Set up Blossom server on blossom.kosmos.org

.gitmodules

@@ -10,3 +10,6 @@
 [submodule "site-cookbooks/deno"]
 	path = site-cookbooks/deno
 	url = git@gitea.kosmos.org:kosmos/deno-cookbook.git
+[submodule "site-cookbooks/blossom"]
+	path = site-cookbooks/blossom
+	url = git@gitea.kosmos.org:kosmos/blossom-cookbook.git

data_bags/credentials/blossom.json

@@ -0,0 +1,24 @@
+{
+  "id": "blossom",
+  "admin_password": {
+    "encrypted_data": "Gd6AzFmySL0p+xo1PnRn9p4Fwge1m3CQj+NRLIUD8P9u1C8=\n",
+    "iv": "l6KVzF9xEEBRRAmh\n",
+    "auth_tag": "P791KMh9TxuHiWJpDKxWQA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_access_key": {
+    "encrypted_data": "S8jB2LDQOxI/p5ugggW1Sk50TS9TJe9sLv04O/VD9/v22SSM7J6ETomTA+Hd\n",
+    "iv": "dUIIZbdAT9q72ioX\n",
+    "auth_tag": "+5fCNOuTE/+FqdV6rDNbkw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "s3_secret_key": {
+    "encrypted_data": "soT63l2frBJDNmHetXmEPvNYBsTpvTyR95FA2rxuZXvVE7hMj21La8/0Amk7\nv+mHOBUMaGG9BTLN0tVFkL0+lGPXdZJTbtDHgluk5l6lLPyc8KY=\n",
+    "iv": "RuXs2pL9C/wpwJ/w\n",
+    "auth_tag": "nu7dE2udTkxaUZCR42h09w==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}

environments/production.json

@@ -18,6 +18,16 @@
         "relay_url": "wss://nostr.kosmos.org"
       }
     },
+    "blossom": {
+      "domain": "blossom.kosmos.org",
+      "storage": {
+        "s3": {
+          "endpoint": "s3.kosmos.org",
+          "region": "garage",
+          "bucket": "blossom"
+        }
+      }
+    },
     "discourse": {
       "domain": "community.kosmos.org"
     },

nodes/draco.kosmos.org.json

@@ -46,6 +46,7 @@
       "kosmos_garage::default",
       "kosmos_garage::firewall_rpc",
       "kosmos_assets::nginx_site",
+      "kosmos_blossom::nginx",
       "kosmos_discourse::nginx",
       "kosmos_drone::nginx",
       "kosmos_garage::nginx_web",
@@ -112,13 +113,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.2.7",
+        "version": "18.10.17",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.4",
+        "version": "18.2.13",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
       }
     }
   },

nodes/fornax.kosmos.org.json

@@ -39,6 +39,7 @@
       "kosmos_garage::default",
       "kosmos_garage::firewall_rpc",
       "kosmos_assets::nginx_site",
+      "kosmos_blossom::nginx",
       "kosmos_discourse::nginx",
       "kosmos_drone::nginx",
       "kosmos_garage::nginx_web",
@@ -105,13 +106,13 @@
     "cloud": null,
     "chef_packages": {
       "chef": {
-        "version": "18.2.7",
+        "version": "18.10.17",
-        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.10.17/lib",
         "chef_effortless": null
       },
       "ohai": {
-        "version": "18.1.4",
+        "version": "18.2.13",
-        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.2.13/lib/ohai"
       }
     }
   },

nodes/strfry-1.json

@@ -16,7 +16,8 @@
       "base",
       "kvm_guest",
       "strfry",
-      "ldap_client"
+      "ldap_client",
+      "blossom"
     ],
     "recipes": [
       "kosmos-base",
@@ -28,6 +29,8 @@
       "kosmos_strfry::policies",
       "kosmos_strfry::firewall",
       "kosmos_strfry::substr",
+      "kosmos_blossom",
+      "kosmos_blossom::default",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -43,7 +46,8 @@
       "postfix::_attributes",
       "postfix::sasl_auth",
       "hostname::default",
-      "deno::default"
+      "deno::default",
+      "blossom::default"
     ],
     "platform": "ubuntu",
     "platform_version": "22.04",
@@ -63,6 +67,7 @@
   "run_list": [
     "role[base]",
     "role[kvm_guest]",
-    "role[strfry]"
+    "role[strfry]",
+    "role[blossom]"
   ]
 }

roles/blossom.rb

@@ -0,0 +1,15 @@
+name "blossom"
+
+override_attributes(
+  "blossom" => {
+    "allowed_pubkeys" => [
+      "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
+      "1f79058c77a224e5be226c8f024cacdad4d741855d75ed9f11473ba8eb86e1cb",
+      "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3"
+    ]
+  },
+)
+
+run_list %w(
+  kosmos_blossom::default
+)

roles/openresty_proxy.rb

@@ -19,6 +19,7 @@ production_run_list = %w(
   role[openresty]
   role[garage_gateway]
   kosmos_assets::nginx_site
+  kosmos_blossom::nginx
   kosmos_discourse::nginx
   kosmos_drone::nginx
   kosmos_garage::nginx_web

site-cookbooks/kosmos_blossom/attributes/default.rb

@@ -0,0 +1 @@
+# No attributes here, use the blossom cookbook's attributes

site-cookbooks/kosmos_blossom/metadata.rb

@@ -0,0 +1,6 @@
+name 'kosmos_blossom'
+description 'Configures Blossom server for Kosmos infrastructure'
+version '0.1.0'
+depends 'blossom'
+depends 'kosmos-base'
+depends 'kosmos_openresty'

site-cookbooks/kosmos_blossom/recipes/default.rb

@@ -0,0 +1,28 @@
+#
+# Cookbook Name:: kosmos_blossom
+# Recipe:: default
+#
+
+credentials = Chef::EncryptedDataBagItem.load('credentials', 'blossom')
+
+node.default['blossom']['storage']['backend'] = 's3'
+node.default['blossom']['storage']['s3']['access_key'] = credentials['s3_access_key']
+node.default['blossom']['storage']['s3']['secret_key'] = credentials['s3_secret_key']
+
+node.default['blossom']['dashboard']['enabled'] = true
+node.default['blossom']['dashboard']['username'] = credentials['admin_username'] || 'admin'
+node.default['blossom']['dashboard']['password'] = credentials['admin_password']
+
+node.default['blossom']['landing']['title'] = 'Kosmos Blossom Server'
+
+node.default['blossom']['repo_url'] = 'https://github.com/67P/blossom-server.git'
+node.default['blossom']['revision'] = 'master'
+
+include_recipe 'blossom::default'
+
+firewall_rule 'blossom' do
+  port     node['blossom']['port']
+  source   '10.1.1.0/24'
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos_blossom/recipes/nginx.rb

@@ -0,0 +1,28 @@
+#
+# Cookbook Name:: kosmos_blossom
+# Recipe:: nginx
+#
+
+domain = node['blossom']['domain']
+
+blossom_node = search(:node, 'role:blossom').first
+
+if blossom_node.nil?
+  Chef::Log.warn("No node found with 'blossom' role. Not configuring nginx site.")
+  return
+end
+
+tls_cert_for domain do
+  auth 'gandi_dns'
+  action :create
+end
+
+openresty_site domain do
+  template 'nginx_conf_blossom.erb'
+  variables domain: domain,
+            upstream_host: blossom_node['knife_zero']['host'],
+            upstream_port: node['blossom']['port'],
+            max_size_mb: node['blossom']['max_size'] / 1024 / 1024,
+            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+end

site-cookbooks/kosmos_blossom/templates/default/nginx_conf_blossom.erb

@@ -0,0 +1,26 @@
+upstream _blossom {
+  server <%= @upstream_host %>:<%= @upstream_port %>;
+}
+
+server {
+  server_name <%= @domain %>;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen <%= "[#{node['openresty']['listen_ipv6']}]" %>:443 ssl http2;
+
+  access_log "/var/log/nginx/<%= @domain %>.access.log";
+  error_log "/var/log/nginx/<%= @domain %>.error.log";
+
+  client_max_body_size <%= @max_size_mb %>M;
+
+  ssl_certificate <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  location / {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_pass http://_blossom;
+    proxy_http_version 1.1;
+  }
+}