Add nginx proxy hosts for Garage Web access

The respective bucket needs to be configured with a domain alias. When a new alias is added to the `s3_web_domains` config, a new nginx site can then be deployed to the `nginx_proxy` hosts.
2022-11-30 12:13:39 +01:00 · 2022-11-30 12:13:39 +01:00 · b738dc1e80
commit b738dc1e80
parent 3641ea7a60
4 changed files with 66 additions and 3 deletions
--- a/environments/production.json
+++ b/environments/production.json
@ -4,7 +4,10 @@
    "garage": {
      "replication_mode": "2",
      "s3_api_root_domain": ".s3.garage.kosmos.org",
-      "s3_web_root_domain": ".web.garage.kosmos.org"
+      "s3_web_root_domain": ".web.garage.kosmos.org",
+      "s3_web_domains": [
+        "s3.kosmos.social"
+      ]
    },
    "gitea": {
      "postgresql_host": "pg.kosmos.local:5432",
@ -23,4 +26,4 @@
      ]
    }
  }
-}
+}
--- a/site-cookbooks/kosmos_garage/attributes/default.rb
+++ b/site-cookbooks/kosmos_garage/attributes/default.rb
@ -1,5 +1,6 @@
 node.default['garage']['version']            = '0.8.0'
 node.default['garage']['checksum']['amd64']  = '66dd2ea1f677281a43e10eb619523b1b269f8fde9047ce8caa70958f3b13ca74'
+node.default['garage']['replication_mode']   = 'none'
 node.default['garage']['s3_api_port']        = 3900
 node.default['garage']['rpc_port']           = 3901
 node.default['garage']['s3_web_port']        = 3902
@ -7,4 +8,4 @@ node.default['garage']['admin_port']         = 3903
 node.default['garage']['k2v_api_port']       = 3904
 node.default['garage']['s3_api_root_domain'] = '.s3.garage.localhost'
 node.default['garage']['s3_web_root_domain'] = '.web.garage.localhost'
-node.default['garage']['replication_mode']   = 'none'
+node.default['garage']['s3_web_domains']     = []
--- a/site-cookbooks/kosmos_garage/recipes/nginx_web.rb
+++ b/site-cookbooks/kosmos_garage/recipes/nginx_web.rb
@ -0,0 +1,26 @@
+#
+# Cookbook Name:: kosmos_garage
+# Recipe:: nginx_web
+#
+
+include_recipe "kosmos-nginx"
+
+domains = node['garage']['s3_web_domains']
+
+domains.each do |server_name|
+  nginx_certbot_site server_name
+
+  template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
+    source 'nginx_conf_web.erb'
+    owner 'www-data'
+    mode 0640
+    variables server_name:         server_name,
+              ssl_cert:            "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
+              ssl_key:             "/etc/letsencrypt/live/#{server_name}/privkey.pem"
+    notifies :reload, 'service[nginx]', :delayed
+  end
+
+  nginx_site server_name do
+    action :enable
+  end
+end
--- a/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
+++ b/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
@ -0,0 +1,33 @@
+upstream garage_web {
+  server localhost:3902;
+}
+
+proxy_cache_path /var/cache/nginx/garage levels=1:2 keys_zone=garage_cache:10m
+                 max_size=1g inactive=60m use_temp_path=off;
+
+server {
+  listen 443 http2 ssl;
+  listen [::]:443 http2 ssl;
+
+  server_name <%= @server_name %>;
+
+  access_log off;
+
+  ssl_certificate     <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  error_page 401 403 404 500 /__empty-page.html;
+
+  location = /__empty-page.html {
+    internal;
+    return 200 "";
+  }
+
+  location / {
+    proxy_intercept_errors on;
+    proxy_cache garage_cache;
+    proxy_pass http://garage_web;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $host;
+  }
+}