Merge pull request 'Set up public HTTPS endpoint for RSKj' (#337) from feature/rskj_public_endpoint into master

Reviewed-on: #337
2021-12-02 17:26:00 +00:00 · 2021-12-02 17:26:00 +00:00 · a75237e0fb
parent 62d7998da8 5ac53633cd
commit a75237e0fb
11 changed files with 125 additions and 76 deletions
--- a/nodes/rsk-mainnet-1.json
+++ b/nodes/rsk-mainnet-1.json
@ -12,12 +12,13 @@
    "hostname": "rsk-mainnet-1",
    "ipaddress": "192.168.122.233",
    "roles": [
-      "rsk_mainnet"
+      "rskj_mainnet"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_rsk::rskj",
+      "kosmos_rsk::nginx",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
@ -32,8 +33,20 @@
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
+      "kosmos_rsk::firewall",
      "firewall::default",
-      "chef-sugar::default"
+      "chef-sugar::default",
+      "kosmos-nginx::default",
+      "nginx::default",
+      "nginx::package",
+      "nginx::ohai_plugin",
+      "nginx::repo",
+      "nginx::commons",
+      "nginx::commons_dir",
+      "nginx::commons_script",
+      "nginx::commons_conf",
+      "kosmos-nginx::firewall",
+      "kosmos-base::letsencrypt"
    ],
    "platform": "ubuntu",
    "platform_version": "20.04",
@ -52,6 +65,6 @@
  },
  "run_list": [
    "recipe[kosmos-base]",
-    "role[rsk_mainnet]"
+    "role[rskj_mainnet]"
  ]
 }
--- a/nodes/rsk-testnet-1.json
+++ b/nodes/rsk-testnet-1.json
@ -1,53 +0,0 @@
-{
-  "name": "rsk-testnet-1",
-  "normal": {
-    "knife_zero": {
-      "host": "10.1.1.136"
-    }
-  },
-  "automatic": {
-    "fqdn": "rsk-testnet-1",
-    "os": "linux",
-    "os_version": "5.4.0-1026-kvm",
-    "hostname": "rsk-testnet-1",
-    "ipaddress": "192.168.122.196",
-    "roles": [
-
-    ],
-    "recipes": [
-      "kosmos-base",
-      "kosmos-base::default",
-      "apt::default",
-      "timezone_iii::default",
-      "timezone_iii::debian",
-      "ntp::default",
-      "ntp::apparmor",
-      "kosmos-base::systemd_emails",
-      "apt::unattended-upgrades",
-      "kosmos-base::firewall",
-      "kosmos-postfix::default",
-      "postfix::default",
-      "postfix::_common",
-      "postfix::_attributes",
-      "postfix::sasl_auth",
-      "hostname::default"
-    ],
-    "platform": "ubuntu",
-    "platform_version": "20.04",
-    "cloud": null,
-    "chef_packages": {
-      "ohai": {
-        "version": "16.13.0",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.7.0/gems/ohai-16.13.0/lib/ohai"
-      },
-      "chef": {
-        "version": "16.13.16",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.7.0/gems/chef-16.13.16/lib",
-        "chef_effortless": null
-      }
-    }
-  },
-  "run_list": [
-    "recipe[kosmos-base]"
-  ]
-}
--- a/nodes/rsk-testnet-2.json
+++ b/nodes/rsk-testnet-2.json
@ -12,12 +12,13 @@
    "hostname": "rsk-testnet-2",
    "ipaddress": "192.168.122.29",
    "roles": [
-      "rsk_testnet"
+      "rskj_testnet"
    ],
    "recipes": [
      "kosmos-base",
      "kosmos-base::default",
      "kosmos_rsk::rskj",
+      "kosmos_rsk::nginx",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
@ -32,8 +33,20 @@
      "postfix::_attributes",
      "postfix::sasl_auth",
      "hostname::default",
+      "kosmos_rsk::firewall",
      "firewall::default",
-      "chef-sugar::default"
+      "chef-sugar::default",
+      "kosmos-nginx::default",
+      "nginx::default",
+      "nginx::package",
+      "nginx::ohai_plugin",
+      "nginx::repo",
+      "nginx::commons",
+      "nginx::commons_dir",
+      "nginx::commons_script",
+      "nginx::commons_conf",
+      "kosmos-nginx::firewall",
+      "kosmos-base::letsencrypt"
    ],
    "platform": "ubuntu",
    "platform_version": "20.04",
@ -52,6 +65,6 @@
  },
  "run_list": [
    "recipe[kosmos-base]",
-    "role[rsk_testnet]"
+    "role[rskj_testnet]"
  ]
 }
--- a/roles/rsk_mainnet.rb
+++ b/roles/rsk_mainnet.rb
@ -1,11 +0,0 @@
-name "rsk_mainnet"
-
-run_list %w(
-  kosmos_rsk::rskj
-)
-
-override_attributes(
-  :rskj => {
-    :network => "mainnet"
-  }
-)
--- a/roles/rsk_testnet.rb
+++ b/roles/rsk_testnet.rb
@ -1,5 +0,0 @@
-name "rsk_testnet"
-
-run_list %w(
-  kosmos_rsk::rskj
-)
--- a/roles/rskj_mainnet.rb
+++ b/roles/rskj_mainnet.rb
@ -0,0 +1,19 @@
+name 'rskj_mainnet'
+
+default_attributes 'rskj' => {
+  'network' => 'mainnet',
+  'nginx' => {
+    'domain' => 'rsk.kosmos.org'
+  }
+}
+
+default_run_list = %w(
+  kosmos_rsk::rskj
+  kosmos_rsk::nginx
+)
+
+env_run_lists(
+  '_default' => default_run_list,
+  'development' => default_run_list,
+  'production' => default_run_list
+)
--- a/roles/rskj_testnet.rb
+++ b/roles/rskj_testnet.rb
@ -0,0 +1,19 @@
+name 'rskj_testnet'
+
+default_attributes 'rskj' => {
+  'network' => 'testnet',
+  'nginx' => {
+    'domain' => 'rsk-testnet.kosmos.org'
+  }
+}
+
+default_run_list = %w(
+  kosmos_rsk::rskj
+  kosmos_rsk::nginx
+)
+
+env_run_lists(
+  '_default' => default_run_list,
+  'development' => default_run_list,
+  'production' => default_run_list
+)
--- a/site-cookbooks/kosmos_rsk/CHANGELOG.md
+++ b/site-cookbooks/kosmos_rsk/CHANGELOG.md
@ -2,6 +2,10 @@

 This file is used to list changes made in each version of the kosmos_rsk cookbook.

+## 0.2.0
+
+Add nginx recipe to configure public API access.
+
 ## 0.1.0

 Initial release.
--- a/site-cookbooks/kosmos_rsk/metadata.rb
+++ b/site-cookbooks/kosmos_rsk/metadata.rb
@ -3,9 +3,10 @@ maintainer 'Kosmos Developers'
 maintainer_email 'ops@kosmos.org'
 license 'MIT'
 description 'Installs/configures RSK and related software'
-version '0.1.0'
+version '0.2.0'
 chef_version '>= 15.0'
 issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
 source_url 'https://gitea.kosmos.org/kosmos/chef'

 depends 'firewall'
+depends 'kosmos-nginx'
--- a/site-cookbooks/kosmos_rsk/recipes/nginx.rb
+++ b/site-cookbooks/kosmos_rsk/recipes/nginx.rb
@ -0,0 +1,27 @@
+#
+# Cookbook Name:: kosmos_rsk
+# Recipe:: nginx
+#
+
+include_recipe "kosmos-nginx"
+
+app_name = "rskj"
+domain   = node[app_name]["nginx"]["domain"]
+
+nginx_certbot_site domain
+
+template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+  source "nginx_conf_#{app_name}.erb"
+  owner 'www-data'
+  mode 0640
+  variables app_name: app_name,
+            domain: domain,
+            port: "4444",
+            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+  notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site domain do
+  action :enable
+end
--- a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
+++ b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
@ -0,0 +1,22 @@
+# Generated by Chef
+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+server {
+  listen 443 ssl http2;
+  add_header Strict-Transport-Security "max-age=15768000";
+
+  ssl_certificate <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  server_name <%= @domain %>;
+
+  access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
+  error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
+
+  location / {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_redirect off;
+    proxy_pass http://localhost:<%= @port %>;
+   }
+}
+<% end -%>