kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 30 Pull Requests 3 Projects 2 Activity

Refactor RSK nginx sites for proxy/lb usage

Browse Source
This commit is contained in:
Râu Cao 2023-06-18 16:55:38 +02:00
parent 635ca3870a
commit 90f66c74d2
Signed by: raucao
GPG Key ID: 15E65F399D084BA9
9 changed files with 83 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nodes/fornax.kosmos.org.json
View File

@ -36,6 +36,8 @@
"kosmos_garage::firewall_rpc", "kosmos_garage::firewall_rpc",
"kosmos_garage::nginx_web", "kosmos_garage::nginx_web",
"kosmos_gitea::nginx", "kosmos_gitea::nginx",
"kosmos_rsk::nginx_testnet",
"kosmos_rsk::nginx_mainnet",
"kosmos_website", "kosmos_website",
"kosmos_website::default", "kosmos_website::default",
"kosmos-akkounts::nginx", "kosmos-akkounts::nginx",

2
roles/nginx_proxy.rb
View File

@ -22,6 +22,8 @@ default_run_list = %w(
kosmos_garage::firewall_rpc kosmos_garage::firewall_rpc
kosmos_garage::nginx_web kosmos_garage::nginx_web
kosmos_gitea::nginx kosmos_gitea::nginx
kosmos_rsk::nginx_testnet
kosmos_rsk::nginx_mainnet
kosmos_website::default kosmos_website::default
kosmos-akkounts::nginx kosmos-akkounts::nginx
kosmos-akkounts::nginx_api kosmos-akkounts::nginx_api

1
roles/rskj_testnet.rb
View File

@ -9,7 +9,6 @@ default_attributes 'rskj' => {
default_run_list = %w( default_run_list = %w(
kosmos_rsk::rskj kosmos_rsk::rskj
kosmos_rsk::nginx
) )
env_run_lists( env_run_lists(

2
site-cookbooks/kosmos_rsk/attributes/default.rb
View File

@ -1,2 +1,4 @@
node.default['rskj']['version'] = '4.4.0~focal' node.default['rskj']['version'] = '4.4.0~focal'
node.default['rskj']['network'] = 'testnet' node.default['rskj']['network'] = 'testnet'
node.default['rskj']['nginx']['domain'] = nil

27
site-cookbooks/kosmos_rsk/recipes/nginx.rb
View File

@ -1,27 +0,0 @@
#
# Cookbook Name:: kosmos_rsk
# Recipe:: nginx
#
include_recipe "kosmos-nginx"
app_name = "rskj"
domain = node[app_name]["nginx"]["domain"]
nginx_certbot_site domain
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
source "nginx_conf_#{app_name}.erb"
owner 'www-data'
mode 0640
variables app_name: app_name,
domain: domain,
port: "4444",
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
notifies :reload, 'service[nginx]', :delayed
end
nginx_site domain do
action :enable
end

8
site-cookbooks/kosmos_rsk/recipes/nginx_mainnet.rb Normal file
View File

@ -0,0 +1,8 @@
#
# Cookbook Name:: kosmos_rsk
# Recipe:: nginx_mainnet
#
rskj_nginx_site "mainnet" do
domain "rsk.kosmos.org"
end

8
site-cookbooks/kosmos_rsk/recipes/nginx_testnet.rb Normal file
View File

@ -0,0 +1,8 @@
#
# Cookbook Name:: kosmos_rsk
# Recipe:: nginx_testnet
#
rskj_nginx_site "testnet" do
domain "rsk-testnet.kosmos.org"
end

37
site-cookbooks/kosmos_rsk/resources/nginx_site.rb Normal file
View File

@ -0,0 +1,37 @@
resource_name :rskj_nginx_site
provides :rskj_nginx_site
property :network, String, required: true, name_property: true
property :domain, String, required: true
action :create do
include_recipe "kosmos-nginx"
network = new_resource.network
domain = new_resource.domain
nginx_certbot_site domain
upstream_hosts = []
search(:node, "role:rskj_#{network}").each do |node|
upstream_hosts << node["knife_zero"]["host"]
end
upstream_hosts.push("localhost") if upstream_hosts.empty?
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
source "nginx_conf_rskj.erb"
owner 'www-data'
mode 0640
variables domain: domain,
upstream_name: "rskj_#{network}",
upstream_hosts: upstream_hosts,
upstream_port: "4444",
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
notifies :reload, 'service[nginx]', :delayed
end
nginx_site domain do
action :enable
end
end

32
site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
View File

@ -1,23 +1,39 @@
# Generated by Chef upstream _<%= @upstream_name %> {
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> <% @upstream_hosts.each do |host| %>
server <%= host %>:<%= @upstream_port %>;
<% end %>
}
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
add_header Strict-Transport-Security "max-age=15768000";
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
server_name <%= @domain %>; server_name <%= @domain %>;
add_header Strict-Transport-Security "max-age=15768000";
access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json; access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn; error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
location / { location / {
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
add_header 'Access-Control-Max-Age' 1209600;
add_header 'Content-Type' 'text/plain; charset=utf-8';
add_header 'Content-Length' 0;
return 204;
}
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_redirect off; proxy_redirect off;
proxy_pass http://localhost:<%= @port %>; proxy_pass http://_<%= @upstream_name %>;
} }
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
} }
<% end -%>