Compare commits
5 Commits
543b482adb
...
98d423aa70
| Author | SHA1 | Date | |
|---|---|---|---|
|
98d423aa70
|
||
|
|
4b14297f83
|
||
|
|
1681942fb1
|
||
|
|
4d528d67ef
|
||
|
|
53abc2ec9a
|
@@ -40,6 +40,12 @@
|
||||
"kosmos_assets::nginx_site",
|
||||
"kosmos-akkounts::nginx",
|
||||
"kosmos_discourse::nginx",
|
||||
"kosmos_drone::nginx",
|
||||
"kosmos_gitea::nginx",
|
||||
"kosmos_rsk::nginx_testnet",
|
||||
"kosmos_rsk::nginx_mainnet",
|
||||
"kosmos_website",
|
||||
"kosmos_website::default",
|
||||
"kosmos_encfs",
|
||||
"kosmos_encfs::default",
|
||||
"kosmos-ejabberd::firewall",
|
||||
|
||||
@@ -102,6 +102,7 @@
|
||||
"role[base]",
|
||||
"role[kvm_host]",
|
||||
"role[nginx_proxy]",
|
||||
"kosmos_gitea::nginx_ssh",
|
||||
"role[zerotier_controller]"
|
||||
]
|
||||
}
|
||||
|
||||
@@ -21,15 +21,10 @@ development_run_list = %w(
|
||||
default_run_list = %w(
|
||||
role[openresty]
|
||||
tor-full
|
||||
kosmos_drone::nginx
|
||||
kosmos_garage::default
|
||||
kosmos_garage::firewall_rpc
|
||||
kosmos_garage::nginx_web
|
||||
kosmos_gitea::nginx
|
||||
kosmos_rsk::nginx_testnet
|
||||
kosmos_rsk::nginx_mainnet
|
||||
kosmos_website::default
|
||||
kosmos-akkounts::nginx
|
||||
|
||||
kosmos-akkounts::nginx_api
|
||||
kosmos-bitcoin::nginx_lndhub
|
||||
kosmos-ejabberd::nginx
|
||||
@@ -45,6 +40,11 @@ production_run_list = %w(
|
||||
kosmos_assets::nginx_site
|
||||
kosmos-akkounts::nginx
|
||||
kosmos_discourse::nginx
|
||||
kosmos_drone::nginx
|
||||
kosmos_gitea::nginx
|
||||
kosmos_rsk::nginx_testnet
|
||||
kosmos_rsk::nginx_mainnet
|
||||
kosmos_website::default
|
||||
)
|
||||
|
||||
env_run_lists(
|
||||
|
||||
@@ -8,5 +8,5 @@ version '0.1.0'
|
||||
chef_version '>= 14.0'
|
||||
|
||||
depends "firewall"
|
||||
depends "kosmos-nginx"
|
||||
depends "kosmos_gitea"
|
||||
depends "kosmos_openresty"
|
||||
|
||||
@@ -12,21 +12,16 @@ end
|
||||
# No Discourse host, stop here
|
||||
return if upstream_ip_addresses.empty?
|
||||
|
||||
nginx_certbot_site domain
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||
source "nginx_conf.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
openresty_site domain do
|
||||
template "nginx_conf.erb"
|
||||
variables server_name: domain,
|
||||
upstream_ip_addresses: upstream_ip_addresses,
|
||||
upstream_port: node["kosmos_drone"]["upstream_port"],
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
||||
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
# Generated by Chef
|
||||
upstream _drone {
|
||||
<% @upstream_ip_addresses.each do |upstream_ip_address| -%>
|
||||
@@ -8,7 +7,7 @@ upstream _drone {
|
||||
|
||||
server {
|
||||
server_name <%= @server_name %>;
|
||||
listen 443 ssl http2;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
@@ -33,4 +32,3 @@ server {
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
}
|
||||
<% end -%>
|
||||
|
||||
@@ -2,25 +2,13 @@ name 'kosmos_gitea'
|
||||
maintainer 'Kosmos Developers'
|
||||
maintainer_email 'ops@kosmos.org'
|
||||
license 'MIT'
|
||||
description 'Installs/Configures kosmos_gitea'
|
||||
long_description 'Installs/Configures kosmos_gitea'
|
||||
version '0.1.0'
|
||||
description 'Installs/configures Gitea'
|
||||
long_description 'Installs/configures Gitea'
|
||||
version '0.2.0'
|
||||
chef_version '>= 14.0'
|
||||
|
||||
# The `issues_url` points to the location where issues for this cookbook are
|
||||
# tracked. A `View Issues` link will be displayed on this cookbook's page when
|
||||
# uploaded to a Supermarket.
|
||||
#
|
||||
# issues_url 'https://github.com/<insert_org_here>/kosmos_gitea/issues'
|
||||
|
||||
# The `source_url` points to the development repository for this cookbook. A
|
||||
# `View Source` link will be displayed on this cookbook's page when uploaded to
|
||||
# a Supermarket.
|
||||
#
|
||||
# source_url 'https://github.com/<insert_org_here>/kosmos_gitea'
|
||||
|
||||
depends "firewall"
|
||||
depends "kosmos-nginx"
|
||||
depends "kosmos_openresty"
|
||||
depends "kosmos_postgresql"
|
||||
depends "backup"
|
||||
depends "kosmos-dirsrv"
|
||||
|
||||
@@ -3,14 +3,8 @@
|
||||
# Recipe:: nginx
|
||||
#
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
domain = node["gitea"]["domain"]
|
||||
|
||||
# upstream_ip_addresses = []
|
||||
# search(:node, "role:gitea").each do |n|
|
||||
# upstream_ip_addresses << n["knife_zero"]["host"]
|
||||
# end
|
||||
begin
|
||||
upstream_ip_address = search(:node, "role:gitea").first["knife_zero"]["host"]
|
||||
rescue
|
||||
@@ -18,35 +12,16 @@ rescue
|
||||
return
|
||||
end
|
||||
|
||||
nginx_certbot_site domain
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||
source "nginx_conf_web.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
openresty_site domain do
|
||||
template "nginx_conf_web.erb"
|
||||
variables server_name: domain,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
|
||||
upstream_host: upstream_ip_address,
|
||||
upstream_port: node["gitea"]["port"]
|
||||
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/streams-available/ssh" do
|
||||
source "nginx_conf_ssh.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables domain: domain,
|
||||
upstream_host: upstream_ip_address
|
||||
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_stream "ssh" do
|
||||
action :enable
|
||||
end
|
||||
|
||||
18
site-cookbooks/kosmos_gitea/recipes/nginx_ssh.rb
Normal file
18
site-cookbooks/kosmos_gitea/recipes/nginx_ssh.rb
Normal file
@@ -0,0 +1,18 @@
|
||||
#
|
||||
# Cookbook:: kosmos_gitea
|
||||
# Recipe:: nginx_ssh
|
||||
#
|
||||
|
||||
template "#{node['nginx']['dir']}/streams-available/ssh" do
|
||||
source "nginx_conf_ssh.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables domain: domain,
|
||||
upstream_host: upstream_ip_address
|
||||
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_stream "ssh" do
|
||||
action :enable
|
||||
end
|
||||
@@ -4,23 +4,14 @@ upstream _gitea_web {
|
||||
}
|
||||
|
||||
server {
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name <%= @server_name %>;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000";
|
||||
<% else -%>
|
||||
listen 80;
|
||||
server_name <%= @server_name %>;
|
||||
|
||||
location /.well-known {
|
||||
root "/var/www/<%= @server_name %>";
|
||||
}
|
||||
<% end -%>
|
||||
|
||||
client_max_body_size 20M;
|
||||
|
||||
|
||||
@@ -9,4 +9,4 @@ issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
|
||||
source_url 'https://gitea.kosmos.org/kosmos/chef'
|
||||
|
||||
depends 'firewall'
|
||||
depends 'kosmos-nginx'
|
||||
depends 'kosmos_openresty'
|
||||
|
||||
@@ -5,33 +5,27 @@ property :network, String, required: true, name_property: true
|
||||
property :domain, String, required: true
|
||||
|
||||
action :create do
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
network = new_resource.network
|
||||
domain = new_resource.domain
|
||||
|
||||
nginx_certbot_site domain
|
||||
|
||||
upstream_hosts = []
|
||||
search(:node, "role:rskj_#{network}").each do |node|
|
||||
upstream_hosts << node["knife_zero"]["host"]
|
||||
end
|
||||
upstream_hosts.push("localhost") if upstream_hosts.empty?
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||
source "nginx_conf_rskj.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
openresty_site domain do
|
||||
template "nginx_conf_rskj.erb"
|
||||
variables domain: domain,
|
||||
upstream_name: "rskj_#{network}",
|
||||
upstream_hosts: upstream_hosts,
|
||||
upstream_port: "4444",
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
||||
end
|
||||
|
||||
@@ -5,7 +5,7 @@ upstream _<%= @upstream_name %> {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name <%= @domain %>;
|
||||
|
||||
@@ -7,5 +7,5 @@ long_description 'Configures the main kosmos.org website'
|
||||
version '1.0.0'
|
||||
chef_version '>= 15.10' if respond_to?(:chef_version)
|
||||
|
||||
depends "kosmos-nginx"
|
||||
depends 'git'
|
||||
depends "kosmos_openresty"
|
||||
|
||||
@@ -3,20 +3,16 @@
|
||||
# Recipe:: default
|
||||
#
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
include_recipe "git"
|
||||
|
||||
domain = node["kosmos_website"]["domain"]
|
||||
|
||||
nginx_certbot_site domain
|
||||
|
||||
directory "/var/www/#{domain}/site" do
|
||||
user node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
mode "0755"
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
git "/var/www/#{domain}/site" do
|
||||
git "/var/www/#{domain}" do
|
||||
user node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
repository node["kosmos_website"]["repo"]
|
||||
@@ -24,16 +20,9 @@ git "/var/www/#{domain}/site" do
|
||||
action :sync
|
||||
end
|
||||
|
||||
template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
|
||||
source "nginx_conf_website.erb"
|
||||
owner node["nginx"]["user"]
|
||||
mode 0640
|
||||
openresty_site domain do
|
||||
template "nginx_conf_website.erb"
|
||||
variables domain: domain,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
||||
notifies :reload, "service[nginx]", :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
||||
|
||||
@@ -1,12 +1,11 @@
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
# Generated by Chef
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name <%= @domain %>;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
root /var/www/<%= @domain %>/site/public;
|
||||
root /var/www/<%= @domain %>/public;
|
||||
|
||||
access_log off;
|
||||
gzip_static on;
|
||||
@@ -29,4 +28,3 @@ server {
|
||||
proxy_pass https://accounts.kosmos.org;
|
||||
}
|
||||
}
|
||||
<% end -%>
|
||||
|
||||
Reference in New Issue
Block a user