Basic Sentry setup

Not running the install script automatically at this point yet.

clients/sentry-1.json

@@ -0,0 +1,4 @@
+{
+  "name": "sentry-1",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtZFwP58ym+92YFa0adU3\nVGEJW13NkfaHChx+akB3IioSPKyJ9eOXEI8pOmU3QyqOUKSbqth78DY84hobXlqs\n4O0A7TV029uepcj5zPN047gDsV1TJ6Dakma5eH+Pe5kP/TigCEOF0Cgo+fqtEBEJ\nT/rhSs3zHD1EfBnZdyj/7YyeDv1XLWI8dXoizDUAoBSCDeJ5d7fG56zmFYLV05Ex\nMrjJuHitEmeJXTZABKstRbEd+3Rld+gfJZ/jI4djEW2j1EKAYMT1SxoXdjKlCrpQ\nGux2RSe+Gspt1hyp/flU5gHGO+qLDNSU9tZInClToyFMVBfoW8kWg28Gm2kGkIvr\npQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

environments/production.json

@@ -36,6 +36,9 @@
       "alternate_domains": [
         "mastodon.w7nooprauv6yrnhzh2ajpcnj3doinked2aaztlwfyt6u6pva2qdxqhid.onion"
       ]
+    },
+    "sentry": {
+      "allowed_ips": "10.1.1.0/24"
     }
   }
 }

nodes/sentry-1.json

@@ -0,0 +1,63 @@
+{
+  "name": "sentry-1",
+  "chef_environment": "production",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.132"
+    }
+  },
+  "automatic": {
+    "fqdn": "sentry-1",
+    "os": "linux",
+    "os_version": "5.4.0-1087-kvm",
+    "hostname": "sentry-1",
+    "ipaddress": "192.168.122.251",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "sentry"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos_sentry",
+      "kosmos_sentry::default",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default",
+      "chef-sugar::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "20.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "17.10.3",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "17.9.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[sentry]"
+  ]
+}

roles/sentry.rb

@@ -0,0 +1,11 @@
+name "sentry"
+
+default_run_list = %w(
+  kosmos_sentry::default
+)
+
+env_run_lists(
+  '_default' => default_run_list,
+  'development' => default_run_list,
+  'production' => default_run_list
+)

site-cookbooks/kosmos_sentry/.gitignore

@@ -0,0 +1,25 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef Infra
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
+
+.idea/
+

site-cookbooks/kosmos_sentry/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2023 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

site-cookbooks/kosmos_sentry/attributes/default.rb

@@ -0,0 +1,9 @@
+node.default["sentry"]["repo"] = "https://github.com/getsentry/self-hosted"
+node.default["sentry"]["revision"] = "master"
+node.default["sentry"]["port"] = 80
+node.default["sentry"]["retention_days"] = 90
+node.default["sentry"]["allowed_ips"] = nil
+# The Sentry setup requires docker-compose >= 1.28, which is newer than the
+# latest stable version for Ubuntu 20.04
+node.default["sentry"]["docker-compose"]["version"] = "2.17.0"
+node.default["sentry"]["docker-compose"]["checksum"] = "65edee934d988471c40ef31305731dbb4381d3cb0aeea13342119b61772f85e2"

site-cookbooks/kosmos_sentry/chefignore

@@ -0,0 +1,115 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+.envrc
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+REVISION
+TAGS*
+tmtags
+.vscode
+.editorconfig
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+mkmf.log
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.delivery/*
+.foodcritic
+.kitchen*
+.mdlrc
+.overcommit.yml
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+.yamllint
+azure-pipelines.yml
+Dangerfile
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+mlc_config.json
+Procfile
+Rakefile
+spec/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitkeep
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Documentation #
+#############
+CODE_OF_CONDUCT*
+CONTRIBUTING*
+documentation/*
+TESTING*
+UPGRADING*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

site-cookbooks/kosmos_sentry/metadata.rb

@@ -0,0 +1,12 @@
+name 'kosmos_sentry'
+maintainer 'Kosmos Contributors'
+maintainer_email 'mail@kosmos.org'
+license 'MIT'
+description 'Installs/configures Sentry'
+version '0.1.0'
+chef_version '>= 16.0'
+issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
+source_url 'https://gitea.kosmos.org/kosmos/chef'
+
+depends 'git'
+depends 'firewall'

site-cookbooks/kosmos_sentry/recipes/default.rb

@@ -0,0 +1,82 @@
+#
+# Cookbook:: kosmos_sentry
+# Recipe:: default
+#
+
+package "docker"
+
+remote_file "/usr/local/bin/docker-compose" do
+  source "https://github.com/docker/compose/releases/download/v#{node["sentry"]["docker-compose"]["version"]}/docker-compose-linux-x86_64"
+  checksum node["sentry"]["docker-compose"]["checksum"]
+  mode '0755'
+end
+
+deploy_path = "/opt/sentry"
+
+git deploy_path do
+  repository node["sentry"]["repo"]
+  revision node["sentry"]["revision"]
+end
+
+# TODO
+# Automatically run install script if sentry/sentry.conf.py does not exist yet
+
+env_config = {
+  sentry_event_retention_days: node["sentry"]["retention_days"],
+  sentry_bind: node["sentry"]["bind"] || node["sentry"]["port"],
+  # Default values from upstream
+  compose_project_name: "sentry-self-hosted",
+  sentry_image: "getsentry/sentry:nightly",
+  snuba_image: "getsentry/snuba:nightly",
+  relay_image: "getsentry/relay:nightly",
+  symbolicator_image: "getsentry/symbolicator:nightly",
+  wal2json_version: "latest",
+  healthcheck_interval: "30s",
+  healthcheck_timeout: "60s",
+  healthcheck_retries: "10"
+}
+
+template "#{deploy_path}/.env.custom" do
+  source 'env.custom.erb'
+  mode 0600
+  sensitive true
+  variables config: env_config
+  notifies :restart, "service[sentry]", :delayed
+end
+
+systemd_unit "sentry.service" do
+  content({Unit: {
+             Description: "Sentry service using Docker Compose",
+             Requires: "docker.service",
+             After: "docker.service",
+           },
+           Service: {
+             Type: "oneshot",
+             RemainAfterExit: "true",
+             WorkingDirectory: deploy_path,
+             ExecStart: "docker-compose --env-file #{deploy_path}/.env.custom up -d --remove-orphans",
+             ExecStop: "docker-compose stop",
+             StandardOutput: "syslog"
+           },
+           Install: {
+             WantedBy: "multi-user.target"
+           }})
+  verify false
+  triggers_reload true
+  action [:create]
+end
+
+service "sentry" do
+  action [:enable, :start]
+end
+
+include_recipe 'firewall'
+
+firewall_rule 'sentry' do
+  port     node["sentry"]["port"]
+  protocol :tcp
+  command  :allow
+  if node["sentry"]["allowed_ips"]
+    source node["sentry"]["allowed_ips"]
+  end
+end

site-cookbooks/kosmos_sentry/templates/default/env.custom.erb

@@ -0,0 +1,11 @@
+<% @config.each do |key, value| %>
+<% if value.is_a?(Hash) %>
+<% value.each do |k, v| %>
+<%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
+<% end %>
+<% else %>
+<% if value %>
+<%= key.upcase %>=<%= value.to_s %>
+<% end %>
+<% end %>
+<% end %>