Add nginx proxy for akkounts/kredits API

closes #410

nodes/fornax.kosmos.org.json

@@ -25,6 +25,7 @@
       "kosmos_website",
       "kosmos_website::default",
       "kosmos-ejabberd::nginx",
+      "kosmos-akkounts::nginx_api",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -57,14 +58,13 @@
     "platform_version": "20.04",
     "cloud": null,
     "chef_packages": {
-      "chef": {
-        "version": "17.5.22",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.5.22/lib",
-        "chef_effortless": null
-      },
       "ohai": {
-        "version": "17.5.2",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.5.2/lib/ohai"
+        "version": "15.12.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai"
+      },
+      "chef": {
+        "version": "15.14.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.14.0/lib"
       }
     }
   },

roles/nginx_proxy.rb

@@ -7,6 +7,7 @@ default_run_list = %w(
   kosmos_gitea::nginx
   kosmos_website::default
   kosmos-ejabberd::nginx
+  kosmos-akkounts::nginx_api
 )
 
 env_run_lists(

site-cookbooks/kosmos-akkounts/attributes/default.rb

@@ -1,4 +1,6 @@
 node.default['akkounts']['repo'] = 'https://gitea.kosmos.org/kosmos/akkounts.git'
-node.default['akkounts']['revision'] = 'master'
+node.default['akkounts']['revision'] = 'feature/community_funds_balance'
 node.default['akkounts']['port'] = 3000
 node.default['akkounts']['domain'] = 'accounts.kosmos.org'
+
+node.default['akkounts_api']['domain'] = 'api.kosmos.org'

site-cookbooks/kosmos-akkounts/recipes/default.rb

@@ -175,4 +175,12 @@ rescue IPAddr::InvalidAddressError
   next
 end
 
+# TODO move to nginx proxy
 include_recipe 'kosmos-akkounts::nginx'
+
+firewall_rule "Akkounts private access" do
+  command  :allow
+  port     node["akkounts"]["port"]
+  protocol :tcp
+  source   "10.1.1.0/24"
+end

site-cookbooks/kosmos-akkounts/recipes/nginx.rb

@@ -2,32 +2,13 @@
 # Cookbook Name:: kosmos-akkounts
 # Recipe:: nginx
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2020, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 
 include_recipe "kosmos-nginx"
 app_name    = "akkounts"
 domain      = node[app_name]["domain"]
 
+nginx_certbot_site domain
+
 template "#{node['nginx']['dir']}/sites-available/#{domain}" do
   source "nginx_conf_#{app_name}.erb"
   owner 'www-data'
@@ -43,5 +24,3 @@ end
 nginx_site domain do
   action :enable
 end
-
-nginx_certbot_site domain

site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb

@@ -0,0 +1,30 @@
+#
+# Cookbook Name:: kosmos-akkounts
+# Recipe:: nginx_api
+#
+
+include_recipe "kosmos-nginx"
+domain = node["akkounts_api"]["domain"]
+
+nginx_certbot_site domain
+
+upstream_hosts = []
+search(:node, "role:akkounts").each do |node|
+  upstream_hosts << node["knife_zero"]["host"]
+end
+
+template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
+  source "nginx_conf_akkounts_api.erb"
+  owner "www-data"
+  mode 0640
+  variables domain: domain,
+            upstream_port: node["akkounts"]["port"],
+            upstream_hosts: upstream_hosts,
+            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+  notifies :reload, "service[nginx]", :delayed
+end
+
+nginx_site domain do
+  action :enable
+end

site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb

@@ -0,0 +1,33 @@
+# Generated by Chef
+upstream _akkounts {
+<% @upstream_hosts.each do |host| %>
+  server   <%= host %>:<%= @upstream_port %>;
+<% end %>
+}
+
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name <%= @domain %>;
+
+  ssl_certificate     <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  add_header 'Strict-Transport-Security' 'max-age=31536000';
+
+  location /kredits/ {
+    add_header 'Access-Control-Allow-Origin' '*' always;
+    add_header 'Access-Control-Allow-Methods' 'GET' always;
+    add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
+    add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
+
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Host $http_host;
+    proxy_ssl_server_name on;
+    proxy_buffers 1024 8k;
+    proxy_http_version 1.1;
+
+    proxy_pass http://_akkounts/api/kredits/;
+  }
+}