From 89e27a040fd4c525a54654c9e03c4077d670b95e Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Mon, 9 Aug 2021 19:02:14 +0200
Subject: [PATCH 1/7] Set up public HTTPS endpoint for RSKj refs #325
---
 nodes/rsk-testnet-1.json | 10 ++++---
 roles/rskj_testnet.rb | 19 +++++++++++++
 site-cookbooks/kosmos_rsk/metadata.rb | 1 +
 site-cookbooks/kosmos_rsk/recipes/nginx.rb | 27 +++++++++++++++++++
 .../kosmos_rsk/templates/nginx_conf_rskj.erb | 26 ++++++++++++++++++
 5 files changed, 80 insertions(+), 3 deletions(-)
 create mode 100644 roles/rskj_testnet.rb
 create mode 100644 site-cookbooks/kosmos_rsk/recipes/nginx.rb
 create mode 100644 site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
diff --git a/nodes/rsk-testnet-1.json b/nodes/rsk-testnet-1.json
index dddf579..5e2c80e 100644
--- a/nodes/rsk-testnet-1.json
+++ b/nodes/rsk-testnet-1.json
@@ -12,11 +12,12 @@
 "hostname": "rsk-testnet-1",
 "ipaddress": "192.168.122.196",
 "roles": [
-
+ "rskj_testnet"
 ],
 "recipes": [
 "kosmos-base",
 "kosmos-base::default",
+ "kosmos_rsk::rskj",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
@@ -30,7 +31,9 @@
 "postfix::_common",
 "postfix::_attributes",
 "postfix::sasl_auth",
- "hostname::default"
+ "hostname::default",
+ "firewall::default",
+ "chef-sugar::default"
 ],
 "platform": "ubuntu",
 "platform_version": "20.04",
@@ -48,6 +51,7 @@
 }
 },
 "run_list": [
- "recipe[kosmos-base]"
+ "recipe[kosmos-base]",
+ "role[rskj_testnet]"
 ]
 }
\ No newline at end of file
diff --git a/roles/rskj_testnet.rb b/roles/rskj_testnet.rb
new file mode 100644
index 0000000..665f137
--- /dev/null
+++ b/roles/rskj_testnet.rb
@@ -0,0 +1,19 @@
+name 'rskj_testnet'
+
+default_attributes 'rskj' => {
+ 'network' => 'testnet',
+ 'nginx' => {
+ 'domain' => 'rsk-testnet.kosmos.org'
+ }
+}
+
+default_run_list = %w(
+ kosmos_rsk::rskj
+ kosmos_rsk::nginx
+)
+
+env_run_lists(
+ '_default' => default_run_list,
+ 'development' => default_run_list,
+ 'production' => default_run_list
+)
diff --git a/site-cookbooks/kosmos_rsk/metadata.rb b/site-cookbooks/kosmos_rsk/metadata.rb index b5cd6c7..070026a 100644 --- a/site-cookbooks/kosmos_rsk/metadata.rb +++ b/site-cookbooks/kosmos_rsk/metadata.rb @@ -9,3 +9,4 @@ issues_url 'https://gitea.kosmos.org/kosmos/chef/issues' source_url 'https://gitea.kosmos.org/kosmos/chef' depends 'firewall' +depends 'kosmos-nginx' diff --git a/site-cookbooks/kosmos_rsk/recipes/nginx.rb b/site-cookbooks/kosmos_rsk/recipes/nginx.rb new file mode 100644 index 0000000..c4d5c50 --- /dev/null +++ b/site-cookbooks/kosmos_rsk/recipes/nginx.rb @@ -0,0 +1,27 @@ +# +# Cookbook Name:: kosmos_rsk +# Recipe:: nginx +# + +include_recipe "kosmos-nginx" + +app_name = "rskj" +domain = node[app_name]["nginx"]["domain"] + +template "#{node['nginx']['dir']}/sites-available/#{domain}" do + source "nginx_conf_#{app_name}.erb" + owner 'www-data' + mode 0640 + variables app_name: app_name, + domain: domain, + port: "4444", + ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem" + notifies :reload, 'service[nginx]', :delayed +end + +nginx_site domain do + action :enable +end + +nginx_certbot_site domain diff --git a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb new file mode 100644 index 0000000..4863646 --- /dev/null +++ b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb 
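Review bot: In `recipes/nginx.rb` the vhost file is created with `owner 'www-data'`, so the account nginx workers normally run as on Ubuntu (an assumption; the nginx user is not set in this series) can rewrite a config file that the root-owned master process loads on the next reload. The master reads the site config as root, so the worker account needs neither ownership nor write access: `owner 'root'` with `mode '0644'` is enough. Writing the mode as a quoted string also avoids the bare integer-octal form `mode 0640`.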
@@ -0,0 +1,26 @@ +# Generated by Chef +<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> +server { + listen 443 ssl http2; + add_header Strict-Transport-Security "max-age=15768000"; + + ssl_certificate <%= @ssl_cert %>; + ssl_certificate_key <%= @ssl_key %>; + + server_name <%= @domain %>; + + access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json; + error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn; + + root <%= @root_dir %>; + + location / { + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_redirect off; + proxy_pass localhost:<%= @port %>; + } +} +<% end -%> From 381728456644a9cfe8b62146b2414c901e7f9cf1 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Mon, 9 Aug 2021 19:12:45 +0200 Subject: [PATCH 2/7] Bump version --- site-cookbooks/kosmos_rsk/CHANGELOG.md | 4 ++++ site-cookbooks/kosmos_rsk/metadata.rb | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos_rsk/CHANGELOG.md b/site-cookbooks/kosmos_rsk/CHANGELOG.md index 8f3ba6e..6c75b43 100644 --- a/site-cookbooks/kosmos_rsk/CHANGELOG.md +++ b/site-cookbooks/kosmos_rsk/CHANGELOG.md @@ -2,6 +2,10 @@ This file is used to list changes made in each version of the kosmos_rsk cookbook. +## 0.2.0 + +Add nginx recipe to configure public API access. + ## 0.1.0 Initial release. diff --git a/site-cookbooks/kosmos_rsk/metadata.rb b/site-cookbooks/kosmos_rsk/metadata.rb index 070026a..23e7d33 100644 --- a/site-cookbooks/kosmos_rsk/metadata.rb +++ b/site-cookbooks/kosmos_rsk/metadata.rb @@ -3,7 +3,7 @@ maintainer 'Kosmos Developers' maintainer_email 'ops@kosmos.org' license 'MIT' description 'Installs/configures RSK and related software' -version '0.1.0' +version '0.2.0' chef_version '>= 15.0' issues_url 'https://gitea.kosmos.org/kosmos/chef/issues' source_url 'https://gitea.kosmos.org/kosmos/chef' 
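Review bot: The `location /` block of `nginx_conf_rskj.erb` (added in 1/7) forwards every request on the public vhost to the RSKj JSON-RPC port with no request-rate limit and no cap on body size. Since 7/7 reuses this template for mainnet, consider adding inside the location something like `client_max_body_size 64k;` and `limit_req zone=ZONE_NAME burst=20 nodelay;` (constructed values, placeholder zone name), with a matching `limit_req_zone` in the http context. Which RPC modules are reachable is decided by the RSKj configuration, which is not part of this series, so confirm it exposes only the methods meant for public use. The HSTS header also lacks `always`, so it is not sent on error responses: `add_header Strict-Transport-Security "max-age=15768000" always;`.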
From c9d32e02aa868e8e4430459dc3ebb41010b91494 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Sun, 28 Nov 2021 10:02:28 -0600
Subject: [PATCH 3/7] Remove old RSK testnet node config
---
 nodes/rsk-testnet-1.json | 57 ----------------------------------------
 1 file changed, 57 deletions(-)
 delete mode 100644 nodes/rsk-testnet-1.json
diff --git a/nodes/rsk-testnet-1.json b/nodes/rsk-testnet-1.json
deleted file mode 100644
index 5e2c80e..0000000
--- a/nodes/rsk-testnet-1.json
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- "name": "rsk-testnet-1",
- "normal": {
- "knife_zero": {
- "host": "10.1.1.136"
- }
- },
- "automatic": {
- "fqdn": "rsk-testnet-1",
- "os": "linux",
- "os_version": "5.4.0-1026-kvm",
- "hostname": "rsk-testnet-1",
- "ipaddress": "192.168.122.196",
- "roles": [
- "rskj_testnet"
- ],
- "recipes": [
- "kosmos-base",
- "kosmos-base::default",
- "kosmos_rsk::rskj",
- "apt::default",
- "timezone_iii::default",
- "timezone_iii::debian",
- "ntp::default",
- "ntp::apparmor",
- "kosmos-base::systemd_emails",
- "apt::unattended-upgrades",
- "kosmos-base::firewall",
- "kosmos-postfix::default",
- "postfix::default",
- "postfix::_common",
- "postfix::_attributes",
- "postfix::sasl_auth",
- "hostname::default",
- "firewall::default",
- "chef-sugar::default"
- ],
- "platform": "ubuntu",
- "platform_version": "20.04",
- "cloud": null,
- "chef_packages": {
- "ohai": {
- "version": "16.13.0",
- "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.7.0/gems/ohai-16.13.0/lib/ohai"
- },
- "chef": {
- "version": "16.13.16",
- "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.7.0/gems/chef-16.13.16/lib",
- "chef_effortless": null
- }
- }
- },
- "run_list": [
- "recipe[kosmos-base]",
- "role[rskj_testnet]"
- ]
-}
\ No newline at end of file
From 0628d091dccaa86e46eebd93d0bdf14c180e06e6 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe Date: Sun, 28 Nov 2021 10:05:48 -0600 Subject: [PATCH 4/7] Update rsk-testnet-2 with new rskj-testnet role --- nodes/rsk-testnet-2.json | 5 +++-- site-cookbooks/kosmos_rsk/recipes/nginx.rb | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/nodes/rsk-testnet-2.json b/nodes/rsk-testnet-2.json index 5735317..770fb70 100644 --- a/nodes/rsk-testnet-2.json +++ b/nodes/rsk-testnet-2.json @@ -32,6 +32,7 @@ "postfix::_attributes", "postfix::sasl_auth", "hostname::default", + "kosmos_rsk::firewall", "firewall::default", "chef-sugar::default" ], @@ -52,6 +53,6 @@ }, "run_list": [ "recipe[kosmos-base]", - "role[rsk_testnet]" + "role[rskj_testnet]" ] -} \ No newline at end of file +} diff --git a/site-cookbooks/kosmos_rsk/recipes/nginx.rb b/site-cookbooks/kosmos_rsk/recipes/nginx.rb index c4d5c50..242d72f 100644 --- a/site-cookbooks/kosmos_rsk/recipes/nginx.rb +++ b/site-cookbooks/kosmos_rsk/recipes/nginx.rb @@ -8,6 +8,8 @@ include_recipe "kosmos-nginx" app_name = "rskj" domain = node[app_name]["nginx"]["domain"] +nginx_certbot_site domain + template "#{node['nginx']['dir']}/sites-available/#{domain}" do source "nginx_conf_#{app_name}.erb" owner 'www-data' @@ -23,5 +25,3 @@ end nginx_site domain do action :enable end - -nginx_certbot_site domain From f68eceec4cfdd7b2fac7c5bb6d0eee209c67767f Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Sun, 28 Nov 2021 10:08:39 -0600 Subject: [PATCH 5/7] Remove obsolete role --- roles/rsk_testnet.rb | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 roles/rsk_testnet.rb diff --git a/roles/rsk_testnet.rb b/roles/rsk_testnet.rb deleted file mode 100644 index 281b45d..0000000 --- a/roles/rsk_testnet.rb +++ /dev/null @@ -1,5 +0,0 @@ -name "rsk_testnet" - -run_list %w( - kosmos_rsk::rskj -) From 0e1b362644288450c39345e9dd4da073560a1039 Mon Sep 17 00:00:00 2001 
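Review bot: The move of `nginx_certbot_site domain` above the `template` resource in `recipes/nginx.rb` (4/7) carries no comment, yet the order matters: the template from 1/7 renders its `server` block only when `File.exist?(@ssl_cert) && File.exist?(@ssl_key)`. A comment such as `# Request the certificate first; the vhost template renders an empty site until cert and key exist` would keep a later reorder from silently deploying an empty site. Whether `nginx_certbot_site` obtains the certificate within the same converge is not visible here; if issuance fails, the run still enables a vhost with no server block, so a logged warning for that case would help. The `template` block continues outside the hunk.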
From: Sebastian Kippe Date: Mon, 29 Nov 2021 13:33:43 -0600 Subject: [PATCH 6/7] Fix nginx config, deploy LE cert --- nodes/rsk-testnet-2.json | 18 +++++++++++++++--- .../kosmos_rsk/templates/nginx_conf_rskj.erb | 4 ---- 2 files changed, 15 insertions(+), 7 deletions(-) diff --git a/nodes/rsk-testnet-2.json b/nodes/rsk-testnet-2.json index 770fb70..4258baf 100644 --- a/nodes/rsk-testnet-2.json +++ b/nodes/rsk-testnet-2.json @@ -12,12 +12,13 @@ "hostname": "rsk-testnet-2", "ipaddress": "192.168.122.29", "roles": [ - "rsk_testnet" + "rskj_testnet" ], "recipes": [ "kosmos-base", "kosmos-base::default", "kosmos_rsk::rskj", + "kosmos_rsk::nginx", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -34,7 +35,18 @@ "hostname::default", "kosmos_rsk::firewall", "firewall::default", - "chef-sugar::default" + "chef-sugar::default", + "kosmos-nginx::default", + "nginx::default", + "nginx::package", + "nginx::ohai_plugin", + "nginx::repo", + "nginx::commons", + "nginx::commons_dir", + "nginx::commons_script", + "nginx::commons_conf", + "kosmos-nginx::firewall", + "kosmos-base::letsencrypt" ], "platform": "ubuntu", "platform_version": "20.04", @@ -55,4 +67,4 @@ "recipe[kosmos-base]", "role[rskj_testnet]" ] -} +} \ No newline at end of file diff --git a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb index 4863646..7a4cbd5 100644 --- a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb +++ b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb @@ -12,12 +12,8 @@ server { access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json; error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn; - root <%= @root_dir %>; - location / { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_redirect off; proxy_pass localhost:<%= @port %>; 
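Review bot: Dropping `proxy_set_header Host $http_host;` from `nginx_conf_rskj.erb` (6/7) makes nginx send its default upstream Host (`$proxy_host`, i.e. the `localhost` target of `proxy_pass`), and the template has no comment saying why. If the intent is to satisfy a host allow-list in RSKj (an assumption; that config is not in this series), then `server_name` on this vhost becomes the only check on the client-supplied Host, and requests with an unmatched Host still land here if this is the first or default server on 443. A template comment above the location, e.g. `# Host is deliberately not forwarded; upstream always sees localhost`, plus confirming that kosmos-nginx ships a catch-all default server, would cover it. The `server` block starts and ends outside the hunk.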
From 584da20d3ef9d53aa9f69a8899546d5b27636aee Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Mon, 29 Nov 2021 13:55:04 -0600
Subject: [PATCH 7/7] Deploy nginx reverse proxy for RSK mainnet
---
 nodes/rsk-mainnet-1.json | 19 ++++++++++++++++---
 roles/rsk_mainnet.rb | 11 -----------
 roles/rskj_mainnet.rb | 19 +++++++++++++++++++
 .../kosmos_rsk/templates/nginx_conf_rskj.erb | 2 +-
 4 files changed, 36 insertions(+), 15 deletions(-)
 delete mode 100644 roles/rsk_mainnet.rb
 create mode 100644 roles/rskj_mainnet.rb
diff --git a/nodes/rsk-mainnet-1.json b/nodes/rsk-mainnet-1.json
index efc92a3..1509a4c 100644
--- a/nodes/rsk-mainnet-1.json
+++ b/nodes/rsk-mainnet-1.json
@@ -12,12 +12,13 @@
 "hostname": "rsk-mainnet-1",
 "ipaddress": "192.168.122.233",
 "roles": [
- "rsk_mainnet"
+ "rskj_mainnet"
 ],
 "recipes": [
 "kosmos-base",
 "kosmos-base::default",
 "kosmos_rsk::rskj",
+ "kosmos_rsk::nginx",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
@@ -32,8 +33,20 @@
 "postfix::_attributes",
 "postfix::sasl_auth",
 "hostname::default",
+ "kosmos_rsk::firewall",
 "firewall::default",
- "chef-sugar::default"
+ "chef-sugar::default",
+ "kosmos-nginx::default",
+ "nginx::default",
+ "nginx::package",
+ "nginx::ohai_plugin",
+ "nginx::repo",
+ "nginx::commons",
+ "nginx::commons_dir",
+ "nginx::commons_script",
+ "nginx::commons_conf",
+ "kosmos-nginx::firewall",
+ "kosmos-base::letsencrypt"
 ],
 "platform": "ubuntu",
 "platform_version": "20.04",
@@ -52,6 +65,6 @@
 },
 "run_list": [
 "recipe[kosmos-base]",
- "role[rsk_mainnet]"
+ "role[rskj_mainnet]"
 ]
 }
\ No newline at end of file
diff --git a/roles/rsk_mainnet.rb b/roles/rsk_mainnet.rb
deleted file mode 100644
index cfa58c1..0000000
--- a/roles/rsk_mainnet.rb
+++ /dev/null
@@ -1,11 +0,0 @@
-name "rsk_mainnet"
-
-run_list %w(
- kosmos_rsk::rskj
-)
-
-override_attributes(
- :rskj => {
- :network => "mainnet"
- }
-)
diff --git a/roles/rskj_mainnet.rb b/roles/rskj_mainnet.rb
new file mode 100644
index 0000000..0a0d9e1
--- /dev/null
+++ b/roles/rskj_mainnet.rb
@@ -0,0 +1,19 @@
+name 'rskj_mainnet'
+
+default_attributes 'rskj' => {
+ 'network' => 'mainnet',
+ 'nginx' => {
+ 'domain' => 'rsk.kosmos.org'
+ }
+}
+
+default_run_list = %w(
+ kosmos_rsk::rskj
+ kosmos_rsk::nginx
+)
+
+env_run_lists(
+ '_default' => default_run_list,
+ 'development' => default_run_list,
+ 'production' => default_run_list
+)
diff --git a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
index 7a4cbd5..0c18d52 100644
--- a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
+++ b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb
@@ -16,7 +16,7 @@ server {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_redirect off;
- proxy_pass localhost:<%= @port %>;
+ proxy_pass http://localhost:<%= @port %>;
 }
 }
 <% end -%>
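Review bot: `roles/rskj_mainnet.rb` sets `'network' => 'mainnet'` through `default_attributes`, whereas the deleted `roles/rsk_mainnet.rb` used `override_attributes`, so the network selection drops to a lower precedence level. A `force_default`, `normal` or `override` value for `rskj.network` set anywhere else would now win over the role; if the cookbook only sets a plain cookbook-level default this is harmless, but that attributes file is not shown. If the stronger guarantee was deliberate for mainnet, keep that one key at override level, e.g. `override_attributes 'rskj' => { 'network' => 'mainnet' }`, and leave the nginx domain in `default_attributes`.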