.chef/config.rb

@@ -27,7 +27,7 @@ knife[:automatic_attribute_whitelist] = %w[
 ]
 
 knife[:default_attribute_whitelist] = []
-knife[:normal_attribute_whitelist] = ['knife_zero', 'kosmos_kvm', 'kosmos-ejabberd', 'openresty']
+knife[:normal_attribute_whitelist] = ['knife_zero', 'kosmos_kvm', 'kosmos-ejabberd']
 knife[:override_attribute_whitelist] = []
 
-knife[:allowed_normal_attributes] = ['knife_zero', 'kosmos_kvm', 'kosmos-ejabberd', 'openresty']
+knife[:allowed_normal_attributes] = ['knife_zero', 'kosmos_kvm', 'kosmos-ejabberd']

site-cookbooks/kosmos-base/recipes/letsencrypt.rb

@@ -52,17 +52,16 @@ end
   end
 end
 
-if node.run_list.roles.include?("openresty_proxy")
-  file "/etc/letsencrypt/renewal-hooks/post/openresty" do
-    content <<-EOF
-  #!/usr/bin/env bash
-  # Reloading openresty is enough to read the new certificates
-  systemctl reload openresty
-    EOF
-    mode 0755
-    owner "root"
-    group "root"
-  end
+# TODO check if nginx is installed/running on the node
+file "/etc/letsencrypt/renewal-hooks/deploy/nginx" do
+  content <<-EOF
+#!/usr/bin/env bash
+# Reloading nginx is enough to read the new certificates
+systemctl reload nginx
+  EOF
+  mode 0755
+  owner "root"
+  group "root"
 end
 
 # include_recipe 'kosmos-base::systemd_emails'

site-cookbooks/kosmos-base/resources/tls_cert_for.rb

@@ -1,46 +0,0 @@
-resource_name :tls_cert_for
-provides :tls_cert_for
-
-property :domain, [String, Array], name_property: true
-property :auth, [String, NilClass], default: nil
-
-default_action :create
-
-action :create do
-  include_recipe 'kosmos-base::letsencrypt'
-
-  domains = Array(new_resource.domain)
-
-  case new_resource.auth
-  when "gandi_dns"
-    gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
-
-    hook_path = "/root/gandi_dns_certbot_hook.sh"
-    template hook_path do
-      cookbook "kosmos-base"
-      variables gandi_api_key: gandi_api_data_bag_item["key"]
-      mode 0770
-    end
-
-    # Generate a Let's Encrypt cert (only if no cert has been generated before).
-    # The systemd timer will take care of renewing
-    execute "letsencrypt cert for #{domains.join(', ')}" do
-      command <<-CMD
-      certbot certonly --manual -n \
-        --preferred-challenges dns \
-        --manual-public-ip-logging-ok \
-        --agree-tos \
-        --manual-auth-hook '#{hook_path} auth' \
-        --manual-cleanup-hook '#{hook_path} cleanup' \
-        --deploy-hook /etc/letsencrypt/renewal-hooks/post/openresty \
-        --email ops@kosmos.org \
-        #{domains.map {|d| "-d #{d}" }.join(" ")}
-      CMD
-      not_if do
-        ::File.exist?("/etc/letsencrypt/live/#{domains.first}/fullchain.pem")
-      end
-    end
-  else
-    # regular http auth
-  end
-end

site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb

@@ -1,63 +0,0 @@
-#!/usr/bin/env bash
-#
-
-set -euf -o pipefail
-
-# ************** USAGE **************
-#
-# Example usage (with this hook file saved in /root/):
-#
-#   sudo su -
-#   certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
-#     --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
-#
-# This hook requires configuration, continue reading.
-#
-# ************** CONFIGURATION **************
-#
-# GANDI_API_KEY: Your Gandi Live API key
-#
-# PROVIDER_UPDATE_DELAY:
-#   How many seconds to wait after updating your DNS records. This may be required,
-#   depending on how slow your DNS host is to begin serving new DNS records after updating
-#   them via the API. 30 seconds is a safe default, but some providers can be very slow
-#   (e.g. Linode).
-#
-#   Defaults to 30 seconds.
-#
-GANDI_API_KEY="<%= @gandi_api_key %>"
-PROVIDER_UPDATE_DELAY=2
-
-regex='.*\.(.*\..*)'
-if [[ $CERTBOT_DOMAIN =~ $regex ]]
-then
-  DOMAIN="${BASH_REMATCH[1]}"
-else
-  DOMAIN="${CERTBOT_DOMAIN}"
-fi
-
-# To be invoked via Certbot's --manual-auth-hook
-function auth {
-    curl -s -D- -H "Content-Type: application/json" \
-        -H "X-Api-Key: ${GANDI_API_KEY}" \
-        -d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
-             \"rrset_type\": \"TXT\",
-             \"rrset_ttl\": 3600,
-             \"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
-        "https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
-
-
-    sleep ${PROVIDER_UPDATE_DELAY}
-}
-
-# To be invoked via Certbot's --manual-cleanup-hook
-function cleanup {
-    curl -s -X DELETE -H "Content-Type: application/json" \
-        -H "X-Api-Key: ${GANDI_API_KEY}" \
-        https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
-}
-
-HANDLER=$1; shift;
-if [ -n "$(type -t $HANDLER)" ] && [ "$(type -t $HANDLER)" = function ]; then
-  $HANDLER "$@"
-fi

site-cookbooks/kosmos_assets/metadata.rb

@@ -7,5 +7,4 @@ long_description 'Configures static asset Web hosting'
 version '1.0.0'
 chef_version '>= 15.10' if respond_to?(:chef_version)
 
-depends "kosmos-base"
-depends "kosmos_openresty"
+depends "kosmos-nginx"

site-cookbooks/kosmos_assets/recipes/nginx_site.rb

@@ -1,35 +1,38 @@
 #
 # Cookbook:: kosmos_assets
-# Recipe:: openresty_site
+# Recipe:: nginx_site
 #
 
-include_recipe "kosmos_openresty"
+include_recipe "kosmos-nginx"
 
 domain = node["kosmos_assets"]["domain"]
 
-tls_cert_for domain do
-  auth "gandi_dns"
-  action :create
-end
+nginx_certbot_site domain
 
 directory "/var/www/#{domain}/site" do
-  user node["openresty"]["user"]
-  group node["openresty"]["group"]
+  user node["nginx"]["user"]
+  group node["nginx"]["group"]
   mode "0755"
-  recursive true
 end
 
 git "/var/www/#{domain}/site" do
-  user node["openresty"]["user"]
-  group node["openresty"]["group"]
+  user node["nginx"]["user"]
+  group node["nginx"]["group"]
   repository node["kosmos_assets"]["repo"]
   revision node["kosmos_assets"]["revision"]
   action :sync
 end
 
-openresty_site domain do
-  template "nginx_conf_assets.erb"
+template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
+  source "nginx_conf_assets.erb"
+  owner node["nginx"]["user"]
+  mode 0640
   variables domain: domain,
-            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
-            ssl_key:  "/etc/letsencrypt/live/#{domain}/privkey.pem"
+            ssl_cert:    "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key:     "/etc/letsencrypt/live/#{domain}/privkey.pem"
+  notifies :reload, "service[nginx]", :delayed
+end
+
+nginx_site domain do
+  action :enable
 end

site-cookbooks/kosmos_assets/templates/nginx_conf_assets.erb

@@ -2,7 +2,7 @@
 # Generated by Chef
 
 server {
-  listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
+  listen 443 ssl http2;
   listen [::]:443 ssl http2;
   server_name <%= @domain %>;
 

site-cookbooks/kosmos_openresty/recipes/default.rb

@@ -5,8 +5,3 @@
 
 # Install openresty from official packages
 include_recipe 'openresty::apt_package'
-
-openresty_site 'hello_world' do
-  template 'hello_world.conf.erb'
-  action :enable
-end

site-cookbooks/kosmos_openresty/templates/hello_world.conf.erb

@@ -1,9 +0,0 @@
-server {
-        listen 80 reuseport;
-        location / {
-                default_type text/plain;
-                content_by_lua_block {
-                        ngx.say("Hello World")
-                }
-        }
-}

site-cookbooks/openresty

@@ -1 +1 @@
-Subproject commit f48675c7f6aa03498dcd966a21f38d8f8f25f9f4
+Subproject commit 0406e84985a43afc9253b238f563a0850aca892e