From 4b08e4fc8ca3cdbed7bbc2b6d796382de270942b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 26 Jul 2023 11:50:24 +0200 Subject: [PATCH 01/30] Add JSON log format to openresty --- nodes/draco.kosmos.org.json | 26 ++++++++++++------- .../kosmos_openresty/recipes/default.rb | 2 ++ 2 files changed, 18 insertions(+), 10 deletions(-) diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index 0a933ae..b160e79 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json @@ -11,7 +11,10 @@ } }, "openresty": { - "listen_ip": "148.251.237.111" + "listen_ip": "148.251.237.111", + "log_formats": { + "json": "{\"ip\":\"$remote_addr\",\"time\":\"$time_local\",\"host\":\"$host\",\"method\":\"$request_method\",\"uri\":\"$uri\",\"status\":$status,\"size\":$body_bytes_sent,\"referer\":\"$http_referer\",\"upstream_addr\":\"$upstream_addr\",\"upstream_response_time\":\"$upstream_response_time\",\"ua\":\"$http_user_agent\"}" + } } }, "automatic": { @@ -21,24 +24,27 @@ "hostname": "draco", "ipaddress": "148.251.237.73", "roles": [ + "base", + "kvm_host", "openresty_proxy", "openresty" ], "recipes": [ "kosmos-base", "kosmos-base::default", - "kosmos_encfs", - "kosmos_encfs::default", "kosmos_kvm::host", "kosmos_kvm::backup", - "kosmos-ejabberd::firewall", - "kosmos-ipfs::firewall_swarm", - "kosmos-bitcoin::firewall", - "kosmos_zerotier::firewall", "kosmos_openresty", "kosmos_openresty::default", "kosmos_openresty::firewall", "kosmos_assets::nginx_site", + "kosmos-akkounts::nginx", + "kosmos_encfs", + "kosmos_encfs::default", + "kosmos-ejabberd::firewall", + "kosmos-ipfs::firewall_swarm", + "kosmos-bitcoin::firewall", + "kosmos_zerotier::firewall", "sockethub::firewall", "apt::default", "timezone_iii::default", @@ -54,7 +60,6 @@ "postfix::_attributes", "postfix::sasl_auth", "hostname::default", - "firewall::default", "openresty::apt_package", "openresty::ohai_plugin", "openresty::commons_user", 
@@ -65,7 +70,8 @@ "openresty::luarocks", "git::default", "git::package", - "kosmos-base::letsencrypt" + "kosmos-base::letsencrypt", + "firewall::default" ], "platform": "ubuntu", "platform_version": "20.04", @@ -85,12 +91,12 @@ "run_list": [ "role[base]", "role[kvm_host]", + "role[openresty_proxy]", "recipe[kosmos_encfs]", "recipe[kosmos-ejabberd::firewall]", "recipe[kosmos-ipfs::firewall_swarm]", "recipe[kosmos-bitcoin::firewall]", "recipe[kosmos_zerotier::firewall]", - "role[openresty_proxy]", "recipe[sockethub::firewall]" ] } diff --git a/site-cookbooks/kosmos_openresty/recipes/default.rb b/site-cookbooks/kosmos_openresty/recipes/default.rb index d2f6f03..2833b07 100644 --- a/site-cookbooks/kosmos_openresty/recipes/default.rb +++ b/site-cookbooks/kosmos_openresty/recipes/default.rb @@ -3,5 +3,7 @@ # Recipe:: default # +node.normal['openresty']['log_formats']['json'] = '{"ip":"$remote_addr","time":"$time_local","host":"$host","method":"$request_method","uri":"$uri","status":$status,"size":$body_bytes_sent,"referer":"$http_referer","upstream_addr":"$upstream_addr","upstream_response_time":"$upstream_response_time","ua":"$http_user_agent"}' + # Install openresty from official packages include_recipe 'openresty::apt_package' -- 2.25.1 From 77c97607d5e8b561e6d6847830e901b16cf7be0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 26 Jul 2023 12:04:09 +0200 Subject: [PATCH 02/30] Update openresty cookbook --- site-cookbooks/openresty | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/openresty b/site-cookbooks/openresty index 867046c..b31d6b0 160000 --- a/site-cookbooks/openresty +++ b/site-cookbooks/openresty @@ -1 +1 @@ -Subproject commit 867046cbd1e120f7b2cb842114dcc725cdf0c2b2 +Subproject commit b31d6b0b01f74179fd035c2dfcc0222f6c0c45c3 -- 2.25.1 From 4b0b4b8d8016ae106f9271e93e7967d8f9466339 Mon Sep 17 00:00:00 2001 
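Review bot: The JSON `log_format` assigned via `node.normal['openresty']['log_formats']['json']` interpolates request-controlled fields (`$uri`, `$http_referer`, `$http_user_agent`) without nginx's `escape=json` mode, so a quote or backslash in a header is written as a `\x22`-style sequence, which is not valid JSON and lets a single request break or skew whatever consumes the access log. If the openresty cookbook's `log_formats` attribute can carry the `escape=json` parameter, set it there; otherwise leave a comment such as `# NOTE: nginx does not JSON-escape these values; parse this log leniently` until it can. Assigning with `node.normal` also persists the string into the saved node object (it already appears in nodes/draco.kosmos.org.json in this same patch) and outlives removal of the recipe; `node.default` or `node.override` would keep it recipe-owned. The same string is introduced in the first hunk of nodes/draco.kosmos.org.json.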
From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 26 Jul 2023 12:04:36 +0200 Subject: [PATCH 03/30] Migrate akkounts proxy to openresty --- roles/openresty_proxy.rb | 1 + site-cookbooks/kosmos-akkounts/metadata.rb | 2 +- .../kosmos-akkounts/recipes/nginx.rb | 21 +++++++------------ .../templates/nginx_conf_akkounts.erb | 2 +- 4 files changed, 11 insertions(+), 15 deletions(-) diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb index 64ebad6..c66657d 100644 --- a/roles/openresty_proxy.rb +++ b/roles/openresty_proxy.rb @@ -45,6 +45,7 @@ default_run_list = %w( production_run_list = %w( role[openresty] kosmos_assets::nginx_site + kosmos-akkounts::nginx ) env_run_lists( diff --git a/site-cookbooks/kosmos-akkounts/metadata.rb b/site-cookbooks/kosmos-akkounts/metadata.rb index 6ae1ac6..7accd9c 100644 --- a/site-cookbooks/kosmos-akkounts/metadata.rb +++ b/site-cookbooks/kosmos-akkounts/metadata.rb @@ -7,7 +7,7 @@ long_description 'Installs/configures kosmos-akkounts' version '0.2.0' chef_version '>= 18.0' -depends 'kosmos-nginx' +depends 'kosmos_openresty' depends "kosmos-nodejs" depends "redisio" depends "postgresql" diff --git a/site-cookbooks/kosmos-akkounts/recipes/nginx.rb b/site-cookbooks/kosmos-akkounts/recipes/nginx.rb index 6ae1bfc..b2ca8ba 100644 --- a/site-cookbooks/kosmos-akkounts/recipes/nginx.rb +++ b/site-cookbooks/kosmos-akkounts/recipes/nginx.rb @@ -3,11 +3,13 @@ # Recipe:: nginx # -include_recipe "kosmos-nginx" -app_name = "akkounts" -domain = node[app_name]["domain"] +app_name = "akkounts" +domain = node[app_name]["domain"] -nginx_certbot_site domain +tls_cert_for domain do + auth "gandi_dns" + action :create +end upstream_hosts = [] search(:node, "role:akkounts").each do |node| 
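Review bot: The new `tls_cert_for domain do auth "gandi_dns"; action :create; end` block is followed (next hunk) by hard-coded `ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem"` and `privkey.pem` paths, so the recipe assumes where that resource writes the certificate with nothing tying the two together; if the resource is ever pointed at a different ACME client or live directory, the vhost would reference missing files and the config test would fail for the whole proxy. Consider having `tls_cert_for` (or a `kosmos_openresty` helper) expose the paths and reading them here instead of spelling them out. The identical three-line block and path pair is repeated verbatim in kosmos_discourse::nginx, kosmos_drone::nginx, the kosmos_rsk nginx_site resource, kosmos_website::default, kosmos_gitea::nginx and kosmos-akkounts::nginx_api in later patches of this series, so one shared wrapper would also stop the `auth` setting drifting between them. The recipe body continues in the following hunks.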
@@ -15,10 +17,8 @@ search(:node, "role:akkounts").each do |node| end upstream_hosts.push("localhost") if upstream_hosts.empty? -template "#{node['nginx']['dir']}/sites-available/#{domain}" do - source "nginx_conf_#{app_name}.erb" - owner 'www-data' - mode 0640 +openresty_site domain do + template "nginx_conf_#{app_name}.erb" variables port: node[app_name]['port'], domain: domain, upstream_port: node["akkounts"]["port"], @@ -26,9 +26,4 @@ template "#{node['nginx']['dir']}/sites-available/#{domain}" do root_dir: "/opt/#{app_name}/public", ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem" - notifies :reload, 'service[nginx]', :delayed -end - -nginx_site domain do - action :enable end diff --git a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb index d8e2552..2049a0f 100644 --- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb +++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb @@ -10,7 +10,7 @@ proxy_cache_path /var/cache/nginx/akkounts levels=1:2 max_size=1g inactive=120m use_temp_path=off; server { - listen 443 ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 ssl http2; server_name <%= @domain %>; -- 2.25.1 From 87657db8a781a717881d7472ea069dc1a86f3c6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 26 Jul 2023 13:39:07 +0200 Subject: [PATCH 04/30] Update openresty cookbook --- site-cookbooks/openresty | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/openresty b/site-cookbooks/openresty index b31d6b0..7b13a95 160000 --- a/site-cookbooks/openresty +++ b/site-cookbooks/openresty @@ -1 +1 @@ -Subproject commit b31d6b0b01f74179fd035c2dfcc0222f6c0c45c3 +Subproject commit 7b13a950f9f4ca1e3be015542e13126dd68bbcc0 -- 2.25.1 
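Review bot: The new `listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;` pins only the IPv4 socket to `listen_ip`, while the next line's `listen [::]:443 ssl http2;` stays a wildcard IPv6 bind; on a host that is given a dedicated address precisely because another listener owns the rest (draco's node file sets `listen_ip` to `148.251.237.111` while the node's `ipaddress` is `148.251.237.73`), the unconditional `[::]:443` can still collide with that other listener or serve the site on every v6 address. Either guard the v6 line the same way with a matching attribute, or drop it when `listen_ip` is set, and state the choice in a comment above the two lines. The same pair of lines is introduced in the templates of kosmos_discourse, kosmos_drone, kosmos_rsk, kosmos_website, kosmos_gitea and the kosmos-akkounts API in the later patches, so whichever fix is chosen applies to each. Whether a second listener is actually bound on draco is not visible here.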
From 543b482adbef55324466696a75ecd0d5dad122a9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 26 Jul 2023 13:40:03 +0200 Subject: [PATCH 05/30] Migrate discourse proxy to openresty --- nodes/draco.kosmos.org.json | 3 +- roles/openresty_proxy.rb | 3 +- site-cookbooks/discourse/metadata.rb | 1 - site-cookbooks/discourse/recipes/nginx.rb | 39 ------------------- site-cookbooks/kosmos_discourse/metadata.rb | 7 ++-- .../kosmos_discourse/recipes/nginx.rb | 28 ++++++++++++- .../kosmos_discourse/templates/nginx_conf.erb | 2 +- 7 files changed, 35 insertions(+), 48 deletions(-) delete mode 100644 site-cookbooks/discourse/recipes/nginx.rb diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index b160e79..5390f93 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json @@ -39,6 +39,7 @@ "kosmos_openresty::firewall", "kosmos_assets::nginx_site", "kosmos-akkounts::nginx", + "kosmos_discourse::nginx", "kosmos_encfs", "kosmos_encfs::default", "kosmos-ejabberd::firewall", @@ -99,4 +100,4 @@ "recipe[kosmos_zerotier::firewall]", "recipe[sockethub::firewall]" ] -} +} \ No newline at end of file diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb index c66657d..5cdfcd6 100644 --- a/roles/openresty_proxy.rb +++ b/roles/openresty_proxy.rb @@ -21,8 +21,6 @@ development_run_list = %w( default_run_list = %w( role[openresty] tor-full - kosmos_assets::nginx_site - kosmos_discourse::nginx kosmos_drone::nginx kosmos_garage::default kosmos_garage::firewall_rpc @@ -46,6 +44,7 @@ production_run_list = %w( role[openresty] kosmos_assets::nginx_site kosmos-akkounts::nginx + kosmos_discourse::nginx ) env_run_lists( diff --git a/site-cookbooks/discourse/metadata.rb b/site-cookbooks/discourse/metadata.rb index f6b34c8..8631202 100644 --- a/site-cookbooks/discourse/metadata.rb +++ b/site-cookbooks/discourse/metadata.rb 
@@ -7,5 +7,4 @@ long_description 'Installs/Configures discourse' version '0.1.0' chef_version '>= 14.0' -depends 'kosmos-nginx' depends 'firewall' diff --git a/site-cookbooks/discourse/recipes/nginx.rb b/site-cookbooks/discourse/recipes/nginx.rb deleted file mode 100644 index ed06d6b..0000000 --- a/site-cookbooks/discourse/recipes/nginx.rb +++ /dev/null @@ -1,39 +0,0 @@ -# -# Cookbook:: discourse -# Recipe:: nginx -# - -include_recipe "kosmos-nginx" - -domain = node['discourse']['domain'] -discourse_role = node['discourse']['role'] - -upstream_ip_addresses = [] -search(:node, "role:#{discourse_role}").each do |n| - upstream_ip_addresses << n["knife_zero"]["host"] -end -# No Discourse host, stop here -if upstream_ip_addresses.empty? - Chef::Log.warn("No server with '#{discourse_role}' role. Stopping here.") - return -end - -nginx_certbot_site domain - -template "#{node['nginx']['dir']}/sites-available/#{domain}" do - source "nginx_conf.erb" - owner 'www-data' - mode 0640 - variables server_name: domain, - ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", - ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", - upstream_port: node['discourse']['port'], - upstream_name: discourse_role, - upstream_ip_addresses: upstream_ip_addresses - - notifies :reload, 'service[nginx]', :delayed -end - -nginx_site domain do - action :enable -end diff --git a/site-cookbooks/kosmos_discourse/metadata.rb b/site-cookbooks/kosmos_discourse/metadata.rb index 1a3b1c6..4d026ad 100644 --- a/site-cookbooks/kosmos_discourse/metadata.rb +++ b/site-cookbooks/kosmos_discourse/metadata.rb 
@@ -2,10 +2,11 @@ name 'kosmos_discourse' maintainer 'Kosmos Developers' maintainer_email 'mail@kosmos.org' license 'MIT' -description 'Installs/Configures discourse' -long_description 'Installs/Configures discourse' -version '0.1.0' +description 'Installs/configures Discourse' +long_description 'Installs/configures Discourse' +version '0.2.0' chef_version '>= 14.0' depends 'discourse' depends 'firewall' +depends 'kosmos_openresty' diff --git a/site-cookbooks/kosmos_discourse/recipes/nginx.rb b/site-cookbooks/kosmos_discourse/recipes/nginx.rb index 081f1fb..b43edce 100644 --- a/site-cookbooks/kosmos_discourse/recipes/nginx.rb +++ b/site-cookbooks/kosmos_discourse/recipes/nginx.rb @@ -3,4 +3,30 @@ # Recipe:: nginx # -include_recipe "discourse::nginx" +domain = node['discourse']['domain'] +discourse_role = node['discourse']['role'] + +upstream_ip_addresses = [] +search(:node, "role:#{discourse_role}").each do |n| + upstream_ip_addresses << n["knife_zero"]["host"] +end +# No Discourse host, stop here +if upstream_ip_addresses.empty? + Chef::Log.warn("No server with '#{discourse_role}' role. Stopping here.") + return +end + +tls_cert_for domain do + auth "gandi_dns" + action :create +end + +openresty_site domain do + template "nginx_conf.erb" + variables server_name: domain, + ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", + upstream_port: node['discourse']['port'], + upstream_name: discourse_role, + upstream_ip_addresses: upstream_ip_addresses +end diff --git a/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb b/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb index db939fd..9b328d6 100644 --- a/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb +++ b/site-cookbooks/kosmos_discourse/templates/nginx_conf.erb 
@@ -8,7 +8,7 @@ upstream _discourse { <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> server { server_name <%= @server_name %>; - listen 443 ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 ssl http2; ssl_certificate <%= @ssl_cert %>; -- 2.25.1 From 53abc2ec9a85ccbe25f815a4d482eada710f088c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 26 Jul 2023 14:07:48 +0200 Subject: [PATCH 06/30] Migrate Drone CI proxy to openresty --- nodes/draco.kosmos.org.json | 1 + site-cookbooks/kosmos_drone/metadata.rb | 2 +- site-cookbooks/kosmos_drone/recipes/nginx.rb | 17 ++++++----------- .../kosmos_drone/templates/nginx_conf.erb | 4 +--- 4 files changed, 9 insertions(+), 15 deletions(-) diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index 5390f93..21262c9 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json @@ -40,6 +40,7 @@ "kosmos_assets::nginx_site", "kosmos-akkounts::nginx", "kosmos_discourse::nginx", + "kosmos_drone::nginx", "kosmos_encfs", "kosmos_encfs::default", "kosmos-ejabberd::firewall", diff --git a/site-cookbooks/kosmos_drone/metadata.rb b/site-cookbooks/kosmos_drone/metadata.rb index e0ef895..648f5da 100644 --- a/site-cookbooks/kosmos_drone/metadata.rb +++ b/site-cookbooks/kosmos_drone/metadata.rb @@ -8,5 +8,5 @@ version '0.1.0' chef_version '>= 14.0' depends "firewall" -depends "kosmos-nginx" depends "kosmos_gitea" +depends "kosmos_openresty" diff --git a/site-cookbooks/kosmos_drone/recipes/nginx.rb b/site-cookbooks/kosmos_drone/recipes/nginx.rb index fffe902..4c4b564 100644 --- a/site-cookbooks/kosmos_drone/recipes/nginx.rb +++ b/site-cookbooks/kosmos_drone/recipes/nginx.rb 
@@ -12,21 +12,16 @@ end # No Discourse host, stop here return if upstream_ip_addresses.empty? -nginx_certbot_site domain +tls_cert_for domain do + auth "gandi_dns" + action :create +end -template "#{node['nginx']['dir']}/sites-available/#{domain}" do - source "nginx_conf.erb" - owner 'www-data' - mode 0640 +openresty_site domain do + template "nginx_conf.erb" variables server_name: domain, upstream_ip_addresses: upstream_ip_addresses, upstream_port: node["kosmos_drone"]["upstream_port"], ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem" - - notifies :reload, 'service[nginx]', :delayed -end - -nginx_site domain do - action :enable end diff --git a/site-cookbooks/kosmos_drone/templates/nginx_conf.erb b/site-cookbooks/kosmos_drone/templates/nginx_conf.erb index f9e1dfa..3c9c741 100644 --- a/site-cookbooks/kosmos_drone/templates/nginx_conf.erb +++ b/site-cookbooks/kosmos_drone/templates/nginx_conf.erb @@ -1,4 +1,3 @@ -<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> # Generated by Chef upstream _drone { <% @upstream_ip_addresses.each do |upstream_ip_address| -%> @@ -8,7 +7,7 @@ upstream _drone { server { server_name <%= @server_name %>; - listen 443 ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 ssl http2; ssl_certificate <%= @ssl_cert %>; @@ -33,4 +32,3 @@ server { proxy_http_version 1.1; } } -<% end -%> -- 2.25.1 From 4d528d67ef22646ccccf08033dbb44a27e55a3e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 26 Jul 2023 14:08:44 +0200 Subject: [PATCH 07/30] Migrate RSK proxies to openresty --- nodes/draco.kosmos.org.json | 2 ++ site-cookbooks/kosmos_rsk/metadata.rb | 2 +- .../kosmos_rsk/resources/nginx_site.rb | 20 +++++++------------ .../kosmos_rsk/templates/nginx_conf_rskj.erb | 2 +- 4 files changed, 11 insertions(+), 15 deletions(-) 
diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index 21262c9..a73127d 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json @@ -41,6 +41,8 @@ "kosmos-akkounts::nginx", "kosmos_discourse::nginx", "kosmos_drone::nginx", + "kosmos_rsk::nginx_testnet", + "kosmos_rsk::nginx_mainnet", "kosmos_encfs", "kosmos_encfs::default", "kosmos-ejabberd::firewall", diff --git a/site-cookbooks/kosmos_rsk/metadata.rb b/site-cookbooks/kosmos_rsk/metadata.rb index 6f0c24a..e4eebd3 100644 --- a/site-cookbooks/kosmos_rsk/metadata.rb +++ b/site-cookbooks/kosmos_rsk/metadata.rb @@ -9,4 +9,4 @@ issues_url 'https://gitea.kosmos.org/kosmos/chef/issues' source_url 'https://gitea.kosmos.org/kosmos/chef' depends 'firewall' -depends 'kosmos-nginx' +depends 'kosmos_openresty' diff --git a/site-cookbooks/kosmos_rsk/resources/nginx_site.rb b/site-cookbooks/kosmos_rsk/resources/nginx_site.rb index 2230655..c1f0026 100644 --- a/site-cookbooks/kosmos_rsk/resources/nginx_site.rb +++ b/site-cookbooks/kosmos_rsk/resources/nginx_site.rb 
@@ -5,33 +5,27 @@ property :network, String, required: true, name_property: true property :domain, String, required: true action :create do - include_recipe "kosmos-nginx" - network = new_resource.network domain = new_resource.domain - nginx_certbot_site domain - upstream_hosts = [] search(:node, "role:rskj_#{network}").each do |node| upstream_hosts << node["knife_zero"]["host"] end upstream_hosts.push("localhost") if upstream_hosts.empty? - template "#{node['nginx']['dir']}/sites-available/#{domain}" do - source "nginx_conf_rskj.erb" - owner 'www-data' - mode 0640 + tls_cert_for domain do + auth "gandi_dns" + action :create + end + + openresty_site domain do + template "nginx_conf_rskj.erb" variables domain: domain, upstream_name: "rskj_#{network}", upstream_hosts: upstream_hosts, upstream_port: "4444", ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem" - notifies :reload, 'service[nginx]', :delayed - end - - nginx_site domain do - action :enable end end diff --git a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb index 9831d8b..53e5945 100644 --- a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb +++ b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb @@ -5,7 +5,7 @@ upstream _<%= @upstream_name %> { } server { - listen 443 ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 ssl http2; server_name <%= @domain %>; -- 2.25.1 From 1681942fb1d72f5abd66e61a843b32792b463f90 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 26 Jul 2023 14:15:22 +0200 Subject: [PATCH 08/30] Migrate static website to openresty --- nodes/draco.kosmos.org.json | 2 ++ site-cookbooks/kosmos_website/metadata.rb | 2 +- .../kosmos_website/recipes/default.rb | 23 +++++-------------- .../templates/nginx_conf_website.erb | 8 +++---- 4 files changed, 12 insertions(+), 23 deletions(-) diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index a73127d..fba9fb1 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json @@ -43,6 +43,8 @@ "kosmos_drone::nginx", "kosmos_rsk::nginx_testnet", "kosmos_rsk::nginx_mainnet", + "kosmos_website", + "kosmos_website::default", "kosmos_encfs", "kosmos_encfs::default", "kosmos-ejabberd::firewall", diff --git a/site-cookbooks/kosmos_website/metadata.rb b/site-cookbooks/kosmos_website/metadata.rb index bf45804..8c96a5d 100644 --- a/site-cookbooks/kosmos_website/metadata.rb +++ b/site-cookbooks/kosmos_website/metadata.rb @@ -7,5 +7,5 @@ long_description 'Configures the main kosmos.org website' version '1.0.0' chef_version '>= 15.10' if respond_to?(:chef_version) -depends "kosmos-nginx" depends 'git' +depends "kosmos_openresty" diff --git a/site-cookbooks/kosmos_website/recipes/default.rb b/site-cookbooks/kosmos_website/recipes/default.rb index d90cd94..433c9d9 100644 --- a/site-cookbooks/kosmos_website/recipes/default.rb +++ b/site-cookbooks/kosmos_website/recipes/default.rb @@ -3,20 +3,16 @@ # Recipe:: default # -include_recipe "kosmos-nginx" include_recipe "git" domain = node["kosmos_website"]["domain"] -nginx_certbot_site domain - -directory "/var/www/#{domain}/site" do - user node["nginx"]["user"] - group node["nginx"]["group"] - mode "0755" +tls_cert_for domain do + auth "gandi_dns" + action :create end -git "/var/www/#{domain}/site" do +git "/var/www/#{domain}" do user node["nginx"]["user"] group node["nginx"]["group"] repository node["kosmos_website"]["repo"] 
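Review bot: `git "/var/www/#{domain}" do` still sets `user node["nginx"]["user"]` and `group node["nginx"]["group"]`, but this patch swaps the `kosmos-nginx` dependency for `kosmos_openresty` in metadata.rb; unless the openresty cookbook also populates `node["nginx"]`, both evaluate to `nil` and the checkout runs as the chef-client user (root), leaving the served tree root-owned rather than owned by the web user. Read the user and group from the attribute the openresty cookbook actually provides, or fail loudly with `raise "node['nginx']['user'] is unset" if node["nginx"]["user"].nil?` until that is confirmed. The same `node['nginx'][...]` reads reappear in the new kosmos_gitea::nginx_ssh recipe later in the series. With the `directory` resource dropped, the `git` resource is now the only thing creating `/var/www/<domain>`, which is fine for `action :sync` but deserves a one-line comment.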
@@ -24,16 +20,9 @@ git "/var/www/#{domain}/site" do action :sync end -template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do - source "nginx_conf_website.erb" - owner node["nginx"]["user"] - mode 0640 +openresty_site domain do + template "nginx_conf_website.erb" variables domain: domain, ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem" - notifies :reload, "service[nginx]", :delayed -end - -nginx_site domain do - action :enable end diff --git a/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb b/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb index 1ac08bf..0eb9f81 100644 --- a/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb +++ b/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb @@ -1,12 +1,11 @@ -<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> # Generated by Chef server { - listen 443 ssl http2; - listen [::]:443 ssl http2; server_name <%= @domain %>; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; + listen [::]:443 ssl http2; - root /var/www/<%= @domain %>/site/public; + root /var/www/<%= @domain %>/public; access_log off; gzip_static on; @@ -29,4 +28,3 @@ server { proxy_pass https://accounts.kosmos.org; } } -<% end -%> -- 2.25.1 From 4b14297f831ec510948e2f468bcae469df922fcf Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 26 Jul 2023 14:15:46 +0200 Subject: [PATCH 09/30] WIP Migrate Gitea proxy to openresty TODO: Make nginx_ssh stream resource work with openresty cookbook --- nodes/draco.kosmos.org.json | 1 + nodes/fornax.kosmos.org.json | 1 + site-cookbooks/kosmos_gitea/metadata.rb | 20 ++-------- site-cookbooks/kosmos_gitea/recipes/nginx.rb | 37 +++---------------- .../kosmos_gitea/recipes/nginx_ssh.rb | 18 +++++++++ .../templates/default/nginx_conf_web.erb | 13 +------ 6 files changed, 32 insertions(+), 58 deletions(-) create mode 100644 site-cookbooks/kosmos_gitea/recipes/nginx_ssh.rb diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index fba9fb1..663ab5d 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json @@ -41,6 +41,7 @@ "kosmos-akkounts::nginx", "kosmos_discourse::nginx", "kosmos_drone::nginx", + "kosmos_gitea::nginx", "kosmos_rsk::nginx_testnet", "kosmos_rsk::nginx_mainnet", "kosmos_website", diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json index f648554..5d6222f 100644 --- a/nodes/fornax.kosmos.org.json +++ b/nodes/fornax.kosmos.org.json @@ -102,6 +102,7 @@ "role[base]", "role[kvm_host]", "role[nginx_proxy]", + "kosmos_gitea::nginx_ssh", "role[zerotier_controller]" ] } diff --git a/site-cookbooks/kosmos_gitea/metadata.rb b/site-cookbooks/kosmos_gitea/metadata.rb index 95cd94a..f842b03 100644 --- a/site-cookbooks/kosmos_gitea/metadata.rb +++ b/site-cookbooks/kosmos_gitea/metadata.rb 
@@ -2,25 +2,13 @@ name 'kosmos_gitea' maintainer 'Kosmos Developers' maintainer_email 'ops@kosmos.org' license 'MIT' -description 'Installs/Configures kosmos_gitea' -long_description 'Installs/Configures kosmos_gitea' -version '0.1.0' +description 'Installs/configures Gitea' +long_description 'Installs/configures Gitea' +version '0.2.0' chef_version '>= 14.0' -# The `issues_url` points to the location where issues for this cookbook are -# tracked. A `View Issues` link will be displayed on this cookbook's page when -# uploaded to a Supermarket. -# -# issues_url 'https://github.com//kosmos_gitea/issues' - -# The `source_url` points to the development repository for this cookbook. A -# `View Source` link will be displayed on this cookbook's page when uploaded to -# a Supermarket. -# -# source_url 'https://github.com//kosmos_gitea' - depends "firewall" -depends "kosmos-nginx" +depends "kosmos_openresty" depends "kosmos_postgresql" depends "backup" depends "kosmos-dirsrv" diff --git a/site-cookbooks/kosmos_gitea/recipes/nginx.rb b/site-cookbooks/kosmos_gitea/recipes/nginx.rb index 1af4c5a..243e9f9 100644 --- a/site-cookbooks/kosmos_gitea/recipes/nginx.rb +++ b/site-cookbooks/kosmos_gitea/recipes/nginx.rb @@ -3,14 +3,8 @@ # Recipe:: nginx # -include_recipe "kosmos-nginx" - domain = node["gitea"]["domain"] -# upstream_ip_addresses = [] -# search(:node, "role:gitea").each do |n| -# upstream_ip_addresses << n["knife_zero"]["host"] -# end begin upstream_ip_address = search(:node, "role:gitea").first["knife_zero"]["host"] rescue 
@@ -18,35 +12,16 @@ rescue return end -nginx_certbot_site domain +tls_cert_for domain do + auth "gandi_dns" + action :create +end -template "#{node['nginx']['dir']}/sites-available/#{domain}" do - source "nginx_conf_web.erb" - owner 'www-data' - mode 0640 +openresty_site domain do + template "nginx_conf_web.erb" variables server_name: domain, ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", upstream_host: upstream_ip_address, upstream_port: node["gitea"]["port"] - - notifies :reload, 'service[nginx]', :delayed -end - -nginx_site domain do - action :enable -end - -template "#{node['nginx']['dir']}/streams-available/ssh" do - source "nginx_conf_ssh.erb" - owner 'www-data' - mode 0640 - variables domain: domain, - upstream_host: upstream_ip_address - - notifies :reload, 'service[nginx]', :delayed -end - -nginx_stream "ssh" do - action :enable end diff --git a/site-cookbooks/kosmos_gitea/recipes/nginx_ssh.rb b/site-cookbooks/kosmos_gitea/recipes/nginx_ssh.rb new file mode 100644 index 0000000..16f8e7a --- /dev/null +++ b/site-cookbooks/kosmos_gitea/recipes/nginx_ssh.rb @@ -0,0 +1,18 @@ +# +# Cookbook:: kosmos_gitea +# Recipe:: nginx_ssh +# + +template "#{node['nginx']['dir']}/streams-available/ssh" do + source "nginx_conf_ssh.erb" + owner 'www-data' + mode 0640 + variables domain: domain, + upstream_host: upstream_ip_address + + notifies :reload, 'service[nginx]', :delayed +end + +nginx_stream "ssh" do + action :enable +end diff --git a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb index f8b6b22..5d7712b 100644 --- a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb +++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb 
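Review bot: The new recipe kosmos_gitea/recipes/nginx_ssh.rb references `domain` and `upstream_ip_address` in `variables domain: domain, upstream_host: upstream_ip_address`, but neither local is defined in this file — they were locals of kosmos_gitea::nginx, and recipe locals do not cross recipe boundaries — so the template block will raise a `NameError` at compile time, and nodes/fornax.kosmos.org.json already puts `kosmos_gitea::nginx_ssh` directly into a run_list in this same patch. Resolve both at the top of the recipe before the template resource, mirroring the lookup in kosmos_gitea::nginx but without the bare `rescue`. The recipe also still uses `node['nginx']['dir']`, `service[nginx]` and `nginx_stream`, which come from the nginx cookbook this patch removes from metadata.rb; the commit's TODO covers the stream resource, but fornax (which runs the nginx_proxy role) needs that dependency restored until then.
```ruby
domain = node["gitea"]["domain"]

# Locate the Gitea host the same way kosmos_gitea::nginx does,
# but stop explicitly when no node carries the role.
gitea_node = search(:node, "role:gitea").first
if gitea_node.nil?
  Chef::Log.warn("No server with 'gitea' role. Stopping here.")
  return
end
upstream_ip_address = gitea_node["knife_zero"]["host"]

# … unchanged: template "#{node['nginx']['dir']}/streams-available/ssh" and nginx_stream "ssh" …
```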
@@ -4,23 +4,14 @@ upstream _gitea_web { } server { -<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> - listen 443 ssl http2; - listen [::]:443 ssl http2; server_name <%= @server_name %>; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; + listen [::]:443 ssl http2; ssl_certificate <%= @ssl_cert %>; ssl_certificate_key <%= @ssl_key %>; add_header Strict-Transport-Security "max-age=31536000"; -<% else -%> - listen 80; - server_name <%= @server_name %>; - - location /.well-known { - root "/var/www/<%= @server_name %>"; - } -<% end -%> client_max_body_size 20M; -- 2.25.1 From 98d423aa708db221780c411c661fc456542d0d32 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 26 Jul 2023 14:16:33 +0200 Subject: [PATCH 10/30] Update roles --- roles/openresty_proxy.rb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb index 5cdfcd6..e582258 100644 --- a/roles/openresty_proxy.rb +++ b/roles/openresty_proxy.rb @@ -21,15 +21,10 @@ development_run_list = %w( default_run_list = %w( role[openresty] tor-full - kosmos_drone::nginx kosmos_garage::default kosmos_garage::firewall_rpc kosmos_garage::nginx_web - kosmos_gitea::nginx - kosmos_rsk::nginx_testnet - kosmos_rsk::nginx_mainnet - kosmos_website::default - kosmos-akkounts::nginx + kosmos-akkounts::nginx_api kosmos-bitcoin::nginx_lndhub kosmos-ejabberd::nginx @@ -45,6 +40,11 @@ production_run_list = %w( kosmos_assets::nginx_site kosmos-akkounts::nginx kosmos_discourse::nginx + kosmos_drone::nginx + kosmos_gitea::nginx + kosmos_rsk::nginx_testnet + kosmos_rsk::nginx_mainnet + kosmos_website::default ) env_run_lists( -- 2.25.1 From 7b5d46c813beac76443b71df7e882ac13da03545 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 26 Jul 2023 14:52:16 +0200 Subject: [PATCH 11/30] Update openresty cookbook --- site-cookbooks/openresty | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/openresty b/site-cookbooks/openresty index 7b13a95..d031d59 160000 --- a/site-cookbooks/openresty +++ b/site-cookbooks/openresty @@ -1 +1 @@ -Subproject commit 7b13a950f9f4ca1e3be015542e13126dd68bbcc0 +Subproject commit d031d59fdecff4ee23457d32e8f658c22aa21773 -- 2.25.1 From 1bad2939de52ea9e5793712e37255dd90f544637 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 26 Jul 2023 14:52:37 +0200 Subject: [PATCH 12/30] Migrate accounts API proxy to openresty --- nodes/draco.kosmos.org.json | 4 +++- roles/openresty_proxy.rb | 4 ++-- .../kosmos-akkounts/recipes/nginx_api.rb | 19 +++++++------------ .../templates/nginx_conf_akkounts_api.erb | 2 +- 4 files changed, 13 insertions(+), 16 deletions(-) diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index 663ab5d..d6de9a2 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json @@ -38,7 +38,6 @@ "kosmos_openresty::default", "kosmos_openresty::firewall", "kosmos_assets::nginx_site", - "kosmos-akkounts::nginx", "kosmos_discourse::nginx", "kosmos_drone::nginx", "kosmos_gitea::nginx", @@ -46,6 +45,8 @@ "kosmos_rsk::nginx_mainnet", "kosmos_website", "kosmos_website::default", + "kosmos-akkounts::nginx", + "kosmos-akkounts::nginx_api", "kosmos_encfs", "kosmos_encfs::default", "kosmos-ejabberd::firewall", @@ -69,6 +70,7 @@ "hostname::default", "openresty::apt_package", "openresty::ohai_plugin", + "openresty::commons_cleanup", "openresty::commons_user", "openresty::commons_dir", "openresty::commons_script", diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb index e582258..820bc82 100644 --- a/roles/openresty_proxy.rb +++ b/roles/openresty_proxy.rb 
@@ -25,7 +25,6 @@ default_run_list = %w( kosmos_garage::firewall_rpc kosmos_garage::nginx_web - kosmos-akkounts::nginx_api kosmos-bitcoin::nginx_lndhub kosmos-ejabberd::nginx kosmos-hubot::nginx_botka_irc-libera-chat @@ -38,13 +37,14 @@ default_run_list = %w( production_run_list = %w( role[openresty] kosmos_assets::nginx_site - kosmos-akkounts::nginx kosmos_discourse::nginx kosmos_drone::nginx kosmos_gitea::nginx kosmos_rsk::nginx_testnet kosmos_rsk::nginx_mainnet kosmos_website::default + kosmos-akkounts::nginx + kosmos-akkounts::nginx_api ) env_run_lists( diff --git a/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb b/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb index f120afd..697518e 100644 --- a/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb +++ b/site-cookbooks/kosmos-akkounts/recipes/nginx_api.rb @@ -3,29 +3,24 @@ # Recipe:: nginx_api # -include_recipe "kosmos-nginx" domain = node["akkounts_api"]["domain"] -nginx_certbot_site domain - upstream_hosts = [] search(:node, "role:akkounts").each do |node| upstream_hosts << node["knife_zero"]["host"] end upstream_hosts.push("localhost") if upstream_hosts.empty? -template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do - source "nginx_conf_akkounts_api.erb" - owner "www-data" - mode 0640 +tls_cert_for domain do + auth "gandi_dns" + action :create +end + +openresty_site domain do + template "nginx_conf_akkounts_api.erb" variables domain: domain, upstream_port: node["akkounts"]["port"], upstream_hosts: upstream_hosts, ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem" - notifies :reload, "service[nginx]", :delayed -end - -nginx_site domain do - action :enable end diff --git a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb index 7ef12ff..ffabdc9 100644 --- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb 
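Review bot: `upstream_hosts.push("localhost") if upstream_hosts.empty?` makes a missing `akkounts` node silently render a vhost that proxies to the openresty host's own `node["akkounts"]["port"]`; on a dedicated proxy that is a misconfiguration to fail on, not a fallback. The `remotestorage_discourse::nginx` recipe added later in this series (PATCH 15) logs `Chef::Log.warn` and `return`s from the recipe when the search comes back empty; the same guard fits here, and `search(...).each do |node|` shadowing Chef's `node` would read better as `|n|` as that recipe does. Whether `kosmos-akkounts`'s metadata already depends on `kosmos_openresty`, which presumably provides `tls_cert_for` and `openresty_site`, is not visible in this patch; the other migrated cookbooks add that dependency explicitly.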
+++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb @@ -6,7 +6,7 @@ upstream _akkounts_api { } server { - listen 443 ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 ssl http2; server_name <%= @domain %>; -- 2.25.1 From ad59913555b61b8ceed412812507acf08b9de2c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 26 Jul 2023 15:00:55 +0200 Subject: [PATCH 13/30] Migrate lndhub proxy to openresty --- nodes/draco.kosmos.org.json | 1 + roles/openresty_proxy.rb | 2 +- site-cookbooks/kosmos-bitcoin/metadata.rb | 1 + .../kosmos-bitcoin/recipes/nginx_lndhub.rb | 25 +++++++------------ .../templates/nginx_conf_lndhub.erb | 2 +- 5 files changed, 13 insertions(+), 18 deletions(-) diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index d6de9a2..09b0d9a 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json @@ -47,6 +47,7 @@ "kosmos_website::default", "kosmos-akkounts::nginx", "kosmos-akkounts::nginx_api", + "kosmos-bitcoin::nginx_lndhub", "kosmos_encfs", "kosmos_encfs::default", "kosmos-ejabberd::firewall", diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb index 820bc82..6275af9 100644 --- a/roles/openresty_proxy.rb +++ b/roles/openresty_proxy.rb @@ -25,7 +25,6 @@ default_run_list = %w( kosmos_garage::firewall_rpc kosmos_garage::nginx_web - kosmos-bitcoin::nginx_lndhub kosmos-ejabberd::nginx kosmos-hubot::nginx_botka_irc-libera-chat kosmos-hubot::nginx_hal8000_xmpp @@ -45,6 +44,7 @@ production_run_list = %w( kosmos_website::default kosmos-akkounts::nginx kosmos-akkounts::nginx_api + kosmos-bitcoin::nginx_lndhub ) env_run_lists( diff --git a/site-cookbooks/kosmos-bitcoin/metadata.rb b/site-cookbooks/kosmos-bitcoin/metadata.rb index 1cf8f30..5c23e70 100644 --- a/site-cookbooks/kosmos-bitcoin/metadata.rb +++ b/site-cookbooks/kosmos-bitcoin/metadata.rb 
@@ -14,6 +14,7 @@ depends 'git' depends 'golang' depends 'kosmos-nginx' depends 'kosmos-nodejs' +depends 'kosmos_openresty' depends 'kosmos_postgresql' depends 'postgresql' depends 'redisio' diff --git a/site-cookbooks/kosmos-bitcoin/recipes/nginx_lndhub.rb b/site-cookbooks/kosmos-bitcoin/recipes/nginx_lndhub.rb index dcf54f7..83cee60 100644 --- a/site-cookbooks/kosmos-bitcoin/recipes/nginx_lndhub.rb +++ b/site-cookbooks/kosmos-bitcoin/recipes/nginx_lndhub.rb @@ -3,27 +3,20 @@ # Recipe:: nginx_lndhub # -include_recipe "kosmos-base::letsencrypt" -include_recipe "kosmos-nginx" - domain = node['lndhub-go']['domain'] -nginx_certbot_site domain - upstream_host = search(:node, "role:lndhub").first["knife_zero"]["host"] -template "#{node['nginx']['dir']}/sites-available/#{domain}" do - source 'nginx_conf_lndhub.erb' - owner node["nginx"]["user"] - mode 0640 - variables port: node['lndhub-go']['port'], - server_name: domain, +tls_cert_for domain do + auth "gandi_dns" + action :create +end + +openresty_site domain do + template 'nginx_conf_lndhub.erb' + variables server_name: domain, + port: node['lndhub-go']['port'], ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", upstream_host: upstream_host - notifies :reload, 'service[nginx]', :delayed -end - -nginx_site domain do - action :enable end diff --git a/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb index 07ec9a4..f79a0ae 100644 --- a/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb +++ b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb @@ -6,7 +6,7 @@ upstream _lndhub { } server { - listen 443 ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 ssl http2; server_name <%= @server_name %>; -- 2.25.1 From 15b2ea284af098ac18b36a754fd76d9e1363ee63 Mon Sep 17 00:00:00 2001 
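Review bot: `search(:node, "role:lndhub").first["knife_zero"]["host"]` raises NoMethodError on nil when no `lndhub` node exists, which aborts the whole chef run on the proxy host and stops every other vhost from converging; since the recipe is being rewritten here, guard it the way `remotestorage_discourse::nginx` in this series does, e.g. `lndhub_node = search(:node, "role:lndhub").first` followed by a `Chef::Log.warn` and `return` when it is nil. The two hubot recipes migrated in PATCH 17 (`nginx_botka_irc-libera-chat.rb`, `nginx_hal8000_xmpp.rb`) carry the same unguarded `.first[...]`. `include_recipe "kosmos-base::letsencrypt"` is dropped here and in the hubot recipes; presumably `tls_cert_for` sets up certbot itself, but a comment confirming that would save the next reader a search.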
From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 26 Jul 2023 15:44:04 +0200 Subject: [PATCH 14/30] Migrate mastodon proxy to openresty --- nodes/draco.kosmos.org.json | 1 + roles/openresty_proxy.rb | 4 +- site-cookbooks/kosmos-mastodon/metadata.rb | 2 +- .../kosmos-mastodon/recipes/nginx.rb | 37 ++++++++----------- .../templates/default/nginx_conf_mastodon.erb | 6 +-- 5 files changed, 22 insertions(+), 28 deletions(-) diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index 09b0d9a..a0b0128 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json @@ -48,6 +48,7 @@ "kosmos-akkounts::nginx", "kosmos-akkounts::nginx_api", "kosmos-bitcoin::nginx_lndhub", + "kosmos-mastodon::nginx", "kosmos_encfs", "kosmos_encfs::default", "kosmos-ejabberd::firewall", diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb index 6275af9..0f59edc 100644 --- a/roles/openresty_proxy.rb +++ b/roles/openresty_proxy.rb @@ -24,12 +24,11 @@ default_run_list = %w( kosmos_garage::default kosmos_garage::firewall_rpc kosmos_garage::nginx_web - kosmos-ejabberd::nginx + kosmos-hubot::nginx_botka_irc-libera-chat kosmos-hubot::nginx_hal8000_xmpp kosmos-ipfs::nginx_public_gateway - kosmos-mastodon::nginx remotestorage_discourse::nginx ) @@ -45,6 +44,7 @@ production_run_list = %w( kosmos-akkounts::nginx kosmos-akkounts::nginx_api kosmos-bitcoin::nginx_lndhub + kosmos-mastodon::nginx ) env_run_lists( diff --git a/site-cookbooks/kosmos-mastodon/metadata.rb b/site-cookbooks/kosmos-mastodon/metadata.rb index 81fc2bf..c020afc 100644 --- a/site-cookbooks/kosmos-mastodon/metadata.rb +++ b/site-cookbooks/kosmos-mastodon/metadata.rb @@ -13,7 +13,7 @@ depends 'firewall' depends 'redisio' depends 'tor-full' depends 'postgresql' -depends 'kosmos-nginx' depends 'kosmos-nodejs' +depends 'kosmos_openresty' depends 'kosmos_postgresql' depends 'ruby_build' 
diff --git a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb index 3c81e81..f19e052 100644 --- a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb +++ b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb 
@@ -3,57 +3,50 @@ # Recipe:: nginx # -include_recipe "kosmos-nginx" - app_dir = node["kosmos-mastodon"]["directory"] server_name = node["kosmos-mastodon"]["domain"] -is_proxy = node.roles.include?('nginx_proxy') rescue nil -upstream_hosts = [] -if is_proxy +upstream_hosts = [] +search(:node, "role:mastodon").each do |node| + upstream_hosts << node["knife_zero"]["host"] +end +if upstream_hosts.any? web_root_dir = "/var/www/#{server_name}/public" - search(:node, "role:mastodon").each do |node| - upstream_hosts << node["knife_zero"]["host"] - end else web_root_dir = "#{app_dir}/public" upstream_hosts << "localhost" end -directory "#{node['nginx']['dir']}/snippets" do +directory "#{node['openresty']['dir']}/snippets" do action :create owner 'www-data' mode 0640 end -template "#{node['nginx']['dir']}/snippets/mastodon.conf" do +template "#{node['openresty']['dir']}/snippets/mastodon.conf" do source 'nginx_conf_shared.erb' owner 'www-data' mode 0640 variables web_root_dir: web_root_dir, server_name: server_name - notifies :reload, 'service[nginx]', :delayed + notifies :reload, 'service[openresty]', :delayed end -nginx_certbot_site server_name +tls_cert_for server_name do + auth "gandi_dns" + action :create +end onion_address = File.read("/var/lib/tor/web/hostname").strip rescue nil rescue nil -template "#{node['nginx']['dir']}/sites-available/#{server_name}" do - source 'nginx_conf_mastodon.erb' - owner 'www-data' - mode 0640 +openresty_site server_name do + template 'nginx_conf_mastodon.erb' variables server_name: server_name, ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem", - shared_config_path: "#{node['nginx']['dir']}/snippets/mastodon.conf", + shared_config_path: "#{node['openresty']['dir']}/snippets/mastodon.conf", app_port: node["kosmos-mastodon"]["app_port"], streaming_port: node["kosmos-mastodon"]["streaming_port"], onion_address: onion_address, upstream_hosts: upstream_hosts - notifies 
:reload, 'service[nginx]', :delayed -end - -nginx_site server_name do - action :enable end diff --git a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb index 619f03d..d3c45d8 100644 --- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb +++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb @@ -20,7 +20,7 @@ proxy_cache_path /var/cache/nginx/mastodon levels=1:2 max_size=1g inactive=120m use_temp_path=off; server { - listen 443 ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 ssl http2; server_name <%= @server_name %>; include <%= @shared_config_path %>; @@ -36,12 +36,12 @@ server { <% if @onion_address %> server { - listen 80; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80; server_name mastodon.<%= @onion_address %>; include <%= @shared_config_path %>; } server { - listen 443 ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; server_name mastodon.<%= @onion_address %>; include <%= @shared_config_path %>; -- 2.25.1 From 1362da0add1cf7a634469c0c7c8b6678d6e63a1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 26 Jul 2023 15:57:08 +0200 Subject: [PATCH 15/30] Migrate RS Discourse proxy to openresty --- nodes/draco.kosmos.org.json | 1 + roles/openresty_proxy.rb | 2 +- .../attributes/default.rb | 2 -- .../remotestorage_discourse/metadata.rb | 8 ++++-- .../remotestorage_discourse/recipes/nginx.rb | 28 ++++++++++++++++++- .../templates/nginx_conf.erb | 8 ++---- 6 files changed, 37 insertions(+), 12 deletions(-) diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index a0b0128..c4383f5 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json 
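Review bot: The proxy/local decision at `if upstream_hosts.any?` now depends on the search result rather than on the node's role: on any node that runs this recipe while a `mastodon` node exists — including the mastodon host itself, which would find itself — the `/var/www/...` web root and a proxied upstream are chosen and the local `#{app_dir}/public` branch becomes unreachable; if the recipe is still in the mastodon role's run list that is a behaviour change worth a comment above the `if`. `search(...).each do |node|` also shadows Chef's `node` inside the block; `|n|` as in `remotestorage_discourse::nginx` avoids the ambiguity. The hunk starts at the recipe header and the `openresty_site` resource runs to the end of the file.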
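Review bot: The two `mastodon.<%= @onion_address %>` server blocks are now bound to `listen_ip`, i.e. the public address, on ports 80 and 443. A Tor hidden service only needs a listener the local tor daemon can reach — the `tor_service` added in PATCH 20 maps `80 127.0.0.1:80` and `443 127.0.0.1:443` — so the onion vhosts belong on loopback, `listen 127.0.0.1:80;`, rather than on the public address where the plain-HTTP onion vhost is also reachable. PATCH 20 changes this template outside my view, so this may already be handled there; if not, note that with openresty pinned to `listen_ip` nothing listens on 127.0.0.1 and the hidden service targets are unreachable.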
@@ -49,6 +49,7 @@ "kosmos-akkounts::nginx_api", "kosmos-bitcoin::nginx_lndhub", "kosmos-mastodon::nginx", + "remotestorage_discourse::nginx", "kosmos_encfs", "kosmos_encfs::default", "kosmos-ejabberd::firewall", diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb index 0f59edc..5f379f0 100644 --- a/roles/openresty_proxy.rb +++ b/roles/openresty_proxy.rb @@ -29,7 +29,6 @@ default_run_list = %w( kosmos-hubot::nginx_botka_irc-libera-chat kosmos-hubot::nginx_hal8000_xmpp kosmos-ipfs::nginx_public_gateway - remotestorage_discourse::nginx ) production_run_list = %w( @@ -45,6 +44,7 @@ production_run_list = %w( kosmos-akkounts::nginx_api kosmos-bitcoin::nginx_lndhub kosmos-mastodon::nginx + remotestorage_discourse::nginx ) env_run_lists( diff --git a/site-cookbooks/remotestorage_discourse/attributes/default.rb b/site-cookbooks/remotestorage_discourse/attributes/default.rb index 59beba8..e69de29 100644 --- a/site-cookbooks/remotestorage_discourse/attributes/default.rb +++ b/site-cookbooks/remotestorage_discourse/attributes/default.rb @@ -1,2 +0,0 @@ -node.override['discourse']['domain'] = "community.remotestorage.io" -node.override['discourse']['role'] = "remotestorage_discourse" diff --git a/site-cookbooks/remotestorage_discourse/metadata.rb b/site-cookbooks/remotestorage_discourse/metadata.rb index f0de442..42f41e6 100644 --- a/site-cookbooks/remotestorage_discourse/metadata.rb +++ b/site-cookbooks/remotestorage_discourse/metadata.rb @@ -2,9 +2,11 @@ name 'remotestorage_discourse' maintainer 'Kosmos Developers' maintainer_email 'mail@kosmos.org' license 'MIT' -description 'Installs/Configures discourse' -long_description 'Installs/Configures discourse' -version '0.1.0' +description 'Installs/configures Discourse' +long_description 'Installs/configures Discourse' +version '0.2.0' chef_version '>= 14.0' depends 'discourse' +depends 'firewall' +depends 'kosmos_openresty' 
diff --git a/site-cookbooks/remotestorage_discourse/recipes/nginx.rb b/site-cookbooks/remotestorage_discourse/recipes/nginx.rb index 937a70e..ac3f842 100644 --- a/site-cookbooks/remotestorage_discourse/recipes/nginx.rb +++ b/site-cookbooks/remotestorage_discourse/recipes/nginx.rb @@ -3,4 +3,30 @@ # Recipe:: nginx # -include_recipe "discourse::nginx" +domain = "community.remotestorage.io" +discourse_role = "remotestorage_discourse" + +upstream_ip_addresses = [] +search(:node, "role:#{discourse_role}").each do |n| + upstream_ip_addresses << n["knife_zero"]["host"] +end +# No Discourse host, stop here +if upstream_ip_addresses.empty? + Chef::Log.warn("No server with '#{discourse_role}' role. Stopping here.") + return +end + +tls_cert_for domain do + auth "gandi_dns" + action :create +end + +openresty_site domain do + template "nginx_conf.erb" + variables server_name: domain, + ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", + upstream_port: node['discourse']['port'], + upstream_name: discourse_role, + upstream_ip_addresses: upstream_ip_addresses +end diff --git a/site-cookbooks/remotestorage_discourse/templates/nginx_conf.erb b/site-cookbooks/remotestorage_discourse/templates/nginx_conf.erb index 9db6621..7e2618c 100644 --- a/site-cookbooks/remotestorage_discourse/templates/nginx_conf.erb +++ b/site-cookbooks/remotestorage_discourse/templates/nginx_conf.erb @@ -1,14 +1,13 @@ # Generated by Chef -upstream _discourse { +upstream _rs_discourse { <% @upstream_ip_addresses.each do |upstream_ip_address| -%> server <%= upstream_ip_address %>:<%= @upstream_port %>; <% end -%> } -<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> server { server_name <%= @server_name %>; - listen 443 ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 ssl http2; ssl_certificate <%= @ssl_cert %>; 
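Review bot: `upstream_name: discourse_role` is passed to the template, but the template hunk in this patch hard-codes `upstream _rs_discourse {` and `proxy_pass http://_rs_discourse;`, so the variable is dead; either drop it or use `upstream _<%= @upstream_name %> {` in the template. The warn-and-`return` guard on an empty search is the right shape and is worth copying into the akkounts, lndhub and hubot recipes migrated in this series. `attributes/default.rb` is emptied rather than deleted; an empty attributes file should be removed outright.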
@@ -28,8 +27,7 @@ server { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_pass http://_discourse; + proxy_pass http://_rs_discourse; proxy_http_version 1.1; } } -<% end -%> -- 2.25.1 From 027d0ed570c50112c0da4aad88422bf480b7f864 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 26 Jul 2023 16:12:33 +0200 Subject: [PATCH 16/30] Migrate IPFS proxies to openresty --- nodes/draco.kosmos.org.json | 4 +++- roles/openresty_proxy.rb | 2 +- site-cookbooks/kosmos-ipfs/metadata.rb | 2 +- .../recipes/nginx_public_gateway.rb | 18 ++++++------------ .../default/nginx_conf_ipfs.kosmos.org.erb | 7 +++---- 5 files changed, 14 insertions(+), 19 deletions(-) diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index c4383f5..810ed1f 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json @@ -48,6 +48,7 @@ "kosmos-akkounts::nginx", "kosmos-akkounts::nginx_api", "kosmos-bitcoin::nginx_lndhub", + "kosmos-ipfs::nginx_public_gateway", "kosmos-mastodon::nginx", "remotestorage_discourse::nginx", "kosmos_encfs", @@ -83,7 +84,8 @@ "git::default", "git::package", "kosmos-base::letsencrypt", - "firewall::default" + "firewall::default", + "fail2ban::default" ], "platform": "ubuntu", "platform_version": "20.04", diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb index 5f379f0..c3502d0 100644 --- a/roles/openresty_proxy.rb +++ b/roles/openresty_proxy.rb @@ -28,7 +28,6 @@ default_run_list = %w( kosmos-hubot::nginx_botka_irc-libera-chat kosmos-hubot::nginx_hal8000_xmpp - kosmos-ipfs::nginx_public_gateway ) production_run_list = %w( @@ -43,6 +42,7 @@ production_run_list = %w( kosmos-akkounts::nginx kosmos-akkounts::nginx_api kosmos-bitcoin::nginx_lndhub + kosmos-ipfs::nginx_public_gateway kosmos-mastodon::nginx remotestorage_discourse::nginx ) diff --git a/site-cookbooks/kosmos-ipfs/metadata.rb b/site-cookbooks/kosmos-ipfs/metadata.rb index 65947e0..9341d73 100644 --- a/site-cookbooks/kosmos-ipfs/metadata.rb 
+++ b/site-cookbooks/kosmos-ipfs/metadata.rb @@ -9,6 +9,6 @@ version '0.3.0' depends 'ipfs' depends 'fail2ban' depends 'kosmos-base' -depends 'kosmos-nginx' depends 'kosmos-nodejs' +depends 'kosmos_openresty' depends 'firewall' diff --git a/site-cookbooks/kosmos-ipfs/recipes/nginx_public_gateway.rb b/site-cookbooks/kosmos-ipfs/recipes/nginx_public_gateway.rb index c20efe3..c62708a 100644 --- a/site-cookbooks/kosmos-ipfs/recipes/nginx_public_gateway.rb +++ b/site-cookbooks/kosmos-ipfs/recipes/nginx_public_gateway.rb @@ -3,7 +3,6 @@ # Recipe:: nginx_public_gateway # -include_recipe "kosmos-nginx" include_recipe 'firewall' domain = node["kosmos-ipfs"]["nginx"]["domain"] @@ -13,12 +12,13 @@ search(:node, "role:ipfs_gateway").each do |node| ipfs_node_ip_addresses << node["knife_zero"]["host"] end -nginx_certbot_site domain +tls_cert_for domain do + auth "gandi_dns" + action :create +end -template "#{node['nginx']['dir']}/sites-available/#{domain}" do - source "nginx_conf_#{domain}.erb" - owner 'www-data' - mode 0640 +openresty_site domain do + template "nginx_conf_#{domain}.erb" variables server_name: domain, ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", @@ -26,12 +26,6 @@ template "#{node['nginx']['dir']}/sites-available/#{domain}" do ipfs_gateway_port: node['kosmos-ipfs']['gateway_port'], ipfs_external_api_port: node['kosmos-ipfs']['nginx']['external_api_port'], upstream_hosts: ipfs_node_ip_addresses - - notifies :reload, 'service[nginx]', :delayed -end - -nginx_site domain do - action :enable end firewall_rule 'ipfs_api' do diff --git a/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb b/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb index 6f0d69b..f54cea3 100644 --- a/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb +++ b/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb 
@@ -10,10 +10,9 @@ upstream _ipfs_api { } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name <%= @server_name %>; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; + listen [::]:443 ssl http2; access_log /var/log/nginx/<%= @server_name %>.access.log; error_log /var/log/nginx/<%= @server_name %>.error.log; @@ -28,7 +27,7 @@ server { server { <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> - listen <%= @ipfs_external_api_port %> ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %><%= @ipfs_external_api_port %> ssl http2; <% else -%> listen <%= @ipfs_external_api_port %>; <% end -%> -- 2.25.1 From bb2f41fdb34a6aa501a1b140454de9b5d5494e32 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 26 Jul 2023 16:21:03 +0200 Subject: [PATCH 17/30] Migrate hubot proxies to openresty --- nodes/draco.kosmos.org.json | 2 ++ roles/openresty_proxy.rb | 5 ++--- site-cookbooks/kosmos-hubot/metadata.rb | 1 + .../recipes/nginx_botka_irc-libera-chat.rb | 21 ++++++------------ .../recipes/nginx_hal8000_xmpp.rb | 22 +++++++------------ .../templates/default/nginx_conf_hubot.erb | 2 +- 6 files changed, 21 insertions(+), 32 deletions(-) diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index 810ed1f..42117e3 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json @@ -48,6 +48,8 @@ "kosmos-akkounts::nginx", "kosmos-akkounts::nginx_api", "kosmos-bitcoin::nginx_lndhub", + "kosmos-hubot::nginx_botka_irc-libera-chat", + "kosmos-hubot::nginx_hal8000_xmpp", "kosmos-ipfs::nginx_public_gateway", "kosmos-mastodon::nginx", "remotestorage_discourse::nginx", diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb index c3502d0..ed671eb 100644 --- a/roles/openresty_proxy.rb +++ b/roles/openresty_proxy.rb 
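Review bot: The first `server` block loses its `server_name <%= @server_name %>;` line — three lines are removed and only the two `listen` lines come back. Unless it is set further down in the block (outside the hunk), the block no longer matches the gateway host name, requests for that name fall to whatever server is the default for `listen_ip:443`, and this block itself answers only as a default server. Restoring `server_name <%= @server_name %>;` after the listen lines looks like the intent, since `@server_name` is still used for the log paths immediately below.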
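Review bot: In the second `server` block only the TLS branch is pinned to `listen_ip`; the `<% else -%>` fallback still renders `listen <%= @ipfs_external_api_port %>;`, a plaintext listener on every address of the host for the IPFS API port. If the no-certificate fallback is still wanted it should be bound the same way, `listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %><%= @ipfs_external_api_port %>;`, and arguably it can be dropped as the other templates in this series did now that `tls_cert_for` issues the certificate before the site is rendered.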
@@ -25,9 +25,6 @@ default_run_list = %w( kosmos_garage::firewall_rpc kosmos_garage::nginx_web kosmos-ejabberd::nginx - - kosmos-hubot::nginx_botka_irc-libera-chat - kosmos-hubot::nginx_hal8000_xmpp ) production_run_list = %w( @@ -42,6 +39,8 @@ production_run_list = %w( kosmos-akkounts::nginx kosmos-akkounts::nginx_api kosmos-bitcoin::nginx_lndhub + kosmos-hubot::nginx_botka_irc-libera-chat + kosmos-hubot::nginx_hal8000_xmpp kosmos-ipfs::nginx_public_gateway kosmos-mastodon::nginx remotestorage_discourse::nginx diff --git a/site-cookbooks/kosmos-hubot/metadata.rb b/site-cookbooks/kosmos-hubot/metadata.rb index 4867b00..f3be70f 100644 --- a/site-cookbooks/kosmos-hubot/metadata.rb +++ b/site-cookbooks/kosmos-hubot/metadata.rb @@ -9,6 +9,7 @@ version '0.2.0' depends 'kosmos-base' depends 'kosmos-nodejs' depends 'kosmos-ipfs' +depends 'kosmos_openresty' depends 'firewall' depends 'git' depends 'redisio' diff --git a/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb b/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb index df0ba8f..62470a9 100644 --- a/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb +++ b/site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb 
@@ -1,24 +1,17 @@ -include_recipe "kosmos-base::letsencrypt" -include_recipe "kosmos-nginx" - domain = "irc-libera-chat.botka.kosmos.chat" -nginx_certbot_site domain - upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"] -template "#{node['nginx']['dir']}/sites-available/#{domain}" do - source 'nginx_conf_hubot.erb' - owner node["nginx"]["user"] - mode 0640 +tls_cert_for domain do + auth "gandi_dns" + action :create +end + +openresty_site domain do + template 'nginx_conf_hubot.erb' variables express_port: node['botka_irc-libera-chat']['http_port'], server_name: domain, ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem", upstream_host: upstream_host - notifies :reload, 'service[nginx]', :delayed -end - -nginx_site domain do - action :enable end diff --git a/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb b/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb index 75f9d12..f6bc2b3 100644 --- a/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb +++ b/site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb 
@@ -1,24 +1,18 @@ -include_recipe "kosmos-base::letsencrypt" -include_recipe "kosmos-nginx" - app_name = "hal8000_xmpp" - -nginx_certbot_site node[app_name]['domain'] +domain = node[app_name]['domain'] upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"] -template "#{node['nginx']['dir']}/sites-available/#{node[app_name]['domain']}" do - source 'nginx_conf_hubot.erb' - owner node["nginx"]["user"] - mode 0640 +tls_cert_for domain do + auth "gandi_dns" + action :create +end + +openresty_site domain do + template 'nginx_conf_hubot.erb' variables express_port: node[app_name]['http_port'], server_name: node[app_name]['domain'], ssl_cert: "/etc/letsencrypt/live/#{node[app_name]['domain']}/fullchain.pem", ssl_key: "/etc/letsencrypt/live/#{node[app_name]['domain']}/privkey.pem", upstream_host: upstream_host - notifies :reload, 'service[nginx]', :delayed -end - -nginx_site node[app_name]['domain'] do - action :enable end diff --git a/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb b/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb index 3c8c426..7cfcb87 100644 --- a/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb +++ b/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb @@ -6,7 +6,7 @@ upstream _express_<%= @server_name.gsub(".", "_") %> { } server { - listen 443 ssl http2; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 ssl http2; server_name <%= @server_name %>; -- 2.25.1 From 53c35fda513b29ad2ba5a1532c58a57570ea40e6 Mon Sep 17 00:00:00 2001 
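Review bot: The new local `domain = node[app_name]['domain']` is used only by `tls_cert_for` and `openresty_site`; the `variables` lines below still read `node[app_name]['domain']` three times for `server_name`, `ssl_cert` and `ssl_key`. Use `domain` there too, e.g. `server_name: domain,` and `ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",`, matching the botka recipe in the same patch.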
From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Wed, 26 Jul 2023 16:42:48 +0200 Subject: [PATCH 18/30] Migrate garage proxies to openresty --- nodes/draco.kosmos.org.json | 9 +++++-- roles/openresty_proxy.rb | 5 ++-- site-cookbooks/kosmos_garage/metadata.rb | 1 + .../kosmos_garage/recipes/nginx_web.rb | 24 +++++++------------ .../templates/nginx_conf_web.erb | 2 +- 5 files changed, 20 insertions(+), 21 deletions(-) diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index 42117e3..01dc32d 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json @@ -27,7 +27,8 @@ "base", "kvm_host", "openresty_proxy", - "openresty" + "openresty", + "garage_gateway" ], "recipes": [ "kosmos-base", @@ -37,9 +38,13 @@ "kosmos_openresty", "kosmos_openresty::default", "kosmos_openresty::firewall", + "kosmos_garage", + "kosmos_garage::default", + "kosmos_garage::firewall_rpc", "kosmos_assets::nginx_site", "kosmos_discourse::nginx", "kosmos_drone::nginx", + "kosmos_garage::nginx_web", "kosmos_gitea::nginx", "kosmos_rsk::nginx_testnet", "kosmos_rsk::nginx_mainnet", @@ -83,10 +88,10 @@ "openresty::commons_conf", "logrotate::default", "openresty::luarocks", + "firewall::default", "git::default", "git::package", "kosmos-base::letsencrypt", - "firewall::default", "fail2ban::default" ], "platform": "ubuntu", diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb index ed671eb..8195e6e 100644 --- a/roles/openresty_proxy.rb +++ b/roles/openresty_proxy.rb @@ -21,17 +21,16 @@ development_run_list = %w( default_run_list = %w( role[openresty] tor-full - kosmos_garage::default - kosmos_garage::firewall_rpc - kosmos_garage::nginx_web kosmos-ejabberd::nginx ) production_run_list = %w( role[openresty] + role[garage_gateway] kosmos_assets::nginx_site kosmos_discourse::nginx kosmos_drone::nginx + kosmos_garage::nginx_web kosmos_gitea::nginx kosmos_rsk::nginx_testnet kosmos_rsk::nginx_mainnet 
diff --git a/site-cookbooks/kosmos_garage/metadata.rb b/site-cookbooks/kosmos_garage/metadata.rb index f1fde81..90a1ddb 100644 --- a/site-cookbooks/kosmos_garage/metadata.rb +++ b/site-cookbooks/kosmos_garage/metadata.rb @@ -9,3 +9,4 @@ issues_url 'https://gitea.kosmos.org/kosmos/chef/issues' source_url 'https://gitea.kosmos.org/kosmos/chef' depends 'firewall' +depends 'kosmos_openresty' diff --git a/site-cookbooks/kosmos_garage/recipes/nginx_web.rb b/site-cookbooks/kosmos_garage/recipes/nginx_web.rb index 9da8ab9..76ed235 100644 --- a/site-cookbooks/kosmos_garage/recipes/nginx_web.rb +++ b/site-cookbooks/kosmos_garage/recipes/nginx_web.rb @@ -3,9 +3,7 @@ # Recipe:: nginx_web # -include_recipe "kosmos-nginx" - -file "/etc/nginx/conf.d/garage.conf" do +file "/etc/openresty/conf.d/garage.conf" do content <<-EOF upstream garage_web { server localhost:3902; @@ -19,19 +17,15 @@ end domains = node['garage']['s3_web_domains'] domains.each do |server_name| - nginx_certbot_site server_name - - template "#{node['nginx']['dir']}/sites-available/#{server_name}" do - source 'nginx_conf_web.erb' - owner 'www-data' - mode 0640 - variables server_name: server_name, - ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem", - ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem" - notifies :reload, 'service[nginx]', :delayed + tls_cert_for server_name do + auth "gandi_dns" + action :create end - nginx_site server_name do - action :enable + openresty_site server_name do + template "nginx_conf_web.erb" + variables server_name: server_name, + ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem" end end diff --git a/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb b/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb index c925887..49e219c 100644 --- a/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb +++ b/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb 
@@ -1,5 +1,5 @@ server { - listen 443 http2 ssl; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen [::]:443 http2 ssl; server_name <%= @server_name %>; -- 2.25.1 From b1492649191ee801f4a61aa290d0b4c2fa98d7d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Sat, 29 Jul 2023 14:30:46 +0200 Subject: [PATCH 19/30] Use paths from node attributes --- site-cookbooks/kosmos_garage/recipes/nginx_web.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/site-cookbooks/kosmos_garage/recipes/nginx_web.rb b/site-cookbooks/kosmos_garage/recipes/nginx_web.rb index 76ed235..ed8884c 100644 --- a/site-cookbooks/kosmos_garage/recipes/nginx_web.rb +++ b/site-cookbooks/kosmos_garage/recipes/nginx_web.rb @@ -3,13 +3,14 @@ # Recipe:: nginx_web # -file "/etc/openresty/conf.d/garage.conf" do +file "#{node['openresty']['dir']}/conf.d/garage.conf" do content <<-EOF upstream garage_web { server localhost:3902; } -proxy_cache_path /var/cache/nginx/garage levels=1:2 keys_zone=garage_cache:10m +proxy_cache_path #{node['openresty']['cache_dir']}/garage + levels=1:2 keys_zone=garage_cache:10m max_size=1g inactive=60m use_temp_path=off; EOF end -- 2.25.1 From cb0fc27134bbf80669095eb35c35b1fdb615513f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Sat, 29 Jul 2023 16:26:20 +0200 Subject: [PATCH 20/30] Refactor tor usage, set up new tor proxy on draco --- data_bags/credentials/tor.json | 10 ++++ nodes/draco.kosmos.org.json | 6 ++- roles/openresty_proxy.rb | 2 +- roles/tor_proxy.rb | 6 +++ .../kosmos-base/recipes/tor_services.rb | 13 +++++ .../kosmos-base/resources/tor_service.rb | 52 +++++++++++++++++++ site-cookbooks/kosmos-mastodon/metadata.rb | 1 - .../kosmos-mastodon/recipes/nginx.rb | 3 +- .../templates/default/nginx_conf_mastodon.erb | 4 +- 9 files changed, 91 insertions(+), 6 deletions(-) create mode 100644 data_bags/credentials/tor.json create mode 100644 roles/tor_proxy.rb create mode 100644 site-cookbooks/kosmos-base/recipes/tor_services.rb create mode 100644 site-cookbooks/kosmos-base/resources/tor_service.rb diff --git a/data_bags/credentials/tor.json b/data_bags/credentials/tor.json new file mode 100644 index 0000000..d9ef877 --- /dev/null +++ b/data_bags/credentials/tor.json @@ -0,0 +1,10 @@ +{ + "id": "tor", + "services": { + "encrypted_data": "GjdhL4Hgm7mrwU47e2GfotqgRSuiN+0Q19X45EWkdwbIojDfeWXwzOYFFJQK\nAWidVWKM0rdjBXkamZwbJJm8wzDi+1YFBSfE/q4NXY3Zg4JnBulMaBr4xrRn\nYbmSiRIPe0XMpwT3WbuBatZTe6EMGJJEZPgkfIcg7WjhjEnFY9xRSjrOSJGp\nBzcL1cKc+y2JyQZlpKtFK947g15EEytHWg3BdwkIvm4H+J8faM2y56lsfX8E\nG1dw9i3CKqjF2hDKe2V9yIOBji1P2Nh0Z7e3kLGhF5Nx4xfEdCHXAOQ/+vyt\nJf3pka0VQ9TsnWlkR+9CwtD9iLTnNOvO9wfHx0GuVRaR6QhMYDF2gd/9G8Zp\nQDlfJSEioETnwLwcPV7eBZ+Vso+N56J+fHHlGK3vEZSxegqNU2siLl26yZe+\nTrhKbiynLoM1290RgTNjsvMSaVLQobB5Fwpn+B01vvbIGGZ9XZWAvuCi8GmR\n", + "iv": "rj5lIBWPovDtMtnh\n", + "auth_tag": "2K55wQOY6FAWpKgskMx7xw==\n", + "version": 3, + "cipher": "aes-256-gcm" + } +} \ No newline at end of file diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index 01dc32d..ac1ee25 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json 
@@ -28,7 +28,8 @@ "kvm_host", "openresty_proxy", "openresty", - "garage_gateway" + "garage_gateway", + "tor_proxy" ], "recipes": [ "kosmos-base", @@ -58,6 +59,9 @@ "kosmos-ipfs::nginx_public_gateway", "kosmos-mastodon::nginx", "remotestorage_discourse::nginx", + "kosmos-base::tor_services", + "tor-full", + "tor-full::default", "kosmos_encfs", "kosmos_encfs::default", "kosmos-ejabberd::firewall", diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb index 8195e6e..f9f5a7d 100644 --- a/roles/openresty_proxy.rb +++ b/roles/openresty_proxy.rb @@ -20,7 +20,6 @@ development_run_list = %w( default_run_list = %w( role[openresty] - tor-full kosmos-ejabberd::nginx ) @@ -43,6 +42,7 @@ production_run_list = %w( kosmos-ipfs::nginx_public_gateway kosmos-mastodon::nginx remotestorage_discourse::nginx + role[tor_proxy] ) env_run_lists( diff --git a/roles/tor_proxy.rb b/roles/tor_proxy.rb new file mode 100644 index 0000000..53acee6 --- /dev/null +++ b/roles/tor_proxy.rb @@ -0,0 +1,6 @@ +name "tor_proxy" + +run_list %w( + kosmos-base::tor_services + tor-full +) diff --git a/site-cookbooks/kosmos-base/recipes/tor_services.rb b/site-cookbooks/kosmos-base/recipes/tor_services.rb new file mode 100644 index 0000000..448d4de --- /dev/null +++ b/site-cookbooks/kosmos-base/recipes/tor_services.rb @@ -0,0 +1,13 @@ +# +# Cookbook Name:: kosmos-base +# Recipe:: tor_services +# + +tor_services = data_bag_item('credentials', 'tor')['services'] + +tor_service "web" do + hostname tor_services['web']['hostname'] + public_key tor_services['web']['public_key'] + secret_key tor_services['web']['secret_key'] + ports ['80 127.0.0.1:80', '443 127.0.0.1:443'] +end diff --git a/site-cookbooks/kosmos-base/resources/tor_service.rb b/site-cookbooks/kosmos-base/resources/tor_service.rb new file mode 100644 index 0000000..83cc032 --- /dev/null +++ b/site-cookbooks/kosmos-base/resources/tor_service.rb 
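Review bot: `secret_key tor_services['web']['secret_key']` passes the hidden service's private key to the `tor_service` resource without marking that resource `sensitive`, so when the action fails Chef prints the compiled resource, key included, into the run log; the `sensitive true` on the inner `file` resources protects the file content but not the outer resource's properties. Add `sensitive true` inside the `tor_service "web"` block — the same applies to the `tor_service "ejabberd"` block added later in this series. The lookups `tor_services['web'][...]` also assume the entry exists; `tor_services.fetch('web')` turns a missing data bag entry into a clear `KeyError` instead of a `NoMethodError` on nil.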
@@ -0,0 +1,52 @@
+require "base64"
+
+resource_name :tor_service
+provides :tor_service
+
+property :name, [String], name_property: true
+property :hostname, [String], required: true
+property :public_key, [String], required: true
+property :secret_key, [String], required: true
+property :ports, [Array], required: true
+
+default_action :create
+
+action :create do
+ name = new_resource.name
+ ports = Array(new_resource.ports)
+ service_dir = "#{node['tor']['DataDirectory']}/#{name}"
+ user = "debian-tor"
+ group = "debian-tor"
+
+ node.normal['tor']['HiddenServices'][name]['HiddenServicePorts'] = ports
+
+ directory service_dir do
+ recursive true
+ owner user
+ group group
+ mode '4700'
+ end
+
+ file "#{service_dir}/hostname" do
+ content new_resource.hostname
+ owner user
+ group group
+ mode '0600'
+ end
+
+ file "#{service_dir}/hs_ed25519_public_key" do
+ content Base64.decode64(new_resource.public_key)
+ owner user
+ group group
+ mode '0600'
+ sensitive true
+ end
+
+ file "#{service_dir}/hs_ed25519_secret_key" do
+ content Base64.decode64(new_resource.secret_key)
+ owner user
+ group group
+ mode '0600'
+ sensitive true
+ end
+end
diff --git a/site-cookbooks/kosmos-mastodon/metadata.rb b/site-cookbooks/kosmos-mastodon/metadata.rb
index c020afc..1f31d47 100644
--- a/site-cookbooks/kosmos-mastodon/metadata.rb
+++ b/site-cookbooks/kosmos-mastodon/metadata.rb
@@ -11,7 +11,6 @@ depends 'elasticsearch'
 depends 'java'
 depends 'firewall'
 depends 'redisio'
-depends 'tor-full'
 depends 'postgresql'
 depends 'kosmos-nodejs'
 depends 'kosmos_openresty'
diff --git a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
index f19e052..405be3a 100644
--- a/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/nginx.rb
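Review bot: `mode '4700'` on the `directory service_dir` resource sets the setuid bit (meaningless on a directory) on top of the owner-only permission tor expects for a hidden service directory; this almost certainly should read `mode '0700'`. `Base64.decode64` silently skips characters it cannot decode, so a truncated or mangled data bag value produces a garbled `hs_ed25519_*` file rather than an error — `Base64.strict_decode64`, which raises `ArgumentError` on malformed input, is the safer call for both key files. A short header comment stating that the key properties carry base64-encoded file contents and that the resource also registers the service under `node['tor']['HiddenServices']` for the torrc template would help the next reader.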
@@ -37,7 +37,8 @@ tls_cert_for server_name do action :create end -onion_address = File.read("/var/lib/tor/web/hostname").strip rescue nil rescue nil +tor_services = data_bag_item('credentials', 'tor')['services'] +onion_address = tor_services['web']['hostname'] openresty_site server_name do template 'nginx_conf_mastodon.erb' diff --git a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb index d3c45d8..11d23a3 100644 --- a/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb +++ b/site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb @@ -36,12 +36,12 @@ server { <% if @onion_address %> server { - listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80; + listen 127.0.0.1:80; server_name mastodon.<%= @onion_address %>; include <%= @shared_config_path %>; } server { - listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; + listen 127.0.0.1:443 ssl http2; server_name mastodon.<%= @onion_address %>; include <%= @shared_config_path %>; -- 2.25.1 From 27bdc1f60d866fec504a380a38d7fc10eccb8bb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Sun, 30 Jul 2023 12:34:21 +0200 Subject: [PATCH 21/30] Update openresty cookbook --- site-cookbooks/openresty | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/openresty b/site-cookbooks/openresty index d031d59..fd3e5b0 160000 --- a/site-cookbooks/openresty +++ b/site-cookbooks/openresty @@ -1 +1 @@ -Subproject commit d031d59fdecff4ee23457d32e8f658c22aa21773 +Subproject commit fd3e5b06abaeac5a12a1f82dc830536b3f8e62d7 -- 2.25.1 From 438ee4ace04ad594d19c5109b4bb2b3b8ec031c3 Mon Sep 17 00:00:00 2001 
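Review bot: Reading the onion hostname via `data_bag_item('credentials', 'tor')['services']` decrypts the whole tor data bag, `secret_key` material included, inside a recipe that only needs a public hostname, and it replaces a lookup that tolerated absence with one that raises when the bag or the `web` entry is missing, so the `<% if @onion_address %>` guard in the template becomes unreachable in environments without tor. The `tor-full` recipe already records the generated hostname in `node['tor']['HiddenServices'][name]['hostname']`; reading that attribute (subject to recipe ordering) or a separate, unencrypted bag that holds only hostnames keeps private keys out of this recipe and yields a natural nil when no hidden service is configured.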
From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Sun, 30 Jul 2023 12:35:21 +0200 Subject: [PATCH 22/30] Migrate Gitea SSH stream to openresty --- nodes/draco.kosmos.org.json | 1 + nodes/fornax.kosmos.org.json | 1 - roles/openresty_proxy.rb | 1 + .../kosmos_gitea/recipes/nginx_ssh.rb | 17 ++++++++--------- .../templates/default/nginx_conf_ssh.erb | 2 +- 5 files changed, 11 insertions(+), 11 deletions(-) diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index ac1ee25..c2432b1 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json @@ -47,6 +47,7 @@ "kosmos_drone::nginx", "kosmos_garage::nginx_web", "kosmos_gitea::nginx", + "kosmos_gitea::nginx_ssh", "kosmos_rsk::nginx_testnet", "kosmos_rsk::nginx_mainnet", "kosmos_website", diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json index 5d6222f..f648554 100644 --- a/nodes/fornax.kosmos.org.json +++ b/nodes/fornax.kosmos.org.json @@ -102,7 +102,6 @@ "role[base]", "role[kvm_host]", "role[nginx_proxy]", - "kosmos_gitea::nginx_ssh", "role[zerotier_controller]" ] } diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb index f9f5a7d..e731403 100644 --- a/roles/openresty_proxy.rb +++ b/roles/openresty_proxy.rb @@ -31,6 +31,7 @@ production_run_list = %w( kosmos_drone::nginx kosmos_garage::nginx_web kosmos_gitea::nginx + kosmos_gitea::nginx_ssh kosmos_rsk::nginx_testnet kosmos_rsk::nginx_mainnet kosmos_website::default diff --git a/site-cookbooks/kosmos_gitea/recipes/nginx_ssh.rb b/site-cookbooks/kosmos_gitea/recipes/nginx_ssh.rb index 16f8e7a..cdc3f5d 100644 --- a/site-cookbooks/kosmos_gitea/recipes/nginx_ssh.rb +++ b/site-cookbooks/kosmos_gitea/recipes/nginx_ssh.rb 
@@ -3,16 +3,15 @@ # Recipe:: nginx_ssh # -template "#{node['nginx']['dir']}/streams-available/ssh" do - source "nginx_conf_ssh.erb" - owner 'www-data' - mode 0640 - variables domain: domain, - upstream_host: upstream_ip_address - - notifies :reload, 'service[nginx]', :delayed +begin + upstream_ip_address = search(:node, "role:gitea").first["knife_zero"]["host"] +rescue + Chef::Log.warn('No server with "gitea" role. Stopping here.') + return end -nginx_stream "ssh" do +openresty_stream "ssh" do + template "nginx_conf_ssh.erb" + variables upstream_host: upstream_ip_address action :enable end diff --git a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb index 085f7ff..9a84533 100644 --- a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb +++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_ssh.erb @@ -3,6 +3,6 @@ upstream _gitea_ssh { } server { - listen 148.251.83.201:22; + listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>22; proxy_pass _gitea_ssh; } -- 2.25.1 From 68b56789c59adb5453a9adf1decadd36a8f7e47d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Sun, 30 Jul 2023 12:36:14 +0200 Subject: [PATCH 23/30] Migrate ejabberd UDP streams to openresty And remove the other streams in the process, in favor of running haproxy on all LBs. --- nodes/draco.kosmos.org.json | 1 + roles/openresty_proxy.rb | 2 +- .../kosmos-ejabberd/recipes/nginx.rb | 17 +----- .../templates/nginx_conf_streams.erb | 56 +------------------ 4 files changed, 6 insertions(+), 70 deletions(-) diff --git a/nodes/draco.kosmos.org.json b/nodes/draco.kosmos.org.json index c2432b1..0116bb3 100644 --- a/nodes/draco.kosmos.org.json +++ b/nodes/draco.kosmos.org.json 
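Review bot: The bare `rescue` around `search(:node, "role:gitea").first["knife_zero"]["host"]` catches every StandardError, so a search backend failure or a gitea node lacking the `knife_zero` attribute is reported as 'No server with "gitea" role' and the recipe silently returns, leaving the existing SSH stream unmanaged. Test the result instead of rescuing: `gitea_node = search(:node, "role:gitea").first`, then `if gitea_node.nil?` log the warning and `return`, and let a missing attribute raise on its own. `Chef::Log.warn` should also name the recipe, since "Stopping here." gives the operator nothing to search for in the run log.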
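Review bot: `listen <%= ... %>22;` falls back to binding port 22 on every address when `node['openresty']['listen_ip']` is unset, which collides with the host's own sshd if it listens on port 22 and, depending on which service starts first, could lock operators out of the proxy host; the line it replaces was pinned to one address and had no such fallback. Either make the attribute mandatory for this template (fail the Chef run when it is nil, e.g. `<% raise "openresty.listen_ip is required for the SSH stream" unless node['openresty']['listen_ip'] %>`) or guard the stream resource in the recipe.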
@@ -45,6 +45,7 @@ "kosmos_assets::nginx_site", "kosmos_discourse::nginx", "kosmos_drone::nginx", + "kosmos-ejabberd::nginx", "kosmos_garage::nginx_web", "kosmos_gitea::nginx", "kosmos_gitea::nginx_ssh", diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb index e731403..a3107f4 100644 --- a/roles/openresty_proxy.rb +++ b/roles/openresty_proxy.rb @@ -20,7 +20,6 @@ development_run_list = %w( default_run_list = %w( role[openresty] - kosmos-ejabberd::nginx ) production_run_list = %w( @@ -29,6 +28,7 @@ production_run_list = %w( kosmos_assets::nginx_site kosmos_discourse::nginx kosmos_drone::nginx + kosmos-ejabberd::nginx kosmos_garage::nginx_web kosmos_gitea::nginx kosmos_gitea::nginx_ssh diff --git a/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb b/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb index 328985c..6189c36 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb @@ -17,28 +17,15 @@ rescue IPAddr::InvalidAddressError next end -template "#{node['nginx']['dir']}/streams-available/ejabberd" do - source "nginx_conf_streams.erb" - owner 'www-data' - mode 0640 - # variables ejabberd_hosts: ejabberd_hosts +openresty_stream "ejabberd" do + template "nginx_conf_streams.erb" variables ejabberd_hosts: ["10.1.1.113"], stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"], turn_min_port: node["kosmos-ejabberd"]["turn_min_port"], turn_max_port: node["kosmos-ejabberd"]["turn_max_port"] - notifies :reload, 'service[nginx]', :delayed -end - -nginx_stream "ejabberd" do action :enable end -firewall_rule "ejabberd" do - port [5222, 5223, 5269, 5443] - protocol :tcp - command :allow -end - firewall_rule 'ejabberd_stun_turn' do port node["kosmos-ejabberd"]["stun_turn_port"] protocol :udp diff --git a/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_streams.erb b/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_streams.erb index 1b200dc..52ac7ee 100644 
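Review bot: `variables ejabberd_hosts: ["10.1.1.113"]` hard-codes the backend, while the loop above the hunk (ending in `rescue IPAddr::InvalidAddressError next end`) appears to compute a host list that the new resource never uses, as the removed `# variables ejabberd_hosts: ejabberd_hosts` line suggests it once did. Either pass that list or delete the now-dead loop, and move the address into a node attribute next to the `stun_turn_port`/`turn_*_port` ones so the recipe is not tied to one host. Dropping `firewall_rule "ejabberd"` is consistent with removing the TCP streams, but confirm the haproxy setup mentioned in the commit message opens 5222/5223/5269 itself, since nothing in this patch does.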
--- a/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_streams.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_streams.erb @@ -5,34 +5,6 @@ log_format proxy '$remote_addr [$time_local] ' access_log /var/log/nginx/streams.log proxy buffer=32k flush=1m; -upstream ejabberd_c2s { - hash $remote_addr consistent; -<% @ejabberd_hosts.each do |ip_address| %> - server <%= ip_address %>:5222; -<% end %> -} - -upstream ejabberd_c2s_tls { - hash $remote_addr consistent; -<% @ejabberd_hosts.each do |ip_address| %> - server <%= ip_address %>:5223; -<% end %> -} - -upstream ejabberd_s2s { - hash $remote_addr consistent; -<% @ejabberd_hosts.each do |ip_address| %> - server <%= ip_address %>:5269; -<% end %> -} - -upstream ejabberd_https { - hash $remote_addr consistent; -<% @ejabberd_hosts.each do |ip_address| %> - server <%= ip_address %>:5443; -<% end %> -} - upstream ejabberd_stun_turn { hash $remote_addr consistent; <% @ejabberd_hosts.each do |ip_address| %> @@ -50,36 +22,12 @@ upstream ejabberd_turn { } server { - listen 5222; - proxy_protocol on; - proxy_pass ejabberd_c2s; -} - -server { - listen 5223; - proxy_protocol on; - proxy_pass ejabberd_c2s; -} - -server { - listen 5269; - proxy_protocol on; - proxy_pass ejabberd_s2s; -} - -server { - listen 5443; - proxy_protocol on; - proxy_pass ejabberd_https; -} - -server { - listen <%= @stun_turn_port %> udp; + listen <%= @stun_turn_port %> udp; proxy_pass ejabberd_stun_turn; } server { - listen <%= "#{@turn_min_port}-#{@turn_max_port}" %> udp; + listen <%= "#{@turn_min_port}-#{@turn_max_port}" %> udp; proxy_pass 10.1.1.113:$server_port; #proxy_pass ejabberd_turn; } -- 2.25.1 From 0f12a54eab89da8766bdb27b0308bca77c076d99 Mon Sep 17 00:00:00 2001 
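Review bot: `proxy_pass 10.1.1.113:$server_port;` in the TURN relay `server` block hard-codes a single backend while the `upstream ejabberd_turn` defined above it goes unused (the `#proxy_pass ejabberd_turn;` line is kept beside it). If per-port forwarding is why the upstream cannot be used, a comment saying so belongs next to the line; otherwise use the upstream so the backend comes from `@ejabberd_hosts` like the STUN block. The `access_log /var/log/nginx/streams.log` context line still points at the nginx log directory although the stream is now rendered by openresty — confirm that directory exists on those hosts, or the config test will fail on the missing log path.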
From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Sun, 30 Jul 2023 12:39:41 +0200 Subject: [PATCH 24/30] Refactor tor usage entirely Use a custom resource and separate recipe for service configs with pre-set keys and hostnames --- data_bags/credentials/tor.json | 6 +++--- roles/openresty_proxy.rb | 7 ------- site-cookbooks/kosmos-base/recipes/tor_services.rb | 11 +++++++++++ site-cookbooks/kosmos-base/resources/tor_service.rb | 4 ++-- site-cookbooks/kosmos-ejabberd/attributes/default.rb | 8 -------- site-cookbooks/kosmos-ejabberd/recipes/default.rb | 7 ------- site-cookbooks/tor-full/recipes/default.rb | 6 +----- site-cookbooks/tor-full/templates/default/torrc.erb | 2 +- 8 files changed, 18 insertions(+), 33 deletions(-) diff --git a/data_bags/credentials/tor.json b/data_bags/credentials/tor.json index d9ef877..d4ddf42 100644 --- a/data_bags/credentials/tor.json +++ b/data_bags/credentials/tor.json 
@@ -1,9 +1,9 @@ { "id": "tor", "services": { - "encrypted_data": "GjdhL4Hgm7mrwU47e2GfotqgRSuiN+0Q19X45EWkdwbIojDfeWXwzOYFFJQK\nAWidVWKM0rdjBXkamZwbJJm8wzDi+1YFBSfE/q4NXY3Zg4JnBulMaBr4xrRn\nYbmSiRIPe0XMpwT3WbuBatZTe6EMGJJEZPgkfIcg7WjhjEnFY9xRSjrOSJGp\nBzcL1cKc+y2JyQZlpKtFK947g15EEytHWg3BdwkIvm4H+J8faM2y56lsfX8E\nG1dw9i3CKqjF2hDKe2V9yIOBji1P2Nh0Z7e3kLGhF5Nx4xfEdCHXAOQ/+vyt\nJf3pka0VQ9TsnWlkR+9CwtD9iLTnNOvO9wfHx0GuVRaR6QhMYDF2gd/9G8Zp\nQDlfJSEioETnwLwcPV7eBZ+Vso+N56J+fHHlGK3vEZSxegqNU2siLl26yZe+\nTrhKbiynLoM1290RgTNjsvMSaVLQobB5Fwpn+B01vvbIGGZ9XZWAvuCi8GmR\n", - "iv": "rj5lIBWPovDtMtnh\n", - "auth_tag": "2K55wQOY6FAWpKgskMx7xw==\n", + "encrypted_data": "CvvJlXfs1KhAveBJ/IdTGa19F/bREnr7DCCuw3CiZ8D04gdn4Yw6WbGwvqhR\nahv5hUvvHTQS/YUxdXE3joTp9MyZ3DK5PbR8sOCWVfylG9YYOJD8nUhxQLA9\nMKU75j5v1K2pAZ4qLkG9HNUPWV4SYWgGY5ok9GzlhCd/g0NGaqZBFyARDxLu\n+diFg9bz2FfELfcgz0m9abbCZDKJkEozVyU+VgXMge0hU52GUrlQnYZe/c43\ngBavOScolmwv7ej7mKmpJMRvNXNSx1avjS/8tQP68KZGBTEbUYisRHKVKWpA\ngBZR/5oGlcn3gLt25xTWRv/GaH+pUfqwKCpjd1vhpEqhK7poDXQUm9mDB3bG\nzLQUwPhJ8gmD9nl+8t3fmKiPPFdaKapOtSpsCTutkzlmGwwo3bhQsYjcD+5U\nqDoHR5UjDwADszjUiRV3/iNHojXCEic0u1RFCNsojYNwP718grVnUcx+U/50\n5A2vgahLG89tmY7DN2padd0xgHM8SkZVGga8DGQNWAPzo12DEJWbtcIwR6gd\nbyOwdPDVvUibBhyGMbBwyfzoFMsS//fulq4xJpoQH1yd9Hd/05YlMJSuP2TW\nLpVBTq5rEA4EAVIVgTMfkkP2nHAeEeCfLkaV8fURKTonaX0g8b5vcPzkpv0F\nVPNeGEBs3tRaIe0dm5eN21HD2lpHyiSKOZwidQH/NAZWB/IK73LGExjd+GnP\ndnqGBQ1wWsYGaM/UQTxbCn+p0QDlJVUWKGgfimjn5ru7le3dZmkCyAB28gLz\nJgXoAAZz3+E+nhdnLeBKkVTLFGzZyNxMlSt33T1QlpCSgCMvzF9kVmzmoexm\nvEtsZrWHvIHN9EVVCC8KgkGyTkmFnTM48BGyGM2ovjLYsOeeef5tqUd6noBi\nJxfYbUIySXtuSXr7pIAE1+Qzp8duRdjaJ0CYbYWf\n", + "iv": "qtzvl79A/PZc5JjE\n", + "auth_tag": "QXY8QZigLC4nVMIELoZRUA==\n", "version": 3, "cipher": "aes-256-gcm" } diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb index a3107f4..083ce41 100644 --- a/roles/openresty_proxy.rb +++ b/roles/openresty_proxy.rb 
@@ -4,13 +4,6 @@ override_attributes( 'openresty' => { 'server_names_hash_bucket_size' => 128 }, - 'tor' => { - 'HiddenServices' => { - 'web' => { - 'HiddenServicePorts' => ['80 127.0.0.1:80', '443 127.0.0.1:443'] - } - } - } ) development_run_list = %w( diff --git a/site-cookbooks/kosmos-base/recipes/tor_services.rb b/site-cookbooks/kosmos-base/recipes/tor_services.rb index 448d4de..3b0d841 100644 --- a/site-cookbooks/kosmos-base/recipes/tor_services.rb +++ b/site-cookbooks/kosmos-base/recipes/tor_services.rb @@ -5,6 +5,17 @@ tor_services = data_bag_item('credentials', 'tor')['services'] +tor_service "ejabberd" do + hostname tor_services['ejabberd']['hostname'] + public_key tor_services['ejabberd']['public_key'] + secret_key tor_services['ejabberd']['secret_key'] + # TODO configure IP from node attribute + # (This is hardcoded for draco atm) + ports [ "5222 148.251.237.73:5222", + "5223 148.251.237.73:5223", + "5269 148.251.237.73:5269" ] +end + tor_service "web" do hostname tor_services['web']['hostname'] public_key tor_services['web']['public_key'] diff --git a/site-cookbooks/kosmos-base/resources/tor_service.rb b/site-cookbooks/kosmos-base/resources/tor_service.rb index 83cc032..bd53c8b 100644 --- a/site-cookbooks/kosmos-base/resources/tor_service.rb +++ b/site-cookbooks/kosmos-base/resources/tor_service.rb @@ -5,8 +5,8 @@ provides :tor_service property :name, [String], name_property: true property :hostname, [String], required: true -property :public_key, [String], required: true -property :secret_key, [String], required: true +property :public_key, [String], required: true # base64 encoded content of generated key file +property :secret_key, [String], required: true # base64 encoded content of generated key file property :ports, [Array], required: true default_action :create diff --git a/site-cookbooks/kosmos-ejabberd/attributes/default.rb b/site-cookbooks/kosmos-ejabberd/attributes/default.rb index b0c9ecb..922a35e 100644 
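Review bot: The `ports` list for `tor_service "ejabberd"` forwards the onion service to `148.251.237.73`, the host's public address, rather than to loopback as the `web` service does, so every onion connection leaves the tor daemon over the public interface; and since patch 23 in this series removed the nginx TCP streams for 5222/5223/5269, something else (presumably the haproxy mentioned there) must be listening on that address for the service to work at all. The TODO acknowledges the hard-coding, but this recipe runs on every node carrying the `tor_proxy` role, so any second such node would point its ejabberd onion at draco; derive the target from a node attribute (for example `node['openresty']['listen_ip']`, if that is the intended address) before this is applied elsewhere.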
--- a/site-cookbooks/kosmos-ejabberd/attributes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/attributes/default.rb @@ -6,14 +6,6 @@ node.default["kosmos-ejabberd"]["stun_turn_port"] = 3478 node.default["kosmos-ejabberd"]["turn_min_port"] = 50000 node.default["kosmos-ejabberd"]["turn_max_port"] = 50050 -node.override["tor"]["HiddenServices"]["ejabberd"] = { - "HiddenServicePorts" => [ - "5222 127.0.0.1:5222", - "5223 127.0.0.1:5223", - "5269 127.0.0.1:5269" - ] -} - node.default["kosmos-ejabberd"]["uploads"] = { "domain" => "uploads.kosmos.chat", "max_upload_size_mb" => "100", diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index 7a6e588..5468f52 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb @@ -205,10 +205,3 @@ firewall_rule 'ejabberd_http' do protocol :tcp command :allow end - -# -# Tor hidden service -# -# The attributes for the hidden service are set in attributes/default.rb, due -# to the way the tor-full cookbook builds the path to the hidden service dir -include_recipe "tor-full" diff --git a/site-cookbooks/tor-full/recipes/default.rb b/site-cookbooks/tor-full/recipes/default.rb index c8e7110..a16d021 100644 --- a/site-cookbooks/tor-full/recipes/default.rb +++ b/site-cookbooks/tor-full/recipes/default.rb @@ -85,7 +85,7 @@ ruby_block "read-hostnames" do block do # Set generated hostname for hidden services node['tor']['HiddenServices'].each do |name, service| - path = File.join(service['HiddenServiceDir'], "/hostname") + path = "/var/lib/tor/#{name}/hostname" node.normal['tor']['HiddenServices'][name]['hostname'] = File.read(path).strip() end end 
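Review bot: `path = "/var/lib/tor/#{name}/hostname"` hard-codes the tor data directory while the torrc template writes `DataDirectory <%= node['tor']['DataDirectory'] %>` and the new `tor_service` resource places its keys under `node['tor']['DataDirectory']`; if that attribute is ever set to anything but `/var/lib/tor`, this read and the `HiddenServiceDir /var/lib/tor/<%= name %>/` line added to `torrc.erb` in this patch diverge from where the keys were written. Use `path = "#{node['tor']['DataDirectory']}/#{name}/hostname"` here and `HiddenServiceDir <%= node['tor']['DataDirectory'] %>/<%= name %>/` in the template. The enclosing `ruby_block "read-hostnames"` starts outside this hunk.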
@@ -96,10 +96,6 @@ template '/etc/tor/torrc' do source 'torrc.erb' notifies :restart, 'service[tor]', :immediately notifies :run, "ruby_block[read-hostnames]" - # Set default HiddenServiceDir - node['tor']['HiddenServices'].each do |name, service| - node.default['tor']['HiddenServices'][name]['HiddenServiceDir'] = File.join("/var/lib/tor/", name, "/") - end end # Install exit policy notice diff --git a/site-cookbooks/tor-full/templates/default/torrc.erb b/site-cookbooks/tor-full/templates/default/torrc.erb index ca07818..1a7c033 100644 --- a/site-cookbooks/tor-full/templates/default/torrc.erb +++ b/site-cookbooks/tor-full/templates/default/torrc.erb @@ -88,7 +88,7 @@ DataDirectory <%= node['tor']['DataDirectory'] %> #HiddenServicePort 22 127.0.0.1:22 <% node['tor']['HiddenServices'].each do |name, service| -%> -HiddenServiceDir <%= service['HiddenServiceDir'] %> +HiddenServiceDir /var/lib/tor/<%= name %>/ <% service['HiddenServicePorts'].each do |port| -%> HiddenServicePort <%= port %> <% end -%> -- 2.25.1 From 7f2805831cae8bd0795f741745d5f4ded83d4ae4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Mon, 31 Jul 2023 15:07:18 +0200 Subject: [PATCH 25/30] Remove obsolete cookbook --- site-cookbooks/kosmos-parity/CHANGELOG.md | 4 - site-cookbooks/kosmos-parity/LICENSE | 20 --- site-cookbooks/kosmos-parity/README.md | 52 ------- .../kosmos-parity/attributes/default.rb | 7 - site-cookbooks/kosmos-parity/metadata.rb | 14 -- .../kosmos-parity/recipes/backup.rb | 6 - .../recipes/create_package_from_github.rb | 86 ----------- .../kosmos-parity/recipes/default.rb | 42 ------ .../kosmos-parity/recipes/from_package.rb | 46 ------ .../kosmos-parity/recipes/node_dev.rb | 75 ---------- .../kosmos-parity/recipes/node_mainnet.rb | 74 ---------- .../kosmos-parity/recipes/node_testnet.rb | 75 ---------- site-cookbooks/kosmos-parity/recipes/user.rb | 37 ----- .../kosmos-parity/resources/node.rb | 136 ------------------ .../templates/default/chain-config.json.erb | 34 ----- .../templates/default/nginx_conf_parity.erb | 30 ---- .../default/parity.systemd.service.erb | 11 -- 17 files changed, 749 deletions(-) delete mode 100644 site-cookbooks/kosmos-parity/CHANGELOG.md delete mode 100644 site-cookbooks/kosmos-parity/LICENSE delete mode 100644 site-cookbooks/kosmos-parity/README.md delete mode 100644 site-cookbooks/kosmos-parity/attributes/default.rb delete mode 100644 site-cookbooks/kosmos-parity/metadata.rb delete mode 100644 site-cookbooks/kosmos-parity/recipes/backup.rb delete mode 100644 site-cookbooks/kosmos-parity/recipes/create_package_from_github.rb delete mode 100644 site-cookbooks/kosmos-parity/recipes/default.rb delete mode 100644 site-cookbooks/kosmos-parity/recipes/from_package.rb delete mode 100644 site-cookbooks/kosmos-parity/recipes/node_dev.rb delete mode 100644 site-cookbooks/kosmos-parity/recipes/node_mainnet.rb delete mode 100644 site-cookbooks/kosmos-parity/recipes/node_testnet.rb delete mode 100644 site-cookbooks/kosmos-parity/recipes/user.rb delete mode 100644 site-cookbooks/kosmos-parity/resources/node.rb delete mode 
100644 site-cookbooks/kosmos-parity/templates/default/chain-config.json.erb delete mode 100644 site-cookbooks/kosmos-parity/templates/default/nginx_conf_parity.erb delete mode 100644 site-cookbooks/kosmos-parity/templates/default/parity.systemd.service.erb diff --git a/site-cookbooks/kosmos-parity/CHANGELOG.md b/site-cookbooks/kosmos-parity/CHANGELOG.md deleted file mode 100644 index 2d37a6a..0000000 --- a/site-cookbooks/kosmos-parity/CHANGELOG.md +++ /dev/null @@ -1,4 +0,0 @@ -# kosmos-parity CHANGELOG - -## 0.1.0 -- [Greg Karékinian] - Initial release of kosmos-parity diff --git a/site-cookbooks/kosmos-parity/LICENSE b/site-cookbooks/kosmos-parity/LICENSE deleted file mode 100644 index f3b5d1c..0000000 --- a/site-cookbooks/kosmos-parity/LICENSE +++ /dev/null @@ -1,20 +0,0 @@ -Copyright (c) 2019 Kosmos Developers - -Permission is hereby granted, free of charge, to any person obtaining -a copy of this software and associated documentation files (the -"Software"), to deal in the Software without restriction, including -without limitation the rights to use, copy, modify, merge, publish, -distribute, sublicense, and/or sell copies of the Software, and to -permit persons to whom the Software is furnished to do so, subject to -the following conditions: - -The above copyright notice and this permission notice shall be -included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE -LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION -OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION -WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
diff --git a/site-cookbooks/kosmos-parity/README.md b/site-cookbooks/kosmos-parity/README.md deleted file mode 100644 index a304316..0000000 --- a/site-cookbooks/kosmos-parity/README.md +++ /dev/null @@ -1,52 +0,0 @@ -# kosmos-parity Cookbook - -This cookbook installs [Parity](https://parity.io/) nodes - -## Requirements - -### Platforms - -- Ubuntu - -### Chef - -- Chef 12.1 or later - -## Attributes - -### kosmos-parity::default - - - - - - - - - - - - - - -
KeyTypeDescriptionDefault
['kosmos-parity']['home_path']StringThe parity user's home path/home/parity
- -## Usage - -### kosmos-parity::default - -### kosmos-parity::node_dev - -Sets up a parity node running on the dev chain on port 8545 (behind nginx, with -HTTPS) - -### kosmos-parity::node_testnet - -Sets up a parity node running on the testnet chain on port 8546 (behind nginx, -with HTTPS) - -## License and Authors - -Authors: - -* Greg Karékinian diff --git a/site-cookbooks/kosmos-parity/attributes/default.rb b/site-cookbooks/kosmos-parity/attributes/default.rb deleted file mode 100644 index 1be87e1..0000000 --- a/site-cookbooks/kosmos-parity/attributes/default.rb +++ /dev/null @@ -1,7 +0,0 @@ -node.default['kosmos-parity']['home_path'] = "/home/parity" -node.default['kosmos-parity']['version'] = "1.6.6" -node.default['kosmos-parity']['package_checksum'] = '7fd51ded7a367774e62c965088ffd15ad0fa42251005d448eb700cbf5db8df24' -node.default['kosmos-parity']['package_version'] = '1.7.0' -node.default['kosmos-parity']['package_timestamp'] = '1493999009' -node.default['kosmos-parity']['debian_package_dir'] = Chef::Config[:file_cache_path] -node.default['kosmos-parity']['hostname'] = "parity.kosmos.org" diff --git a/site-cookbooks/kosmos-parity/metadata.rb b/site-cookbooks/kosmos-parity/metadata.rb deleted file mode 100644 index 83355da..0000000 --- a/site-cookbooks/kosmos-parity/metadata.rb +++ /dev/null @@ -1,14 +0,0 @@ -name 'kosmos-parity' -maintainer 'Kosmos' -maintainer_email 'mail@kosmos.org' -license 'MIT' -description 'Installs/Configures kosmos-parity' -long_description IO.read(File.join(File.dirname(__FILE__), 'README.md')) -version '0.1.0' - -gem 'toml' - -depends 'ark' -depends 'kosmos-nginx' -depends 'firewall' -depends 'backup' diff --git a/site-cookbooks/kosmos-parity/recipes/backup.rb b/site-cookbooks/kosmos-parity/recipes/backup.rb deleted file mode 100644 index 77782b1..0000000 --- a/site-cookbooks/kosmos-parity/recipes/backup.rb +++ /dev/null 
@@ -1,6 +0,0 @@ - -return if node.chef_environment == "development" - -# Backup the local directory -node.override["backup"]["archives"]["parity"] = ["#{node['kosmos-parity']['home_path']}/.local/share/io.parity.ethereum/**/keys"] -include_recipe "backup" diff --git a/site-cookbooks/kosmos-parity/recipes/create_package_from_github.rb b/site-cookbooks/kosmos-parity/recipes/create_package_from_github.rb deleted file mode 100644 index b99cdd4..0000000 --- a/site-cookbooks/kosmos-parity/recipes/create_package_from_github.rb +++ /dev/null 
@@ -1,86 +0,0 @@ -# -# Cookbook Name:: kosmos-parity -# Recipe:: create_package_from_github -# -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. 
- -include_recipe 'kosmos-parity::user' -build_essential 'kosmos-parity' -package %w(git libssl-dev pkg-config libudev-dev) -gem_package 'fpm' do - version '1.8.1' -end - -rust_version = '1.17.0' -architecture = node['kernel']['machine'] -rust_canonical_basename = "rust-#{rust_version}-#{architecture}-unknown-linux-gnu" -rust_path = "/usr/local/rust_#{rust_version}" - -url = "https://static.rust-lang.org/dist/#{rust_canonical_basename}.tar.gz" - -ark "rust_#{rust_version}" do - url url - path "/usr/local" - action :put - notifies :run, "execute[install rust]", :immediately -end - -execute "install rust" do - command "./install.sh" - cwd "#{rust_path}" - action :nothing -end - -parity_revision = "0d8920347a72fc50e82b540855eba94c8bbb2c0f" - -git "/home/parity/parity" do - repository "https://github.com/paritytech/parity.git" - revision parity_revision - user "parity" - group "parity" - notifies :run, "execute[build parity]", :immediately -end - -execute "build parity" do - cwd "/home/parity/parity" - environment "HOME" => "/home/parity" - command "cargo build --release" - action :nothing - user "parity" - group "parity" - notifies :run, "execute[copy parity]", :immediately -end - -execute "copy parity" do - command "cp /home/parity/parity/target/release/parity /usr/bin/" - action :run - notifies :run, "execute[create package]", :immediately -end - -timestamp = Time.now.strftime('%s') -parity_version = node['kosmos-parity']['package_version'] -execute "create package" do - cwd node['kosmos-parity']['debian_package_dir'] - command "fpm -s dir -t deb -n parity -v #{parity_version}-#{timestamp} -p parity_#{parity_version}-#{timestamp}.deb /usr/bin/parity" - action :nothing -end diff --git a/site-cookbooks/kosmos-parity/recipes/default.rb b/site-cookbooks/kosmos-parity/recipes/default.rb deleted file mode 100644 index fd3b1ff..0000000 --- a/site-cookbooks/kosmos-parity/recipes/default.rb +++ /dev/null 
@@ -1,42 +0,0 @@ -# -# Cookbook Name:: kosmos-parity -# Recipe:: default -# -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. - -include_recipe 'kosmos-parity::user' - -parity_version = node['kosmos-parity']['version'] -parity_package_path = "#{Chef::Config[:file_cache_path]}/parity_#{parity_version}_amd64.deb" -remote_file parity_package_path do - source "https://d1h4xl4cr1h0mo.cloudfront.net/v#{parity_version}/x86_64-unknown-linux-gnu/parity_#{parity_version}_amd64.deb" - checksum node['kosmos-parity']['checksum'] - mode 0750 - notifies :install, "dpkg_package[parity]", :immediately -end - -dpkg_package "parity" do - source parity_package_path -end - -include_recipe "kosmos-parity::backup" diff --git a/site-cookbooks/kosmos-parity/recipes/from_package.rb b/site-cookbooks/kosmos-parity/recipes/from_package.rb deleted file mode 100644 index 0b7faa4..0000000 
--- a/site-cookbooks/kosmos-parity/recipes/from_package.rb +++ /dev/null @@ -1,46 +0,0 @@ -# -# Cookbook Name:: kosmos-parity -# Recipe:: default -# -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. - -include_recipe 'kosmos-parity::user' - -parity_version = node['kosmos-parity']['package_version'] -package_timestamp = node['kosmos-parity']['package_timestamp'] -parity_filename = "parity_#{parity_version}-#{package_timestamp}.deb" - -parity_package_path = "#{Chef::Config[:file_cache_path]}/#{parity_filename}" -remote_file parity_package_path do - source "https://dl.5apps.com/#{parity_filename}" - checksum node['kosmos-parity']['checksum'] - mode 0750 - notifies :install, "dpkg_package[parity]", :immediately -end - -dpkg_package "parity" do - source parity_package_path - version "#{parity_version}-#{package_timestamp}" -end - -include_recipe "kosmos-parity::backup" 
diff --git a/site-cookbooks/kosmos-parity/recipes/node_dev.rb b/site-cookbooks/kosmos-parity/recipes/node_dev.rb deleted file mode 100644 index 4a9e846..0000000 --- a/site-cookbooks/kosmos-parity/recipes/node_dev.rb +++ /dev/null 
@@ -1,75 +0,0 @@ -# -# Cookbook Name:: kosmos-parity -# Recipe:: node_dev -# -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. 
- -# Sets up a parity node running on the dev chain on port 8545 (behind nginx, -# with HTTPS) - -rpc_proxy_port = 8545 -rpc_port = 18545 -dapps_port = 8180 - -parity_node "dev" do - password "parityparity" - config parity: { - chain: "dev", - no_download: true, # Don't download updates - }, - network: { - port: 30303, - warp: true, - allow_ips: "public" # Don't connect to local IPs - }, - rpc: { - port: rpc_port, - cors: "*", - apis: ["web3", "net", "traces", "rpc", "eth"], - hosts: ["all"], - }, - dapps: { - port: dapps_port, - }, - ui: { - disable: true, - }, - websockets: { - disable: true, - }, - mining: { - reseal_min_period: 0, - } - rpc_proxy_port rpc_proxy_port -end - -# The firewall_rule doesn't appear to work inside a resource, that's why we're -# doing it here -unless node.chef_environment == "development" - include_recipe 'firewall' - firewall_rule "parity_dev" do - port rpc_proxy_port - protocol :tcp - command :allow - end -end diff --git a/site-cookbooks/kosmos-parity/recipes/node_mainnet.rb b/site-cookbooks/kosmos-parity/recipes/node_mainnet.rb deleted file mode 100644 index ae65cc1..0000000 --- a/site-cookbooks/kosmos-parity/recipes/node_mainnet.rb +++ /dev/null 
@@ -1,74 +0,0 @@ -# -# Cookbook Name:: kosmos-parity -# Recipe:: node_mainnet -# -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. 
- -# Sets up a parity node running on the mainnet chain on port 8547 (behind -# nginx, with HTTPS) - -rpc_proxy_port = 8547 -rpc_port = 18547 -dapps_port = 8182 - -credentials = Chef::EncryptedDataBagItem.load('credentials', 'parity') - -parity_node "mainnet" do - password credentials["mainnet_password"] - config parity: { - chain: "homestead", - no_download: true, # Don't Download Updates - }, - network: { - port: 30305, - warp: true, - allow_ips: "public" # Don't connect to local IPs - }, - rpc: { - port: rpc_port, - cors: "*", - apis: ["web3", "net", "traces", "rpc", "eth"], - hosts: ["all"], - }, - dapps: { - port: dapps_port, - }, - ui: { - disable: true, - }, - websockets: { - disable: true, - } - rpc_proxy_port rpc_proxy_port -end - -# The firewall_rule doesn't appear to work inside a resource, that's why we're -# doing it here -unless node.chef_environment == "development" - include_recipe 'firewall' - firewall_rule "parity_mainnet" do - port rpc_proxy_port - protocol :tcp - command :allow - end -end diff --git a/site-cookbooks/kosmos-parity/recipes/node_testnet.rb b/site-cookbooks/kosmos-parity/recipes/node_testnet.rb deleted file mode 100644 index fb5da62..0000000 --- a/site-cookbooks/kosmos-parity/recipes/node_testnet.rb +++ /dev/null 
@@ -1,75 +0,0 @@ -# -# Cookbook Name:: kosmos-parity -# Recipe:: node_testnet -# -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. 
- -# Sets up a parity node running on the testnet chain on port 8546 (behind -# nginx, with HTTPS) - -rpc_proxy_port = 8546 -rpc_port = 18546 -dapps_port = 8181 -network_port = 30304 - -credentials = Chef::EncryptedDataBagItem.load('credentials', 'parity') - -parity_node "testnet" do - password credentials["testnet_password"] - config parity: { - chain: "ropsten", - no_download: true, # Don't download updates - }, - network: { - port: network_port, - warp: true, - allow_ips: "public" # Don't connect to local IPs - }, - rpc: { - port: rpc_port, - cors: "*", - apis: ["web3", "net", "traces", "rpc", "eth"], - hosts: ["all"], - }, - dapps: { - port: dapps_port, - }, - ui: { - disable: true, - }, - websockets: { - disable: true, - } - rpc_proxy_port rpc_proxy_port -end - -# The firewall_rule doesn't appear to work inside a resource, that's why we're -# doing it here -unless node.chef_environment == "development" - include_recipe 'firewall' - firewall_rule "parity_testnet" do - port [ rpc_proxy_port, network_port ] - protocol :tcp - command :allow - end -end diff --git a/site-cookbooks/kosmos-parity/recipes/user.rb b/site-cookbooks/kosmos-parity/recipes/user.rb deleted file mode 100644 index bf656ff..0000000 --- a/site-cookbooks/kosmos-parity/recipes/user.rb +++ /dev/null 
@@ -1,37 +0,0 @@ -# -# Cookbook Name:: kosmos-parity -# Recipe:: user -# -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. - -group "parity" do - gid 72748 -end - -user "parity" do - system true - manage_home true - comment "parity user" - uid 72748 - gid 72748 -end diff --git a/site-cookbooks/kosmos-parity/resources/node.rb b/site-cookbooks/kosmos-parity/resources/node.rb deleted file mode 100644 index 64b606b..0000000 --- a/site-cookbooks/kosmos-parity/resources/node.rb +++ /dev/null 
@@ -1,136 +0,0 @@ -require 'toml' - -provides :parity_node - -property :name, String, name_property: true, required: true -property :config, Hash, required: true -property :password, String, required: true -property :rpc_proxy_port, Integer - -action :enable do - node_name = name - parity_service = "parity_#{node_name}" - base_path = "#{node['kosmos-parity']['home_path']}/.local/share/io.parity.ethereum/#{node_name}" - config_path = "#{base_path}/config.toml" - - config[:parity][:base_path] = base_path - config[:account] = {} - config[:account][:password] = ["#{base_path}/password"] - - if config[:parity][:chain] == "dev" - config[:parity][:chain] = "#{base_path}/chain-config.json" - end - - directory base_path do - recursive true - owner "parity" - group "parity" - end - - %w(chains keys).each do |subfolder| - directory "#{base_path}/#{subfolder}" do - recursive true - owner "parity" - group "parity" - end - end - - password_path = "#{base_path}/password" - - file password_path do - content password - owner "parity" - group "parity" - mode 0640 - end - - ruby_block "generate config" do - block do - parity_args = "--chain #{config[:parity][:chain]} --base-path #{base_path}" - - parity_account_list = Mixlib::ShellOut.new( - "parity account list #{parity_args}", - user: "parity" - ) - parity_account_list.run_command - - parity_account = parity_account_list.stdout.strip.gsub(/[(\[|\])]/, '') - - if parity_account.empty? - parity_account_create = Mixlib::ShellOut.new( - "parity account new #{parity_args} --password #{base_path}/password", - user: "parity" - ) - parity_account_create.run_command - - parity_account = parity_account_create.stdout.strip - end - - config[:account][:unlock] = [parity_account] - - # Using our own chain config (i.e. 
dev) - if config[:parity][:chain].include?(".json") - template "#{base_path}/chain-config.json" do - source 'chain-config.json.erb' - variables parity_account: parity_account - owner "parity" - group "parity" - mode 0640 - notifies :restart, "service[#{parity_service}]", :delayed - end - end - - file "config" do - path config_path - content TOML::Generator.new(config).body - owner "parity" - group "parity" - mode 0640 - notifies :restart, "service[#{parity_service}]", :delayed - end - end - end - - execute "systemctl daemon-reload" do - command "systemctl daemon-reload" - action :nothing - end - - template "/lib/systemd/system/#{parity_service}.service" do - source "parity.systemd.service.erb" - variables config_file: config_path - notifies :run, "execute[systemctl daemon-reload]", :delayed - notifies :restart, "service[#{parity_service}]", :delayed - end - - service parity_service do - action [:enable, :start] - end - - if rpc_proxy_port - include_recipe "kosmos-nginx" - - hostname = node['kosmos-parity']['hostname'] - - template "#{node['nginx']['dir']}/sites-available/#{parity_service}" do - source 'nginx_conf_parity.erb' - owner 'www-data' - mode 0640 - variables internal_port: config[:rpc][:port], - external_port: rpc_proxy_port, - parity_service: parity_service, - server_name: hostname, - ssl_cert: "/etc/letsencrypt/live/#{hostname}/fullchain.pem", - ssl_key: "/etc/letsencrypt/live/#{hostname}/privkey.pem" - notifies :reload, 'service[nginx]', :delayed - end - - nginx_site parity_service do - action :enable - end - - nginx_certbot_site hostname do - site parity_service - end - end -end diff --git a/site-cookbooks/kosmos-parity/templates/default/chain-config.json.erb b/site-cookbooks/kosmos-parity/templates/default/chain-config.json.erb deleted file mode 100644 index 9075929..0000000 --- a/site-cookbooks/kosmos-parity/templates/default/chain-config.json.erb +++ /dev/null 
@@ -1,34 +0,0 @@ -{ - "name": "KreditsChain", - "engine": { - "instantSeal": { "params": {} } - }, - "params": { - "accountStartNonce": "0x00", - "maximumExtraDataSize": "0x20", - "minGasLimit": "0x1388", - "networkID" : "0x11" - }, - "genesis": { - "seal": { - "ethereum": { - "nonce": "0x00006d6f7264656e", - "mixHash": "0x00000000000000000000000000000000000000647572616c65787365646c6578" - } - }, - "difficulty": "0x20000", - "author": "0x0000000000000000000000000000000000000000", - "timestamp": "0x00", - "parentHash": "0x0000000000000000000000000000000000000000000000000000000000000000", - "extraData": "0x", - "gasLimit": "0x5B8D80" - }, - "accounts": { - "0000000000000000000000000000000000000001": { "balance": "1", "builtin": { "name": "ecrecover", "pricing": { "linear": { "base": 3000, "word": 0 } } } }, - "0000000000000000000000000000000000000002": { "balance": "1", "builtin": { "name": "sha256", "pricing": { "linear": { "base": 60, "word": 12 } } } }, - "0000000000000000000000000000000000000003": { "balance": "1", "builtin": { "name": "ripemd160", "pricing": { "linear": { "base": 600, "word": 120 } } } }, - "0000000000000000000000000000000000000004": { "balance": "1", "builtin": { "name": "identity", "pricing": { "linear": { "base": 15, "word": 3 } } } }, - "<%= @parity_account %>":{"balance": "1606938044258990275541962092341162602522" } - } -} - diff --git a/site-cookbooks/kosmos-parity/templates/default/nginx_conf_parity.erb b/site-cookbooks/kosmos-parity/templates/default/nginx_conf_parity.erb deleted file mode 100644 index 7fbe815..0000000 --- a/site-cookbooks/kosmos-parity/templates/default/nginx_conf_parity.erb +++ /dev/null 
@@ -1,30 +0,0 @@ -# Generated by Chef -upstream _<%= @parity_service %> { - server localhost:<%= @internal_port %>; -} - -server { - <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> - listen <%= @external_port %> ssl http2; - <% else -%> - listen <%= @external_port %>; - <% end -%> - - server_name <%= @server_name %>; - - access_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.access.log json; - error_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.error.log warn; - - location / { - # Increase number of buffers. Default is 8 - proxy_buffers 1024 8k; - - proxy_pass http://_<%= @parity_service %>; - proxy_http_version 1.1; - } - - <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> - ssl_certificate <%= @ssl_cert %>; - ssl_certificate_key <%= @ssl_key %>; - <% end -%> -} diff --git a/site-cookbooks/kosmos-parity/templates/default/parity.systemd.service.erb b/site-cookbooks/kosmos-parity/templates/default/parity.systemd.service.erb deleted file mode 100644 index 0700f45..0000000 --- a/site-cookbooks/kosmos-parity/templates/default/parity.systemd.service.erb +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -Description=Parity Daemon (<%= @environment %>) -After=network.target - -[Service] -ExecStart=/usr/bin/parity --config <%= @config_file %> --no-discovery $ARGS -User=parity -Group=parity - -[Install] -WantedBy=default.target -- 2.25.1 From eab94090e8e1f9670c4335c49310bd5323a8da27 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Mon, 31 Jul 2023 15:07:35 +0200 Subject: [PATCH 26/30] Use openresty node attributes in openresty templates --- .../kosmos-akkounts/templates/nginx_conf_akkounts.erb | 6 +++--- .../kosmos-akkounts/templates/nginx_conf_akkounts_api.erb | 4 ++-- .../kosmos-bitcoin/templates/nginx_conf_lndhub.erb | 4 ++-- .../kosmos-hubot/templates/default/nginx_conf_hubot.erb | 4 ++-- site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb | 4 ++-- .../kosmos_website/templates/nginx_conf_website.erb | 4 +++- 6 files changed, 14 insertions(+), 12 deletions(-) diff --git a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb index 2049a0f..36870a1 100644 --- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb +++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts.erb @@ -5,7 +5,7 @@ upstream _akkounts { <% end %> } -proxy_cache_path /var/cache/nginx/akkounts levels=1:2 +proxy_cache_path <%= node[:openresty][:cache_dir] %>/akkounts levels=1:2 keys_zone=akkounts_cache:10m max_size=1g inactive=120m use_temp_path=off; @@ -19,8 +19,8 @@ server { add_header Strict-Transport-Security "max-age=15768000"; - access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json; - error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn; + access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log json; + error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn; root <%= @root_dir %>; diff --git a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb index ffabdc9..945de09 100644 --- a/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb +++ b/site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb 
@@ -15,8 +15,8 @@ server { add_header 'Strict-Transport-Security' 'max-age=31536000'; - access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json; - error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn; + access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log json; + error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn; location /kredits/ { add_header 'Access-Control-Allow-Origin' '*' always; diff --git a/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb index f79a0ae..6401f97 100644 --- a/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb +++ b/site-cookbooks/kosmos-bitcoin/templates/nginx_conf_lndhub.erb @@ -12,8 +12,8 @@ server { add_header Strict-Transport-Security "max-age=15768000"; - access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json; - error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn; + access_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.access.log json; + error_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.error.log warn; location / { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; diff --git a/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb b/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb index 7cfcb87..bbb167e 100644 --- a/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb +++ b/site-cookbooks/kosmos-hubot/templates/default/nginx_conf_hubot.erb 
@@ -12,8 +12,8 @@ server { add_header Strict-Transport-Security "max-age=15768000"; - access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json; - error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn; + access_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.access.log json; + error_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.error.log warn; location / { # Increase number of buffers. Default is 8 diff --git a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb index 53e5945..659d674 100644 --- a/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb +++ b/site-cookbooks/kosmos_rsk/templates/nginx_conf_rskj.erb @@ -12,8 +12,8 @@ server { add_header Strict-Transport-Security "max-age=15768000"; - access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json; - error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn; + access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log json; + error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn; location / { if ($request_method = 'OPTIONS') { diff --git a/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb b/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb index 0eb9f81..3432221 100644 --- a/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb +++ b/site-cookbooks/kosmos_website/templates/nginx_conf_website.erb @@ -7,7 +7,9 @@ server { root /var/www/<%= @domain %>/public; - access_log off; + access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log; + error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn; + gzip_static on; gzip_comp_level 5; -- 2.25.1 From ec43f4ee0f2982b8ed3d69cd2eb3b99d738ecd32 Mon Sep 17 00:00:00 2001 
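Review bot: The website template's new `access_log` line re-enables request logging that was explicitly `access_log off;` before, and it names no log format, so nginx falls back to its default combined format while every other template in this patch passes `json`; that gives one site a differently shaped log (full request line with query string, referer, user agent) from the rest of the proxy. If logging visitor data for the public site was disabled on purpose, that decision should be recorded in the commit; if logging is wanted, keep the format consistent with the other sites: `access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log json;`. The enclosing `server` block starts and ends outside the hunk.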
From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Mon, 31 Jul 2023 15:56:20 +0200 Subject: [PATCH 27/30] Update openresty cookbook --- site-cookbooks/openresty | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/openresty b/site-cookbooks/openresty index fd3e5b0..bc916b9 160000 --- a/site-cookbooks/openresty +++ b/site-cookbooks/openresty @@ -1 +1 @@ -Subproject commit fd3e5b06abaeac5a12a1f82dc830536b3f8e62d7 +Subproject commit bc916b981cecbbc65dc220ecaa9e878a22d8f6fa -- 2.25.1 From bbd25ebb9cd82e0271cb5d97410db85dbe7c1fd6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Mon, 31 Jul 2023 15:56:40 +0200 Subject: [PATCH 28/30] Add nginx logs for gitea --- .../kosmos_gitea/templates/default/nginx_conf_web.erb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb index 5d7712b..f682191 100644 --- a/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb +++ b/site-cookbooks/kosmos_gitea/templates/default/nginx_conf_web.erb @@ -11,6 +11,9 @@ server { ssl_certificate <%= @ssl_cert %>; ssl_certificate_key <%= @ssl_key %>; + access_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.access.log; + error_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.error.log warn; + add_header Strict-Transport-Security "max-age=31536000"; client_max_body_size 20M; -- 2.25.1 From 123b304dd036006ff6e96d89453a9120737bd7a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Mon, 31 Jul 2023 15:57:07 +0200 Subject: [PATCH 29/30] Use correct node attributes --- site-cookbooks/kosmos_website/recipes/default.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site-cookbooks/kosmos_website/recipes/default.rb b/site-cookbooks/kosmos_website/recipes/default.rb index 433c9d9..b8374c6 100644 --- a/site-cookbooks/kosmos_website/recipes/default.rb 
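Review bot: The gitea `access_log` is added without a format name, so it logs in nginx's default combined format rather than the `json` format the akkounts, lndhub, hubot and rskj templates in this series use, which means this site's logs will not parse with the same tooling and, unlike a format that records `$uri` only, the combined format keeps the full request line including any query string. For consistency use `access_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.access.log json;`, and whichever format is chosen, confirm it does not capture query-string credentials if the upstream accepts tokens that way. The `server` block begins outside the hunk.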
+++ b/site-cookbooks/kosmos_website/recipes/default.rb @@ -13,8 +13,8 @@ tls_cert_for domain do end git "/var/www/#{domain}" do - user node["nginx"]["user"] - group node["nginx"]["group"] + user node["openresty"]["user"] + group node["openresty"]["group"] repository node["kosmos_website"]["repo"] revision node["kosmos_website"]["revision"] action :sync -- 2.25.1 From 1650e429a86086137afc32b10244f27c902b8824 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Mon, 31 Jul 2023 15:57:13 +0200 Subject: [PATCH 30/30] Migrate fornax nginx to openresty --- nodes/fornax.kosmos.org.json | 62 ++++++++++++++++++++---------------- 1 file changed, 35 insertions(+), 27 deletions(-) diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json index f648554..6528412 100644 --- a/nodes/fornax.kosmos.org.json +++ b/nodes/fornax.kosmos.org.json @@ -18,7 +18,12 @@ "hostname": "fornax", "ipaddress": "148.251.83.201", "roles": [ - "nginx_proxy", + "base", + "kvm_host", + "openresty_proxy", + "openresty", + "garage_gateway", + "tor_proxy", "zerotier_controller" ], "recipes": [ @@ -26,16 +31,19 @@ "kosmos-base::default", "kosmos_kvm::host", "kosmos_kvm::backup", - "tor-full", - "tor-full::default", - "kosmos_assets::nginx_site", - "kosmos_discourse::nginx", - "kosmos_drone::nginx", + "kosmos_openresty", + "kosmos_openresty::default", + "kosmos_openresty::firewall", "kosmos_garage", "kosmos_garage::default", "kosmos_garage::firewall_rpc", + "kosmos_assets::nginx_site", + "kosmos_discourse::nginx", + "kosmos_drone::nginx", + "kosmos-ejabberd::nginx", "kosmos_garage::nginx_web", "kosmos_gitea::nginx", + "kosmos_gitea::nginx_ssh", "kosmos_rsk::nginx_testnet", "kosmos_rsk::nginx_mainnet", "kosmos_website", 
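Review bot: The site checkout at `/var/www/#{domain}` is now owned by `node["openresty"]["user"]`; if that attribute is the worker process user (the `openresty::commons_user` recipe in the run list suggests it is), the document root served by `root /var/www/<domain>/public` is writable by the very process that serves it, so a compromised worker could rewrite site content. Least privilege would be to clone as a non-serving owner and give the server read-only access through `group node["openresty"]["group"]`, keeping the group line and changing only `user`. The `git` resource's `end` lies outside the hunk.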
@@ -43,12 +51,14 @@ "kosmos-akkounts::nginx", "kosmos-akkounts::nginx_api", "kosmos-bitcoin::nginx_lndhub", - "kosmos-ejabberd::nginx", "kosmos-hubot::nginx_botka_irc-libera-chat", "kosmos-hubot::nginx_hal8000_xmpp", "kosmos-ipfs::nginx_public_gateway", "kosmos-mastodon::nginx", "remotestorage_discourse::nginx", + "kosmos-base::tor_services", + "tor-full", + "tor-full::default", "kosmos_zerotier::controller", "kosmos_zerotier::firewall", "kosmos_zerotier::zncui", @@ -66,19 +76,16 @@ "postfix::_attributes", "postfix::sasl_auth", "hostname::default", - "kosmos-nginx::default", - "nginx::default", - "nginx::package", - "nginx::ohai_plugin", - "nginx::repo", - "nginx::commons", - "nginx::commons_dir", - "nginx::commons_script", - "nginx::commons_conf", - "kosmos-nginx::firewall", - "discourse::nginx", + "openresty::apt_package", + "openresty::ohai_plugin", + "openresty::commons_cleanup", + "openresty::commons_user", + "openresty::commons_dir", + "openresty::commons_script", + "openresty::commons_conf", + "logrotate::default", + "openresty::luarocks", "firewall::default", - "chef-sugar::default", "git::default", "git::package", "kosmos-base::letsencrypt", @@ -88,20 +95,21 @@ "platform_version": "20.04", "cloud": null, "chef_packages": { - "ohai": { - "version": "15.12.0", - "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai" - }, "chef": { - "version": "15.17.4", - "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.17.4/lib" + "version": "18.2.7", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib", + "chef_effortless": null + }, + "ohai": { + "version": "18.1.4", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai" } } }, "run_list": [ "role[base]", "role[kvm_host]", - "role[nginx_proxy]", + "role[openresty_proxy]", "role[zerotier_controller]" ] -} +} \ No newline at end of file -- 2.25.1