nodes/centaurus.kosmos.org.json

@@ -31,6 +31,10 @@
       "kosmos_discourse::default",
       "kosmos_drone",
       "kosmos_drone::default",
+      "kosmos_kvm::host",
+      "kosmos-ejabberd::firewall",
+      "kosmos-postgresql::firewall_replicas",
+      "kosmos_zerotier::firewall",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -54,8 +58,7 @@
       "nginx::commons_dir",
       "nginx::commons_script",
       "nginx::commons_conf",
-      "firewall::default",
-      "chef-sugar::default",
+      "kosmos-nginx::firewall",
       "backup::default",
       "logrotate::default",
       "kosmos-base::letsencrypt",
@@ -81,6 +84,10 @@
     "role[gitea]",
     "role[postgresql_replica]",
     "role[discourse]",
-    "role[drone]"
+    "role[drone]",
+    "recipe[kosmos_kvm::host]",
+    "recipe[kosmos-ejabberd::firewall]",
+    "recipe[kosmos-postgresql::firewall_replicas]",
+    "recipe[kosmos_zerotier::firewall]"
   ]
 }

nodes/draco.kosmos.org.json

@@ -8,7 +8,7 @@
   "automatic": {
     "fqdn": "draco.kosmos.org",
     "os": "linux",
-    "os_version": "5.4.0-42-generic",
+    "os_version": "5.4.0-54-generic",
     "hostname": "draco",
     "ipaddress": "148.251.237.73",
     "roles": [
@@ -20,7 +20,14 @@
       "kosmos_encfs",
       "kosmos_encfs::default",
       "kosmos-postgresql::replica",
-      "kosmos-bitcoin::source",
+      "kosmos_kvm::host",
+      "kosmos-ejabberd::firewall",
+      "kosmos-ipfs::firewall_swarm",
+      "kosmos-ipfs::firewall_public_gateway",
+      "kosmos-postgresql::firewall_replicas",
+      "kosmos-bitcoin::firewall",
+      "kosmos_zerotier::firewall",
+      "kosmos-nginx::firewall",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",
@@ -36,7 +43,6 @@
       "hostname::default",
       "firewall::default",
       "chef-sugar::default",
-      "ark::default",
       "build-essential::default"
     ],
     "platform": "ubuntu",
@@ -57,6 +63,13 @@
     "recipe[kosmos-base]",
     "recipe[kosmos_encfs]",
     "role[postgresql_replica]",
-    "recipe[kosmos-bitcoin::source]"
+    "recipe[kosmos_kvm::host]",
+    "recipe[kosmos-ejabberd::firewall]",
+    "recipe[kosmos-ipfs::firewall_swarm]",
+    "recipe[kosmos-ipfs::firewall_public_gateway]",
+    "recipe[kosmos-postgresql::firewall_replicas]",
+    "recipe[kosmos-bitcoin::firewall]",
+    "recipe[kosmos_zerotier::firewall]",
+    "recipe[kosmos-nginx::firewall]"
   ]
 }

site-cookbooks/kosmos-base/recipes/default.rb

@@ -64,7 +64,7 @@ unless node.chef_environment == "development"
     ]
   end
 
-  include_recipe 'kosmos-base::firewall'
+  include_recipe "kosmos-base::firewall"
 
   include_recipe 'kosmos-postfix'
 

site-cookbooks/kosmos-bitcoin/recipes/firewall.rb

@@ -0,0 +1,32 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: firewall
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+
+firewall_rule 'bitcoind' do
+  port     [8333] # TODO adjust for testnet
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos-bitcoin/recipes/source.rb

@@ -158,9 +158,4 @@ systemd_unit 'bitcoind.service' do
   action [:create, :enable, :start]
 end
 
-# TODO move to custom kosmos cookbook before publishing bitcoin cookbook
-firewall_rule 'bitcoind' do
-  port     [8333] # TODO adjust for testnet
-  protocol :tcp
-  command  :allow
-end
+include_recipe "kosmos-bitcoin::firewall"

site-cookbooks/kosmos-btcpayserver/recipes/proxy.rb

@@ -25,7 +25,8 @@ end
 nginx_certbot_site server_name
 
 unless node.chef_environment == "development"
-  include_recipe "firewall"
+  include_recipe "kosmos-base::firewall"
+
   firewall_rule "btcpayserver" do
     port     node["kosmos-btcpayserver"]["port"]
     protocol :tcp

site-cookbooks/kosmos-dirsrv/recipes/default.rb

@@ -37,14 +37,9 @@ end
 # with the run context is confusing:
 #
 # https://github.com/chef-cookbooks/firewall/issues/134
-unless node.chef_environment == "development"
-  include_recipe "firewall"
-  firewall_rule "ldap" do
-    port     [389, 636]
-    protocol :tcp
-    command  :allow
-  end
+include_recipe "kosmos-dirsrv::firewall"
 
+unless node.chef_environment == "development"
   # backup the data dir and the config files
   node.override["backup"]["archives"]["dirsrv"] = ["/etc/dirsrv", "/var/lib/dirsrv"]
   include_recipe "backup"

site-cookbooks/kosmos-dirsrv/recipes/firewall.rb

@@ -0,0 +1,33 @@
+#
+# Cookbook Name:: kosmos-dirsrv
+# Recipe:: firewall
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe "kosmos-base::firewall"
+
+firewall_rule "ldap" do
+  port     [389, 636]
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos-ejabberd/recipes/default.rb

@@ -219,35 +219,7 @@ service "ejabberd" do
 end
 
 unless node.chef_environment == "development"
-  firewall_rule 'ejabberd' do
-    port     [5222, 5223, 5269, 5443]
-    protocol :tcp
-    command  :allow
-  end
-
-  firewall_rule 'ejabberd_cluster' do
-    port     [4369]
-    protocol :tcp
-    command  :allow
-  end
-
-  firewall_rule 'erlang_cluster' do
-    port     [4200..4210]
-    protocol :tcp
-    command  :allow
-  end
-
-  firewall_rule 'ejabberd_stun_turn' do
-    port     3478
-    protocol :tcp
-    command  :allow
-  end
-
-  firewall_rule 'ejabberd_turn' do
-    port     node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
-    protocol :tcp
-    command  :allow
-  end
+  include_recipe "kosmos-ejabberd::firewall"
 end
 
 #

site-cookbooks/kosmos-ejabberd/recipes/firewall.rb

@@ -0,0 +1,57 @@
+#
+# Cookbook:: kosmos-ejabberd
+# Recipe:: firewall
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe "kosmos-base::firewall"
+
+firewall_rule "ejabberd" do
+  port     [5222, 5223, 5269, 5443]
+  protocol :tcp
+  command  :allow
+end
+
+firewall_rule 'ejabberd_cluster' do
+  port     [4369]
+  protocol :tcp
+  command  :allow
+end
+
+firewall_rule 'erlang_cluster' do
+  port     [4200..4210]
+  protocol :tcp
+  command  :allow
+end
+
+firewall_rule 'ejabberd_stun_turn' do
+  port     3478
+  protocol :tcp
+  command  :allow
+end
+
+firewall_rule 'ejabberd_turn' do
+  port     node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos-ipfs/attributes/default.rb

@@ -17,6 +17,7 @@ node.default['kosmos-ipfs']['ipfs']['config'] = {
 node.default['kosmos-ipfs']['nginx']['api_port'] = 5001
 node.default['kosmos-ipfs']['nginx']['gateway_port'] = 9090
 node.default['kosmos-ipfs']['nginx']['external_api_port'] = 5444
+node.default['kosmos-ipfs']['nginx']['swarm_p2p_port'] = 4001
 node.default['kosmos-ipfs']['nginx']['domain'] = "ipfs.kosmos.org"
 
 node.default['kosmos-ipfs']['kredits-pinner']['revision'] = "v1.0.2"

site-cookbooks/kosmos-ipfs/recipes/default.rb

@@ -34,10 +34,5 @@ node['kosmos-ipfs']['ipfs']['config'].each do |k, v|
 end
 
 unless node.chef_environment == "development"
-  include_recipe 'firewall'
-  firewall_rule 'ipfs_swarm_p2p' do
-    port     4001
-    protocol :tcp
-    command  :allow
-  end
+  include_recipe "kosmos-ipfs::firewall_swarm"
 end

site-cookbooks/kosmos-ipfs/recipes/firewall_public_gateway.rb

@@ -0,0 +1,32 @@
+#
+# Cookbook Name:: kosmos-ipfs
+# Recipe:: firewall_public_gateway
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe 'firewall'
+firewall_rule 'ipfs_api' do
+  port     node['kosmos-ipfs']['nginx']['external_api_port']
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos-ipfs/recipes/firewall_swarm.rb

@@ -0,0 +1,32 @@
+#
+# Cookbook Name:: kosmos-ipfs
+# Recipe:: firewall_swarm
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe 'firewall'
+firewall_rule 'ipfs_swarm_p2p' do
+  port     node['kosmos-ipfs']['nginx']['swarm_p2p_port']
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos-ipfs/recipes/public_gateway.rb

@@ -49,10 +49,5 @@ end
 nginx_certbot_site domain
 
 unless node.chef_environment == "development"
-  include_recipe "firewall"
-  firewall_rule 'ipfs_api' do
-    port     node['kosmos-ipfs']['nginx']['external_api_port']
-    protocol :tcp
-    command  :allow
-  end
+  include_recipe "kosmos-ipfs::firewall_public_gateway"
 end

site-cookbooks/kosmos-nginx/recipes/default.rb

@@ -84,11 +84,5 @@ cookbook_file "#{node["nginx"]["user_home"]}/maintenance.html" do
 end
 
 unless node.chef_environment == "development"
-  include_recipe 'kosmos-base::firewall'
-
-  firewall_rule 'http/https' do
-    port     [80, 443]
-    protocol :tcp
-    command  :allow
-  end
+  include_recipe "kosmos-nginx::firewall"
 end

site-cookbooks/kosmos-nginx/recipes/firewall.rb

@@ -0,0 +1,33 @@
+#
+# Cookbook Name:: kosmos-nginx
+# Recipe:: firewall
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe "kosmos-base::firewall"
+
+firewall_rule "http/https" do
+  port     [80, 443]
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/kosmos-nginx/recipes/with_perl.rb

@@ -23,11 +23,5 @@ cookbook_file "#{node['nginx']['dir']}/conf.d/tls_config.conf" do
 end
 
 unless node.chef_environment == "development"
-  include_recipe 'kosmos-base::firewall'
-
-  firewall_rule 'http/https' do
-    port     [80, 443]
-    protocol :tcp
-    command  :allow
-  end
+  include_recipe 'kosmos-nginx::firewall'
 end

site-cookbooks/kosmos-postgresql/recipes/default.rb

@@ -76,14 +76,8 @@ postgresql_replicas.each do |replica|
     notifies :reload, "service[#{postgresql_service}]", :immediately
   end
 
-  unless node.chef_environment == "development"
-    include_recipe "firewall"
-
-    firewall_rule "postgresql replica #{replica[:hostname]}" do
-      port        5432
-      protocol    :tcp
-      command     :allow
-      source replica[:ipaddress]
-    end
-  end
+end
+
+unless node.chef_environment == "development"
+  include_recipe "kosmos-postgresql::firewall_replicas"
 end

site-cookbooks/kosmos-postgresql/recipes/firewall_replicas.rb

@@ -0,0 +1,36 @@
+#
+# Cookbook:: kosmos-postgresql
+# Recipe:: firewall_replicas
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+include_recipe "kosmos-base::firewall"
+
+postgresql_replicas.each do |replica|
+  firewall_rule "postgresql replica #{replica[:hostname]}" do
+    port        5432
+    protocol    :tcp
+    command     :allow
+    source replica[:ipaddress]
+  end
+end

site-cookbooks/kosmos-postgresql/recipes/replica.rb

@@ -70,7 +70,7 @@ systemctl start #{postgresql_service}
   node.normal['kosmos-postgresql']['ready_to_set_up_replica'] = true
 
   unless node.chef_environment == "development"
-    include_recipe "firewall"
+    include_recipe "kosmos-base::firewall"
 
     firewall_rule "postgresql primary #{primary[:hostname]}" do
       port        5432

site-cookbooks/kosmos_gitea/recipes/default.rb

@@ -159,7 +159,3 @@ nginx_site domain do
 end
 
 nginx_certbot_site domain
-
-unless node.chef_environment == "development"
-  include_recipe "firewall"
-end

site-cookbooks/kosmos_kvm/.gitignore

@@ -0,0 +1,22 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json

site-cookbooks/kosmos_kvm/CHANGELOG.md

@@ -0,0 +1,5 @@
+# kosmos_kvm CHANGELOG
+
+# 0.1.0
+
+Initial release.

site-cookbooks/kosmos_kvm/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

site-cookbooks/kosmos_kvm/README.md

@@ -0,0 +1,4 @@
+# kosmos_kvm
+
+TODO: Enter the cookbook description here.
+

site-cookbooks/kosmos_kvm/chefignore

@@ -0,0 +1,110 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+
+# SASS #
+########
+.sass-cache
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+mkmf.log
+REVISION
+TAGS*
+tmtags
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.foodcritic
+.kitchen*
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+azure-pipelines.yml
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+Procfile
+Rakefile
+spec/*
+spec/*
+spec/fixtures/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Cookbooks #
+#############
+CHANGELOG*
+CONTRIBUTING*
+TESTING*
+CODE_OF_CONDUCT*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

site-cookbooks/kosmos_kvm/files/create_vm

@@ -0,0 +1,93 @@
+#!/bin/bash
+set -e
+
+if [[ $# -lt 3 ]] ; then
+    cat <<-EOF
+USAGE (RAM in megabytes)
+
+create_vm VMNAME RAM CPUS
+EOF
+    exit 1
+fi
+VMNAME=$1
+RAM=$2
+CPUS=$3
+
+# Directory where image files will be stored
+IMAGE_DIR=/var/lib/libvirt/images
+IMAGE_FILE=${VMNAME}.qcow2
+IMAGE_PATH=$IMAGE_DIR/$IMAGE_FILE
+CIDATA_PATH=${IMAGE_DIR}/cidata-${VMNAME}.iso
+BASE_FILE=${IMAGE_DIR}/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.qcow2
+
+# Disk size assigned to the VM
+DISKSIZE=10  # Unit: GB
+
+# Create the VM image if it does not already exist
+if [ ! -f "$IMAGE_PATH" ]; then
+  echo "info: image file $IMAGE_PATH not found. creating new image"
+  # Important: -F qcow2 is required to set the image format
+  qemu-img create -b "$BASE_FILE" -f qcow2 -F qcow2 "$IMAGE_PATH" ${DISKSIZE}G
+  chmod 600 "$IMAGE_PATH"
+  if [ $? -ne 0 ]; then
+    echo "error: failed to create image"
+    exit 1
+  fi
+fi
+
+# Dump the image info
+qemu-img info "$IMAGE_PATH"
+
+# Check if the cloud-init metadata file exists
+# if not, generate it
+if [ ! -r $CIDATA_PATH ]; then
+  pushd $(dirname $CIDATA_PATH)
+  mkdir -p $VMNAME
+  cd $VMNAME
+
+  cat > user-data <<-EOS
+#cloud-config
+ssh_authorized_keys:
+  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw0I82gT8R4tpsqWGovLyjm2SR2F863MqNz224h3h/wl0xA5Eu0eRro+ELLv2hoebqQbcMsb89X5+7ObhDRar+b7tzDlXq4x+ECkAy6WbDSmBp3kNVd7muT4c9Zw7UxKsIvIm1ven1TkJ3UG80o6PyGiAUlBj4puIQwhp7OVknVutBBe8Rpp4f6BEuWluwpnPxc3KSaGhhr9p10xeX69cfspH40r8vHpI0zp19O5GpfYSOEH64UbwRpN2QypNB8ISmDHFsNGwdz0Ba4qrEOSGU9GveyOcsvEtt630/0fHqtbPBovOYu/FJISQZya2tofDig4EngBCJNfsPCbXFHtlp greg@karekinian.com
+  - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDyUDR7ZE6HWmjvlfKrG8Ci+q5E4adbyboKvyYVkUXaTYt+DgisPPAqfGkd0yAHgVnmOS/3f5c3D6RrIXcxFmzwpV2BtmGZztBnEYvC5q8XPQhmu6AFl6ZDjh9XzUeO52py8tt5ZJ9W1R2ob/rlgX8txNHi6XwzuvPxZ7NR/iNup7cruBzkHABhwTvTfwaErufr6eNmNjh5VatNTei1ld6yWtmvbYJqJlpq6YyPu9vYNYPg0AB7I+OqOJhzHXhelY28GSP9KF3GDcHDtN1bV21g9+COcdKhMShQaw1WIkfQKdiuFictZIOCP0/uYSiFhyyoSvISiC3eT8zIimRbDRj basti@skddc.local
+
+runcmd:
+  # Enable serial console (for virsh)
+  - systemctl enable serial-getty@ttyS0.service && systemctl start serial-getty@ttyS0.service
+  - curl -s 'https://raw.githubusercontent.com/zerotier/ZeroTierOne/master/doc/contact%40zerotier.com.gpg' | gpg --import
+  - curl -s -o /tmp/install_zerotier 'https://install.zerotier.com/'
+  - cat /tmp/install_zerotier | gpg && bash /tmp/install_zerotier
+  - zerotier-cli join 12ac4a1e719d706e
+EOS
+
+  cat > meta-data <<-EOS
+instance-id: $VMNAME
+local-hostname: $VMNAME
+EOS
+
+  genisoimage -output "$CIDATA_PATH" -volid cidata -joliet -rock user-data meta-data
+  chown libvirt-qemu:kvm "$CIDATA_PATH"
+  chmod 600 "$CIDATA_PATH"
+  popd
+fi
+
+# setting --os-variant to ubuntu20.04 and ubuntu18.04 breaks SSH and networking
+virt-install \
+  --name "$VMNAME" \
+  --ram "$RAM" \
+  --vcpus "$CPUS" \
+  --cpu host \
+  --arch x86_64 \
+  --os-type linux \
+  --os-variant ubuntu16.04 \
+  --hvm \
+  --virt-type kvm \
+  --disk "$IMAGE_PATH" \
+  --cdrom "$CIDATA_PATH" \
+  --boot hd \
+  --network=bridge=virbr0,model=virtio \
+  --graphics none \
+  --serial pty \
+  --console pty \
+  --autostart \
+  --import

site-cookbooks/kosmos_kvm/metadata.rb

@@ -0,0 +1,8 @@
+name 'kosmos_kvm'
+maintainer 'Kosmos Developers'
+maintainer_email 'mail@kosmos.org'
+license 'MIT'
+description 'Install virt-install and deploy a script to create VMs'
+long_description 'Install virt-install and deploy a script to create VMs with KVM'
+version '0.1.0'
+chef_version '>= 14.0'

site-cookbooks/kosmos_kvm/recipes/host.rb

@@ -0,0 +1,47 @@
+#
+# Cookbook:: kosmos_kvm
+# Recipe:: host
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+package %w(virtinst libvirt-daemon-system)
+
+directory "/var/lib/libvirt/images/base" do
+  recursive true
+  owner "libvirt-qemu"
+  group "root"
+  mode "0750"
+end
+
+# Base Ubuntu 20.04 image
+remote_file "/var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.qcow2" do
+  source "http://cloud-images.ubuntu.com/releases/focal/release/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img"
+  owner "libvirt-qemu"
+  group "root"
+  mode "0640"
+end
+
+cookbook_file "/usr/local/sbin/create_vm" do
+  source "create_vm"
+  mode "0750"
+end

site-cookbooks/kosmos_zerotier/.gitignore

@@ -0,0 +1,22 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json

site-cookbooks/kosmos_zerotier/CHANGELOG.md

@@ -0,0 +1,7 @@
+# kosmos_zerotier CHANGELOG
+
+# 0.1.0
+
+Initial release.
+
+- For now this only contains the firewall rule

site-cookbooks/kosmos_zerotier/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2020 Kosmos Developers
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

site-cookbooks/kosmos_zerotier/README.md

@@ -0,0 +1,4 @@
+# kosmos_zerotier
+
+TODO: Enter the cookbook description here.
+

site-cookbooks/kosmos_zerotier/attributes/default.rb

@@ -0,0 +1 @@
+node.default["kosmos_zerotier"]["server_port"] = 9993

site-cookbooks/kosmos_zerotier/chefignore

@@ -0,0 +1,110 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+
+# SASS #
+########
+.sass-cache
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+mkmf.log
+REVISION
+TAGS*
+tmtags
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.foodcritic
+.kitchen*
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+azure-pipelines.yml
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+Procfile
+Rakefile
+spec/*
+spec/*
+spec/fixtures/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Cookbooks #
+#############
+CHANGELOG*
+CONTRIBUTING*
+TESTING*
+CODE_OF_CONDUCT*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

site-cookbooks/kosmos_zerotier/metadata.rb

@@ -0,0 +1,10 @@
+name 'kosmos_zerotier'
+maintainer 'Kosmos Developers'
+maintainer_email 'mail@kosmos.org'
+license 'MIT'
+description 'Installs/Configures zerotier'
+long_description 'Installs/Configures zerotier'
+version '0.1.0'
+chef_version '>= 14.0'
+
+depends 'kosmos-base'

site-cookbooks/kosmos_zerotier/recipes/default.rb

@@ -0,0 +1,25 @@
+#
+# Cookbook:: kosmos_zerotier
+# Recipe:: default
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.

site-cookbooks/kosmos_zerotier/recipes/firewall.rb

@@ -0,0 +1,31 @@
+#
+# Cookbook:: kosmos_zerotier
+# Recipe:: firewall
+#
+# The MIT License (MIT)
+#
+# Copyright:: 2020, Kosmos Developers
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+
+firewall_rule "zerotier" do
+  port     node["kosmos_zerotier"]["server_port"]
+  protocol :tcp
+  command  :allow
+end

site-cookbooks/sockethub/recipes/_firewall.rb

@@ -25,7 +25,8 @@
 # THE SOFTWARE.
 
 unless node.chef_environment == "development"
-  include_recipe "firewall"
+  include_recipe "kosmos-base::firewall"
+
   firewall_rule 'sockethub' do
     port     node['sockethub']['external_port'].to_i
     protocol :tcp