19 Commits

9f79077bcf Set vcard with avatar for kosmos.org itself 2024-08-21 16:53:41 +02:00
d048bbb297 Merge pull request 'Upgrade Gitea to 1.22.1' (#568) from chore/upgrade_gitea into master
Reviewed-on: #568
2024-08-10 11:45:39 +00:00
61bd121709 Upgrade Gitea to 1.22.1 2024-08-10 13:44:39 +02:00
ec9b912e45 Merge pull request 'Configure nginx default vhost, add specific redirects for some domains' (#565) from chore/nginx_redirects into master
Reviewed-on: #565
2024-08-09 12:44:29 +00:00
d53ba42a1d Make kosmos.org the default nginx vhost 2024-08-04 16:51:57 +02:00
a99f7f7574 Add config for accounts .well-known proxying 2024-08-04 16:51:18 +02:00
1c8ee14bb3 Add HTTP redirects for kosmos.chat and kosmos.cash 2024-08-04 16:49:20 +02:00
cdedf49be3 Merge pull request 'Fix download URLs for Mastodon exports/archives' (#564) from bugfix/mastodon_archive_download_urls into master
Reviewed-on: #564
2024-08-04 14:46:26 +00:00
5e727ec279 Fix download URLs for Mastodon exports/archives
See https://github.com/mastodon/mastodon/issues/24380
2024-08-04 14:55:22 +02:00
9d928298d2 Fix Gitea user/repo avatar URLs in certain situations
I encountered a CORS proxy which somehow ended up with http://_gitea_web
URLs.
2024-07-10 11:36:07 +02:00
1174661b46 Use proxy domain for RS Discourse ACME challenge 2024-07-08 20:31:46 +02:00
2dff7cf850 Merge pull request 'Add new service: nostr.kosmos.org (members-only nostr relay)' (#559) from feature/strfry into master
Reviewed-on: #559
Reviewed-by: Greg <greg@noreply.kosmos.org>
2024-07-05 07:33:40 +00:00
232360efba Remove commented code 2024-07-03 09:23:13 +02:00
8b8e8f3438 Move strfry extras into their own directory 2024-07-03 09:22:50 +02:00
522c213b09 Add Deno lockfile 2024-06-20 18:16:27 +02:00
80eddfbf56 Configure strfry whitelist
Allow akkounts pubkey to publish to our own relay
2024-06-20 15:38:27 +02:00
7e664723a1 Configure akkounts nostr relay URL in production 2024-06-20 15:04:17 +02:00
f5961af7fe Create/deploy strfry VM 2024-06-11 23:17:33 +02:00
f843a31e03 Merge pull request 'Improve mail server TLS certificate management' (#556) from chore/mail_server_cert into master
Reviewed-on: #556
Reviewed-by: Greg <greg@noreply.kosmos.org>
2024-06-05 14:49:01 +00:00
21 changed files with 172 additions and 29 deletions


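--- a/path-not-shown-on-page
+++ b/path-not-shown-on-page
@@ -14,7 +14,8 @@
 "public_key": "024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946"
 },
 "nostr": {
-"public_key": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
+"public_key": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
+"relay_url": "wss://nostr.kosmos.org"
 }
 },
 "discourse": {
@@ -105,7 +106,10 @@
 "strfry": {
 "domain": "nostr.kosmos.org",
 "real_ip_header": "x-real-ip",
-"policy_path": "/opt/strfry-policy.ts",
+"policy_path": "/opt/strfry/strfry-policy.ts",
+"whitelist_pubkeys": [
+"b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
+],
 "info": {
 "name": "Kosmos Relay",
 "description": "Members-only nostr relay for kosmos.org users",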


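--- a/path-not-shown-on-page
+++ b/path-not-shown-on-page
@@ -57,6 +57,7 @@
 "kosmos_strfry::nginx",
 "kosmos_website",
 "kosmos_website::default",
+"kosmos_website::redirects",
 "kosmos-akkounts::nginx",
 "kosmos-akkounts::nginx_api",
 "kosmos-bitcoin::nginx_lndhub",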


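--- a/path-not-shown-on-page
+++ b/path-not-shown-on-page
@@ -51,6 +51,7 @@
 "kosmos_strfry::nginx",
 "kosmos_website",
 "kosmos_website::default",
+"kosmos_website::redirects",
 "kosmos-akkounts::nginx",
 "kosmos-akkounts::nginx_api",
 "kosmos-bitcoin::nginx_lndhub",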


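--- a/path-not-shown-on-page
+++ b/path-not-shown-on-page
@@ -30,6 +30,7 @@ production_run_list = %w(
 kosmos_rsk::nginx_mainnet
 kosmos_strfry::nginx
 kosmos_website::default
+kosmos_website::redirects
 kosmos-akkounts::nginx
 kosmos-akkounts::nginx_api
 kosmos-bitcoin::nginx_lndhub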


@@ -22,6 +22,7 @@ node.default['akkounts']['lndhub']['public_key'] = nil
node.default['akkounts']['lndhub']['postgres_db'] = 'lndhub' node.default['akkounts']['lndhub']['postgres_db'] = 'lndhub'
node.default['akkounts']['nostr']['public_key'] = nil node.default['akkounts']['nostr']['public_key'] = nil
node.default['akkounts']['nostr']['relay_url'] = nil
node.default['akkounts']['s3_enabled'] = true node.default['akkounts']['s3_enabled'] = true
node.default['akkounts']['s3_endpoint'] = "https://s3.kosmos.org" node.default['akkounts']['s3_endpoint'] = "https://s3.kosmos.org"


@@ -163,6 +163,7 @@ env[:mediawiki_public_url] = node['mediawiki']['url']
env[:nostr_private_key] = credentials['nostr_private_key'] env[:nostr_private_key] = credentials['nostr_private_key']
env[:nostr_public_key] = node['akkounts']['nostr']['public_key'] env[:nostr_public_key] = node['akkounts']['nostr']['public_key']
env[:nostr_relay_url] = node['akkounts']['nostr']['relay_url']
# #
# remoteStorage / Liquor Cabinet # remoteStorage / Liquor Cabinet



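--- a/path-not-shown-on-page
+++ b/path-not-shown-on-page
@@ -216,7 +216,7 @@ modules:
 access_createnode: pubsub_createnode
 ignore_pep_from_offline: false
 last_item_cache: false
-max_items_node: 10
+max_items_node: 1000
 plugins:
 - "flat"
 - "pep" # pep requires mod_caps
@@ -258,8 +258,6 @@ modules:
 type: turns
 transport: tcp
 restricted: true
-mod_vcard:
-search: false
 mod_vcard_xupdate: {}
 mod_avatar: {}
 mod_version: {}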
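Review bot: The second hunk drops the whole `mod_vcard:` entry (with its `search: false`), yet `mod_vcard_xupdate` and `mod_avatar` on the lines that follow both depend on mod_vcard being loaded, so unless mod_vcard is still declared somewhere else in `modules:` (outside this hunk) vCard and avatar handling will stop working after the reload. If the intention was merely to fall back to the module defaults, keep an empty `mod_vcard: {}` entry. Removing `search: false` by itself should change nothing, since as far as I recall mod_vcard leaves the user-directory search disabled by default, but that assumption is worth a comment next to the entry. The `modules:` map starts and ends outside these hunks.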


@@ -28,7 +28,9 @@ template "#{node['openresty']['dir']}/snippets/mastodon.conf" do
owner 'www-data' owner 'www-data'
mode 0640 mode 0640
variables web_root_dir: web_root_dir, variables web_root_dir: web_root_dir,
server_name: server_name server_name: server_name,
s3_private_url: "#{node["kosmos-mastodon"]["s3_endpoint"]}/#{node["kosmos-mastodon"]["s3_bucket"]}/",
s3_public_url: "https://#{node["kosmos-mastodon"]["s3_alias_host"]}/"
notifies :reload, 'service[openresty]', :delayed notifies :reload, 'service[openresty]', :delayed
end end


@@ -108,11 +108,13 @@ location @proxy {
proxy_pass http://mastodon_app; proxy_pass http://mastodon_app;
proxy_buffering on; proxy_buffering on;
proxy_redirect off;
proxy_http_version 1.1; proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade; proxy_set_header Connection $connection_upgrade;
# https://github.com/mastodon/mastodon/issues/24380
proxy_redirect <%= @s3_private_url %> <%= @s3_public_url %>;
tcp_nodelay on; tcp_nodelay on;
} }
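Review bot: The new `proxy_redirect` line needs a comment stating its scope: nginx rewrites only the `Location` and `Refresh` response headers, so this fixes the export/archive redirects from the linked issue but leaves any private S3 URL that Mastodon embeds in a response body untouched. Something like `# Rewrite Location headers that point at the private S3 endpoint to the public alias host (headers only, bodies are not touched)` above the directive would save the next reader a trip to the issue tracker. The match is a literal prefix, so `@s3_private_url` must be exactly the scheme, host and bucket prefix the app emits, trailing slash included as built in the recipe hunk above. The enclosing `location @proxy` block starts outside the hunk.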


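--- a/path-not-shown-on-page
+++ b/path-not-shown-on-page
@@ -1,5 +1,5 @@
-node.default["gitea"]["version"] = "1.22.0"
-node.default["gitea"]["checksum"] = "a31086f073cb9592d28611394b2de3655db515d961e4fdcf5b549cb40753ef3d"
+node.default["gitea"]["version"] = "1.22.1"
+node.default["gitea"]["checksum"] = "b8043324545eec269fc8f18c22b49fc365ed367e0dd41e081b79832de2570f9c"
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"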


@@ -21,8 +21,13 @@ server {
location ~ ^/(avatars|repo-avatars)/.*$ { location ~ ^/(avatars|repo-avatars)/.*$ {
proxy_buffers 1024 8k; proxy_buffers 1024 8k;
proxy_pass http://_gitea_web; proxy_pass http://_gitea_web;
proxy_http_version 1.1;
expires 30d; expires 30d;
proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
} }
# Docker registry # Docker registry
@@ -30,12 +35,22 @@ server {
client_max_body_size 0; client_max_body_size 0;
proxy_buffers 1024 8k; proxy_buffers 1024 8k;
proxy_pass http://_gitea_web; proxy_pass http://_gitea_web;
proxy_http_version 1.1; proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
} }
location / { location / {
proxy_buffers 1024 8k; proxy_buffers 1024 8k;
proxy_pass http://_gitea_web; proxy_pass http://_gitea_web;
proxy_http_version 1.1; proxy_set_header Connection $http_connection;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
} }
} }
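Review bot: The six `proxy_set_header` lines are now repeated verbatim in all three `location` blocks of this `server` (the avatars block in the first hunk and both blocks in the second); moving them into one snippet file and `include`-ing it from each location keeps the three copies from drifting the next time a header is changed. The rendering does not mark which side a line belongs to, but it reads as if `proxy_http_version 1.1;` is removed from each block while `Upgrade`/`Connection` headers are added; if that is what happened, note that nginx speaks HTTP/1.0 to the upstream by default and an `Upgrade` handshake only works when `proxy_http_version 1.1;` is kept. The enclosing `server` block starts outside the first hunk.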


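--- a/path-not-shown-on-page
+++ b/path-not-shown-on-page
@@ -1 +1,2 @@
 node.default["strfry"]["ldap_search_dn"] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
+node.default["strfry"]["extras_dir"] = "/opt/strfry"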


@@ -11,14 +11,23 @@ include_recipe "deno"
ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv') ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv')
extras_dir = node["strfry"]["extras_dir"]
directory extras_dir do
owner node["strfry"]["user"]
group node["strfry"]["group"]
mode "0755"
end
env = { env = {
ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role
ldap_bind_dn: ldap_credentials["service_dn"], ldap_bind_dn: ldap_credentials["service_dn"],
ldap_password: ldap_credentials["service_password"], ldap_password: ldap_credentials["service_password"],
ldap_search_dn: node["strfry"]["ldap_search_dn"] ldap_search_dn: node["strfry"]["ldap_search_dn"],
whitelist_pubkeys: node["strfry"]["whitelist_pubkeys"].join(",")
} }
template "/opt/.env" do template "#{extras_dir}/.env" do
source 'env.erb' source 'env.erb'
owner node["strfry"]["user"] owner node["strfry"]["user"]
group node["strfry"]["group"] group node["strfry"]["group"]
@@ -32,9 +41,25 @@ end
# strfry deno scripts # strfry deno scripts
# #
base_url = "https://gitea.kosmos.org/kosmos/akkounts/raw/branch/master/extras/strfry" base_url = "https://gitea.kosmos.org/kosmos/akkounts/raw/branch/live/extras/strfry"
remote_file "/opt/strfry-policy.ts" do remote_file "#{extras_dir}/deno.json" do
source "#{base_url}/deno.json"
owner node["strfry"]["user"]
group node["strfry"]["group"]
mode "0644"
notifies :restart, "service[strfry]", :delayed
end
remote_file "#{extras_dir}/deno.lock" do
source "#{base_url}/deno.lock"
owner node["strfry"]["user"]
group node["strfry"]["group"]
mode "0644"
notifies :restart, "service[strfry]", :delayed
end
remote_file "#{extras_dir}/strfry-policy.ts" do
source "#{base_url}/strfry-policy.ts" source "#{base_url}/strfry-policy.ts"
owner node["strfry"]["user"] owner node["strfry"]["user"]
group node["strfry"]["group"] group node["strfry"]["group"]
@@ -42,7 +67,7 @@ remote_file "/opt/strfry-policy.ts" do
notifies :restart, "service[strfry]", :delayed notifies :restart, "service[strfry]", :delayed
end end
remote_file "/opt/ldap-policy.ts" do remote_file "#{extras_dir}/ldap-policy.ts" do
source "#{base_url}/ldap-policy.ts" source "#{base_url}/ldap-policy.ts"
owner node["strfry"]["user"] owner node["strfry"]["user"]
group node["strfry"]["group"] group node["strfry"]["group"]
@@ -50,13 +75,9 @@ remote_file "/opt/ldap-policy.ts" do
notifies :restart, "service[strfry]", :delayed notifies :restart, "service[strfry]", :delayed
end end
remote_file "/opt/strfry-sync.ts" do remote_file "#{extras_dir}/strfry-sync.ts" do
source "#{base_url}/strfry-sync.ts" source "#{base_url}/strfry-sync.ts"
owner node["strfry"]["user"] owner node["strfry"]["user"]
group node["strfry"]["group"] group node["strfry"]["group"]
mode "0644" mode "0644"
end end
# service "strfry" do
# action :nothing
# end
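Review bot: `node["strfry"]["whitelist_pubkeys"].join(",")` in the first hunk raises `NoMethodError` on any node that does not set that attribute, and the attributes file shown above (`@@ -1 +1,2 @@`) defines `ldap_search_dn` and `extras_dir` but no default for `whitelist_pubkeys`; either add `node.default["strfry"]["whitelist_pubkeys"] = []` there or write `whitelist_pubkeys: Array(node["strfry"]["whitelist_pubkeys"]).join(",")`. The `remote_file` resources in the second and later hunks fetch `deno.json`, `deno.lock` and the policy scripts that strfry executes from the mutable `live` branch URL without a `checksum`, so each converge deploys whatever that branch holds at the time; pinning `base_url` to a commit and setting `checksum` on each resource would make the deployed code reproducible and reviewable. The `template "#{extras_dir}/.env"` resource continues outside the first hunk, so its mode is not visible here; since it carries `ldap_password`, it should remain readable by the strfry user only, even though `extras_dir` itself is created `0755`.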


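--- a/path-not-shown-on-page
+++ b/path-not-shown-on-page
@@ -1,3 +1,4 @@
 node.default["kosmos_website"]["domain"] = "kosmos.org"
 node.default["kosmos_website"]["repo"] = "https://gitea.kosmos.org/kosmos/website.git"
 node.default["kosmos_website"]["revision"] = "chore/content"
+node.default["kosmos_website"]["accounts_url"] = "https://accounts.kosmos.org"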


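--- a/path-not-shown-on-page
+++ b/path-not-shown-on-page
@@ -23,6 +23,7 @@ end
 openresty_site domain do
 template "nginx_conf_website.erb"
 variables domain: domain,
+accounts_url: node.default["kosmos_website"]["accounts_url"],
 ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
 ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
 end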
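Review bot: `node.default["kosmos_website"]["accounts_url"]` reads only the default precedence level, so a value set for a role, an environment or via `node.override` would be silently ignored here; the merged read is `accounts_url: node["kosmos_website"]["accounts_url"],`, which presumably is also how `domain` is obtained above the hunk. The recipe around this `openresty_site` resource starts outside the hunk.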


@@ -0,0 +1,35 @@
#
# Cookbook:: kosmos_website
# Recipe:: redirects
#
redirects = [
{
domain: "kosmos.chat",
target: "https://kosmos.org",
http_status: 307
},
{
domain: "kosmos.cash",
acme_domain: "letsencrypt.kosmos.org",
target: "https://kosmos.org",
http_status: 307
}
]
redirects.each do |redirect|
tls_cert_for redirect[:domain] do
auth "gandi_dns"
acme_domain redirect[:acme_domain] unless redirect[:acme_domain].nil?
action :create
end
openresty_site redirect[:domain] do
template "nginx_conf_redirect.erb"
variables domain: redirect[:domain],
target: redirect[:target],
http_status: redirect[:http_status],
ssl_cert: "/etc/letsencrypt/live/#{redirect[:domain]}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{redirect[:domain]}/privkey.pem"
end
end
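Review bot: The `http_status: 307` entries in the `redirects` list deserve a one-line comment on why a temporary redirect was chosen for domains being pointed at kosmos.org, e.g. `# 307 keeps the redirect revocable; browsers cache 301s permanently` if that is the reasoning, since the template falls back to 301 when the key is absent. `acme_domain redirect[:acme_domain] unless redirect[:acme_domain].nil?` reads more naturally as `acme_domain redirect[:acme_domain] if redirect[:acme_domain]`. If these domains are expected to change without a cookbook release, the list could live in a node attribute instead of the recipe body.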


@@ -0,0 +1,20 @@
# Generated by Chef
server {
server_name <%= @domain %>;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 ssl http2;
access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;
gzip_static on;
gzip_comp_level 5;
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
location / {
return <%= @http_status || 301 %> <%= @target %>;
}
}
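Review bot: This redirect vhost only listens on 443 (the two `listen` lines), so a plain `http://` request for the redirected domain is answered by whichever server is `default_server` on port 80, not by this block; it happens to work because the kosmos.org template further down declares that default and returns 301 to https://kosmos.org. Adding `listen 80;` and `listen [::]:80;` here makes the redirect self-contained and independent of which site is the default vhost. `gzip_static on;` and `gzip_comp_level 5;` have no effect in a server whose only location is a `return`. The server_name/listen/log/ssl preamble here is duplicated almost line for line in the next new template; one included snippet would serve both.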


@@ -0,0 +1,18 @@
# Generated by Chef
server {
server_name <%= @domain %>;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 ssl http2;
root /var/www/<%= @domain %>/public;
access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;
gzip_static on;
gzip_comp_level 5;
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
}


@@ -1,9 +1,18 @@
# Generated by Chef # Generated by Chef
server {
server_name _;
listen 80 default_server;
location / {
return 301 https://<%= @domain %>;
}
}
server { server {
server_name <%= @domain %>; server_name <%= @domain %>;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2 default_server;
listen [::]:443 ssl http2; listen [::]:443 ssl http2 default_server;
root /var/www/<%= @domain %>/public; root /var/www/<%= @domain %>/public;
@@ -18,8 +27,10 @@ server {
ssl_certificate <%= @ssl_cert %>; ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>; ssl_certificate_key <%= @ssl_key %>;
<% if @accounts_url %>
location ~ ^/.well-known/(webfinger|nostr|lnurlp|keysend) { location ~ ^/.well-known/(webfinger|nostr|lnurlp|keysend) {
proxy_ssl_server_name on; proxy_ssl_server_name on;
proxy_pass https://accounts.kosmos.org; proxy_pass https://accounts.kosmos.org;
} }
<% end %>
} }
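Review bot: The new `<% if @accounts_url %>` guard controls whether the `.well-known` block is rendered, but the `proxy_pass` inside it still hard-codes `https://accounts.kosmos.org`, so the attribute passed from the recipe never influences where requests go; `proxy_pass <%= @accounts_url %>;` makes the variable do what its name says. In the first hunk, the new port-80 catch-all uses `return 301 https://<%= @domain %>;`, which discards the request path; that is fine for unknown hosts, but if kosmos.org's own plain-HTTP visitors should land on the page they asked for, `return 301 https://<%= @domain %>$request_uri;` preserves it. The first hunk's second `server` block continues outside the hunk.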


@@ -18,6 +18,7 @@ end
tls_cert_for domain do tls_cert_for domain do
auth "gandi_dns" auth "gandi_dns"
acme_domain "letsencrypt.kosmos.org"
action :create action :create
end end