diff --git a/data_bags/credentials/lndhub-go.json b/data_bags/credentials/lndhub-go.json
new file mode 100644
index 0000000..d61ccc9
--- /dev/null
+++ b/data_bags/credentials/lndhub-go.json
@@ -0,0 +1,24 @@
+{
+ "id": "lndhub-go",
+ "jwt_secret": {
+ "encrypted_data": "cFost8pLsoJ/8Gp5m/TgN8xjMkvk0oZuEZ3XfxDIaYjOVYi3fEX8\n",
+ "iv": "47gV4v/D+10B6xqu\n",
+ "auth_tag": "MKEyVFfJ3f5pxWRSyMH4Rw==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "postgresql_password": {
+ "encrypted_data": "YSMEIWdZn08lyrZeJNAUZ5xwKhWHESa1A5MojKJ/5iiE\n",
+ "iv": "0mlURPOohnKbG+i8\n",
+ "auth_tag": "bqIOqFEEIxA99wlvpTqxFA==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "admin_token": {
+ "encrypted_data": "Jv2vQySZT9qn87g24IOYK1dpfSbZoUE/8VtZhzljQGIL\n",
+ "iv": "kjtrzmjTFKQq+nTV\n",
+ "auth_tag": "3YbOzU/ndVARbHTU1hoa9g==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ }
+}
\ No newline at end of file
diff --git a/environments/production.json b/environments/production.json
index 635c0f3..8c0e97a 100644
--- a/environments/production.json
+++ b/environments/production.json
@@ -4,7 +4,10 @@
 "garage": {
 "replication_mode": "2",
 "s3_api_root_domain": ".s3.garage.kosmos.org",
- "s3_web_root_domain": ".web.garage.kosmos.org"
+ "s3_web_root_domain": ".web.garage.kosmos.org",
+ "s3_web_domains": [
+ "s3.kosmos.social"
+ ]
 },
 "gitea": {
 "postgresql_host": "pg.kosmos.local:5432",
@@ -23,4 +26,4 @@
 ]
 }
 }
-}
\ No newline at end of file
+}
diff --git a/nodes/akkounts-1.json b/nodes/akkounts-1.json
index 0ca0d1e..cbd58f3 100644
--- a/nodes/akkounts-1.json
+++ b/nodes/akkounts-1.json
@@ -12,7 +12,9 @@
 "hostname": "akkounts-1",
 "ipaddress": "192.168.122.160",
 "roles": [
+ "base",
 "kvm_guest",
+ "ldap_client",
 "akkounts",
 "postgresql_client"
 ],
@@ -20,6 +22,7 @@
 "kosmos-base",
 "kosmos-base::default",
 "kosmos_kvm::guest",
+ "kosmos-dirsrv::hostsfile",
 "kosmos_postgresql::hostsfile",
 "kosmos-akkounts",
 "kosmos-akkounts::default",
@@ -46,7 +49,6 @@
 "redis::default",
 "backup::default",
 "logrotate::default",
- "kosmos-dirsrv::hostsfile",
 "nodejs::npm",
 "nodejs::install",
 "kosmos-nginx::default",
@@ -83,4 +85,4 @@
 "role[ldap_client]",
 "role[akkounts]"
 ]
-}
+}
\ No newline at end of file
diff --git a/nodes/bitcoin-2.json b/nodes/bitcoin-2.json
index 6112db0..5b6faf1 100644
--- a/nodes/bitcoin-2.json
+++ b/nodes/bitcoin-2.json
@@ -12,9 +12,14 @@
 "hostname": "bitcoin-2",
 "ipaddress": "192.168.122.148",
 "roles": [
+ "base",
 "kvm_guest",
- "btcpay",
- "postgresql_client"
+ "bitcoind",
+ "cln",
+ "lnd",
+ "lndhub",
+ "postgresql_client",
+ "btcpay"
 ],
 "recipes": [
 "kosmos-base",
@@ -22,14 +27,16 @@
 "kosmos_kvm::guest",
 "tor-full",
 "tor-full::default",
- "kosmos-bitcoin::source",
+ "kosmos-bitcoin::bitcoind",
 "kosmos-bitcoin::c-lightning",
 "kosmos-bitcoin::lnd",
 "kosmos-bitcoin::lnd-scb-s3",
 "kosmos-bitcoin::boltz",
 "kosmos-bitcoin::rtl",
- "kosmos-bitcoin::lndhub",
+ "kosmos-bitcoin::peerswap-lnd",
 "kosmos_postgresql::hostsfile",
+ "kosmos-bitcoin::lndhub",
+ "kosmos-bitcoin::lndhub-go",
 "kosmos-bitcoin::dotnet",
 "kosmos-bitcoin::nbxplorer",
 "kosmos-bitcoin::btcpay",
@@ -70,7 +77,6 @@
 "redisio::disable_os_default",
 "redisio::configure",
 "redisio::enable",
- "kosmos-base::letsencrypt",
 "kosmos-nginx::default",
 "nginx::default",
 "nginx::package",
@@ -80,7 +86,8 @@
 "nginx::commons_dir",
 "nginx::commons_script",
 "nginx::commons_conf",
- "kosmos-nginx::firewall"
+ "kosmos-nginx::firewall",
+ "kosmos-base::letsencrypt"
 ],
 "platform": "ubuntu",
 "platform_version": "20.04",
@@ -97,16 +104,13 @@
 }
 },
 "run_list": [
- "recipe[kosmos-base]",
+ "role[base]",
 "role[kvm_guest]",
 "recipe[tor-full]",
- "recipe[kosmos-bitcoin::source]",
- "recipe[kosmos-bitcoin::c-lightning]",
- "recipe[kosmos-bitcoin::lnd]",
- "recipe[kosmos-bitcoin::lnd-scb-s3]",
- "recipe[kosmos-bitcoin::boltz]",
- "recipe[kosmos-bitcoin::rtl]",
- "recipe[kosmos-bitcoin::lndhub]",
+ "role[bitcoind]",
+ "role[cln]",
+ "role[lnd]",
+ "role[lndhub]",
 "role[btcpay]"
 ]
 }
\ No newline at end of file
diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json
index b3683d7..71769a1 100644
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@@ -31,20 +31,21 @@
 "kosmos_assets::nginx_site",
 "kosmos_discourse::nginx",
 "kosmos_drone::nginx",
+ "kosmos_garage",
+ "kosmos_garage::default",
+ "kosmos_garage::firewall_rpc",
+ "kosmos_garage::nginx_web",
 "kosmos_gitea::nginx",
 "kosmos_website",
 "kosmos_website::default",
 "kosmos-akkounts::nginx_api",
+ "kosmos-bitcoin::nginx_lndhub",
 "kosmos-ejabberd::nginx",
 "kosmos-hubot::nginx_botka_irc-libera-chat",
 "kosmos-hubot::nginx_hal8000_xmpp",
 "kosmos-ipfs::nginx_public_gateway",
 "kosmos-mastodon::nginx",
 "remotestorage_discourse::nginx",
- "kosmos_garage",
- "kosmos_garage::default",
- "kosmos_garage::firewall_rpc",
- "kosmos_garage::nginx_web",
 "kosmos_zerotier::controller",
 "kosmos_zerotier::firewall",
 "kosmos_zerotier::zncui",
@@ -73,11 +74,11 @@
 "nginx::commons_conf",
 "kosmos-nginx::firewall",
 "discourse::nginx",
+ "firewall::default",
+ "chef-sugar::default",
 "git::default",
 "git::package",
 "kosmos-base::letsencrypt",
- "firewall::default",
- "chef-sugar::default",
 "fail2ban::default"
 ],
 "platform": "ubuntu",
diff --git a/nodes/postgres-2.json b/nodes/postgres-2.json
index 6cc24a9..2ddf554 100644
--- a/nodes/postgres-2.json
+++ b/nodes/postgres-2.json
@@ -21,8 +21,10 @@
 "kosmos_kvm::guest",
 "kosmos_postgresql::primary",
 "kosmos_postgresql::firewall",
- "kosmos_gitea::pg_db",
+ "kosmos-bitcoin::lndhub-go_pg_db",
 "kosmos_drone::pg_db",
+ "kosmos_gitea::pg_db",
+ "kosmos-mastodon::pg_db",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
diff --git a/roles/bitcoind.rb b/roles/bitcoind.rb
new file mode 100644
index 0000000..e8306dc
--- /dev/null
+++ b/roles/bitcoind.rb
@@ -0,0 +1,5 @@
+name "bitcoind"
+
+run_list %w(
+ kosmos-bitcoin::bitcoind
+)
diff --git a/roles/cln.rb b/roles/cln.rb
new file mode 100644
index 0000000..b75b75f
--- /dev/null
+++ b/roles/cln.rb
@@ -0,0 +1,5 @@
+name "cln"
+
+run_list %w(
+ kosmos-bitcoin::c-lightning
+)
diff --git a/roles/lnd.rb b/roles/lnd.rb
new file mode 100644
index 0000000..982f9a7
--- /dev/null
+++ b/roles/lnd.rb
@@ -0,0 +1,9 @@
+name "lnd"
+
+run_list %w(
+ kosmos-bitcoin::lnd
+ kosmos-bitcoin::lnd-scb-s3
+ kosmos-bitcoin::boltz
+ kosmos-bitcoin::rtl
+ kosmos-bitcoin::peerswap-lnd
+)
diff --git a/roles/lndhub.rb b/roles/lndhub.rb
new file mode 100644
index 0000000..6f67d07
--- /dev/null
+++ b/roles/lndhub.rb
@@ -0,0 +1,7 @@
+name "lndhub"
+
+run_list %w(
+ role[postgresql_client]
+ kosmos-bitcoin::lndhub
+ kosmos-bitcoin::lndhub-go
+)
diff --git a/roles/nginx_proxy.rb b/roles/nginx_proxy.rb
index 0edd22b..9aa9cc9 100644
--- a/roles/nginx_proxy.rb
+++ b/roles/nginx_proxy.rb
@@ -18,18 +18,19 @@ default_run_list = %w(
 kosmos_assets::nginx_site
 kosmos_discourse::nginx
 kosmos_drone::nginx
+ kosmos_garage::default
+ kosmos_garage::firewall_rpc
+ kosmos_garage::nginx_web
 kosmos_gitea::nginx
 kosmos_website::default
 kosmos-akkounts::nginx_api
+ kosmos-bitcoin::nginx_lndhub
 kosmos-ejabberd::nginx
 kosmos-hubot::nginx_botka_irc-libera-chat
 kosmos-hubot::nginx_hal8000_xmpp
 kosmos-ipfs::nginx_public_gateway
 kosmos-mastodon::nginx
 remotestorage_discourse::nginx
- kosmos_garage::default
- kosmos_garage::firewall_rpc
- kosmos_garage::nginx_web
 )
 env_run_lists(
diff --git a/roles/postgresql_primary.rb b/roles/postgresql_primary.rb
index 183da14..9854b01 100644
--- a/roles/postgresql_primary.rb
+++ b/roles/postgresql_primary.rb
@@ -3,7 +3,8 @@ name "postgresql_primary"
 run_list %w(
 kosmos_postgresql::primary
 kosmos_postgresql::firewall
- kosmos_gitea::pg_db
+ kosmos-bitcoin::lndhub-go_pg_db
 kosmos_drone::pg_db
+ kosmos_gitea::pg_db
 kosmos-mastodon::pg_db
 )
diff --git a/site-cookbooks/kosmos-akkounts/attributes/default.rb b/site-cookbooks/kosmos-akkounts/attributes/default.rb
index 4386c90..5d2759b 100644
--- a/site-cookbooks/kosmos-akkounts/attributes/default.rb
+++ b/site-cookbooks/kosmos-akkounts/attributes/default.rb
@@ -1,5 +1,5 @@
 node.default['akkounts']['repo'] = 'https://gitea.kosmos.org/kosmos/akkounts.git'
-node.default['akkounts']['revision'] = 'master'
+node.default['akkounts']['revision'] = 'feature/73-lndhub-go'
 node.default['akkounts']['port'] = 3000
 node.default['akkounts']['domain'] = 'accounts.kosmos.org'
diff --git a/site-cookbooks/kosmos-bitcoin/attributes/default.rb b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
index 26efdd9..f82d5a2 100644
--- a/site-cookbooks/kosmos-bitcoin/attributes/default.rb
+++ b/site-cookbooks/kosmos-bitcoin/attributes/default.rb
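Review bot: The production `revision` for akkounts now points at a mutable feature branch, `feature/73-lndhub-go`, so every converge deploys whatever that branch holds at that moment rather than a reviewed ref; `master` at least tracked the integration branch. If this is a temporary measure while the lndhub-go integration lands, a comment above the line such as `# TODO: revert to 'master' once feature/73-lndhub-go is merged` would keep it from being forgotten. A tag or commit SHA would be the durable way to pin what production runs.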
@@ -79,6 +79,26 @@ node.default['lndhub']['revision'] = 'master'
 node.default['lndhub']['port'] = '3023'
 node.default['lndhub']['domain'] = 'lndhub.kosmos.org'
+node.default['lndhub-go']['repo'] = 'https://github.com/getAlby/lndhub.go.git'
+node.default['lndhub-go']['revision'] = '0.12.0'
+node.default['lndhub-go']['source_dir'] = '/opt/lndhub-go'
+node.default['lndhub-go']['port'] = 3026
+node.default['lndhub-go']['domain'] = 'lndhub.kosmos.org'
+node.default['lndhub-go']['postgres']['database'] = 'lndhub'
+node.default['lndhub-go']['postgres']['user'] = 'lndhub'
+node.default['lndhub-go']['postgres']['port'] = 5432
+node.default['lndhub-go']['default_rate_limit'] = 20
+node.default['lndhub-go']['strict_rate_limit'] = 1
+node.default['lndhub-go']['burst_rate_limit'] = 10
+node.default['lndhub-go']['branding'] = {
+ 'title' => 'LndHub - Kosmos Lightning',
+ 'desc' => 'Kosmos accounts for the Lightning Network',
+ 'url' => 'https://lndhub.kosmos.org',
+ 'logo' => 'https://assets.kosmos.org/img/icon-lndhub-400px.png',
+ 'favicon' => 'https://kosmos.org/favicon.ico',
+ 'footer' => 'about=https://kosmos.org'
+}
+
 node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb"
 node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
@@ -98,3 +118,7 @@ node.default["btcpay"]["domain"] = 'btcpay.kosmos.org'
 node.default['btcpay']['postgres']['port'] = 5432
 node.default['btcpay']['postgres']['database'] = 'btcpayserver'
 node.default['btcpay']['postgres']['user'] = 'satoshi'
+
+node.default['peerswap']['repo'] = 'https://github.com/ElementsProject/peerswap.git'
+node.default['peerswap']['revision'] = 'master'
+node.default['peerswap-lnd']['source_dir'] = '/opt/peerswap'
diff --git a/site-cookbooks/kosmos-bitcoin/metadata.rb b/site-cookbooks/kosmos-bitcoin/metadata.rb
index 8f58ce4..cfea78c 100644
--- a/site-cookbooks/kosmos-bitcoin/metadata.rb
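Review bot: `node.default['peerswap']['revision'] = 'master'` builds peerswapd from the moving head of a third-party repository, and the peerswap-lnd recipe on this page hands that binary lnd's admin.macaroon, so any upstream push is deployed with full node rights on the next converge. The lndhub-go attributes in the hunk above at least pin `revision` to the `0.12.0` tag; peerswap should get the same treatment, e.g. `node.default['peerswap']['revision'] = '<release tag or commit SHA>'` with a comment naming the release the build was tested against. A commit SHA is stronger than a tag, since tags can be moved.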
+++ b/site-cookbooks/kosmos-bitcoin/metadata.rb
@@ -7,25 +7,15 @@ long_description 'Installs/configures bitcoin-related software'
 version '0.1.0'
 chef_version '>= 14.0'
-# The `issues_url` points to the location where issues for this cookbook are
-# tracked. A `View Issues` link will be displayed on this cookbook's page when
-# uploaded to a Supermarket.
-#
-# issues_url 'https://github.com//kosmos-bitcoin/issues'
-
-# The `source_url` points to the development repository for this cookbook. A
-# `View Source` link will be displayed on this cookbook's page when uploaded to
-# a Supermarket.
-#
-# source_url 'https://github.com//kosmos-bitcoin'
-
+depends 'application_javascript'
 depends 'ark'
 depends 'backup'
+depends 'firewall'
 depends 'git'
 depends 'golang'
 depends 'kosmos-nginx'
 depends 'kosmos-nodejs'
-depends 'firewall'
-depends 'application_javascript'
-depends 'tor-full'
+depends 'kosmos_postgresql'
+depends 'postgresql'
 depends 'redisio'
+depends 'tor-full'
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/source.rb b/site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb
similarity index 99%
rename from site-cookbooks/kosmos-bitcoin/recipes/source.rb
rename to site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb
index a44cc89..a4991ff 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/source.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/bitcoind.rb
@@ -1,6 +1,6 @@
 #
 # Cookbook:: kosmos-bitcoin
-# Recipe:: source
+# Recipe:: bitcoind
 #
 build_essential
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/golang.rb b/site-cookbooks/kosmos-bitcoin/recipes/golang.rb
index b6ff84b..81fd97e 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/golang.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/golang.rb
@@ -1,6 +1,6 @@
 #
 # Cookbook:: kosmos-bitcoin
-# Recipe:: boltz
+# Recipe:: golang
 #
 # Internal recipe for managing the Go installation in one place
 #
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb b/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
new file mode 100644
index 0000000..797e231
--- /dev/null
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go.rb
@@ -0,0 +1,107 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: lndhub-go
+#
+
+include_recipe 'git'
+include_recipe 'kosmos-bitcoin::golang'
+include_recipe 'kosmos-bitcoin::user'
+
+bitcoin_user = node['bitcoin']['username']
+bitcoin_group = node['bitcoin']['usergroup']
+lnd_dir = node['lnd']['lnd_dir']
+lncli_bin = '/opt/go/bin/lncli'
+source_dir = node['lndhub-go']['source_dir']
+macaroon_path = "#{lnd_dir}/data/lndhub.macaroon"
+credentials = data_bag_item('credentials', 'lndhub-go')
+postgres_host = "pg.kosmos.local"
+postgres_user = node['lndhub-go']['postgres']['user']
+postgres_db = node['lndhub-go']['postgres']['database']
+postgres_port = node['lndhub-go']['postgres']['port']
+
+git source_dir do
+ repository node['lndhub-go']['repo']
+ revision node['lndhub-go']['revision']
+ action :sync
+ notifies :run, 'bash[compile_lndhub-go]', :immediately
+end
+
+bash 'compile_lndhub-go' do
+ cwd source_dir
+ code 'make'
+ action :nothing
+ notifies :restart, 'service[lndhub-go]', :delayed
+end
+
+bash 'bake_lndhub_macaroon' do
+ user bitcoin_user
+ cwd lnd_dir
+ code "#{lncli_bin} bakemacaroon --save_to=./data/lndhub.macaroon info:read invoices:read invoices:write offchain:read offchain:write"
+ not_if { File.exist?(macaroon_path) }
+end
+
+template "#{source_dir}/.env" do
+ source 'lndhub-go.env.erb'
+ owner bitcoin_user
+ group bitcoin_group
+ mode 0600
+ sensitive true
+ variables config: {
+ database_uri: "postgresql://#{postgres_user}:#{credentials['postgresql_password']}@#{postgres_host}:#{postgres_port}/#{postgres_db}?sslmode=disable",
+ jwt_secret: credentials['jwt_secret'],
+ lnd_address: 'localhost:10009', # gRPC address,
+ lnd_macaroon_file: macaroon_path,
+ lnd_cert_file: "#{lnd_dir}/tls.cert",
+ custom_name: node['lndhub-go']['domain'],
+ port: node['lndhub-go']['port'],
+ admin_token: credentials['admin_token'],
+ default_rate_limit: node['lndhub-go']['default_rate_limit'],
+ strict_rate_limit: node['lndhub-go']['strict_rate_limit'],
+ burst_rate_limit: node['lndhub-go']['burst_rate_limit'],
+ branding: node['lndhub-go']['branding']
+ }
+ notifies :restart, 'service[lndhub-go]', :delayed
+end
+
+systemd_unit 'lndhub-go.service' do
+ content({
+ Unit: {
+ Description: 'LndHub compatible API written in Go',
+ Documentation: ['https://github.com/getAlby/lndhub.go/blob/main/README.md'],
+ Requires: 'lnd.service',
+ After: 'lnd.service'
+ },
+ Service: {
+ User: bitcoin_user,
+ Group: bitcoin_group,
+ Type: 'simple',
+ WorkingDirectory: source_dir,
+ ExecStart: "#{source_dir}/lndhub",
+ Restart: 'always',
+ RestartSec: '10',
+ TimeoutSec: '60',
+ PrivateTmp: true,
+ ProtectSystem: 'full',
+ NoNewPrivileges: true,
+ PrivateDevices: true,
+ MemoryDenyWriteExecute: true
+ },
+ Install: {
+ WantedBy: 'multi-user.target'
+ }
+ })
+ verify false
+ triggers_reload true
+ action [:create, :enable, :start]
+end
+
+service 'lndhub-go' do
+ action :nothing
+end
+
+firewall_rule 'lndhub-go' do
+ port node['lndhub-go']['port']
+ source '10.1.1.0/24'
+ protocol :tcp
+ command :allow
+end
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go_pg_db.rb b/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go_pg_db.rb
new file mode 100644
index 0000000..b18d8b8
--- /dev/null
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lndhub-go_pg_db.rb
@@ -0,0 +1,19 @@
+#
+# Cookbook Name:: kosmos-bitcoin
+# Recipe:: lndhub-go_pg_db
+#
+
+credentials = data_bag_item('credentials', 'lndhub-go')
+
+postgres_user = node['lndhub-go']['postgres']['user']
+postgres_db = node['lndhub-go']['postgres']['database']
+
+postgresql_user postgres_user do
+ action :create
+ password credentials['postgresql_password']
+end
+
+postgresql_database postgres_db do
+ owner postgres_user
+ action :create
+end
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/lndhub.rb b/site-cookbooks/kosmos-bitcoin/recipes/lndhub.rb
index 1921279..c877a4a 100644
--- a/site-cookbooks/kosmos-bitcoin/recipes/lndhub.rb
+++ b/site-cookbooks/kosmos-bitcoin/recipes/lndhub.rb
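Review bot: `database_uri` in the `.env` template variables is built with `sslmode=disable` and a hard-coded `postgres_host = "pg.kosmos.local"`, so the data bag password and all lndhub-go database traffic cross the network to the PostgreSQL host unencrypted, while the other connection settings come from `node['lndhub-go']['postgres']`. The cookbook now depends on `kosmos_postgresql`, whose `postgresql_primary` helper (visible at the end of this page) appears to resolve the primary by search; using it, or at least an attribute for the host, would keep this recipe consistent with the rest of its settings. `sslmode=disable` should either become `sslmode=require` if the server offers TLS, or be explained in a comment, e.g. `# pg.kosmos.local is reached over the internal network only; server-side TLS not enabled — confirm`. The password is also interpolated into the URI verbatim; `ERB::Util.url_encode(credentials['postgresql_password'])` would keep a password containing `@`, `/` or `#` from breaking the URI.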
@@ -90,27 +90,7 @@ firewall_rule 'lndhub_private' do
 command :allow
 end
-unless node.chef_environment == "development"
- include_recipe "kosmos-base::letsencrypt"
- include_recipe "kosmos-nginx"
+return if node.chef_environment == "development"
- nginx_certbot_site node[app_name]['domain']
- template "#{node['nginx']['dir']}/sites-available/#{node[app_name]['domain']}" do
- source 'nginx_conf_lndhub.erb'
- owner node["nginx"]["user"]
- mode 0640
- variables port: node[app_name]['port'],
- server_name: node[app_name]['domain'],
- ssl_cert: "/etc/letsencrypt/live/#{node[app_name]['domain']}/fullchain.pem",
- ssl_key: "/etc/letsencrypt/live/#{node[app_name]['domain']}/privkey.pem"
- notifies :reload, 'service[nginx]', :delayed
- end
-
- nginx_site node[app_name]['domain'] do
- action :enable
- end
-
- node.override["backup"]["archives"]["lndhub"] = ["/var/lib/redis/dump-6379.rdb"]
- include_recipe "backup"
-end
+node.override["backup"]["archives"]["lndhub"] = ["/var/lib/redis/dump-6379.rdb"]
+include_recipe "backup"
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/nginx_lndhub.rb b/site-cookbooks/kosmos-bitcoin/recipes/nginx_lndhub.rb
new file mode 100644
index 0000000..dcf54f7
--- /dev/null
+++ b/site-cookbooks/kosmos-bitcoin/recipes/nginx_lndhub.rb
@@ -0,0 +1,29 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: nginx_lndhub
+#
+
+include_recipe "kosmos-base::letsencrypt"
+include_recipe "kosmos-nginx"
+
+domain = node['lndhub-go']['domain']
+
+nginx_certbot_site domain
+
+upstream_host = search(:node, "role:lndhub").first["knife_zero"]["host"]
+
+template "#{node['nginx']['dir']}/sites-available/#{domain}" do
+ source 'nginx_conf_lndhub.erb'
+ owner node["nginx"]["user"]
+ mode 0640
+ variables port: node['lndhub-go']['port'],
+ server_name: domain,
+ ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
+ upstream_host: upstream_host
+ notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site domain do
+ action :enable
+end
diff --git a/site-cookbooks/kosmos-bitcoin/recipes/peerswap-lnd.rb b/site-cookbooks/kosmos-bitcoin/recipes/peerswap-lnd.rb
new file mode 100644
index 0000000..17eaa98
--- /dev/null
+++ b/site-cookbooks/kosmos-bitcoin/recipes/peerswap-lnd.rb
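Review bot: `search(:node, "role:lndhub").first["knife_zero"]["host"]` raises a bare NoMethodError on nil when no node carries role[lndhub], and this recipe is now in the default run list of the nginx_proxy role (roles/nginx_proxy.rb on this page), so any proxy node in an environment without a lndhub node stops converging at compile time with an unhelpful message. A guard before the template would help: `upstream_node = search(:node, "role:lndhub").first` / `raise "nginx_lndhub: no node with role[lndhub] found" if upstream_node.nil?` / `upstream_host = upstream_node["knife_zero"]["host"]`. The search also carries no chef_environment filter, matching the change to `postgresql_primary` in kosmos_postgresql/libraries/helpers.rb on this page, which is fine if each environment has its own Chef server but should be stated in a comment. The proxied hop to `upstream_host:port` is plain HTTP carrying lndhub's token-authenticated API, limited on the backend by the firewall rule in lndhub-go.rb to `10.1.1.0/24`; a comment recording that this range is the trusted internal network would document the assumption.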
@@ -0,0 +1,86 @@
+#
+# Cookbook:: kosmos-bitcoin
+# Recipe:: peerswap-lnd
+#
+
+include_recipe 'git'
+include_recipe 'kosmos-bitcoin::golang'
+include_recipe 'kosmos-bitcoin::user'
+
+bitcoin_user = node['bitcoin']['username']
+bitcoin_group = node['bitcoin']['usergroup']
+lnd_dir = node['lnd']['lnd_dir']
+macaroon_path = "#{lnd_dir}/data/chain/bitcoin/#{node['bitcoin']['network']}/admin.macaroon"
+source_dir = node['peerswap-lnd']['source_dir']
+config_dir = "/home/#{bitcoin_user}/.peerswap"
+
+directory config_dir do
+ owner bitcoin_user
+ group bitcoin_group
+ mode '0700'
+ action :create
+end
+
+git source_dir do
+ repository node['peerswap']['repo']
+ revision node['peerswap']['revision']
+ action :sync
+ notifies :run, 'bash[compile_peerswap]', :immediately
+end
+
+bash 'compile_peerswap' do
+ cwd source_dir
+ environment 'GOPATH' => '/opt/go'
+ code 'make lnd-release'
+ action :run
+ notifies :restart, 'service[peerswap]', :delayed
+end
+
+template "#{config_dir}/peerswap.conf" do
+ source 'peerswap-lnd.conf.erb'
+ owner bitcoin_user
+ group bitcoin_group
+ mode 0600
+ sensitive true
+ variables config: {
+ tlscertpath: "#{lnd_dir}/tls.cert",
+ macaroonpath: macaroon_path
+ }
+ notifies :restart, 'service[peerswap]', :delayed
+end
+
+systemd_unit 'peerswap.service' do
+ content({
+ Unit: {
+ Description: 'PeerSwap Lightning channel balancing',
+ Documentation: ['https://github.com/ElementsProject/peerswap'],
+ Requires: 'lnd.service',
+ After: 'lnd.service'
+ },
+ Service: {
+ User: bitcoin_user,
+ Group: bitcoin_group,
+ Type: 'simple',
+ WorkingDirectory: source_dir,
+ ExecStart: "/opt/go/bin/peerswapd",
+ Restart: 'always',
+ RestartSec: '10',
+ TimeoutSec: '60',
+ PrivateTmp: true,
+ ProtectSystem: 'full',
+ NoNewPrivileges: true,
+ PrivateDevices: true,
+ MemoryDenyWriteExecute: true
+ },
+ Install: {
+ WantedBy: 'multi-user.target'
+ }
+ })
+ verify false
+ triggers_reload true
+ action [:create, :enable, :start]
+end
+
+service 'peerswap' do
+ action :nothing
+end
diff --git a/site-cookbooks/kosmos-bitcoin/templates/lndhub-go.env.erb b/site-cookbooks/kosmos-bitcoin/templates/lndhub-go.env.erb
new file mode 100644
index 0000000..5fd3936
--- /dev/null
+++ b/site-cookbooks/kosmos-bitcoin/templates/lndhub-go.env.erb
@@ -0,0 +1,9 @@
+<% @config.each do |key, value| %>
+<% if value.is_a?(Hash) %>
+<% value.each do |k, v| %>
+<%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
+<% end %>
+<% else %>
+<%= key.upcase %>=<%= value.to_s %>
+<% end %>
+<% end %>
diff --git a/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb
index cd8b3e4..06d258e 100644
--- a/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb
+++ b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb
@@ -2,10 +2,9 @@
 # Generated by Chef
 #
 upstream _lndhub {
- server localhost:<%= @port %>;
+ server <%= @upstream_host || "localhost" %>:<%= @port %>;
 }
-<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
 server {
 listen 443 ssl http2;
 server_name <%= @server_name %>;
@@ -16,10 +15,13 @@ server {
 error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn;
 location / {
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host $http_host;
+ proxy_redirect off;
 proxy_pass http://_lndhub;
- }
+ }
 ssl_certificate <%= @ssl_cert %>;
 ssl_certificate_key <%= @ssl_key %>;
 }
-<% end -%>
diff --git a/site-cookbooks/kosmos-bitcoin/templates/peerswap-lnd.conf.erb b/site-cookbooks/kosmos-bitcoin/templates/peerswap-lnd.conf.erb
new file mode 100644
index 0000000..dfce355
--- /dev/null
+++ b/site-cookbooks/kosmos-bitcoin/templates/peerswap-lnd.conf.erb
@@ -0,0 +1,3 @@
+<% @config.each do |k, v| %>
+<%= "lnd.#{k}=#{v}" %>
+<% end %>
diff --git a/site-cookbooks/kosmos_garage/attributes/default.rb b/site-cookbooks/kosmos_garage/attributes/default.rb
index 068ede8..68cf18f 100644
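Review bot: `bash 'compile_peerswap'` has `action :run`, so `make lnd-release` executes and then restarts peerswap on every converge, not only when `git source_dir` syncs a new revision as its `notifies :run, 'bash[compile_peerswap]', :immediately` intends; the lndhub-go recipe on this page uses `action :nothing` for the equivalent resource and this one should match: `action :nothing`. Separately, `macaroon_path` points peerswap at lnd's `admin.macaroon`, the unrestricted credential, whereas lndhub-go bakes a macaroon limited to the permissions it needs; if peerswap's required lnd permissions are known, the same `lncli bakemacaroon` pattern would limit the blast radius of a compromised peerswapd, and if not, a comment stating why admin rights are required is worth having. `config_dir = "/home/#{bitcoin_user}/.peerswap"` also assumes the bitcoin user's home is under /home, presumably set by kosmos-bitcoin::user — worth confirming.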
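Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends the proxy's view of the client to whatever `X-Forwarded-For` the client already sent, so the backend sees a client-controlled prefix; with lndhub-go's `default_rate_limit`/`strict_rate_limit` settings configured in this commit, the limiter must be known to key on the last hop rather than the first address, otherwise this should be `proxy_set_header X-Forwarded-For $remote_addr;`. Removing the `<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>` guard in the first hunk also means a converge where certbot has not yet produced the certificate renders a server block that makes the nginx reload fail; this is presumably acceptable because `nginx_certbot_site` runs before the template in nginx_lndhub.rb, but a comment in the template such as `# cert existence is guaranteed by nginx_certbot_site in the recipe` would record that ordering.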
--- a/site-cookbooks/kosmos_garage/attributes/default.rb
+++ b/site-cookbooks/kosmos_garage/attributes/default.rb
@@ -1,5 +1,6 @@
 node.default['garage']['version'] = '0.8.0'
 node.default['garage']['checksum']['amd64'] = '66dd2ea1f677281a43e10eb619523b1b269f8fde9047ce8caa70958f3b13ca74'
+node.default['garage']['replication_mode'] = 'none'
 node.default['garage']['s3_api_port'] = 3900
 node.default['garage']['rpc_port'] = 3901
 node.default['garage']['s3_web_port'] = 3902
@@ -7,4 +8,4 @@ node.default['garage']['admin_port'] = 3903
 node.default['garage']['k2v_api_port'] = 3904
 node.default['garage']['s3_api_root_domain'] = '.s3.garage.localhost'
 node.default['garage']['s3_web_root_domain'] = '.web.garage.localhost'
-node.default['garage']['replication_mode'] = 'none'
+node.default['garage']['s3_web_domains'] = []
diff --git a/site-cookbooks/kosmos_garage/recipes/nginx_web.rb b/site-cookbooks/kosmos_garage/recipes/nginx_web.rb
new file mode 100644
index 0000000..83e6399
--- /dev/null
+++ b/site-cookbooks/kosmos_garage/recipes/nginx_web.rb
@@ -0,0 +1,26 @@
+#
+# Cookbook Name:: kosmos_garage
+# Recipe:: nginx_web
+#
+
+include_recipe "kosmos-nginx"
+
+domains = node['garage']['s3_web_domains']
+
+domains.each do |server_name|
+ nginx_certbot_site server_name
+
+ template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
+ source 'nginx_conf_web.erb'
+ owner 'www-data'
+ mode 0640
+ variables server_name: server_name,
+ ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
+ notifies :reload, 'service[nginx]', :delayed
+ end
+
+ nginx_site server_name do
+ action :enable
+ end
+end
diff --git a/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb b/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
new file mode 100644
index 0000000..566980f
--- /dev/null
+++ b/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
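Review bot: The template resource sets `owner 'www-data'` while the sibling recipes on this page (kosmos-bitcoin's nginx_lndhub.rb and the removed block in lndhub.rb) use `owner node["nginx"]["user"]` for the same sites-available files; `owner node["nginx"]["user"]` keeps this recipe correct if the nginx user attribute ever differs from the Debian default. The recipe also calls `nginx_certbot_site` without including `kosmos-base::letsencrypt` the way nginx_lndhub.rb does; on fornax that recipe is supplied by the run list, but a standalone use of kosmos_garage::nginx_web would depend on that ordering, so either add the include or comment the expectation.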
@@ -0,0 +1,33 @@
+upstream garage_web {
+ server localhost:3902;
+}
+
+proxy_cache_path /var/cache/nginx/garage levels=1:2 keys_zone=garage_cache:10m
+ max_size=1g inactive=60m use_temp_path=off;
+
+server {
+ listen 443 http2 ssl;
+ listen [::]:443 http2 ssl;
+
+ server_name <%= @server_name %>;
+
+ access_log off;
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+
+ error_page 401 403 404 500 /__empty-page.html;
+
+ location = /__empty-page.html {
+ internal;
+ return 200 "";
+ }
+
+ location / {
+ proxy_intercept_errors on;
+ proxy_cache garage_cache;
+ proxy_pass http://garage_web;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ }
+}
diff --git a/site-cookbooks/kosmos_postgresql/libraries/helpers.rb b/site-cookbooks/kosmos_postgresql/libraries/helpers.rb
index 7d3c397..18e245d 100644
--- a/site-cookbooks/kosmos_postgresql/libraries/helpers.rb
+++ b/site-cookbooks/kosmos_postgresql/libraries/helpers.rb
@@ -1,7 +1,7 @@
 class Chef
 class Recipe
 def postgresql_primary
- postgresql_primary = search(:node, "role:postgresql_primary AND chef_environment:#{node.chef_environment}").first
+ postgresql_primary = search(:node, "role:postgresql_primary").first
 unless postgresql_primary.nil?
 primary_ip = ip_for(postgresql_primary)
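Review bot: `upstream garage_web { … }` and `pro… keys_zone=garage_cache:10m` are declared at the top of a per-site template that nginx_web.rb renders once per entry in `node['garage']['s3_web_domains']`, so a second domain produces a duplicate upstream and a duplicate `garage_cache` zone and nginx rejects the configuration; with the single entry in environments/production.json this does not show yet. The shared upstream and `proxy_cache_path` declarations belong in a file rendered once (a separate conf.d template), leaving this template with only the `server` block. The cache also relies on nginx's default `proxy_cache_key` of `$scheme$proxy_host$request_uri`, which does not include `$host` even though Garage selects the bucket by `Host`; once more than one domain is served, a response cached for one bucket could be served for another, so `proxy_cache_key $scheme$host$request_uri;` inside `location /` would be the safe default.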