From 29a5947d18ba3b84d8573de854bd840f538f3909 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Wed, 25 Mar 2020 12:43:39 +0100
Subject: [PATCH 1/9] Deploy Sockethub from the npm package

This is currently 3.1.4 and is set as an attribute. The recipe is very simple now, it installs the npm package, and the systemd service runs /usr/bin/sockethub and sets the environment variables

Closes #145
---
 .../sockethub/attributes/default.rb | 2 +-
 site-cookbooks/sockethub/metadata.rb | 3 +-
 site-cookbooks/sockethub/recipes/default.rb | 72 ++++++++-----------
 .../default/nginx_conf_sockethub.erb | 8 ++-
 .../default/nodejs.systemd.service.erb | 1 -
 5 files changed, 37 insertions(+), 49 deletions(-)

diff --git a/site-cookbooks/sockethub/attributes/default.rb b/site-cookbooks/sockethub/attributes/default.rb
index 7935b9b..c3a9599 100644
--- a/site-cookbooks/sockethub/attributes/default.rb
+++ b/site-cookbooks/sockethub/attributes/default.rb
@@ -1,4 +1,4 @@
 node.default['sockethub']['port'] = '10551'
 node.default['sockethub']['external_port'] = '10550'
-node.default['sockethub']['revision'] = 'v3.0.1'
+node.default['sockethub']['version'] = '3.1.4'
 node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org'
diff --git a/site-cookbooks/sockethub/metadata.rb b/site-cookbooks/sockethub/metadata.rb
index 0c5347b..db2d286 100644
--- a/site-cookbooks/sockethub/metadata.rb
+++ b/site-cookbooks/sockethub/metadata.rb
@@ -4,9 +4,8 @@ maintainer_email 'mail@kosmos.org'
 license 'MIT'
 description 'Installs/Configures sockethub'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '0.1.1'
+version '0.2.0'
-depends 'application_javascript'
 depends 'kosmos-redis'
 depends 'kosmos-nodejs'
 depends 'kosmos-nginx'
diff --git a/site-cookbooks/sockethub/recipes/default.rb b/site-cookbooks/sockethub/recipes/default.rb
index df30690..156ada0 100644
--- a/site-cookbooks/sockethub/recipes/default.rb
+++ b/site-cookbooks/sockethub/recipes/default.rb
@@ -39,47 +39,33 @@ user "sockethub" do
 shell "/bin/bash"
 end
-path_to_deploy = "/opt/sockethub"
-application path_to_deploy do
- owner "sockethub"
- group "sockethub"
-
- git do
- user "sockethub"
- group "sockethub"
- repository 'https://github.com/sockethub/sockethub.git'
- revision node['sockethub']['revision']
- end
-
- npm_install do
- user "sockethub"
- end
-
- execute "systemctl daemon-reload" do
- command "systemctl daemon-reload"
- action :nothing
- end
-
- template "/lib/systemd/system/sockethub_nodejs.service" do
- source 'nodejs.systemd.service.erb'
- owner 'root'
- group 'root'
- mode '0644'
- variables(
- user: "sockethub",
- group: "sockethub",
- app_dir: path_to_deploy,
- entry: "/usr/bin/node /usr/bin/npm start",
- environment: { 'DEBUG' => '*',
- 'PORT' => node['sockethub']['port'],
- # Use the second database (index starts at 0)
- 'REDIS_URL' => "redis://localhost:6379/1" }
- )
- notifies :run, "execute[systemctl daemon-reload]", :delayed
- notifies :restart, "service[sockethub_nodejs]", :delayed
- end
-
- service "sockethub_nodejs" do
- action [:enable, :start]
- end
+npm_package "sockethub" do
+ version node['sockethub']['version']
+end
+
+execute "systemctl daemon-reload" do
+ command "systemctl daemon-reload"
+ action :nothing
+end
+
+template "/lib/systemd/system/sockethub_nodejs.service" do
+ source 'nodejs.systemd.service.erb'
+ owner 'root'
+ group 'root'
+ mode '0644'
+ variables(
+ user: "sockethub",
+ group: "sockethub",
+ entry: "/usr/bin/sockethub",
+ environment: { 'DEBUG' => '*',
+ 'PORT' => node['sockethub']['port'],
+ # Use the second database (index starts at 0)
+ 'REDIS_URL' => "redis://localhost:6379/1" }
+ )
+ notifies :run, "execute[systemctl daemon-reload]", :delayed
+ notifies :restart, "service[sockethub_nodejs]", :delayed
+end
+
+service "sockethub_nodejs" do
+ action [:enable, :start]
 end
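Review bot: `npm_package "sockethub"` pins only the top-level package to `node['sockethub']['version']`; unless the published package ships an npm-shrinkwrap.json, its transitive dependencies are resolved against the registry at install time, so two nodes converged on different days can run different dependency trees under the same attribute value. The resource also performs a global install as root, which is presumably what makes `/usr/bin/sockethub` (the `entry` used further down) appear, and that coupling is not stated anywhere. A comment above the resource such as `# Global install as root; /usr/bin/sockethub is the bin shim npm creates. Only the top-level version is pinned here.` makes the supply-chain boundary explicit for the next maintainer. The enclosing recipe continues before and after this hunk.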
diff --git a/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb b/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb
index 4ed2689..a25bd84 100644
--- a/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb
+++ b/site-cookbooks/sockethub/templates/default/nginx_conf_sockethub.erb
@@ -8,10 +8,13 @@ map $http_upgrade $connection_upgrade {
 '' close;
 }
-<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
+ <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 listen <%= @sockethub_external_port %> ssl http2;
 add_header Strict-Transport-Security "max-age=15768000";
+ <% else -%>
+ listen <%= @sockethub_external_port %>;
+ <% end -%>
 server_name <%= @server_name %>;
@@ -32,7 +35,8 @@ server {
 proxy_set_header Connection $connection_upgrade;
 }
+ <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 ssl_certificate <%= @ssl_cert %>;
 ssl_certificate_key <%= @ssl_key %>;
+ <% end -%>
 }
-<% end -%>
diff --git a/site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb b/site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb
index 8dc98a9..2c42623 100644
--- a/site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb
+++ b/site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb
@@ -5,7 +5,6 @@ After=redis-server.service
 [Service]
 ExecStart=<%= @entry %>
-WorkingDirectory=<%= @app_dir %>
 User=<%= @user %>
 Group=<%= @group %>
 <% unless @environment.empty? -%>
-- 
2.25.1

From 43736cd8e9c78d970af99898e5aab77ba974bfd3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Wed, 25 Mar 2020 17:51:28 +0100
Subject: [PATCH 2/9] Move the debug logs env variable to an attribute

Set it to 'sockethub*' for now as Nick advised, see https://gitea.kosmos.org/kosmos/chef/issues/91
---
 site-cookbooks/sockethub/attributes/default.rb | 1 +
 site-cookbooks/sockethub/recipes/default.rb | 14 ++++++++++----
 2 files changed, 11 insertions(+), 4 deletions(-)
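Review bot: In the new `<% else -%>` branch the server block listens on the external port without `ssl`, and since the `location` and proxy directives sit outside the conditional (and outside this hunk), the sockethub websocket proxy is reachable over plaintext for as long as no certificate exists on the node. The `File.exist?` checks are evaluated when Chef renders the template, so once a certificate is later issued the plaintext listener stays in place until the next Chef run rewrites the file. If the fallback only exists so nginx can start before the first certificate is issued, keeping the listener but refusing traffic preserves that without exposing the proxy: `<% else -%>` / `listen <%= @sockethub_external_port %>;` / `return 503;` (a `return` at server level applies to every request, whichever location would match).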
diff --git a/site-cookbooks/sockethub/attributes/default.rb b/site-cookbooks/sockethub/attributes/default.rb
index c3a9599..5d74c1a 100644
--- a/site-cookbooks/sockethub/attributes/default.rb
+++ b/site-cookbooks/sockethub/attributes/default.rb
@@ -2,3 +2,4 @@ node.default['sockethub']['port'] = '10551'
 node.default['sockethub']['external_port'] = '10550'
 node.default['sockethub']['version'] = '3.1.4'
 node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org'
+node.default['sockethub']['debug_logs'] = 'sockethub*'
diff --git a/site-cookbooks/sockethub/recipes/default.rb b/site-cookbooks/sockethub/recipes/default.rb
index 156ada0..052a927 100644
--- a/site-cookbooks/sockethub/recipes/default.rb
+++ b/site-cookbooks/sockethub/recipes/default.rb
@@ -48,6 +48,15 @@ execute "systemctl daemon-reload" do
 action :nothing
 end
+environment_variables = {
+ 'PORT' => node['sockethub']['port'],
+ # Use the second database (index starts at 0)
+ 'REDIS_URL' => "redis://localhost:6379/1"
+}
+unless node['sockethub']['debug_logs'].nil?
+ environment_variables['DEBUG'] = node['sockethub']['debug_logs']
+end
+
 template "/lib/systemd/system/sockethub_nodejs.service" do
 source 'nodejs.systemd.service.erb'
 owner 'root'
@@ -57,10 +66,7 @@ template "/lib/systemd/system/sockethub_nodejs.service" do
 user: "sockethub",
 group: "sockethub",
 entry: "/usr/bin/sockethub",
- environment: { 'DEBUG' => '*',
- 'PORT' => node['sockethub']['port'],
- # Use the second database (index starts at 0)
- 'REDIS_URL' => "redis://localhost:6379/1" }
+ environment: environment_variables
 )
 notifies :run, "execute[systemctl daemon-reload]", :delayed
 notifies :restart, "service[sockethub_nodejs]", :delayed
-- 
2.25.1

From e9c86081f7fdfdb1464fbb365b736698dc963734 Mon Sep 17 00:00:00 2001
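Review bot: The guard `unless node['sockethub']['debug_logs'].nil?` lets a `false` attribute through as the string `DEBUG=false`, which a DEBUG-pattern consumer would presumably read as a module name rather than as "off"; `environment_variables['DEBUG'] = node['sockethub']['debug_logs'] if node['sockethub']['debug_logs']` skips both `nil` and `false` while still passing an empty string through, so an operator can disable debug output from a role or environment. Everything in `environment_variables` is rendered into a unit file the template resource creates with `mode '0644'`, so any value placed here is readable by every local user; a comment on the hash, `# Rendered into a world-readable unit file: never put credentials here`, keeps a future REDIS_URL with a password from landing in it. The same applies to the `environment: environment_variables` line in the second hunk of this file.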
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Fri, 9 Jul 2021 11:32:11 +0200
Subject: [PATCH 3/9] Update sockethub to the latest npm release

---
 site-cookbooks/sockethub/attributes/default.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/site-cookbooks/sockethub/attributes/default.rb b/site-cookbooks/sockethub/attributes/default.rb
index 5d74c1a..c852d3b 100644
--- a/site-cookbooks/sockethub/attributes/default.rb
+++ b/site-cookbooks/sockethub/attributes/default.rb
@@ -1,5 +1,5 @@
 node.default['sockethub']['port'] = '10551'
 node.default['sockethub']['external_port'] = '10550'
-node.default['sockethub']['version'] = '3.1.4'
+node.default['sockethub']['version'] = '4.0.1'
 node.default['sockethub']['nginx']['server_name'] = 'sockethub.kosmos.org'
 node.default['sockethub']['debug_logs'] = 'sockethub*'
-- 
2.25.1

From d135b3873c3c05c8cdaa065ced017ea8f7d1a936 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Fri, 9 Jul 2021 11:32:33 +0200
Subject: [PATCH 4/9] Switch to a systemd unit Chef resource

---
 site-cookbooks/sockethub/recipes/default.rb | 44 +++++++++++--------
 .../default/nodejs.systemd.service.erb | 16 -------
 2 files changed, 26 insertions(+), 34 deletions(-)
 delete mode 100644 site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb

diff --git a/site-cookbooks/sockethub/recipes/default.rb b/site-cookbooks/sockethub/recipes/default.rb
index 052a927..59f6412 100644
--- a/site-cookbooks/sockethub/recipes/default.rb
+++ b/site-cookbooks/sockethub/recipes/default.rb
@@ -27,11 +27,15 @@ include_recipe 'kosmos-nodejs'
 include_recipe 'kosmos-redis'
-group "sockethub" do
+user = "sockethub"
+group = "sockethub"
+entry = "/usr/bin/sockethub"
+
+group group do
 gid 7625
 end
-user "sockethub" do
+user user do
 comment "sockethub user"
 uid 7625
 gid 7625
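Review bot: The new locals `user` and `group` shadow the Chef resource methods of the same name, so `group group do` and `user user do` only resolve as resource calls because Ruby reparses a local followed by an argument as a method call; the lines read like a typo and the shadowing is easy to trip over in later edits. Naming the locals after what they hold removes the ambiguity: `sockethub_user = "sockethub"`, `sockethub_group = "sockethub"`, `sockethub_entry = "/usr/bin/sockethub"`, with the two resource calls here and the heredoc interpolations in the next hunk updated to match. The recipe continues outside this hunk, so any other reader of these locals needs the same rename.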
@@ -57,21 +61,25 @@ unless node['sockethub']['debug_logs'].nil?
 environment_variables['DEBUG'] = node['sockethub']['debug_logs']
 end
-template "/lib/systemd/system/sockethub_nodejs.service" do
- source 'nodejs.systemd.service.erb'
- owner 'root'
- group 'root'
- mode '0644'
- variables(
- user: "sockethub",
- group: "sockethub",
- entry: "/usr/bin/sockethub",
- environment: environment_variables
- )
- notifies :run, "execute[systemctl daemon-reload]", :delayed
- notifies :restart, "service[sockethub_nodejs]", :delayed
-end
+environment = environment_variables.map{|k, v| "'#{k}=#{v}'"}.join(' ')
-service "sockethub_nodejs" do
- action [:enable, :start]
+systemd_unit "sockethub_nodejs.service" do
+ content <<-EOF
+[Unit]
+Description=Start sockethub
+Requires=redis-server.service
+After=redis-server.service
+
+[Service]
+ExecStart=#{entry}
+User=#{user}
+Group=#{group}
+Environment=#{environment}
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+ EOF
+ triggers_reload true
+ action [:create, :enable, :start]
 end
diff --git a/site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb b/site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb
deleted file mode 100644
index 2c42623..0000000
--- a/site-cookbooks/sockethub/templates/default/nodejs.systemd.service.erb
+++ /dev/null
@@ -1,16 +0,0 @@
-[Unit]
-Description=Start nodejs app
-Requires=redis-server.service
-After=redis-server.service
-
-[Service]
-ExecStart=<%= @entry %>
-User=<%= @user %>
-Group=<%= @group %>
-<% unless @environment.empty? -%>
-Environment=<% @environment.each do |key, value| -%>'<%= key %>=<%= value %>' <% end %>
-<% end -%>
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
-- 
2.25.1

From 7c2aae66501139277cbf817255635f8eae7b25a5 Mon Sep 17 00:00:00 2001
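Review bot: The `[Service]` section of the new `systemd_unit` heredoc drops to the sockethub user but applies none of systemd's sandboxing, and unit files are conventionally world-readable, so the `Environment=` line must stay free of secrets and the cheap hardening directives are worth adding. Placing `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` after `Restart=always` is safe if sockethub writes nothing under /etc or /usr, which the recipe does not show, so confirm it on a test node before merging. Separately, `environment_variables.map{|k, v| "'#{k}=#{v}'"}` produces a broken `Environment=` line for any value containing a single quote; the two current values are safe, but a comment on that line saying so, `# values are single-quoted for systemd; a value containing ' would break the unit`, prevents a silent failure later.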
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Fri, 9 Jul 2021 11:52:58 +0200
Subject: [PATCH 5/9] Add sockethub to nodejs-2's run list

---
 nodes/nodejs-2.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/nodes/nodejs-2.json b/nodes/nodejs-2.json
index 17fcf80..85d5115 100644
--- a/nodes/nodejs-2.json
+++ b/nodes/nodejs-2.json
@@ -21,6 +21,8 @@
 "kredits-github",
 "kredits-github::default",
 "kredits-github::nginx",
+ "sockethub",
+ "sockethub::default",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
@@ -51,6 +53,13 @@
 "nginx::commons_script",
 "nginx::commons_conf",
 "kosmos-nginx::firewall",
+ "kosmos-redis::default",
+ "redis::server",
+ "redis::default",
+ "backup::default",
+ "logrotate::default",
+ "nodejs::npm",
+ "nodejs::install",
 "kosmos-base::letsencrypt"
 ],
 "platform": "ubuntu",
@@ -70,6 +79,7 @@
 "run_list": [
 "recipe[kosmos-base]",
 "recipe[kosmos-hubot::wormhole]",
- "role[kredits_github]"
+ "role[kredits_github]",
+ "recipe[sockethub::default]"
 ]
 }
\ No newline at end of file
-- 
2.25.1

From b5e7e4ab8574ed41a37572a279f86f8475304ce8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Wed, 14 Jul 2021 10:13:35 +0200
Subject: [PATCH 6/9] Use DNS validation to generate/renew the TLS cert

---
 site-cookbooks/sockethub/recipes/proxy.rb | 39 ++++++++++-
 .../templates/gandi_dns_certbot_hook.sh.erb | 63 +++++++++++++++++++
 2 files changed, 96 insertions(+), 6 deletions(-)
 create mode 100755 site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb

diff --git a/site-cookbooks/sockethub/recipes/proxy.rb b/site-cookbooks/sockethub/recipes/proxy.rb
index b707693..29c753c 100644
--- a/site-cookbooks/sockethub/recipes/proxy.rb
+++ b/site-cookbooks/sockethub/recipes/proxy.rb
@@ -26,8 +26,41 @@ include_recipe 'sockethub::_firewall'
 include_recipe 'kosmos-nginx'
+include_recipe "kosmos-base::letsencrypt"
+
 server_name = node['sockethub']['nginx']['server_name']
+nginx_post_hook = <<-EOF
+#!/usr/bin/env bash
+
+set -e
+
+systemctl reload nginx
+EOF
+
+file "/etc/letsencrypt/renewal-hooks/post/nginx" do
+ content nginx_post_hook
+ mode 0755
+ owner "root"
+ group "root"
+end
+
+gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
+
+template "/root/gandi_dns_certbot_hook.sh" do
+ variables gandi_api_key: gandi_api_data_bag_item["key"]
+ mode 0770
+end
+
+# Generate a Let's Encrypt cert (only if no cert has been generated before).
+# The systemd timer will take care of renewing
+execute "letsencrypt cert for sockethub" do
+ command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/nginx\" --email ops@kosmos.org -d #{server_name} -n"
+ not_if do
+ File.exist?("/etc/letsencrypt/live/#{server_name}/fullchain.pem")
+ end
+end
+
 template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
 source 'nginx_conf_sockethub.erb'
 owner 'www-data'
@@ -40,13 +73,7 @@ template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
 notifies :reload, 'service[nginx]', :delayed
 end
-# Legacy vhost
-nginx_site "sockethub" do
- action :disable
-end
-
 nginx_site server_name do
 action :enable
 end
-nginx_certbot_site server_name
diff --git a/site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb b/site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb
new file mode 100755
index 0000000..d0ed9dc
--- /dev/null
+++ b/site-cookbooks/sockethub/templates/gandi_dns_certbot_hook.sh.erb
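Review bot: `template "/root/gandi_dns_certbot_hook.sh"` renders the Gandi API key from the `credentials` data bag into the file, but the resource is not marked `sensitive true`, so chef-client's default converge output prints the content diff, key included, on first creation and on every later change, and that log is often shipped off-host. The ownership is left implicit and `mode 0770` grants group write and execute that nothing in this recipe needs; `sensitive true`, `owner "root"` / `group "root"`, and `mode 0700` close both gaps in three added lines. The `not_if` on fullchain.pem means a failed first issuance simply reruns on the next converge, which is fine, but a short comment on the data bag line naming the key's scope (presumably a full-account Gandi key, since the hook only needs record edits on one zone) would tell the next operator what is at stake if the file leaks.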
@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+#
+
+set -euf -o pipefail
+
+# ************** USAGE **************
+#
+# Example usage (with this hook file saved in /root/):
+#
+# sudo su -
+# certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
+# --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
+#
+# This hook requires configuration, continue reading.
+#
+# ************** CONFIGURATION **************
+#
+# GANDI_API_KEY: Your Gandi Live API key
+#
+# PROVIDER_UPDATE_DELAY:
+# How many seconds to wait after updating your DNS records. This may be required,
+# depending on how slow your DNS host is to begin serving new DNS records after updating
+# them via the API. 30 seconds is a safe default, but some providers can be very slow
+# (e.g. Linode).
+#
+# Defaults to 30 seconds.
+#
+GANDI_API_KEY="<%= @gandi_api_key %>"
+PROVIDER_UPDATE_DELAY=30
+
+regex='.*\.(.*\..*)'
+if [[ $CERTBOT_DOMAIN =~ $regex ]]
+then
+ DOMAIN="${BASH_REMATCH[1]}"
+else
+ DOMAIN="${CERTBOT_DOMAIN}"
+fi
+
+# To be invoked via Certbot's --manual-auth-hook
+function auth {
+ curl -s -D- -H "Content-Type: application/json" \
+ -H "X-Api-Key: ${GANDI_API_KEY}" \
+ -d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
+ \"rrset_type\": \"TXT\",
+ \"rrset_ttl\": 3600,
+ \"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
+ "https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
+
+
+ sleep ${PROVIDER_UPDATE_DELAY}
+}
+
+# To be invoked via Certbot's --manual-cleanup-hook
+function cleanup {
+ curl -s -X DELETE -H "Content-Type: application/json" \
+ -H "X-Api-Key: ${GANDI_API_KEY}" \
+ https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
+}
+
+HANDLER=$1; shift;
+if [ -n "$(type -t $HANDLER)" ] && [ "$(type -t $HANDLER)" = function ]; then
+ $HANDLER "$@"
+fi
-- 
2.25.1
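Review bot: Both `curl` invocations lack `--fail`, so a rejected API call (an expired key, or a zone this key does not manage) exits 0; `auth` then sleeps and returns success, and certbot only reports a failed DNS challenge much later with no hint that the Gandi request was the cause. With `set -e` already in force, `curl -sf -D- -H "Content-Type: application/json" \` in `auth` and `curl -sf -X DELETE -H "Content-Type: application/json" \` in `cleanup` make the hook abort at the request that failed, and the cleanup URL should be quoted like the auth one, `"https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT"`. The usage block at the top still refers to `/root/letsencrypt_hook.sh` and 5apps.com domains, while the recipe installs this file as `/root/gandi_dns_certbot_hook.sh`; updating the example keeps the comment trustworthy. `regex='.*\.(.*\..*)'` assumes the registrable domain is the last two labels, which holds for the sockethub host name but not for multi-label public suffixes, and a one-line comment stating that assumption is enough.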
From eed27713ff27a221a7b9c3d36c5c39a82788615c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Wed, 14 Jul 2021 10:14:07 +0200
Subject: [PATCH 7/9] Add the sockethub firewall rule to centaurus

---
 nodes/centaurus.kosmos.org.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/nodes/centaurus.kosmos.org.json b/nodes/centaurus.kosmos.org.json
index 539fe71..70f42cc 100644
--- a/nodes/centaurus.kosmos.org.json
+++ b/nodes/centaurus.kosmos.org.json
@@ -34,6 +34,7 @@
 "kosmos_kvm::host",
 "kosmos-ejabberd::firewall",
 "kosmos_zerotier::firewall",
+ "sockethub::_firewall",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
@@ -85,6 +86,7 @@
 "recipe[kosmos_assets::nginx_site]",
 "recipe[kosmos_kvm::host]",
 "recipe[kosmos-ejabberd::firewall]",
- "recipe[kosmos_zerotier::firewall]"
+ "recipe[kosmos_zerotier::firewall]",
+ "recipe[sockethub::_firewall]"
 ]
 }
\ No newline at end of file
-- 
2.25.1

From 383a46676e5605046c8c85c22d0201bbd1875daf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Wed, 14 Jul 2021 10:14:28 +0200
Subject: [PATCH 8/9] Create a role for sockethub

---
 roles/sockethub.rb | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 roles/sockethub.rb

diff --git a/roles/sockethub.rb b/roles/sockethub.rb
new file mode 100644
index 0000000..277bd23
--- /dev/null
+++ b/roles/sockethub.rb
@@ -0,0 +1,6 @@
+name "sockethub"
+
+run_list %w(
+ sockethub::default
+ sockethub::proxy
+)
-- 
2.25.1

From e00d6c3a86f40e063e233c055c19437ca3344398 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Wed, 14 Jul 2021 10:14:38 +0200
Subject: [PATCH 9/9] Use the sockethub role in the run list

---
 nodes/nodejs-2.json | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/nodes/nodejs-2.json b/nodes/nodejs-2.json
index 85d5115..f470672 100644
--- a/nodes/nodejs-2.json
+++ b/nodes/nodejs-2.json
@@ -12,7 +12,8 @@
 "hostname": "nodejs-2",
 "ipaddress": "192.168.122.243",
 "roles": [
- "kredits_github"
+ "kredits_github",
+ "sockethub"
 ],
 "recipes": [
 "kosmos-base",
@@ -23,6 +24,7 @@
 "kredits-github::nginx",
 "sockethub",
 "sockethub::default",
+ "sockethub::proxy",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
@@ -60,6 +62,7 @@
 "logrotate::default",
 "nodejs::npm",
 "nodejs::install",
+ "sockethub::_firewall",
 "kosmos-base::letsencrypt"
 ],
 "platform": "ubuntu",
@@ -80,6 +83,6 @@
 "recipe[kosmos-base]",
 "recipe[kosmos-hubot::wormhole]",
 "role[kredits_github]",
- "recipe[sockethub::default]"
+ "role[sockethub]"
 ]
 }
\ No newline at end of file
-- 
2.25.1