diff --git a/nodes/centaurus.kosmos.org.json b/nodes/centaurus.kosmos.org.json index dd3d075..59c6b79 100644 --- a/nodes/centaurus.kosmos.org.json +++ b/nodes/centaurus.kosmos.org.json @@ -31,6 +31,10 @@ "kosmos_discourse::default", "kosmos_drone", "kosmos_drone::default", + "kosmos_kvm::host", + "kosmos-ejabberd::firewall", + "kosmos-postgresql::firewall_replicas", + "kosmos_zerotier::firewall", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -54,8 +58,7 @@ "nginx::commons_dir", "nginx::commons_script", "nginx::commons_conf", - "firewall::default", - "chef-sugar::default", + "kosmos-nginx::firewall", "backup::default", "logrotate::default", "kosmos-base::letsencrypt", @@ -81,6 +84,10 @@ "role[gitea]", "role[postgresql_replica]", "role[discourse]", - "role[drone]" + "role[drone]", + "recipe[kosmos_kvm::host]", + "recipe[kosmos-ejabberd::firewall]", + "recipe[kosmos-postgresql::firewall_replicas]", + "recipe[kosmos_zerotier::firewall]" ] } \ No newline at end of file diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index 34a8a7c..f463aad 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json @@ -8,7 +8,7 @@ "automatic": { "fqdn": "draco.kosmos.org", "os": "linux", - "os_version": "5.4.0-42-generic", + "os_version": "5.4.0-54-generic", "hostname": "draco", "ipaddress": "148.251.237.73", "roles": [ @@ -20,7 +20,14 @@ "kosmos_encfs", "kosmos_encfs::default", "kosmos-postgresql::replica", - "kosmos-bitcoin::source", + "kosmos_kvm::host", + "kosmos-ejabberd::firewall", + "kosmos-ipfs::firewall_swarm", + "kosmos-ipfs::firewall_public_gateway", + "kosmos-postgresql::firewall_replicas", + "kosmos-bitcoin::firewall", + "kosmos_zerotier::firewall", + "kosmos-nginx::firewall", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -36,7 +43,6 @@ "hostname::default", "firewall::default", "chef-sugar::default", - "ark::default", "build-essential::default" ], "platform": "ubuntu", 
@@ -57,6 +63,13 @@ "recipe[kosmos-base]", "recipe[kosmos_encfs]", "role[postgresql_replica]", - "recipe[kosmos-bitcoin::source]" + "recipe[kosmos_kvm::host]", + "recipe[kosmos-ejabberd::firewall]", + "recipe[kosmos-ipfs::firewall_swarm]", + "recipe[kosmos-ipfs::firewall_public_gateway]", + "recipe[kosmos-postgresql::firewall_replicas]", + "recipe[kosmos-bitcoin::firewall]", + "recipe[kosmos_zerotier::firewall]", + "recipe[kosmos-nginx::firewall]" ] } \ No newline at end of file diff --git a/site-cookbooks/kosmos-base/recipes/default.rb b/site-cookbooks/kosmos-base/recipes/default.rb index 9ee8ab8..d5df463 100644 --- a/site-cookbooks/kosmos-base/recipes/default.rb +++ b/site-cookbooks/kosmos-base/recipes/default.rb @@ -64,7 +64,7 @@ unless node.chef_environment == "development" ] end - include_recipe 'kosmos-base::firewall' + include_recipe "kosmos-base::firewall" include_recipe 'kosmos-postfix' diff --git a/site-cookbooks/kosmos-bitcoin/recipes/firewall.rb b/site-cookbooks/kosmos-bitcoin/recipes/firewall.rb new file mode 100644 index 0000000..f1018d1 --- /dev/null +++ b/site-cookbooks/kosmos-bitcoin/recipes/firewall.rb 
@@ -0,0 +1,32 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: firewall
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+
+firewall_rule 'bitcoind' do
+ port [8333] # TODO adjust for testnet
+ protocol :tcp
+ command :allow
+end
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/source.rb b/site-cookbooks/kosmos-bitcoin/recipes/source.rb
index d93f004..0d60853 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/source.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/source.rb
@@ -158,9 +158,4 @@ systemd_unit 'bitcoind.service' do action [:create, :enable, :start] end
-# TODO move to custom kosmos cookbook before publishing bitcoin cookbook
-firewall_rule 'bitcoind' do
- port [8333] # TODO adjust for testnet
- protocol :tcp
- command :allow
-end
+include_recipe "kosmos-bitcoin::firewall"
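Review bot: kosmos-bitcoin::firewall declares `firewall_rule 'bitcoind'` without first including `kosmos-base::firewall`, unlike the other firewall recipes this commit creates (kosmos-dirsrv, kosmos-ejabberd, kosmos-nginx, kosmos-postgresql). When the recipe is placed directly in a run_list, as nodes/draco.kosmos.org.json now does, the rule presumably only takes effect because `firewall::default` still happens to be in that node's expanded run list; on a node where it is not, the rule has no firewall resource to attach to. Add `include_recipe "kosmos-base::firewall"` above the resource so the recipe is self-contained. In source.rb the new `include_recipe "kosmos-bitcoin::firewall"` is also not inside the `unless node.chef_environment == "development"` guard that every other call site in this commit uses; if that is intentional a short comment saying so would help.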
diff --git a/site-cookbooks/kosmos-btcpayserver/recipes/proxy.rb b/site-cookbooks/kosmos-btcpayserver/recipes/proxy.rb index 4a47729..621161e 100644 --- a/site-cookbooks/kosmos-btcpayserver/recipes/proxy.rb +++ b/site-cookbooks/kosmos-btcpayserver/recipes/proxy.rb @@ -25,7 +25,8 @@ end nginx_certbot_site server_name unless node.chef_environment == "development" - include_recipe "firewall" + include_recipe "kosmos-base::firewall" + firewall_rule "btcpayserver" do port node["kosmos-btcpayserver"]["port"] protocol :tcp diff --git a/site-cookbooks/kosmos-dirsrv/recipes/default.rb b/site-cookbooks/kosmos-dirsrv/recipes/default.rb index 2f189df..6bcb871 100644 --- a/site-cookbooks/kosmos-dirsrv/recipes/default.rb +++ b/site-cookbooks/kosmos-dirsrv/recipes/default.rb @@ -37,14 +37,9 @@ end # with the run context is confusing: # # https://github.com/chef-cookbooks/firewall/issues/134 -unless node.chef_environment == "development" - include_recipe "firewall" - firewall_rule "ldap" do - port [389, 636] - protocol :tcp - command :allow - end +include_recipe "kosmos-dirsrv::firewall" +unless node.chef_environment == "development" # backup the data dir and the config files node.override["backup"]["archives"]["dirsrv"] = ["/etc/dirsrv", "/var/lib/dirsrv"] include_recipe "backup" diff --git a/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb b/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb new file mode 100644 index 0000000..b466666 --- /dev/null +++ b/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb 
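Review bot: In kosmos-dirsrv/recipes/default.rb the new `include_recipe "kosmos-dirsrv::firewall"` sits above, not inside, the `unless node.chef_environment == "development"` block, so the firewall cookbook and the LDAP rule are now applied in development environments as well; the removed code and every other call site in this commit (kosmos-nginx, kosmos-ipfs, kosmos-ejabberd, kosmos-postgresql) keep the include under the guard. If this is deliberate, say so in a comment next to the line; otherwise move it back: `unless node.chef_environment == "development"` / `  include_recipe "kosmos-dirsrv::firewall"` before the backup section. The comment block referencing the firewall run-context issue starts outside the hunk, so I cannot tell whether it already explains the placement.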
@@ -0,0 +1,33 @@ +# +# Cookbook Name:: kosmos-dirsrv +# Recipe:: firewall +# +# The MIT License (MIT) +# +# Copyright:: 2020, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. + +include_recipe "kosmos-base::firewall" + +firewall_rule "ldap" do + port [389, 636] + protocol :tcp + command :allow +end diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index 0cde474..01225cb 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb 
@@ -219,35 +219,7 @@ service "ejabberd" do end unless node.chef_environment == "development" - firewall_rule 'ejabberd' do - port [5222, 5223, 5269, 5443] - protocol :tcp - command :allow - end - - firewall_rule 'ejabberd_cluster' do - port [4369] - protocol :tcp - command :allow - end - - firewall_rule 'erlang_cluster' do - port [4200..4210] - protocol :tcp - command :allow - end - - firewall_rule 'ejabberd_stun_turn' do - port 3478 - protocol :tcp - command :allow - end - - firewall_rule 'ejabberd_turn' do - port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"] - protocol :tcp - command :allow - end + include_recipe "kosmos-ejabberd::firewall" end # diff --git a/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb b/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb new file mode 100644 index 0000000..5d2ac3a --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb 
@@ -0,0 +1,57 @@ +# +# Cookbook:: kosmos-ejabberd +# Recipe:: firewall +# +# The MIT License (MIT) +# +# Copyright:: 2020, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. + +include_recipe "kosmos-base::firewall" + +firewall_rule "ejabberd" do + port [5222, 5223, 5269, 5443] + protocol :tcp + command :allow +end + +firewall_rule 'ejabberd_cluster' do + port [4369] + protocol :tcp + command :allow +end + +firewall_rule 'erlang_cluster' do + port [4200..4210] + protocol :tcp + command :allow +end + +firewall_rule 'ejabberd_stun_turn' do + port 3478 + protocol :tcp + command :allow +end + +firewall_rule 'ejabberd_turn' do + port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"] + protocol :tcp + command :allow +end diff --git a/site-cookbooks/kosmos-ipfs/attributes/default.rb b/site-cookbooks/kosmos-ipfs/attributes/default.rb index bce7a81..860fb87 100644 --- a/site-cookbooks/kosmos-ipfs/attributes/default.rb 
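Review bot: `ejabberd_cluster` (4369) and `erlang_cluster` (4200..4210) are allowed from any source — neither rule sets `source` — although these ports serve Erlang distribution between cluster members rather than XMPP clients. The same commit's kosmos-postgresql::firewall_replicas restricts 5432 to each peer via `source replica[:ipaddress]`; the cluster rules could take the same shape, iterating the known cluster nodes and emitting one rule per peer address. The rules are carried over from the old default.rb rather than introduced here, but the new recipe is the natural place to tighten them. Style: the first resource uses `"ejabberd"` while the rest use single quotes; pick one.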
+++ b/site-cookbooks/kosmos-ipfs/attributes/default.rb @@ -17,6 +17,7 @@ node.default['kosmos-ipfs']['ipfs']['config'] = { node.default['kosmos-ipfs']['nginx']['api_port'] = 5001 node.default['kosmos-ipfs']['nginx']['gateway_port'] = 9090 node.default['kosmos-ipfs']['nginx']['external_api_port'] = 5444 +node.default['kosmos-ipfs']['nginx']['swarm_p2p_port'] = 4001 node.default['kosmos-ipfs']['nginx']['domain'] = "ipfs.kosmos.org" node.default['kosmos-ipfs']['kredits-pinner']['revision'] = "v1.0.2" diff --git a/site-cookbooks/kosmos-ipfs/recipes/default.rb b/site-cookbooks/kosmos-ipfs/recipes/default.rb index 202faf4..b642a8c 100644 --- a/site-cookbooks/kosmos-ipfs/recipes/default.rb +++ b/site-cookbooks/kosmos-ipfs/recipes/default.rb @@ -34,10 +34,5 @@ node['kosmos-ipfs']['ipfs']['config'].each do |k, v| end unless node.chef_environment == "development" - include_recipe 'firewall' - firewall_rule 'ipfs_swarm_p2p' do - port 4001 - protocol :tcp - command :allow - end + include_recipe "kosmos-ipfs::firewall_swarm" end diff --git a/site-cookbooks/kosmos-ipfs/recipes/firewall_public_gateway.rb b/site-cookbooks/kosmos-ipfs/recipes/firewall_public_gateway.rb new file mode 100644 index 0000000..116c436 --- /dev/null +++ b/site-cookbooks/kosmos-ipfs/recipes/firewall_public_gateway.rb 
@@ -0,0 +1,32 @@ +# +# Cookbook Name:: kosmos-ipfs +# Recipe:: firewall_public_gateway +# +# The MIT License (MIT) +# +# Copyright:: 2020, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. + +include_recipe 'firewall' +firewall_rule 'ipfs_api' do + port node['kosmos-ipfs']['nginx']['external_api_port'] + protocol :tcp + command :allow +end diff --git a/site-cookbooks/kosmos-ipfs/recipes/firewall_swarm.rb b/site-cookbooks/kosmos-ipfs/recipes/firewall_swarm.rb new file mode 100644 index 0000000..056d288 --- /dev/null +++ b/site-cookbooks/kosmos-ipfs/recipes/firewall_swarm.rb 
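Review bot: `include_recipe 'firewall'` pulls in the upstream firewall default directly, whereas every other firewall recipe added by this commit (kosmos-dirsrv, kosmos-ejabberd, kosmos-nginx, kosmos-postgresql) and the changed call sites in kosmos-btcpayserver::proxy and kosmos-postgresql::replica use `include_recipe "kosmos-base::firewall"`; firewall_swarm.rb in the next hunk has the same line. Unless the site wrapper is intentionally bypassed here, change both to `include_recipe "kosmos-base::firewall"`. Separately, the new attribute `node['kosmos-ipfs']['nginx']['swarm_p2p_port']` is filed under the `nginx` key although 4001 is the ipfs daemon's swarm port, not an nginx listener; `node['kosmos-ipfs']['ipfs']['swarm_p2p_port']` (the `ipfs` key already exists in attributes/default.rb) would describe it accurately.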
@@ -0,0 +1,32 @@ +# +# Cookbook Name:: kosmos-ipfs +# Recipe:: firewall_swarm +# +# The MIT License (MIT) +# +# Copyright:: 2020, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. + +include_recipe 'firewall' +firewall_rule 'ipfs_swarm_p2p' do + port node['kosmos-ipfs']['nginx']['swarm_p2p_port'] + protocol :tcp + command :allow +end diff --git a/site-cookbooks/kosmos-ipfs/recipes/public_gateway.rb b/site-cookbooks/kosmos-ipfs/recipes/public_gateway.rb index 3ed5fe1..7d9927f 100644 --- a/site-cookbooks/kosmos-ipfs/recipes/public_gateway.rb +++ b/site-cookbooks/kosmos-ipfs/recipes/public_gateway.rb @@ -49,10 +49,5 @@ end nginx_certbot_site domain unless node.chef_environment == "development" - include_recipe "firewall" - firewall_rule 'ipfs_api' do - port node['kosmos-ipfs']['nginx']['external_api_port'] - protocol :tcp - command :allow - end + include_recipe "kosmos-ipfs::firewall_public_gateway" end 
diff --git a/site-cookbooks/kosmos-nginx/recipes/default.rb b/site-cookbooks/kosmos-nginx/recipes/default.rb index 87f386f..c01301e 100644 --- a/site-cookbooks/kosmos-nginx/recipes/default.rb +++ b/site-cookbooks/kosmos-nginx/recipes/default.rb @@ -84,11 +84,5 @@ cookbook_file "#{node["nginx"]["user_home"]}/maintenance.html" do end unless node.chef_environment == "development" - include_recipe 'kosmos-base::firewall' - - firewall_rule 'http/https' do - port [80, 443] - protocol :tcp - command :allow - end + include_recipe "kosmos-nginx::firewall" end diff --git a/site-cookbooks/kosmos-nginx/recipes/firewall.rb b/site-cookbooks/kosmos-nginx/recipes/firewall.rb new file mode 100644 index 0000000..ca6cbe2 --- /dev/null +++ b/site-cookbooks/kosmos-nginx/recipes/firewall.rb 
@@ -0,0 +1,33 @@ +# +# Cookbook Name:: kosmos-nginx +# Recipe:: firewall +# +# The MIT License (MIT) +# +# Copyright:: 2020, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. + +include_recipe "kosmos-base::firewall" + +firewall_rule "http/https" do + port [80, 443] + protocol :tcp + command :allow +end diff --git a/site-cookbooks/kosmos-nginx/recipes/with_perl.rb b/site-cookbooks/kosmos-nginx/recipes/with_perl.rb index bac0223..5be4fda 100644 --- a/site-cookbooks/kosmos-nginx/recipes/with_perl.rb +++ b/site-cookbooks/kosmos-nginx/recipes/with_perl.rb @@ -23,11 +23,5 @@ cookbook_file "#{node['nginx']['dir']}/conf.d/tls_config.conf" do end unless node.chef_environment == "development" - include_recipe 'kosmos-base::firewall' - - firewall_rule 'http/https' do - port [80, 443] - protocol :tcp - command :allow - end + include_recipe 'kosmos-nginx::firewall' end 
diff --git a/site-cookbooks/kosmos-postgresql/recipes/default.rb b/site-cookbooks/kosmos-postgresql/recipes/default.rb index c7d289b..b3c9f4f 100644 --- a/site-cookbooks/kosmos-postgresql/recipes/default.rb +++ b/site-cookbooks/kosmos-postgresql/recipes/default.rb @@ -76,14 +76,8 @@ postgresql_replicas.each do |replica| notifies :reload, "service[#{postgresql_service}]", :immediately end - unless node.chef_environment == "development" - include_recipe "firewall" - - firewall_rule "postgresql replica #{replica[:hostname]}" do - port 5432 - protocol :tcp - command :allow - source replica[:ipaddress] - end - end +end + +unless node.chef_environment == "development" + include_recipe "kosmos-postgresql::firewall_replicas" end diff --git a/site-cookbooks/kosmos-postgresql/recipes/firewall_replicas.rb b/site-cookbooks/kosmos-postgresql/recipes/firewall_replicas.rb new file mode 100644 index 0000000..0ad0a47 --- /dev/null +++ b/site-cookbooks/kosmos-postgresql/recipes/firewall_replicas.rb 
@@ -0,0 +1,36 @@
+#
+# Cookbook:: kosmos-postgresql
+# Recipe:: firewall_replicas
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe "kosmos-base::firewall"
+
+postgresql_replicas.each do |replica|
+ firewall_rule "postgresql replica #{replica[:hostname]}" do
+ port 5432
+ protocol :tcp
+ command :allow
+ source replica[:ipaddress]
+ end
+end
diff --git a/site-cookbooks/kosmos-postgresql/recipes/replica.rb b/site-cookbooks/kosmos-postgresql/recipes/replica.rb
index b063edf..651b18a 100644
--- a/site-cookbooks/kosmos-postgresql/recipes/replica.rb
+++ b/site-cookbooks/kosmos-postgresql/recipes/replica.rb
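Review bot: `source replica[:ipaddress]` is the only thing limiting port 5432 to the replica, and nothing checks that the value is present; if `postgresql_replicas` (defined outside this file) yields an entry without an address — e.g. a node whose ohai data has not been saved yet — the resource is presumably created with a nil source, which in the firewall cookbook means any source. Guard the loop body with `next unless replica[:ipaddress]`, or `raise "replica #{replica[:hostname]} has no ipaddress"` if a replica without an address should abort the run rather than be skipped. The helper's return shape is not visible from the hunk, so confirm the keys really are symbols as written here.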
@@ -70,7 +70,7 @@ systemctl start #{postgresql_service} node.normal['kosmos-postgresql']['ready_to_set_up_replica'] = true unless node.chef_environment == "development" - include_recipe "firewall" + include_recipe "kosmos-base::firewall" firewall_rule "postgresql primary #{primary[:hostname]}" do port 5432 diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb index 2cc43c5..724572e 100644 --- a/site-cookbooks/kosmos_gitea/recipes/default.rb +++ b/site-cookbooks/kosmos_gitea/recipes/default.rb @@ -159,7 +159,3 @@ nginx_site domain do end nginx_certbot_site domain - -unless node.chef_environment == "development" - include_recipe "firewall" -end diff --git a/site-cookbooks/kosmos_kvm/.gitignore b/site-cookbooks/kosmos_kvm/.gitignore new file mode 100644 index 0000000..9abf29f --- /dev/null +++ b/site-cookbooks/kosmos_kvm/.gitignore @@ -0,0 +1,22 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +kitchen.local.yml + +# Chef +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json diff --git a/site-cookbooks/kosmos_kvm/CHANGELOG.md b/site-cookbooks/kosmos_kvm/CHANGELOG.md new file mode 100644 index 0000000..79223d6 --- /dev/null +++ b/site-cookbooks/kosmos_kvm/CHANGELOG.md @@ -0,0 +1,5 @@ +# kosmos_kvm CHANGELOG + +# 0.1.0 + +Initial release. diff --git a/site-cookbooks/kosmos_kvm/LICENSE b/site-cookbooks/kosmos_kvm/LICENSE new file mode 100644 index 0000000..dd321fd --- /dev/null +++ b/site-cookbooks/kosmos_kvm/LICENSE 
@@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2020 Kosmos Developers + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/site-cookbooks/kosmos_kvm/README.md b/site-cookbooks/kosmos_kvm/README.md new file mode 100644 index 0000000..650ceaf --- /dev/null +++ b/site-cookbooks/kosmos_kvm/README.md @@ -0,0 +1,4 @@ +# kosmos_kvm + +TODO: Enter the cookbook description here. + diff --git a/site-cookbooks/kosmos_kvm/chefignore b/site-cookbooks/kosmos_kvm/chefignore new file mode 100644 index 0000000..5039e1c --- /dev/null +++ b/site-cookbooks/kosmos_kvm/chefignore 
@@ -0,0 +1,110 @@ +# Put files/directories that should be ignored in this file when uploading +# to a Chef Infra Server or Supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +ehthumbs.db +Icon? +nohup.out +Thumbs.db + +# SASS # +######## +.sass-cache + +# EDITORS # +########### +.#* +.project +.settings +*_flymake +*_flymake.* +*.bak +*.sw[a-z] +*.tmproj +*~ +\#* +mkmf.log +REVISION +TAGS* +tmtags + +## COMPILED ## +############## +*.class +*.com +*.dll +*.exe +*.o +*.pyc +*.so +*/rdoc/ +a.out + +# Testing # +########### +.circleci/* +.codeclimate.yml +.foodcritic +.kitchen* +.rspec +.rubocop.yml +.travis.yml +.watchr +azure-pipelines.yml +examples/* +features/* +Guardfile +kitchen.yml* +Procfile +Rakefile +spec/* +spec/* +spec/fixtures/* +test/* + +# SCM # +####### +.git +.gitattributes +.gitconfig +.github/* +.gitignore +.gitmodules +.svn +*/.bzr/* +*/.git +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* +Gemfile +Gemfile.lock + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Cookbooks # +############# +CHANGELOG* +CONTRIBUTING* +TESTING* +CODE_OF_CONDUCT* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/site-cookbooks/kosmos_kvm/files/create_vm b/site-cookbooks/kosmos_kvm/files/create_vm new file mode 100644 index 0000000..93375da --- /dev/null +++ b/site-cookbooks/kosmos_kvm/files/create_vm 
@@ -0,0 +1,93 @@ +#!/bin/bash +set -e + +if [[ $# -lt 3 ]] ; then + cat <<-EOF +USAGE (RAM in megabytes) + +create_vm VMNAME RAM CPUS +EOF + exit 1 +fi +VMNAME=$1 +RAM=$2 +CPUS=$3 + +# Directory where image files will be stored +IMAGE_DIR=/var/lib/libvirt/images +IMAGE_FILE=${VMNAME}.qcow2 +IMAGE_PATH=$IMAGE_DIR/$IMAGE_FILE +CIDATA_PATH=${IMAGE_DIR}/cidata-${VMNAME}.iso +BASE_FILE=${IMAGE_DIR}/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.qcow2 + +# Disk size assigned to the VM +DISKSIZE=10 # Unit: GB + +# Create the VM image if it does not already exist +if [ ! -f "$IMAGE_PATH" ]; then + echo "info: image file $IMAGE_PATH not found. creating new image" + # Important: -F qcow2 is required to set the image format + qemu-img create -b "$BASE_FILE" -f qcow2 -F qcow2 "$IMAGE_PATH" ${DISKSIZE}G + chmod 600 "$IMAGE_PATH" + if [ $? -ne 0 ]; then + echo "error: failed to create image" + exit 1 + fi +fi + +# Dump the image info +qemu-img info "$IMAGE_PATH" + +# Check if the cloud-init metadata file exists +# if not, generate it +if [ ! 
-r $CIDATA_PATH ]; then + pushd $(dirname $CIDATA_PATH) + mkdir -p $VMNAME + cd $VMNAME + + cat > user-data <<-EOS +#cloud-config +ssh_authorized_keys: + - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw0I82gT8R4tpsqWGovLyjm2SR2F863MqNz224h3h/wl0xA5Eu0eRro+ELLv2hoebqQbcMsb89X5+7ObhDRar+b7tzDlXq4x+ECkAy6WbDSmBp3kNVd7muT4c9Zw7UxKsIvIm1ven1TkJ3UG80o6PyGiAUlBj4puIQwhp7OVknVutBBe8Rpp4f6BEuWluwpnPxc3KSaGhhr9p10xeX69cfspH40r8vHpI0zp19O5GpfYSOEH64UbwRpN2QypNB8ISmDHFsNGwdz0Ba4qrEOSGU9GveyOcsvEtt630/0fHqtbPBovOYu/FJISQZya2tofDig4EngBCJNfsPCbXFHtlp greg@karekinian.com + - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDyUDR7ZE6HWmjvlfKrG8Ci+q5E4adbyboKvyYVkUXaTYt+DgisPPAqfGkd0yAHgVnmOS/3f5c3D6RrIXcxFmzwpV2BtmGZztBnEYvC5q8XPQhmu6AFl6ZDjh9XzUeO52py8tt5ZJ9W1R2ob/rlgX8txNHi6XwzuvPxZ7NR/iNup7cruBzkHABhwTvTfwaErufr6eNmNjh5VatNTei1ld6yWtmvbYJqJlpq6YyPu9vYNYPg0AB7I+OqOJhzHXhelY28GSP9KF3GDcHDtN1bV21g9+COcdKhMShQaw1WIkfQKdiuFictZIOCP0/uYSiFhyyoSvISiC3eT8zIimRbDRj basti@skddc.local + +runcmd: + # Enable serial console (for virsh) + - systemctl enable serial-getty@ttyS0.service && systemctl start serial-getty@ttyS0.service + - curl -s 'https://raw.githubusercontent.com/zerotier/ZeroTierOne/master/doc/contact%40zerotier.com.gpg' | gpg --import + - curl -s -o /tmp/install_zerotier 'https://install.zerotier.com/' + - cat /tmp/install_zerotier | gpg && bash /tmp/install_zerotier + - zerotier-cli join 12ac4a1e719d706e +EOS + + cat > meta-data <<-EOS +instance-id: $VMNAME +local-hostname: $VMNAME +EOS + + genisoimage -output "$CIDATA_PATH" -volid cidata -joliet -rock user-data meta-data + chown libvirt-qemu:kvm "$CIDATA_PATH" + chmod 600 "$CIDATA_PATH" + popd +fi + +# setting --os-variant to ubuntu20.04 and ubuntu18.04 breaks SSH and networking +virt-install \ + --name "$VMNAME" \ + --ram "$RAM" \ + --vcpus "$CPUS" \ + --cpu host \ + --arch x86_64 \ + --os-type linux \ + --os-variant ubuntu16.04 \ + --hvm \ + --virt-type kvm \ + --disk "$IMAGE_PATH" \ + --cdrom "$CIDATA_PATH" \ + --boot hd \ + 
--network=bridge=virbr0,model=virtio \ + --graphics none \ + --serial pty \ + --console pty \ + --autostart \ + --import diff --git a/site-cookbooks/kosmos_kvm/metadata.rb b/site-cookbooks/kosmos_kvm/metadata.rb new file mode 100644 index 0000000..966d2da --- /dev/null +++ b/site-cookbooks/kosmos_kvm/metadata.rb @@ -0,0 +1,8 @@ +name 'kosmos_kvm' +maintainer 'Kosmos Developers' +maintainer_email 'mail@kosmos.org' +license 'MIT' +description 'Install virt-install and deploy a script to create VMs' +long_description 'Install virt-install and deploy a script to create VMs with KVM' +version '0.1.0' +chef_version '>= 14.0' diff --git a/site-cookbooks/kosmos_kvm/recipes/host.rb b/site-cookbooks/kosmos_kvm/recipes/host.rb new file mode 100644 index 0000000..a89f7eb --- /dev/null +++ b/site-cookbooks/kosmos_kvm/recipes/host.rb 
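Review bot: The ZeroTier install step in the cloud-init `runcmd` gates `bash /tmp/install_zerotier` only on `gpg` exiting zero, and the key it trusts is imported one line earlier from a mutable GitHub `master` URL, so the check accepts any signature by whatever key that URL served; the installer then runs as root in every new VM. Pin the expected signer by replacing the `cat /tmp/install_zerotier | gpg && bash /tmp/install_zerotier` line with `gpg --batch --status-fd 1 --verify /tmp/install_zerotier | grep -q 'VALIDSIG <ZEROTIER_SIGNING_KEY_FINGERPRINT>' && bash /tmp/install_zerotier` (fingerprint kept in the cookbook, not downloaded), or install ZeroTier from the new kosmos_zerotier cookbook instead of at first boot. The two personal SSH public keys and the network id `12ac4a1e719d706e` are baked into the script; sourcing them from cookbook attributes or a data bag and shipping create_vm as a template lets keys be rotated without editing the script. Minor: under `set -e` the `if [ $? -ne 0 ]` after `chmod 600` can never fire, and it tests chmod rather than `qemu-img create`.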
@@ -0,0 +1,47 @@
+#
+# Cookbook:: kosmos_kvm
+# Recipe:: host
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+package %w(virtinst libvirt-daemon-system)
+
+directory "/var/lib/libvirt/images/base" do
+ recursive true
+ owner "libvirt-qemu"
+ group "root"
+ mode "0750"
+end
+
+# Base Ubuntu 20.04 image
+remote_file "/var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.qcow2" do
+ source "http://cloud-images.ubuntu.com/releases/focal/release/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img"
+ owner "libvirt-qemu"
+ group "root"
+ mode "0640"
+end
+
+cookbook_file "/usr/local/sbin/create_vm" do
+ source "create_vm"
+ mode "0750"
+end
diff --git a/site-cookbooks/kosmos_zerotier/.gitignore b/site-cookbooks/kosmos_zerotier/.gitignore
new file mode 100644
index 0000000..9abf29f
--- /dev/null
+++ b/site-cookbooks/kosmos_zerotier/.gitignore
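Review bot: The `remote_file` fetches the base cloud image over plain `http://` and sets no `checksum`, so the image every VM is cloned from — and whose cloud-init then runs commands as root — is accepted from the network without integrity verification, and Chef re-downloads it whenever the remote object changes. Switch the `source` to the `https://cloud-images.ubuntu.com/...` URL and add `checksum "<sha256 taken from the release SHA256SUMS>"` to the resource; with a checksum the download is verified, a truncated or tampered file fails the run instead of being used, and the resource is idempotent. A one-line comment explaining why the downloaded `.img` is stored as `.qcow2` would spare the next reader a `qemu-img info`.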
@@ -0,0 +1,22 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
diff --git a/site-cookbooks/kosmos_zerotier/CHANGELOG.md b/site-cookbooks/kosmos_zerotier/CHANGELOG.md
new file mode 100644
index 0000000..a5b0f4e
--- /dev/null
+++ b/site-cookbooks/kosmos_zerotier/CHANGELOG.md
@@ -0,0 +1,7 @@
+# kosmos_zerotier CHANGELOG
+
+# 0.1.0
+
+Initial release.
+
+- For now this only contains the firewall rule
diff --git a/site-cookbooks/kosmos_zerotier/LICENSE b/site-cookbooks/kosmos_zerotier/LICENSE
new file mode 100644
index 0000000..dd321fd
--- /dev/null
+++ b/site-cookbooks/kosmos_zerotier/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
diff --git a/site-cookbooks/kosmos_zerotier/README.md b/site-cookbooks/kosmos_zerotier/README.md
new file mode 100644
index 0000000..8645fb0
--- /dev/null
+++ b/site-cookbooks/kosmos_zerotier/README.md
@@ -0,0 +1,4 @@
+# kosmos_zerotier
+
+TODO: Enter the cookbook description here.
+
diff --git a/site-cookbooks/kosmos_zerotier/attributes/default.rb b/site-cookbooks/kosmos_zerotier/attributes/default.rb
new file mode 100644
index 0000000..5f017af
--- /dev/null
+++ b/site-cookbooks/kosmos_zerotier/attributes/default.rb
@@ -0,0 +1 @@
+node.default["kosmos_zerotier"]["server_port"] = 9993
diff --git a/site-cookbooks/kosmos_zerotier/chefignore b/site-cookbooks/kosmos_zerotier/chefignore
new file mode 100644
index 0000000..5039e1c
--- /dev/null
+++ b/site-cookbooks/kosmos_zerotier/chefignore
@@ -0,0 +1,110 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+
+# SASS #
+########
+.sass-cache
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+mkmf.log
+REVISION
+TAGS*
+tmtags
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.foodcritic
+.kitchen*
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+azure-pipelines.yml
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+Procfile
+Rakefile
+spec/*
+spec/*
+spec/fixtures/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Cookbooks #
+#############
+CHANGELOG*
+CONTRIBUTING*
+TESTING*
+CODE_OF_CONDUCT*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile
diff --git a/site-cookbooks/kosmos_zerotier/metadata.rb b/site-cookbooks/kosmos_zerotier/metadata.rb
new file mode 100644
index 0000000..a67848b
--- /dev/null
+++ b/site-cookbooks/kosmos_zerotier/metadata.rb
@@ -0,0 +1,10 @@
+name 'kosmos_zerotier'
+maintainer 'Kosmos Developers'
+maintainer_email 'mail@kosmos.org'
+license 'MIT'
+description 'Installs/Configures zerotier'
+long_description 'Installs/Configures zerotier'
+version '0.1.0'
+chef_version '>= 14.0'
+
+depends 'kosmos-base'
diff --git a/site-cookbooks/kosmos_zerotier/recipes/default.rb b/site-cookbooks/kosmos_zerotier/recipes/default.rb
new file mode 100644
index 0000000..1125c4a
--- /dev/null
+++ b/site-cookbooks/kosmos_zerotier/recipes/default.rb
@@ -0,0 +1,25 @@
+#
+# Cookbook:: kosmos_zerotier
+# Recipe:: default
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
diff --git a/site-cookbooks/kosmos_zerotier/recipes/firewall.rb b/site-cookbooks/kosmos_zerotier/recipes/firewall.rb
new file mode 100644
index 0000000..b179103
--- /dev/null
+++ b/site-cookbooks/kosmos_zerotier/recipes/firewall.rb
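Review bot: The new default recipe is nothing but the license header, so `recipe[kosmos_zerotier]` or `include_recipe "kosmos_zerotier"` would converge without doing anything, while the cookbook's metadata.rb in this same change describes it as "Installs/Configures zerotier". Both node files only reference `kosmos_zerotier::firewall`, which matches the CHANGELOG's "for now this only contains the firewall rule". Either drop the empty file or make the gap explicit with a comment after the header, e.g. `# Intentionally empty: this cookbook currently only ships the firewall recipe (see CHANGELOG).`, and reword the metadata description to say so, so nobody assumes the ZeroTier package itself is managed here.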
@@ -0,0 +1,31 @@
+#
+# Cookbook:: kosmos_zerotier
+# Recipe:: firewall
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+firewall_rule "zerotier" do
+ port node["kosmos_zerotier"]["server_port"]
+ protocol :tcp
+ command :allow
+end
diff --git a/site-cookbooks/sockethub/recipes/_firewall.rb b/site-cookbooks/sockethub/recipes/_firewall.rb
index 0c46c53..dd61637 100644
--- a/site-cookbooks/sockethub/recipes/_firewall.rb
+++ b/site-cookbooks/sockethub/recipes/_firewall.rb
@@ -25,7 +25,8 @@ # THE SOFTWARE. unless node.chef_environment == "development"
- include_recipe "firewall"
+ include_recipe "kosmos-base::firewall"
+ firewall_rule 'sockethub' do port node['sockethub']['external_port'].to_i protocol :tcp
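Review bot: The `firewall_rule "zerotier"` resource opens only TCP on `server_port` (9993 from the attributes file), but as far as I know ZeroTier's peer-to-peer transport is UDP on that port and the TCP listener is only a fallback, so with this rule alone inbound peer traffic is still dropped and the node would only be reachable through relayed paths. Change the line to `protocol :udp`, or keep it and add a second `firewall_rule "zerotier_udp"` with the same port if TCP is deliberately wanted as well. Separately, unlike `sockethub/recipes/_firewall.rb` in this same change, this recipe neither guards the rule with `unless node.chef_environment == "development"` nor calls `include_recipe "kosmos-base::firewall"` before declaring it, even though metadata.rb declares the `kosmos-base` dependency; following the same pattern keeps firewall setup and rule ordering identical across the site cookbooks.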