diff --git a/data_bags/credentials/tor.json b/data_bags/credentials/tor.json new file mode 100644 index 0000000..d4ddf42 --- /dev/null +++ b/data_bags/credentials/tor.json @@ -0,0 +1,10 @@ +{ + "id": "tor", + "services": { + "encrypted_data": "CvvJlXfs1KhAveBJ/IdTGa19F/bREnr7DCCuw3CiZ8D04gdn4Yw6WbGwvqhR\nahv5hUvvHTQS/YUxdXE3joTp9MyZ3DK5PbR8sOCWVfylG9YYOJD8nUhxQLA9\nMKU75j5v1K2pAZ4qLkG9HNUPWV4SYWgGY5ok9GzlhCd/g0NGaqZBFyARDxLu\n+diFg9bz2FfELfcgz0m9abbCZDKJkEozVyU+VgXMge0hU52GUrlQnYZe/c43\ngBavOScolmwv7ej7mKmpJMRvNXNSx1avjS/8tQP68KZGBTEbUYisRHKVKWpA\ngBZR/5oGlcn3gLt25xTWRv/GaH+pUfqwKCpjd1vhpEqhK7poDXQUm9mDB3bG\nzLQUwPhJ8gmD9nl+8t3fmKiPPFdaKapOtSpsCTutkzlmGwwo3bhQsYjcD+5U\nqDoHR5UjDwADszjUiRV3/iNHojXCEic0u1RFCNsojYNwP718grVnUcx+U/50\n5A2vgahLG89tmY7DN2padd0xgHM8SkZVGga8DGQNWAPzo12DEJWbtcIwR6gd\nbyOwdPDVvUibBhyGMbBwyfzoFMsS//fulq4xJpoQH1yd9Hd/05YlMJSuP2TW\nLpVBTq5rEA4EAVIVgTMfkkP2nHAeEeCfLkaV8fURKTonaX0g8b5vcPzkpv0F\nVPNeGEBs3tRaIe0dm5eN21HD2lpHyiSKOZwidQH/NAZWB/IK73LGExjd+GnP\ndnqGBQ1wWsYGaM/UQTxbCn+p0QDlJVUWKGgfimjn5ru7le3dZmkCyAB28gLz\nJgXoAAZz3+E+nhdnLeBKkVTLFGzZyNxMlSt33T1QlpCSgCMvzF9kVmzmoexm\nvEtsZrWHvIHN9EVVCC8KgkGyTkmFnTM48BGyGM2ovjLYsOeeef5tqUd6noBi\nJxfYbUIySXtuSXr7pIAE1+Qzp8duRdjaJ0CYbYWf\n", + "iv": "qtzvl79A/PZc5JjE\n", + "auth_tag": "QXY8QZigLC4nVMIELoZRUA==\n", + "version": 3, + "cipher": "aes-256-gcm" + } +} \ No newline at end of file diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index 0a933ae..0116bb3 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json 
@@ -11,7 +11,10 @@ } }, "openresty": { - "listen_ip": "148.251.237.111" + "listen_ip": "148.251.237.111", + "log_formats": { + "json": "{\"ip\":\"$remote_addr\",\"time\":\"$time_local\",\"host\":\"$host\",\"method\":\"$request_method\",\"uri\":\"$uri\",\"status\":$status,\"size\":$body_bytes_sent,\"referer\":\"$http_referer\",\"upstream_addr\":\"$upstream_addr\",\"upstream_response_time\":\"$upstream_response_time\",\"ua\":\"$http_user_agent\"}" + } } }, "automatic": { @@ -21,24 +24,52 @@ "hostname": "draco", "ipaddress": "148.251.237.73", "roles": [ + "base", + "kvm_host", "openresty_proxy", - "openresty" + "openresty", + "garage_gateway", + "tor_proxy" ], "recipes": [ "kosmos-base", "kosmos-base::default", - "kosmos_encfs", - "kosmos_encfs::default", "kosmos_kvm::host", "kosmos_kvm::backup", + "kosmos_openresty", + "kosmos_openresty::default", + "kosmos_openresty::firewall", + "kosmos_garage", + "kosmos_garage::default", + "kosmos_garage::firewall_rpc", + "kosmos_assets::nginx_site", + "kosmos_discourse::nginx", + "kosmos_drone::nginx", + "kosmos-ejabberd::nginx", + "kosmos_garage::nginx_web", + "kosmos_gitea::nginx", + "kosmos_gitea::nginx_ssh", + "kosmos_rsk::nginx_testnet", + "kosmos_rsk::nginx_mainnet", + "kosmos_website", + "kosmos_website::default", + "kosmos-akkounts::nginx", + "kosmos-akkounts::nginx_api", + "kosmos-bitcoin::nginx_lndhub", + "kosmos-hubot::nginx_botka_irc-libera-chat", + "kosmos-hubot::nginx_hal8000_xmpp", + "kosmos-ipfs::nginx_public_gateway", + "kosmos-mastodon::nginx", + "remotestorage_discourse::nginx", + "kosmos-base::tor_services", + "tor-full", + "tor-full::default", + "kosmos_encfs", + "kosmos_encfs::default", "kosmos-ejabberd::firewall", "kosmos-ipfs::firewall_swarm", "kosmos-bitcoin::firewall", "kosmos_zerotier::firewall", - "kosmos_openresty", - "kosmos_openresty::default", - "kosmos_openresty::firewall", - "kosmos_assets::nginx_site", "sockethub::firewall", "apt::default", "timezone_iii::default", 
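Review bot: The `json` log format added under `openresty.log_formats` interpolates request-controlled headers (`$http_referer`, `$http_user_agent`, `$host`) inside JSON string literals, and nginx's default `log_format` escaping renders a `"` or `\` in those values as `\x22`/`\x5C`, which is not valid JSON and will break whatever parses this log. Unless the openresty cookbook already emits the directive as `log_format json escape=json '...'`, the `escape=json` parameter has to be added where the cookbook renders this attribute (nginx ≥ 1.11.8); the attribute string itself cannot carry it. Since this is a knife-zero generated node file, the fix and a comment about the escaping requirement belong in the cookbook template that consumes `log_formats`.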
@@ -54,18 +85,20 @@ "postfix::_attributes", "postfix::sasl_auth", "hostname::default", - "firewall::default", "openresty::apt_package", "openresty::ohai_plugin", + "openresty::commons_cleanup", "openresty::commons_user", "openresty::commons_dir", "openresty::commons_script", "openresty::commons_conf", "logrotate::default", "openresty::luarocks", + "firewall::default", "git::default", "git::package", - "kosmos-base::letsencrypt" + "kosmos-base::letsencrypt", + "fail2ban::default" ], "platform": "ubuntu", "platform_version": "20.04", @@ -85,12 +118,12 @@ "run_list": [ "role[base]", "role[kvm_host]", + "role[openresty_proxy]", "recipe[kosmos_encfs]", "recipe[kosmos-ejabberd::firewall]", "recipe[kosmos-ipfs::firewall_swarm]", "recipe[kosmos-bitcoin::firewall]", "recipe[kosmos_zerotier::firewall]", - "role[openresty_proxy]", "recipe[sockethub::firewall]" ] -} +} \ No newline at end of file diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json index f648554..6528412 100644 --- a/nodes/fornax.kosmos.org.json +++ b/nodes/fornax.kosmos.org.json @@ -18,7 +18,12 @@ "hostname": "fornax", "ipaddress": "148.251.83.201", "roles": [ - "nginx_proxy", + "base", + "kvm_host", + "openresty_proxy", + "openresty", + "garage_gateway", + "tor_proxy", "zerotier_controller" ], "recipes": [ @@ -26,16 +31,19 @@ "kosmos-base::default", "kosmos_kvm::host", "kosmos_kvm::backup", - "tor-full", - "tor-full::default", - "kosmos_assets::nginx_site", - "kosmos_discourse::nginx", - "kosmos_drone::nginx", + "kosmos_openresty", + "kosmos_openresty::default", + "kosmos_openresty::firewall", "kosmos_garage", "kosmos_garage::default", "kosmos_garage::firewall_rpc", + "kosmos_assets::nginx_site", + "kosmos_discourse::nginx", + "kosmos_drone::nginx", + "kosmos-ejabberd::nginx", "kosmos_garage::nginx_web", "kosmos_gitea::nginx", + "kosmos_gitea::nginx_ssh", "kosmos_rsk::nginx_testnet", "kosmos_rsk::nginx_mainnet", "kosmos_website", 
@@ -43,12 +51,14 @@ "kosmos-akkounts::nginx", "kosmos-akkounts::nginx_api", "kosmos-bitcoin::nginx_lndhub", - "kosmos-ejabberd::nginx", "kosmos-hubot::nginx_botka_irc-libera-chat", "kosmos-hubot::nginx_hal8000_xmpp", "kosmos-ipfs::nginx_public_gateway", "kosmos-mastodon::nginx", "remotestorage_discourse::nginx", + "kosmos-base::tor_services", + "tor-full", + "tor-full::default", "kosmos_zerotier::controller", "kosmos_zerotier::firewall", "kosmos_zerotier::zncui", @@ -66,19 +76,16 @@ "postfix::_attributes", "postfix::sasl_auth", "hostname::default", - "kosmos-nginx::default", - "nginx::default", - "nginx::package", - "nginx::ohai_plugin", - "nginx::repo", - "nginx::commons", - "nginx::commons_dir", - "nginx::commons_script", - "nginx::commons_conf", - "kosmos-nginx::firewall", - "discourse::nginx", + "openresty::apt_package", + "openresty::ohai_plugin", + "openresty::commons_cleanup", + "openresty::commons_user", + "openresty::commons_dir", + "openresty::commons_script", + "openresty::commons_conf", + "logrotate::default", + "openresty::luarocks", "firewall::default", - "chef-sugar::default", "git::default", "git::package", "kosmos-base::letsencrypt", @@ -88,20 +95,21 @@ "platform_version": "20.04", "cloud": null, "chef_packages": { - "ohai": { - "version": "15.12.0", - "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai" - }, "chef": { - "version": "15.17.4", - "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.17.4/lib" + "version": "18.2.7", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib", + "chef_effortless": null + }, + "ohai": { + "version": "18.1.4", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai" } } }, "run_list": [ "role[base]", "role[kvm_host]", - "role[nginx_proxy]", + "role[openresty_proxy]", "role[zerotier_controller]" ] -} +} \ No newline at end of file diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb index 64ebad6..083ce41 100644 
--- a/roles/openresty_proxy.rb +++ b/roles/openresty_proxy.rb @@ -4,13 +4,6 @@ override_attributes( 'openresty' => { 'server_names_hash_bucket_size' => 128 }, - 'tor' => { - 'HiddenServices' => { - 'web' => { - 'HiddenServicePorts' => ['80 127.0.0.1:80', '443 127.0.0.1:443'] - } - } - } ) development_run_list = %w( @@ -20,31 +13,30 @@ development_run_list = %w( default_run_list = %w( role[openresty] - tor-full +) + +production_run_list = %w( + role[openresty] + role[garage_gateway] kosmos_assets::nginx_site kosmos_discourse::nginx kosmos_drone::nginx - kosmos_garage::default - kosmos_garage::firewall_rpc + kosmos-ejabberd::nginx kosmos_garage::nginx_web kosmos_gitea::nginx + kosmos_gitea::nginx_ssh kosmos_rsk::nginx_testnet kosmos_rsk::nginx_mainnet kosmos_website::default kosmos-akkounts::nginx kosmos-akkounts::nginx_api kosmos-bitcoin::nginx_lndhub - kosmos-ejabberd::nginx kosmos-hubot::nginx_botka_irc-libera-chat kosmos-hubot::nginx_hal8000_xmpp kosmos-ipfs::nginx_public_gateway kosmos-mastodon::nginx remotestorage_discourse::nginx -) - -production_run_list = %w( - role[openresty] - kosmos_assets::nginx_site + role[tor_proxy] ) env_run_lists( diff --git a/roles/tor_proxy.rb b/roles/tor_proxy.rb new file mode 100644 index 0000000..53acee6 --- /dev/null +++ b/roles/tor_proxy.rb @@ -0,0 +1,6 @@ +name "tor_proxy" + +run_list %w( + kosmos-base::tor_services + tor-full +) diff --git a/site-cookbooks/discourse/metadata.rb b/site-cookbooks/discourse/metadata.rb index f6b34c8..8631202 100644 --- a/site-cookbooks/discourse/metadata.rb +++ b/site-cookbooks/discourse/metadata.rb @@ -7,5 +7,4 @@ long_description 'Installs/Configures discourse' version '0.1.0' chef_version '>= 14.0' -depends 'kosmos-nginx' depends 'firewall' diff --git a/site-cookbooks/discourse/recipes/nginx.rb b/site-cookbooks/discourse/recipes/nginx.rb deleted file mode 100644 index ed06d6b..0000000 --- a/site-cookbooks/discourse/recipes/nginx.rb +++ /dev/null 
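Review bot: The new `tor_proxy` role runs `kosmos-base::tor_services` before `tor-full`, but that recipe's `tor_service` resource creates directories and key files owned by `debian-tor` under `node['tor']['DataDirectory']`, and on a fresh node that user and directory exist only after `tor-full` has installed the package, so a first converge would fail (it presumably works here because both proxies already had tor installed). Reversing the order to `tor-full` then `kosmos-base::tor_services` fixes bootstrapping the files, but the `HiddenServices` attributes the resource writes to `node.normal` are then only seen by the torrc template on the following run; whichever order is kept, the two-run assumption should be stated in the role, e.g. `# tor_services writes node.normal HiddenServices; torrc picks them up on the next converge`.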
@@ -1,39 +0,0 @@ -# -# Cookbook:: discourse -# Recipe:: nginx -# - -include_recipe "kosmos-nginx" - -domain = node['discourse']['domain'] -discourse_role = node['discourse']['role'] - -upstream_ip_addresses = [] -search(:node, "role:#{discourse_role}").each do |n| - upstream_ip_addresses << n["knife_zero"]["host"] -end -# No Discourse host, stop here -if upstream_ip_addresses.empty? - Chef::Log.warn("No server with '#{discourse_role}' role. Stopping here.") - return -end - -nginx_certbot_site domain - -template "#{node['nginx']['dir']}/sites-available/#{domain}" do - source "nginx_conf.erb" - owner 'www-data' - mode 0640 - variables server_name: domain, - ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", - ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", - upstream_port: node['discourse']['port'], - upstream_name: discourse_role, - upstream_ip_addresses: upstream_ip_addresses - - notifies :reload, 'service[nginx]', :delayed -end - -nginx_site domain do - action :enable -end diff --git a/site-cookbooks/kosmos-akkounts/metadata.rb b/site-cookbooks/kosmos-akkounts/metadata.rb index 6ae1ac6..7accd9c 100644 --- a/site-cookbooks/kosmos-akkounts/metadata.rb +++ b/site-cookbooks/kosmos-akkounts/metadata.rb @@ -7,7 +7,7 @@ long_description 'Installs/configures kosmos-akkounts' version '0.2.0' chef_version '>= 18.0' -depends 'kosmos-nginx' +depends 'kosmos_openresty' depends "kosmos-nodejs" depends "redisio" depends "postgresql" diff --git a/site-cookbooks/kosmos-akkounts/recipes/nginx.rb b/site-cookbooks/kosmos-akkounts/recipes/nginx.rb index 6ae1bfc..b2ca8ba 100644 --- a/site-cookbooks/kosmos-akkounts/recipes/nginx.rb +++ b/site-cookbooks/kosmos-akkounts/recipes/nginx.rb 
@@ -3,11 +3,13 @@ # Recipe:: nginx # -include_recipe "kosmos-nginx" -app_name = "akkounts" -domain = node[app_name]["domain"] +app_name = "akkounts" +domain = node[app_name]["domain"] -nginx_certbot_site domain +tls_cert_for domain do + auth "gandi_dns" + action :create +end upstream_hosts = [] search(:node, "role:akkounts").each do |node| @@ -15,10 +17,8 @@ search(:node, "role:akkounts").each do |node| end upstream_hosts.push("localhost") if upstream_hosts.empty? -template "#{node['nginx']['dir']}/sites-available/#{domain}" do - source "nginx_conf_#{app_name}.erb" - owner 'www-data' - mode 0640 +openresty_site domain do + template "nginx_conf_#{app_name}.erb" variables port: node[app_name]['port'], domain: domain, upstream_port: node["akkounts"]["port"], @@ -26,9 +26,4 @@ template "#{node['nginx']['dir']}/sites-available/#{domain}" do root_dir: "/opt/#{app_name}/public", ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem" - notifies :reload, 'service[nginx]', :delayed -end - -nginx_site domain do - action :enable end diff --git a/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb b/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb index f120afd..697518e 100644 --- a/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb +++ b/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb 
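Review bot: `tls_cert_for domain do auth "gandi_dns" ... end` hard-codes the DNS-01 challenge method, and the identical three-line block is repeated in six recipes in this commit (akkounts, akkounts_api, lndhub, two hubot sites, ipfs, mastodon); a single attribute such as `auth node['kosmos-base']['letsencrypt']['auth']` (name to taste) would let the method change in one place. The switch from the old HTTP-01 `nginx_certbot_site` to DNS-01 also means the proxy hosts now hold a Gandi API credential that can write any record in the zone, which is a wider blast radius than the previous setup — worth a comment on the resource noting that `gandi_dns` requires that key on the node, so the next reader knows what is at stake if the proxy is compromised.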
@@ -3,29 +3,24 @@ # Recipe:: nginx_api # -include_recipe "kosmos-nginx" domain = node["akkounts_api"]["domain"] -nginx_certbot_site domain - upstream_hosts = [] search(:node, "role:akkounts").each do |node| upstream_hosts << node["knife_zero"]["host"] end upstream_hosts.push("localhost") if upstream_hosts.empty? -template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do - source "nginx_conf_akkounts_api.erb" - owner "www-data" - mode 0640 +tls_cert_for domain do + auth "gandi_dns" + action :create +end + +openresty_site domain do + template "nginx_conf_akkounts_api.erb" variables domain: domain, upstream_port: node["akkounts"]["port"], upstream_hosts: upstream_hosts, ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem" - notifies :reload, "service[nginx]", :delayed -end - -nginx_site domain do - action :enable end diff --git a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb index d8e2552..36870a1 100644 --- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb +++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb @@ -5,12 +5,12 @@ upstream _akkounts { <% end %> } -proxy_cache_path /var/cache/nginx/akkounts levels=1:2 +proxy_cache_path <%= node[:openresty][:cache_dir] %>/akkounts levels=1:2 keys_zone=akkounts_cache:10m max_size=1g inactive=120m use_temp_path=off; server { - listen 443 ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 ssl http2; server_name <%= @domain %>; 
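Review bot: In `nginx_conf_akkounts.erb` the IPv4 `listen` is now pinned to `node['openresty']['listen_ip']` when set, but the next line `listen [::]:443 ssl http2;` still binds every IPv6 address, so the address isolation this attribute provides (presumably to leave the host's other addresses, e.g. 148.251.237.73 on draco, free for other services) only holds for IPv4. If pinning is the intent, add a matching v6 attribute (`listen <%= "[#{node['openresty']['listen_ip6']}]:" if node['openresty']['listen_ip6'] %>443 ssl http2;`) or drop the wildcard v6 listener; the same pattern is repeated in the lndhub, hubot, ipfs, akkounts_api and mastodon templates in this commit, so a shared `listen` snippet would keep them in sync.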
@@ -19,8 +19,8 @@ server { add_header Strict-Transport-Security "max-age=15768000"; - access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json; - error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn; + access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log json; + error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn; root <%= @root_dir %>; diff --git a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb index 7ef12ff..945de09 100644 --- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb +++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb @@ -6,7 +6,7 @@ upstream _akkounts_api { } server { - listen 443 ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 ssl http2; server_name <%= @domain %>; @@ -15,8 +15,8 @@ server { add_header 'Strict-Transport-Security' 'max-age=31536000'; - access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json; - error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn; + access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log json; + error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn; location /kredits/ { add_header 'Access-Control-Allow-Origin' '*' always; diff --git a/site-cookbooks/kosmos-base/recipes/tor_services.rb b/site-cookbooks/kosmos-base/recipes/tor_services.rb new file mode 100644 index 0000000..3b0d841 --- /dev/null +++ b/site-cookbooks/kosmos-base/recipes/tor_services.rb 
@@ -0,0 +1,24 @@ +# +# Cookbook Name:: kosmos-base +# Recipe:: tor_services +# + +tor_services = data_bag_item('credentials', 'tor')['services'] + +tor_service "ejabberd" do + hostname tor_services['ejabberd']['hostname'] + public_key tor_services['ejabberd']['public_key'] + secret_key tor_services['ejabberd']['secret_key'] + # TODO configure IP from node attribute + # (This is hardcoded for draco atm) + ports [ "5222 148.251.237.73:5222", + "5223 148.251.237.73:5223", + "5269 148.251.237.73:5269" ] +end + +tor_service "web" do + hostname tor_services['web']['hostname'] + public_key tor_services['web']['public_key'] + secret_key tor_services['web']['secret_key'] + ports ['80 127.0.0.1:80', '443 127.0.0.1:443'] +end diff --git a/site-cookbooks/kosmos-base/resources/tor_service.rb b/site-cookbooks/kosmos-base/resources/tor_service.rb new file mode 100644 index 0000000..bd53c8b --- /dev/null +++ b/site-cookbooks/kosmos-base/resources/tor_service.rb 
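Review bot: `kosmos-base::tor_services` is part of `role[tor_proxy]`, which this commit assigns to both draco and fornax, so both hosts deploy the same `hs_ed25519_secret_key` for the `ejabberd` and `web` onion services and publish descriptors for one onion address at the same time; Tor does not support that without OnionBalance — the HSDirs keep whichever descriptor arrived last and clients are handed introduction points the other host does not serve. If only one proxy is meant to be active, the role should be applied to one node (or guarded on a node attribute); otherwise the keys need to move to an OnionBalance front. The `ejabberd` service also forwards to draco's public address `148.251.237.73` as the TODO notes, which on fornax sends onion traffic across the network to the other host instead of a local port; `node['ipaddress']` or a role attribute would at least make it per-host.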
@@ -0,0 +1,52 @@ +require "base64" + +resource_name :tor_service +provides :tor_service + +property :name, [String], name_property: true +property :hostname, [String], required: true +property :public_key, [String], required: true # base64 encoded content of generated key file +property :secret_key, [String], required: true # base64 encoded content of generated key file +property :ports, [Array], required: true + +default_action :create + +action :create do + name = new_resource.name + ports = Array(new_resource.ports) + service_dir = "#{node['tor']['DataDirectory']}/#{name}" + user = "debian-tor" + group = "debian-tor" + + node.normal['tor']['HiddenServices'][name]['HiddenServicePorts'] = ports + + directory service_dir do + recursive true + owner user + group group + mode '4700' + end + + file "#{service_dir}/hostname" do + content new_resource.hostname + owner user + group group + mode '0600' + end + + file "#{service_dir}/hs_ed25519_public_key" do + content Base64.decode64(new_resource.public_key) + owner user + group group + mode '0600' + sensitive true + end + + file "#{service_dir}/hs_ed25519_secret_key" do + content Base64.decode64(new_resource.secret_key) + owner user + group group + mode '0600' + sensitive true + end +end diff --git a/site-cookbooks/kosmos-bitcoin/metadata.rb b/site-cookbooks/kosmos-bitcoin/metadata.rb index 1cf8f30..5c23e70 100644 --- a/site-cookbooks/kosmos-bitcoin/metadata.rb +++ b/site-cookbooks/kosmos-bitcoin/metadata.rb @@ -14,6 +14,7 @@ depends 'git' depends 'golang' depends 'kosmos-nginx' depends 'kosmos-nodejs' +depends 'kosmos_openresty' depends 'kosmos_postgresql' depends 'postgresql' depends 'redisio' diff --git a/site-cookbooks/kosmos-bitcoin/recipes/nginx_lndhub.rb b/site-cookbooks/kosmos-bitcoin/recipes/nginx_lndhub.rb index dcf54f7..83cee60 100644 --- a/site-cookbooks/kosmos-bitcoin/recipes/nginx_lndhub.rb +++ b/site-cookbooks/kosmos-bitcoin/recipes/nginx_lndhub.rb 
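Review bot: `mode '4700'` on the hidden-service directory sets the setuid bit on a directory, which looks like a typo for `'0700'`, the mode Tor itself creates for a `HiddenServiceDir`. Two smaller points in the same action: `Base64.decode64` silently skips invalid characters, so a corrupted data bag value would be written out as a truncated key with no error, whereas `Base64.strict_decode64` fails loudly; and `node.normal['tor']['HiddenServices'][name]['HiddenServicePorts'] = ports` persists in the node object, so removing a `tor_service` from the recipe will not remove it from the rendered torrc until the normal attribute is cleared by hand — that deserves a comment on the line, e.g. `# normal attribute: survives runs so torrc sees it at compile time; clear manually when retiring a service`.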
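Review bot: kosmos-bitcoin's metadata keeps `depends 'kosmos-nginx'` next to the new `depends 'kosmos_openresty'`, while every other cookbook in this commit replaces the former; after `nginx_lndhub.rb` stops including `kosmos-nginx`, nothing in the visible hunks uses it, so the line looks like a leftover that keeps the legacy nginx cookbook in the dependency solve. If another kosmos-bitcoin recipe still needs it, a comment such as `depends 'kosmos-nginx' # still used by <recipe>` would stop the next cleanup from removing it blindly.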
@@ -3,27 +3,20 @@ # Recipe:: nginx_lndhub # -include_recipe "kosmos-base::letsencrypt" -include_recipe "kosmos-nginx" - domain = node['lndhub-go']['domain'] -nginx_certbot_site domain - upstream_host = search(:node, "role:lndhub").first["knife_zero"]["host"] -template "#{node['nginx']['dir']}/sites-available/#{domain}" do - source 'nginx_conf_lndhub.erb' - owner node["nginx"]["user"] - mode 0640 - variables port: node['lndhub-go']['port'], - server_name: domain, +tls_cert_for domain do + auth "gandi_dns" + action :create +end + +openresty_site domain do + template 'nginx_conf_lndhub.erb' + variables server_name: domain, + port: node['lndhub-go']['port'], ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", upstream_host: upstream_host - notifies :reload, 'service[nginx]', :delayed -end - -nginx_site domain do - action :enable end diff --git a/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb index 07ec9a4..6401f97 100644 --- a/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb +++ b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb @@ -6,14 +6,14 @@ upstream _lndhub { } server { - listen 443 ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 ssl http2; server_name <%= @server_name %>; add_header Strict-Transport-Security "max-age=15768000"; - access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json; - error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn; + access_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.access.log json; + error_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.error.log warn; location / { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
diff --git a/site-cookbooks/kosmos-ejabberd/attributes/default.rb b/site-cookbooks/kosmos-ejabberd/attributes/default.rb index b0c9ecb..922a35e 100644 --- a/site-cookbooks/kosmos-ejabberd/attributes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/attributes/default.rb @@ -6,14 +6,6 @@ node.default["kosmos-ejabberd"]["stun_turn_port"] = 3478 node.default["kosmos-ejabberd"]["turn_min_port"] = 50000 node.default["kosmos-ejabberd"]["turn_max_port"] = 50050 -node.override["tor"]["HiddenServices"]["ejabberd"] = { - "HiddenServicePorts" => [ - "5222 127.0.0.1:5222", - "5223 127.0.0.1:5223", - "5269 127.0.0.1:5269" - ] -} - node.default["kosmos-ejabberd"]["uploads"] = { "domain" => "uploads.kosmos.chat", "max_upload_size_mb" => "100", diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index 7a6e588..5468f52 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb @@ -205,10 +205,3 @@ firewall_rule 'ejabberd_http' do protocol :tcp command :allow end - -# -# Tor hidden service -# -# The attributes for the hidden service are set in attributes/default.rb, due -# to the way the tor-full cookbook builds the path to the hidden service dir -include_recipe "tor-full" diff --git a/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb b/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb index 328985c..6189c36 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb 
@@ -17,28 +17,15 @@ rescue IPAddr::InvalidAddressError next end -template "#{node['nginx']['dir']}/streams-available/ejabberd" do - source "nginx_conf_streams.erb" - owner 'www-data' - mode 0640 - # variables ejabberd_hosts: ejabberd_hosts +openresty_stream "ejabberd" do + template "nginx_conf_streams.erb" variables ejabberd_hosts: ["10.1.1.113"], stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"], turn_min_port: node["kosmos-ejabberd"]["turn_min_port"], turn_max_port: node["kosmos-ejabberd"]["turn_max_port"] - notifies :reload, 'service[nginx]', :delayed -end - -nginx_stream "ejabberd" do action :enable end -firewall_rule "ejabberd" do - port [5222, 5223, 5269, 5443] - protocol :tcp - command :allow -end - firewall_rule 'ejabberd_stun_turn' do port node["kosmos-ejabberd"]["stun_turn_port"] protocol :udp diff --git a/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_streams.erb b/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_streams.erb index 1b200dc..52ac7ee 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_streams.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_streams.erb @@ -5,34 +5,6 @@ log_format proxy '$remote_addr [$time_local] ' access_log /var/log/nginx/streams.log proxy buffer=32k flush=1m; -upstream ejabberd_c2s { - hash $remote_addr consistent; -<% @ejabberd_hosts.each do |ip_address| %> - server <%= ip_address %>:5222; -<% end %> -} - -upstream ejabberd_c2s_tls { - hash $remote_addr consistent; -<% @ejabberd_hosts.each do |ip_address| %> - server <%= ip_address %>:5223; -<% end %> -} - -upstream ejabberd_s2s { - hash $remote_addr consistent; -<% @ejabberd_hosts.each do |ip_address| %> - server <%= ip_address %>:5269; -<% end %> -} - -upstream ejabberd_https { - hash $remote_addr consistent; -<% @ejabberd_hosts.each do |ip_address| %> - server <%= ip_address %>:5443; -<% end %> -} - upstream ejabberd_stun_turn { hash $remote_addr consistent; <% @ejabberd_hosts.each do |ip_address| %> 
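Review bot: `openresty_stream "ejabberd"` passes a hard-coded `ejabberd_hosts: ["10.1.1.113"]` while the lines above the hunk (outside it) appear to build an `ejabberd_hosts` list with `IPAddr` validation that is then never used, and the template pins `proxy_pass 10.1.1.113:$server_port` the same way; the removed `# variables ejabberd_hosts: ejabberd_hosts` was the only trace of why the search result is bypassed, so either pass the computed list (`variables ejabberd_hosts: ejabberd_hosts,`) or keep a comment explaining why the VM address is pinned. Separately, dropping `firewall_rule "ejabberd"` for 5222/5223/5269/5443 along with the TCP stream servers means those ports are no longer opened by this recipe, yet the new tor `ejabberd` service still forwards them to 148.251.237.73 — presumably `kosmos-ejabberd::firewall` in draco's run list covers this, but it is worth confirming in the same change since a missing rule would silently break the onion service.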
@@ -50,36 +22,12 @@ upstream ejabberd_turn { } server { - listen 5222; - proxy_protocol on; - proxy_pass ejabberd_c2s; -} - -server { - listen 5223; - proxy_protocol on; - proxy_pass ejabberd_c2s; -} - -server { - listen 5269; - proxy_protocol on; - proxy_pass ejabberd_s2s; -} - -server { - listen 5443; - proxy_protocol on; - proxy_pass ejabberd_https; -} - -server { - listen <%= @stun_turn_port %> udp; + listen <%= @stun_turn_port %> udp; proxy_pass ejabberd_stun_turn; } server { - listen <%= "#{@turn_min_port}-#{@turn_max_port}" %> udp; + listen <%= "#{@turn_min_port}-#{@turn_max_port}" %> udp; proxy_pass 10.1.1.113:$server_port; #proxy_pass ejabberd_turn; } diff --git a/site-cookbooks/kosmos-hubot/metadata.rb b/site-cookbooks/kosmos-hubot/metadata.rb index 4867b00..f3be70f 100644 --- a/site-cookbooks/kosmos-hubot/metadata.rb +++ b/site-cookbooks/kosmos-hubot/metadata.rb @@ -9,6 +9,7 @@ version '0.2.0' depends 'kosmos-base' depends 'kosmos-nodejs' depends 'kosmos-ipfs' +depends 'kosmos_openresty' depends 'firewall' depends 'git' depends 'redisio' diff --git a/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb b/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb index df0ba8f..62470a9 100644 --- a/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb +++ b/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb 
@@ -1,24 +1,17 @@ -include_recipe "kosmos-base::letsencrypt" -include_recipe "kosmos-nginx" - domain = "irc-libera-chat.botka.kosmos.chat" -nginx_certbot_site domain - upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"] -template "#{node['nginx']['dir']}/sites-available/#{domain}" do - source 'nginx_conf_hubot.erb' - owner node["nginx"]["user"] - mode 0640 +tls_cert_for domain do + auth "gandi_dns" + action :create +end + +openresty_site domain do + template 'nginx_conf_hubot.erb' variables express_port: node['botka_irc-libera-chat']['http_port'], server_name: domain, ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", upstream_host: upstream_host - notifies :reload, 'service[nginx]', :delayed -end - -nginx_site domain do - action :enable end diff --git a/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb b/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb index 75f9d12..f6bc2b3 100644 --- a/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb +++ b/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb 
@@ -1,24 +1,18 @@ -include_recipe "kosmos-base::letsencrypt" -include_recipe "kosmos-nginx" - app_name = "hal8000_xmpp" - -nginx_certbot_site node[app_name]['domain'] +domain = node[app_name]['domain'] upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"] -template "#{node['nginx']['dir']}/sites-available/#{node[app_name]['domain']}" do - source 'nginx_conf_hubot.erb' - owner node["nginx"]["user"] - mode 0640 +tls_cert_for domain do + auth "gandi_dns" + action :create +end + +openresty_site domain do + template 'nginx_conf_hubot.erb' variables express_port: node[app_name]['http_port'], server_name: node[app_name]['domain'], ssl_cert: "/etc/letsencrypt/live/#{node[app_name]['domain']}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{node[app_name]['domain']}/privkey.pem", upstream_host: upstream_host - notifies :reload, 'service[nginx]', :delayed -end - -nginx_site node[app_name]['domain'] do - action :enable end diff --git a/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb b/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb index 3c8c426..bbb167e 100644 --- a/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb +++ b/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb @@ -6,14 +6,14 @@ upstream _express_<%= @server_name.gsub(".", "_") %> { } server { - listen 443 ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 ssl http2; server_name <%= @server_name %>; add_header Strict-Transport-Security "max-age=15768000"; - access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json; - error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn; + access_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.access.log json; + error_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.error.log warn; location / { # Increase number of buffers. Default is 8 
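Review bot: The hal8000 recipe introduces `domain = node[app_name]['domain']` but then keeps dereferencing `node[app_name]['domain']` for the template variables, so the new local only names the two resources; the sibling botka recipe in this commit uses `domain` throughout, and for consistency the three lines should read `server_name: domain,`, `ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",` and `ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"`.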
diff --git a/site-cookbooks/kosmos-ipfs/metadata.rb b/site-cookbooks/kosmos-ipfs/metadata.rb index 65947e0..9341d73 100644 --- a/site-cookbooks/kosmos-ipfs/metadata.rb +++ b/site-cookbooks/kosmos-ipfs/metadata.rb @@ -9,6 +9,6 @@ version '0.3.0' depends 'ipfs' depends 'fail2ban' depends 'kosmos-base' -depends 'kosmos-nginx' depends 'kosmos-nodejs' +depends 'kosmos_openresty' depends 'firewall' diff --git a/site-cookbooks/kosmos-ipfs/recipes/nginx_public_gateway.rb b/site-cookbooks/kosmos-ipfs/recipes/nginx_public_gateway.rb index c20efe3..c62708a 100644 --- a/site-cookbooks/kosmos-ipfs/recipes/nginx_public_gateway.rb +++ b/site-cookbooks/kosmos-ipfs/recipes/nginx_public_gateway.rb @@ -3,7 +3,6 @@ # Recipe:: nginx_public_gateway # -include_recipe "kosmos-nginx" include_recipe 'firewall' domain = node["kosmos-ipfs"]["nginx"]["domain"] @@ -13,12 +12,13 @@ search(:node, "role:ipfs_gateway").each do |node| ipfs_node_ip_addresses << node["knife_zero"]["host"] end -nginx_certbot_site domain +tls_cert_for domain do + auth "gandi_dns" + action :create +end -template "#{node['nginx']['dir']}/sites-available/#{domain}" do - source "nginx_conf_#{domain}.erb" - owner 'www-data' - mode 0640 +openresty_site domain do + template "nginx_conf_#{domain}.erb" variables server_name: domain, ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", @@ -26,12 +26,6 @@ template "#{node['nginx']['dir']}/sites-available/#{domain}" do ipfs_gateway_port: node['kosmos-ipfs']['gateway_port'], ipfs_external_api_port: node['kosmos-ipfs']['nginx']['external_api_port'], upstream_hosts: ipfs_node_ip_addresses - - notifies :reload, 'service[nginx]', :delayed -end - -nginx_site domain do - action :enable end firewall_rule 'ipfs_api' do diff --git a/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb b/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb index 6f0d69b..f54cea3 100644 
--- a/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb +++ b/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb @@ -10,10 +10,9 @@ upstream _ipfs_api { } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name <%= @server_name %>; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; + listen [::]:443 ssl http2; access_log /var/log/nginx/<%= @server_name %>.access.log; error_log /var/log/nginx/<%= @server_name %>.error.log; @@ -28,7 +27,7 @@ server { server { <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> - listen <%= @ipfs_external_api_port %> ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %><%= @ipfs_external_api_port %> ssl http2; <% else -%> listen <%= @ipfs_external_api_port %>; <% end -%> diff --git a/site-cookbooks/kosmos-mastodon/metadata.rb b/site-cookbooks/kosmos-mastodon/metadata.rb index 81fc2bf..1f31d47 100644 --- a/site-cookbooks/kosmos-mastodon/metadata.rb +++ b/site-cookbooks/kosmos-mastodon/metadata.rb @@ -11,9 +11,8 @@ depends 'elasticsearch' depends 'java' depends 'firewall' depends 'redisio' -depends 'tor-full' depends 'postgresql' -depends 'kosmos-nginx' depends 'kosmos-nodejs' +depends 'kosmos_openresty' depends 'kosmos_postgresql' depends 'ruby_build' diff --git a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb index 3c81e81..405be3a 100644 --- a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb +++ b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb 
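Review bot: The first hunk of `nginx_conf_ipfs.kosmos.org.erb` drops `server_name <%= @server_name %>;` from the 443 server block (the `-10,10 +10,9` header confirms three lines out, two in), which looks accidental: with no name the block can only be selected as the default server for `listen_ip:443`, so requests and SNI for the IPFS domain fall through to whichever site is first for that socket, and if this file happens to be first it will instead answer for every unmatched Host on the proxy. Re-add `server_name <%= @server_name %>;` after the two `listen` lines. The second hunk's `listen` change is fine, but note the `<% else %>` branch still binds the external API port on all addresses when no certificate exists.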
@@ -3,57 +3,51 @@ # Recipe:: nginx # -include_recipe "kosmos-nginx" - app_dir = node["kosmos-mastodon"]["directory"] server_name = node["kosmos-mastodon"]["domain"] -is_proxy = node.roles.include?('nginx_proxy') rescue nil -upstream_hosts = [] -if is_proxy +upstream_hosts = [] +search(:node, "role:mastodon").each do |node| + upstream_hosts << node["knife_zero"]["host"] +end +if upstream_hosts.any? web_root_dir = "/var/www/#{server_name}/public" - search(:node, "role:mastodon").each do |node| - upstream_hosts << node["knife_zero"]["host"] - end else web_root_dir = "#{app_dir}/public" upstream_hosts << "localhost" end -directory "#{node['nginx']['dir']}/snippets" do +directory "#{node['openresty']['dir']}/snippets" do action :create owner 'www-data' mode 0640 end -template "#{node['nginx']['dir']}/snippets/mastodon.conf" do +template "#{node['openresty']['dir']}/snippets/mastodon.conf" do source 'nginx_conf_shared.erb' owner 'www-data' mode 0640 variables web_root_dir: web_root_dir, server_name: server_name - notifies :reload, 'service[nginx]', :delayed + notifies :reload, 'service[openresty]', :delayed end -nginx_certbot_site server_name +tls_cert_for server_name do + auth "gandi_dns" + action :create +end -onion_address = File.read("/var/lib/tor/web/hostname").strip rescue nil rescue nil +tor_services = data_bag_item('credentials', 'tor')['services'] +onion_address = tor_services['web']['hostname'] -template "#{node['nginx']['dir']}/sites-available/#{server_name}" do - source 'nginx_conf_mastodon.erb' - owner 'www-data' - mode 0640 +openresty_site server_name do + template 'nginx_conf_mastodon.erb' variables server_name: server_name, ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem", - shared_config_path: "#{node['nginx']['dir']}/snippets/mastodon.conf", + shared_config_path: "#{node['openresty']['dir']}/snippets/mastodon.conf", app_port: node["kosmos-mastodon"]["app_port"], streaming_port: 
node["kosmos-mastodon"]["streaming_port"], onion_address: onion_address, upstream_hosts: upstream_hosts - notifies :reload, 'service[nginx]', :delayed -end - -nginx_site server_name do - action :enable end diff --git a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb index 619f03d..11d23a3 100644 --- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb +++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb @@ -20,7 +20,7 @@ proxy_cache_path /var/cache/nginx/mastodon levels=1:2 max_size=1g inactive=120m use_temp_path=off; server { - listen 443 ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 ssl http2; server_name <%= @server_name %>; include <%= @shared_config_path %>; @@ -36,12 +36,12 @@ server { <% if @onion_address %> server { - listen 80; + listen 127.0.0.1:80; server_name mastodon.<%= @onion_address %>; include <%= @shared_config_path %>; } server { - listen 443 ssl http2; + listen 127.0.0.1:443 ssl http2; server_name mastodon.<%= @onion_address %>; include <%= @shared_config_path %>; diff --git a/site-cookbooks/kosmos-parity/CHANGELOG.md b/site-cookbooks/kosmos-parity/CHANGELOG.md deleted file mode 100644 index 2d37a6a..0000000 --- a/site-cookbooks/kosmos-parity/CHANGELOG.md +++ /dev/null @@ -1,4 +0,0 @@ -# kosmos-parity CHANGELOG - -## 0.1.0 -- [Greg Karékinian] - Initial release of kosmos-parity diff --git a/site-cookbooks/kosmos-parity/LICENSE b/site-cookbooks/kosmos-parity/LICENSE deleted file mode 100644 index f3b5d1c..0000000 --- a/site-cookbooks/kosmos-parity/LICENSE +++ /dev/null 
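Review bot: `onion_address = tor_services['web']['hostname']` raises NoMethodError when the 'tor' data bag item has no 'web' entry, whereas the code it replaces degraded to nil and the template's `<% if @onion_address %>` guard (visible in the template hunk that follows) suggests the onion vhost is meant to be optional; `onion_address = tor_services.dig('web', 'hostname')` keeps that behaviour. The recipe drops `include_recipe "kosmos-nginx"` without including a recipe that declares `service[openresty]`, so the snippet template's `notifies :reload, 'service[openresty]', :delayed` depends on run-list ordering; `include_recipe "kosmos_openresty"` at the top would make the dependency explicit, assuming that cookbook's default recipe declares the service. The new search loop shadows the recipe DSL's `node` method with its block parameter; `upstream_hosts = search(:node, "role:mastodon").map { |n| n["knife_zero"]["host"] }` avoids both the shadowing and the manual accumulation. While touching the snippets resources: a directory with `mode 0640` has no execute bit, and having the worker user `www-data` own server configuration lets a compromised worker alter files the root master process later reloads (if the master runs as root, as is usual); root-owned `0755` for the directory and `0644` for the snippet would be the safer default.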
@@ -1,20 +0,0 @@ -Copyright (c) 2019 Kosmos Developers - -Permission is hereby granted, free of charge, to any person obtaining -a copy of this software and associated documentation files (the -"Software"), to deal in the Software without restriction, including -without limitation the rights to use, copy, modify, merge, publish, -distribute, sublicense, and/or sell copies of the Software, and to -permit persons to whom the Software is furnished to do so, subject to -the following conditions: - -The above copyright notice and this permission notice shall be -included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE -LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION -OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION -WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/site-cookbooks/kosmos-parity/README.md b/site-cookbooks/kosmos-parity/README.md deleted file mode 100644 index a304316..0000000 --- a/site-cookbooks/kosmos-parity/README.md +++ /dev/null @@ -1,52 +0,0 @@ -# kosmos-parity Cookbook - -This cookbook installs [Parity](https://parity.io/) nodes - -## Requirements - -### Platforms - -- Ubuntu - -### Chef - -- Chef 12.1 or later - -## Attributes - -### kosmos-parity::default - - - - - - - - - - - - - - -
KeyTypeDescriptionDefault
['kosmos-parity']['home_path']StringThe parity user's home path/home/parity
- -## Usage - -### kosmos-parity::default - -### kosmos-parity::node_dev - -Sets up a parity node running on the dev chain on port 8545 (behind nginx, with -HTTPS) - -### kosmos-parity::node_testnet - -Sets up a parity node running on the testnet chain on port 8546 (behind nginx, -with HTTPS) - -## License and Authors - -Authors: - -* Greg Karékinian diff --git a/site-cookbooks/kosmos-parity/attributes/default.rb b/site-cookbooks/kosmos-parity/attributes/default.rb deleted file mode 100644 index 1be87e1..0000000 --- a/site-cookbooks/kosmos-parity/attributes/default.rb +++ /dev/null @@ -1,7 +0,0 @@ -node.default['kosmos-parity']['home_path'] = "/home/parity" -node.default['kosmos-parity']['version'] = "1.6.6" -node.default['kosmos-parity']['package_checksum'] = '7fd51ded7a367774e62c965088ffd15ad0fa42251005d448eb700cbf5db8df24' -node.default['kosmos-parity']['package_version'] = '1.7.0' -node.default['kosmos-parity']['package_timestamp'] = '1493999009' -node.default['kosmos-parity']['debian_package_dir'] = Chef::Config[:file_cache_path] -node.default['kosmos-parity']['hostname'] = "parity.kosmos.org" diff --git a/site-cookbooks/kosmos-parity/metadata.rb b/site-cookbooks/kosmos-parity/metadata.rb deleted file mode 100644 index 83355da..0000000 --- a/site-cookbooks/kosmos-parity/metadata.rb +++ /dev/null @@ -1,14 +0,0 @@ -name 'kosmos-parity' -maintainer 'Kosmos' -maintainer_email 'mail@kosmos.org' -license 'MIT' -description 'Installs/Configures kosmos-parity' -long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) -version '0.1.0' - -gem 'toml' - -depends 'ark' -depends 'kosmos-nginx' -depends 'firewall' -depends 'backup' diff --git a/site-cookbooks/kosmos-parity/recipes/backup.rb b/site-cookbooks/kosmos-parity/recipes/backup.rb deleted file mode 100644 index 77782b1..0000000 --- a/site-cookbooks/kosmos-parity/recipes/backup.rb +++ /dev/null 
@@ -1,6 +0,0 @@ - -return if node.chef_environment == "development" - -# Backup the local directory -node.override["backup"]["archives"]["parity"] = ["#{node['kosmos-parity']['home_path']}/.local/share/io.parity.ethereum/**/keys"] -include_recipe "backup" diff --git a/site-cookbooks/kosmos-parity/recipes/create_package_from_github.rb b/site-cookbooks/kosmos-parity/recipes/create_package_from_github.rb deleted file mode 100644 index b99cdd4..0000000 --- a/site-cookbooks/kosmos-parity/recipes/create_package_from_github.rb +++ /dev/null 
@@ -1,86 +0,0 @@ -# -# Cookbook Name:: kosmos-parity -# Recipe:: create_package_from_github -# -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. 
- -include_recipe 'kosmos-parity::user' -build_essential 'kosmos-parity' -package %w(git libssl-dev pkg-config libudev-dev) -gem_package 'fpm' do - version '1.8.1' -end - -rust_version = '1.17.0' -architecture = node['kernel']['machine'] -rust_canonical_basename = "rust-#{rust_version}-#{architecture}-unknown-linux-gnu" -rust_path = "/usr/local/rust_#{rust_version}" - -url = "https://static.rust-lang.org/dist/#{rust_canonical_basename}.tar.gz" - -ark "rust_#{rust_version}" do - url url - path "/usr/local" - action :put - notifies :run, "execute[install rust]", :immediately -end - -execute "install rust" do - command "./install.sh" - cwd "#{rust_path}" - action :nothing -end - -parity_revision = "0d8920347a72fc50e82b540855eba94c8bbb2c0f" - -git "/home/parity/parity" do - repository "https://github.com/paritytech/parity.git" - revision parity_revision - user "parity" - group "parity" - notifies :run, "execute[build parity]", :immediately -end - -execute "build parity" do - cwd "/home/parity/parity" - environment "HOME" => "/home/parity" - command "cargo build --release" - action :nothing - user "parity" - group "parity" - notifies :run, "execute[copy parity]", :immediately -end - -execute "copy parity" do - command "cp /home/parity/parity/target/release/parity /usr/bin/" - action :run - notifies :run, "execute[create package]", :immediately -end - -timestamp = Time.now.strftime('%s') -parity_version = node['kosmos-parity']['package_version'] -execute "create package" do - cwd node['kosmos-parity']['debian_package_dir'] - command "fpm -s dir -t deb -n parity -v #{parity_version}-#{timestamp} -p parity_#{parity_version}-#{timestamp}.deb /usr/bin/parity" - action :nothing -end diff --git a/site-cookbooks/kosmos-parity/recipes/default.rb b/site-cookbooks/kosmos-parity/recipes/default.rb deleted file mode 100644 index fd3b1ff..0000000 --- a/site-cookbooks/kosmos-parity/recipes/default.rb +++ /dev/null 
@@ -1,42 +0,0 @@ -# -# Cookbook Name:: kosmos-parity -# Recipe:: default -# -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. - -include_recipe 'kosmos-parity::user' - -parity_version = node['kosmos-parity']['version'] -parity_package_path = "#{Chef::Config[:file_cache_path]}/parity_#{parity_version}_amd64.deb" -remote_file parity_package_path do - source "https://d1h4xl4cr1h0mo.cloudfront.net/v#{parity_version}/x86_64-unknown-linux-gnu/parity_#{parity_version}_amd64.deb" - checksum node['kosmos-parity']['checksum'] - mode 0750 - notifies :install, "dpkg_package[parity]", :immediately -end - -dpkg_package "parity" do - source parity_package_path -end - -include_recipe "kosmos-parity::backup" diff --git a/site-cookbooks/kosmos-parity/recipes/from_package.rb b/site-cookbooks/kosmos-parity/recipes/from_package.rb deleted file mode 100644 index 0b7faa4..0000000 
--- a/site-cookbooks/kosmos-parity/recipes/from_package.rb +++ /dev/null @@ -1,46 +0,0 @@ -# -# Cookbook Name:: kosmos-parity -# Recipe:: default -# -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. - -include_recipe 'kosmos-parity::user' - -parity_version = node['kosmos-parity']['package_version'] -package_timestamp = node['kosmos-parity']['package_timestamp'] -parity_filename = "parity_#{parity_version}-#{package_timestamp}.deb" - -parity_package_path = "#{Chef::Config[:file_cache_path]}/#{parity_filename}" -remote_file parity_package_path do - source "https://dl.5apps.com/#{parity_filename}" - checksum node['kosmos-parity']['checksum'] - mode 0750 - notifies :install, "dpkg_package[parity]", :immediately -end - -dpkg_package "parity" do - source parity_package_path - version "#{parity_version}-#{package_timestamp}" -end - -include_recipe "kosmos-parity::backup" 
diff --git a/site-cookbooks/kosmos-parity/recipes/node_dev.rb b/site-cookbooks/kosmos-parity/recipes/node_dev.rb deleted file mode 100644 index 4a9e846..0000000 --- a/site-cookbooks/kosmos-parity/recipes/node_dev.rb +++ /dev/null 
@@ -1,75 +0,0 @@ -# -# Cookbook Name:: kosmos-parity -# Recipe:: node_dev -# -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. 
- -# Sets up a parity node running on the dev chain on port 8545 (behind nginx, -# with HTTPS) - -rpc_proxy_port = 8545 -rpc_port = 18545 -dapps_port = 8180 - -parity_node "dev" do - password "parityparity" - config parity: { - chain: "dev", - no_download: true, # Don't download updates - }, - network: { - port: 30303, - warp: true, - allow_ips: "public" # Don't connect to local IPs - }, - rpc: { - port: rpc_port, - cors: "*", - apis: ["web3", "net", "traces", "rpc", "eth"], - hosts: ["all"], - }, - dapps: { - port: dapps_port, - }, - ui: { - disable: true, - }, - websockets: { - disable: true, - }, - mining: { - reseal_min_period: 0, - } - rpc_proxy_port rpc_proxy_port -end - -# The firewall_rule doesn't appear to work inside a resource, that's why we're -# doing it here -unless node.chef_environment == "development" - include_recipe 'firewall' - firewall_rule "parity_dev" do - port rpc_proxy_port - protocol :tcp - command :allow - end -end diff --git a/site-cookbooks/kosmos-parity/recipes/node_mainnet.rb b/site-cookbooks/kosmos-parity/recipes/node_mainnet.rb deleted file mode 100644 index ae65cc1..0000000 --- a/site-cookbooks/kosmos-parity/recipes/node_mainnet.rb +++ /dev/null 
@@ -1,74 +0,0 @@ -# -# Cookbook Name:: kosmos-parity -# Recipe:: node_mainnet -# -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. 
- -# Sets up a parity node running on the mainnet chain on port 8547 (behind -# nginx, with HTTPS) - -rpc_proxy_port = 8547 -rpc_port = 18547 -dapps_port = 8182 - -credentials = Chef::EncryptedDataBagItem.load('credentials', 'parity') - -parity_node "mainnet" do - password credentials["mainnet_password"] - config parity: { - chain: "homestead", - no_download: true, # Don't Download Updates - }, - network: { - port: 30305, - warp: true, - allow_ips: "public" # Don't connect to local IPs - }, - rpc: { - port: rpc_port, - cors: "*", - apis: ["web3", "net", "traces", "rpc", "eth"], - hosts: ["all"], - }, - dapps: { - port: dapps_port, - }, - ui: { - disable: true, - }, - websockets: { - disable: true, - } - rpc_proxy_port rpc_proxy_port -end - -# The firewall_rule doesn't appear to work inside a resource, that's why we're -# doing it here -unless node.chef_environment == "development" - include_recipe 'firewall' - firewall_rule "parity_mainnet" do - port rpc_proxy_port - protocol :tcp - command :allow - end -end diff --git a/site-cookbooks/kosmos-parity/recipes/node_testnet.rb b/site-cookbooks/kosmos-parity/recipes/node_testnet.rb deleted file mode 100644 index fb5da62..0000000 --- a/site-cookbooks/kosmos-parity/recipes/node_testnet.rb +++ /dev/null 
@@ -1,75 +0,0 @@ -# -# Cookbook Name:: kosmos-parity -# Recipe:: node_testnet -# -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. 
- -# Sets up a parity node running on the testnet chain on port 8546 (behind -# nginx, with HTTPS) - -rpc_proxy_port = 8546 -rpc_port = 18546 -dapps_port = 8181 -network_port = 30304 - -credentials = Chef::EncryptedDataBagItem.load('credentials', 'parity') - -parity_node "testnet" do - password credentials["testnet_password"] - config parity: { - chain: "ropsten", - no_download: true, # Don't download updates - }, - network: { - port: network_port, - warp: true, - allow_ips: "public" # Don't connect to local IPs - }, - rpc: { - port: rpc_port, - cors: "*", - apis: ["web3", "net", "traces", "rpc", "eth"], - hosts: ["all"], - }, - dapps: { - port: dapps_port, - }, - ui: { - disable: true, - }, - websockets: { - disable: true, - } - rpc_proxy_port rpc_proxy_port -end - -# The firewall_rule doesn't appear to work inside a resource, that's why we're -# doing it here -unless node.chef_environment == "development" - include_recipe 'firewall' - firewall_rule "parity_testnet" do - port [ rpc_proxy_port, network_port ] - protocol :tcp - command :allow - end -end diff --git a/site-cookbooks/kosmos-parity/recipes/user.rb b/site-cookbooks/kosmos-parity/recipes/user.rb deleted file mode 100644 index bf656ff..0000000 --- a/site-cookbooks/kosmos-parity/recipes/user.rb +++ /dev/null 
@@ -1,37 +0,0 @@ -# -# Cookbook Name:: kosmos-parity -# Recipe:: user -# -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. - -group "parity" do - gid 72748 -end - -user "parity" do - system true - manage_home true - comment "parity user" - uid 72748 - gid 72748 -end diff --git a/site-cookbooks/kosmos-parity/resources/node.rb b/site-cookbooks/kosmos-parity/resources/node.rb deleted file mode 100644 index 64b606b..0000000 --- a/site-cookbooks/kosmos-parity/resources/node.rb +++ /dev/null 
@@ -1,136 +0,0 @@ -require 'toml' - -provides :parity_node - -property :name, String, name_property: true, required: true -property :config, Hash, required: true -property :password, String, required: true -property :rpc_proxy_port, Integer - -action :enable do - node_name = name - parity_service = "parity_#{node_name}" - base_path = "#{node['kosmos-parity']['home_path']}/.local/share/io.parity.ethereum/#{node_name}" - config_path = "#{base_path}/config.toml" - - config[:parity][:base_path] = base_path - config[:account] = {} - config[:account][:password] = ["#{base_path}/password"] - - if config[:parity][:chain] == "dev" - config[:parity][:chain] = "#{base_path}/chain-config.json" - end - - directory base_path do - recursive true - owner "parity" - group "parity" - end - - %w(chains keys).each do |subfolder| - directory "#{base_path}/#{subfolder}" do - recursive true - owner "parity" - group "parity" - end - end - - password_path = "#{base_path}/password" - - file password_path do - content password - owner "parity" - group "parity" - mode 0640 - end - - ruby_block "generate config" do - block do - parity_args = "--chain #{config[:parity][:chain]} --base-path #{base_path}" - - parity_account_list = Mixlib::ShellOut.new( - "parity account list #{parity_args}", - user: "parity" - ) - parity_account_list.run_command - - parity_account = parity_account_list.stdout.strip.gsub(/[(\[|\])]/, '') - - if parity_account.empty? - parity_account_create = Mixlib::ShellOut.new( - "parity account new #{parity_args} --password #{base_path}/password", - user: "parity" - ) - parity_account_create.run_command - - parity_account = parity_account_create.stdout.strip - end - - config[:account][:unlock] = [parity_account] - - # Using our own chain config (i.e. 
dev) - if config[:parity][:chain].include?(".json") - template "#{base_path}/chain-config.json" do - source 'chain-config.json.erb' - variables parity_account: parity_account - owner "parity" - group "parity" - mode 0640 - notifies :restart, "service[#{parity_service}]", :delayed - end - end - - file "config" do - path config_path - content TOML::Generator.new(config).body - owner "parity" - group "parity" - mode 0640 - notifies :restart, "service[#{parity_service}]", :delayed - end - end - end - - execute "systemctl daemon-reload" do - command "systemctl daemon-reload" - action :nothing - end - - template "/lib/systemd/system/#{parity_service}.service" do - source "parity.systemd.service.erb" - variables config_file: config_path - notifies :run, "execute[systemctl daemon-reload]", :delayed - notifies :restart, "service[#{parity_service}]", :delayed - end - - service parity_service do - action [:enable, :start] - end - - if rpc_proxy_port - include_recipe "kosmos-nginx" - - hostname = node['kosmos-parity']['hostname'] - - template "#{node['nginx']['dir']}/sites-available/#{parity_service}" do - source 'nginx_conf_parity.erb' - owner 'www-data' - mode 0640 - variables internal_port: config[:rpc][:port], - external_port: rpc_proxy_port, - parity_service: parity_service, - server_name: hostname, - ssl_cert: "/etc/letsencrypt/live/#{hostname}/fullchain.pem", - ssl_key: "/etc/letsencrypt/live/#{hostname}/privkey.pem" - notifies :reload, 'service[nginx]', :delayed - end - - nginx_site parity_service do - action :enable - end - - nginx_certbot_site hostname do - site parity_service - end - end -end diff --git a/site-cookbooks/kosmos-parity/templates/default/chain-config.json.erb b/site-cookbooks/kosmos-parity/templates/default/chain-config.json.erb deleted file mode 100644 index 9075929..0000000 --- a/site-cookbooks/kosmos-parity/templates/default/chain-config.json.erb +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "name": "KreditsChain", - "engine": { - "instantSeal": { "params": {} } - }, - "params": { - "accountStartNonce": "0x00", - "maximumExtraDataSize": "0x20", - "minGasLimit": "0x1388", - "networkID" : "0x11" - }, - "genesis": { - "seal": { - "ethereum": { - "nonce": "0x00006d6f7264656e", - "mixHash": "0x00000000000000000000000000000000000000647572616c65787365646c6578" - } - }, - "difficulty": "0x20000", - "author": "0x0000000000000000000000000000000000000000", - "timestamp": "0x00", - "parentHash": "0x0000000000000000000000000000000000000000000000000000000000000000", - "extraData": "0x", - "gasLimit": "0x5B8D80" - }, - "accounts": { - "0000000000000000000000000000000000000001": { "balance": "1", "builtin": { "name": "ecrecover", "pricing": { "linear": { "base": 3000, "word": 0 } } } }, - "0000000000000000000000000000000000000002": { "balance": "1", "builtin": { "name": "sha256", "pricing": { "linear": { "base": 60, "word": 12 } } } }, - "0000000000000000000000000000000000000003": { "balance": "1", "builtin": { "name": "ripemd160", "pricing": { "linear": { "base": 600, "word": 120 } } } }, - "0000000000000000000000000000000000000004": { "balance": "1", "builtin": { "name": "identity", "pricing": { "linear": { "base": 15, "word": 3 } } } }, - "<%= @parity_account %>":{"balance": "1606938044258990275541962092341162602522" } - } -} - diff --git a/site-cookbooks/kosmos-parity/templates/default/nginx_conf_parity.erb b/site-cookbooks/kosmos-parity/templates/default/nginx_conf_parity.erb deleted file mode 100644 index 7fbe815..0000000 --- a/site-cookbooks/kosmos-parity/templates/default/nginx_conf_parity.erb +++ /dev/null 
@@ -1,30 +0,0 @@ -# Generated by Chef -upstream _<%= @parity_service %> { - server localhost:<%= @internal_port %>; -} - -server { - <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> - listen <%= @external_port %> ssl http2; - <% else -%> - listen <%= @external_port %>; - <% end -%> - - server_name <%= @server_name %>; - - access_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.access.log json; - error_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.error.log warn; - - location / { - # Increase number of buffers. Default is 8 - proxy_buffers 1024 8k; - - proxy_pass http://_<%= @parity_service %>; - proxy_http_version 1.1; - } - - <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> - ssl_certificate <%= @ssl_cert %>; - ssl_certificate_key <%= @ssl_key %>; - <% end -%> -} diff --git a/site-cookbooks/kosmos-parity/templates/default/parity.systemd.service.erb b/site-cookbooks/kosmos-parity/templates/default/parity.systemd.service.erb deleted file mode 100644 index 0700f45..0000000 --- a/site-cookbooks/kosmos-parity/templates/default/parity.systemd.service.erb +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=Parity Daemon (<%= @environment %>) -After=network.target - -[Service] -ExecStart=/usr/bin/parity --config <%= @config_file %> --no-discovery $ARGS -User=parity -Group=parity - -[Install] -WantedBy=default.target diff --git a/site-cookbooks/kosmos_discourse/metadata.rb b/site-cookbooks/kosmos_discourse/metadata.rb index 1a3b1c6..4d026ad 100644 --- a/site-cookbooks/kosmos_discourse/metadata.rb +++ b/site-cookbooks/kosmos_discourse/metadata.rb 
@@ -2,10 +2,11 @@ name 'kosmos_discourse' maintainer 'Kosmos Developers' maintainer_email 'mail@kosmos.org' license 'MIT' -description 'Installs/Configures discourse' -long_description 'Installs/Configures discourse' -version '0.1.0' +description 'Installs/configures Discourse' +long_description 'Installs/configures Discourse' +version '0.2.0' chef_version '>= 14.0' depends 'discourse' depends 'firewall' +depends 'kosmos_openresty' diff --git a/site-cookbooks/kosmos_discourse/recipes/nginx.rb b/site-cookbooks/kosmos_discourse/recipes/nginx.rb index 081f1fb..b43edce 100644 --- a/site-cookbooks/kosmos_discourse/recipes/nginx.rb +++ b/site-cookbooks/kosmos_discourse/recipes/nginx.rb @@ -3,4 +3,30 @@ # Recipe:: nginx # -include_recipe "discourse::nginx" +domain = node['discourse']['domain'] +discourse_role = node['discourse']['role'] + +upstream_ip_addresses = [] +search(:node, "role:#{discourse_role}").each do |n| + upstream_ip_addresses << n["knife_zero"]["host"] +end +# No Discourse host, stop here +if upstream_ip_addresses.empty? + Chef::Log.warn("No server with '#{discourse_role}' role. Stopping here.") + return +end + +tls_cert_for domain do + auth "gandi_dns" + action :create +end + +openresty_site domain do + template "nginx_conf.erb" + variables server_name: domain, + ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", + upstream_port: node['discourse']['port'], + upstream_name: discourse_role, + upstream_ip_addresses: upstream_ip_addresses +end diff --git a/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb b/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb index db939fd..9b328d6 100644 --- a/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb +++ b/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb 
@@ -8,7 +8,7 @@ upstream _discourse { <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> server { server_name <%= @server_name %>; - listen 443 ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 ssl http2; ssl_certificate <%= @ssl_cert %>; diff --git a/site-cookbooks/kosmos_drone/metadata.rb b/site-cookbooks/kosmos_drone/metadata.rb index e0ef895..648f5da 100644 --- a/site-cookbooks/kosmos_drone/metadata.rb +++ b/site-cookbooks/kosmos_drone/metadata.rb @@ -8,5 +8,5 @@ version '0.1.0' chef_version '>= 14.0' depends "firewall" -depends "kosmos-nginx" depends "kosmos_gitea" +depends "kosmos_openresty" diff --git a/site-cookbooks/kosmos_drone/recipes/nginx.rb b/site-cookbooks/kosmos_drone/recipes/nginx.rb index fffe902..4c4b564 100644 --- a/site-cookbooks/kosmos_drone/recipes/nginx.rb +++ b/site-cookbooks/kosmos_drone/recipes/nginx.rb @@ -12,21 +12,16 @@ end # No Discourse host, stop here return if upstream_ip_addresses.empty? -nginx_certbot_site domain +tls_cert_for domain do + auth "gandi_dns" + action :create +end -template "#{node['nginx']['dir']}/sites-available/#{domain}" do - source "nginx_conf.erb" - owner 'www-data' - mode 0640 +openresty_site domain do + template "nginx_conf.erb" variables server_name: domain, upstream_ip_addresses: upstream_ip_addresses, upstream_port: node["kosmos_drone"]["upstream_port"], ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem" - - notifies :reload, 'service[nginx]', :delayed -end - -nginx_site domain do - action :enable end diff --git a/site-cookbooks/kosmos_drone/templates/nginx_conf.erb b/site-cookbooks/kosmos_drone/templates/nginx_conf.erb index f9e1dfa..3c9c741 100644 --- a/site-cookbooks/kosmos_drone/templates/nginx_conf.erb +++ b/site-cookbooks/kosmos_drone/templates/nginx_conf.erb 
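Review bot: The new `listen` line pins the IPv4 listener to `node['openresty']['listen_ip']`, but the `listen [::]:443 ssl http2;` directly below it still binds the wildcard IPv6 address, so on a multi-homed host the site stays reachable on every IPv6 address even though the IPv4 side was narrowed. If `listen_ip` exists to keep the proxy off addresses owned by other services, the IPv6 listener needs a matching attribute rendered the same way (a new one such as `listen_ip6`, constructed name) or should be omitted when `listen_ip` is set. The identical ERB expression is copied into the kosmos_drone, kosmos_garage, kosmos_gitea, kosmos_rsk, kosmos_website and remotestorage_discourse templates (L45, L46, L49, L51, L53, L55); computing a `listen_prefix` variable once in the recipe and passing it through `variables` would remove seven copies. The `server {` block continues past the end of this hunk.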
@@ -1,4 +1,3 @@ -<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> # Generated by Chef upstream _drone { <% @upstream_ip_addresses.each do |upstream_ip_address| -%> @@ -8,7 +7,7 @@ upstream _drone { server { server_name <%= @server_name %>; - listen 443 ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 ssl http2; ssl_certificate <%= @ssl_cert %>; @@ -33,4 +32,3 @@ server { proxy_http_version 1.1; } } -<% end -%> diff --git a/site-cookbooks/kosmos_garage/metadata.rb b/site-cookbooks/kosmos_garage/metadata.rb index f1fde81..90a1ddb 100644 --- a/site-cookbooks/kosmos_garage/metadata.rb +++ b/site-cookbooks/kosmos_garage/metadata.rb @@ -9,3 +9,4 @@ issues_url 'https://gitea.kosmos.org/kosmos/chef/issues' source_url 'https://gitea.kosmos.org/kosmos/chef' depends 'firewall' +depends 'kosmos_openresty' diff --git a/site-cookbooks/kosmos_garage/recipes/nginx_web.rb b/site-cookbooks/kosmos_garage/recipes/nginx_web.rb index 9da8ab9..ed8884c 100644 --- a/site-cookbooks/kosmos_garage/recipes/nginx_web.rb +++ b/site-cookbooks/kosmos_garage/recipes/nginx_web.rb @@ -3,15 +3,14 @@ # Recipe:: nginx_web # -include_recipe "kosmos-nginx" - -file "/etc/nginx/conf.d/garage.conf" do +file "#{node['openresty']['dir']}/conf.d/garage.conf" do content <<-EOF upstream garage_web { server localhost:3902; } -proxy_cache_path /var/cache/nginx/garage levels=1:2 keys_zone=garage_cache:10m +proxy_cache_path #{node['openresty']['cache_dir']}/garage + levels=1:2 keys_zone=garage_cache:10m max_size=1g inactive=60m use_temp_path=off; EOF end 
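Review bot: The `file` resource writing `garage.conf` carries no `notifies :reload`, so after this change moves the file under `node['openresty']['dir']` an edited `garage.conf` is only applied when some other resource happens to reload the server; add `notifies :reload, 'service[<openresty service resource>]', :delayed` using whatever name the openresty cookbook declares (not visible here). The new `proxy_cache_path #{node['openresty']['cache_dir']}/garage` requires `cache_dir` to exist and be writable by the worker user before startup; presumably the openresty cookbook creates it, but it is worth confirming since a missing parent makes the config fail to load. Also the heredoc is `<<-EOF`, so the indentation of the continued `levels=1:2 ...` line is written into the config verbatim; `<<~EOF` would strip it.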
@@ -19,19 +18,15 @@ end domains = node['garage']['s3_web_domains'] domains.each do |server_name| - nginx_certbot_site server_name - - template "#{node['nginx']['dir']}/sites-available/#{server_name}" do - source 'nginx_conf_web.erb' - owner 'www-data' - mode 0640 - variables server_name: server_name, - ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem", - ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem" - notifies :reload, 'service[nginx]', :delayed + tls_cert_for server_name do + auth "gandi_dns" + action :create end - nginx_site server_name do - action :enable + openresty_site server_name do + template "nginx_conf_web.erb" + variables server_name: server_name, + ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem" end end diff --git a/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb b/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb index c925887..49e219c 100644 --- a/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb +++ b/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb @@ -1,5 +1,5 @@ server { - listen 443 http2 ssl; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 http2 ssl; server_name <%= @server_name %>; diff --git a/site-cookbooks/kosmos_gitea/metadata.rb b/site-cookbooks/kosmos_gitea/metadata.rb index 95cd94a..f842b03 100644 --- a/site-cookbooks/kosmos_gitea/metadata.rb +++ b/site-cookbooks/kosmos_gitea/metadata.rb 
@@ -2,25 +2,13 @@ name 'kosmos_gitea' maintainer 'Kosmos Developers' maintainer_email 'ops@kosmos.org' license 'MIT' -description 'Installs/Configures kosmos_gitea' -long_description 'Installs/Configures kosmos_gitea' -version '0.1.0' +description 'Installs/configures Gitea' +long_description 'Installs/configures Gitea' +version '0.2.0' chef_version '>= 14.0' -# The `issues_url` points to the location where issues for this cookbook are -# tracked. A `View Issues` link will be displayed on this cookbook's page when -# uploaded to a Supermarket. -# -# issues_url 'https://github.com//kosmos_gitea/issues' - -# The `source_url` points to the development repository for this cookbook. A -# `View Source` link will be displayed on this cookbook's page when uploaded to -# a Supermarket. -# -# source_url 'https://github.com//kosmos_gitea' - depends "firewall" -depends "kosmos-nginx" +depends "kosmos_openresty" depends "kosmos_postgresql" depends "backup" depends "kosmos-dirsrv" diff --git a/site-cookbooks/kosmos_gitea/recipes/nginx.rb b/site-cookbooks/kosmos_gitea/recipes/nginx.rb index 1af4c5a..243e9f9 100644 --- a/site-cookbooks/kosmos_gitea/recipes/nginx.rb +++ b/site-cookbooks/kosmos_gitea/recipes/nginx.rb @@ -3,14 +3,8 @@ # Recipe:: nginx # -include_recipe "kosmos-nginx" - domain = node["gitea"]["domain"] -# upstream_ip_addresses = [] -# search(:node, "role:gitea").each do |n| -# upstream_ip_addresses << n["knife_zero"]["host"] -# end begin upstream_ip_address = search(:node, "role:gitea").first["knife_zero"]["host"] rescue 
@@ -18,35 +12,16 @@ rescue return end -nginx_certbot_site domain +tls_cert_for domain do + auth "gandi_dns" + action :create +end -template "#{node['nginx']['dir']}/sites-available/#{domain}" do - source "nginx_conf_web.erb" - owner 'www-data' - mode 0640 +openresty_site domain do + template "nginx_conf_web.erb" variables server_name: domain, ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", upstream_host: upstream_ip_address, upstream_port: node["gitea"]["port"] - - notifies :reload, 'service[nginx]', :delayed -end - -nginx_site domain do - action :enable -end - -template "#{node['nginx']['dir']}/streams-available/ssh" do - source "nginx_conf_ssh.erb" - owner 'www-data' - mode 0640 - variables domain: domain, - upstream_host: upstream_ip_address - - notifies :reload, 'service[nginx]', :delayed -end - -nginx_stream "ssh" do - action :enable end diff --git a/site-cookbooks/kosmos_gitea/recipes/nginx_ssh.rb b/site-cookbooks/kosmos_gitea/recipes/nginx_ssh.rb new file mode 100644 index 0000000..cdc3f5d --- /dev/null +++ b/site-cookbooks/kosmos_gitea/recipes/nginx_ssh.rb @@ -0,0 +1,17 @@ +# +# Cookbook:: kosmos_gitea +# Recipe:: nginx_ssh +# + +begin + upstream_ip_address = search(:node, "role:gitea").first["knife_zero"]["host"] +rescue + Chef::Log.warn('No server with "gitea" role. Stopping here.') + return +end + +openresty_stream "ssh" do + template "nginx_conf_ssh.erb" + variables upstream_host: upstream_ip_address + action :enable +end diff --git a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb index 085f7ff..9a84533 100644 --- a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb +++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb 
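Review bot: The bare `rescue` in the new nginx_ssh.rb (and the identical block in nginx.rb, hunk on L47) treats every `StandardError` as "no gitea server" — a Chef server or search failure is logged as a missing role and the recipe silently stops, leaving a stale or absent SSH stream config. The only failure the code actually intends to handle is `search(...).first` returning `nil`, which is better expressed with safe navigation and an explicit nil check, so real errors still surface. The search-and-warn preamble would then be shared between the two recipes rather than duplicated.
```ruby
upstream_ip_address = search(:node, "role:gitea").first&.read("knife_zero", "host")
if upstream_ip_address.nil?
  Chef::Log.warn('No server with "gitea" role. Stopping here.')
  return
end
# … unchanged: openresty_stream "ssh" …
```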
@@ -3,6 +3,6 @@ upstream _gitea_ssh { } server { - listen 148.251.83.201:22; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>22; proxy_pass _gitea_ssh; } diff --git a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb index f8b6b22..f682191 100644 --- a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb +++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb @@ -4,23 +4,17 @@ upstream _gitea_web { } server { -<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> - listen 443 ssl http2; - listen [::]:443 ssl http2; server_name <%= @server_name %>; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; + listen [::]:443 ssl http2; ssl_certificate <%= @ssl_cert %>; ssl_certificate_key <%= @ssl_key %>; - add_header Strict-Transport-Security "max-age=31536000"; -<% else -%> - listen 80; - server_name <%= @server_name %>; + access_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.access.log; + error_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.error.log warn; - location /.well-known { - root "/var/www/<%= @server_name %>"; - } -<% end -%> + add_header Strict-Transport-Security "max-age=31536000"; client_max_body_size 20M; diff --git a/site-cookbooks/kosmos_openresty/recipes/default.rb b/site-cookbooks/kosmos_openresty/recipes/default.rb index d2f6f03..2833b07 100644 --- a/site-cookbooks/kosmos_openresty/recipes/default.rb +++ b/site-cookbooks/kosmos_openresty/recipes/default.rb 
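Review bot: With `node['openresty']['listen_ip']` unset the new line renders `listen 22;`, so the Gitea SSH proxy binds port 22 on every address of the proxy host, where it either collides with the host's own sshd or quietly takes over addresses that were never meant to carry Git SSH; the old line was pinned to a single address. There is no safe default for this stream, so fail the run instead of falling back: `<% raise "openresty.listen_ip must be set for the gitea ssh stream" unless node['openresty']['listen_ip'] -%>` before the `server {` block, or pass the address in from the recipe as a required variable. The same silent wildcard fallback exists for the `:443` listeners in the other templates, but there binding all addresses is the conventional default.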
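Review bot: Dropping the `listen 80;` branch together with the `/.well-known` location means plain-HTTP requests for the Gitea domain no longer reach this vhost at all; unless the openresty base config provides a catch-all port-80 redirect (not visible here), a user typing the bare hostname gets a connection refused rather than a redirect to HTTPS, and the `Strict-Transport-Security` header is never delivered on a first visit. A minimal `server { listen 80; server_name <%= @server_name %>; return 301 https://$host$request_uri; }` block restores that. The `server {` block continues past the end of this hunk.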
@@ -3,5 +3,7 @@ # Recipe:: default # +node.normal['openresty']['log_formats']['json'] = '{"ip":"$remote_addr","time":"$time_local","host":"$host","method":"$request_method","uri":"$uri","status":$status,"size":$body_bytes_sent,"referer":"$http_referer","upstream_addr":"$upstream_addr","upstream_response_time":"$upstream_response_time","ua":"$http_user_agent"}' + # Install openresty from official packages include_recipe 'openresty::apt_package' diff --git a/site-cookbooks/kosmos_rsk/metadata.rb b/site-cookbooks/kosmos_rsk/metadata.rb index 6f0c24a..e4eebd3 100644 --- a/site-cookbooks/kosmos_rsk/metadata.rb +++ b/site-cookbooks/kosmos_rsk/metadata.rb @@ -9,4 +9,4 @@ issues_url 'https://gitea.kosmos.org/kosmos/chef/issues' source_url 'https://gitea.kosmos.org/kosmos/chef' depends 'firewall' -depends 'kosmos-nginx' +depends 'kosmos_openresty' diff --git a/site-cookbooks/kosmos_rsk/resources/nginx_site.rb b/site-cookbooks/kosmos_rsk/resources/nginx_site.rb index 2230655..c1f0026 100644 --- a/site-cookbooks/kosmos_rsk/resources/nginx_site.rb +++ b/site-cookbooks/kosmos_rsk/resources/nginx_site.rb 
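Review bot: The `json` log format interpolates `$http_referer` and `$http_user_agent` straight into JSON string literals, so a client sending a `"` or a backslash in either header produces a malformed log line or injects extra fields into it, which is a problem for anything that parses these logs. nginx's `log_format` accepts `escape=json` (available since 1.11.8, which OpenResty bundles) to escape exactly these values; how the openresty cookbook renders `log_formats` is not visible here, so confirm the generated `log_format json` directive can carry that parameter before relying on the output. Separately, `node.normal` in a recipe writes the value into the node's saved attributes, where it persists across runs and outlives removal of this line; `node.default` in `attributes/default.rb` is the usual home for a cookbook-supplied default.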
@@ -5,33 +5,27 @@ property :network, String, required: true, name_property: true property :domain, String, required: true action :create do - include_recipe "kosmos-nginx" - network = new_resource.network domain = new_resource.domain - nginx_certbot_site domain - upstream_hosts = [] search(:node, "role:rskj_#{network}").each do |node| upstream_hosts << node["knife_zero"]["host"] end upstream_hosts.push("localhost") if upstream_hosts.empty? - template "#{node['nginx']['dir']}/sites-available/#{domain}" do - source "nginx_conf_rskj.erb" - owner 'www-data' - mode 0640 + tls_cert_for domain do + auth "gandi_dns" + action :create + end + + openresty_site domain do + template "nginx_conf_rskj.erb" variables domain: domain, upstream_name: "rskj_#{network}", upstream_hosts: upstream_hosts, upstream_port: "4444", ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem" - notifies :reload, 'service[nginx]', :delayed - end - - nginx_site domain do - action :enable end end diff --git a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb index 9831d8b..659d674 100644 --- a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb +++ b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb @@ -5,15 +5,15 @@ upstream _<%= @upstream_name %> { } server { - listen 443 ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 ssl http2; server_name <%= @domain %>; add_header Strict-Transport-Security "max-age=15768000"; - access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json; - error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn; + access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log json; + error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn; location / { if ($request_method = 'OPTIONS') { 
diff --git a/site-cookbooks/kosmos_website/metadata.rb b/site-cookbooks/kosmos_website/metadata.rb index bf45804..8c96a5d 100644 --- a/site-cookbooks/kosmos_website/metadata.rb +++ b/site-cookbooks/kosmos_website/metadata.rb @@ -7,5 +7,5 @@ long_description 'Configures the main kosmos.org website' version '1.0.0' chef_version '>= 15.10' if respond_to?(:chef_version) -depends "kosmos-nginx" depends 'git' +depends "kosmos_openresty" diff --git a/site-cookbooks/kosmos_website/recipes/default.rb b/site-cookbooks/kosmos_website/recipes/default.rb index d90cd94..b8374c6 100644 --- a/site-cookbooks/kosmos_website/recipes/default.rb +++ b/site-cookbooks/kosmos_website/recipes/default.rb @@ -3,37 +3,26 @@ # Recipe:: default # -include_recipe "kosmos-nginx" include_recipe "git" domain = node["kosmos_website"]["domain"] -nginx_certbot_site domain - -directory "/var/www/#{domain}/site" do - user node["nginx"]["user"] - group node["nginx"]["group"] - mode "0755" +tls_cert_for domain do + auth "gandi_dns" + action :create end -git "/var/www/#{domain}/site" do - user node["nginx"]["user"] - group node["nginx"]["group"] +git "/var/www/#{domain}" do + user node["openresty"]["user"] + group node["openresty"]["group"] repository node["kosmos_website"]["repo"] revision node["kosmos_website"]["revision"] action :sync end -template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do - source "nginx_conf_website.erb" - owner node["nginx"]["user"] - mode 0640 +openresty_site domain do + template "nginx_conf_website.erb" variables domain: domain, ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem" - notifies :reload, "service[nginx]", :delayed -end - -nginx_site domain do - action :enable end diff --git a/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb b/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb index 1ac08bf..3432221 100644 
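Review bot: The `git` checkout at `/var/www/#{domain}` now runs as `node["openresty"]["user"]` and `group`, which leaves the whole document root and its `.git` metadata owned and writable by what is presumably the account the web server workers run as; a compromised worker could then rewrite the served site or the repository. Prefer checking out as root (or a dedicated deploy user) with `user "root"` and giving the openresty user read access only, e.g. a `directory` resource with `mode "0755"` on the checkout as the removed resource did. Serving from `/var/www/<domain>/public` (L53) keeps `.git` outside the served tree, which is good; this note is only about who may write to it.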
--- a/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb +++ b/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb @@ -1,14 +1,15 @@ -<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> # Generated by Chef server { - listen 443 ssl http2; - listen [::]:443 ssl http2; server_name <%= @domain %>; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; + listen [::]:443 ssl http2; - root /var/www/<%= @domain %>/site/public; + root /var/www/<%= @domain %>/public; + + access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log; + error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn; - access_log off; gzip_static on; gzip_comp_level 5; @@ -29,4 +30,3 @@ server { proxy_pass https://accounts.kosmos.org; } } -<% end -%> diff --git a/site-cookbooks/openresty b/site-cookbooks/openresty index 867046c..bc916b9 160000 --- a/site-cookbooks/openresty +++ b/site-cookbooks/openresty @@ -1 +1 @@ -Subproject commit 867046cbd1e120f7b2cb842114dcc725cdf0c2b2 +Subproject commit bc916b981cecbbc65dc220ecaa9e878a22d8f6fa diff --git a/site-cookbooks/remotestorage_discourse/attributes/default.rb b/site-cookbooks/remotestorage_discourse/attributes/default.rb index 59beba8..e69de29 100644 --- a/site-cookbooks/remotestorage_discourse/attributes/default.rb +++ b/site-cookbooks/remotestorage_discourse/attributes/default.rb @@ -1,2 +0,0 @@ -node.override['discourse']['domain'] = "community.remotestorage.io" -node.override['discourse']['role'] = "remotestorage_discourse" diff --git a/site-cookbooks/remotestorage_discourse/metadata.rb b/site-cookbooks/remotestorage_discourse/metadata.rb index f0de442..42f41e6 100644 --- a/site-cookbooks/remotestorage_discourse/metadata.rb +++ b/site-cookbooks/remotestorage_discourse/metadata.rb 
@@ -2,9 +2,11 @@ name 'remotestorage_discourse' maintainer 'Kosmos Developers' maintainer_email 'mail@kosmos.org' license 'MIT' -description 'Installs/Configures discourse' -long_description 'Installs/Configures discourse' -version '0.1.0' +description 'Installs/configures Discourse' +long_description 'Installs/configures Discourse' +version '0.2.0' chef_version '>= 14.0' depends 'discourse' +depends 'firewall' +depends 'kosmos_openresty' diff --git a/site-cookbooks/remotestorage_discourse/recipes/nginx.rb b/site-cookbooks/remotestorage_discourse/recipes/nginx.rb index 937a70e..ac3f842 100644 --- a/site-cookbooks/remotestorage_discourse/recipes/nginx.rb +++ b/site-cookbooks/remotestorage_discourse/recipes/nginx.rb @@ -3,4 +3,30 @@ # Recipe:: nginx # -include_recipe "discourse::nginx" +domain = "community.remotestorage.io" +discourse_role = "remotestorage_discourse" + +upstream_ip_addresses = [] +search(:node, "role:#{discourse_role}").each do |n| + upstream_ip_addresses << n["knife_zero"]["host"] +end +# No Discourse host, stop here +if upstream_ip_addresses.empty? + Chef::Log.warn("No server with '#{discourse_role}' role. Stopping here.") + return +end + +tls_cert_for domain do + auth "gandi_dns" + action :create +end + +openresty_site domain do + template "nginx_conf.erb" + variables server_name: domain, + ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", + upstream_port: node['discourse']['port'], + upstream_name: discourse_role, + upstream_ip_addresses: upstream_ip_addresses +end diff --git a/site-cookbooks/remotestorage_discourse/templates/nginx_conf.erb b/site-cookbooks/remotestorage_discourse/templates/nginx_conf.erb index 9db6621..7e2618c 100644 --- a/site-cookbooks/remotestorage_discourse/templates/nginx_conf.erb +++ b/site-cookbooks/remotestorage_discourse/templates/nginx_conf.erb 
@@ -1,14 +1,13 @@ # Generated by Chef -upstream _discourse { +upstream _rs_discourse { <% @upstream_ip_addresses.each do |upstream_ip_address| -%> server <%= upstream_ip_address %>:<%= @upstream_port %>; <% end -%> } -<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> server { server_name <%= @server_name %>; - listen 443 ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 ssl http2; ssl_certificate <%= @ssl_cert %>; @@ -28,8 +27,7 @@ server { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://_discourse; + proxy_pass http://_rs_discourse; proxy_http_version 1.1; } } -<% end -%> diff --git a/site-cookbooks/tor-full/recipes/default.rb b/site-cookbooks/tor-full/recipes/default.rb index c8e7110..a16d021 100644 --- a/site-cookbooks/tor-full/recipes/default.rb +++ b/site-cookbooks/tor-full/recipes/default.rb @@ -85,7 +85,7 @@ ruby_block "read-hostnames" do block do # Set generated hostname for hidden services node['tor']['HiddenServices'].each do |name, service| - path = File.join(service['HiddenServiceDir'], "/hostname") + path = "/var/lib/tor/#{name}/hostname" node.normal['tor']['HiddenServices'][name]['hostname'] = File.read(path).strip() end end @@ -96,10 +96,6 @@ template '/etc/tor/torrc' do source 'torrc.erb' notifies :restart, 'service[tor]', :immediately notifies :run, "ruby_block[read-hostnames]" - # Set default HiddenServiceDir - node['tor']['HiddenServices'].each do |name, service| - node.default['tor']['HiddenServices'][name]['HiddenServiceDir'] = File.join("/var/lib/tor/", name, "/") - end end # Install exit policy notice diff --git a/site-cookbooks/tor-full/templates/default/torrc.erb b/site-cookbooks/tor-full/templates/default/torrc.erb index ca07818..1a7c033 100644 --- a/site-cookbooks/tor-full/templates/default/torrc.erb +++ b/site-cookbooks/tor-full/templates/default/torrc.erb 
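Review bot: `path = "/var/lib/tor/#{name}/hostname"` hard-codes the Tor data directory even though torrc.erb renders `DataDirectory <%= node['tor']['DataDirectory'] %>`, so a node that sets `DataDirectory` elsewhere would have its hidden services written under one tree and their hostnames read from another; derive it from the attribute with `path = File.join(node['tor']['DataDirectory'], name, 'hostname')`, and render `HiddenServiceDir <%= File.join(node['tor']['DataDirectory'], name) %>/` in torrc.erb, where the same hard-coding appears in the hunk on L56. `File.read(path)` in the `read-hostnames` block also assumes tor has already generated the hostname file by the time the block runs after the `:immediately` restart; a `File.exist?` guard or a short retry would avoid a failed run on a freshly added service (inferred from the notifies ordering, which is only partly visible). The `ruby_block` starts before this hunk.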
@@ -88,7 +88,7 @@ DataDirectory <%= node['tor']['DataDirectory'] %> #HiddenServicePort 22 127.0.0.1:22 <% node['tor']['HiddenServices'].each do |name, service| -%> -HiddenServiceDir <%= service['HiddenServiceDir'] %> +HiddenServiceDir /var/lib/tor/<%= name %>/ <% service['HiddenServicePorts'].each do |port| -%> HiddenServicePort <%= port %> <% end -%>