Merge pull request 'Deploy substr' (#579) from feature/substr into master

Reviewed-on: #579

data_bags/credentials/akkounts.json

@@ -1,72 +1,72 @@
 {
   "id": "akkounts",
   "postgresql_username": {
-    "encrypted_data": "bDlOkEmhvMgyVzPeTNUzYnzRLf3T9cc0cDxt\n",
+    "encrypted_data": "v2QoNkkxXGflxEdspIpfJdBjQVraMyF9yHq7\n",
-    "iv": "GCCUoqU5pxQ7fGkv\n",
+    "iv": "du8wubB9xQjOVeOS\n",
-    "auth_tag": "Q7mrSHIBluMe3CGVmoR86Q==\n",
+    "auth_tag": "gDZLYz5/XBCQDlDaFoP6mQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "postgresql_password": {
-    "encrypted_data": "wD0HtdsNe/hl4ZaOy8hyr2k4z8TXQrrSja3KNVE47w==\n",
+    "encrypted_data": "Naz4R5oOCUS/S/CZmW5eoil8BpJ3K1WLUIc3mAihhA==\n",
-    "iv": "tb5yz8WDer0CsGvJ\n",
+    "iv": "0S9Sb1MUoBVWbW9t\n",
-    "auth_tag": "/+K2anuCff/6M7Pu70Smqw==\n",
+    "auth_tag": "L2yGzVMKiKAzfpA+HADRqA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "sentry_dsn": {
-    "encrypted_data": "jCz681x0WVixHYZUb62TO+1cgyJMiJ2UMqWcaztx57yDBOIiKW3oSZjuXdhP\n9WCesfXQF/lgzITZno3IKDqzlKjWgbGLC75y8FLguxidCHI=\n",
+    "encrypted_data": "OXiAeg6lIqEnbplAnKlkwb3o3DTfMJbLC0wnxmguQ8GZiP0RcpPOwUAa9Q3U\naA44f36BCKgHtCxdlVB59TTFA9W24ecU5KWb/jIc7mueSoc=\n",
-    "iv": "IRNOzN/hLwg1iqax\n",
+    "iv": "86cAncfc1K4d43ql\n",
-    "auth_tag": "eg9dWnEK04JDb94e4CFa9Q==\n",
+    "auth_tag": "0i04Y/eFIN+b+5F605d7Dg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "rails_master_key": {
-    "encrypted_data": "nUB77VLRp41rluH7hLBwQqPtnh/HsmfLr2VbcIZHWawL3o2TGuY+mj648f9L\n7XsEpgqY\n",
+    "encrypted_data": "Ypv4g33evnuutOWmGl49kq3Ca3SmfWIswyxGIZA0J/o1ZMGpMOfySim/e7r8\nzdAM/PFo\n",
-    "iv": "fpdbDitqTRHxEKiv\n",
+    "iv": "w2bflz2KIbu/vRT1\n",
-    "auth_tag": "I44fn8Ott3L/Y5LYr56U/Q==\n",
+    "auth_tag": "tpemUQJly8Ft9lN6rP+W4w==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "discourse_connect_secret": {
-    "encrypted_data": "ENtMn+1XTVFmdEZw7LU6WGoMbSZY654ggm3vPACGfFgqo6r0LhG60c5OTdqv\nZvT5/Q==\n",
+    "encrypted_data": "DUK6G5SyRiehJh3iHtCKQj8Ki5+suk9Ds5/ZMp6OP1EshdbpziQ4XNey2x+R\nHCTSVg==\n",
-    "iv": "bL1BmvRhgxFqSM1P\n",
+    "iv": "kfhA3apCUAHcNlwH\n",
-    "auth_tag": "sEBZzGWwwYFHn+4B4SsyCA==\n",
+    "auth_tag": "BqRV+CiF9rFrqEToJeisoQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "lndhub_admin_token": {
-    "encrypted_data": "4LPGFoARzI8UYnsJPIk8sax/rAA16pUULEZWn86e2C7L\n",
+    "encrypted_data": "C3aKQIEwcQNCrr+uyLiOY2KAHZh5dUvTZ9IdANPqkGlr\n",
-    "iv": "nvjXrOwgfgutwEVw\n",
+    "iv": "qrhJJzmmced9lNF1\n",
-    "auth_tag": "A89RUf1sdcS3FVscNPWYLg==\n",
+    "auth_tag": "CH1fOwMWsidmWBwX2+4nJg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "btcpay_auth_token": {
-    "encrypted_data": "ky5iWYF06os0Ek6vIRzWqMTekqJhCOh/Q9DTDIeKhSyk8TnT3O71lCNEt1F5\nXCNq6ux3V6oyHVLWj0o=\n",
+    "encrypted_data": "0vRq3ZeYPtNcdlCUQI0ip6YOaQZKBeK/dODL7IxdrAK9pHz+u53aL8LW92nJ\nmHW2DYcv+eX3ltnwu88=\n",
-    "iv": "zk6WnxsY89oNW1F9\n",
+    "iv": "5HenMAvE1Uu5l7jJ\n",
-    "auth_tag": "FAIMXKvQ1T7QKezVSNJbwQ==\n",
+    "auth_tag": "rJzkZPRYar1qw4dauSNV2w==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_access_key": {
-    "encrypted_data": "KfhfEGwPjOonlz6rpnNTinXFPqX/sIbqQn/aby0UDi/G/7cvEcOiNcCkfuSz\n",
+    "encrypted_data": "QB7XpwhzCvLczUojhcjXy+KX26rEDQHSSw983KP8W7Nud1SNbheU1PrDEQv/\n",
-    "iv": "Q3rg06v6K9pUDLDY\n",
+    "iv": "DTtUXHNQ2g04E+oE\n",
-    "auth_tag": "G5ugdlJ896KtYtObKLclJA==\n",
+    "auth_tag": "0XSkHE+MG4AnVT4XJR9tzw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "s3_secret_key": {
-    "encrypted_data": "N8s1OoDrYXHjqSydQA0kY7dd68Aelq4+/cgmJlYfP92u4YA17V4TR7fsvQZL\nkqjuUSClNYPc0XiCwf/5gxVirE9AO6OmmvSV7lUyu4hcEY6unrU=\n",
+    "encrypted_data": "IEUzFfOBuOwjzD1DbRyk07+jFlZhQVY+a7riDJ3QU1cNYZ3OTJUgJkowA/u5\nrZ6jqehGIzvPlDuzIezxQwN+Dy0ZJueB/ZEdRqhfkXUxgzkqb2s=\n",
-    "iv": "bXzIVWnX6V0P6PRb\n",
+    "iv": "gs9Igisu2EH+dAC/\n",
-    "auth_tag": "1EOjCfsX9P6ETjUsgBvBsA==\n",
+    "auth_tag": "gDFuQCwlCL5mvys83CGv+w==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "nostr_private_key": {
-    "encrypted_data": "Sf8PEyQ0sqcgxddSlIDxLOVzPjOkTFObsYuTgcxkbEV7igrati4e8QVVUEBD\n1yoLJXelp8jlCr28Ectci29jc53gYSMTLSQsw97uYas2R0dGCqQ=\n",
+    "encrypted_data": "sFnQlwyZF0tfMzbaG/bdwqQLPVdHPpbyDT66FY1+ubssmWUpxsuNtbI71KyY\nI1784c7SSl4qKRgHZRrR658bYMKU4whe836qBgSf7Icczp1VSQY=\n",
-    "iv": "+1CIUyvIUOveLrY4\n",
+    "iv": "x8RJT4dcNdtm59Zz\n",
-    "auth_tag": "GDqS+IuAIfMBmHIeFXaV7A==\n",
+    "auth_tag": "6yxBq1W4jCNDYwP6+cTE6g==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

environments/production.json

@@ -107,10 +107,12 @@
       "domain": "nostr.kosmos.org",
       "real_ip_header": "x-real-ip",
       "policy_path": "/opt/strfry/strfry-policy.ts",
-      "whitelist_pubkeys": [
+      "known_pubkeys": {
-        "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
+        "_": "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf",
-        "b3e1b7c0ef48294bd856203bfd460625de95d3afb894e5f09b14cd1f0e7097cf"
+        "accounts": "b3e1b7c1660b7db0ecb93ec55c09e67961171a5c4e9e2602f1b47477ea61c50a",
-      ],
+        "bitcoincore": "47750177bb6bb113784e4973f6b2e3dd27ef1eff227d6e38d0046d618969e41a",
+        "fiatjaf": "3bf0c63fcb93463407af97a5e5ee64fa883d107ef9e558472c4eb9aaaefa459d"
+      },
       "info": {
         "name": "Kosmos Relay",
         "description": "Members-only nostr relay for kosmos.org users",
@@ -118,6 +120,11 @@
         "contact": "ops@kosmos.org",
         "icon": "https://assets.kosmos.org/img/app-icon-256px.png"
       }
+    },
+    "substr": {
+      "relay_urls": [
+        "ws://localhost:7777"
+      ]
     }
   }
 }

nodes/gitea-2.json

@@ -9,7 +9,7 @@
   "automatic": {
     "fqdn": "gitea-2",
     "os": "linux",
-    "os_version": "5.4.0-1096-kvm",
+    "os_version": "5.4.0-1123-kvm",
     "hostname": "gitea-2",
     "ipaddress": "192.168.122.189",
     "roles": [

nodes/strfry-1.json

@@ -27,6 +27,7 @@
       "strfry::default",
       "kosmos_strfry::policies",
       "kosmos_strfry::firewall",
+      "kosmos_strfry::substr",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",

roles/strfry.rb

@@ -5,4 +5,5 @@ run_list %w(
   strfry::default
   kosmos_strfry::policies
   kosmos_strfry::firewall
+  kosmos_strfry::substr
 )

site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb

@@ -231,7 +231,6 @@ modules:
   mod_shared_roster: {}
   mod_stun_disco:
     offer_local_services: false
-    credentials_lifetime: 300
     secret: <%= @stun_secret %>
     services:
       -

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,5 +1,5 @@
-node.default["gitea"]["version"] = "1.22.5"
+node.default["gitea"]["version"] = "1.22.6"
-node.default["gitea"]["checksum"] = "ce2c7e4fff3c1e3ed59f5b5e00e3f2d301f012c34e329fccd564bc5129075460"
+node.default["gitea"]["checksum"] = "fd77f1a0273c85a0950207c1cfa6753a9fa57604e4ab1382484b191cc919ce15"
 node.default["gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["gitea"]["port"] = 3000
 node.default["gitea"]["postgresql_host"] = "localhost:5432"

site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb

@@ -16,7 +16,7 @@ server {
 
   add_header Strict-Transport-Security "max-age=31536000";
 
-  client_max_body_size 20M;
+  client_max_body_size 121M;
 
   location ~ ^/(avatars|repo-avatars)/.*$ {
     proxy_buffers 1024 8k;

site-cookbooks/kosmos_strfry/attributes/default.rb

@@ -1,2 +1,10 @@
 node.default["strfry"]["ldap_search_dn"] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
 node.default["strfry"]["extras_dir"] = "/opt/strfry"
+
+# node.default["substr"]["repo"] = "https://gitea.kosmos.org/kosmos/substr.git"
+# node.default["substr"]["revision"] = "master"
+node.default["substr"]["version"] = "nightly"
+node.default["substr"]["download_url"] = "https://gitea.kosmos.org/api/packages/kosmos/generic/substr/#{node["substr"]["version"]}/substr_x86_64-unknown-linux-gnu"
+node.default["substr"]["workdir"] = "/opt/substr"
+node.default["substr"]["port"] = 30023
+node.default["substr"]["relay_urls"] = ["ws://localhost:7777"]

site-cookbooks/kosmos_strfry/recipes/policies.rb

@@ -24,7 +24,7 @@ env = {
   ldap_bind_dn: ldap_credentials["service_dn"],
   ldap_password: ldap_credentials["service_password"],
   ldap_search_dn: node["strfry"]["ldap_search_dn"],
-  whitelist_pubkeys: node["strfry"]["whitelist_pubkeys"].join(",")
+  whitelist_pubkeys: node["strfry"]["known_pubkeys"].values.join(",")
 }
 
 template "#{extras_dir}/.env" do

site-cookbooks/kosmos_strfry/recipes/substr.rb

@@ -0,0 +1,100 @@
+#
+# Cookbook:: kosmos_strfry
+# Recipe:: substr
+#
+
+unless platform?("ubuntu")
+  raise "This recipe only supports Ubuntu installs at the moment"
+end
+
+apt_package "imagemagick"
+
+directory node["substr"]["workdir"] do
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  mode "0755"
+end
+
+if node["substr"]["download_url"]
+  remote_file '/usr/local/bin/substr' do
+    source node["substr"]["download_url"]
+    checksum node["substr"]["checksum"]
+    mode '0755'
+    show_progress true
+    notifies :restart, "service[substr]", :delayed
+  end
+
+  exec_start = "/usr/local/bin/substr"
+else
+  # TODO Install Deno 2
+
+  git node["substr"]["workdir"] do
+    user node["strfry"]["user"]
+    group node["strfry"]["group"]
+    repository node['substr']['repo']
+    revision node['substr']['revision']
+    action :sync
+    notifies :restart, "service[substr]", :delayed
+  end
+
+  exec_start = "deno task server"
+end
+
+file "#{node["substr"]["workdir"]}/users.yaml" do
+  mode "0644"
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  content node["strfry"]["known_pubkeys"].to_yaml
+  notifies :restart, "service[substr]", :delayed
+end
+
+ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv')
+
+env = {
+  port: node['substr']['port'],
+  base_url: "https://#{node["strfry"]["domain"]}",
+  relay_urls: node['substr']['relay_urls'].join(","),
+  ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role
+  ldap_bind_dn: ldap_credentials["service_dn"],
+  ldap_password: ldap_credentials["service_password"],
+  ldap_search_dn: node["strfry"]["ldap_search_dn"],
+}
+
+template "#{node["substr"]["workdir"]}/.env" do
+  source 'env.erb'
+  owner node["strfry"]["user"]
+  group node["strfry"]["group"]
+  mode 0600
+  sensitive true
+  variables config: env
+  notifies :restart, "service[substr]", :delayed
+end
+
+systemd_unit "substr.service" do
+  content({
+    Unit: {
+      Description: "substr for nostr",
+      Documentation: ["https://gitea.kosmos.org/kosmos/substr"],
+    },
+    Service: {
+      Type: "simple",
+      User: node["strfry"]["user"],
+      WorkingDirectory: node["substr"]["workdir"],
+      ExecStart: exec_start,
+      Restart: "on-failure",
+      RestartSec: "5",
+      ProtectHome: "no",
+      NoNewPrivileges: "yes",
+      ProtectSystem: "full"
+    },
+    Install: {
+      WantedBy: "multi-user.target"
+    }
+  })
+  triggers_reload true
+  action :create
+end
+
+service "substr" do
+  action [:enable, :start]
+end

site-cookbooks/kosmos_strfry/templates/nginx_conf_strfry.erb

@@ -4,6 +4,12 @@ upstream _strfry {
 <% end %>
 }
 
+upstream _substr {
+<% @upstream_hosts.each do |host| %>
+  server <%= host %>:30023;
+<% end %>
+}
+
 server {
   server_name <%= @domain %>;
   listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
@@ -15,6 +21,16 @@ server {
   ssl_certificate     <%= @ssl_cert %>;
   ssl_certificate_key <%= @ssl_key %>;
 
+  location = /favicon.ico {
+    alias /var/www/assets.kosmos.org/site/img/favicon.ico;
+  }
+
+  location ~* ^/[@~n]|^/assets {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_pass http://_substr;
+  }
+
   location / {
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;