Merge pull request 'Set up Sentry' (#478) from feature/sentry into master

Reviewed-on: #478
This commit is contained in:
Greg 2023-03-28 20:13:28 +00:00
commit d7cbdbd6a5
19 changed files with 419 additions and 19 deletions

4
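--- a/clients/sentry-1.json
+++ b/clients/sentry-1.json
@@ -0,0 +1,4 @@
+{
+"name": "sentry-1",
+"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtZFwP58ym+92YFa0adU3\nVGEJW13NkfaHChx+akB3IioSPKyJ9eOXEI8pOmU3QyqOUKSbqth78DY84hobXlqs\n4O0A7TV029uepcj5zPN047gDsV1TJ6Dakma5eH+Pe5kP/TigCEOF0Cgo+fqtEBEJ\nT/rhSs3zHD1EfBnZdyj/7YyeDv1XLWI8dXoizDUAoBSCDeJ5d7fG56zmFYLV05Ex\nMrjJuHitEmeJXTZABKstRbEd+3Rld+gfJZ/jI4djEW2j1EKAYMT1SxoXdjKlCrpQ\nGux2RSe+Gspt1hyp/flU5gHGO+qLDNSU9tZInClToyFMVBfoW8kWg28Gm2kGkIvr\npQIDAQAB\n-----END PUBLIC KEY-----\n"
+}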


@ -1,23 +1,30 @@
{
"id": "akkounts",
"postgresql_username": {
"encrypted_data": "Mw+E6dXUYIRQgMzfxij9cFT9XFauVn9VUT9p\n",
"iv": "c2b2zKGTf1S3laui\n",
"auth_tag": "3ytXQSpxNYXGEeDOTq5g7g==\n",
"encrypted_data": "drHBdPcrH3BqlsVfWP/vL5Thok8Uub6JhjuU\n",
"iv": "n+08nhiHoK4jRVwd\n",
"auth_tag": "elB4rx8k+jj34iQepECQNA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"postgresql_password": {
"encrypted_data": "UCwTT6i0ORWiVRn5gbjWMOuikAIb7gAwL8g0TFhIvg==\n",
"iv": "xL6W4GqhxAf7FxmK\n",
"auth_tag": "EFE3C0PBAuusn/SqTAdyYA==\n",
"encrypted_data": "Hu8yjpvf3/KY/K3gcbRbEce3OkjSrN91m2lCcePT+A==\n",
"iv": "+GFS35dpYy4zD2pi\n",
"auth_tag": "jCJQMskBFo9TSr8Uq7BWkw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"sentry_dsn": {
"encrypted_data": "KG8apiKfWa4gWwiz8tFLZywpp7gMp3hLDCREeR/RA6+i6Of7qYRx0YRzYdpE\n8gdaO0EOQZ4PXzVBsiIQy4ijHRt8udo2PNzzZP6h91jdAjw=\n",
"iv": "KWU6LeHdE3iwPyBU\n",
"auth_tag": "7pQO/t8pXiwrlb5xAas+Zg==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"rails_master_key": {
"encrypted_data": "QZD0AJIcq3iqrFAHN9DHxfctCXAMRQjuTSI9QgmaIUXgCz4+3LawI6eYGvr9\nV2nyDGJa\n",
"iv": "4hw1Dk+NsQ8wF7Og\n",
"auth_tag": "uoVSykmRQImRld1Ln0bg2g==\n",
"encrypted_data": "E4OVlsZgm9wupyi9Xs7iEy11wJrCXL0Qrm9akulW7vmdrEfnI8KC6x1UooM+\nEI1fYmLs\n",
"iv": "YFRMYT8D+bF+iu5+\n",
"auth_tag": "wT7rorNWEKGNR7xQLTe/xg==\n",
"version": 3,
"cipher": "aes-256-gcm"
}


@ -1,23 +1,30 @@
{
"id": "lndhub-go",
"jwt_secret": {
"encrypted_data": "cFost8pLsoJ/8Gp5m/TgN8xjMkvk0oZuEZ3XfxDIaYjOVYi3fEX8\n",
"iv": "47gV4v/D+10B6xqu\n",
"auth_tag": "MKEyVFfJ3f5pxWRSyMH4Rw==\n",
"encrypted_data": "3T4JYnoISKXCnatCBeLCXyE8wVjzphw5/JU5A0vHfQ2xSDZreIRQ\n",
"iv": "bGQZjCk6FtD/hqVj\n",
"auth_tag": "CS87+UK1ZIFMiNcNaoyO6w==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"postgresql_password": {
"encrypted_data": "YSMEIWdZn08lyrZeJNAUZ5xwKhWHESa1A5MojKJ/5iiE\n",
"iv": "0mlURPOohnKbG+i8\n",
"auth_tag": "bqIOqFEEIxA99wlvpTqxFA==\n",
"encrypted_data": "u8kf/6WdSTzyIz2kF+24JgOPLndWH2WmTFZ3CToJsnay\n",
"iv": "KqLtV2UuaAzJx7C8\n",
"auth_tag": "3aqx45+epb2NFkNfOfG89A==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"admin_token": {
"encrypted_data": "Jv2vQySZT9qn87g24IOYK1dpfSbZoUE/8VtZhzljQGIL\n",
"iv": "kjtrzmjTFKQq+nTV\n",
"auth_tag": "3YbOzU/ndVARbHTU1hoa9g==\n",
"encrypted_data": "Z737fXqRE9JHfunRhc2GG281dFFN1bvBvTzTDzl/Vb8O\n",
"iv": "oKLQJbD67tiz2235\n",
"auth_tag": "SlVIqC9d9SRoO78M7cBjTw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"sentry_dsn": {
"encrypted_data": "gmDHGDWkTIvaXjcWMs1dnKnbqtsADPJ2mLmWw8Idj6RVevU5CabjvviAxEo1\n3hs2LWuObumRSCQt2QKap191uMq3CL2+da53hbsv+JUkxl4=\n",
"iv": "Yt0fSsxL4SNicwUY\n",
"auth_tag": "j7BWbcNnymHHMNTADWmCNw==\n",
"version": 3,
"cipher": "aes-256-gcm"
}


@ -36,6 +36,9 @@
"alternate_domains": [
"mastodon.w7nooprauv6yrnhzh2ajpcnj3doinked2aaztlwfyt6u6pva2qdxqhid.onion"
]
},
"sentry": {
"allowed_ips": "10.1.1.0/24"
}
}
}


@ -16,6 +16,7 @@
"base",
"kvm_guest",
"ldap_client",
"sentry_client",
"akkounts",
"postgresql_client"
],
@ -24,6 +25,7 @@
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos-dirsrv::hostsfile",
"kosmos_sentry::client",
"kosmos_postgresql::hostsfile",
"kosmos-akkounts",
"kosmos-akkounts::default",
@ -74,6 +76,7 @@
"role[base]",
"role[kvm_guest]",
"role[ldap_client]",
"role[sentry_client]",
"role[akkounts]"
]
}


@ -14,6 +14,7 @@
"roles": [
"base",
"kvm_guest",
"sentry_client",
"bitcoind",
"cln",
"lnd",
@ -25,6 +26,7 @@
"kosmos-base",
"kosmos-base::default",
"kosmos_kvm::guest",
"kosmos_sentry::client",
"tor-full",
"tor-full::default",
"kosmos-bitcoin::bitcoind",
@ -106,6 +108,7 @@
"run_list": [
"role[base]",
"role[kvm_guest]",
"role[sentry_client]",
"recipe[tor-full]",
"role[bitcoind]",
"role[cln]",

63
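--- a/nodes/sentry-1.json
+++ b/nodes/sentry-1.json
@@ -0,0 +1,63 @@
+{
+"name": "sentry-1",
+"chef_environment": "production",
+"normal": {
+"knife_zero": {
+"host": "10.1.1.132"
+}
+},
+"automatic": {
+"fqdn": "sentry-1",
+"os": "linux",
+"os_version": "5.4.0-1087-kvm",
+"hostname": "sentry-1",
+"ipaddress": "192.168.122.251",
+"roles": [
+"base",
+"kvm_guest",
+"sentry"
+],
+"recipes": [
+"kosmos-base",
+"kosmos-base::default",
+"kosmos_kvm::guest",
+"kosmos_sentry",
+"kosmos_sentry::default",
+"apt::default",
+"timezone_iii::default",
+"timezone_iii::debian",
+"ntp::default",
+"ntp::apparmor",
+"kosmos-base::systemd_emails",
+"apt::unattended-upgrades",
+"kosmos-base::firewall",
+"kosmos-postfix::default",
+"postfix::default",
+"postfix::_common",
+"postfix::_attributes",
+"postfix::sasl_auth",
+"hostname::default",
+"firewall::default",
+"chef-sugar::default"
+],
+"platform": "ubuntu",
+"platform_version": "20.04",
+"cloud": null,
+"chef_packages": {
+"chef": {
+"version": "17.10.3",
+"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
+"chef_effortless": null
+},
+"ohai": {
+"version": "17.9.0",
+"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+}
+}
+},
+"run_list": [
+"role[base]",
+"role[kvm_guest]",
+"role[sentry]"
+]
+}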

11
roles/sentry.rb Normal file

@ -0,0 +1,11 @@
name "sentry"
default_run_list = %w(
kosmos_sentry::default
)
env_run_lists(
'_default' => default_run_list,
'development' => default_run_list,
'production' => default_run_list
)

11
roles/sentry_client.rb Normal file

@ -0,0 +1,11 @@
name "sentry_client"
default_run_list = %w(
kosmos_sentry::client
)
env_run_lists(
'_default' => default_run_list,
'development' => default_run_list,
'production' => default_run_list
)


@ -53,6 +53,8 @@ env[:smtp] = {
enable_starttls: node['akkounts']['smtp']['enable_starttls']
}
env[:sentry_dsn] = credentials["sentry_dsn"]
if webhooks_allowed_ips.length > 0
env[:webhooks_allowed_ips] = webhooks_allowed_ips
end


@ -67,7 +67,8 @@ template "#{source_dir}/.env" do
strict_rate_limit: node['lndhub-go']['strict_rate_limit'],
burst_rate_limit: node['lndhub-go']['burst_rate_limit'],
branding: node['lndhub-go']['branding'],
webhook_url: node['lndhub-go']['webhook_url']
webhook_url: node['lndhub-go']['webhook_url'],
sentry_dsn: credentials['sentry_dsn']
}
notifies :restart, 'service[lndhub-go]', :delayed
end

25
site-cookbooks/kosmos_sentry/.gitignore vendored Normal file

@ -0,0 +1,25 @@
.vagrant
*~
*#
.#*
\#*#
.*.sw[a-z]
*.un~
# Bundler
Gemfile.lock
gems.locked
bin/*
.bundle/*
# test kitchen
.kitchen/
kitchen.local.yml
# Chef Infra
Berksfile.lock
.zero-knife.rb
Policyfile.lock.json
.idea/


@ -0,0 +1,20 @@
Copyright (c) 2023 Kosmos Developers
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


@ -0,0 +1,9 @@
node.default["sentry"]["repo"] = "https://github.com/getsentry/self-hosted"
node.default["sentry"]["revision"] = "23.3.1"
node.default["sentry"]["port"] = 80
node.default["sentry"]["retention_days"] = 90
node.default["sentry"]["allowed_ips"] = nil
# The Sentry setup requires docker-compose >= 1.28, which is newer than the
# latest stable version for Ubuntu 20.04
node.default["sentry"]["docker-compose"]["version"] = "2.17.0"
node.default["sentry"]["docker-compose"]["checksum"] = "65edee934d988471c40ef31305731dbb4381d3cb0aeea13342119b61772f85e2"
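Review bot: The default recipe reads `node["sentry"]["bind"]` (falling back to `port`) but this attributes file declares no `bind` key, so the override cannot be discovered from here; add `node.default["sentry"]["bind"] = nil # optional SENTRY_BIND value; falls back to sentry.port` next to the other defaults. The `allowed_ips = nil` default also deserves a comment stating its effect on the firewall rule in the default recipe, e.g. `# nil leaves the Sentry port reachable from any source; set a CIDR (as the production node data does) to restrict it`. Pinning the docker-compose download to a sha256 checksum is the right call; a short comment naming where the checksum was taken from would make future bumps easier to verify.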


@ -0,0 +1,115 @@
# Put files/directories that should be ignored in this file when uploading
# to a Chef Infra Server or Supermarket.
# Lines that start with '# ' are comments.
# OS generated files #
######################
.DS_Store
ehthumbs.db
Icon?
nohup.out
Thumbs.db
.envrc
# EDITORS #
###########
.#*
.project
.settings
*_flymake
*_flymake.*
*.bak
*.sw[a-z]
*.tmproj
*~
\#*
REVISION
TAGS*
tmtags
.vscode
.editorconfig
## COMPILED ##
##############
*.class
*.com
*.dll
*.exe
*.o
*.pyc
*.so
*/rdoc/
a.out
mkmf.log
# Testing #
###########
.circleci/*
.codeclimate.yml
.delivery/*
.foodcritic
.kitchen*
.mdlrc
.overcommit.yml
.rspec
.rubocop.yml
.travis.yml
.watchr
.yamllint
azure-pipelines.yml
Dangerfile
examples/*
features/*
Guardfile
kitchen.yml*
mlc_config.json
Procfile
Rakefile
spec/*
test/*
# SCM #
#######
.git
.gitattributes
.gitconfig
.github/*
.gitignore
.gitkeep
.gitmodules
.svn
*/.bzr/*
*/.git
*/.hg/*
*/.svn/*
# Berkshelf #
#############
Berksfile
Berksfile.lock
cookbooks/*
tmp
# Bundler #
###########
vendor/*
Gemfile
Gemfile.lock
# Policyfile #
##############
Policyfile.rb
Policyfile.lock.json
# Documentation #
#############
CODE_OF_CONDUCT*
CONTRIBUTING*
documentation/*
TESTING*
UPGRADING*
# Vagrant #
###########
.vagrant
Vagrantfile


@ -0,0 +1,12 @@
name 'kosmos_sentry'
maintainer 'Kosmos Contributors'
maintainer_email 'mail@kosmos.org'
license 'MIT'
description 'Installs/configures Sentry'
version '0.1.0'
chef_version '>= 15.0'
issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
source_url 'https://gitea.kosmos.org/kosmos/chef'
depends 'git'
depends 'firewall'
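Review bot: `depends 'hostsfile'` appears to be missing: the client recipe added in this PR uses the `hostsfile_entry` resource, which is not a core Chef resource, so this cookbook only converges when some other cookbook in the run_list happens to pull that resource in. Add `depends 'hostsfile'` next to `depends 'git'` and `depends 'firewall'`, unless the resource is defined by a cookbook vendored in this repository, in which case name that one.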


@ -0,0 +1,11 @@
#
# Cookbook:: kosmos_sentry
# Recipe:: client
#
sentry_host = search(:node, "role:sentry").first["knife_zero"]["host"]
hostsfile_entry sentry_host do
hostname 'sentry.kosmos.local'
action :create
end
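Review bot: `search(:node, "role:sentry").first` returns nil when no node carries the role (or the search index is stale), and the chained `["knife_zero"]["host"]` then fails with a NoMethodError that does not say what went wrong; guard it: `sentry_node = search(:node, "role:sentry").first` / `raise "kosmos_sentry::client: no node with role[sentry] found" unless sentry_node` / `sentry_host = sentry_node["knife_zero"]["host"]`. The search may also match more than one node, in which case `.first` picks an arbitrary one; a comment stating that exactly one Sentry host is assumed would make that explicit.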


@ -0,0 +1,82 @@
#
# Cookbook:: kosmos_sentry
# Recipe:: default
#
package "docker"
remote_file "/usr/local/bin/docker-compose" do
source "https://github.com/docker/compose/releases/download/v#{node["sentry"]["docker-compose"]["version"]}/docker-compose-linux-x86_64"
checksum node["sentry"]["docker-compose"]["checksum"]
mode '0755'
end
deploy_path = "/opt/sentry"
git deploy_path do
repository node["sentry"]["repo"]
revision node["sentry"]["revision"]
end
# TODO
# Automatically run install script if sentry/sentry.conf.py does not exist yet
env_config = {
sentry_event_retention_days: node["sentry"]["retention_days"],
sentry_bind: node["sentry"]["bind"] || node["sentry"]["port"],
# Default values from upstream
compose_project_name: "sentry-self-hosted",
sentry_image: "getsentry/sentry:nightly",
snuba_image: "getsentry/snuba:nightly",
relay_image: "getsentry/relay:nightly",
symbolicator_image: "getsentry/symbolicator:nightly",
wal2json_version: "latest",
healthcheck_interval: "30s",
healthcheck_timeout: "60s",
healthcheck_retries: "10"
}
template "#{deploy_path}/.env.custom" do
source 'env.custom.erb'
mode 0600
sensitive true
variables config: env_config
notifies :restart, "service[sentry]", :delayed
end
systemd_unit "sentry.service" do
content({Unit: {
Description: "Sentry service using Docker Compose",
Requires: "docker.service",
After: "docker.service",
},
Service: {
Type: "oneshot",
RemainAfterExit: "true",
WorkingDirectory: deploy_path,
ExecStart: "docker-compose --env-file #{deploy_path}/.env.custom up -d --remove-orphans",
ExecStop: "docker-compose stop",
StandardOutput: "syslog"
},
Install: {
WantedBy: "multi-user.target"
}})
verify false
triggers_reload true
action [:create]
end
service "sentry" do
action [:enable, :start]
end
include_recipe 'firewall'
firewall_rule 'sentry' do
port node["sentry"]["port"]
protocol :tcp
command :allow
if node["sentry"]["allowed_ips"]
source node["sentry"]["allowed_ips"]
end
end
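Review bot: The firewall rule at the end of the recipe becomes an unrestricted allow on `node["sentry"]["port"]` whenever `allowed_ips` is nil, which is the attribute default, so any node that does not override it exposes the plain-HTTP Sentry UI and ingest port to every source; consider failing early with `raise 'sentry.allowed_ips must be set' unless node["sentry"]["allowed_ips"]` before the rule, or documenting that the open default is intended. `package "docker"` is worth checking against the Ubuntu 20.04 target recorded in nodes/sentry-1.json, where the container engine is usually packaged as `docker.io` and the `docker.service` unit the systemd unit requires comes from that package. The `.env.custom` template uses the integer `mode 0600` while the remote_file above uses the string `'0755'`; the string form (`mode '0600'`) is the conventional one and keeps the two resources consistent.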


@ -0,0 +1,11 @@
<% @config.each do |key, value| %>
<% if value.is_a?(Hash) %>
<% value.each do |k, v| %>
<%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
<% end %>
<% else %>
<% if value %>
<%= key.upcase %>=<%= value.to_s %>
<% end %>
<% end %>
<% end %>
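Review bot: The scalar branch skips falsy values with `<% if value %>`, but the nested-hash branch writes every `v` unconditionally, so a nil inside a nested hash produces `KEY_SUB=` while a nil top-level value is dropped; wrap the inner line in the same guard: `<% if v %>` / `<%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>` / `<% end %>`. Values are written unquoted, which is fine for the `--env-file` consumer as long as no value contains a newline; a one-line comment at the top of the template stating that assumption would help the next person adding an attribute.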