2 Commits
master
...
chore/upgr
Author | SHA1 | Date |
---|---|---|
Basti | 0cda379c19 | |
Basti | 9cb77c54db |
|
@ -25,9 +25,6 @@
|
|||
"kosmos-hubot::botka_freenode",
|
||||
"kosmos-hubot::hal8000",
|
||||
"kosmos-hubot::hal8000_xmpp",
|
||||
"sockethub",
|
||||
"sockethub::default",
|
||||
"sockethub::proxy",
|
||||
"kosmos-dirsrv",
|
||||
"kosmos-dirsrv::default",
|
||||
"apt::default",
|
||||
|
|
|
@ -24,6 +24,7 @@
|
|||
"kosmos_gitea::nginx",
|
||||
"kosmos_website",
|
||||
"kosmos_website::default",
|
||||
"sockethub::proxy",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
|
|
|
@ -79,7 +79,6 @@
|
|||
"run_list": [
|
||||
"recipe[kosmos-base]",
|
||||
"recipe[kosmos-hubot::botka_irc-libera-chat]",
|
||||
"role[kredits_github]",
|
||||
"role[sockethub]"
|
||||
"role[kredits_github]"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
|
|
@ -6,6 +6,7 @@ default_run_list = %w(
|
|||
kosmos_drone::nginx
|
||||
kosmos_gitea::nginx
|
||||
kosmos_website::default
|
||||
sockethub::proxy
|
||||
)
|
||||
|
||||
env_run_lists(
|
||||
|
|
|
@ -1,6 +1,9 @@
|
|||
name "sockethub"
|
||||
|
||||
default_attributes 'sockethub' => {
|
||||
'version' => '5.0.0-alpha.1'
|
||||
}
|
||||
|
||||
run_list %w(
|
||||
sockethub::default
|
||||
sockethub::proxy
|
||||
)
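Review bot: The role's `default_attributes` now pins `'version' => '5.0.0-alpha.1'` while the cookbook attributes file still sets `node.default['sockethub']['version'] = '4.1.0'` (visible as context in the attributes hunk further down); role default attributes take precedence over cookbook defaults, so the cookbook value is dead but will mislead anyone reading the attributes file on its own. Either drop the cookbook line or annotate it, e.g. `# overridden by the sockethub role's default_attributes; fallback only`. A pre-release pin is also worth a one-line comment in the role stating why that build is required.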
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
node.default['sockethub']['port'] = '10551'
|
||||
node.default['sockethub']['port'] = '10550'
|
||||
node.default['sockethub']['external_port'] = '10550'
|
||||
node.default['sockethub']['version'] = '4.1.0'
|
||||
node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org'
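Review bot: `port` is changed to `'10550'`, which is the same value `external_port` already carries on the next line, so the backend listener and the proxy's public port now coincide; that is harmless as long as the two roles are never converged onto one host, but nothing records that assumption. A short comment would make it explicit, e.g. `# port: backend listener (internal only); external_port: nginx listen port — must differ if both run on one host`. Both values are strings that every consumer converts with `.to_i`; storing them as integers would remove those conversions, though that is a wider change than this hunk.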
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
|
||||
include_recipe 'kosmos-nodejs'
|
||||
include_recipe 'kosmos-redis'
|
||||
include_recipe "kosmos-base::firewall"
|
||||
|
||||
user = "sockethub"
|
||||
group = "sockethub"
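Review bot: `include_recipe "kosmos-base::firewall"` is presumably the line added here, and it is unconditional, whereas the `sockethub::firewall` recipe deleted in this commit only included it inside its `unless node.chef_environment == "development"` block; development nodes therefore now pull in the base firewall setup they previously skipped. If that is unintended, move the include into the `unless` block added at the end of this recipe; if it is intended, a comment such as `# base firewall is configured everywhere; the sockethub rule below is skipped in development` would record the decision.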
|
||||
|
@ -62,3 +63,12 @@ WantedBy=multi-user.target
|
|||
triggers_reload true
|
||||
action [:create, :enable, :start]
|
||||
end
|
||||
|
||||
unless node.chef_environment == "development"
|
||||
firewall_rule 'sockethub' do
|
||||
port [node['sockethub']['port'].to_i]
|
||||
source "10.1.1.0/24"
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
end
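Review bot: `source "10.1.1.0/24"` hard-codes the trusted network for the backend port, while the proxies that must reach this port are discovered dynamically via `search(:node, "role:sockethub")` in the proxy recipe; the two mechanisms can silently diverge if a proxy is ever placed outside that subnet, and nothing explains why the range is trusted. Consider lifting the range into a node attribute and adding a why-comment, e.g. `# backend port is only reachable from the internal proxy network, never from the public interface`. The proxy recipe's rule in the same commit deliberately omits `source`, which makes the contrast worth stating here.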
|
||||
|
|
|
@ -1,14 +0,0 @@
|
|||
#
|
||||
# Cookbook Name:: sockethub
|
||||
# Recipe:: firewall
|
||||
#
|
||||
|
||||
unless node.chef_environment == "development"
|
||||
include_recipe "kosmos-base::firewall"
|
||||
|
||||
firewall_rule 'sockethub' do
|
||||
port node['sockethub']['external_port'].to_i
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
end
|
|
@ -3,50 +3,30 @@
|
|||
# Recipe:: proxy
|
||||
#
|
||||
|
||||
include_recipe 'sockethub::firewall'
|
||||
include_recipe 'kosmos-nginx'
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
include_recipe "kosmos-base::firewall"
|
||||
|
||||
server_name = node['sockethub']['nginx']['server_name']
|
||||
|
||||
nginx_post_hook = <<-EOF
|
||||
#!/usr/bin/env bash
|
||||
nginx_certbot_site server_name
|
||||
|
||||
set -e
|
||||
|
||||
systemctl reload nginx
|
||||
EOF
|
||||
|
||||
file "/etc/letsencrypt/renewal-hooks/post/nginx" do
|
||||
content nginx_post_hook
|
||||
mode 0755
|
||||
owner "root"
|
||||
group "root"
|
||||
upstream_hosts = []
|
||||
search(:node, "role:sockethub").each do |n|
|
||||
upstream_hosts << "#{n["knife_zero"]["host"]}:#{node['sockethub']['port']}"
|
||||
end
|
||||
|
||||
gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
|
||||
|
||||
template "/root/gandi_dns_certbot_hook.sh" do
|
||||
variables gandi_api_key: gandi_api_data_bag_item["key"]
|
||||
mode 0770
|
||||
end
|
||||
|
||||
# Generate a Let's Encrypt cert (only if no cert has been generated before).
|
||||
# The systemd timer will take care of renewing
|
||||
execute "letsencrypt cert for sockethub" do
|
||||
command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/nginx\" --email ops@kosmos.org -d #{server_name} -n"
|
||||
not_if do
|
||||
File.exist?("/etc/letsencrypt/live/#{server_name}/fullchain.pem")
|
||||
end
|
||||
if upstream_hosts.empty?
|
||||
Chef::Log.warn('No server with "sockethub" role. Stopping here.')
|
||||
return
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
|
||||
source 'nginx_conf_sockethub.erb'
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables sockethub_port: node['sockethub']['port'],
|
||||
variables server_name: server_name,
|
||||
upstream_hosts: upstream_hosts,
|
||||
sockethub_external_port: node['sockethub']['external_port'],
|
||||
server_name: server_name,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
|
||||
notifies :reload, 'service[nginx]', :delayed
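Review bot: `upstream_hosts << "#{n["knife_zero"]["host"]}:#{node['sockethub']['port']}"` pairs each discovered backend host with the proxy node's own `port` attribute, so a backend converged with a different `port` would be addressed on the wrong port; `upstream_hosts << "#{n['knife_zero']['host']}:#{n['sockethub']['port']}"` keeps the upstream list in sync with what each backend actually listens on. `n["knife_zero"]["host"]` also raises `NoMethodError` and aborts the run if any matched node lacks a `knife_zero` attribute; reading it via `n.read('knife_zero', 'host')` and skipping nil results with `next` degrades more gracefully. The `nginx_site` block this hunk's template feeds into ends outside the hunk.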
|
||||
|
@ -56,3 +36,10 @@ nginx_site server_name do
|
|||
action :enable
|
||||
end
|
||||
|
||||
unless node.chef_environment == "development"
|
||||
firewall_rule 'sockethub' do
|
||||
port node['sockethub']['external_port'].to_i
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
end
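Review bot: This firewall block is a near-duplicate of the one added to the default recipe in the same commit, differing in the attribute (`external_port` vs `port`), in passing `port` as a scalar here but as an array there, and in the absence of `source`. Using the same argument form in both places would spare a reader from wondering whether the forms differ in meaning. A comment such as `# public-facing port for the nginx proxy; intentionally no source restriction` would make the exposure explicit. The enclosing `nginx_site` block starts outside this hunk.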
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
# Generated by Chef
|
||||
upstream _sockethub {
|
||||
server localhost:<%= @sockethub_port %>;
|
||||
<% @upstream_hosts.each do |upstream_host| -%>
|
||||
server <%= upstream_host %>;
|
||||
<% end -%>
|
||||
}
|
||||
|
||||
map $http_upgrade $connection_upgrade {
|
||||
|
|
|
@ -1,63 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
#
|
||||
|
||||
set -euf -o pipefail
|
||||
|
||||
# ************** USAGE **************
|
||||
#
|
||||
# Example usage (with this hook file saved in /root/):
|
||||
#
|
||||
# sudo su -
|
||||
# certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
|
||||
# --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
|
||||
#
|
||||
# This hook requires configuration, continue reading.
|
||||
#
|
||||
# ************** CONFIGURATION **************
|
||||
#
|
||||
# GANDI_API_KEY: Your Gandi Live API key
|
||||
#
|
||||
# PROVIDER_UPDATE_DELAY:
|
||||
# How many seconds to wait after updating your DNS records. This may be required,
|
||||
# depending on how slow your DNS host is to begin serving new DNS records after updating
|
||||
# them via the API. 30 seconds is a safe default, but some providers can be very slow
|
||||
# (e.g. Linode).
|
||||
#
|
||||
# Defaults to 30 seconds.
|
||||
#
|
||||
GANDI_API_KEY="<%= @gandi_api_key %>"
|
||||
PROVIDER_UPDATE_DELAY=30
|
||||
|
||||
regex='.*\.(.*\..*)'
|
||||
if [[ $CERTBOT_DOMAIN =~ $regex ]]
|
||||
then
|
||||
DOMAIN="${BASH_REMATCH[1]}"
|
||||
else
|
||||
DOMAIN="${CERTBOT_DOMAIN}"
|
||||
fi
|
||||
|
||||
# To be invoked via Certbot's --manual-auth-hook
|
||||
function auth {
|
||||
curl -s -D- -H "Content-Type: application/json" \
|
||||
-H "X-Api-Key: ${GANDI_API_KEY}" \
|
||||
-d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
|
||||
\"rrset_type\": \"TXT\",
|
||||
\"rrset_ttl\": 3600,
|
||||
\"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
|
||||
"https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
|
||||
|
||||
|
||||
sleep ${PROVIDER_UPDATE_DELAY}
|
||||
}
|
||||
|
||||
# To be invoked via Certbot's --manual-cleanup-hook
|
||||
function cleanup {
|
||||
curl -s -X DELETE -H "Content-Type: application/json" \
|
||||
-H "X-Api-Key: ${GANDI_API_KEY}" \
|
||||
https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
|
||||
}
|
||||
|
||||
HANDLER=$1; shift;
|
||||
if [ -n "$(type -t $HANDLER)" ] && [ "$(type -t $HANDLER)" = function ]; then
|
||||
$HANDLER "$@"
|
||||
fi
|