From d384f691393ce8588230c209c8c70450eef01e8d Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Fri, 20 Nov 2020 23:22:42 +0100
Subject: [PATCH] Configure/deploy new akkounts app
---
 data_bags/credentials/akkounts.json | 17 ++
 .../kosmos-akkounts/attributes/default.rb | 7 +-
 site-cookbooks/kosmos-akkounts/metadata.rb | 17 +-
 .../kosmos-akkounts/recipes/default.rb | 152 +++++++++++-------
 .../kosmos-akkounts/recipes/nginx.rb | 21 +--
 .../kosmos-akkounts/templates/dotenv.erb | 13 --
 .../templates/nginx_conf_akkounts-api.erb | 28 ----
 .../templates/nginx_conf_akkounts.erb | 54 +++++++
 .../templates/nodejs.systemd.service.erb | 15 --
 9 files changed, 191 insertions(+), 133 deletions(-)
 create mode 100644 data_bags/credentials/akkounts.json
 delete mode 100644 site-cookbooks/kosmos-akkounts/templates/dotenv.erb
 delete mode 100644 site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts-api.erb
 create mode 100644 site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
 delete mode 100644 site-cookbooks/kosmos-akkounts/templates/nodejs.systemd.service.erb
diff --git a/data_bags/credentials/akkounts.json b/data_bags/credentials/akkounts.json
new file mode 100644
index 0000000..1c4ab41
--- /dev/null
+++ b/data_bags/credentials/akkounts.json
@@ -0,0 +1,17 @@
+{
+ "id": "akkounts",
+ "postgresql_password": {
+ "encrypted_data": "Vt/jXxrJPbJbEl8Nw9EdVymoId21hdzHxA0zwEfAkA==\n",
+ "iv": "rV3dOjUhPsrdhF59\n",
+ "auth_tag": "GwuMLjf5zqTxLUIKb7ZKjA==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "rails_master_key": {
+ "encrypted_data": "GjtdLy59dThzWYbEUD9Ss4G9vC3tcVgWDWLz3AoUl/jjJfSP2ym7ErjYwJhl\nE+1J2T3+\n",
+ "iv": "7PJXyCr2ozJHsMWZ\n",
+ "auth_tag": "nuW914Rh3Cn+ldGMc1JdGw==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ }
+}
\ No newline at end of file
diff --git a/site-cookbooks/kosmos-akkounts/attributes/default.rb b/site-cookbooks/kosmos-akkounts/attributes/default.rb
index 692c1ee..ad6f4ea 100644
--- a/site-cookbooks/kosmos-akkounts/attributes/default.rb
+++ b/site-cookbooks/kosmos-akkounts/attributes/default.rb
@@ -1,3 +1,4 @@
-node.default['akkounts-api']['revision'] = 'master'
-node.default['akkounts-api']['port'] = 3200
-node.default['akkounts-api']['server_name'] = 'api.accounts.kosmos.org'
+node.default['akkounts']['repo'] = 'https://gitea.kosmos.org/kosmos/akkounts.git'
+node.default['akkounts']['revision'] = 'master'
+node.default['akkounts']['port'] = 3000
+node.default['akkounts']['domain'] = 'accounts.kosmos.org'
diff --git a/site-cookbooks/kosmos-akkounts/metadata.rb b/site-cookbooks/kosmos-akkounts/metadata.rb
index c487b0c..04b9892 100644
--- a/site-cookbooks/kosmos-akkounts/metadata.rb
+++ b/site-cookbooks/kosmos-akkounts/metadata.rb
@@ -2,13 +2,16 @@ name 'kosmos-akkounts'
 maintainer 'Kosmos Developers'
 maintainer_email 'mail@kosmos.org'
 license 'MIT'
-description 'Installs/Configures kosmos-akkounts'
-long_description 'Installs/Configures kosmos-akkounts'
-version '0.1.0'
+description 'Installs/configures kosmos-akkounts'
+long_description 'Installs/configures kosmos-akkounts'
+version '0.2.0'
 chef_version '>= 14.0'
-depends 'application_javascript'
-depends 'application_git'
-depends 'kosmos-nodejs'
-depends 'kosmos-mastodon'
 depends 'kosmos-nginx'
+depends "kosmos-nodejs"
+depends "poise-ruby-build"
+depends "application"
+depends 'application_git'
+depends "postgresql"
+depends "kosmos-postgresql"
+depends "backup"
diff --git a/site-cookbooks/kosmos-akkounts/recipes/default.rb b/site-cookbooks/kosmos-akkounts/recipes/default.rb
index 2c874eb..aa00689 100644
--- a/site-cookbooks/kosmos-akkounts/recipes/default.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/default.rb
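Review bot: The new `depends` lines in metadata.rb mix double quotes (`depends "kosmos-nodejs"`, `depends "poise-ruby-build"`, …) with the single quotes every other line of the file uses (`depends 'kosmos-nginx'`, `depends 'application_git'`); pick one form, e.g. `depends 'poise-ruby-build'`, so the list reads uniformly. Separately, `postgresql`, `kosmos-postgresql` and `backup` are declared here but nothing in the recipes on this page includes or references them, so presumably another recipe in the cookbook consumes them; a one-line comment beside those three naming that recipe would spare the next reader a search.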
@@ -3,8 +3,7 @@
 # Recipe:: default
 #
 # The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
+# Copyright:: 2020, Kosmos Developers
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -23,12 +22,11 @@
 # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 # THE SOFTWARE.
-
-include_recipe 'kosmos-nodejs'
-
-app_name = "akkounts-api"
+#
+app_name = "akkounts"
 deploy_user = "deploy"
 deploy_group = "deploy"
+deploy_path = "/opt/#{app_name}"
 credentials = Chef::EncryptedDataBagItem.load('credentials', app_name)
 group deploy_group
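Review bot: The license block in the second hunk now ends in a bare `+#` line that is immediately followed by `app_name = "akkounts"`, so the header comment runs straight into the first statement where the old version separated them with a blank line; replace that `#` with an empty line (or keep it and add one after) so the header stays visually distinct from code. Beyond the rename to `akkounts` and the new `deploy_path` variable this hunk changes nothing else, and the moved `include_recipe 'kosmos-nodejs'` reappears in the next hunk.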
@@ -37,75 +35,115 @@ user deploy_user do
 group deploy_group
 manage_home true
 shell "/bin/bash"
- comment "deploy user"
 end
-path_to_deploy = "/opt/#{app_name}"
-application path_to_deploy do
+package "libpq-dev"
+
+include_recipe 'kosmos-nodejs'
+
+npm_package "yarn" do
+ version "1.22.4"
+end
+
+ruby_version = "2.6.6"
+bundle_path = "/opt/ruby_build/builds/#{ruby_version}/bin/bundle"
+rails_env = node.chef_environment == "development" ? "development" : "production"
+
+execute "systemctl daemon-reload" do
+ command "systemctl daemon-reload"
+ action :nothing
+end
+
+systemd_unit "akkounts.service" do
+ content({
+ Unit: {
+ Description: "Kosmos account management",
+ Documentation: ["https://gitea.kosmos.org/kosmos/akkounts"],
+ After: "network.target"
+ },
+ Service: {
+ Type: "simple",
+ User: deploy_user,
+ WorkingDirectory: deploy_path,
+ Environment: "RAILS_ENV=#{rails_env}",
+ ExecStart: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid",
+ ExecStop: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid stop",
+ ExecReload: "#{bundle_path} exec pumactl -F config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid phased-restart",
+ PIDFile: "#{deploy_path}/tmp/puma.pid",
+ TimeoutSec: "10",
+ Restart: "always",
+ },
+ Install: {
+ WantedBy: "multi-user.target"
+ }
+ })
+ verify false
+ triggers_reload true
+ action [:create, :enable]
+end
+
+application deploy_path do
 owner deploy_user
 group deploy_group
 # Take care of application restarts manually, in the git resource
 action_on_update false
+ environment "HOME" => deploy_path,
+ "PATH" => "/opt/ruby_build/builds/#{ruby_version}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"
+
+ ruby_runtime ruby_version do
+ provider :ruby_build
+ version ruby_version
+ end
+
 git do
- user deploy_user
- group deploy_group
- repository "https://github.com/67P/#{app_name}.git"
- revision node[app_name]['revision']
- # Restart service on deployments
- notifies :restart, "application[#{path_to_deploy}]", :delayed
- end
-
- npm_install do
 user deploy_user
+ group deploy_group
+ repository node[app_name]["repo"]
+ revision node[app_name]["revision"]
+ # Restart services on deployments
+ notifies :restart, "application[#{deploy_path}]", :delayed
 end
- execute "systemctl daemon-reload" do
- command "systemctl daemon-reload"
- action :nothing
- end
-
- smtp_credentials = Chef::EncryptedDataBagItem.load('credentials', 'smtp')
-
- template "#{path_to_deploy}/.env" do
- source "dotenv.erb"
- sensitive true
+ file "#{deploy_path}/config/master.key" do
+ content credentials['rails_master_key']
+ mode '0400'
 owner deploy_user
 group deploy_group
- variables btcpay_url: "https://btcpay.kosmos.org",
- btcpay_privkey: credentials["btcpay_privkey"],
- btcpay_merchant: credentials["btcpay_merchant"],
- btcpay_store_id: credentials["btcpay_store_id"],
- btcpay_webhook_host: "https://#{node[app_name]["server_name"]}",
- btcpay_webhook_token: credentials["btcpay_webhook_token"],
- smtp_host: "smtp.mailgun.org",
- smtp_use_tls: true,
- smtp_username: smtp_credentials['user_name'],
- smtp_password: smtp_credentials['password'],
- mastodon_host: "https://#{node["kosmos-mastodon"]["server_name"]}",
- mastodon_auth_token: credentials["mastodon_auth_token"]
- mode '0440'
- # Restart service when the config changes
- notifies :restart, "application[#{path_to_deploy}]", :delayed
 end
- template "/lib/systemd/system/#{app_name}.service" do
- source 'nodejs.systemd.service.erb'
- owner 'root'
- group 'root'
- mode '0640'
- variables(
- user: deploy_user,
- group: deploy_group,
- app_dir: path_to_deploy,
- entry: "/usr/bin/env node release/index.js"
- )
- notifies :run, "execute[systemctl daemon-reload]", :delayed
- notifies :restart, "service[#{app_name}]", :delayed
+ execute "bundle install" do
+ environment "HOME" => deploy_path
+ user deploy_user
+ cwd deploy_path
+ command "/opt/ruby_build/builds/#{ruby_version}/bin/bundle install --without development,test --deployment"
 end
- service app_name do
+ execute "yarn install" do
+ environment "HOME" => deploy_path, "NODE_ENV" => "production"
+ user deploy_user
+ cwd deploy_path
+ command "yarn install --pure-lockfile"
+ end
+
+ execute 'rake db:migrate' do
+ environment "RAILS_ENV" => rails_env, "HOME" => deploy_path
+ user deploy_user
+ group deploy_group
+ cwd deploy_path
+ command "PATH=\"/opt/ruby_build/builds/#{ruby_version}/bin:$PATH\" bundle exec rake db:migrate"
+ end
+
+ execute 'rake assets:precompile' do
+ environment "RAILS_ENV" => rails_env, "HOME" => deploy_path
+ user deploy_user
+ group deploy_group
+ cwd deploy_path
+ command "PATH=\"/opt/ruby_build/builds/#{ruby_version}/bin:$PATH\" bundle exec rake assets:precompile"
+ end
+
+ service "akkounts" do
 action [:enable, :start]
 end
 end
diff --git a/site-cookbooks/kosmos-akkounts/recipes/nginx.rb b/site-cookbooks/kosmos-akkounts/recipes/nginx.rb
index 9a2b6a4..e9afb74 100644
--- a/site-cookbooks/kosmos-akkounts/recipes/nginx.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/nginx.rb
@@ -4,7 +4,7 @@
 #
 # The MIT License (MIT)
 #
-# Copyright:: 2019, Kosmos Developers
+# Copyright:: 2020, Kosmos Developers
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy
 # of this software and associated documentation files (the "Software"), to deal
@@ -25,22 +25,23 @@
 # THE SOFTWARE.
 include_recipe "kosmos-nginx"
-app_name = "akkounts-api"
-server_name = node[app_name]["server_name"]
+app_name = "akkounts"
+domain = node[app_name]["domain"]
-template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
+template "#{node['nginx']['dir']}/sites-available/#{domain}" do
 source "nginx_conf_#{app_name}.erb"
 owner 'www-data'
 mode 0640
- variables port: node[app_name]['port'],
- server_name: server_name,
- ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
- ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
+ variables port: node[app_name]['port'],
+ domain: domain,
+ root_dir: "/opt/#{app_name}/public",
+ ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
 notifies :reload, 'service[nginx]', :delayed
 end
-nginx_site server_name do
+nginx_site domain do
 action :enable
 end
-nginx_certbot_site server_name
+nginx_certbot_site domain
diff --git a/site-cookbooks/kosmos-akkounts/templates/dotenv.erb b/site-cookbooks/kosmos-akkounts/templates/dotenv.erb
deleted file mode 100644
index 15ae3b2..0000000
--- a/site-cookbooks/kosmos-akkounts/templates/dotenv.erb
+++ /dev/null
@@ -1,13 +0,0 @@
-BTCPAY_URL=<%= @btcpay_url %>
-BTCPAY_PRIVKEY=<%= @btcpay_privkey %>
-BTCPAY_MERCHANT=<%= @btcpay_merchant %>
-BTCPAY_STORE_ID=<%= @btcpay_store_id %>
-BTCPAY_WEBHOOK_HOST=<%= @btcpay_webhook_host %>
-BTCPAY_WEBHOOK_TOKEN=<%= @btcpay_webhook_token %>
-SMTP_HOST=<%= @smtp_host %>
-SMTP_USE_TLS=true
-SMTP_USERNAME=<%= @smtp_username %>
-SMTP_PASSWORD=<%= @smtp_password %>
-MASTODON_HOST=<%= @mastodon_host %>
-MASTODON_AUTH_TOKEN=<%= @mastodon_auth_token %>
-PORT=<%= node['akkounts-api']['port'] %>
diff --git a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts-api.erb b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts-api.erb
deleted file mode 100644
index 58b7eeb..0000000
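Review bot: `root_dir: "/opt/#{app_name}/public"` re-derives the deployment directory that recipes/default.rb computes separately as `deploy_path = "/opt/#{app_name}"`; if that path ever moves, nginx will keep serving assets from the old tree with no error. Put the path in an attribute next to `repo`, `port` and `domain` in attributes/default.rb (a new key, say `node[app_name]['path']`) and read it from both recipes, e.g. `root_dir: "#{node[app_name]['path']}/public"`. Likewise `port: node[app_name]['port']` now feeds `upstream _akkounts`, but nothing in this commit hands that port to puma, so the attribute only records what nginx expects; a comment on that line saying so would stop the next reader assuming it configures the app.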
--- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts-api.erb
+++ /dev/null
@@ -1,28 +0,0 @@
-# Generated by Chef
-<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
-upstream _akkounts {
- server localhost:<%= @port %>;
-}
-
-server {
- listen 443 ssl http2;
- add_header Strict-Transport-Security "max-age=15768000";
-
- ssl_certificate <%= @ssl_cert %>;
- ssl_certificate_key <%= @ssl_key %>;
-
- server_name <%= @server_name %>;
-
- access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json;
- error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn;
-
- location / {
- # Increase number of buffers. Default is 8
- proxy_buffers 1024 8k;
-
- proxy_pass http://_akkounts;
- proxy_http_version 1.1;
- }
-
-}
-<% end -%>
diff --git a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
new file mode 100644
index 0000000..d3f9c96
--- /dev/null
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
@@ -0,0 +1,54 @@
+# Generated by Chef
+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+upstream _akkounts {
+ server localhost:<%= @port %>;
+}
+
+server {
+ listen 443 ssl http2;
+ add_header Strict-Transport-Security "max-age=15768000";
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+
+ server_name <%= @domain %>;
+
+ access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
+ error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
+
+ root <%= @root_dir %>;
+
+ location ~ ^/(assets|packs|images|javascripts|stylesheets|swfs|system)/ {
+ access_log off;
+ gzip_static on;
+ expires max;
+ add_header Cache-Control public;
+ }
+
+ try_files $uri/index.html $uri @app;
+
+ location @app {
+ # an HTTP header important enough to have its own Wikipedia entry:
+ # http://en.wikipedia.org/wiki/X-Forwarded-For
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ # enable this if and only if you use HTTPS, this helps Rack
+ # set the proper protocol for doing redirects:
+ proxy_set_header X-Forwarded-Proto https;
+
+ # pass the Host: header from the client right along so redirects
+ # can be set properly within the Rack application
+ proxy_set_header Host $http_host;
+
+ # we don't want nginx trying to do something clever with
+ # redirects, we set the Host: header above already.
+ proxy_redirect off;
+
+ # Increase number of buffers. Default is 8
+ proxy_buffers 1024 8k;
+
+ proxy_pass http://_akkounts;
+ proxy_http_version 1.1;
+ }
+}
+<% end -%>
diff --git a/site-cookbooks/kosmos-akkounts/templates/nodejs.systemd.service.erb b/site-cookbooks/kosmos-akkounts/templates/nodejs.systemd.service.erb
deleted file mode 100644
index 76a74e8..0000000
--- a/site-cookbooks/kosmos-akkounts/templates/nodejs.systemd.service.erb
+++ /dev/null
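Review bot: Responses served from the static-asset `location ~ ^/(assets|packs|images|javascripts|stylesheets|swfs|system)/` block will not carry the `Strict-Transport-Security` header set at server level, because nginx does not inherit `add_header` into a block that declares its own `add_header` (here `add_header Cache-Control public;`); repeat `add_header Strict-Transport-Security "max-age=15768000";` inside that location so HSTS covers every response from this vhost. The same inheritance rule applies to any `add_header` added to `location @app` later, so a one-line comment above the server-level HSTS line noting it is worth having. The `proxy_set_header X-Forwarded-Proto https;` hard-code is fine here because the only `listen` is `443 ssl http2`; the surrounding "enable this if and only if you use HTTPS" comment is copied from the stock puma example and could be trimmed to avoid suggesting it is optional.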
@@ -1,15 +0,0 @@
-[Unit]
-Description=Start nodejs app
-
-[Service]
-ExecStart=<%= @entry %>
-WorkingDirectory=<%= @app_dir %>
-User=<%= @user %>
-Group=<%= @group %>
-<% if @environment -%>
-Environment=<% @environment.each do |key, value| -%>'<%= key %>=<%= value %>' <% end %>
-<% end -%>
-Restart=always
-
-[Install]
-WantedBy=multi-user.target