosmos_akaunting/test/integration/default/default_test.rb b/site-cookbooks/kosmos_akaunting/test/integration/default/default_test.rb
new file mode 100644
index 0000000..50edca1
--- /dev/null
+++ b/site-cookbooks/kosmos_akaunting/test/integration/default/default_test.rb
@@ -0,0 +1,16 @@
+# Chef InSpec test for recipe kosmos_akaunting::default
+
+# The Chef InSpec reference, with examples and extensive documentation, can be
+# found at https://docs.chef.io/inspec/resources/
+
+unless os.windows?
+ # This is an example test, replace with your own test.
+ describe user('root'), :skip do
+ it { should exist }
+ end
+end
+
+# This is an example test, replace it with your own test.
+describe port(80), :skip do
+ it { should_not be_listening }
+end