From 7a52f2bd8976a5d632132e7561b1ca0745564a2a Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Tue, 24 May 2022 13:08:41 +0200 Subject: [PATCH 1/3] Allow BTCPay API access over private network --- site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb b/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb index 42cf3c6..648414d 100644 --- a/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb +++ b/site-cookbooks/kosmos-bitcoin/recipes/btcpay.rb @@ -97,13 +97,23 @@ systemd_unit 'btcpayserver.service' do action [:create, :enable, :start] end +firewall_rule "BTCPay API private access" do + command :allow + port 23001 + protocol :tcp + source "10.1.1.0/24" +end + # # HTTPS Reverse Proxy +# TODO move to separate recipe, nginx proxy role # include_recipe "kosmos-nginx" server_name = node["btcpay"]["domain"] +nginx_certbot_site server_name + template "#{node["nginx"]["dir"]}/sites-available/#{server_name}" do source "nginx_conf_btcpayserver.erb" owner node["nginx"]["user"] @@ -118,5 +128,3 @@ end nginx_site server_name do action :enable end - -nginx_certbot_site server_name From 92d1bcd8c786344d21e0fdca7157122274de5b96 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Tue, 24 May 2022 15:03:51 +0200 Subject: [PATCH 2/3] Add nginx proxy for akkounts/kredits API closes #410 --- nodes/fornax.kosmos.org.json | 14 ++++---- roles/nginx_proxy.rb | 1 + .../kosmos-akkounts/attributes/default.rb | 4 ++- .../kosmos-akkounts/recipes/default.rb | 8 +++++ .../kosmos-akkounts/recipes/nginx.rb | 25 ++------------ .../kosmos-akkounts/recipes/nginx_api.rb | 30 +++++++++++++++++ .../templates/nginx_conf_akkounts_api.erb | 33 +++++++++++++++++++ 7 files changed, 84 insertions(+), 31 deletions(-) create mode 100644 site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb create mode 100644 site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb 
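Review bot: The new firewall rule hard-codes `port 23001` while the BTCPay settings template in this series takes the listening port from `@btcpay_port`, so the two can silently drift if that attribute is ever changed; if the port is exposed as a node attribute (as the template variable suggests), the rule should read it, e.g. `port node["btcpay"]["port"]` (attribute name to be confirmed). The source CIDR `"10.1.1.0/24"` is also repeated verbatim in the akkounts recipe hunk of patch 2 (`firewall_rule "Akkounts private access"`), so a single shared attribute for the private network would keep both allow-lists in sync. Note that `command :allow` only constrains exposure if the firewall's default inbound policy is deny, which is not visible in this diff and is worth confirming, since patch 3 switches BTCPay to `bind=0.0.0.0` on the strength of this rule.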
diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json index f8bb746..7d475f0 100644 --- a/nodes/fornax.kosmos.org.json +++ b/nodes/fornax.kosmos.org.json @@ -25,6 +25,7 @@ "kosmos_website", "kosmos_website::default", "kosmos-ejabberd::nginx", + "kosmos-akkounts::nginx_api", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -57,14 +58,13 @@ "platform_version": "20.04", "cloud": null, "chef_packages": { - "chef": { - "version": "17.5.22", - "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.5.22/lib", - "chef_effortless": null - }, "ohai": { - "version": "17.5.2", - "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.5.2/lib/ohai" + "version": "15.12.0", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai" + }, + "chef": { + "version": "15.14.0", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.14.0/lib" } } }, diff --git a/roles/nginx_proxy.rb b/roles/nginx_proxy.rb index 0bed71a..7e44df5 100644 --- a/roles/nginx_proxy.rb +++ b/roles/nginx_proxy.rb @@ -7,6 +7,7 @@ default_run_list = %w( kosmos_gitea::nginx kosmos_website::default kosmos-ejabberd::nginx + kosmos-akkounts::nginx_api ) env_run_lists( diff --git a/site-cookbooks/kosmos-akkounts/attributes/default.rb b/site-cookbooks/kosmos-akkounts/attributes/default.rb index ad6f4ea..e8795bf 100644 --- a/site-cookbooks/kosmos-akkounts/attributes/default.rb +++ b/site-cookbooks/kosmos-akkounts/attributes/default.rb @@ -1,4 +1,6 @@ node.default['akkounts']['repo'] = 'https://gitea.kosmos.org/kosmos/akkounts.git' -node.default['akkounts']['revision'] = 'master' +node.default['akkounts']['revision'] = 'feature/community_funds_balance' node.default['akkounts']['port'] = 3000 node.default['akkounts']['domain'] = 'accounts.kosmos.org' + +node.default['akkounts_api']['domain'] = 'api.kosmos.org' 
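Review bot: `node.default['akkounts']['revision']` is switched to the branch `feature/community_funds_balance`, so every converge deploys whatever that branch head currently is rather than a reviewed, immutable ref; a tag or commit SHA would make the deployed code reproducible and auditable, and the same applies to `master`, which is equally mutable. If the branch is meant to be temporary, a comment such as `# temporary: move back to a pinned ref once community_funds_balance is merged` next to the assignment would make the intent explicit.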
diff --git a/site-cookbooks/kosmos-akkounts/recipes/default.rb b/site-cookbooks/kosmos-akkounts/recipes/default.rb index 2173628..9b2d290 100644 --- a/site-cookbooks/kosmos-akkounts/recipes/default.rb +++ b/site-cookbooks/kosmos-akkounts/recipes/default.rb @@ -175,4 +175,12 @@ rescue IPAddr::InvalidAddressError next end +# TODO move to nginx proxy include_recipe 'kosmos-akkounts::nginx' + +firewall_rule "Akkounts private access" do + command :allow + port node["akkounts"]["port"] + protocol :tcp + source "10.1.1.0/24" +end diff --git a/site-cookbooks/kosmos-akkounts/recipes/nginx.rb b/site-cookbooks/kosmos-akkounts/recipes/nginx.rb index e9afb74..025cd9b 100644 --- a/site-cookbooks/kosmos-akkounts/recipes/nginx.rb +++ b/site-cookbooks/kosmos-akkounts/recipes/nginx.rb 
@@ -2,32 +2,13 @@ # Cookbook Name:: kosmos-akkounts # Recipe:: nginx # -# The MIT License (MIT) -# -# Copyright:: 2020, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. include_recipe "kosmos-nginx" app_name = "akkounts" domain = node[app_name]["domain"] +nginx_certbot_site domain + template "#{node['nginx']['dir']}/sites-available/#{domain}" do source "nginx_conf_#{app_name}.erb" owner 'www-data' @@ -43,5 +24,3 @@ end nginx_site domain do action :enable end - -nginx_certbot_site domain diff --git a/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb b/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb new file mode 100644 index 0000000..b02518d --- /dev/null +++ b/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb 
@@ -0,0 +1,30 @@ +# +# Cookbook Name:: kosmos-akkounts +# Recipe:: nginx_api +# + +include_recipe "kosmos-nginx" +domain = node["akkounts_api"]["domain"] + +nginx_certbot_site domain + +upstream_hosts = [] +search(:node, "role:akkounts").each do |node| + upstream_hosts << node["knife_zero"]["host"] +end + +template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do + source "nginx_conf_akkounts_api.erb" + owner "www-data" + mode 0640 + variables domain: domain, + upstream_port: node["akkounts"]["port"], + upstream_hosts: upstream_hosts, + ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem" + notifies :reload, "service[nginx]", :delayed +end + +nginx_site domain do + action :enable +end diff --git a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb new file mode 100644 index 0000000..1d237e9 --- /dev/null +++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb 
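Review bot: `upstream_hosts` is left empty when `search(:node, "role:akkounts")` returns nothing (first converge, stale search index, renamed role), and the template then renders an `upstream _akkounts {}` block with no `server` entries, which nginx rejects at config test, so the `:reload` notification fails at the end of the run instead of at the point of the mistake. Failing early is clearer: `upstream_hosts = search(:node, "role:akkounts").map { |n| n["knife_zero"]["host"] }` followed by `raise "No nodes with role:akkounts found for #{domain} upstream" if upstream_hosts.empty?`. Naming the block parameter `n` also avoids shadowing the recipe's `node`, which the loop body currently reads through the shadowed name and is easy to misread. `mode 0640` would be clearer as the string form `mode "0640"`, matching the documented convention for Chef file modes.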
@@ -0,0 +1,33 @@ +# Generated by Chef +upstream _akkounts { +<% @upstream_hosts.each do |host| %> + server <%= host %>:<%= @upstream_port %>; +<% end %> +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name <%= @domain %>; + + ssl_certificate <%= @ssl_cert %>; + ssl_certificate_key <%= @ssl_key %>; + + add_header 'Strict-Transport-Security' 'max-age=31536000'; + + location /kredits/ { + add_header 'Access-Control-Allow-Origin' '*' always; + add_header 'Access-Control-Allow-Methods' 'GET' always; + add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always; + add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always; + + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header Host $http_host; + proxy_ssl_server_name on; + proxy_buffers 1024 8k; + proxy_http_version 1.1; + + proxy_pass http://_akkounts/api/kredits/; + } +} From a93c5e5af6ec5ca786943999e1dd1f0154396a2e Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Tue, 24 May 2022 15:10:24 +0200 Subject: [PATCH 3/3] Allow external HTTP requests to BTCPay Limited to private network via firewall rule. --- site-cookbooks/kosmos-akkounts/attributes/default.rb | 2 +- .../kosmos-bitcoin/templates/btcpay-settings.config.erb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/site-cookbooks/kosmos-akkounts/attributes/default.rb b/site-cookbooks/kosmos-akkounts/attributes/default.rb index e8795bf..4386c90 100644 --- a/site-cookbooks/kosmos-akkounts/attributes/default.rb +++ b/site-cookbooks/kosmos-akkounts/attributes/default.rb 
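Review bot: The `Strict-Transport-Security` header set at `server` level is not sent for responses from `location /kredits/`, because nginx only inherits `add_header` directives into a level that defines none of its own, and this location adds four CORS headers; the HSTS header should be repeated inside the location, `add_header 'Strict-Transport-Security' 'max-age=31536000' always;`. `proxy_ssl_server_name on` has no effect here because `proxy_pass` uses `http://`, so it should be dropped, or the upstream switched to TLS if that was the intent; as written, requests travel in plaintext between the proxy and the akkounts hosts, which is acceptable only if the private network is trusted. The `Access-Control-Allow-Headers` list names request headers a GET-only, credential-less endpoint has no reason to accept; trimming it is optional but reduces surprise.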
@@ -1,5 +1,5 @@ node.default['akkounts']['repo'] = 'https://gitea.kosmos.org/kosmos/akkounts.git' -node.default['akkounts']['revision'] = 'feature/community_funds_balance' +node.default['akkounts']['revision'] = 'master' node.default['akkounts']['port'] = 3000 node.default['akkounts']['domain'] = 'accounts.kosmos.org' diff --git a/site-cookbooks/kosmos-bitcoin/templates/btcpay-settings.config.erb b/site-cookbooks/kosmos-bitcoin/templates/btcpay-settings.config.erb index 8bdbf55..b581e73 100644 --- a/site-cookbooks/kosmos-bitcoin/templates/btcpay-settings.config.erb +++ b/site-cookbooks/kosmos-bitcoin/templates/btcpay-settings.config.erb @@ -1,6 +1,6 @@ network=<%= @bitcoin_network %> port=<%= @btcpay_port %> -bind=127.0.0.1 +bind=0.0.0.0 chains=btc postgres=User ID=<%= @postgres_user %>;Password=<%= @postgres_password %>;Host=<%= @postgres_host %>;Port=<%= @postgres_port %>;Database=<%= @postgres_database %>; debuglog=<%= @btcpay_log_path %>
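Review bot: `bind=0.0.0.0` makes the BTCPay API listen on every IPv4 interface, including any public one, so its reachability now rests entirely on the host firewall's default-deny policy plus the `firewall_rule` added in patch 1 of this series; a more defensive setting is to bind only to the private-network address, e.g. `bind=<%= @private_ip %>` with the address passed in as a template variable (variable name constructed here), so that a firewall misconfiguration does not expose the service. If binding to all interfaces is kept, the commit message's assumption that the firewall limits access should be checked against the firewall cookbook's default policy, which is not visible in this diff.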