Set up public HTTPS endpoint for RSKj

refs #325
2021-08-09 19:02:14 +02:00 · 2021-08-09 19:02:14 +02:00 · 89e27a040f
commit 89e27a040f
parent 0ffddb9d0f
5 changed files with 80 additions and 3 deletions
--- a/nodes/rsk-testnet-1.json
+++ b/nodes/rsk-testnet-1.json
@ -12,11 +12,12 @@
    "hostname": "rsk-testnet-1",
    "ipaddress": "192.168.122.196",
    "roles": [
-
+      "rskj_testnet"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
+      "kosmos_rsk::rskj",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
@ -30,7 +31,9 @@
      "postfix::_common",
      "postfix::_attributes",
      "postfix::sasl_auth",
-      "hostname::default"
+      "hostname::default",
+      "firewall::default",
+      "chef-sugar::default"
    ],
    "platform": "ubuntu",
    "platform_version": "20.04",
@ -48,6 +51,7 @@
    }
  },
  "run_list": [
-    "recipe[kosmos-base]"
+    "recipe[kosmos-base]",
+    "role[rskj_testnet]"
  ]
 }
--- a/roles/rskj_testnet.rb
+++ b/roles/rskj_testnet.rb
@ -0,0 +1,19 @@
+name 'rskj_testnet'
+
+default_attributes 'rskj' => {
+  'network' => 'testnet',
+  'nginx' => {
+    'domain' => 'rsk-testnet.kosmos.org'
+  }
+}
+
+default_run_list = %w(
+  kosmos_rsk::rskj
+  kosmos_rsk::nginx
+)
+
+env_run_lists(
+  '_default' => default_run_list,
+  'development' => default_run_list,
+  'production' => default_run_list
+)
--- a/site-cookbooks/kosmos_rsk/metadata.rb
+++ b/site-cookbooks/kosmos_rsk/metadata.rb
@ -9,3 +9,4 @@ issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
 source_url 'https://gitea.kosmos.org/kosmos/chef'

 depends 'firewall'
+depends 'kosmos-nginx'
--- a/site-cookbooks/kosmos_rsk/recipes/nginx.rb
+++ b/site-cookbooks/kosmos_rsk/recipes/nginx.rb
@ -0,0 +1,27 @@
+#
+# Cookbook Name:: kosmos_rsk
+# Recipe:: nginx
+#
+
+include_recipe "kosmos-nginx"
+
+app_name = "rskj"
+domain   = node[app_name]["nginx"]["domain"]
+
+template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+  source "nginx_conf_#{app_name}.erb"
+  owner 'www-data'
+  mode 0640
+  variables app_name: app_name,
+            domain: domain,
+            port: "4444",
+            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+  notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site domain do
+  action :enable
+end
+
+nginx_certbot_site domain
--- a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
+++ b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
@ -0,0 +1,26 @@
+# Generated by Chef
+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+server {
+  listen 443 ssl http2;
+  add_header Strict-Transport-Security "max-age=15768000";
+
+  ssl_certificate <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  server_name <%= @domain %>;
+
+  access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
+  error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
+
+  root <%= @root_dir %>;
+
+  location / {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Host $http_host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_redirect off;
+    proxy_pass localhost:<%= @port %>;
+   }
+}
+<% end -%>