Deploy liquor-cabinet proxy to production

Add liquor-cabinet proxy recipe
2024-01-26 08:16:26 +03:00 · 2024-01-26 08:15:53 +03:00
7 changed files with 119 additions and 1 deletions
--- a/environments/production.json
+++ b/environments/production.json
@ -81,7 +81,9 @@
      "ufw_source_allowed": "10.1.1.0/24",
      "s3_endpoint": "http://localhost:3900",
      "s3_region": "garage",
-      "s3_bucket": "rs-kosmos"
+      "s3_bucket": "rs-kosmos",
+      "domain": "storage.kosmos.org",
+      "root_redirect_url": "https://accounts.kosmos.org"
    },
    "mediawiki": {
      "url": "https://wiki.kosmos.org"
--- a/nodes/draco.kosmos.org.json
+++ b/nodes/draco.kosmos.org.json
@ -52,6 +52,7 @@
      "kosmos_garage::nginx_s3",
      "kosmos_gitea::nginx",
      "kosmos_gitea::nginx_ssh",
+      "kosmos_liquor-cabinet::nginx",
      "kosmos_rsk::nginx_testnet",
      "kosmos_rsk::nginx_mainnet",
      "kosmos_website",
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@ -45,6 +45,7 @@
      "kosmos_garage::nginx_s3",
      "kosmos_gitea::nginx",
      "kosmos_gitea::nginx_ssh",
+      "kosmos_liquor-cabinet::nginx",
      "kosmos_rsk::nginx_testnet",
      "kosmos_rsk::nginx_mainnet",
      "kosmos_website",
--- a/roles/openresty_proxy.rb
+++ b/roles/openresty_proxy.rb
@ -26,6 +26,7 @@ production_run_list = %w(
  kosmos_garage::nginx_s3
  kosmos_gitea::nginx
  kosmos_gitea::nginx_ssh
+  kosmos_liquor-cabinet::nginx
  kosmos_rsk::nginx_testnet
  kosmos_rsk::nginx_mainnet
  kosmos_website::default
--- a/site-cookbooks/kosmos_liquor-cabinet/attributes/default.rb
+++ b/site-cookbooks/kosmos_liquor-cabinet/attributes/default.rb
@ -0,0 +1,4 @@
+node.default['liquor-cabinet']['app_server_role'] = 'liquor_cabinet'
+node.default['liquor-cabinet']['max_upload_size'] = 100 # MB
+node.default['liquor-cabinet']['server_name'] = 'storage.example.com'
+node.default['liquor-cabinet']['root_redirect_url'] = 'https://example.com/storage'
--- a/site-cookbooks/kosmos_liquor-cabinet/recipes/nginx.rb
+++ b/site-cookbooks/kosmos_liquor-cabinet/recipes/nginx.rb
@ -0,0 +1,30 @@
+#
+# Cookbook:: kosmos_liquor-cabinet
+# Recipe:: nginx
+#
+
+app_name = node['liquor-cabinet']['app_name']
+domain   = node[app_name]['domain']
+
+tls_cert_for domain do
+  auth "gandi_dns"
+  action :create
+end
+
+upstream_hosts = []
+search(:node, "role:#{node[app_name]['app_server_role']}").each do |node|
+  upstream_hosts << node["knife_zero"]["host"]
+end
+upstream_hosts.push("localhost") if upstream_hosts.empty?
+
+openresty_site domain do
+  template "nginx_conf_liquor-cabinet.erb"
+  variables app_name: app_name,
+            server_name: domain,
+            root_redirect_url: node[app_name]['root_redirect_url'],
+            max_upload_size: node['liquor-cabinet']['max_upload_size'],
+            upstream_hosts: upstream_hosts,
+            upstream_port: node[app_name]['rainbows']['port'],
+            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
+end
--- a/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
+++ b/site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb
@ -0,0 +1,79 @@
+#
+# Generated by Chef
+#
+upstream _<%= @app_name %> {
+<% @upstream_hosts.each do |host| -%>
+  server <%= host %>:<%= @upstream_port %>;
+<% end -%>
+}
+
+# TODO use cookbook attribute when enabling
+# variables_hash_max_size 2048;
+
+server {
+  listen 80;
+  listen [::]:80;
+  server_name <%= @server_name %>;
+  # Redirect to https
+  location / {
+    return 301 https://<%= @server_name %>$request_uri;
+  }
+}
+
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name <%= @server_name %>;
+
+  access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log; # TODO json_liquor_cabinet;
+  error_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.error.log warn;
+
+  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
+
+  # TODO
+  # log_by_lua_file "<%= @log_by_lua_file %>";
+
+  # We need strong ETags, disable compression
+  gzip off;
+  # brotli off;
+  # pagespeed off;
+
+  # Set a large maximum upload size
+  client_max_body_size <%= @max_upload_size %>m;
+
+  # TODO
+  # Use rate limiting (the zone is defined in
+  # /etc/nginx/conf.d/rate_limiting.conf)
+  # limit_req zone=per_ip burst=5000;
+
+  location = / {
+    return 301 <%= @root_redirect_url %>;
+  }
+
+  location / {
+    try_files $uri @proxy;
+  }
+
+  location @proxy {
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Host $http_host;
+
+    proxy_redirect off;
+
+    proxy_buffering on;
+    # Increase number of buffers. Default is 8
+    proxy_buffers 1024 8k;
+
+    # Needed for big uploads
+    proxy_read_timeout 180s;
+    proxy_send_timeout 180s;
+
+    proxy_pass http://_<%= @app_name %>;
+
+    proxy_next_upstream error timeout http_502 http_500;
+  }
+
+  ssl_certificate <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+}
Author	SHA1	Message	Date
Râu Cao	e10e54c12a	Deploy liquor-cabinet proxy to production	2024-01-26 08:16:26 +03:00
Râu Cao	6114f0f799	Add liquor-cabinet proxy recipe	2024-01-26 08:15:53 +03:00