Configure kosmos-github

closes #35

data_bags/credentials/kredits-github.json

@@ -0,0 +1,24 @@
+{
+  "id": "kredits-github",
+  "app_id": {
+    "encrypted_data": "DVvsNFAlZIO1NMmo1dVbA05MYdyJfPG9\n",
+    "iv": "JP4lpX3pFT8l43Hl\n",
+    "auth_tag": "EncRbtgQigRvLIfbMS+IxQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "private_key": {
+    "encrypted_data": "nV2ecoeWtL/TIM9grbsDAVh34gkaE/bJFc7qebUA9fOU40eeC7xMQst9pBZ+\nIfok2Y4Q0+ABQEKTrilfhSAOA+Hck66W2k1oNdCKXRcNb40T0Y01L77nNdzO\n0b6+uzopQ9oe2M5PF283gk8JWWQV9qED4eKpXEyU8prooA26KabXSrnsMESU\nIztULMsHNhUbDPHBRiEA6q/YUKlw8R++Sh9BcOjjeAEK+pueiARDh+yNMfJV\nomZRWfqncLlryDY6g+hbWEy5Oh+uMD8Th7zhbO//5dPOP1T6ZJjzHfhVQw+v\ng8txFD505yCBKiv70K4cHy9dF+ExFzJBcgr42gJ60gzShemZywAxOCDIc2yz\nFSEVwxGlxYRs5PLHhOT+KCaDzE7w5JmHDyMzv0j+IJnUtPPeInUUI9CNw42F\nmXygqGaY2BmJXAqYtCqEeMsZBtXijqu3TY3mmqxudupxethRrXZ9uZ0I3Ohf\nw6BCnqTw/sT3JkBxtNRQeEQvF+2G8ysXyLujkbqAyWiT+fCmS14FhisEOr8H\n6ojfRGb5iHHScG5wTwXn6tr4de9jjVk5Hrth3Rj46ZImMd1lzROPYyIcWFlS\no57Y3nmF6j7pjDBz++nInnpGlzPG+17sG4OSp6t0t93Vwkr8q9WNQjLo0Jqc\nLNaziU1ke3g+ZpKnHhUwJ2sCyVk4xvVD98hx4lhwCPzKghGQhWu6Vo2YfN79\nhSMjNw5N/3WFxdb5EuF4vYWOFitBvogPkAusZjrexlhUmGIS2qf+jlKvo6yD\nIl8CrCYZttj1UnyCuDmftIXTY9/7czBDQgq+vHlT33e7hNLHD7tFDeTEaz0t\nS+/I0+BgEnKv7aQHSSKExg3ZNc86yqfREKNsKxf4O6YiceBP7r/0qqFR6VBH\nIOQpUwK2e6cv70VmmtoEIjIpRZIOScrVVc1w2QlCj7xH9WfdEG9GSft3uHqd\nqbpegChVNuq2tEq7DoAC8ednjzbYdka4bpGJCqF6zm1c48WaL0G6VBLioi/r\nwFhCNi6AOEYkX0v3wovxME1aodfzBiu1Q6nEuzflZthr+1zERZXXaXY59VZ8\nqzWnLd5Xd/SxvvODY67fdykP90Kn94Xf+6XD9r72ch3S3ZqoWi66YFyqZ5Aa\n0LVKK+nCUwlGWjdgzcEcGx5OOyvbqm2VVnwWo2HuVk/iTzkrppF9y5nvFWUc\n6FfDdGWytkmzRH3KBZ9GKqgrIrswUmsSoIHESugVouJ+QfbFZZLLQS/0p4wH\nPFT8H8GSUvg8CEbap4JRW3R/+yspqSXipfIH5TrKr6NkyggWSE7EMNYq41eU\nuFWtwqX/z8x0SVVo+thAXkgg7KcZrZ9W4LdSGnfrx90QGZ0/K9Xs27pPY8R1\nSUNpaUc3S4Vxt28ualRBksuiIXT9AJGPGQf5UOgpOzBmDFw0GSjZdzz33tLL\n49Ymktapc6mC1FCxkJO3e+pI/I34+FcD9oiVea5v0Gg1cuuZInGJBYrq0PBE\nTaz0w2e8X/eQ2fVnQlUgmHlPcOugtoK8sLEO2+HDyBmIx9ypCfqFo6tu+MHG\nZTRp1GFmifYKUMnGvyxgo7mMFuSJtzgF/UR4PddbfX9yFAxPUTzM2Ba4s9um\nBZXKQoQB/dS9wXhmZVme9Yjq/D1d8w3wosSOcDV3apNerDxegbFqt8ugYbtQ\nmy35aHCXU560Xi1uyWBggRXsoWSsb3RZhNbTz6vsvsly9kj6pSUtxbAiwvwI\nrZuGwvNUgYHdXaHdQAqyCAiIF3KJfQGTyk2di26BZ3K8eTnP3tKbTT157Adf\nOt4e+sHhfmacjmXN9FFuOlLddOk45Y7YSRDwGgqS3NqTSo21GAPBSDqfwqkr\neG76OKxoijCMYeJQ6h0lqh8lXYO5h376BdbUMvZfiy8PzkfbCZ9j45b/jHQD\n8CSWz+T8LmQM4Mg69MZn3zAYOSrPQj9DMbwuQshqe19qRlrexRRemWATvkSO\nYchQJ2891WGn7WZ2vrd9VpEdiXdC6JmCpDfoBBJ3JcaknTrNx7VBPc/48rli\nIlso0fzzxTGIrJjFbYL38Br20/qZcXzOO+YJXuHY+n5vuZ2870yPck4r1vUX\n6HSRALY768YGSLNWwfg9sDfbOcpfxKrnrNJxF5Nz7cGN63CKm1e6GZG+vSX+\nNBkumwPGyUWtLJO+JE8l6yivOZeq01W+XOjSh8NzrQJ3Tt2XVhuqWy+ruXS0\nA9O2/tdI2pu0ed63TVaWL/ULYrfXtHtCOYyjc5ulIwX7+L9LXU2I9zmycp0u\n3eR50MpHBgGSCyk=\n",
+    "iv": "IlCQ6yNhvGFeTJlP\n",
+    "auth_tag": "bItEhCOGVHB2HMzWKuyExg==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "webhook_secret": {
+    "encrypted_data": "5aUw9uwoX7BmUXCXLjJ82VtEOAAaneldYMUnv2XJqL+XUNokmdf/tQwTjI7R\n8Ov1+sXCp2R073apPUk=\n",
+    "iv": "6VeynEodre6uhBE7\n",
+    "auth_tag": "kRGFN3q+N0NKPwoLRrtgtw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}

nodes/barnard.kosmos.org.json

@@ -0,0 +1,9 @@
+{
+  "run_list": [
+    "role[base]",
+    "kredits-github"
+  ],
+  "automatic": {
+    "ipaddress": "barnard.kosmos.org"
+  }
+}

site-cookbooks/kredits-github/CHANGELOG.md

@@ -0,0 +1,6 @@
+kredits-github CHANGELOG
+========================
+
+0.1.0
+-----
+- [Râu Cao] - Initial release of kredits-github

site-cookbooks/kredits-github/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2019 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

site-cookbooks/kredits-github/README.md

@@ -0,0 +1,31 @@
+kredits-github Cookbook
+=======================
+
+This cookbook installs [kredits-github](https://github.com/67P/kredits-github).
+
+Attributes
+----------
+
+#### kredits-github::default
+<table>
+  <tr>
+    <th>Key</th>
+    <th>Type</th>
+    <th>Description</th>
+    <th>Default</th>
+  </tr>
+  <tr>
+    <td><tt>['sockethub']['port']</tt></td>
+    <td>Integer</td>
+    <td>The local port to run sockethub on</td>
+    <td><tt>10551</tt></td>
+  </tr>
+  <tr>
+    <td><tt>['sockethub']['external_port']</tt></td>
+    <td>Integer</td>
+    <td>The external port to run sockethub on. This will also open the port on the firewall</td>
+    <td><tt>10550</tt></td>
+  </tr>
+</table>
+
+Right now the nginx vhost is hardcoded: sockethub.kosmos.org

site-cookbooks/kredits-github/attributes/default.rb

@@ -0,0 +1,3 @@
+node.default['kredits-github']['port']          = '3000'
+node.default['kredits-github']['revision']      = 'master'
+node.default['kredits-github']['domain']        = 'kredits-github.kosmos.org'

site-cookbooks/kredits-github/metadata.rb

@@ -0,0 +1,12 @@
+name             'kredits-github'
+maintainer       'Kosmos'
+maintainer_email 'mail@kosmos.org'
+license          'MIT'
+description      'Installs/Configures kredits-github'
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+version          '0.1.0'
+
+depends 'application_javascript'
+depends 'kosmos-nodejs'
+depends 'kosmos-nginx'
+depends 'firewall'

site-cookbooks/kredits-github/recipes/default.rb

@@ -0,0 +1,96 @@
+#
+# Cookbook Name:: sockethub
+# Recipe:: default
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2019, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe 'kosmos-nodejs'
+include_recipe 'kredits-github::nginx'
+
+app_name     = "kredits-github"
+deploy_user  = "deploy"
+deploy_group = "deploy"
+credentials  = Chef::EncryptedDataBagItem.load('credentials', app_name)
+
+group deploy_group
+
+user deploy_user do
+  group       deploy_group
+  manage_home true
+  shell       "/bin/bash"
+  comment     "deploy user"
+end
+
+path_to_deploy = "/opt/#{app_name}"
+application path_to_deploy do
+  owner deploy_user
+  group deploy_group
+
+  git do
+    user  deploy_user
+    group deploy_group
+    repository "https://github.com/67P/#{app_name}.git"
+    revision   node[app_name]['revision']
+  end
+
+  npm_install do
+    user deploy_user
+  end
+
+  execute "systemctl daemon-reload" do
+    command "systemctl daemon-reload"
+    action :nothing
+  end
+
+  file "#{path_to_deploy}/github_app_key.pem" do
+    content credentials['private_key']
+    owner deploy_user
+    group deploy_group
+    mode '0440'
+  end
+
+  template "/lib/systemd/system/#{app_name}.service" do
+    source 'nodejs.systemd.service.erb'
+    owner 'root'
+    group 'root'
+    mode '0644'
+    variables(
+      user: deploy_user,
+      group: deploy_group,
+      app_dir: path_to_deploy,
+      entry: "/usr/bin/node /usr/bin/npm start",
+      environment: {
+        'LOG_LEVEL'        => "debug",
+        'APP_ID'           => credentials['app_id'],
+        'PRIVATE_KEY_PATH' => "#{path_to_deploy}/github_app_key.pem",
+        'WEBHOOK_SECRET'   => credentials['webhook_secret'],
+      }
+    )
+    notifies :run, "execute[systemctl daemon-reload]", :delayed
+    notifies :restart, "service[#{app_name}]", :delayed
+  end
+
+  service app_name do
+    action [:enable, :start]
+  end
+end

site-cookbooks/kredits-github/recipes/nginx.rb

@@ -0,0 +1,46 @@
+#
+# Cookbook Name:: kredits-github
+# Recipe:: nginx
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2019, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe 'kosmos-nginx'
+server_name = node['kredits-github']['domain']
+
+template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
+  source 'nginx_conf.erb'
+  owner 'www-data'
+  mode 0640
+  variables app_name:    "kredits-github",
+            nodejs_port: node['kredits-github']['port'],
+            server_name: server_name,
+            ssl_cert:    "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
+            ssl_key:     "/etc/letsencrypt/live/#{server_name}/privkey.pem"
+  notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site server_name do
+  action :enable
+end
+
+nginx_certbot_site server_name

site-cookbooks/kredits-github/templates/default/nginx_conf.erb

@@ -0,0 +1,26 @@
+# Generated by Chef
+upstream _<%= @app_name %> {
+  server   localhost:<%= @nodejs_port %>;
+}
+
+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+server {
+  listen 443 ssl http2;
+  add_header Strict-Transport-Security "max-age=15768000";
+
+  server_name <%= @server_name %>;
+
+  access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log json;
+  error_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.error.log warn;
+
+  gzip on;
+
+  location / {
+    proxy_buffers 1024 8k; # Increase number of buffers. Default is 8
+    proxy_pass http://_<%= @app_name %>;
+   }
+
+  ssl_certificate <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+}
+<% end -%>

site-cookbooks/kredits-github/templates/default/nodejs.systemd.service.erb

@@ -0,0 +1,17 @@
+[Unit]
+Description=Start nodejs app
+Requires=nginx.service
+After=nginx.service
+
+[Service]
+ExecStart=<%= @entry %>
+WorkingDirectory=<%= @app_dir %>
+User=<%= @user %>
+Group=<%= @group %>
+<% unless @environment.empty? -%>
+Environment=<% @environment.each do |key, value| -%>'<%= key %>=<%= value %>' <% end %>
+<% end -%>
+Restart=always
+
+[Install]
+WantedBy=multi-user.target