Make Mastodon services listen on private IP in prod

And allow access to them from the private network

site-cookbooks/kosmos-mastodon/recipes/default.rb

@@ -7,6 +7,7 @@ include_recipe "kosmos-nodejs"
 include_recipe "java"
 include_recipe 'redisio::default'
 include_recipe 'redisio::enable'
+include_recipe 'firewall'
 
 elasticsearch_user 'elasticsearch'
 
@@ -44,6 +45,12 @@ mastodon_path = node["kosmos-mastodon"]["directory"]
 
 mastodon_user = "mastodon"
 
+bind_ip = if node.chef_environment == "production"
+            node["knife_zero"]["host"]
+          else
+            node["kosmos-mastodon"]["bind_ip"]
+          end
+
 group mastodon_user do
   gid 62786
 end
@@ -77,7 +84,8 @@ template "/lib/systemd/system/mastodon-web.service" do
   source "mastodon-web.systemd.service.erb"
   variables user: mastodon_user,
             app_dir: mastodon_path,
-            port: node["kosmos-mastodon"]["puma_port"],
+            bind: bind_ip,
+            port: node["kosmos-mastodon"]["app_port"],
             bundle_path: "/opt/ruby_build/builds/#{ruby_version}/bin/bundle"
   notifies :run, "execute[systemctl daemon-reload]", :immediately
   notifies :restart, "service[mastodon-web]", :delayed
@@ -113,6 +121,7 @@ template "/lib/systemd/system/mastodon-streaming.service" do
   source "mastodon-streaming.systemd.service.erb"
   variables user: mastodon_user,
             app_dir: mastodon_path,
+            bind: bind_ip,
             port: node["kosmos-mastodon"]["streaming_port"]
   notifies :run, "execute[systemctl daemon-reload]", :immediately
   notifies :restart, "service[mastodon-streaming]", :delayed
@@ -215,3 +224,17 @@ application mastodon_path do
     action [:enable, :start]
   end
 end
+
+firewall_rule 'mastodon_app' do
+  port     node['kosmos-mastodon']['app_port']
+  source   "10.1.1.0/24"
+  protocol :tcp
+  command  :allow
+end
+
+firewall_rule 'mastodon_streaming' do
+  port     node['kosmos-mastodon']['streaming_port']
+  source   "10.1.1.0/24"
+  protocol :tcp
+  command  :allow
+end