Deploy substr

2024-10-23 15:53:07 +02:00 · 2024-10-23 15:53:07 +02:00 · d35e57b90e
commit d35e57b90e
parent c8160e38c8
6 changed files with 134 additions and 1 deletions
--- a/environments/production.json
+++ b/environments/production.json
@ -109,7 +109,9 @@
      "policy_path": "/opt/strfry/strfry-policy.ts",
      "known_pubkeys": {
        "_": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
-        "accounts": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
+        "accounts": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
+        "bitcoincore": "47750177bb6bb113784e4973f6b2e3dd27ef1eff227d6e38d0046d618969e41a",
+        "fiatjaf": "3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d"
      },
      "info": {
        "name": "Kosmos Relay",
@ -118,6 +120,11 @@
        "contact": "ops@kosmos.org",
        "icon": "https://assets.kosmos.org/img/app-icon-256px.png"
      }
+    },
+    "substr": {
+      "relay_urls": [
+        "ws://localhost:7777"
+      ]
    }
  }
 }
--- a/nodes/strfry-1.json
+++ b/nodes/strfry-1.json
@ -27,6 +27,7 @@
      "strfry::default",
      "kosmos_strfry::policies",
      "kosmos_strfry::firewall",
+      "kosmos_strfry::substr",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
--- a/roles/strfry.rb
+++ b/roles/strfry.rb
@ -5,4 +5,5 @@ run_list %w(
  strfry::default
  kosmos_strfry::policies
  kosmos_strfry::firewall
+  kosmos_strfry::substr
 )
--- a/site-cookbooks/kosmos_strfry/attributes/default.rb
+++ b/site-cookbooks/kosmos_strfry/attributes/default.rb
@ -1,2 +1,10 @@
 node.default["strfry"]["ldap_search_dn"] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
 node.default["strfry"]["extras_dir"] = "/opt/strfry"
+
+# node.default["substr"]["repo"] = "https://gitea.kosmos.org/kosmos/substr.git"
+# node.default["substr"]["revision"] = "master"
+node.default["substr"]["version"] = "nightly"
+node.default["substr"]["download_url"] = "https://gitea.kosmos.org/api/packages/kosmos/generic/substr/#{node["substr"]["version"]}/substr_x86_64-unknown-linux-gnu"
+node.default["substr"]["workdir"] = "/opt/substr"
+node.default["substr"]["port"] = 30023
+node.default["substr"]["relay_urls"] = ["ws://localhost:7777"]
--- a/site-cookbooks/kosmos_strfry/recipes/substr.rb
+++ b/site-cookbooks/kosmos_strfry/recipes/substr.rb
@ -0,0 +1,100 @@
+#
+# Cookbook:: kosmos_strfry
+# Recipe:: substr
+#
+
+unless platform?("ubuntu")
+  raise "This recipe only supports Ubuntu installs at the moment"
+end
+
+apt_package "imagemagick"
+
+directory node["substr"]["workdir"] do
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  mode "0755"
+end
+
+if node["substr"]["download_url"]
+  remote_file '/usr/local/bin/substr' do
+    source node["substr"]["download_url"]
+    checksum node["substr"]["checksum"]
+    mode '0755'
+    show_progress true
+    notifies :restart, "service[substr]", :delayed
+  end
+
+  exec_start = "/usr/local/bin/substr"
+else
+  # TODO Install Deno 2
+
+  git node["substr"]["workdir"] do
+    user node["strfry"]["user"]
+    group node["strfry"]["group"]
+    repository node['substr']['repo']
+    revision node['substr']['revision']
+    action :sync
+    notifies :restart, "service[substr]", :delayed
+  end
+
+  exec_start = "deno task server"
+end
+
+file "#{node["substr"]["workdir"]}/users.yaml" do
+  mode "0644"
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  content node["strfry"]["known_pubkeys"].to_yaml
+  notifies :restart, "service[substr]", :delayed
+end
+
+ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv')
+
+env = {
+  port: node['substr']['port'],
+  base_url: "https://#{node["strfry"]["domain"]}",
+  relay_urls: node['substr']['relay_urls'].join(","),
+  ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role
+  ldap_bind_dn: ldap_credentials["service_dn"],
+  ldap_password: ldap_credentials["service_password"],
+  ldap_search_dn: node["strfry"]["ldap_search_dn"],
+}
+
+template "#{node["substr"]["workdir"]}/.env" do
+  source 'env.erb'
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  mode 0600
+  sensitive true
+  variables config: env
+  notifies :restart, "service[substr]", :delayed
+end
+
+systemd_unit "substr.service" do
+  content({
+    Unit: {
+      Description: "substr for nostr",
+      Documentation: ["https://gitea.kosmos.org/kosmos/substr"],
+    },
+    Service: {
+      Type: "simple",
+      User: node["strfry"]["user"],
+      WorkingDirectory: node["substr"]["workdir"],
+      ExecStart: exec_start,
+      Restart: "on-failure",
+      RestartSec: "5",
+      ProtectHome: "no",
+      NoNewPrivileges: "yes",
+      ProtectSystem: "full"
+    },
+    Install: {
+      WantedBy: "multi-user.target"
+    }
+  })
+  triggers_reload true
+  action :create
+end
+
+service "substr" do
+  action [:enable, :start]
+end
--- a/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb
+++ b/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb
@ -4,6 +4,12 @@ upstream _strfry {
 <% end %>
 }

+upstream _substr {
+<% @upstream_hosts.each do |host| %>
+  server <%= host %>:30023;
+<% end %>
+}
+
 server {
  server_name <%= @domain %>;
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
@ -15,6 +21,16 @@ server {
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;

+  location = /favicon.ico {
+    alias /var/www/assets.kosmos.org/site/img/favicon.ico;
+  }
+
+  location ~* ^/[@~n]|^/assets {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_pass http://_substr;
+  }
+
  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;