Compare commits
1 Commits
chore/ejab
...
f82fdd96cf
| Author | SHA1 | Date | |
|---|---|---|---|
f82fdd96cf
|
6
.gitmodules
vendored
6
.gitmodules
vendored
@@ -4,9 +4,3 @@
|
||||
[submodule "site-cookbooks/openresty"]
|
||||
path = site-cookbooks/openresty
|
||||
url = https://github.com/67P/chef-openresty.git
|
||||
[submodule "site-cookbooks/strfry"]
|
||||
path = site-cookbooks/strfry
|
||||
url = git@gitea.kosmos.org:kosmos/strfry-cookbook.git
|
||||
[submodule "site-cookbooks/deno"]
|
||||
path = site-cookbooks/deno
|
||||
url = git@gitea.kosmos.org:kosmos/deno-cookbook.git
|
||||
|
||||
@@ -1,4 +0,0 @@
|
||||
{
|
||||
"name": "strfry-1",
|
||||
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzDV/RMGMXVDbvoA6PNh8\nQzhtHwYDCFcUSkbrwP6tzh6GpVunGEOdOdhj2V63T2tF1H+lujxQXh5pK7C0D6VZ\niO04ftJlo7/svyxUcwWr+znyN5sFdQRh3cBZiGSBYolizwoqgtPFlbNhmWAzV0Du\n9t8mhz70IK3B+UdwWyHtoK0NNsJGnQ9YzAvcjyDmEO/3sCjAhNnxVpmXftpcSmd9\nMonzFtIDBbRRll4AHZYRbmXCzx63+VmelvdnufnbY82liol0zzBwJaBD1wyNlG0y\ni96p3Kx03bLNlIaYVGbjZeJi+6oo2VDWJ4OloLLAYoHDSipeHT9qWfUdnE6ge4Lm\nywIDAQAB\n-----END PUBLIC KEY-----\n"
|
||||
}
|
||||
@@ -1,30 +1,9 @@
|
||||
{
|
||||
"id": "dirsrv",
|
||||
"admin_dn": {
|
||||
"encrypted_data": "zRtz6Scb9WtUXGyjc0xyvsre0YvqupuaFz+RPApj7DEQTmYyZPVb\n",
|
||||
"iv": "xfIXMhEBHBWqa4Dz\n",
|
||||
"auth_tag": "BcA32u1njcnCZ+yrBGSceQ==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"admin_password": {
|
||||
"encrypted_data": "7JpXl3JZDqKWDfYt/wuNbkbob+oRuONhkuAlpqUCCEIn+tY=\n",
|
||||
"iv": "Lcwc4NDzrfcBaIKQ\n",
|
||||
"auth_tag": "rrePS3Bhdnwbr2d/o8vMhg==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"service_dn": {
|
||||
"encrypted_data": "sqRFiZreLeTPQljSfhAuV3DmsPxSC8tzWjCdu+WSSbO67sBQA+xhmGtzBhBD\nDZPGJw+jtAxzuVvPdAjxgAVgxXO6C6WEo87L1tdJewE=\n",
|
||||
"iv": "GUEGtyRJXrPhWcUs\n",
|
||||
"auth_tag": "2USsrx//3V7RCyumGCbMkg==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"service_password": {
|
||||
"encrypted_data": "f2wi8B8SEt6p5G0TF3dZ72j0vMFlvwcP1suxYnshBA==\n",
|
||||
"iv": "rOnUoxbnkaJtodM+\n",
|
||||
"auth_tag": "dVLCtBVMjxLfW2D8XjJBdQ==\n",
|
||||
"encrypted_data": "i71l5E129mXCcDAyME8sNMUkYUlQMgt7Eh6noyFcLNgbaMo=\n",
|
||||
"iv": "KNW2B8tpX7ywZwbg\n",
|
||||
"auth_tag": "GawQ+FSlA5v5YVyryeUxng==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
}
|
||||
|
||||
@@ -14,8 +14,7 @@
|
||||
"public_key": "024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946"
|
||||
},
|
||||
"nostr": {
|
||||
"public_key": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
|
||||
"relay_url": "wss://nostr.kosmos.org"
|
||||
"public_key": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
|
||||
}
|
||||
},
|
||||
"discourse": {
|
||||
@@ -102,20 +101,6 @@
|
||||
},
|
||||
"sentry": {
|
||||
"allowed_ips": "10.1.1.0/24"
|
||||
},
|
||||
"strfry": {
|
||||
"domain": "nostr.kosmos.org",
|
||||
"real_ip_header": "x-real-ip",
|
||||
"policy_path": "/opt/strfry/strfry-policy.ts",
|
||||
"whitelist_pubkeys": [
|
||||
"b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a"
|
||||
],
|
||||
"info": {
|
||||
"name": "Kosmos Relay",
|
||||
"description": "Members-only nostr relay for kosmos.org users",
|
||||
"pubkey": "1f79058c77a224e5be226c8f024cacdad4d741855d75ed9f11473ba8eb86e1cb",
|
||||
"contact": "ops@kosmos.org"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -54,10 +54,8 @@
|
||||
"kosmos_liquor-cabinet::nginx",
|
||||
"kosmos_rsk::nginx_testnet",
|
||||
"kosmos_rsk::nginx_mainnet",
|
||||
"kosmos_strfry::nginx",
|
||||
"kosmos_website",
|
||||
"kosmos_website::default",
|
||||
"kosmos_website::redirects",
|
||||
"kosmos-akkounts::nginx",
|
||||
"kosmos-akkounts::nginx_api",
|
||||
"kosmos-bitcoin::nginx_lndhub",
|
||||
|
||||
@@ -48,10 +48,8 @@
|
||||
"kosmos_liquor-cabinet::nginx",
|
||||
"kosmos_rsk::nginx_testnet",
|
||||
"kosmos_rsk::nginx_mainnet",
|
||||
"kosmos_strfry::nginx",
|
||||
"kosmos_website",
|
||||
"kosmos_website::default",
|
||||
"kosmos_website::redirects",
|
||||
"kosmos-akkounts::nginx",
|
||||
"kosmos-akkounts::nginx_api",
|
||||
"kosmos-bitcoin::nginx_lndhub",
|
||||
|
||||
@@ -1,66 +0,0 @@
|
||||
{
|
||||
"name": "strfry-1",
|
||||
"chef_environment": "production",
|
||||
"normal": {
|
||||
"knife_zero": {
|
||||
"host": "10.1.1.164"
|
||||
}
|
||||
},
|
||||
"automatic": {
|
||||
"fqdn": "strfry-1",
|
||||
"os": "linux",
|
||||
"os_version": "5.15.0-1060-kvm",
|
||||
"hostname": "strfry-1",
|
||||
"ipaddress": "192.168.122.54",
|
||||
"roles": [
|
||||
"base",
|
||||
"kvm_guest",
|
||||
"strfry",
|
||||
"ldap_client"
|
||||
],
|
||||
"recipes": [
|
||||
"kosmos-base",
|
||||
"kosmos-base::default",
|
||||
"kosmos_kvm::guest",
|
||||
"kosmos-dirsrv::hostsfile",
|
||||
"strfry",
|
||||
"strfry::default",
|
||||
"kosmos_strfry::policies",
|
||||
"kosmos_strfry::firewall",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
"ntp::default",
|
||||
"ntp::apparmor",
|
||||
"kosmos-base::systemd_emails",
|
||||
"apt::unattended-upgrades",
|
||||
"kosmos-base::firewall",
|
||||
"kosmos-postfix::default",
|
||||
"postfix::default",
|
||||
"postfix::_common",
|
||||
"postfix::_attributes",
|
||||
"postfix::sasl_auth",
|
||||
"hostname::default",
|
||||
"deno::default"
|
||||
],
|
||||
"platform": "ubuntu",
|
||||
"platform_version": "22.04",
|
||||
"cloud": null,
|
||||
"chef_packages": {
|
||||
"chef": {
|
||||
"version": "18.4.12",
|
||||
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.4.12/lib",
|
||||
"chef_effortless": null
|
||||
},
|
||||
"ohai": {
|
||||
"version": "18.1.11",
|
||||
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.11/lib/ohai"
|
||||
}
|
||||
}
|
||||
},
|
||||
"run_list": [
|
||||
"role[base]",
|
||||
"role[kvm_guest]",
|
||||
"role[strfry]"
|
||||
]
|
||||
}
|
||||
@@ -28,9 +28,7 @@ production_run_list = %w(
|
||||
kosmos_liquor-cabinet::nginx
|
||||
kosmos_rsk::nginx_testnet
|
||||
kosmos_rsk::nginx_mainnet
|
||||
kosmos_strfry::nginx
|
||||
kosmos_website::default
|
||||
kosmos_website::redirects
|
||||
kosmos-akkounts::nginx
|
||||
kosmos-akkounts::nginx_api
|
||||
kosmos-bitcoin::nginx_lndhub
|
||||
|
||||
@@ -1,8 +0,0 @@
|
||||
name "strfry"
|
||||
|
||||
run_list %w(
|
||||
role[ldap_client]
|
||||
strfry::default
|
||||
kosmos_strfry::policies
|
||||
kosmos_strfry::firewall
|
||||
)
|
||||
Submodule site-cookbooks/deno deleted from 617f7959ab
@@ -22,7 +22,6 @@ node.default['akkounts']['lndhub']['public_key'] = nil
|
||||
node.default['akkounts']['lndhub']['postgres_db'] = 'lndhub'
|
||||
|
||||
node.default['akkounts']['nostr']['public_key'] = nil
|
||||
node.default['akkounts']['nostr']['relay_url'] = nil
|
||||
|
||||
node.default['akkounts']['s3_enabled'] = true
|
||||
node.default['akkounts']['s3_endpoint'] = "https://s3.kosmos.org"
|
||||
|
||||
@@ -163,7 +163,6 @@ env[:mediawiki_public_url] = node['mediawiki']['url']
|
||||
|
||||
env[:nostr_private_key] = credentials['nostr_private_key']
|
||||
env[:nostr_public_key] = node['akkounts']['nostr']['public_key']
|
||||
env[:nostr_relay_url] = node['akkounts']['nostr']['relay_url']
|
||||
|
||||
#
|
||||
# remoteStorage / Liquor Cabinet
|
||||
|
||||
@@ -3,7 +3,6 @@ provides :tls_cert_for
|
||||
|
||||
property :domain, [String, Array], name_property: true
|
||||
property :auth, [String, NilClass], default: nil
|
||||
property :deploy_hook, [String, NilClass], default: nil
|
||||
property :acme_domain, [String, NilClass], default: nil
|
||||
|
||||
default_action :create
|
||||
@@ -37,19 +36,6 @@ action :create do
|
||||
sensitive true
|
||||
end
|
||||
|
||||
if new_resource.deploy_hook
|
||||
deploy_hook_path = "/etc/letsencrypt/renewal-hooks/#{domains.first}"
|
||||
|
||||
file deploy_hook_path do
|
||||
content new_resource.deploy_hook
|
||||
mode 0755
|
||||
owner "root"
|
||||
group "root"
|
||||
end
|
||||
elsif node.run_list.roles.include?("openresty_proxy")
|
||||
deploy_hook_path = "/etc/letsencrypt/renewal-hooks/post/openresty"
|
||||
end
|
||||
|
||||
# Generate a Let's Encrypt cert (only if no cert has been generated before).
|
||||
# The systemd timer will take care of renewing
|
||||
execute "letsencrypt cert for #{domains.join(', ')}" do
|
||||
@@ -61,7 +47,7 @@ action :create do
|
||||
--manual-auth-hook '#{hook_auth_command}' \
|
||||
--manual-cleanup-hook '#{hook_cleanup_command}' \
|
||||
--email ops@kosmos.org \
|
||||
#{"--deploy-hook #{deploy_hook_path}" if defined?(deploy_hook_path)} \
|
||||
#{node.run_list.roles.include?("openresty_proxy") ? '--deploy-hook /etc/letsencrypt/renewal-hooks/post/openresty' : nil } \
|
||||
#{domains.map {|d| "-d #{d}" }.join(" ")}
|
||||
CMD
|
||||
not_if do
|
||||
|
||||
File diff suppressed because one or more lines are too long
@@ -216,7 +216,7 @@ modules:
|
||||
access_createnode: pubsub_createnode
|
||||
ignore_pep_from_offline: false
|
||||
last_item_cache: false
|
||||
max_items_node: 1000
|
||||
max_items_node: 10
|
||||
plugins:
|
||||
- "flat"
|
||||
- "pep" # pep requires mod_caps
|
||||
@@ -258,6 +258,8 @@ modules:
|
||||
type: turns
|
||||
transport: tcp
|
||||
restricted: true
|
||||
mod_vcard:
|
||||
search: false
|
||||
mod_vcard_xupdate: {}
|
||||
mod_avatar: {}
|
||||
mod_version: {}
|
||||
|
||||
@@ -28,9 +28,7 @@ template "#{node['openresty']['dir']}/snippets/mastodon.conf" do
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables web_root_dir: web_root_dir,
|
||||
server_name: server_name,
|
||||
s3_private_url: "#{node["kosmos-mastodon"]["s3_endpoint"]}/#{node["kosmos-mastodon"]["s3_bucket"]}/",
|
||||
s3_public_url: "https://#{node["kosmos-mastodon"]["s3_alias_host"]}/"
|
||||
server_name: server_name
|
||||
notifies :reload, 'service[openresty]', :delayed
|
||||
end
|
||||
|
||||
|
||||
@@ -108,13 +108,11 @@ location @proxy {
|
||||
|
||||
proxy_pass http://mastodon_app;
|
||||
proxy_buffering on;
|
||||
proxy_redirect off;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection $connection_upgrade;
|
||||
|
||||
# https://github.com/mastodon/mastodon/issues/24380
|
||||
proxy_redirect <%= @s3_private_url %> <%= @s3_public_url %>;
|
||||
|
||||
tcp_nodelay on;
|
||||
}
|
||||
|
||||
|
||||
@@ -26,7 +26,6 @@ end
|
||||
tls_cert_for hostname do
|
||||
domain ([hostname]+extra_hostnames)
|
||||
auth "gandi_dns"
|
||||
deploy_hook "systemctl reload postfix.service && systemctl reload dovecot.service"
|
||||
action :create
|
||||
end
|
||||
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
node.default["gitea"]["version"] = "1.22.1"
|
||||
node.default["gitea"]["checksum"] = "b8043324545eec269fc8f18c22b49fc365ed367e0dd41e081b79832de2570f9c"
|
||||
node.default["gitea"]["version"] = "1.22.0"
|
||||
node.default["gitea"]["checksum"] = "a31086f073cb9592d28611394b2de3655db515d961e4fdcf5b549cb40753ef3d"
|
||||
node.default["gitea"]["working_directory"] = "/var/lib/gitea"
|
||||
node.default["gitea"]["port"] = 3000
|
||||
node.default["gitea"]["postgresql_host"] = "localhost:5432"
|
||||
|
||||
@@ -21,13 +21,8 @@ server {
|
||||
location ~ ^/(avatars|repo-avatars)/.*$ {
|
||||
proxy_buffers 1024 8k;
|
||||
proxy_pass http://_gitea_web;
|
||||
proxy_http_version 1.1;
|
||||
expires 30d;
|
||||
proxy_set_header Connection $http_connection;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
|
||||
# Docker registry
|
||||
@@ -35,22 +30,12 @@ server {
|
||||
client_max_body_size 0;
|
||||
proxy_buffers 1024 8k;
|
||||
proxy_pass http://_gitea_web;
|
||||
proxy_set_header Connection $http_connection;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_buffers 1024 8k;
|
||||
proxy_pass http://_gitea_web;
|
||||
proxy_set_header Connection $http_connection;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,10 +1,9 @@
|
||||
release = "20240514"
|
||||
img_filename = "ubuntu-22.04-server-cloudimg-amd64-disk-kvm"
|
||||
ubuntu_server_cloud_image_release = "20230506"
|
||||
|
||||
node.default["kosmos_kvm"]["host"]["qemu_base_image"] = {
|
||||
"url" => "https://cloud-images.ubuntu.com/releases/jammy/release-#{release}/#{img_filename}.img",
|
||||
"checksum" => "2e7698b3ebd7caead06b08bd3ece241e6ce294a6db01f92ea12bcb56d6972c3f",
|
||||
"path" => "/var/lib/libvirt/images/base/#{img_filename}-#{release}.qcow2"
|
||||
"url" => "https://cloud-images.ubuntu.com/releases/focal/release-#{ubuntu_server_cloud_image_release}/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img",
|
||||
"checksum" => "27d2b91fd2b715729d739e2a3155dce70d1aaae4f05c177f338b9d4b60be638c",
|
||||
"path" => "/var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm-#{ubuntu_server_cloud_image_release}.qcow2"
|
||||
}
|
||||
|
||||
# A systemd.timer OnCalendar config value
|
||||
|
||||
@@ -1,20 +0,0 @@
|
||||
Copyright (c) 2024 Kosmos Developers
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining
|
||||
a copy of this software and associated documentation files (the
|
||||
"Software"), to deal in the Software without restriction, including
|
||||
without limitation the rights to use, copy, modify, merge, publish,
|
||||
distribute, sublicense, and/or sell copies of the Software, and to
|
||||
permit persons to whom the Software is furnished to do so, subject to
|
||||
the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be
|
||||
included in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
||||
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
||||
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
||||
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
||||
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||
@@ -1,4 +0,0 @@
|
||||
kosmos_strfry
|
||||
=============
|
||||
|
||||
Installs/configures a strfry relay and its reverse proxy config
|
||||
@@ -1,2 +0,0 @@
|
||||
node.default["strfry"]["ldap_search_dn"] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
|
||||
node.default["strfry"]["extras_dir"] = "/opt/strfry"
|
||||
@@ -1,10 +0,0 @@
|
||||
name 'kosmos_strfry'
|
||||
maintainer 'Kosmos'
|
||||
maintainer_email 'mail@kosmos.org'
|
||||
license 'MIT'
|
||||
description 'strfry wrapper cookbook'
|
||||
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
|
||||
version '0.1.0'
|
||||
|
||||
depends 'kosmos_openresty'
|
||||
depends 'deno'
|
||||
@@ -1,13 +0,0 @@
|
||||
#
|
||||
# Cookbook Name:: kosmos_strfry
|
||||
# Recipe:: firewall
|
||||
#
|
||||
|
||||
include_recipe "kosmos-base::firewall"
|
||||
|
||||
firewall_rule "strfry" do
|
||||
port node["strfry"]["port"]
|
||||
source "10.1.1.0/24"
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
@@ -1,29 +0,0 @@
|
||||
#
|
||||
# Cookbook Name:: kosmos_strfry
|
||||
# Recipe:: nginx
|
||||
#
|
||||
|
||||
domain = node["strfry"]["domain"]
|
||||
|
||||
upstream_hosts = []
|
||||
search(:node, 'role:strfry').each do |node|
|
||||
upstream_hosts << node['knife_zero']['host']
|
||||
end
|
||||
if upstream_hosts.empty?
|
||||
Chef::Log.warn("No node found with 'strfry' role. Not configuring nginx site.")
|
||||
return
|
||||
end
|
||||
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
openresty_site domain do
|
||||
template "nginx_conf_strfry.erb"
|
||||
variables domain: domain,
|
||||
upstream_port: node['strfry']['port'],
|
||||
upstream_hosts: upstream_hosts,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
||||
end
|
||||
@@ -1,83 +0,0 @@
|
||||
#
|
||||
# Cookbook Name:: kosmos_strfry
|
||||
# Recipe:: policies
|
||||
#
|
||||
|
||||
include_recipe "deno"
|
||||
|
||||
#
|
||||
# config
|
||||
#
|
||||
|
||||
ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv')
|
||||
|
||||
extras_dir = node["strfry"]["extras_dir"]
|
||||
|
||||
directory extras_dir do
|
||||
owner node["strfry"]["user"]
|
||||
group node["strfry"]["group"]
|
||||
mode "0755"
|
||||
end
|
||||
|
||||
env = {
|
||||
ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role
|
||||
ldap_bind_dn: ldap_credentials["service_dn"],
|
||||
ldap_password: ldap_credentials["service_password"],
|
||||
ldap_search_dn: node["strfry"]["ldap_search_dn"],
|
||||
whitelist_pubkeys: node["strfry"]["whitelist_pubkeys"].join(",")
|
||||
}
|
||||
|
||||
template "#{extras_dir}/.env" do
|
||||
source 'env.erb'
|
||||
owner node["strfry"]["user"]
|
||||
group node["strfry"]["group"]
|
||||
mode 0600
|
||||
sensitive true
|
||||
variables config: env
|
||||
notifies :restart, "service[strfry]", :delayed
|
||||
end
|
||||
|
||||
#
|
||||
# strfry deno scripts
|
||||
#
|
||||
|
||||
base_url = "https://gitea.kosmos.org/kosmos/akkounts/raw/branch/live/extras/strfry"
|
||||
|
||||
remote_file "#{extras_dir}/deno.json" do
|
||||
source "#{base_url}/deno.json"
|
||||
owner node["strfry"]["user"]
|
||||
group node["strfry"]["group"]
|
||||
mode "0644"
|
||||
notifies :restart, "service[strfry]", :delayed
|
||||
end
|
||||
|
||||
remote_file "#{extras_dir}/deno.lock" do
|
||||
source "#{base_url}/deno.lock"
|
||||
owner node["strfry"]["user"]
|
||||
group node["strfry"]["group"]
|
||||
mode "0644"
|
||||
notifies :restart, "service[strfry]", :delayed
|
||||
end
|
||||
|
||||
remote_file "#{extras_dir}/strfry-policy.ts" do
|
||||
source "#{base_url}/strfry-policy.ts"
|
||||
owner node["strfry"]["user"]
|
||||
group node["strfry"]["group"]
|
||||
mode "0755"
|
||||
notifies :restart, "service[strfry]", :delayed
|
||||
end
|
||||
|
||||
remote_file "#{extras_dir}/ldap-policy.ts" do
|
||||
source "#{base_url}/ldap-policy.ts"
|
||||
owner node["strfry"]["user"]
|
||||
group node["strfry"]["group"]
|
||||
mode "0644"
|
||||
notifies :restart, "service[strfry]", :delayed
|
||||
end
|
||||
|
||||
remote_file "#{extras_dir}/strfry-sync.ts" do
|
||||
source "#{base_url}/strfry-sync.ts"
|
||||
owner node["strfry"]["user"]
|
||||
group node["strfry"]["group"]
|
||||
mode "0644"
|
||||
end
|
||||
@@ -1,11 +0,0 @@
|
||||
<% @config.each do |key, value| %>
|
||||
<% if value.is_a?(Hash) %>
|
||||
<% value.each do |k, v| %>
|
||||
<%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
|
||||
<% end %>
|
||||
<% else %>
|
||||
<% if value %>
|
||||
<%= key.upcase %>=<%= value.to_s %>
|
||||
<% end %>
|
||||
<% end %>
|
||||
<% end %>
|
||||
@@ -1,25 +0,0 @@
|
||||
upstream _strfry {
|
||||
<% @upstream_hosts.each do |host| %>
|
||||
server <%= host %>:<%= @upstream_port || "7777" %>;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
server {
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
server_name <%= @domain %>;
|
||||
|
||||
access_log "/var/log/nginx/<%= @domain %>.access.log";
|
||||
error_log "/var/log/nginx/<%= @domain %>.error.log";
|
||||
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
|
||||
location / {
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_pass http://_strfry;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
}
|
||||
}
|
||||
@@ -1,4 +1,3 @@
|
||||
node.default["kosmos_website"]["domain"] = "kosmos.org"
|
||||
node.default["kosmos_website"]["repo"] = "https://gitea.kosmos.org/kosmos/website.git"
|
||||
node.default["kosmos_website"]["revision"] = "chore/content"
|
||||
node.default["kosmos_website"]["accounts_url"] = "https://accounts.kosmos.org"
|
||||
node.default["kosmos_website"]["domain"] = "kosmos.org"
|
||||
node.default["kosmos_website"]["repo"] = "https://gitea.kosmos.org/kosmos/website.git"
|
||||
node.default["kosmos_website"]["revision"] = "chore/content"
|
||||
|
||||
@@ -23,7 +23,6 @@ end
|
||||
openresty_site domain do
|
||||
template "nginx_conf_website.erb"
|
||||
variables domain: domain,
|
||||
accounts_url: node.default["kosmos_website"]["accounts_url"],
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
||||
end
|
||||
|
||||
@@ -1,35 +0,0 @@
|
||||
#
|
||||
# Cookbook:: kosmos_website
|
||||
# Recipe:: redirects
|
||||
#
|
||||
|
||||
redirects = [
|
||||
{
|
||||
domain: "kosmos.chat",
|
||||
target: "https://kosmos.org",
|
||||
http_status: 307
|
||||
},
|
||||
{
|
||||
domain: "kosmos.cash",
|
||||
acme_domain: "letsencrypt.kosmos.org",
|
||||
target: "https://kosmos.org",
|
||||
http_status: 307
|
||||
}
|
||||
]
|
||||
|
||||
redirects.each do |redirect|
|
||||
tls_cert_for redirect[:domain] do
|
||||
auth "gandi_dns"
|
||||
acme_domain redirect[:acme_domain] unless redirect[:acme_domain].nil?
|
||||
action :create
|
||||
end
|
||||
|
||||
openresty_site redirect[:domain] do
|
||||
template "nginx_conf_redirect.erb"
|
||||
variables domain: redirect[:domain],
|
||||
target: redirect[:target],
|
||||
http_status: redirect[:http_status],
|
||||
ssl_cert: "/etc/letsencrypt/live/#{redirect[:domain]}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{redirect[:domain]}/privkey.pem"
|
||||
end
|
||||
end
|
||||
@@ -1,20 +0,0 @@
|
||||
# Generated by Chef
|
||||
|
||||
server {
|
||||
server_name <%= @domain %>;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
|
||||
error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;
|
||||
|
||||
gzip_static on;
|
||||
gzip_comp_level 5;
|
||||
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
|
||||
location / {
|
||||
return <%= @http_status || 301 %> <%= @target %>;
|
||||
}
|
||||
}
|
||||
@@ -1,18 +0,0 @@
|
||||
# Generated by Chef
|
||||
|
||||
server {
|
||||
server_name <%= @domain %>;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
root /var/www/<%= @domain %>/public;
|
||||
|
||||
access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
|
||||
error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;
|
||||
|
||||
gzip_static on;
|
||||
gzip_comp_level 5;
|
||||
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
}
|
||||
@@ -1,18 +1,9 @@
|
||||
# Generated by Chef
|
||||
|
||||
server {
|
||||
server_name _;
|
||||
listen 80 default_server;
|
||||
|
||||
location / {
|
||||
return 301 https://<%= @domain %>;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
server_name <%= @domain %>;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2 default_server;
|
||||
listen [::]:443 ssl http2 default_server;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
root /var/www/<%= @domain %>/public;
|
||||
|
||||
@@ -27,10 +18,8 @@ server {
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
|
||||
<% if @accounts_url %>
|
||||
location ~ ^/.well-known/(webfinger|nostr|lnurlp|keysend) {
|
||||
proxy_ssl_server_name on;
|
||||
proxy_pass https://accounts.kosmos.org;
|
||||
}
|
||||
<% end %>
|
||||
}
|
||||
|
||||
@@ -18,7 +18,6 @@ end
|
||||
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
acme_domain "letsencrypt.kosmos.org"
|
||||
action :create
|
||||
end
|
||||
|
||||
|
||||
Submodule site-cookbooks/strfry deleted from a4756377b4
Reference in New Issue
Block a user