Set up Blossom server on blossom.kosmos.org

2026-04-18 14:28:18 +04:00
parent 36e9ea8a01
commit f8ce544452
15 changed files with 162 additions and 12 deletions
--- a/site-cookbooks/blossom
+++ b/site-cookbooks/blossom
--- a/site-cookbooks/deno
+++ b/site-cookbooks/deno
--- a/site-cookbooks/kosmos_blossom/attributes/default.rb
+++ b/site-cookbooks/kosmos_blossom/attributes/default.rb
@@ -0,0 +1 @@
+# No attributes here, use the blossom cookbook's attributes
--- a/site-cookbooks/kosmos_blossom/metadata.rb
+++ b/site-cookbooks/kosmos_blossom/metadata.rb
@@ -0,0 +1,6 @@
+name 'kosmos_blossom'
+description 'Configures Blossom server for Kosmos infrastructure'
+version '0.1.0'
+depends 'blossom'
+depends 'kosmos-base'
+depends 'kosmos_openresty'
--- a/site-cookbooks/kosmos_blossom/recipes/default.rb
+++ b/site-cookbooks/kosmos_blossom/recipes/default.rb
@@ -0,0 +1,28 @@
+#
+# Cookbook Name:: kosmos_blossom
+# Recipe:: default
+#
+
+credentials = Chef::EncryptedDataBagItem.load('credentials', 'blossom')
+
+node.default['blossom']['storage']['backend'] = 's3'
+node.default['blossom']['storage']['s3']['access_key'] = credentials['s3_access_key']
+node.default['blossom']['storage']['s3']['secret_key'] = credentials['s3_secret_key']
+
+node.default['blossom']['dashboard']['enabled'] = true
+node.default['blossom']['dashboard']['username'] = credentials['admin_username'] || 'admin'
+node.default['blossom']['dashboard']['password'] = credentials['admin_password']
+
+node.default['blossom']['landing']['title'] = 'Kosmos Blossom Server'
+
+node.default['blossom']['repo_url'] = 'https://github.com/67P/blossom-server.git'
+node.default['blossom']['revision'] = 'master'
+
+include_recipe 'blossom::default'
+
+firewall_rule 'blossom' do
+  port     node['blossom']['port']
+  source   '10.1.1.0/24'
+  protocol :tcp
+  command  :allow
+end
--- a/site-cookbooks/kosmos_blossom/recipes/nginx.rb
+++ b/site-cookbooks/kosmos_blossom/recipes/nginx.rb
@@ -0,0 +1,28 @@
+#
+# Cookbook Name:: kosmos_blossom
+# Recipe:: nginx
+#
+
+domain = node['blossom']['domain']
+
+blossom_node = search(:node, 'role:blossom').first
+
+if blossom_node.nil?
+  Chef::Log.warn("No node found with 'blossom' role. Not configuring nginx site.")
+  return
+end
+
+tls_cert_for domain do
+  auth 'gandi_dns'
+  action :create
+end
+
+openresty_site domain do
+  template 'nginx_conf_blossom.erb'
+  variables domain: domain,
+            upstream_host: blossom_node['knife_zero']['host'],
+            upstream_port: node['blossom']['port'],
+            max_size_mb: node['blossom']['max_size'] / 1024 / 1024,
+            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+end
--- a/site-cookbooks/kosmos_blossom/templates/default/nginx_conf_blossom.erb
+++ b/site-cookbooks/kosmos_blossom/templates/default/nginx_conf_blossom.erb
@@ -0,0 +1,26 @@
+upstream _blossom {
+  server <%= @upstream_host %>:<%= @upstream_port %>;
+}
+
+server {
+  server_name <%= @domain %>;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+
+  access_log "/var/log/nginx/<%= @domain %>.access.log";
+  error_log "/var/log/nginx/<%= @domain %>.error.log";
+
+  client_max_body_size <%= @max_size_mb %>M;
+
+  ssl_certificate <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  location / {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_pass http://_blossom;
+    proxy_http_version 1.1;
+  }
+}
				`@@ -0,0 +1 @@`
				`# No attributes here, use the blossom cookbook's attributes`