diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json
index c216554..d8d9133 100644
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@@ -36,6 +36,8 @@
 "kosmos_garage::firewall_rpc",
 "kosmos_garage::nginx_web",
 "kosmos_gitea::nginx",
+ "kosmos_rsk::nginx_testnet",
+ "kosmos_rsk::nginx_mainnet",
 "kosmos_website",
 "kosmos_website::default",
 "kosmos-akkounts::nginx",
diff --git a/roles/nginx_proxy.rb b/roles/nginx_proxy.rb
index 2444bd9..bc6cc58 100644
--- a/roles/nginx_proxy.rb
+++ b/roles/nginx_proxy.rb
@@ -22,6 +22,8 @@ default_run_list = %w(
 kosmos_garage::firewall_rpc
 kosmos_garage::nginx_web
 kosmos_gitea::nginx
+ kosmos_rsk::nginx_testnet
+ kosmos_rsk::nginx_mainnet
 kosmos_website::default
 kosmos-akkounts::nginx
 kosmos-akkounts::nginx_api
diff --git a/roles/rskj_testnet.rb b/roles/rskj_testnet.rb
index 665f137..eff18a0 100644
--- a/roles/rskj_testnet.rb
+++ b/roles/rskj_testnet.rb
@@ -9,7 +9,6 @@ default_attributes 'rskj' => {
 default_run_list = %w(
 kosmos_rsk::rskj
- kosmos_rsk::nginx
 )
 env_run_lists(
diff --git a/site-cookbooks/kosmos_rsk/attributes/default.rb b/site-cookbooks/kosmos_rsk/attributes/default.rb
index ca48dd0..db0e916 100644
--- a/site-cookbooks/kosmos_rsk/attributes/default.rb
+++ b/site-cookbooks/kosmos_rsk/attributes/default.rb
@@ -1,2 +1,4 @@
 node.default['rskj']['version'] = '4.4.0~focal'
 node.default['rskj']['network'] = 'testnet'
+
+node.default['rskj']['nginx']['domain'] = nil
diff --git a/site-cookbooks/kosmos_rsk/recipes/nginx.rb b/site-cookbooks/kosmos_rsk/recipes/nginx.rb
deleted file mode 100644
index 242d72f..0000000
--- a/site-cookbooks/kosmos_rsk/recipes/nginx.rb
+++ /dev/null
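Review bot: The new attribute `node.default['rskj']['nginx']['domain'] = nil` has no reader anywhere in this change: the deleted `recipes/nginx.rb` was the only consumer of `node[app_name]["nginx"]["domain"]`, and the new `nginx_mainnet`/`nginx_testnet` recipes pass the domain to `rskj_nginx_site` as a literal. Unless something outside the diff reads it, the attribute is dead on arrival and a nil default will puzzle the next maintainer. Since both recipes run on the same proxy host (`roles/nginx_proxy.rb` lists them together), a single attribute could not hold both domains anyway, so dropping the line is the simpler fix; if it is kept for some other consumer, a comment naming that consumer belongs next to it.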
@@ -1,27 +0,0 @@
-#
-# Cookbook Name:: kosmos_rsk
-# Recipe:: nginx
-#
-
-include_recipe "kosmos-nginx"
-
-app_name = "rskj"
-domain = node[app_name]["nginx"]["domain"]
-
-nginx_certbot_site domain
-
-template "#{node['nginx']['dir']}/sites-available/#{domain}" do
- source "nginx_conf_#{app_name}.erb"
- owner 'www-data'
- mode 0640
- variables app_name: app_name,
- domain: domain,
- port: "4444",
- ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
- ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
- notifies :reload, 'service[nginx]', :delayed
-end
-
-nginx_site domain do
- action :enable
-end
diff --git a/site-cookbooks/kosmos_rsk/recipes/nginx_mainnet.rb b/site-cookbooks/kosmos_rsk/recipes/nginx_mainnet.rb
new file mode 100644
index 0000000..cf97f28
--- /dev/null
+++ b/site-cookbooks/kosmos_rsk/recipes/nginx_mainnet.rb
@@ -0,0 +1,8 @@
+#
+# Cookbook Name:: kosmos_rsk
+# Recipe:: nginx_mainnet
+#
+
+rskj_nginx_site "mainnet" do
+ domain "rsk.kosmos.org"
+end
diff --git a/site-cookbooks/kosmos_rsk/recipes/nginx_testnet.rb b/site-cookbooks/kosmos_rsk/recipes/nginx_testnet.rb
new file mode 100644
index 0000000..49a0e89
--- /dev/null
+++ b/site-cookbooks/kosmos_rsk/recipes/nginx_testnet.rb
@@ -0,0 +1,8 @@
+#
+# Cookbook Name:: kosmos_rsk
+# Recipe:: nginx_testnet
+#
+
+rskj_nginx_site "testnet" do
+ domain "rsk-testnet.kosmos.org"
+end
diff --git a/site-cookbooks/kosmos_rsk/resources/nginx_site.rb b/site-cookbooks/kosmos_rsk/resources/nginx_site.rb
new file mode 100644
index 0000000..2230655
--- /dev/null
+++ b/site-cookbooks/kosmos_rsk/resources/nginx_site.rb
@@ -0,0 +1,37 @@
+resource_name :rskj_nginx_site
+provides :rskj_nginx_site
+
+property :network, String, required: true, name_property: true
+property :domain, String, required: true
+
+action :create do
+ include_recipe "kosmos-nginx"
+
+ network = new_resource.network
+ domain = new_resource.domain
+
+ nginx_certbot_site domain
+
+ upstream_hosts = []
+ search(:node, "role:rskj_#{network}").each do |node|
+ upstream_hosts << node["knife_zero"]["host"]
+ end
+ upstream_hosts.push("localhost") if upstream_hosts.empty?
+
+ template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+ source "nginx_conf_rskj.erb"
+ owner 'www-data'
+ mode 0640
+ variables domain: domain,
+ upstream_name: "rskj_#{network}",
+ upstream_hosts: upstream_hosts,
+ upstream_port: "4444",
+ ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+ notifies :reload, 'service[nginx]', :delayed
+ end
+
+ nginx_site domain do
+ action :enable
+ end
+end
diff --git a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
index 1a14d5c..9831d8b 100644
--- a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
+++ b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
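Review bot: The block parameter `|node|` in `search(:node, "role:rskj_#{network}").each do |node|` shadows Chef's `node` method, which the same action reads a few lines later for `node['nginx']['dir']`; renaming it, `search(:node, "role:rskj_#{network}").each do |upstream_node|` with `upstream_hosts << upstream_node["knife_zero"]["host"]`, removes the ambiguity. If a matched node carries no `knife_zero` attribute the `["host"]` call raises on nil, so a guard (a `dig` or an explicit nil check) would be safer, though whether that can happen depends on how these nodes are bootstrapped. The `push("localhost")` fallback silently changes where traffic goes when the search returns nothing (stale index, mis-tagged role); a `Chef::Log.warn("no rskj_#{network} nodes found, proxying to localhost")` beside it would make that visible in the run log. Note that the upstreams are now remote hosts reached over plain HTTP on port 4444 rather than localhost, so that port on the rskj nodes has to be reachable from the proxy and should be restricted to it.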
@@ -1,23 +1,39 @@
-# Generated by Chef
-<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+upstream _<%= @upstream_name %> {
+<% @upstream_hosts.each do |host| %>
+ server <%= host %>:<%= @upstream_port %>;
+<% end %>
+}
+
 server {
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
- add_header Strict-Transport-Security "max-age=15768000";
-
- ssl_certificate <%= @ssl_cert %>;
- ssl_certificate_key <%= @ssl_key %>;
 server_name <%= @domain %>;
+ add_header Strict-Transport-Security "max-age=15768000";
+
 access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
 error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
 location / {
+ if ($request_method = 'OPTIONS') {
+ add_header 'Access-Control-Allow-Origin' '*';
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
+ add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+ add_header 'Access-Control-Max-Age' 1209600;
+ add_header 'Content-Type' 'text/plain; charset=utf-8';
+ add_header 'Content-Length' 0;
+ return 204;
+ }
+
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_redirect off;
- proxy_pass http://localhost:<%= @port %>;
+ proxy_pass http://_<%= @upstream_name %>;
 }
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
 }
-<% end -%>
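Review bot: Dropping the `<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>` guard means the `server` block is now rendered even when the Let's Encrypt files are absent, so a missing or not-yet-issued certificate becomes an nginx config error and a failed delayed reload instead of a skipped vhost; if `nginx_certbot_site` is guaranteed to have issued the certificate before this template renders that is acceptable, otherwise the guard should come back around the `server` block. The CORS headers are added only inside the `if ($request_method = 'OPTIONS')` branch, so the preflight succeeds but the real GET/POST response carries no `Access-Control-Allow-Origin` unless the rskj backend is configured to emit it itself — either document that dependency in a comment here or add `add_header 'Access-Control-Allow-Origin' '*' always;` at `location` level as well. Because nginx does not inherit `add_header` into a block that declares its own, the 204 preflight response also lacks the `Strict-Transport-Security` header set at `server` level; repeating it inside the `if` block, or accepting the gap with a comment, is worth an explicit decision. A wildcard origin on a JSON-RPC endpoint is the usual choice for a public node, but a one-line comment stating that it is intentional would stop a later reader from "fixing" it.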