diff --git a/.gitmodules b/.gitmodules
index 3f36f91..4c37523 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -10,3 +10,6 @@
 [submodule "site-cookbooks/deno"]
 path = site-cookbooks/deno
 url = git@gitea.kosmos.org:kosmos/deno-cookbook.git
+[submodule "site-cookbooks/blossom"]
+ path = site-cookbooks/blossom
+ url = git@gitea.kosmos.org:kosmos/blossom-cookbook.git
diff --git a/data_bags/credentials/blossom.json b/data_bags/credentials/blossom.json
new file mode 100644
index 0000000..e3f8365
--- /dev/null
+++ b/data_bags/credentials/blossom.json
@@ -0,0 +1,24 @@
+{
+ "id": "blossom",
+ "admin_password": {
+ "encrypted_data": "Gd6AzFmySL0p+xo1PnRn9p4Fwge1m3CQj+NRLIUD8P9u1C8=\n",
+ "iv": "l6KVzF9xEEBRRAmh\n",
+ "auth_tag": "P791KMh9TxuHiWJpDKxWQA==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "s3_access_key": {
+ "encrypted_data": "S8jB2LDQOxI/p5ugggW1Sk50TS9TJe9sLv04O/VD9/v22SSM7J6ETomTA+Hd\n",
+ "iv": "dUIIZbdAT9q72ioX\n",
+ "auth_tag": "+5fCNOuTE/+FqdV6rDNbkw==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "s3_secret_key": {
+ "encrypted_data": "soT63l2frBJDNmHetXmEPvNYBsTpvTyR95FA2rxuZXvVE7hMj21La8/0Amk7\nv+mHOBUMaGG9BTLN0tVFkL0+lGPXdZJTbtDHgluk5l6lLPyc8KY=\n",
+ "iv": "RuXs2pL9C/wpwJ/w\n",
+ "auth_tag": "nu7dE2udTkxaUZCR42h09w==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ }
+}
\ No newline at end of file
diff --git a/environments/production.json b/environments/production.json
index 6a8bd1c..9a3e2cb 100644
--- a/environments/production.json
+++ b/environments/production.json
@@ -18,6 +18,16 @@
 "relay_url": "wss://nostr.kosmos.org"
 }
 },
+ "blossom": {
+ "domain": "blossom.kosmos.org",
+ "storage": {
+ "s3": {
+ "endpoint": "s3.kosmos.org",
+ "region": "garage",
+ "bucket": "blossom"
+ }
+ }
+ },
 "discourse": {
 "domain": "community.kosmos.org"
 },
diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json
index 2a12862..8ae21b4 100644
--- a/nodes/draco.kosmos.org.json
+++ b/nodes/draco.kosmos.org.json
@@ -46,6 +46,7 @@
 "kosmos_garage::default",
 "kosmos_garage::firewall_rpc",
 "kosmos_assets::nginx_site",
+ "kosmos_blossom::nginx",
 "kosmos_discourse::nginx",
 "kosmos_drone::nginx",
 "kosmos_garage::nginx_web",
@@ -112,13 +113,13 @@
 "cloud": null,
 "chef_packages": {
 "chef": {
- "version": "18.2.7",
- "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib",
+ "version": "18.10.17",
+ "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
 "chef_effortless": null
 },
 "ohai": {
- "version": "18.1.4",
- "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+ "version": "18.2.13",
+ "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
 }
 }
 },
diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json
index 5932a0a..a57af22 100644
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@@ -39,6 +39,7 @@
 "kosmos_garage::default",
 "kosmos_garage::firewall_rpc",
 "kosmos_assets::nginx_site",
+ "kosmos_blossom::nginx",
 "kosmos_discourse::nginx",
 "kosmos_drone::nginx",
 "kosmos_garage::nginx_web",
@@ -105,13 +106,13 @@
 "cloud": null,
 "chef_packages": {
 "chef": {
- "version": "18.2.7",
- "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib",
+ "version": "18.10.17",
+ "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
 "chef_effortless": null
 },
 "ohai": {
- "version": "18.1.4",
- "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+ "version": "18.2.13",
+ "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
 }
 }
 },
diff --git a/nodes/strfry-1.json b/nodes/strfry-1.json
index 3118b9d..1e9de13 100644
--- a/nodes/strfry-1.json
+++ b/nodes/strfry-1.json
@@ -16,7 +16,8 @@
 "base",
 "kvm_guest",
 "strfry",
- "ldap_client"
+ "ldap_client",
+ "blossom"
 ],
 "recipes": [
 "kosmos-base",
@@ -28,6 +29,8 @@
 "kosmos_strfry::policies",
 "kosmos_strfry::firewall",
 "kosmos_strfry::substr",
+ "kosmos_blossom",
+ "kosmos_blossom::default",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
@@ -43,7 +46,8 @@
 "postfix::_attributes",
 "postfix::sasl_auth",
 "hostname::default",
- "deno::default"
+ "deno::default",
+ "blossom::default"
 ],
 "platform": "ubuntu",
 "platform_version": "22.04",
@@ -63,6 +67,7 @@
 "run_list": [
 "role[base]",
 "role[kvm_guest]",
- "role[strfry]"
+ "role[strfry]",
+ "role[blossom]"
 ]
 }
diff --git a/roles/blossom.rb b/roles/blossom.rb
new file mode 100644
index 0000000..687c3fc
--- /dev/null
+++ b/roles/blossom.rb
@@ -0,0 +1,15 @@
+name "blossom"
+
+override_attributes(
+ "blossom" => {
+ "allowed_pubkeys" => [
+ "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
+ "1f79058c77a224e5be226c8f024cacdad4d741855d75ed9f11473ba8eb86e1cb",
+ "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3"
+ ]
+ },
+)
+
+run_list %w(
+ kosmos_blossom::default
+)
diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb
index 1721a4e..42a3ff2 100644
--- a/roles/openresty_proxy.rb
+++ b/roles/openresty_proxy.rb
@@ -19,6 +19,7 @@ production_run_list = %w(
 role[openresty]
 role[garage_gateway]
 kosmos_assets::nginx_site
+ kosmos_blossom::nginx
 kosmos_discourse::nginx
 kosmos_drone::nginx
 kosmos_garage::nginx_web
diff --git a/site-cookbooks/blossom b/site-cookbooks/blossom
new file mode 160000
index 0000000..1407dc1
--- /dev/null
+++ b/site-cookbooks/blossom
@@ -0,0 +1 @@
+Subproject commit 1407dc16e571502d4f165d1e0482faa59b95f61a
diff --git a/site-cookbooks/deno b/site-cookbooks/deno
index 92839b2..3795c9e 160000
--- a/site-cookbooks/deno
+++ b/site-cookbooks/deno
@@ -1 +1 @@
-Subproject commit 92839b20a4c3b0a15b99bd86ea7cae16645570a6
+Subproject commit 3795c9e67247ce7f29187656aff460d75cff64da
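Review bot: The three `allowed_pubkeys` entries in `roles/blossom.rb` carry no indication of whose keys they are or when they were added, so a later reviewer cannot tell whether removing or replacing one is safe; a trailing comment per entry such as `# <owner or purpose> — added <date>` makes the allowlist reviewable and key rotation auditable. Because the role uses `override_attributes`, this list also silently wins over anything the blossom cookbook or the environment sets for `allowed_pubkeys`, which is worth a one-line comment stating that it is intended.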
diff --git a/site-cookbooks/kosmos_blossom/attributes/default.rb b/site-cookbooks/kosmos_blossom/attributes/default.rb
new file mode 100644
index 0000000..b37838e
--- /dev/null
+++ b/site-cookbooks/kosmos_blossom/attributes/default.rb
@@ -0,0 +1 @@
+# No attributes here, use the blossom cookbook's attributes
diff --git a/site-cookbooks/kosmos_blossom/metadata.rb b/site-cookbooks/kosmos_blossom/metadata.rb
new file mode 100644
index 0000000..b2b5a3e
--- /dev/null
+++ b/site-cookbooks/kosmos_blossom/metadata.rb
@@ -0,0 +1,6 @@
+name 'kosmos_blossom'
+description 'Configures Blossom server for Kosmos infrastructure'
+version '0.1.0'
+depends 'blossom'
+depends 'kosmos-base'
+depends 'kosmos_openresty'
diff --git a/site-cookbooks/kosmos_blossom/recipes/default.rb b/site-cookbooks/kosmos_blossom/recipes/default.rb
new file mode 100644
index 0000000..5739767
--- /dev/null
+++ b/site-cookbooks/kosmos_blossom/recipes/default.rb
@@ -0,0 +1,28 @@
+#
+# Cookbook Name:: kosmos_blossom
+# Recipe:: default
+#
+
+credentials = Chef::EncryptedDataBagItem.load('credentials', 'blossom')
+
+node.default['blossom']['storage']['backend'] = 's3'
+node.default['blossom']['storage']['s3']['access_key'] = credentials['s3_access_key']
+node.default['blossom']['storage']['s3']['secret_key'] = credentials['s3_secret_key']
+
+node.default['blossom']['dashboard']['enabled'] = true
+node.default['blossom']['dashboard']['username'] = credentials['admin_username'] || 'admin'
+node.default['blossom']['dashboard']['password'] = credentials['admin_password']
+
+node.default['blossom']['landing']['title'] = 'Kosmos Blossom Server'
+
+node.default['blossom']['repo_url'] = 'https://github.com/67P/blossom-server.git'
+node.default['blossom']['revision'] = 'master'
+
+include_recipe 'blossom::default'
+
+firewall_rule 'blossom' do
+ port node['blossom']['port']
+ source '10.1.1.0/24'
+ protocol :tcp
+ command :allow
+end
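Review bot: `node.default['blossom']['revision'] = 'master'` in `recipes/default.rb` deploys whatever that branch points at when the client runs, so a push to the upstream repository changes what runs on the node without any change here; pin a tag or commit, e.g. `node.default['blossom']['revision'] = '<pinned tag or commit>'`, and bump it deliberately. The `credentials['admin_username'] || 'admin'` fallback is always taken, because the `credentials/blossom` data bag item added in this commit has no `admin_username` entry, so either add that entry or drop the lookup rather than imply the username is configurable. The decrypted S3 keys and dashboard password are also copied into `node.default` attributes; if knife-zero saves the node object back into `nodes/*.json`, confirm those attributes are not persisted there in plaintext (Chef's `node.run_state` exists for values that must not be saved with the node, if the blossom cookbook can read from it).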
diff --git a/site-cookbooks/kosmos_blossom/recipes/nginx.rb b/site-cookbooks/kosmos_blossom/recipes/nginx.rb
new file mode 100644
index 0000000..85c83c1
--- /dev/null
+++ b/site-cookbooks/kosmos_blossom/recipes/nginx.rb
@@ -0,0 +1,28 @@
+#
+# Cookbook Name:: kosmos_blossom
+# Recipe:: nginx
+#
+
+domain = node['blossom']['domain']
+
+blossom_node = search(:node, 'role:blossom').first
+
+if blossom_node.nil?
+ Chef::Log.warn("No node found with 'blossom' role. Not configuring nginx site.")
+ return
+end
+
+tls_cert_for domain do
+ auth 'gandi_dns'
+ action :create
+end
+
+openresty_site domain do
+ template 'nginx_conf_blossom.erb'
+ variables domain: domain,
+ upstream_host: blossom_node['knife_zero']['host'],
+ upstream_port: node['blossom']['port'],
+ max_size_mb: node['blossom']['max_size'] / 1024 / 1024,
+ ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+end
diff --git a/site-cookbooks/kosmos_blossom/templates/default/nginx_conf_blossom.erb b/site-cookbooks/kosmos_blossom/templates/default/nginx_conf_blossom.erb
new file mode 100644
index 0000000..d76af4c
--- /dev/null
+++ b/site-cookbooks/kosmos_blossom/templates/default/nginx_conf_blossom.erb
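Review bot: `max_size_mb: node['blossom']['max_size'] / 1024 / 1024` is integer division, so any `max_size` below 1 MiB renders as `client_max_body_size 0M` in the template, and a value of 0 disables nginx's body-size limit altogether instead of tightening it. Pass the byte value through and let the template emit it unscaled, `max_size: node['blossom']['max_size'],` with `client_max_body_size <%= @max_size %>;` (nginx accepts plain byte counts), or round up with `(node['blossom']['max_size'] + 1024 * 1024 - 1) / 1024 / 1024`. `max_size` comes from the blossom cookbook's attributes, which are outside this diff, so whether the current default can hit this is not visible here. `search(:node, 'role:blossom').first` also picks an arbitrary node when more than one carries the role; if a single upstream is intended, warn when the search returns more than one hit.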
@@ -0,0 +1,26 @@
+upstream _blossom {
+ server <%= @upstream_host %>:<%= @upstream_port %>;
+}
+
+server {
+ server_name <%= @domain %>;
+ listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+ listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+
+ access_log "/var/log/nginx/<%= @domain %>.access.log";
+ error_log "/var/log/nginx/<%= @domain %>.error.log";
+
+ client_max_body_size <%= @max_size_mb %>M;
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://_blossom;
+ proxy_http_version 1.1;
+ }
+}
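Review bot: The IPv6 `listen` line renders unconditionally while the IPv4 line is guarded by `if node['openresty']['listen_ip']`; with `listen_ipv6` unset it becomes `listen []:443 ssl http2;`, which nginx rejects at config test and thereby blocks the reload for every site on the proxy. Mirror the guard, `<% if node['openresty']['listen_ipv6'] %>listen [<%= node['openresty']['listen_ipv6'] %>]:443 ssl http2;<% end %>`, or state in a comment at the top of the template that `listen_ipv6` is required on proxy nodes. Whether the other kosmos site templates in this repository follow the same unguarded pattern is not visible from this diff.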