From dbccd9d2bf6b2cb9a56ec4a043b542e9fb6726fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Fri, 7 Jun 2024 20:43:46 +0200 Subject: [PATCH] Add kosmos_strfry cookbook, configs --- environments/production.json | 10 +++++++ nodes/draco.kosmos.org.json | 1 + roles/openresty_proxy.rb | 1 + roles/strfry.rb | 6 ++++ site-cookbooks/kosmos_strfry/LICENSE | 20 +++++++++++++ site-cookbooks/kosmos_strfry/README.md | 4 +++ site-cookbooks/kosmos_strfry/metadata.rb | 9 ++++++ .../kosmos_strfry/recipes/firewall.rb | 13 +++++++++ site-cookbooks/kosmos_strfry/recipes/nginx.rb | 29 +++++++++++++++++++ .../templates/nginx_conf_strfry.erb | 28 ++++++++++++++++++ 10 files changed, 121 insertions(+) create mode 100644 roles/strfry.rb create mode 100644 site-cookbooks/kosmos_strfry/LICENSE create mode 100644 site-cookbooks/kosmos_strfry/README.md create mode 100644 site-cookbooks/kosmos_strfry/metadata.rb create mode 100644 site-cookbooks/kosmos_strfry/recipes/firewall.rb create mode 100644 site-cookbooks/kosmos_strfry/recipes/nginx.rb create mode 100644 site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb diff --git a/environments/production.json b/environments/production.json index 4f84064..d226fa7 100644 --- a/environments/production.json +++ b/environments/production.json @@ -101,6 +101,16 @@ }, "sentry": { "allowed_ips": "10.1.1.0/24" + }, + "strfry": { + "domain": "nostr.kosmos.org", + "real_ip_header": "X-Real-IP", + "info": { + "name": "Kosmos Relay", + "description": "Members-only nostr relay for kosmos.org users", + "pubkey": "1f79058c77a224e5be226c8f024cacdad4d741855d75ed9f11473ba8eb86e1cb", + "contact": "ops@kosmos.org" + } } } } diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index f07f268..f95e990 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json 
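Review bot: `"real_ip_header": "X-Real-IP"` tells the relay to take the peer address from a proxy-supplied header, which is only sound while nothing but the reverse proxy can reach the relay port; in this same commit the firewall recipe admits all of 10.1.1.0/24, so any host on that subnet can connect directly and present an arbitrary `X-Real-IP`. The nginx template does overwrite the header with `$remote_addr`, so traffic through the proxy is fine; it is the direct path that is wider than it needs to be. If the relay uses that address for rate limiting or write policy (how the attribute is consumed is presumably in the strfry cookbook, not in the diff), narrow the firewall source to the proxy host(s) or record the assumption in the cookbook README.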
@@ -54,6 +54,7 @@
 "kosmos_liquor-cabinet::nginx",
 "kosmos_rsk::nginx_testnet",
 "kosmos_rsk::nginx_mainnet",
+ "kosmos_strfry::nginx",
 "kosmos_website",
 "kosmos_website::default",
 "kosmos-akkounts::nginx",
diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb
index 38e8bbb..c238c1b 100644
--- a/roles/openresty_proxy.rb
+++ b/roles/openresty_proxy.rb
@@ -28,6 +28,7 @@ production_run_list = %w(
 kosmos_liquor-cabinet::nginx
 kosmos_rsk::nginx_testnet
 kosmos_rsk::nginx_mainnet
+ kosmos_strfry::nginx
 kosmos_website::default
 kosmos-akkounts::nginx
 kosmos-akkounts::nginx_api
diff --git a/roles/strfry.rb b/roles/strfry.rb
new file mode 100644
index 0000000..65472d2
--- /dev/null
+++ b/roles/strfry.rb
@@ -0,0 +1,6 @@
+name "strfry"
+
+run_list %w(
+ strfry::default
+ kosmos_strfry::firewall
+)
diff --git a/site-cookbooks/kosmos_strfry/LICENSE b/site-cookbooks/kosmos_strfry/LICENSE
new file mode 100644
index 0000000..b5a9703
--- /dev/null
+++ b/site-cookbooks/kosmos_strfry/LICENSE
@@ -0,0 +1,20 @@
+Copyright (c) 2024 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/site-cookbooks/kosmos_strfry/README.md b/site-cookbooks/kosmos_strfry/README.md
new file mode 100644
index 0000000..04638b2
--- /dev/null
+++ b/site-cookbooks/kosmos_strfry/README.md
@@ -0,0 +1,4 @@
+kosmos_strfry
+=============
+
+Installs/configures a strfry relay and its reverse proxy config
diff --git a/site-cookbooks/kosmos_strfry/metadata.rb b/site-cookbooks/kosmos_strfry/metadata.rb
new file mode 100644
index 0000000..8498c01
--- /dev/null
+++ b/site-cookbooks/kosmos_strfry/metadata.rb
@@ -0,0 +1,9 @@
+name 'kosmos_strfry'
+maintainer 'Kosmos'
+maintainer_email 'mail@kosmos.org'
+license 'MIT'
+description 'strfry wrapper cookbook'
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+version '0.1.0'
+
+depends 'kosmos_openresty'
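Review bot: `depends 'kosmos_openresty'` is the only dependency declared, yet recipes/firewall.rb in this commit does `include_recipe "kosmos-base::firewall"` and recipes/nginx.rb calls `tls_cert_for`, neither of which this cookbook provides; Chef resolves the cookbook set for a run list from metadata, so unless kosmos_openresty pulls those in transitively (not visible here) the new strfry role will fail with a cookbook-not-found error on its first converge. Add `depends 'kosmos-base'` here, plus whichever cookbook defines the `tls_cert_for` resource if that is a different one.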
diff --git a/site-cookbooks/kosmos_strfry/recipes/firewall.rb b/site-cookbooks/kosmos_strfry/recipes/firewall.rb
new file mode 100644
index 0000000..ea26f83
--- /dev/null
+++ b/site-cookbooks/kosmos_strfry/recipes/firewall.rb
@@ -0,0 +1,13 @@
+#
+# Cookbook Name:: kosmos_strfry
+# Recipe:: firewall
+#
+
+include_recipe "kosmos-base::firewall"
+
+firewall_rule "strfry" do
+ port node["strfry"]["port"]
+ source "10.1.1.0/24"
+ protocol :tcp
+ command :allow
+end
diff --git a/site-cookbooks/kosmos_strfry/recipes/nginx.rb b/site-cookbooks/kosmos_strfry/recipes/nginx.rb
new file mode 100644
index 0000000..58cc724
--- /dev/null
+++ b/site-cookbooks/kosmos_strfry/recipes/nginx.rb
@@ -0,0 +1,29 @@
+#
+# Cookbook Name:: kosmos_strfry
+# Recipe:: nginx
+#
+
+domain = node["strfry"]["domain"]
+
+upstream_hosts = []
+search(:node, 'role:strfry').each do |node|
+ upstream_hosts << node['knife_zero']['host']
+end
+if upstream_hosts.empty?
+ Chef::Log.warn("No node found with 'strfry' role. Not configuring nginx site.")
+ return
+end
+
+tls_cert_for domain do
+ auth "gandi_dns"
+ action :create
+end
+
+openresty_site domain do
+ template "nginx_conf_strfry.erb"
+ variables domain: domain,
+ upstream_port: node['strfry']['port'],
+ upstream_hosts: upstream_hosts,
+ ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+end
diff --git a/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb b/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb
new file mode 100644
index 0000000..c48ce62
--- /dev/null
+++ b/site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb
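Review bot: `port node["strfry"]["port"]` reads an attribute that nothing in this commit sets — the `strfry` block added to production.json carries `domain`, `real_ip_header` and `info` but no `port` — so the rule depends on a default from the `strfry` cookbook named in roles/strfry.rb, which is not in the diff. If that default is absent the resource receives `port nil`, and depending on how the firewall cookbook renders a rule without a port that may become "allow all TCP from 10.1.1.0/24" rather than a failed run; a guard such as `raise "node['strfry']['port'] is not set" if node["strfry"]["port"].nil?` ahead of the resource, or a default in this wrapper's attributes, makes it fail closed. The source CIDR is also hard-coded while the same network already lives in production.json as `sentry.allowed_ips`; lifting it to `node["strfry"]["allowed_ips"]` would keep the allow-list in one place.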
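Review bot: The block parameter in `search(:node, 'role:strfry').each do |node|` shadows the recipe's own `node` object for the length of the block, a few lines away from code that reads `node['strfry']['port']` from the real node; rename it, e.g. `upstream_hosts = search(:node, 'role:strfry').map { |relay| relay['knife_zero']['host'] }`, which also drops the manual accumulator. Separately, `upstream_port: node['strfry']['port']` is passed to the template although nothing in this commit sets `strfry.port`; if the strfry cookbook (not in the diff) does not default it, a nil here renders `server <host>:;` and the failure surfaces only at nginx reload, so a `raise` when the attribute is nil, next to the existing empty-hosts guard, fails earlier and more clearly.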
@@ -0,0 +1,28 @@
+upstream _strfry {
+<% @upstream_hosts.each do |host| %>
+ server <%= host %>:<%= @upstream_port %>;
+<% end %>
+}
+
+server {
+ listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name <%= @domain %>;
+
+ access_log "/var/log/nginx/<%= @domain %>.access.log";
+ error_log "/var/log/nginx/<%= @domain %>.error.log";
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass http://_strfry;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
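Review bot: The `location /` block upgrades connections to WebSocket but sets no proxy timeouts, so an idle relay subscription is closed by nginx once its default `proxy_read_timeout` (60s) elapses without data; add `proxy_read_timeout 3600s;` and `proxy_send_timeout 3600s;` (or whatever the relay's own ping interval tolerates) next to `proxy_http_version 1.1;`. `Connection "upgrade"` is also sent unconditionally, including on plain GETs such as relay-information requests; the usual `map $http_upgrade $connection_upgrade` idiom would have to live in the http-level config from kosmos_openresty, which is not in the diff. The server block sets only the certificate and key, so if `ssl_protocols`/`ssl_ciphers` are not defined at the http level by that cookbook this site falls back to nginx's built-in defaults — worth confirming before it goes live.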