Merge pull request 'Set up Sentry' (#478) from feature/sentry into master

Reviewed-on: #478

clients/sentry-1.json

@@ -0,0 +1,4 @@
+{
+  "name": "sentry-1",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtZFwP58ym+92YFa0adU3\nVGEJW13NkfaHChx+akB3IioSPKyJ9eOXEI8pOmU3QyqOUKSbqth78DY84hobXlqs\n4O0A7TV029uepcj5zPN047gDsV1TJ6Dakma5eH+Pe5kP/TigCEOF0Cgo+fqtEBEJ\nT/rhSs3zHD1EfBnZdyj/7YyeDv1XLWI8dXoizDUAoBSCDeJ5d7fG56zmFYLV05Ex\nMrjJuHitEmeJXTZABKstRbEd+3Rld+gfJZ/jI4djEW2j1EKAYMT1SxoXdjKlCrpQ\nGux2RSe+Gspt1hyp/flU5gHGO+qLDNSU9tZInClToyFMVBfoW8kWg28Gm2kGkIvr\npQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

data_bags/credentials/akkounts.json

@@ -1,23 +1,30 @@
 {
   "id": "akkounts",
   "postgresql_username": {
-    "encrypted_data": "Mw+E6dXUYIRQgMzfxij9cFT9XFauVn9VUT9p\n",
+    "encrypted_data": "drHBdPcrH3BqlsVfWP/vL5Thok8Uub6JhjuU\n",
-    "iv": "c2b2zKGTf1S3laui\n",
+    "iv": "n+08nhiHoK4jRVwd\n",
-    "auth_tag": "3ytXQSpxNYXGEeDOTq5g7g==\n",
+    "auth_tag": "elB4rx8k+jj34iQepECQNA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "postgresql_password": {
-    "encrypted_data": "UCwTT6i0ORWiVRn5gbjWMOuikAIb7gAwL8g0TFhIvg==\n",
+    "encrypted_data": "Hu8yjpvf3/KY/K3gcbRbEce3OkjSrN91m2lCcePT+A==\n",
-    "iv": "xL6W4GqhxAf7FxmK\n",
+    "iv": "+GFS35dpYy4zD2pi\n",
-    "auth_tag": "EFE3C0PBAuusn/SqTAdyYA==\n",
+    "auth_tag": "jCJQMskBFo9TSr8Uq7BWkw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "sentry_dsn": {
+    "encrypted_data": "KG8apiKfWa4gWwiz8tFLZywpp7gMp3hLDCREeR/RA6+i6Of7qYRx0YRzYdpE\n8gdaO0EOQZ4PXzVBsiIQy4ijHRt8udo2PNzzZP6h91jdAjw=\n",
+    "iv": "KWU6LeHdE3iwPyBU\n",
+    "auth_tag": "7pQO/t8pXiwrlb5xAas+Zg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "rails_master_key": {
-    "encrypted_data": "QZD0AJIcq3iqrFAHN9DHxfctCXAMRQjuTSI9QgmaIUXgCz4+3LawI6eYGvr9\nV2nyDGJa\n",
+    "encrypted_data": "E4OVlsZgm9wupyi9Xs7iEy11wJrCXL0Qrm9akulW7vmdrEfnI8KC6x1UooM+\nEI1fYmLs\n",
-    "iv": "4hw1Dk+NsQ8wF7Og\n",
+    "iv": "YFRMYT8D+bF+iu5+\n",
-    "auth_tag": "uoVSykmRQImRld1Ln0bg2g==\n",
+    "auth_tag": "wT7rorNWEKGNR7xQLTe/xg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

data_bags/credentials/lndhub-go.json

@@ -1,23 +1,30 @@
 {
   "id": "lndhub-go",
   "jwt_secret": {
-    "encrypted_data": "cFost8pLsoJ/8Gp5m/TgN8xjMkvk0oZuEZ3XfxDIaYjOVYi3fEX8\n",
+    "encrypted_data": "3T4JYnoISKXCnatCBeLCXyE8wVjzphw5/JU5A0vHfQ2xSDZreIRQ\n",
-    "iv": "47gV4v/D+10B6xqu\n",
+    "iv": "bGQZjCk6FtD/hqVj\n",
-    "auth_tag": "MKEyVFfJ3f5pxWRSyMH4Rw==\n",
+    "auth_tag": "CS87+UK1ZIFMiNcNaoyO6w==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "postgresql_password": {
-    "encrypted_data": "YSMEIWdZn08lyrZeJNAUZ5xwKhWHESa1A5MojKJ/5iiE\n",
+    "encrypted_data": "u8kf/6WdSTzyIz2kF+24JgOPLndWH2WmTFZ3CToJsnay\n",
-    "iv": "0mlURPOohnKbG+i8\n",
+    "iv": "KqLtV2UuaAzJx7C8\n",
-    "auth_tag": "bqIOqFEEIxA99wlvpTqxFA==\n",
+    "auth_tag": "3aqx45+epb2NFkNfOfG89A==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "admin_token": {
-    "encrypted_data": "Jv2vQySZT9qn87g24IOYK1dpfSbZoUE/8VtZhzljQGIL\n",
+    "encrypted_data": "Z737fXqRE9JHfunRhc2GG281dFFN1bvBvTzTDzl/Vb8O\n",
-    "iv": "kjtrzmjTFKQq+nTV\n",
+    "iv": "oKLQJbD67tiz2235\n",
-    "auth_tag": "3YbOzU/ndVARbHTU1hoa9g==\n",
+    "auth_tag": "SlVIqC9d9SRoO78M7cBjTw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "sentry_dsn": {
+    "encrypted_data": "gmDHGDWkTIvaXjcWMs1dnKnbqtsADPJ2mLmWw8Idj6RVevU5CabjvviAxEo1\n3hs2LWuObumRSCQt2QKap191uMq3CL2+da53hbsv+JUkxl4=\n",
+    "iv": "Yt0fSsxL4SNicwUY\n",
+    "auth_tag": "j7BWbcNnymHHMNTADWmCNw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

environments/production.json

@@ -36,6 +36,9 @@
       "alternate_domains": [
         "mastodon.w7nooprauv6yrnhzh2ajpcnj3doinked2aaztlwfyt6u6pva2qdxqhid.onion"
       ]
+    },
+    "sentry": {
+      "allowed_ips": "10.1.1.0/24"
     }
   }
 }

nodes/akkounts-1.json

@@ -16,6 +16,7 @@
       "base",
       "kvm_guest",
       "ldap_client",
+      "sentry_client",
       "akkounts",
       "postgresql_client"
     ],
@@ -24,6 +25,7 @@
       "kosmos-base::default",
       "kosmos_kvm::guest",
       "kosmos-dirsrv::hostsfile",
+      "kosmos_sentry::client",
       "kosmos_postgresql::hostsfile",
       "kosmos-akkounts",
       "kosmos-akkounts::default",
@@ -74,6 +76,7 @@
     "role[base]",
     "role[kvm_guest]",
     "role[ldap_client]",
+    "role[sentry_client]",
     "role[akkounts]"
   ]
 }

nodes/bitcoin-2.json

@@ -14,6 +14,7 @@
     "roles": [
       "base",
       "kvm_guest",
+      "sentry_client",
       "bitcoind",
       "cln",
       "lnd",
@@ -25,6 +26,7 @@
       "kosmos-base",
       "kosmos-base::default",
       "kosmos_kvm::guest",
+      "kosmos_sentry::client",
       "tor-full",
       "tor-full::default",
       "kosmos-bitcoin::bitcoind",
@@ -106,6 +108,7 @@
   "run_list": [
     "role[base]",
     "role[kvm_guest]",
+    "role[sentry_client]",
     "recipe[tor-full]",
     "role[bitcoind]",
     "role[cln]",

nodes/sentry-1.json

@@ -0,0 +1,63 @@
+{
+  "name": "sentry-1",
+  "chef_environment": "production",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.132"
+    }
+  },
+  "automatic": {
+    "fqdn": "sentry-1",
+    "os": "linux",
+    "os_version": "5.4.0-1087-kvm",
+    "hostname": "sentry-1",
+    "ipaddress": "192.168.122.251",
+    "roles": [
+      "base",
+      "kvm_guest",
+      "sentry"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_kvm::guest",
+      "kosmos_sentry",
+      "kosmos_sentry::default",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "firewall::default",
+      "chef-sugar::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "20.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "17.10.3",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "17.9.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "role[base]",
+    "role[kvm_guest]",
+    "role[sentry]"
+  ]
+}

roles/sentry.rb

@@ -0,0 +1,11 @@
+name "sentry"
+
+default_run_list = %w(
+  kosmos_sentry::default
+)
+
+env_run_lists(
+  '_default' => default_run_list,
+  'development' => default_run_list,
+  'production' => default_run_list
+)

roles/sentry_client.rb

@@ -0,0 +1,11 @@
+name "sentry_client"
+
+default_run_list = %w(
+  kosmos_sentry::client
+)
+
+env_run_lists(
+  '_default' => default_run_list,
+  'development' => default_run_list,
+  'production' => default_run_list
+)

site-cookbooks/kosmos-akkounts/recipes/default.rb

@@ -53,6 +53,8 @@ env[:smtp] = {
   enable_starttls: node['akkounts']['smtp']['enable_starttls']
 }
 
+env[:sentry_dsn] = credentials["sentry_dsn"]
+
 if webhooks_allowed_ips.length > 0
   env[:webhooks_allowed_ips] = webhooks_allowed_ips
 end

site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb

@@ -67,7 +67,8 @@ template "#{source_dir}/.env" do
     strict_rate_limit: node['lndhub-go']['strict_rate_limit'],
     burst_rate_limit: node['lndhub-go']['burst_rate_limit'],
     branding: node['lndhub-go']['branding'],
-    webhook_url: node['lndhub-go']['webhook_url']
+    webhook_url: node['lndhub-go']['webhook_url'],
+    sentry_dsn: credentials['sentry_dsn']
   }
   notifies :restart, 'service[lndhub-go]', :delayed
 end

site-cookbooks/kosmos_sentry/.gitignore

@@ -0,0 +1,25 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef Infra
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
+
+.idea/
+

site-cookbooks/kosmos_sentry/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2023 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

site-cookbooks/kosmos_sentry/attributes/default.rb

@@ -0,0 +1,9 @@
+node.default["sentry"]["repo"] = "https://github.com/getsentry/self-hosted"
+node.default["sentry"]["revision"] = "23.3.1"
+node.default["sentry"]["port"] = 80
+node.default["sentry"]["retention_days"] = 90
+node.default["sentry"]["allowed_ips"] = nil
+# The Sentry setup requires docker-compose >= 1.28, which is newer than the
+# latest stable version for Ubuntu 20.04
+node.default["sentry"]["docker-compose"]["version"] = "2.17.0"
+node.default["sentry"]["docker-compose"]["checksum"] = "65edee934d988471c40ef31305731dbb4381d3cb0aeea13342119b61772f85e2"

site-cookbooks/kosmos_sentry/chefignore

@@ -0,0 +1,115 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+.envrc
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+REVISION
+TAGS*
+tmtags
+.vscode
+.editorconfig
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+mkmf.log
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.delivery/*
+.foodcritic
+.kitchen*
+.mdlrc
+.overcommit.yml
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+.yamllint
+azure-pipelines.yml
+Dangerfile
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+mlc_config.json
+Procfile
+Rakefile
+spec/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitkeep
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Documentation #
+#############
+CODE_OF_CONDUCT*
+CONTRIBUTING*
+documentation/*
+TESTING*
+UPGRADING*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

site-cookbooks/kosmos_sentry/metadata.rb

@@ -0,0 +1,12 @@
+name 'kosmos_sentry'
+maintainer 'Kosmos Contributors'
+maintainer_email 'mail@kosmos.org'
+license 'MIT'
+description 'Installs/configures Sentry'
+version '0.1.0'
+chef_version '>= 15.0'
+issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
+source_url 'https://gitea.kosmos.org/kosmos/chef'
+
+depends 'git'
+depends 'firewall'

site-cookbooks/kosmos_sentry/recipes/client.rb

@@ -0,0 +1,11 @@
+#
+# Cookbook:: kosmos_sentry
+# Recipe:: client
+#
+
+sentry_host = search(:node, "role:sentry").first["knife_zero"]["host"]
+
+hostsfile_entry sentry_host do
+  hostname 'sentry.kosmos.local'
+  action :create
+end

site-cookbooks/kosmos_sentry/recipes/default.rb

@@ -0,0 +1,82 @@
+#
+# Cookbook:: kosmos_sentry
+# Recipe:: default
+#
+
+package "docker"
+
+remote_file "/usr/local/bin/docker-compose" do
+  source "https://github.com/docker/compose/releases/download/v#{node["sentry"]["docker-compose"]["version"]}/docker-compose-linux-x86_64"
+  checksum node["sentry"]["docker-compose"]["checksum"]
+  mode '0755'
+end
+
+deploy_path = "/opt/sentry"
+
+git deploy_path do
+  repository node["sentry"]["repo"]
+  revision node["sentry"]["revision"]
+end
+
+# TODO
+# Automatically run install script if sentry/sentry.conf.py does not exist yet
+
+env_config = {
+  sentry_event_retention_days: node["sentry"]["retention_days"],
+  sentry_bind: node["sentry"]["bind"] || node["sentry"]["port"],
+  # Default values from upstream
+  compose_project_name: "sentry-self-hosted",
+  sentry_image: "getsentry/sentry:nightly",
+  snuba_image: "getsentry/snuba:nightly",
+  relay_image: "getsentry/relay:nightly",
+  symbolicator_image: "getsentry/symbolicator:nightly",
+  wal2json_version: "latest",
+  healthcheck_interval: "30s",
+  healthcheck_timeout: "60s",
+  healthcheck_retries: "10"
+}
+
+template "#{deploy_path}/.env.custom" do
+  source 'env.custom.erb'
+  mode 0600
+  sensitive true
+  variables config: env_config
+  notifies :restart, "service[sentry]", :delayed
+end
+
+systemd_unit "sentry.service" do
+  content({Unit: {
+             Description: "Sentry service using Docker Compose",
+             Requires: "docker.service",
+             After: "docker.service",
+           },
+           Service: {
+             Type: "oneshot",
+             RemainAfterExit: "true",
+             WorkingDirectory: deploy_path,
+             ExecStart: "docker-compose --env-file #{deploy_path}/.env.custom up -d --remove-orphans",
+             ExecStop: "docker-compose stop",
+             StandardOutput: "syslog"
+           },
+           Install: {
+             WantedBy: "multi-user.target"
+           }})
+  verify false
+  triggers_reload true
+  action [:create]
+end
+
+service "sentry" do
+  action [:enable, :start]
+end
+
+include_recipe 'firewall'
+
+firewall_rule 'sentry' do
+  port     node["sentry"]["port"]
+  protocol :tcp
+  command  :allow
+  if node["sentry"]["allowed_ips"]
+    source node["sentry"]["allowed_ips"]
+  end
+end

site-cookbooks/kosmos_sentry/templates/default/env.custom.erb

@@ -0,0 +1,11 @@
+<% @config.each do |key, value| %>
+<% if value.is_a?(Hash) %>
+<% value.each do |k, v| %>
+<%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
+<% end %>
+<% else %>
+<% if value %>
+<%= key.upcase %>=<%= value.to_s %>
+<% end %>
+<% end %>
+<% end %>