Compare commits
11 Commits
0ffddb9d0f
...
483481b141
| Author | SHA1 | Date | |
|---|---|---|---|
| 483481b141 | |||
|
e00d6c3a86 | ||
|
|
383a46676e | ||
|
|
eed27713ff | ||
|
|
b5e7e4ab85 | ||
|
|
7c2aae6650 | ||
|
|
d135b3873c | ||
|
|
e9c86081f7 | ||
|
|
b8ac5e1c07 | ||
|
|
43736cd8e9 | ||
|
|
29a5947d18 |
@@ -34,6 +34,7 @@
|
||||
"kosmos_kvm::host",
|
||||
"kosmos-ejabberd::firewall",
|
||||
"kosmos_zerotier::firewall",
|
||||
"sockethub::_firewall",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
@@ -85,6 +86,7 @@
|
||||
"recipe[kosmos_assets::nginx_site]",
|
||||
"recipe[kosmos_kvm::host]",
|
||||
"recipe[kosmos-ejabberd::firewall]",
|
||||
"recipe[kosmos_zerotier::firewall]"
|
||||
"recipe[kosmos_zerotier::firewall]",
|
||||
"recipe[sockethub::_firewall]"
|
||||
]
|
||||
}
|
||||
@@ -12,7 +12,8 @@
|
||||
"hostname": "nodejs-2",
|
||||
"ipaddress": "192.168.122.243",
|
||||
"roles": [
|
||||
"kredits_github"
|
||||
"kredits_github",
|
||||
"sockethub"
|
||||
],
|
||||
"recipes": [
|
||||
"kosmos-base",
|
||||
@@ -21,6 +22,9 @@
|
||||
"kredits-github",
|
||||
"kredits-github::default",
|
||||
"kredits-github::nginx",
|
||||
"sockethub",
|
||||
"sockethub::default",
|
||||
"sockethub::proxy",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
@@ -51,6 +55,14 @@
|
||||
"nginx::commons_script",
|
||||
"nginx::commons_conf",
|
||||
"kosmos-nginx::firewall",
|
||||
"kosmos-redis::default",
|
||||
"redis::server",
|
||||
"redis::default",
|
||||
"backup::default",
|
||||
"logrotate::default",
|
||||
"nodejs::npm",
|
||||
"nodejs::install",
|
||||
"sockethub::_firewall",
|
||||
"kosmos-base::letsencrypt"
|
||||
],
|
||||
"platform": "ubuntu",
|
||||
@@ -70,6 +82,7 @@
|
||||
"run_list": [
|
||||
"recipe[kosmos-base]",
|
||||
"recipe[kosmos-hubot::wormhole]",
|
||||
"role[kredits_github]"
|
||||
"role[kredits_github]",
|
||||
"role[sockethub]"
|
||||
]
|
||||
}
|
||||
6
roles/sockethub.rb
Normal file
6
roles/sockethub.rb
Normal file
@@ -0,0 +1,6 @@
|
||||
name "sockethub"
|
||||
|
||||
run_list %w(
|
||||
sockethub::default
|
||||
sockethub::proxy
|
||||
)
|
||||
@@ -1,4 +1,5 @@
|
||||
node.default['sockethub']['port'] = '10551'
|
||||
node.default['sockethub']['external_port'] = '10550'
|
||||
node.default['sockethub']['revision'] = 'v3.0.1'
|
||||
node.default['sockethub']['version'] = '4.0.1'
|
||||
node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org'
|
||||
node.default['sockethub']['debug_logs'] = 'sockethub*'
|
||||
|
||||
@@ -4,9 +4,8 @@ maintainer_email 'mail@kosmos.org'
|
||||
license 'MIT'
|
||||
description 'Installs/Configures sockethub'
|
||||
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
|
||||
version '0.1.1'
|
||||
version '0.2.0'
|
||||
|
||||
depends 'application_javascript'
|
||||
depends 'kosmos-redis'
|
||||
depends 'kosmos-nodejs'
|
||||
depends 'kosmos-nginx'
|
||||
|
||||
@@ -27,11 +27,15 @@
|
||||
include_recipe 'kosmos-nodejs'
|
||||
include_recipe 'kosmos-redis'
|
||||
|
||||
group "sockethub" do
|
||||
user = "sockethub"
|
||||
group = "sockethub"
|
||||
entry = "/usr/bin/sockethub"
|
||||
|
||||
group group do
|
||||
gid 7625
|
||||
end
|
||||
|
||||
user "sockethub" do
|
||||
user user do
|
||||
comment "sockethub user"
|
||||
uid 7625
|
||||
gid 7625
|
||||
@@ -39,47 +43,43 @@ user "sockethub" do
|
||||
shell "/bin/bash"
|
||||
end
|
||||
|
||||
path_to_deploy = "/opt/sockethub"
|
||||
application path_to_deploy do
|
||||
owner "sockethub"
|
||||
group "sockethub"
|
||||
|
||||
git do
|
||||
user "sockethub"
|
||||
group "sockethub"
|
||||
repository 'https://github.com/sockethub/sockethub.git'
|
||||
revision node['sockethub']['revision']
|
||||
end
|
||||
|
||||
npm_install do
|
||||
user "sockethub"
|
||||
end
|
||||
|
||||
execute "systemctl daemon-reload" do
|
||||
command "systemctl daemon-reload"
|
||||
action :nothing
|
||||
end
|
||||
|
||||
template "/lib/systemd/system/sockethub_nodejs.service" do
|
||||
source 'nodejs.systemd.service.erb'
|
||||
owner 'root'
|
||||
group 'root'
|
||||
mode '0644'
|
||||
variables(
|
||||
user: "sockethub",
|
||||
group: "sockethub",
|
||||
app_dir: path_to_deploy,
|
||||
entry: "/usr/bin/node /usr/bin/npm start",
|
||||
environment: { 'DEBUG' => '*',
|
||||
'PORT' => node['sockethub']['port'],
|
||||
# Use the second database (index starts at 0)
|
||||
'REDIS_URL' => "redis://localhost:6379/1" }
|
||||
)
|
||||
notifies :run, "execute[systemctl daemon-reload]", :delayed
|
||||
notifies :restart, "service[sockethub_nodejs]", :delayed
|
||||
end
|
||||
|
||||
service "sockethub_nodejs" do
|
||||
action [:enable, :start]
|
||||
end
|
||||
npm_package "sockethub" do
|
||||
version node['sockethub']['version']
|
||||
end
|
||||
|
||||
execute "systemctl daemon-reload" do
|
||||
command "systemctl daemon-reload"
|
||||
action :nothing
|
||||
end
|
||||
|
||||
environment_variables = {
|
||||
'PORT' => node['sockethub']['port'],
|
||||
# Use the second database (index starts at 0)
|
||||
'REDIS_URL' => "redis://localhost:6379/1"
|
||||
}
|
||||
unless node['sockethub']['debug_logs'].nil?
|
||||
environment_variables['DEBUG'] = node['sockethub']['debug_logs']
|
||||
end
|
||||
|
||||
environment = environment_variables.map{|k, v| "'#{k}=#{v}'"}.join(' ')
|
||||
|
||||
systemd_unit "sockethub_nodejs.service" do
|
||||
content <<-EOF
|
||||
[Unit]
|
||||
Description=Start sockethub
|
||||
Requires=redis-server.service
|
||||
After=redis-server.service
|
||||
|
||||
[Service]
|
||||
ExecStart=#{entry}
|
||||
User=#{user}
|
||||
Group=#{group}
|
||||
Environment=#{environment}
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
EOF
|
||||
triggers_reload true
|
||||
action [:create, :enable, :start]
|
||||
end
|
||||
|
||||
@@ -26,8 +26,41 @@
|
||||
|
||||
include_recipe 'sockethub::_firewall'
|
||||
include_recipe 'kosmos-nginx'
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
|
||||
server_name = node['sockethub']['nginx']['server_name']
|
||||
|
||||
nginx_post_hook = <<-EOF
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -e
|
||||
|
||||
systemctl reload nginx
|
||||
EOF
|
||||
|
||||
file "/etc/letsencrypt/renewal-hooks/post/nginx" do
|
||||
content nginx_post_hook
|
||||
mode 0755
|
||||
owner "root"
|
||||
group "root"
|
||||
end
|
||||
|
||||
gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
|
||||
|
||||
template "/root/gandi_dns_certbot_hook.sh" do
|
||||
variables gandi_api_key: gandi_api_data_bag_item["key"]
|
||||
mode 0770
|
||||
end
|
||||
|
||||
# Generate a Let's Encrypt cert (only if no cert has been generated before).
|
||||
# The systemd timer will take care of renewing
|
||||
execute "letsencrypt cert for sockethub" do
|
||||
command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/nginx\" --email ops@kosmos.org -d #{server_name} -n"
|
||||
not_if do
|
||||
File.exist?("/etc/letsencrypt/live/#{server_name}/fullchain.pem")
|
||||
end
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
|
||||
source 'nginx_conf_sockethub.erb'
|
||||
owner 'www-data'
|
||||
@@ -40,13 +73,7 @@ template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
# Legacy vhost
|
||||
nginx_site "sockethub" do
|
||||
action :disable
|
||||
end
|
||||
|
||||
nginx_site server_name do
|
||||
action :enable
|
||||
end
|
||||
|
||||
nginx_certbot_site server_name
|
||||
|
||||
@@ -8,10 +8,13 @@ map $http_upgrade $connection_upgrade {
|
||||
'' close;
|
||||
}
|
||||
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
server {
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
listen <%= @sockethub_external_port %> ssl http2;
|
||||
add_header Strict-Transport-Security "max-age=15768000";
|
||||
<% else -%>
|
||||
listen <%= @sockethub_external_port %>;
|
||||
<% end -%>
|
||||
|
||||
server_name <%= @server_name %>;
|
||||
|
||||
@@ -32,7 +35,8 @@ server {
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
}
|
||||
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
<% end -%>
|
||||
}
|
||||
<% end -%>
|
||||
|
||||
@@ -1,17 +0,0 @@
|
||||
[Unit]
|
||||
Description=Start nodejs app
|
||||
Requires=redis-server.service
|
||||
After=redis-server.service
|
||||
|
||||
[Service]
|
||||
ExecStart=<%= @entry %>
|
||||
WorkingDirectory=<%= @app_dir %>
|
||||
User=<%= @user %>
|
||||
Group=<%= @group %>
|
||||
<% unless @environment.empty? -%>
|
||||
Environment=<% @environment.each do |key, value| -%>'<%= key %>=<%= value %>' <% end %>
|
||||
<% end -%>
|
||||
Restart=always
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
63
site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb
Executable file
63
site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb
Executable file
@@ -0,0 +1,63 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
|
||||
set -euf -o pipefail
|
||||
|
||||
# ************** USAGE **************
|
||||
#
|
||||
# Example usage (with this hook file saved in /root/):
|
||||
#
|
||||
# sudo su -
|
||||
# certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
|
||||
# --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
|
||||
#
|
||||
# This hook requires configuration, continue reading.
|
||||
#
|
||||
# ************** CONFIGURATION **************
|
||||
#
|
||||
# GANDI_API_KEY: Your Gandi Live API key
|
||||
#
|
||||
# PROVIDER_UPDATE_DELAY:
|
||||
# How many seconds to wait after updating your DNS records. This may be required,
|
||||
# depending on how slow your DNS host is to begin serving new DNS records after updating
|
||||
# them via the API. 30 seconds is a safe default, but some providers can be very slow
|
||||
# (e.g. Linode).
|
||||
#
|
||||
# Defaults to 30 seconds.
|
||||
#
|
||||
GANDI_API_KEY="<%= @gandi_api_key %>"
|
||||
PROVIDER_UPDATE_DELAY=30
|
||||
|
||||
regex='.*\.(.*\..*)'
|
||||
if [[ $CERTBOT_DOMAIN =~ $regex ]]
|
||||
then
|
||||
DOMAIN="${BASH_REMATCH[1]}"
|
||||
else
|
||||
DOMAIN="${CERTBOT_DOMAIN}"
|
||||
fi
|
||||
|
||||
# To be invoked via Certbot's --manual-auth-hook
|
||||
function auth {
|
||||
curl -s -D- -H "Content-Type: application/json" \
|
||||
-H "X-Api-Key: ${GANDI_API_KEY}" \
|
||||
-d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
|
||||
\"rrset_type\": \"TXT\",
|
||||
\"rrset_ttl\": 3600,
|
||||
\"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
|
||||
"https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
|
||||
|
||||
|
||||
sleep ${PROVIDER_UPDATE_DELAY}
|
||||
}
|
||||
|
||||
# To be invoked via Certbot's --manual-cleanup-hook
|
||||
function cleanup {
|
||||
curl -s -X DELETE -H "Content-Type: application/json" \
|
||||
-H "X-Api-Key: ${GANDI_API_KEY}" \
|
||||
https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
|
||||
}
|
||||
|
||||
HANDLER=$1; shift;
|
||||
if [ -n "$(type -t $HANDLER)" ] && [ "$(type -t $HANDLER)" = function ]; then
|
||||
$HANDLER "$@"
|
||||
fi
|
||||
Reference in New Issue
Block a user