Move akkounts nginx to nginx proxy

2023-03-02 18:05:37 +08:00 · 2023-03-02 18:05:37 +08:00 · 8225e1b67b
commit 8225e1b67b
parent e2e857ec76
8 changed files with 33 additions and 30 deletions
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@ -38,6 +38,7 @@
      "kosmos_gitea::nginx",
      "kosmos_website",
      "kosmos_website::default",
+      "kosmos-akkounts::nginx",
      "kosmos-akkounts::nginx_api",
      "kosmos-bitcoin::nginx_lndhub",
      "kosmos-ejabberd::nginx",
--- a/roles/akkounts.rb
+++ b/roles/akkounts.rb
@ -3,7 +3,6 @@ name "akkounts"
 default_run_list = %w(
  role[postgresql_client]
  kosmos-akkounts::default
-  kosmos-akkounts::nginx
 )

 env_run_lists(
--- a/roles/nginx_proxy.rb
+++ b/roles/nginx_proxy.rb
@ -23,6 +23,7 @@ default_run_list = %w(
  kosmos_garage::nginx_web
  kosmos_gitea::nginx
  kosmos_website::default
+  kosmos-akkounts::nginx
  kosmos-akkounts::nginx_api
  kosmos-bitcoin::nginx_lndhub
  kosmos-ejabberd::nginx
--- a/site-cookbooks/kosmos-akkounts/recipes/default.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/default.rb
@ -217,10 +217,7 @@ application deploy_path do
  end
 end

-# TODO move to nginx proxy
-include_recipe 'kosmos-akkounts::nginx'
-
-firewall_rule "Akkounts private access" do
+firewall_rule "akkounts_zerotier" do
  command  :allow
  port     node["akkounts"]["port"]
  protocol :tcp
--- a/site-cookbooks/kosmos-akkounts/recipes/nginx.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/nginx.rb
@ -9,12 +9,20 @@ domain      = node[app_name]["domain"]

 nginx_certbot_site domain

+upstream_hosts = []
+search(:node, "role:akkounts").each do |node|
+  upstream_hosts << node["knife_zero"]["host"]
+end
+upstream_hosts.push("localhost") if upstream_hosts.empty?
+
 template "#{node['nginx']['dir']}/sites-available/#{domain}" do
  source "nginx_conf_#{app_name}.erb"
  owner 'www-data'
  mode 0640
  variables port: node[app_name]['port'],
            domain: domain,
+            upstream_port: node["akkounts"]["port"],
+            upstream_hosts: upstream_hosts,
            root_dir: "/opt/#{app_name}/public",
            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
            ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
--- a/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb
@ -12,6 +12,7 @@ upstream_hosts = []
 search(:node, "role:akkounts").each do |node|
  upstream_hosts << node["knife_zero"]["host"]
 end
+upstream_hosts.push("localhost") if upstream_hosts.empty?

 template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
  source "nginx_conf_akkounts_api.erb"
--- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
@ -1,17 +1,23 @@
 # Generated by Chef
-<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 upstream _akkounts {
-  server   localhost:<%= @port %>;
+<% @upstream_hosts.each do |host| %>
+  server   <%= host %>:<%= @upstream_port %>;
+<% end %>
 }

+proxy_cache_path /var/cache/nginx/akkounts levels=1:2
+                 keys_zone=akkounts_cache:10m
+                 max_size=1g inactive=120m use_temp_path=off;
+
 server {
  listen 443 ssl http2;
-  add_header Strict-Transport-Security "max-age=15768000";
+  listen [::]:443 ssl http2;
+  server_name <%= @domain %>;

-  ssl_certificate <%= @ssl_cert %>;
+  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;

-  server_name <%= @domain %>;
+  add_header Strict-Transport-Security "max-age=15768000";

  access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
  error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
@ -23,32 +29,19 @@ server {
    gzip_static on;
    expires max;
    add_header Cache-Control public;
+    proxy_cache akkounts_cache;
  }

-  try_files $uri/index.html $uri @app;
+  try_files $uri/index.html $uri @proxy;

-  location @app {
-    # an HTTP header important enough to have its own Wikipedia entry:
-    # http://en.wikipedia.org/wiki/X-Forwarded-For
+  location @proxy {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-    # enable this if and only if you use HTTPS, this helps Rack
-    # set the proper protocol for doing redirects:
    proxy_set_header X-Forwarded-Proto https;
-
-    # pass the Host: header from the client right along so redirects
-    # can be set properly within the Rack application
    proxy_set_header Host $http_host;
-
-    # we don't want nginx trying to do something clever with
-    # redirects, we set the Host: header above already.
    proxy_redirect off;
-
-    # Increase number of buffers. Default is 8
    proxy_buffers 1024 8k;
+    proxy_http_version 1.1;

    proxy_pass http://_akkounts;
-    proxy_http_version 1.1;
-   }
+  }
 }
-<% end -%>
--- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb
@ -1,5 +1,5 @@
 # Generated by Chef
-upstream _akkounts {
+upstream _akkounts_api {
 <% @upstream_hosts.each do |host| %>
  server   <%= host %>:<%= @upstream_port %>;
 <% end %>
@ -15,6 +15,9 @@ server {

  add_header 'Strict-Transport-Security' 'max-age=31536000';

+  access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
+  error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
+
  location /kredits/ {
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Methods' 'GET' always;
@ -28,6 +31,6 @@ server {
    proxy_buffers 1024 8k;
    proxy_http_version 1.1;

-    proxy_pass http://_akkounts/api/kredits/;
+    proxy_pass http://_akkounts_api/api/kredits/;
  }
 }