Upgrade strfry to 1.0.1

Also set up and use a new Kosmos pubkey/profile and add a relay icon
Use new proxy domain for ejabberd cert
2024-10-16 12:42:49 +02:00 · 2024-10-16 12:40:10 +02:00 · 2024-10-16 12:39:34 +02:00
7 changed files with 21 additions and 21 deletions
--- a/environments/production.json
+++ b/environments/production.json
@ -108,13 +108,15 @@
      "real_ip_header": "x-real-ip",
      "policy_path": "/opt/strfry/strfry-policy.ts",
      "whitelist_pubkeys": [
-        "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
+        "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
+        "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf"
      ],
      "info": {
        "name": "Kosmos Relay",
        "description": "Members-only nostr relay for kosmos.org users",
-        "pubkey": "1f79058c77a224e5be226c8f024cacdad4d741855d75ed9f11473ba8eb86e1cb",
-        "contact": "ops@kosmos.org"
+        "pubkey": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
+        "contact": "ops@kosmos.org",
+        "icon": "https://assets.kosmos.org/img/app-icon-256px.png"
      }
    }
  }
--- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb
@ -14,6 +14,10 @@ server {
  listen [::]:443 ssl http2;
  server_name <%= @domain %>;

+  if ($host != $server_name) {
+    return 301 $scheme://$server_name$request_uri;
+  }
+
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;

@ -39,6 +43,9 @@ server {

  location @proxy {
    proxy_set_header Host $http_host;
+    set $x_forwarded_host $http_x_forwarded_host;
+    if ($x_forwarded_host = "") { set $x_forwarded_host $host; }
+    proxy_set_header X-Forwarded-Host $x_forwarded_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
--- a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
@ -52,7 +52,7 @@ end
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
 execute "letsencrypt cert for 5apps xmpp" do
-  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.chat\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.chat\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
+  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
  not_if do
    File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem")
  end
--- a/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
+++ b/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
@ -10,16 +10,6 @@ upstream _<%= @app_name %> {
 # TODO use cookbook attribute when enabling
 # variables_hash_max_size 2048;

-server {
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80;
-  listen [::]:80;
-  server_name <%= @server_name %>;
-  # Redirect to https
-  location / {
-    return 301 https://<%= @server_name %>$request_uri;
-  }
-}
-
 server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
  listen [::]:443 ssl http2;
--- a/site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb
+++ b/site-cookbooks/kosmos_website/templates/nginx_conf_redirect.erb
@ -14,7 +14,5 @@ server {
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;

-  location / {
-    return <%= @http_status || 301 %> <%= @target %>;
-  }
+  return <%= @http_status || 307 %> <%= @target %>;
 }
--- a/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb
+++ b/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb
@ -2,7 +2,7 @@

 server {
  server_name _;
-  listen 80 default_server;
+  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80 default_server;

  location / {
    return 301 https://<%= @domain %>;
@ -14,6 +14,10 @@ server {
  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2 default_server;
  listen [::]:443 ssl http2 default_server;

+  if ($host != $server_name) {
+    return 307 $scheme://$server_name;
+  }
+
  root /var/www/<%= @domain %>/public;

  access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
@ -22,14 +26,13 @@ server {
  gzip_static on;
  gzip_comp_level 5;

-  add_header 'Access-Control-Allow-Origin' '*';
-
  ssl_certificate     <%= @ssl_cert %>;
  ssl_certificate_key <%= @ssl_key %>;

 <% if @accounts_url %>
  location ~ ^/.well-known/(webfinger|nostr|lnurlp|keysend) {
    proxy_ssl_server_name on;
+    proxy_set_header X-Forwarded-Host $host;
    proxy_pass https://accounts.kosmos.org;
  }
 <% end %>
--- a/site-cookbooks/strfry
+++ b/site-cookbooks/strfry
@ -1 +1 @@
-Subproject commit a4756377b480c9bcceba4867969a0c15880913dc
+Subproject commit 8df7c00a147873f5c0ac81dabc993ed25981c544
Author	SHA1	Message	Date
Râu Cao	4d1125ac2b	Upgrade strfry to 1.0.1 Also set up and use a new Kosmos pubkey/profile and add a relay icon	2024-10-16 12:42:49 +02:00
Râu Cao	3853f94ae0	Use new proxy domain for ejabberd cert	2024-10-16 12:40:10 +02:00
Râu Cao	d1097c7688	Fix and improve nginx redirects, akkounts headers	2024-10-16 12:39:34 +02:00