From 1d98bf14fe671c70990de2a5fa0860a1e698fd10 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Fri, 19 Apr 2019 17:35:29 +0100 Subject: [PATCH 01/12] Configure kosmos-github closes #35 --- data_bags/credentials/kredits-github.json | 24 +++++ nodes/barnard.kosmos.org.json | 9 ++ site-cookbooks/kredits-github/CHANGELOG.md | 6 ++ site-cookbooks/kredits-github/LICENSE | 20 ++++ site-cookbooks/kredits-github/README.md | 31 ++++++ .../kredits-github/attributes/default.rb | 3 + site-cookbooks/kredits-github/metadata.rb | 12 +++ .../kredits-github/recipes/default.rb | 96 +++++++++++++++++++ .../kredits-github/recipes/nginx.rb | 46 +++++++++ .../templates/default/nginx_conf.erb | 26 +++++ .../default/nodejs.systemd.service.erb | 17 ++++ 11 files changed, 290 insertions(+) create mode 100644 data_bags/credentials/kredits-github.json create mode 100644 nodes/barnard.kosmos.org.json create mode 100644 site-cookbooks/kredits-github/CHANGELOG.md create mode 100644 site-cookbooks/kredits-github/LICENSE create mode 100644 site-cookbooks/kredits-github/README.md create mode 100644 site-cookbooks/kredits-github/attributes/default.rb create mode 100644 site-cookbooks/kredits-github/metadata.rb create mode 100644 site-cookbooks/kredits-github/recipes/default.rb create mode 100644 site-cookbooks/kredits-github/recipes/nginx.rb create mode 100644 site-cookbooks/kredits-github/templates/default/nginx_conf.erb create mode 100644 site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb diff --git a/data_bags/credentials/kredits-github.json b/data_bags/credentials/kredits-github.json new file mode 100644 index 0000000..cda8c04 --- /dev/null +++ b/data_bags/credentials/kredits-github.json 
@@ -0,0 +1,24 @@ +{ + "id": "kredits-github", + "app_id": { + "encrypted_data": "DVvsNFAlZIO1NMmo1dVbA05MYdyJfPG9\n", + "iv": "JP4lpX3pFT8l43Hl\n", + "auth_tag": "EncRbtgQigRvLIfbMS+IxQ==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "private_key": { + "encrypted_data": "nV2ecoeWtL/TIM9grbsDAVh34gkaE/bJFc7qebUA9fOU40eeC7xMQst9pBZ+\nIfok2Y4Q0+ABQEKTrilfhSAOA+Hck66W2k1oNdCKXRcNb40T0Y01L77nNdzO\n0b6+uzopQ9oe2M5PF283gk8JWWQV9qED4eKpXEyU8prooA26KabXSrnsMESU\nIztULMsHNhUbDPHBRiEA6q/YUKlw8R++Sh9BcOjjeAEK+pueiARDh+yNMfJV\nomZRWfqncLlryDY6g+hbWEy5Oh+uMD8Th7zhbO//5dPOP1T6ZJjzHfhVQw+v\ng8txFD505yCBKiv70K4cHy9dF+ExFzJBcgr42gJ60gzShemZywAxOCDIc2yz\nFSEVwxGlxYRs5PLHhOT+KCaDzE7w5JmHDyMzv0j+IJnUtPPeInUUI9CNw42F\nmXygqGaY2BmJXAqYtCqEeMsZBtXijqu3TY3mmqxudupxethRrXZ9uZ0I3Ohf\nw6BCnqTw/sT3JkBxtNRQeEQvF+2G8ysXyLujkbqAyWiT+fCmS14FhisEOr8H\n6ojfRGb5iHHScG5wTwXn6tr4de9jjVk5Hrth3Rj46ZImMd1lzROPYyIcWFlS\no57Y3nmF6j7pjDBz++nInnpGlzPG+17sG4OSp6t0t93Vwkr8q9WNQjLo0Jqc\nLNaziU1ke3g+ZpKnHhUwJ2sCyVk4xvVD98hx4lhwCPzKghGQhWu6Vo2YfN79\nhSMjNw5N/3WFxdb5EuF4vYWOFitBvogPkAusZjrexlhUmGIS2qf+jlKvo6yD\nIl8CrCYZttj1UnyCuDmftIXTY9/7czBDQgq+vHlT33e7hNLHD7tFDeTEaz0t\nS+/I0+BgEnKv7aQHSSKExg3ZNc86yqfREKNsKxf4O6YiceBP7r/0qqFR6VBH\nIOQpUwK2e6cv70VmmtoEIjIpRZIOScrVVc1w2QlCj7xH9WfdEG9GSft3uHqd\nqbpegChVNuq2tEq7DoAC8ednjzbYdka4bpGJCqF6zm1c48WaL0G6VBLioi/r\nwFhCNi6AOEYkX0v3wovxME1aodfzBiu1Q6nEuzflZthr+1zERZXXaXY59VZ8\nqzWnLd5Xd/SxvvODY67fdykP90Kn94Xf+6XD9r72ch3S3ZqoWi66YFyqZ5Aa\n0LVKK+nCUwlGWjdgzcEcGx5OOyvbqm2VVnwWo2HuVk/iTzkrppF9y5nvFWUc\n6FfDdGWytkmzRH3KBZ9GKqgrIrswUmsSoIHESugVouJ+QfbFZZLLQS/0p4wH\nPFT8H8GSUvg8CEbap4JRW3R/+yspqSXipfIH5TrKr6NkyggWSE7EMNYq41eU\nuFWtwqX/z8x0SVVo+thAXkgg7KcZrZ9W4LdSGnfrx90QGZ0/K9Xs27pPY8R1\nSUNpaUc3S4Vxt28ualRBksuiIXT9AJGPGQf5UOgpOzBmDFw0GSjZdzz33tLL\n49Ymktapc6mC1FCxkJO3e+pI/I34+FcD9oiVea5v0Gg1cuuZInGJBYrq0PBE\nTaz0w2e8X/eQ2fVnQlUgmHlPcOugtoK8sLEO2+HDyBmIx9ypCfqFo6tu+MHG\nZTRp1GFmifYKUMnGvyxgo7mMFuSJtzgF/UR4PddbfX9yFAxPUTzM2Ba4s9um\nBZXKQoQB/dS9wXhmZVme9Yjq/D1d8w3wosSOcDV3apNerDx
egbFqt8ugYbtQ\nmy35aHCXU560Xi1uyWBggRXsoWSsb3RZhNbTz6vsvsly9kj6pSUtxbAiwvwI\nrZuGwvNUgYHdXaHdQAqyCAiIF3KJfQGTyk2di26BZ3K8eTnP3tKbTT157Adf\nOt4e+sHhfmacjmXN9FFuOlLddOk45Y7YSRDwGgqS3NqTSo21GAPBSDqfwqkr\neG76OKxoijCMYeJQ6h0lqh8lXYO5h376BdbUMvZfiy8PzkfbCZ9j45b/jHQD\n8CSWz+T8LmQM4Mg69MZn3zAYOSrPQj9DMbwuQshqe19qRlrexRRemWATvkSO\nYchQJ2891WGn7WZ2vrd9VpEdiXdC6JmCpDfoBBJ3JcaknTrNx7VBPc/48rli\nIlso0fzzxTGIrJjFbYL38Br20/qZcXzOO+YJXuHY+n5vuZ2870yPck4r1vUX\n6HSRALY768YGSLNWwfg9sDfbOcpfxKrnrNJxF5Nz7cGN63CKm1e6GZG+vSX+\nNBkumwPGyUWtLJO+JE8l6yivOZeq01W+XOjSh8NzrQJ3Tt2XVhuqWy+ruXS0\nA9O2/tdI2pu0ed63TVaWL/ULYrfXtHtCOYyjc5ulIwX7+L9LXU2I9zmycp0u\n3eR50MpHBgGSCyk=\n", + "iv": "IlCQ6yNhvGFeTJlP\n", + "auth_tag": "bItEhCOGVHB2HMzWKuyExg==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "webhook_secret": { + "encrypted_data": "5aUw9uwoX7BmUXCXLjJ82VtEOAAaneldYMUnv2XJqL+XUNokmdf/tQwTjI7R\n8Ov1+sXCp2R073apPUk=\n", + "iv": "6VeynEodre6uhBE7\n", + "auth_tag": "kRGFN3q+N0NKPwoLRrtgtw==\n", + "version": 3, + "cipher": "aes-256-gcm" + } +} \ No newline at end of file diff --git a/nodes/barnard.kosmos.org.json b/nodes/barnard.kosmos.org.json new file mode 100644 index 0000000..67856da --- /dev/null +++ b/nodes/barnard.kosmos.org.json @@ -0,0 +1,9 @@ +{ + "run_list": [ + "role[base]", + "kredits-github" + ], + "automatic": { + "ipaddress": "barnard.kosmos.org" + } +} diff --git a/site-cookbooks/kredits-github/CHANGELOG.md b/site-cookbooks/kredits-github/CHANGELOG.md new file mode 100644 index 0000000..f1e847a --- /dev/null +++ b/site-cookbooks/kredits-github/CHANGELOG.md @@ -0,0 +1,6 @@ +kredits-github CHANGELOG +======================== + +0.1.0 +----- +- [Râu Cao] - Initial release of kredits-github diff --git a/site-cookbooks/kredits-github/LICENSE b/site-cookbooks/kredits-github/LICENSE new file mode 100644 index 0000000..f3b5d1c --- /dev/null +++ b/site-cookbooks/kredits-github/LICENSE 
@@ -0,0 +1,20 @@ +Copyright (c) 2019 Kosmos Developers + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/site-cookbooks/kredits-github/README.md b/site-cookbooks/kredits-github/README.md new file mode 100644 index 0000000..39e43f5 --- /dev/null +++ b/site-cookbooks/kredits-github/README.md @@ -0,0 +1,31 @@ +kredits-github Cookbook +======================= + +This cookbook installs [kredits-github](https://github.com/67P/kredits-github). + +Attributes +---------- + +#### kredits-github::default + + + + + + + + + + + + + + + + + + + +
KeyTypeDescriptionDefault
['sockethub']['port']IntegerThe local port to run sockethub on10551
['sockethub']['external_port']IntegerThe external port to run sockethub on. This will also open the port on the firewall10550
+
+Right now the nginx vhost is hardcoded: sockethub.kosmos.org
diff --git a/site-cookbooks/kredits-github/attributes/default.rb b/site-cookbooks/kredits-github/attributes/default.rb
new file mode 100644
index 0000000..d024a64
--- /dev/null
+++ b/site-cookbooks/kredits-github/attributes/default.rb
@@ -0,0 +1,3 @@
+node.default['kredits-github']['port'] = '3000'
+node.default['kredits-github']['revision'] = 'master'
+node.default['kredits-github']['domain'] = 'kredits-github.kosmos.org'
diff --git a/site-cookbooks/kredits-github/metadata.rb b/site-cookbooks/kredits-github/metadata.rb
new file mode 100644
index 0000000..eb57f47
--- /dev/null
+++ b/site-cookbooks/kredits-github/metadata.rb
@@ -0,0 +1,12 @@
+name 'kredits-github'
+maintainer 'Kosmos'
+maintainer_email 'mail@kosmos.org'
+license 'MIT'
+description 'Installs/Configures kredits-github'
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+version '0.1.0'
+
+depends 'application_javascript'
+depends 'kosmos-nodejs'
+depends 'kosmos-nginx'
+depends 'firewall'
diff --git a/site-cookbooks/kredits-github/recipes/default.rb b/site-cookbooks/kredits-github/recipes/default.rb
new file mode 100644
index 0000000..1512879
--- /dev/null
+++ b/site-cookbooks/kredits-github/recipes/default.rb
@@ -0,0 +1,96 @@
+#
+# Cookbook Name:: sockethub
+# Recipe:: default
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2019, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe 'kosmos-nodejs'
+include_recipe 'kredits-github::nginx'
+
+app_name = "kredits-github"
+deploy_user = "deploy"
+deploy_group = "deploy"
+credentials = Chef::EncryptedDataBagItem.load('credentials', app_name)
+
+group deploy_group
+
+user deploy_user do
+ group deploy_group
+ manage_home true
+ shell "/bin/bash"
+ comment "deploy user"
+end
+
+path_to_deploy = "/opt/#{app_name}"
+application path_to_deploy do
+ owner deploy_user
+ group deploy_group
+
+ git do
+ user deploy_user
+ group deploy_group
+ repository "https://github.com/67P/#{app_name}.git"
+ revision node[app_name]['revision']
+ end
+
+ npm_install do
+ user deploy_user
+ end
+
+ execute "systemctl daemon-reload" do
+ command "systemctl daemon-reload"
+ action :nothing
+ end
+
+ file "#{path_to_deploy}/github_app_key.pem" do
+ content credentials['private_key']
+ owner deploy_user
+ group deploy_group
+ mode '0440'
+ end
+
+ template "/lib/systemd/system/#{app_name}.service" do
+ source 'nodejs.systemd.service.erb'
+ owner 'root'
+ group 'root'
+ mode '0644'
+ variables(
+ user: deploy_user,
+ group: deploy_group,
+ app_dir: path_to_deploy,
+ entry: "/usr/bin/node /usr/bin/npm start",
+ environment: {
+ 'LOG_LEVEL' => "debug",
+ 'APP_ID' => credentials['app_id'],
+ 'PRIVATE_KEY_PATH' => "#{path_to_deploy}/github_app_key.pem",
+ 'WEBHOOK_SECRET' => credentials['webhook_secret'],
+ }
+ )
+ notifies :run, "execute[systemctl daemon-reload]", :delayed
+ notifies :restart, "service[#{app_name}]", :delayed
+ end
+
+ service app_name do
+ action [:enable, :start]
+ end
+end
diff --git a/site-cookbooks/kredits-github/recipes/nginx.rb b/site-cookbooks/kredits-github/recipes/nginx.rb
new file mode 100644
index 0000000..54b576a
--- /dev/null
+++ b/site-cookbooks/kredits-github/recipes/nginx.rb
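Review bot: Neither the `file "#{path_to_deploy}/github_app_key.pem"` resource nor the `template "/lib/systemd/system/#{app_name}.service"` resource sets `sensitive true`, so whenever either changes chef-client prints the rendered content and diff — the GitHub App private key, `APP_ID` and `WEBHOOK_SECRET` — into its log and any run report. Add `sensitive true` to both resources; PATCH 09/12 adds it for the key file but PATCH 11/12 reverts that, so the series ends without it. `revision node[app_name]['revision']` defaults to `master` in attributes/default.rb, which means each converge deploys whatever the upstream branch head is at that moment; pinning the attribute to a tag or commit would make deploys reproducible and the deployed code reviewable.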
@@ -0,0 +1,46 @@
+#
+# Cookbook Name:: kredits-github
+# Recipe:: nginx
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2019, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe 'kosmos-nginx'
+server_name = node['kredits-github']['domain']
+
+template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
+ source 'nginx_conf.erb'
+ owner 'www-data'
+ mode 0640
+ variables app_name: "kredits-github",
+ nodejs_port: node['kredits-github']['port'],
+ server_name: server_name,
+ ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
+ notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site server_name do
+ action :enable
+end
+
+nginx_certbot_site server_name
diff --git a/site-cookbooks/kredits-github/templates/default/nginx_conf.erb b/site-cookbooks/kredits-github/templates/default/nginx_conf.erb
new file mode 100644
index 0000000..70aefb8
--- /dev/null
+++ b/site-cookbooks/kredits-github/templates/default/nginx_conf.erb
@@ -0,0 +1,26 @@
+# Generated by Chef
+upstream _<%= @app_name %> {
+ server localhost:<%= @nodejs_port %>;
+}
+
+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+server {
+ listen 443 ssl http2;
+ add_header Strict-Transport-Security "max-age=15768000";
+
+ server_name <%= @server_name %>;
+
+ access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log json;
+ error_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.error.log warn;
+
+ gzip on;
+
+ location / {
+ proxy_buffers 1024 8k; # Increase number of buffers. Default is 8
+ proxy_pass http://_<%= @app_name %>;
+ }
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+}
+<% end -%>
diff --git a/site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb b/site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb
new file mode 100644
index 0000000..a20fb92
--- /dev/null
+++ b/site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb
@@ -0,0 +1,17 @@
+[Unit]
+Description=Start nodejs app
+Requires=nginx.service
+After=nginx.service
+
+[Service]
+ExecStart=<%= @entry %>
+WorkingDirectory=<%= @app_dir %>
+User=<%= @user %>
+Group=<%= @group %>
+<% unless @environment.empty? -%>
+Environment=<% @environment.each do |key, value| -%>'<%= key %>=<%= value %>' <% end %>
+<% end -%>
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
From e62393e4438d4da648c325573dbb43056b8302b3 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Fri, 19 Apr 2019 18:52:44 +0100
Subject: [PATCH 02/12] Update cookbook README
---
site-cookbooks/kredits-github/README.md | 22 ++++++++++++++--------
1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/site-cookbooks/kredits-github/README.md b/site-cookbooks/kredits-github/README.md
index 39e43f5..37a7626 100644
--- a/site-cookbooks/kredits-github/README.md
+++ b/site-cookbooks/kredits-github/README.md
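Review bot: The `location /` block proxies with no `proxy_set_header`, so the node app sees `Host` as the upstream name and gets no `X-Forwarded-For`/`X-Forwarded-Proto`, which leaves its own logs without the real client address of each webhook delivery. Adding `proxy_set_header Host $host;`, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-Proto $scheme;` inside the location block keeps that information available when a delivery has to be traced later. The whole `server` block is also rendered only when both certificate files already exist, so on a first converge before certbot has run the enabled site contains just the upstream; that may be intended, but a one-line comment above the `<% if File.exist?` line saying so would save the next reader a puzzle.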
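Review bot: Passing `APP_ID` and `WEBHOOK_SECRET` through `Environment=` in the unit exposes them beyond the unit file itself: systemd.exec(5) states that environment variables set on a unit are handed out to unprivileged clients over D-Bus (`systemctl show <unit> -p Environment`), so the `mode '0640'` applied in PATCH 12/12 narrows who can read the file but not that path. An `EnvironmentFile=` pointing at a root-owned 0600 file — the approach of PATCH 09/12, reverted in 11/12 — is read by the manager rather than the service user and keeps the values out of the unit properties; on newer systemd, `LoadCredential=` is the purpose-built option. The quoting `'<%= key %>=<%= value %>'` also breaks for any value containing a single quote, which is one more reason to write the values to a file rather than inline.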
@@ -15,16 +15,22 @@ Attributes Default - ['sockethub']['port'] - Integer - The local port to run sockethub on - 10551 + ['kredits-github']['port'] + String + The local port that kredits-github is running on + 3000 - ['sockethub']['external_port'] - Integer - The external port to run sockethub on. This will also open the port on the firewall - 10550 + ['kredits-github']['revision'] + String + Git revision/branch to deploy + master + + + ['kredits-github']['domain'] + String + Domain name for requests to the app + kredits-github.kosmos.org
From f26edab7ad040472a5278c45a063a0fd85b9174c Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Sat, 20 Apr 2019 09:25:27 +0100
Subject: [PATCH 03/12] Fix nginx template
It refused to accept connections when the header directive was before the server_name one.
---
.../kredits-github/templates/default/nginx_conf.erb | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/site-cookbooks/kredits-github/templates/default/nginx_conf.erb b/site-cookbooks/kredits-github/templates/default/nginx_conf.erb
index 70aefb8..257de71 100644
--- a/site-cookbooks/kredits-github/templates/default/nginx_conf.erb
+++ b/site-cookbooks/kredits-github/templates/default/nginx_conf.erb
@@ -6,8 +6,6 @@ upstream _<%= @app_name %> {
 <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
 listen 443 ssl http2;
- add_header Strict-Transport-Security "max-age=15768000";
-
 server_name <%= @server_name %>;
 
 access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log json;
@@ -15,10 +13,12 @@ server {
 gzip on;
 
+ add_header Strict-Transport-Security "max-age=15768000";
+
 location / {
 proxy_buffers 1024 8k; # Increase number of buffers. Default is 8
 proxy_pass http://_<%= @app_name %>;
- }
+ }
 
 ssl_certificate <%= @ssl_cert %>;
 ssl_certificate_key <%= @ssl_key %>;
From 2658b90c5b7b2d00fb89516caffb4704cea3f955 Mon Sep 17 00:00:00 2001
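Review bot: The moved `add_header Strict-Transport-Security "max-age=15768000";` is still emitted without `always`, so nginx attaches it only to 2xx/3xx responses and any error status relayed from the upstream goes out without HSTS; `add_header Strict-Transport-Security "max-age=15768000" always;` covers every status. As far as I know directive order inside a `server` block is not significant to nginx, so I can't explain the refusal described in the message from the move alone; it may be worth re-verifying that the original failure was not caused by something else. The `- }` / `+ }` pair at the end is a whitespace-only change that would be clearer in its own commit.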
From: Sebastian Kippe
Date: Sat, 20 Apr 2019 09:34:37 +0100
Subject: [PATCH 04/12] Set log level to info
Now that everything works, we don't need detailed output for every GitHub payload anymore.
---
site-cookbooks/kredits-github/recipes/default.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site-cookbooks/kredits-github/recipes/default.rb b/site-cookbooks/kredits-github/recipes/default.rb
index 1512879..283a2b9 100644
--- a/site-cookbooks/kredits-github/recipes/default.rb
+++ b/site-cookbooks/kredits-github/recipes/default.rb
@@ -80,7 +80,7 @@ application path_to_deploy do
 app_dir: path_to_deploy,
 entry: "/usr/bin/node /usr/bin/npm start",
 environment: {
- 'LOG_LEVEL' => "debug",
+ 'LOG_LEVEL' => "info",
 'APP_ID' => credentials['app_id'],
 'PRIVATE_KEY_PATH' => "#{path_to_deploy}/github_app_key.pem",
 'WEBHOOK_SECRET' => credentials['webhook_secret'],
From 3b2a3bf3fa24027ca56e73b414b3980519d3f6d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 23 Apr 2019 10:33:31 +0200
Subject: [PATCH 05/12] Replace reference to sockethub, remove comment that's not relevant
---
site-cookbooks/kredits-github/README.md | 2 --
site-cookbooks/kredits-github/recipes/default.rb | 2 +-
2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/site-cookbooks/kredits-github/README.md b/site-cookbooks/kredits-github/README.md
index 37a7626..2bf8f4b 100644
--- a/site-cookbooks/kredits-github/README.md
+++ b/site-cookbooks/kredits-github/README.md
@@ -33,5 +33,3 @@ Attributes kredits-github.kosmos.org - -Right now the nginx vhost is hardcoded: sockethub.kosmos.org
diff --git a/site-cookbooks/kredits-github/recipes/default.rb b/site-cookbooks/kredits-github/recipes/default.rb
index 283a2b9..954c990 100644
--- a/site-cookbooks/kredits-github/recipes/default.rb
+++ b/site-cookbooks/kredits-github/recipes/default.rb
@@ -1,5 +1,5 @@
 #
-# Cookbook Name:: sockethub
+# Cookbook Name:: kredits-github
 # Recipe:: default
 #
 # The MIT License (MIT)
From 1d0f66adc4664da89370705cf3f79e37219fefec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 23 Apr 2019 11:25:16 +0200
Subject: [PATCH 06/12] Remove an unused dependency on the firewall cookbook
---
site-cookbooks/kredits-github/metadata.rb | 1 -
1 file changed, 1 deletion(-)
diff --git a/site-cookbooks/kredits-github/metadata.rb b/site-cookbooks/kredits-github/metadata.rb
index eb57f47..fdcf098 100644
--- a/site-cookbooks/kredits-github/metadata.rb
+++ b/site-cookbooks/kredits-github/metadata.rb
@@ -9,4 +9,3 @@ version '0.1.0'
 depends 'application_javascript'
 depends 'kosmos-nodejs'
 depends 'kosmos-nginx'
-depends 'firewall'
From fabbe398a2e50aa9aa459e27a1327053992187f6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 23 Apr 2019 11:28:23 +0200
Subject: [PATCH 07/12] Remove the nginx recipe inclusion and the dependency on nginx in the service
The nginx vhost should be set up after the app is deployed. The node app doesn't need nginx to run
---
site-cookbooks/kredits-github/recipes/default.rb | 1 -
.../kredits-github/templates/default/nodejs.systemd.service.erb | 2 --
2 files changed, 3 deletions(-)
diff --git a/site-cookbooks/kredits-github/recipes/default.rb b/site-cookbooks/kredits-github/recipes/default.rb
index 954c990..d452416 100644
--- a/site-cookbooks/kredits-github/recipes/default.rb
+++ b/site-cookbooks/kredits-github/recipes/default.rb
@@ -25,7 +25,6 @@
 # THE SOFTWARE.
 
 include_recipe 'kosmos-nodejs'
-include_recipe 'kredits-github::nginx'
 
 app_name = "kredits-github"
 deploy_user = "deploy"
diff --git a/site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb b/site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb
index a20fb92..68f7a05 100644
--- a/site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb
+++ b/site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb
@@ -1,7 +1,5 @@
 [Unit]
 Description=Start nodejs app
-Requires=nginx.service
-After=nginx.service
 
 [Service]
 ExecStart=<%= @entry %>
From 451d182ca92022e2aa3dc347cd25d1db4a6825d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 23 Apr 2019 11:30:59 +0200
Subject: [PATCH 08/12] Add kredits_github role for the node app and the nginx vhost
---
roles/kredits_github.rb | 6 ++++++
1 file changed, 6 insertions(+)
create mode 100644 roles/kredits_github.rb
diff --git a/roles/kredits_github.rb b/roles/kredits_github.rb
new file mode 100644
index 0000000..57f3d88
--- /dev/null
+++ b/roles/kredits_github.rb
@@ -0,0 +1,6 @@
+name "kredits_github"
+
+run_list %w(
+ kredits-github::default
+ kredits-github::nginx
+)
From 79023a65f24b86a3fd357a3db7d3cb60e34852a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 23 Apr 2019 11:40:33 +0200
Subject: [PATCH 09/12] Move the environment variables to an EnvironmentFile
---
.../kredits-github/recipes/default.rb | 24 ++++++++++++++-----
.../default/nodejs.systemd.service.erb | 4 +---
2 files changed, 19 insertions(+), 9 deletions(-)
diff --git a/site-cookbooks/kredits-github/recipes/default.rb b/site-cookbooks/kredits-github/recipes/default.rb
index d452416..a79626f 100644
--- a/site-cookbooks/kredits-github/recipes/default.rb
+++ b/site-cookbooks/kredits-github/recipes/default.rb
@@ -41,6 +41,7 @@ user deploy_user do
 end
 
 path_to_deploy = "/opt/#{app_name}"
+environment_file = "/home/deploy/.kredits-github_environment"
 application path_to_deploy do
 owner deploy_user
 group deploy_group
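Review bot: The new role runs `kredits-github::nginx` explicitly because PATCH 07/12 dropped the `include_recipe` from the default recipe, but `nodes/barnard.kosmos.org.json` (added in PATCH 01/12) still lists `"kredits-github"` directly in its run_list, so as far as this series shows that node would stop converging the nginx vhost. Its run_list should become `role[kredits_github]` unless the node file is updated outside this series. The role name `kredits_github` with an underscore against the `kredits-github` cookbook name is easy to mistype; a one-line comment in the role noting that the two spellings are deliberate would help.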
@@ -66,6 +67,22 @@ application path_to_deploy do
 owner deploy_user
 group deploy_group
 mode '0440'
+ sensitive true
+ end
+
+ env = {
+ 'LOG_LEVEL' => "info",
+ 'APP_ID' => credentials['app_id'],
+ 'PRIVATE_KEY_PATH' => "#{path_to_deploy}/github_app_key.pem",
+ 'WEBHOOK_SECRET' => credentials['webhook_secret'],
+ }
+
+ file environment_file do
+ content env.sort.map {|k, v| "#{k}=#{v}" }.join("\n")
+ owner deploy_user
+ owner deploy_group
+ mode '0440'
+ sensitive true
 end
 
 template "/lib/systemd/system/#{app_name}.service" do
@@ -78,12 +95,7 @@ application path_to_deploy do
 group: deploy_group,
 app_dir: path_to_deploy,
 entry: "/usr/bin/node /usr/bin/npm start",
- environment: {
- 'LOG_LEVEL' => "info",
- 'APP_ID' => credentials['app_id'],
- 'PRIVATE_KEY_PATH' => "#{path_to_deploy}/github_app_key.pem",
- 'WEBHOOK_SECRET' => credentials['webhook_secret'],
- }
+ environment_file: environment_file
 )
 notifies :run, "execute[systemctl daemon-reload]", :delayed
 notifies :restart, "service[#{app_name}]", :delayed
diff --git a/site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb b/site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb
index 68f7a05..fb11e4b 100644
--- a/site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb
+++ b/site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb
@@ -6,9 +6,7 @@ ExecStart=<%= @entry %>
 WorkingDirectory=<%= @app_dir %>
 User=<%= @user %>
 Group=<%= @group %>
-<% unless @environment.empty? -%>
-Environment=<% @environment.each do |key, value| -%>'<%= key %>=<%= value %>' <% end %>
-<% end -%>
+EnvironmentFile=<%= @environment_file %>
 Restart=always
 
 [Install]
From ecf5870195669a2e6d01eeaa4b93c215e77cdc79 Mon Sep 17 00:00:00 2001
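Review bot: In `file environment_file do`, the line `owner deploy_group` directly after `owner deploy_user` is a typo for `group deploy_group`, so the file's group is never set (the second `owner` merely repeats the first, as both variables hold "deploy"). `environment_file = "/home/deploy/.kredits-github_environment"` in the previous hunk also hard-codes the home directory instead of deriving it from `deploy_user`, and `env.sort.map {|k, v| "#{k}=#{v}" }` writes the values unquoted, so a secret containing a newline or `#` would corrupt the file. This commit is reverted in PATCH 11/12, but an `EnvironmentFile` is the better home for these secrets, so these are worth fixing if it is reintroduced. The enclosing `application` block starts and ends outside the hunk.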
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 23 Apr 2019 11:41:12 +0200
Subject: [PATCH 10/12] Only add the Let's Encrypt set up when not in the dev environment
---
site-cookbooks/kredits-github/recipes/nginx.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site-cookbooks/kredits-github/recipes/nginx.rb b/site-cookbooks/kredits-github/recipes/nginx.rb
index 54b576a..1ebec48 100644
--- a/site-cookbooks/kredits-github/recipes/nginx.rb
+++ b/site-cookbooks/kredits-github/recipes/nginx.rb
@@ -43,4 +43,4 @@ nginx_site server_name do
 action :enable
 end
 
-nginx_certbot_site server_name
+nginx_certbot_site server_name unless node.chef_environment == "development"
From f5051d63522a04b6d452997f2da4ab7ccbab549c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 23 Apr 2019 14:12:16 +0200
Subject: [PATCH 11/12] Revert "Move the environment variables to an EnvironmentFile"
This reverts commit 79023a65f24b86a3fd357a3db7d3cb60e34852a9.
---
.../kredits-github/recipes/default.rb | 24 +++++--------------
.../default/nodejs.systemd.service.erb | 4 +++-
2 files changed, 9 insertions(+), 19 deletions(-)
diff --git a/site-cookbooks/kredits-github/recipes/default.rb b/site-cookbooks/kredits-github/recipes/default.rb
index a79626f..d452416 100644
--- a/site-cookbooks/kredits-github/recipes/default.rb
+++ b/site-cookbooks/kredits-github/recipes/default.rb
@@ -41,7 +41,6 @@ user deploy_user do
 end
 
 path_to_deploy = "/opt/#{app_name}"
-environment_file = "/home/deploy/.kredits-github_environment"
 application path_to_deploy do
 owner deploy_user
 group deploy_group
@@ -67,22 +66,6 @@ application path_to_deploy do
 owner deploy_user
 group deploy_group
 mode '0440'
- sensitive true
- end
-
- env = {
- 'LOG_LEVEL' => "info",
- 'APP_ID' => credentials['app_id'],
- 'PRIVATE_KEY_PATH' => "#{path_to_deploy}/github_app_key.pem",
- 'WEBHOOK_SECRET' => credentials['webhook_secret'],
- }
-
- file environment_file do
- content env.sort.map {|k, v| "#{k}=#{v}" }.join("\n")
- owner deploy_user
- owner deploy_group
- mode '0440'
- sensitive true
 end
 
 template "/lib/systemd/system/#{app_name}.service" do
@@ -95,7 +78,12 @@ application path_to_deploy do
 group: deploy_group,
 app_dir: path_to_deploy,
 entry: "/usr/bin/node /usr/bin/npm start",
- environment_file: environment_file
+ environment: {
+ 'LOG_LEVEL' => "info",
+ 'APP_ID' => credentials['app_id'],
+ 'PRIVATE_KEY_PATH' => "#{path_to_deploy}/github_app_key.pem",
+ 'WEBHOOK_SECRET' => credentials['webhook_secret'],
+ }
 )
 notifies :run, "execute[systemctl daemon-reload]", :delayed
 notifies :restart, "service[#{app_name}]", :delayed
diff --git a/site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb b/site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb
index fb11e4b..68f7a05 100644
--- a/site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb
+++ b/site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb
@@ -6,7 +6,9 @@ ExecStart=<%= @entry %>
 WorkingDirectory=<%= @app_dir %>
 User=<%= @user %>
 Group=<%= @group %>
-EnvironmentFile=<%= @environment_file %>
+<% unless @environment.empty? -%>
+Environment=<% @environment.each do |key, value| -%>'<%= key %>=<%= value %>' <% end %>
+<% end -%>
 Restart=always
 
 [Install]
From 2cf611279bad5725094f3ec5a716ac66f730f8b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 23 Apr 2019 14:12:55 +0200
Subject: [PATCH 12/12] Make the systemd unit for kredits-github not world readable
This way the environment variables are kept secret. Only root can read `/proc/$ID/environ`
---
site-cookbooks/kredits-github/recipes/default.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site-cookbooks/kredits-github/recipes/default.rb b/site-cookbooks/kredits-github/recipes/default.rb
index d452416..5412cf5 100644
--- a/site-cookbooks/kredits-github/recipes/default.rb
+++ b/site-cookbooks/kredits-github/recipes/default.rb
@@ -72,7 +72,7 @@ application path_to_deploy do
 source 'nodejs.systemd.service.erb'
 owner 'root'
 group 'root'
- mode '0644'
+ mode '0640'
 variables(
 user: deploy_user,
 group: deploy_group,