From 8c3bd2e939b22b20e857419da946c22c3fcb0c7c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Wed, 30 Nov 2022 12:13:39 +0100
Subject: [PATCH] Add nginx proxy hosts for Garage Web access

The respective bucket needs to be configured with a domain alias. When a new alias is added to the `s3_web_domains` config, a new nginx site can then be deployed to the `nginx_proxy` hosts.
---
 environments/production.json | 7 ++--
 .../kosmos_garage/attributes/default.rb | 3 +-
 .../kosmos_garage/recipes/nginx_web.rb | 26 +++++++++++++++
 .../templates/nginx_conf_web.erb | 33 +++++++++++++++++++
 4 files changed, 66 insertions(+), 3 deletions(-)
 create mode 100644 site-cookbooks/kosmos_garage/recipes/nginx_web.rb
 create mode 100644 site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb

diff --git a/environments/production.json b/environments/production.json
index 635c0f3..8c0e97a 100644
--- a/environments/production.json
+++ b/environments/production.json
@@ -4,7 +4,10 @@
 "garage": {
 "replication_mode": "2",
 "s3_api_root_domain": ".s3.garage.kosmos.org",
- "s3_web_root_domain": ".web.garage.kosmos.org"
+ "s3_web_root_domain": ".web.garage.kosmos.org",
+ "s3_web_domains": [
+ "s3.kosmos.social"
+ ]
 },
 "gitea": {
 "postgresql_host": "pg.kosmos.local:5432",
@@ -23,4 +26,4 @@
 ]
 }
 }
-}
\ No newline at end of file
+}
diff --git a/site-cookbooks/kosmos_garage/attributes/default.rb b/site-cookbooks/kosmos_garage/attributes/default.rb
index 068ede8..68cf18f 100644
--- a/site-cookbooks/kosmos_garage/attributes/default.rb
+++ b/site-cookbooks/kosmos_garage/attributes/default.rb
@@ -1,5 +1,6 @@
 node.default['garage']['version'] = '0.8.0'
 node.default['garage']['checksum']['amd64'] = '66dd2ea1f677281a43e10eb619523b1b269f8fde9047ce8caa70958f3b13ca74'
+node.default['garage']['replication_mode'] = 'none'
 node.default['garage']['s3_api_port'] = 3900
 node.default['garage']['rpc_port'] = 3901
 node.default['garage']['s3_web_port'] = 3902
@@ -7,4 +8,4 @@ node.default['garage']['admin_port'] = 3903
 node.default['garage']['k2v_api_port'] = 3904
 node.default['garage']['s3_api_root_domain'] = '.s3.garage.localhost'
 node.default['garage']['s3_web_root_domain'] = '.web.garage.localhost'
-node.default['garage']['replication_mode'] = 'none'
+node.default['garage']['s3_web_domains'] = []
diff --git a/site-cookbooks/kosmos_garage/recipes/nginx_web.rb b/site-cookbooks/kosmos_garage/recipes/nginx_web.rb
new file mode 100644
index 0000000..83e6399
--- /dev/null
+++ b/site-cookbooks/kosmos_garage/recipes/nginx_web.rb
@@ -0,0 +1,26 @@
+#
+# Cookbook Name:: kosmos_garage
+# Recipe:: nginx_web
+#
+
+include_recipe "kosmos-nginx"
+
+domains = node['garage']['s3_web_domains']
+
+domains.each do |server_name|
+ nginx_certbot_site server_name
+
+ template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
+ source 'nginx_conf_web.erb'
+ owner 'www-data'
+ mode 0640
+ variables server_name: server_name,
+ ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
+ notifies :reload, 'service[nginx]', :delayed
+ end
+
+ nginx_site server_name do
+ action :enable
+ end
+end
diff --git a/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb b/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
new file mode 100644
index 0000000..566980f
--- /dev/null
+++ b/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
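Review bot: Each `server_name` from `s3_web_domains` is interpolated unvalidated into a filesystem path (`sites-available/#{server_name}`), into the rendered nginx `server_name` line and into the `/etc/letsencrypt/live/...` cert paths, so an entry containing `/`, `..`, whitespace or `;` would write outside sites-available or produce a config that fails at reload. The list comes from the Chef environment JSON, so it is operator-controlled rather than untrusted, but a guard at the top of the block such as `raise ArgumentError, "invalid s3_web_domains entry: #{server_name.inspect}" unless server_name.match?(/\A[a-z0-9.-]+\z/i)` keeps a typo from taking the shared proxy down. The loop also only converges additions: removing a domain from `s3_web_domains` leaves its site file and enabled symlink in place, which is worth stating in a comment above `domains.each do |server_name|` (e.g. `# Only adds sites; a domain removed from the list must be disabled by hand`) or handling with `nginx_site ... action :disable` for entries no longer listed.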
@@ -0,0 +1,33 @@
+upstream garage_web {
+ server localhost:3902;
+}
+
+proxy_cache_path /var/cache/nginx/garage levels=1:2 keys_zone=garage_cache:10m
+ max_size=1g inactive=60m use_temp_path=off;
+
+server {
+ listen 443 http2 ssl;
+ listen [::]:443 http2 ssl;
+
+ server_name <%= @server_name %>;
+
+ access_log off;
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+
+ error_page 401 403 404 500 /__empty-page.html;
+
+ location = /__empty-page.html {
+ internal;
+ return 200 "";
+ }
+
+ location / {
+ proxy_intercept_errors on;
+ proxy_cache garage_cache;
+ proxy_pass http://garage_web;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ }
+}
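Review bot: With more than one entry in `s3_web_domains` the cache will serve one domain's objects under another: `proxy_cache_key` is left at its default `$scheme$proxy_host$request_uri`, and `$proxy_host` is the same `garage_web` for every generated site, so `https://a.example/index.html` and `https://b.example/index.html` share a cache entry even though the forwarded `Host` is what selects the bucket on the Garage side. Adding `proxy_cache_key $scheme$host$request_uri;` next to `proxy_cache garage_cache;` keys the cache per vhost. Separately, this template is rendered once per domain, yet `upstream garage_web {` and `proxy_cache_path ... keys_zone=garage_cache:10m` are http-context directives nginx refuses to see twice (`duplicate upstream "garage_web"`, `duplicate zone "garage_cache"`), so the second site file makes the config test fail; those two stanzas belong in one shared snippet rendered once by the recipe, with this template keeping only the `server` block. The first entry works today, which is presumably why neither issue has surfaced.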