Make Mastodon services listen on private IP in prod

And allow access to them from the private network
2022-11-30 11:54:33 +01:00 · 2022-11-30 11:54:33 +01:00 · c4d43b7f4e
parent 3df9611a9d
commit c4d43b7f4e
6 changed files with 44 additions and 16 deletions
--- a/nodes/mastodon-3.json
+++ b/nodes/mastodon-3.json
@ -1,5 +1,6 @@
 {
  "name": "mastodon-3",
+  "chef_environment": "production",
  "normal": {
    "knife_zero": {
      "host": "10.1.1.30"
--- a/site-cookbooks/kosmos-mastodon/attributes/default.rb
+++ b/site-cookbooks/kosmos-mastodon/attributes/default.rb
@ -1,11 +1,12 @@
 node.default["kosmos-mastodon"]["repo"]            = "https://gitea.kosmos.org/kosmos/mastodon.git"
 node.default["kosmos-mastodon"]["revision"]        = "kosmos-production"
 node.default["kosmos-mastodon"]["directory"]       = "/opt/mastodon"
-node.default["kosmos-mastodon"]["puma_port"]       = 3000
-node.default["kosmos-mastodon"]["streaming_port"]  = 4000
 node.default["kosmos-mastodon"]["server_name"]     = "kosmos.social"
 node.default["kosmos-mastodon"]["redis_url"]       = "redis://localhost:6379/0"
 node.default["kosmos-mastodon"]["sidekiq_threads"] = 25
+node.default["kosmos-mastodon"]["bind_ip"]           = "127.0.0.1"
+node.default["kosmos-mastodon"]["app_port"]          = 3000
+node.default["kosmos-mastodon"]["streaming_port"]    = 4000
 # Allocate this amount of RAM to the Java heap for Elasticsearch
 node.default["kosmos-mastodon"]["elasticsearch"]["allocated_memory"] = "1536m"

--- a/site-cookbooks/kosmos-mastodon/metadata.rb
+++ b/site-cookbooks/kosmos-mastodon/metadata.rb
@ -2,19 +2,20 @@ name             'kosmos-mastodon'
 maintainer       'Kosmos'
 maintainer_email 'mail@kosmos.org'
 license          'MIT'
-description      'Installs/Configures kosmos-mastodon'
+description      'Installs/Configures Mastodon'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version          '0.2.1'

-depends "kosmos-nginx"
-depends "kosmos-nodejs"
+depends 'application'
+depends 'application_git'
+depends 'backup'
+depends 'elasticsearch'
+depends 'java'
+depends 'firewall'
 depends 'redisio'
-depends "poise-ruby-build"
-depends "application"
-depends "application_git"
-depends "postgresql"
-depends "kosmos_postgresql"
-depends "backup"
-depends "elasticsearch"
-depends "tor-full"
-depends "java"
+depends 'tor-full'
+depends 'poise-ruby-build'
+depends 'postgresql'
+depends 'kosmos-nginx'
+depends 'kosmos-nodejs'
+depends 'kosmos_postgresql'
--- a/site-cookbooks/kosmos-mastodon/recipes/default.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/default.rb
@ -7,6 +7,7 @@ include_recipe "kosmos-nodejs"
 include_recipe "java"
 include_recipe 'redisio::default'
 include_recipe 'redisio::enable'
+include_recipe 'firewall'

 elasticsearch_user 'elasticsearch'

@ -44,6 +45,12 @@ mastodon_path = node["kosmos-mastodon"]["directory"]

 mastodon_user = "mastodon"

+bind_ip = if node.chef_environment == "production"
+            node["knife_zero"]["host"]
+          else
+            node["kosmos-mastodon"]["bind_ip"]
+          end
+
 group mastodon_user do
  gid 62786
 end
@ -77,7 +84,8 @@ template "/lib/systemd/system/mastodon-web.service" do
  source "mastodon-web.systemd.service.erb"
  variables user: mastodon_user,
            app_dir: mastodon_path,
-            port: node["kosmos-mastodon"]["puma_port"],
+            bind: bind_ip,
+            port: node["kosmos-mastodon"]["app_port"],
            bundle_path: "/opt/ruby_build/builds/#{ruby_version}/bin/bundle"
  notifies :run, "execute[systemctl daemon-reload]", :immediately
  notifies :restart, "service[mastodon-web]", :delayed
@ -113,6 +121,7 @@ template "/lib/systemd/system/mastodon-streaming.service" do
  source "mastodon-streaming.systemd.service.erb"
  variables user: mastodon_user,
            app_dir: mastodon_path,
+            bind: bind_ip,
            port: node["kosmos-mastodon"]["streaming_port"]
  notifies :run, "execute[systemctl daemon-reload]", :immediately
  notifies :restart, "service[mastodon-streaming]", :delayed
@ -215,3 +224,17 @@ application mastodon_path do
    action [:enable, :start]
  end
 end
+
+firewall_rule 'mastodon_app' do
+  port     node['kosmos-mastodon']['app_port']
+  source   "10.1.1.0/24"
+  protocol :tcp
+  command  :allow
+end
+
+firewall_rule 'mastodon_streaming' do
+  port     node['kosmos-mastodon']['streaming_port']
+  source   "10.1.1.0/24"
+  protocol :tcp
+  command  :allow
+end
--- a/site-cookbooks/kosmos-mastodon/templates/default/mastodon-streaming.systemd.service.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/mastodon-streaming.systemd.service.erb
@ -6,6 +6,7 @@ Type=simple
 User=<%= @user %>
 WorkingDirectory=<%= @app_dir %>
 Environment="NODE_ENV=production"
+Environment="BIND=<%= @bind %>"
 Environment="PORT=<%= @port %>"
 ExecStart=/usr/bin/npm run start
 TimeoutSec=15
--- a/site-cookbooks/kosmos-mastodon/templates/default/mastodon-web.systemd.service.erb
+++ b/site-cookbooks/kosmos-mastodon/templates/default/mastodon-web.systemd.service.erb
@ -9,7 +9,8 @@ User=<%= @user %>
 PIDFile=<%= @app_dir %>/tmp/puma.pid
 WorkingDirectory=<%= @app_dir %>
 Environment="RAILS_ENV=production"
-Environment="PORT=3000"
+Environment="BIND=<%= @bind %>"
+Environment="PORT=<%= @port %>"
 Environment="LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
 ExecStart=<%= @bundle_path %> exec puma -C config/puma.rb --pidfile <%= @app_dir %>/tmp/puma.pid
 ExecStop=<%= @bundle_path %> exec puma -C config/puma.rb --pidfile <%= @app_dir %>/tmp/puma.pid stop