Migrate nginx sites to openresty #511

Merged
greg merged 30 commits from chore/migrate_nginx_sites_to_openresty into master 2023-08-01 13:02:33 +00:00
76 changed files with 422 additions and 1213 deletions


@ -0,0 +1,10 @@
{
"id": "tor",
"services": {
"encrypted_data": "CvvJlXfs1KhAveBJ/IdTGa19F/bREnr7DCCuw3CiZ8D04gdn4Yw6WbGwvqhR\nahv5hUvvHTQS/YUxdXE3joTp9MyZ3DK5PbR8sOCWVfylG9YYOJD8nUhxQLA9\nMKU75j5v1K2pAZ4qLkG9HNUPWV4SYWgGY5ok9GzlhCd/g0NGaqZBFyARDxLu\n+diFg9bz2FfELfcgz0m9abbCZDKJkEozVyU+VgXMge0hU52GUrlQnYZe/c43\ngBavOScolmwv7ej7mKmpJMRvNXNSx1avjS/8tQP68KZGBTEbUYisRHKVKWpA\ngBZR/5oGlcn3gLt25xTWRv/GaH+pUfqwKCpjd1vhpEqhK7poDXQUm9mDB3bG\nzLQUwPhJ8gmD9nl+8t3fmKiPPFdaKapOtSpsCTutkzlmGwwo3bhQsYjcD+5U\nqDoHR5UjDwADszjUiRV3/iNHojXCEic0u1RFCNsojYNwP718grVnUcx+U/50\n5A2vgahLG89tmY7DN2padd0xgHM8SkZVGga8DGQNWAPzo12DEJWbtcIwR6gd\nbyOwdPDVvUibBhyGMbBwyfzoFMsS//fulq4xJpoQH1yd9Hd/05YlMJSuP2TW\nLpVBTq5rEA4EAVIVgTMfkkP2nHAeEeCfLkaV8fURKTonaX0g8b5vcPzkpv0F\nVPNeGEBs3tRaIe0dm5eN21HD2lpHyiSKOZwidQH/NAZWB/IK73LGExjd+GnP\ndnqGBQ1wWsYGaM/UQTxbCn+p0QDlJVUWKGgfimjn5ru7le3dZmkCyAB28gLz\nJgXoAAZz3+E+nhdnLeBKkVTLFGzZyNxMlSt33T1QlpCSgCMvzF9kVmzmoexm\nvEtsZrWHvIHN9EVVCC8KgkGyTkmFnTM48BGyGM2ovjLYsOeeef5tqUd6noBi\nJxfYbUIySXtuSXr7pIAE1+Qzp8duRdjaJ0CYbYWf\n",
"iv": "qtzvl79A/PZc5JjE\n",
"auth_tag": "QXY8QZigLC4nVMIELoZRUA==\n",
"version": 3,
"cipher": "aes-256-gcm"
}
}


@ -11,7 +11,10 @@
}
},
"openresty": {
"listen_ip": "148.251.237.111"
"listen_ip": "148.251.237.111",
"log_formats": {
"json": "{\"ip\":\"$remote_addr\",\"time\":\"$time_local\",\"host\":\"$host\",\"method\":\"$request_method\",\"uri\":\"$uri\",\"status\":$status,\"size\":$body_bytes_sent,\"referer\":\"$http_referer\",\"upstream_addr\":\"$upstream_addr\",\"upstream_response_time\":\"$upstream_response_time\",\"ua\":\"$http_user_agent\"}"
}
}
},
"automatic": {
@ -21,24 +24,52 @@
"hostname": "draco",
"ipaddress": "148.251.237.73",
"roles": [
"base",
"kvm_host",
"openresty_proxy",
"openresty"
"openresty",
"garage_gateway",
"tor_proxy"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos_encfs",
"kosmos_encfs::default",
"kosmos_kvm::host",
"kosmos_kvm::backup",
"kosmos_openresty",
"kosmos_openresty::default",
"kosmos_openresty::firewall",
"kosmos_garage",
"kosmos_garage::default",
"kosmos_garage::firewall_rpc",
"kosmos_assets::nginx_site",
"kosmos_discourse::nginx",
"kosmos_drone::nginx",
"kosmos-ejabberd::nginx",
"kosmos_garage::nginx_web",
"kosmos_gitea::nginx",
"kosmos_gitea::nginx_ssh",
"kosmos_rsk::nginx_testnet",
"kosmos_rsk::nginx_mainnet",
"kosmos_website",
"kosmos_website::default",
"kosmos-akkounts::nginx",
"kosmos-akkounts::nginx_api",
"kosmos-bitcoin::nginx_lndhub",
"kosmos-hubot::nginx_botka_irc-libera-chat",
"kosmos-hubot::nginx_hal8000_xmpp",
"kosmos-ipfs::nginx_public_gateway",
"kosmos-mastodon::nginx",
"remotestorage_discourse::nginx",
"kosmos-base::tor_services",
"tor-full",
"tor-full::default",
"kosmos_encfs",
"kosmos_encfs::default",
"kosmos-ejabberd::firewall",
"kosmos-ipfs::firewall_swarm",
"kosmos-bitcoin::firewall",
"kosmos_zerotier::firewall",
"kosmos_openresty",
"kosmos_openresty::default",
"kosmos_openresty::firewall",
"kosmos_assets::nginx_site",
"sockethub::firewall",
"apt::default",
"timezone_iii::default",
@ -54,18 +85,20 @@
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"firewall::default",
"openresty::apt_package",
"openresty::ohai_plugin",
"openresty::commons_cleanup",
"openresty::commons_user",
"openresty::commons_dir",
"openresty::commons_script",
"openresty::commons_conf",
"logrotate::default",
"openresty::luarocks",
"firewall::default",
"git::default",
"git::package",
"kosmos-base::letsencrypt"
"kosmos-base::letsencrypt",
"fail2ban::default"
],
"platform": "ubuntu",
"platform_version": "20.04",
@ -85,12 +118,12 @@
"run_list": [
"role[base]",
"role[kvm_host]",
"role[openresty_proxy]",
"recipe[kosmos_encfs]",
"recipe[kosmos-ejabberd::firewall]",
"recipe[kosmos-ipfs::firewall_swarm]",
"recipe[kosmos-bitcoin::firewall]",
"recipe[kosmos_zerotier::firewall]",
"role[openresty_proxy]",
"recipe[sockethub::firewall]"
]
}
}
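Review bot: The `json` log_format added under `openresty.log_formats` in this section interpolates `$http_referer`, `$http_user_agent` and `$uri` into quoted JSON fields without asking nginx to escape them, so a request header containing a `"` or a backslash yields a malformed JSON line, and anything parsing these logs as JSON (fail2ban::default is in this node's run_list) can drop or misread it. nginx's `log_format` accepts an `escape=json` parameter for exactly this case; the node file only stores the format string, so the place to add it is presumably where the cookbook renders the directive, e.g. `log_format json escape=json '...';`. The unquoted `$status` and `$body_bytes_sent` fields are fine as they are.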


@ -18,7 +18,12 @@
"hostname": "fornax",
"ipaddress": "148.251.83.201",
"roles": [
"nginx_proxy",
"base",
"kvm_host",
"openresty_proxy",
"openresty",
"garage_gateway",
"tor_proxy",
"zerotier_controller"
],
"recipes": [
@ -26,16 +31,19 @@
"kosmos-base::default",
"kosmos_kvm::host",
"kosmos_kvm::backup",
"tor-full",
"tor-full::default",
"kosmos_assets::nginx_site",
"kosmos_discourse::nginx",
"kosmos_drone::nginx",
"kosmos_openresty",
"kosmos_openresty::default",
"kosmos_openresty::firewall",
"kosmos_garage",
"kosmos_garage::default",
"kosmos_garage::firewall_rpc",
"kosmos_assets::nginx_site",
"kosmos_discourse::nginx",
"kosmos_drone::nginx",
"kosmos-ejabberd::nginx",
"kosmos_garage::nginx_web",
"kosmos_gitea::nginx",
"kosmos_gitea::nginx_ssh",
"kosmos_rsk::nginx_testnet",
"kosmos_rsk::nginx_mainnet",
"kosmos_website",
@ -43,12 +51,14 @@
"kosmos-akkounts::nginx",
"kosmos-akkounts::nginx_api",
"kosmos-bitcoin::nginx_lndhub",
"kosmos-ejabberd::nginx",
"kosmos-hubot::nginx_botka_irc-libera-chat",
"kosmos-hubot::nginx_hal8000_xmpp",
"kosmos-ipfs::nginx_public_gateway",
"kosmos-mastodon::nginx",
"remotestorage_discourse::nginx",
"kosmos-base::tor_services",
"tor-full",
"tor-full::default",
"kosmos_zerotier::controller",
"kosmos_zerotier::firewall",
"kosmos_zerotier::zncui",
@ -66,19 +76,16 @@
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"kosmos-nginx::default",
"nginx::default",
"nginx::package",
"nginx::ohai_plugin",
"nginx::repo",
"nginx::commons",
"nginx::commons_dir",
"nginx::commons_script",
"nginx::commons_conf",
"kosmos-nginx::firewall",
"discourse::nginx",
"openresty::apt_package",
"openresty::ohai_plugin",
"openresty::commons_cleanup",
"openresty::commons_user",
"openresty::commons_dir",
"openresty::commons_script",
"openresty::commons_conf",
"logrotate::default",
"openresty::luarocks",
"firewall::default",
"chef-sugar::default",
"git::default",
"git::package",
"kosmos-base::letsencrypt",
@ -88,20 +95,21 @@
"platform_version": "20.04",
"cloud": null,
"chef_packages": {
"ohai": {
"version": "15.12.0",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai"
},
"chef": {
"version": "15.17.4",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.17.4/lib"
"version": "18.2.7",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib",
"chef_effortless": null
},
"ohai": {
"version": "18.1.4",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
}
}
},
"run_list": [
"role[base]",
"role[kvm_host]",
"role[nginx_proxy]",
"role[openresty_proxy]",
"role[zerotier_controller]"
]
}
}


@ -4,13 +4,6 @@ override_attributes(
'openresty' => {
'server_names_hash_bucket_size' => 128
},
'tor' => {
'HiddenServices' => {
'web' => {
'HiddenServicePorts' => ['80 127.0.0.1:80', '443 127.0.0.1:443']
}
}
}
)
development_run_list = %w(
@ -20,31 +13,30 @@ development_run_list = %w(
default_run_list = %w(
role[openresty]
tor-full
)
production_run_list = %w(
role[openresty]
role[garage_gateway]
kosmos_assets::nginx_site
kosmos_discourse::nginx
kosmos_drone::nginx
kosmos_garage::default
kosmos_garage::firewall_rpc
kosmos-ejabberd::nginx
kosmos_garage::nginx_web
kosmos_gitea::nginx
kosmos_gitea::nginx_ssh
kosmos_rsk::nginx_testnet
kosmos_rsk::nginx_mainnet
kosmos_website::default
kosmos-akkounts::nginx
kosmos-akkounts::nginx_api
kosmos-bitcoin::nginx_lndhub
kosmos-ejabberd::nginx
kosmos-hubot::nginx_botka_irc-libera-chat
kosmos-hubot::nginx_hal8000_xmpp
kosmos-ipfs::nginx_public_gateway
kosmos-mastodon::nginx
remotestorage_discourse::nginx
)
production_run_list = %w(
role[openresty]
kosmos_assets::nginx_site
role[tor_proxy]
)
env_run_lists(

roles/tor_proxy.rb Normal file

@ -0,0 +1,6 @@
name "tor_proxy"
run_list %w(
kosmos-base::tor_services
tor-full
)
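Review bot: The run_list places `kosmos-base::tor_services` ahead of `tor-full`, and the `tor_service` resource that recipe uses chowns its directory and key files to `debian-tor`; if that user is created by the tor package, a fresh node would presumably fail in the resource's `directory` step before `tor-full` ever installs it. The ordering looks deliberate, since the resource also sets `node.normal['tor']['HiddenServices']` that tor-full needs when it writes torrc, so the resource may need to ensure the user exists itself, or the role should document the constraint, e.g. `# tor_services must run before tor-full renders torrc, but needs the debian-tor user to exist`.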


@ -7,5 +7,4 @@ long_description 'Installs/Configures discourse'
version '0.1.0'
chef_version '>= 14.0'
depends 'kosmos-nginx'
depends 'firewall'


@ -1,39 +0,0 @@
#
# Cookbook:: discourse
# Recipe:: nginx
#
include_recipe "kosmos-nginx"
domain = node['discourse']['domain']
discourse_role = node['discourse']['role']
upstream_ip_addresses = []
search(:node, "role:#{discourse_role}").each do |n|
upstream_ip_addresses << n["knife_zero"]["host"]
end
# No Discourse host, stop here
if upstream_ip_addresses.empty?
Chef::Log.warn("No server with '#{discourse_role}' role. Stopping here.")
return
end
nginx_certbot_site domain
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
source "nginx_conf.erb"
owner 'www-data'
mode 0640
variables server_name: domain,
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
upstream_port: node['discourse']['port'],
upstream_name: discourse_role,
upstream_ip_addresses: upstream_ip_addresses
notifies :reload, 'service[nginx]', :delayed
end
nginx_site domain do
action :enable
end


@ -7,7 +7,7 @@ long_description 'Installs/configures kosmos-akkounts'
version '0.2.0'
chef_version '>= 18.0'
depends 'kosmos-nginx'
depends 'kosmos_openresty'
depends "kosmos-nodejs"
depends "redisio"
depends "postgresql"


@ -3,11 +3,13 @@
# Recipe:: nginx
#
include_recipe "kosmos-nginx"
app_name = "akkounts"
domain = node[app_name]["domain"]
app_name = "akkounts"
domain = node[app_name]["domain"]
nginx_certbot_site domain
tls_cert_for domain do
auth "gandi_dns"
action :create
end
upstream_hosts = []
search(:node, "role:akkounts").each do |node|
@ -15,10 +17,8 @@ search(:node, "role:akkounts").each do |node|
end
upstream_hosts.push("localhost") if upstream_hosts.empty?
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
source "nginx_conf_#{app_name}.erb"
owner 'www-data'
mode 0640
openresty_site domain do
template "nginx_conf_#{app_name}.erb"
variables port: node[app_name]['port'],
domain: domain,
upstream_port: node["akkounts"]["port"],
@ -26,9 +26,4 @@ template "#{node['nginx']['dir']}/sites-available/#{domain}" do
root_dir: "/opt/#{app_name}/public",
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
notifies :reload, 'service[nginx]', :delayed
end
nginx_site domain do
action :enable
end
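Review bot: The new `tls_cert_for domain` block replaces `nginx_certbot_site`, yet the `ssl_cert`/`ssl_key` variables a few lines below still hardcode `/etc/letsencrypt/live/#{domain}/…`; whether `tls_cert_for` with `auth "gandi_dns"` writes to that certbot layout cannot be seen from this diff, and if it stores the certificate elsewhere every site here fails its first openresty reload. The same pairing is repeated in nginx_api, kosmos-bitcoin::nginx_lndhub, both kosmos-hubot nginx recipes, kosmos-ipfs::nginx_public_gateway and kosmos-mastodon::nginx. If the resource does use the certbot paths, a comment such as `# tls_cert_for stores certificates under /etc/letsencrypt/live/<domain>` next to the first use answers the question; if it exposes the paths as properties or attributes, reading them from there removes the duplication.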


@ -3,29 +3,24 @@
# Recipe:: nginx_api
#
include_recipe "kosmos-nginx"
domain = node["akkounts_api"]["domain"]
nginx_certbot_site domain
upstream_hosts = []
search(:node, "role:akkounts").each do |node|
upstream_hosts << node["knife_zero"]["host"]
end
upstream_hosts.push("localhost") if upstream_hosts.empty?
template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
source "nginx_conf_akkounts_api.erb"
owner "www-data"
mode 0640
tls_cert_for domain do
auth "gandi_dns"
action :create
end
openresty_site domain do
template "nginx_conf_akkounts_api.erb"
variables domain: domain,
upstream_port: node["akkounts"]["port"],
upstream_hosts: upstream_hosts,
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
notifies :reload, "service[nginx]", :delayed
end
nginx_site domain do
action :enable
end


@ -5,12 +5,12 @@ upstream _akkounts {
<% end %>
}
proxy_cache_path /var/cache/nginx/akkounts levels=1:2
proxy_cache_path <%= node[:openresty][:cache_dir] %>/akkounts levels=1:2
keys_zone=akkounts_cache:10m
max_size=1g inactive=120m use_temp_path=off;
server {
listen 443 ssl http2;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 ssl http2;
server_name <%= @domain %>;
@ -19,8 +19,8 @@ server {
add_header Strict-Transport-Security "max-age=15768000";
access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log json;
error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;
root <%= @root_dir %>;
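Review bot: The IPv4 `listen` is now pinned to `node['openresty']['listen_ip']` when set, but the `listen [::]:443 ssl http2;` directly below it still binds every IPv6 address, so the restriction applies to IPv4 only; draco's node attributes set `listen_ip` to an address other than its primary `ipaddress`, which suggests the intent is to leave the other addresses free, and the IPv6 wildcard does not honour that. A matching `listen_ip6` attribute, or dropping the wildcard IPv6 listen where it is not wanted, would make the two sides consistent. The same inline expression is repeated in nginx_conf_akkounts_api.erb, nginx_conf_lndhub.erb, nginx_conf_hubot.erb, the ipfs gateway template and nginx_conf_mastodon.erb; computing the listen prefix once (a template variable or small helper) would keep them in step.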


@ -6,7 +6,7 @@ upstream _akkounts_api {
}
server {
listen 443 ssl http2;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 ssl http2;
server_name <%= @domain %>;
@ -15,8 +15,8 @@ server {
add_header 'Strict-Transport-Security' 'max-age=31536000';
access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log json;
error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;
location /kredits/ {
add_header 'Access-Control-Allow-Origin' '*' always;


@ -0,0 +1,24 @@
#
# Cookbook Name:: kosmos-base
# Recipe:: tor_services
#
tor_services = data_bag_item('credentials', 'tor')['services']
tor_service "ejabberd" do
hostname tor_services['ejabberd']['hostname']
public_key tor_services['ejabberd']['public_key']
secret_key tor_services['ejabberd']['secret_key']
# TODO configure IP from node attribute
# (This is hardcoded for draco atm)
ports [ "5222 148.251.237.73:5222",
"5223 148.251.237.73:5223",
"5269 148.251.237.73:5269" ]
end
tor_service "web" do
hostname tor_services['web']['hostname']
public_key tor_services['web']['public_key']
secret_key tor_services['web']['secret_key']
ports ['80 127.0.0.1:80', '443 127.0.0.1:443']
end
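Review bot: The `ejabberd` hidden service forwards its ports to the hardcoded address `148.251.237.73`, which the TODO above acknowledges; that value is draco's `ipaddress` in this PR's node file, but fornax also receives the new `tor_proxy` role, so on fornax this onion would be forwarded across hosts to draco. If the meaning is "this host's own address", `ports ["5222 #{node['ipaddress']}:5222", "5223 #{node['ipaddress']}:5223", "5269 #{node['ipaddress']}:5269"]` resolves the TODO; if it really must be draco, a per-node attribute keeps this recipe host-agnostic. The `web` service forwarding to `127.0.0.1` is consistent with the loopback-only onion vhosts added to nginx_conf_mastodon.erb.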


@ -0,0 +1,52 @@
require "base64"
resource_name :tor_service
provides :tor_service
property :name, [String], name_property: true
property :hostname, [String], required: true
property :public_key, [String], required: true # base64 encoded content of generated key file
property :secret_key, [String], required: true # base64 encoded content of generated key file
property :ports, [Array], required: true
default_action :create
action :create do
name = new_resource.name
ports = Array(new_resource.ports)
service_dir = "#{node['tor']['DataDirectory']}/#{name}"
user = "debian-tor"
group = "debian-tor"
node.normal['tor']['HiddenServices'][name]['HiddenServicePorts'] = ports
directory service_dir do
recursive true
owner user
group group
mode '4700'
end
file "#{service_dir}/hostname" do
content new_resource.hostname
owner user
group group
mode '0600'
end
file "#{service_dir}/hs_ed25519_public_key" do
content Base64.decode64(new_resource.public_key)
owner user
group group
mode '0600'
sensitive true
end
file "#{service_dir}/hs_ed25519_secret_key" do
content Base64.decode64(new_resource.secret_key)
owner user
group group
mode '0600'
sensitive true
end
end
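Review bot: `mode '4700'` on the hidden service `directory` sets the setuid bit rather than the usual `0700`; setuid has no meaning on a directory, and tor only requires that the directory not be group- or world-accessible, so this reads like a typo for `mode '0700'`. The key files are decoded with `Base64.decode64`, which silently skips invalid characters, so a truncated or mangled data bag value would be written out as a corrupt key instead of failing the converge; `Base64.strict_decode64` raises `ArgumentError` on malformed input and is the safer choice for both `hs_ed25519_public_key` and `hs_ed25519_secret_key`. The locals `user` and `group` inside the action shadow the `user` and `group` resource DSL names, so a name like `tor_user` avoids confusion. Setting `node.normal[...]` also persists the port list on the node object after the resource is removed, which deserves a comment if intentional.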


@ -14,6 +14,7 @@ depends 'git'
depends 'golang'
depends 'kosmos-nginx'
depends 'kosmos-nodejs'
depends 'kosmos_openresty'
depends 'kosmos_postgresql'
depends 'postgresql'
depends 'redisio'


@ -3,27 +3,20 @@
# Recipe:: nginx_lndhub
#
include_recipe "kosmos-base::letsencrypt"
include_recipe "kosmos-nginx"
domain = node['lndhub-go']['domain']
nginx_certbot_site domain
upstream_host = search(:node, "role:lndhub").first["knife_zero"]["host"]
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
source 'nginx_conf_lndhub.erb'
owner node["nginx"]["user"]
mode 0640
variables port: node['lndhub-go']['port'],
server_name: domain,
tls_cert_for domain do
auth "gandi_dns"
action :create
end
openresty_site domain do
template 'nginx_conf_lndhub.erb'
variables server_name: domain,
port: node['lndhub-go']['port'],
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
upstream_host: upstream_host
notifies :reload, 'service[nginx]', :delayed
end
nginx_site domain do
action :enable
end


@ -6,14 +6,14 @@ upstream _lndhub {
}
server {
listen 443 ssl http2;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 ssl http2;
server_name <%= @server_name %>;
add_header Strict-Transport-Security "max-age=15768000";
access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json;
error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn;
access_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.access.log json;
error_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.error.log warn;
location / {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;


@ -6,14 +6,6 @@ node.default["kosmos-ejabberd"]["stun_turn_port"] = 3478
node.default["kosmos-ejabberd"]["turn_min_port"] = 50000
node.default["kosmos-ejabberd"]["turn_max_port"] = 50050
node.override["tor"]["HiddenServices"]["ejabberd"] = {
"HiddenServicePorts" => [
"5222 127.0.0.1:5222",
"5223 127.0.0.1:5223",
"5269 127.0.0.1:5269"
]
}
node.default["kosmos-ejabberd"]["uploads"] = {
"domain" => "uploads.kosmos.chat",
"max_upload_size_mb" => "100",


@ -205,10 +205,3 @@ firewall_rule 'ejabberd_http' do
protocol :tcp
command :allow
end
#
# Tor hidden service
#
# The attributes for the hidden service are set in attributes/default.rb, due
# to the way the tor-full cookbook builds the path to the hidden service dir
include_recipe "tor-full"


@ -17,28 +17,15 @@ rescue IPAddr::InvalidAddressError
next
end
template "#{node['nginx']['dir']}/streams-available/ejabberd" do
source "nginx_conf_streams.erb"
owner 'www-data'
mode 0640
# variables ejabberd_hosts: ejabberd_hosts
openresty_stream "ejabberd" do
template "nginx_conf_streams.erb"
variables ejabberd_hosts: ["10.1.1.113"],
stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
turn_max_port: node["kosmos-ejabberd"]["turn_max_port"]
notifies :reload, 'service[nginx]', :delayed
end
nginx_stream "ejabberd" do
action :enable
end
firewall_rule "ejabberd" do
port [5222, 5223, 5269, 5443]
protocol :tcp
command :allow
end
firewall_rule 'ejabberd_stun_turn' do
port node["kosmos-ejabberd"]["stun_turn_port"]
protocol :udp
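Review bot: The new `openresty_stream "ejabberd"` passes `ejabberd_hosts: ["10.1.1.113"]` as a literal while the loop above it (it starts outside this hunk, ending at the `rescue IPAddr::InvalidAddressError` context) still builds an `ejabberd_hosts` list that is now unused, and nginx_conf_streams.erb hardcodes `proxy_pass 10.1.1.113:$server_port;` for the TURN range as well. If the search result is trustworthy, `variables ejabberd_hosts: ejabberd_hosts,` restores it; if it is not, a comment saying why the address is pinned would stop the next reader from reverting it. Separately, the `firewall_rule "ejabberd"` just below still allows 5222, 5223, 5269 and 5443 on the proxy even though the matching stream `server` blocks for those ports are removed from nginx_conf_streams.erb in this PR; unless something else on the proxy now listens there, the rule can be narrowed to what is still proxied.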


@ -5,34 +5,6 @@ log_format proxy '$remote_addr [$time_local] '
access_log /var/log/nginx/streams.log proxy buffer=32k flush=1m;
upstream ejabberd_c2s {
hash $remote_addr consistent;
<% @ejabberd_hosts.each do |ip_address| %>
server <%= ip_address %>:5222;
<% end %>
}
upstream ejabberd_c2s_tls {
hash $remote_addr consistent;
<% @ejabberd_hosts.each do |ip_address| %>
server <%= ip_address %>:5223;
<% end %>
}
upstream ejabberd_s2s {
hash $remote_addr consistent;
<% @ejabberd_hosts.each do |ip_address| %>
server <%= ip_address %>:5269;
<% end %>
}
upstream ejabberd_https {
hash $remote_addr consistent;
<% @ejabberd_hosts.each do |ip_address| %>
server <%= ip_address %>:5443;
<% end %>
}
upstream ejabberd_stun_turn {
hash $remote_addr consistent;
<% @ejabberd_hosts.each do |ip_address| %>
@ -50,36 +22,12 @@ upstream ejabberd_turn {
}
server {
listen 5222;
proxy_protocol on;
proxy_pass ejabberd_c2s;
}
server {
listen 5223;
proxy_protocol on;
proxy_pass ejabberd_c2s;
}
server {
listen 5269;
proxy_protocol on;
proxy_pass ejabberd_s2s;
}
server {
listen 5443;
proxy_protocol on;
proxy_pass ejabberd_https;
}
server {
listen <%= @stun_turn_port %> udp;
listen <%= @stun_turn_port %> udp;
proxy_pass ejabberd_stun_turn;
}
server {
listen <%= "#{@turn_min_port}-#{@turn_max_port}" %> udp;
listen <%= "#{@turn_min_port}-#{@turn_max_port}" %> udp;
proxy_pass 10.1.1.113:$server_port;
#proxy_pass ejabberd_turn;
}


@ -9,6 +9,7 @@ version '0.2.0'
depends 'kosmos-base'
depends 'kosmos-nodejs'
depends 'kosmos-ipfs'
depends 'kosmos_openresty'
depends 'firewall'
depends 'git'
depends 'redisio'


@ -1,24 +1,17 @@
include_recipe "kosmos-base::letsencrypt"
include_recipe "kosmos-nginx"
domain = "irc-libera-chat.botka.kosmos.chat"
nginx_certbot_site domain
upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
source 'nginx_conf_hubot.erb'
owner node["nginx"]["user"]
mode 0640
tls_cert_for domain do
auth "gandi_dns"
action :create
end
openresty_site domain do
template 'nginx_conf_hubot.erb'
variables express_port: node['botka_irc-libera-chat']['http_port'],
server_name: domain,
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
upstream_host: upstream_host
notifies :reload, 'service[nginx]', :delayed
end
nginx_site domain do
action :enable
end


@ -1,24 +1,18 @@
include_recipe "kosmos-base::letsencrypt"
include_recipe "kosmos-nginx"
app_name = "hal8000_xmpp"
nginx_certbot_site node[app_name]['domain']
domain = node[app_name]['domain']
upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
template "#{node['nginx']['dir']}/sites-available/#{node[app_name]['domain']}" do
source 'nginx_conf_hubot.erb'
owner node["nginx"]["user"]
mode 0640
tls_cert_for domain do
auth "gandi_dns"
action :create
end
openresty_site domain do
template 'nginx_conf_hubot.erb'
variables express_port: node[app_name]['http_port'],
server_name: node[app_name]['domain'],
ssl_cert: "/etc/letsencrypt/live/#{node[app_name]['domain']}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{node[app_name]['domain']}/privkey.pem",
upstream_host: upstream_host
notifies :reload, 'service[nginx]', :delayed
end
nginx_site node[app_name]['domain'] do
action :enable
end
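Review bot: `domain = node[app_name]['domain']` is introduced for `tls_cert_for` and `openresty_site`, but the `server_name`, `ssl_cert` and `ssl_key` variables still spell out `node[app_name]['domain']` three more times. Using the local throughout — `server_name: domain,` / `ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",` / `ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",` — matches the sibling nginx_botka_irc-libera-chat recipe and leaves one place to change. Independently, `search(:node, "role:hubot").first["knife_zero"]["host"]` above raises NoMethodError on `nil` when no hubot node is found; that is pre-existing, but a fallback like the `upstream_hosts.push("localhost") if upstream_hosts.empty?` used in kosmos-akkounts::nginx would let the proxy converge without the app host.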


@ -6,14 +6,14 @@ upstream _express_<%= @server_name.gsub(".", "_") %> {
}
server {
listen 443 ssl http2;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 ssl http2;
server_name <%= @server_name %>;
add_header Strict-Transport-Security "max-age=15768000";
access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json;
error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn;
access_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.access.log json;
error_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.error.log warn;
location / {
# Increase number of buffers. Default is 8


@ -9,6 +9,6 @@ version '0.3.0'
depends 'ipfs'
depends 'fail2ban'
depends 'kosmos-base'
depends 'kosmos-nginx'
depends 'kosmos-nodejs'
depends 'kosmos_openresty'
depends 'firewall'


@ -3,7 +3,6 @@
# Recipe:: nginx_public_gateway
#
include_recipe "kosmos-nginx"
include_recipe 'firewall'
domain = node["kosmos-ipfs"]["nginx"]["domain"]
@ -13,12 +12,13 @@ search(:node, "role:ipfs_gateway").each do |node|
ipfs_node_ip_addresses << node["knife_zero"]["host"]
end
nginx_certbot_site domain
tls_cert_for domain do
auth "gandi_dns"
action :create
end
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
source "nginx_conf_#{domain}.erb"
owner 'www-data'
mode 0640
openresty_site domain do
template "nginx_conf_#{domain}.erb"
variables server_name: domain,
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
@ -26,12 +26,6 @@ template "#{node['nginx']['dir']}/sites-available/#{domain}" do
ipfs_gateway_port: node['kosmos-ipfs']['gateway_port'],
ipfs_external_api_port: node['kosmos-ipfs']['nginx']['external_api_port'],
upstream_hosts: ipfs_node_ip_addresses
notifies :reload, 'service[nginx]', :delayed
end
nginx_site domain do
action :enable
end
firewall_rule 'ipfs_api' do


@ -10,10 +10,9 @@ upstream _ipfs_api {
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name <%= @server_name %>;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 ssl http2;
access_log /var/log/nginx/<%= @server_name %>.access.log;
error_log /var/log/nginx/<%= @server_name %>.error.log;
@ -28,7 +27,7 @@ server {
server {
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
listen <%= @ipfs_external_api_port %> ssl http2;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %><%= @ipfs_external_api_port %> ssl http2;
<% else -%>
listen <%= @ipfs_external_api_port %>;
<% end -%>
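Review bot: This template's `access_log` and `error_log` lines (context just below the changed `listen` lines) still point at `/var/log/nginx/…`, while every other site template in this PR was moved to `node[:openresty][:log_dir]`; unless the openresty log directory happens to be `/var/log/nginx`, the gateway's logs land outside the directory the rest of the proxy uses. `access_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.access.log;` and `error_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.error.log;` would bring it in line. The external API `listen` on the `ssl` branch is pinned to `listen_ip`, but the plain `listen <%= @ipfs_external_api_port %>;` fallback is not, so without a certificate the API port is bound on every address.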


@ -11,9 +11,8 @@ depends 'elasticsearch'
depends 'java'
depends 'firewall'
depends 'redisio'
depends 'tor-full'
depends 'postgresql'
depends 'kosmos-nginx'
depends 'kosmos-nodejs'
depends 'kosmos_openresty'
depends 'kosmos_postgresql'
depends 'ruby_build'


@ -3,57 +3,51 @@
# Recipe:: nginx
#
include_recipe "kosmos-nginx"
app_dir = node["kosmos-mastodon"]["directory"]
server_name = node["kosmos-mastodon"]["domain"]
is_proxy = node.roles.include?('nginx_proxy') rescue nil
upstream_hosts = []
if is_proxy
upstream_hosts = []
search(:node, "role:mastodon").each do |node|
upstream_hosts << node["knife_zero"]["host"]
end
if upstream_hosts.any?
web_root_dir = "/var/www/#{server_name}/public"
search(:node, "role:mastodon").each do |node|
upstream_hosts << node["knife_zero"]["host"]
end
else
web_root_dir = "#{app_dir}/public"
upstream_hosts << "localhost"
end
directory "#{node['nginx']['dir']}/snippets" do
directory "#{node['openresty']['dir']}/snippets" do
action :create
owner 'www-data'
mode 0640
end
template "#{node['nginx']['dir']}/snippets/mastodon.conf" do
template "#{node['openresty']['dir']}/snippets/mastodon.conf" do
source 'nginx_conf_shared.erb'
owner 'www-data'
mode 0640
variables web_root_dir: web_root_dir,
server_name: server_name
notifies :reload, 'service[nginx]', :delayed
notifies :reload, 'service[openresty]', :delayed
end
nginx_certbot_site server_name
tls_cert_for server_name do
auth "gandi_dns"
action :create
end
onion_address = File.read("/var/lib/tor/web/hostname").strip rescue nil rescue nil
tor_services = data_bag_item('credentials', 'tor')['services']
onion_address = tor_services['web']['hostname']
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
source 'nginx_conf_mastodon.erb'
owner 'www-data'
mode 0640
openresty_site server_name do
template 'nginx_conf_mastodon.erb'
variables server_name: server_name,
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem",
shared_config_path: "#{node['nginx']['dir']}/snippets/mastodon.conf",
shared_config_path: "#{node['openresty']['dir']}/snippets/mastodon.conf",
app_port: node["kosmos-mastodon"]["app_port"],
streaming_port: node["kosmos-mastodon"]["streaming_port"],
onion_address: onion_address,
upstream_hosts: upstream_hosts
notifies :reload, 'service[nginx]', :delayed
end
nginx_site server_name do
action :enable
end
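Review bot: `data_bag_item('credentials', 'tor')['services']` replaces a `File.read(...) rescue nil`, so the `<% if @onion_address %>` guard in nginx_conf_mastodon.erb can no longer be false: if the `tor` item is missing or cannot be decrypted on a node (a development proxy, or any node without the data bag secret), the converge now raises instead of skipping the onion vhosts. If that is intended, the template guard is dead and can go; if not, look the item up only where it applies, e.g. `onion_address = node.roles.include?('tor_proxy') ? data_bag_item('credentials', 'tor')['services']['web']['hostname'] : nil`. The `search(:node, "role:mastodon").each do |node|` block names its parameter `node`, shadowing Chef's node object inside the block; `|mastodon_node|` avoids that. The `snippets` directory keeps `mode 0640`, which lacks the execute bit a directory needs to be traversed; it works only because nginx reads its configuration as root, and `0750` is presumably what was meant.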


@ -20,7 +20,7 @@ proxy_cache_path /var/cache/nginx/mastodon levels=1:2
max_size=1g inactive=120m use_temp_path=off;
server {
listen 443 ssl http2;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 ssl http2;
server_name <%= @server_name %>;
include <%= @shared_config_path %>;
@ -36,12 +36,12 @@ server {
<% if @onion_address %>
server {
listen 80;
listen 127.0.0.1:80;
server_name mastodon.<%= @onion_address %>;
include <%= @shared_config_path %>;
}
server {
listen 443 ssl http2;
listen 127.0.0.1:443 ssl http2;
server_name mastodon.<%= @onion_address %>;
include <%= @shared_config_path %>;


@ -1,4 +0,0 @@
# kosmos-parity CHANGELOG
## 0.1.0
- [Greg Karékinian] - Initial release of kosmos-parity


@ -1,20 +0,0 @@
Copyright (c) 2019 Kosmos Developers
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


@ -1,52 +0,0 @@
# kosmos-parity Cookbook
This cookbook installs [Parity](https://parity.io/) nodes
## Requirements
### Platforms
- Ubuntu
### Chef
- Chef 12.1 or later
## Attributes
### kosmos-parity::default
<table>
<tr>
<th>Key</th>
<th>Type</th>
<th>Description</th>
<th>Default</th>
</tr>
<tr>
<td><tt>['kosmos-parity']['home_path']</tt></td>
<td>String</td>
<td>The parity user's home path</td>
<td><tt>/home/parity</tt></td>
</tr>
</table>
## Usage
### kosmos-parity::default
### kosmos-parity::node_dev
Sets up a parity node running on the dev chain on port 8545 (behind nginx, with
HTTPS)
### kosmos-parity::node_testnet
Sets up a parity node running on the testnet chain on port 8546 (behind nginx,
with HTTPS)
## License and Authors
Authors:
* Greg Karékinian


@ -1,7 +0,0 @@
node.default['kosmos-parity']['home_path'] = "/home/parity"
node.default['kosmos-parity']['version'] = "1.6.6"
node.default['kosmos-parity']['package_checksum'] = '7fd51ded7a367774e62c965088ffd15ad0fa42251005d448eb700cbf5db8df24'
node.default['kosmos-parity']['package_version'] = '1.7.0'
node.default['kosmos-parity']['package_timestamp'] = '1493999009'
node.default['kosmos-parity']['debian_package_dir'] = Chef::Config[:file_cache_path]
node.default['kosmos-parity']['hostname'] = "parity.kosmos.org"


@ -1,14 +0,0 @@
name 'kosmos-parity'
maintainer 'Kosmos'
maintainer_email 'mail@kosmos.org'
license 'MIT'
description 'Installs/Configures kosmos-parity'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '0.1.0'
gem 'toml'
depends 'ark'
depends 'kosmos-nginx'
depends 'firewall'
depends 'backup'


@ -1,6 +0,0 @@
return if node.chef_environment == "development"
# Backup the local directory
node.override["backup"]["archives"]["parity"] = ["#{node['kosmos-parity']['home_path']}/.local/share/io.parity.ethereum/**/keys"]
include_recipe "backup"


@ -1,86 +0,0 @@
#
# Cookbook Name:: kosmos-parity
# Recipe:: create_package_from_github
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
include_recipe 'kosmos-parity::user'
build_essential 'kosmos-parity'
package %w(git libssl-dev pkg-config libudev-dev)
gem_package 'fpm' do
version '1.8.1'
end
rust_version = '1.17.0'
architecture = node['kernel']['machine']
rust_canonical_basename = "rust-#{rust_version}-#{architecture}-unknown-linux-gnu"
rust_path = "/usr/local/rust_#{rust_version}"
url = "https://static.rust-lang.org/dist/#{rust_canonical_basename}.tar.gz"
ark "rust_#{rust_version}" do
url url
path "/usr/local"
action :put
notifies :run, "execute[install rust]", :immediately
end
execute "install rust" do
command "./install.sh"
cwd "#{rust_path}"
action :nothing
end
parity_revision = "0d8920347a72fc50e82b540855eba94c8bbb2c0f"
git "/home/parity/parity" do
repository "https://github.com/paritytech/parity.git"
revision parity_revision
user "parity"
group "parity"
notifies :run, "execute[build parity]", :immediately
end
execute "build parity" do
cwd "/home/parity/parity"
environment "HOME" => "/home/parity"
command "cargo build --release"
action :nothing
user "parity"
group "parity"
notifies :run, "execute[copy parity]", :immediately
end
execute "copy parity" do
command "cp /home/parity/parity/target/release/parity /usr/bin/"
action :run
notifies :run, "execute[create package]", :immediately
end
timestamp = Time.now.strftime('%s')
parity_version = node['kosmos-parity']['package_version']
execute "create package" do
cwd node['kosmos-parity']['debian_package_dir']
command "fpm -s dir -t deb -n parity -v #{parity_version}-#{timestamp} -p parity_#{parity_version}-#{timestamp}.deb /usr/bin/parity"
action :nothing
end


@ -1,42 +0,0 @@
#
# Cookbook Name:: kosmos-parity
# Recipe:: default
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
include_recipe 'kosmos-parity::user'
parity_version = node['kosmos-parity']['version']
parity_package_path = "#{Chef::Config[:file_cache_path]}/parity_#{parity_version}_amd64.deb"
remote_file parity_package_path do
source "https://d1h4xl4cr1h0mo.cloudfront.net/v#{parity_version}/x86_64-unknown-linux-gnu/parity_#{parity_version}_amd64.deb"
checksum node['kosmos-parity']['checksum']
mode 0750
notifies :install, "dpkg_package[parity]", :immediately
end
dpkg_package "parity" do
source parity_package_path
end
include_recipe "kosmos-parity::backup"


@ -1,46 +0,0 @@
#
# Cookbook Name:: kosmos-parity
# Recipe:: default
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
include_recipe 'kosmos-parity::user'
parity_version = node['kosmos-parity']['package_version']
package_timestamp = node['kosmos-parity']['package_timestamp']
parity_filename = "parity_#{parity_version}-#{package_timestamp}.deb"
parity_package_path = "#{Chef::Config[:file_cache_path]}/#{parity_filename}"
remote_file parity_package_path do
source "https://dl.5apps.com/#{parity_filename}"
checksum node['kosmos-parity']['checksum']
mode 0750
notifies :install, "dpkg_package[parity]", :immediately
end
dpkg_package "parity" do
source parity_package_path
version "#{parity_version}-#{package_timestamp}"
end
include_recipe "kosmos-parity::backup"


@ -1,75 +0,0 @@
#
# Cookbook Name:: kosmos-parity
# Recipe:: node_dev
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
# Sets up a parity node running on the dev chain on port 8545 (behind nginx,
# with HTTPS)
rpc_proxy_port = 8545
rpc_port = 18545
dapps_port = 8180
parity_node "dev" do
password "parityparity"
config parity: {
chain: "dev",
no_download: true, # Don't download updates
},
network: {
port: 30303,
warp: true,
allow_ips: "public" # Don't connect to local IPs
},
rpc: {
port: rpc_port,
cors: "*",
apis: ["web3", "net", "traces", "rpc", "eth"],
hosts: ["all"],
},
dapps: {
port: dapps_port,
},
ui: {
disable: true,
},
websockets: {
disable: true,
},
mining: {
reseal_min_period: 0,
}
rpc_proxy_port rpc_proxy_port
end
# The firewall_rule doesn't appear to work inside a resource, that's why we're
# doing it here
unless node.chef_environment == "development"
include_recipe 'firewall'
firewall_rule "parity_dev" do
port rpc_proxy_port
protocol :tcp
command :allow
end
end


@ -1,74 +0,0 @@
#
# Cookbook Name:: kosmos-parity
# Recipe:: node_mainnet
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
# Sets up a parity node running on the mainnet chain on port 8547 (behind
# nginx, with HTTPS)
rpc_proxy_port = 8547
rpc_port = 18547
dapps_port = 8182
credentials = Chef::EncryptedDataBagItem.load('credentials', 'parity')
parity_node "mainnet" do
password credentials["mainnet_password"]
config parity: {
chain: "homestead",
no_download: true, # Don't Download Updates
},
network: {
port: 30305,
warp: true,
allow_ips: "public" # Don't connect to local IPs
},
rpc: {
port: rpc_port,
cors: "*",
apis: ["web3", "net", "traces", "rpc", "eth"],
hosts: ["all"],
},
dapps: {
port: dapps_port,
},
ui: {
disable: true,
},
websockets: {
disable: true,
}
rpc_proxy_port rpc_proxy_port
end
# The firewall_rule doesn't appear to work inside a resource, that's why we're
# doing it here
unless node.chef_environment == "development"
include_recipe 'firewall'
firewall_rule "parity_mainnet" do
port rpc_proxy_port
protocol :tcp
command :allow
end
end


@ -1,75 +0,0 @@
#
# Cookbook Name:: kosmos-parity
# Recipe:: node_testnet
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
# Sets up a parity node running on the testnet chain on port 8546 (behind
# nginx, with HTTPS)
rpc_proxy_port = 8546
rpc_port = 18546
dapps_port = 8181
network_port = 30304
credentials = Chef::EncryptedDataBagItem.load('credentials', 'parity')
parity_node "testnet" do
password credentials["testnet_password"]
config parity: {
chain: "ropsten",
no_download: true, # Don't download updates
},
network: {
port: network_port,
warp: true,
allow_ips: "public" # Don't connect to local IPs
},
rpc: {
port: rpc_port,
cors: "*",
apis: ["web3", "net", "traces", "rpc", "eth"],
hosts: ["all"],
},
dapps: {
port: dapps_port,
},
ui: {
disable: true,
},
websockets: {
disable: true,
}
rpc_proxy_port rpc_proxy_port
end
# The firewall_rule doesn't appear to work inside a resource, that's why we're
# doing it here
unless node.chef_environment == "development"
include_recipe 'firewall'
firewall_rule "parity_testnet" do
port [ rpc_proxy_port, network_port ]
protocol :tcp
command :allow
end
end


@ -1,37 +0,0 @@
#
# Cookbook Name:: kosmos-parity
# Recipe:: user
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
group "parity" do
gid 72748
end
user "parity" do
system true
manage_home true
comment "parity user"
uid 72748
gid 72748
end


@ -1,136 +0,0 @@
require 'toml'
provides :parity_node
property :name, String, name_property: true, required: true
property :config, Hash, required: true
property :password, String, required: true
property :rpc_proxy_port, Integer
action :enable do
node_name = name
parity_service = "parity_#{node_name}"
base_path = "#{node['kosmos-parity']['home_path']}/.local/share/io.parity.ethereum/#{node_name}"
config_path = "#{base_path}/config.toml"
config[:parity][:base_path] = base_path
config[:account] = {}
config[:account][:password] = ["#{base_path}/password"]
if config[:parity][:chain] == "dev"
config[:parity][:chain] = "#{base_path}/chain-config.json"
end
directory base_path do
recursive true
owner "parity"
group "parity"
end
%w(chains keys).each do |subfolder|
directory "#{base_path}/#{subfolder}" do
recursive true
owner "parity"
group "parity"
end
end
password_path = "#{base_path}/password"
file password_path do
content password
owner "parity"
group "parity"
mode 0640
end
ruby_block "generate config" do
block do
parity_args = "--chain #{config[:parity][:chain]} --base-path #{base_path}"
parity_account_list = Mixlib::ShellOut.new(
"parity account list #{parity_args}",
user: "parity"
)
parity_account_list.run_command
parity_account = parity_account_list.stdout.strip.gsub(/[(\[|\])]/, '')
if parity_account.empty?
parity_account_create = Mixlib::ShellOut.new(
"parity account new #{parity_args} --password #{base_path}/password",
user: "parity"
)
parity_account_create.run_command
parity_account = parity_account_create.stdout.strip
end
config[:account][:unlock] = [parity_account]
# Using our own chain config (i.e. dev)
if config[:parity][:chain].include?(".json")
template "#{base_path}/chain-config.json" do
source 'chain-config.json.erb'
variables parity_account: parity_account
owner "parity"
group "parity"
mode 0640
notifies :restart, "service[#{parity_service}]", :delayed
end
end
file "config" do
path config_path
content TOML::Generator.new(config).body
owner "parity"
group "parity"
mode 0640
notifies :restart, "service[#{parity_service}]", :delayed
end
end
end
execute "systemctl daemon-reload" do
command "systemctl daemon-reload"
action :nothing
end
template "/lib/systemd/system/#{parity_service}.service" do
source "parity.systemd.service.erb"
variables config_file: config_path
notifies :run, "execute[systemctl daemon-reload]", :delayed
notifies :restart, "service[#{parity_service}]", :delayed
end
service parity_service do
action [:enable, :start]
end
if rpc_proxy_port
include_recipe "kosmos-nginx"
hostname = node['kosmos-parity']['hostname']
template "#{node['nginx']['dir']}/sites-available/#{parity_service}" do
source 'nginx_conf_parity.erb'
owner 'www-data'
mode 0640
variables internal_port: config[:rpc][:port],
external_port: rpc_proxy_port,
parity_service: parity_service,
server_name: hostname,
ssl_cert: "/etc/letsencrypt/live/#{hostname}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{hostname}/privkey.pem"
notifies :reload, 'service[nginx]', :delayed
end
nginx_site parity_service do
action :enable
end
nginx_certbot_site hostname do
site parity_service
end
end
end


@ -1,34 +0,0 @@
{
"name": "KreditsChain",
"engine": {
"instantSeal": { "params": {} }
},
"params": {
"accountStartNonce": "0x00",
"maximumExtraDataSize": "0x20",
"minGasLimit": "0x1388",
"networkID" : "0x11"
},
"genesis": {
"seal": {
"ethereum": {
"nonce": "0x00006d6f7264656e",
"mixHash": "0x00000000000000000000000000000000000000647572616c65787365646c6578"
}
},
"difficulty": "0x20000",
"author": "0x0000000000000000000000000000000000000000",
"timestamp": "0x00",
"parentHash": "0x0000000000000000000000000000000000000000000000000000000000000000",
"extraData": "0x",
"gasLimit": "0x5B8D80"
},
"accounts": {
"0000000000000000000000000000000000000001": { "balance": "1", "builtin": { "name": "ecrecover", "pricing": { "linear": { "base": 3000, "word": 0 } } } },
"0000000000000000000000000000000000000002": { "balance": "1", "builtin": { "name": "sha256", "pricing": { "linear": { "base": 60, "word": 12 } } } },
"0000000000000000000000000000000000000003": { "balance": "1", "builtin": { "name": "ripemd160", "pricing": { "linear": { "base": 600, "word": 120 } } } },
"0000000000000000000000000000000000000004": { "balance": "1", "builtin": { "name": "identity", "pricing": { "linear": { "base": 15, "word": 3 } } } },
"<%= @parity_account %>":{"balance": "1606938044258990275541962092341162602522" }
}
}


@ -1,30 +0,0 @@
# Generated by Chef
upstream _<%= @parity_service %> {
server localhost:<%= @internal_port %>;
}
server {
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
listen <%= @external_port %> ssl http2;
<% else -%>
listen <%= @external_port %>;
<% end -%>
server_name <%= @server_name %>;
access_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.access.log json;
error_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.error.log warn;
location / {
# Increase number of buffers. Default is 8
proxy_buffers 1024 8k;
proxy_pass http://_<%= @parity_service %>;
proxy_http_version 1.1;
}
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
<% end -%>
}


@ -1,11 +0,0 @@
[Unit]
Description=Parity Daemon (<%= @environment %>)
After=network.target
[Service]
ExecStart=/usr/bin/parity --config <%= @config_file %> --no-discovery $ARGS
User=parity
Group=parity
[Install]
WantedBy=default.target


@ -2,10 +2,11 @@ name 'kosmos_discourse'
maintainer 'Kosmos Developers'
maintainer_email 'mail@kosmos.org'
license 'MIT'
description 'Installs/Configures discourse'
long_description 'Installs/Configures discourse'
version '0.1.0'
description 'Installs/configures Discourse'
long_description 'Installs/configures Discourse'
version '0.2.0'
chef_version '>= 14.0'
depends 'discourse'
depends 'firewall'
depends 'kosmos_openresty'


@ -3,4 +3,30 @@
# Recipe:: nginx
#
include_recipe "discourse::nginx"
domain = node['discourse']['domain']
discourse_role = node['discourse']['role']
upstream_ip_addresses = []
search(:node, "role:#{discourse_role}").each do |n|
upstream_ip_addresses << n["knife_zero"]["host"]
end
# No Discourse host, stop here
if upstream_ip_addresses.empty?
Chef::Log.warn("No server with '#{discourse_role}' role. Stopping here.")
return
end
tls_cert_for domain do
auth "gandi_dns"
action :create
end
openresty_site domain do
template "nginx_conf.erb"
variables server_name: domain,
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
upstream_port: node['discourse']['port'],
upstream_name: discourse_role,
upstream_ip_addresses: upstream_ip_addresses
end


@ -8,7 +8,7 @@ upstream _discourse {
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
server {
server_name <%= @server_name %>;
listen 443 ssl http2;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate <%= @ssl_cert %>;
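Review bot: The IPv4 listener is now pinned to `node['openresty']['listen_ip']`, but the IPv6 listener on the next line still binds `[::]:443` on every address, so the per-address isolation this commit introduces for IPv4 does not exist for IPv6 — if another service on the host binds 443 on a shared IPv6 address the bind collides or this vhost starts answering that traffic. If a dedicated IPv6 address exists, a matching attribute keeps the two in step, e.g. `listen <%= "[#{node['openresty']['listen_ip6']}]:" if node['openresty']['listen_ip6'] %>443 ssl http2;`. The same asymmetry appears in every site template in this PR; the server block continues outside the hunk.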


@ -8,5 +8,5 @@ version '0.1.0'
chef_version '>= 14.0'
depends "firewall"
depends "kosmos-nginx"
depends "kosmos_gitea"
depends "kosmos_openresty"


@ -12,21 +12,16 @@ end
# No Discourse host, stop here
return if upstream_ip_addresses.empty?
nginx_certbot_site domain
tls_cert_for domain do
auth "gandi_dns"
action :create
end
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
source "nginx_conf.erb"
owner 'www-data'
mode 0640
openresty_site domain do
template "nginx_conf.erb"
variables server_name: domain,
upstream_ip_addresses: upstream_ip_addresses,
upstream_port: node["kosmos_drone"]["upstream_port"],
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
notifies :reload, 'service[nginx]', :delayed
end
nginx_site domain do
action :enable
end


@ -1,4 +1,3 @@
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
# Generated by Chef
upstream _drone {
<% @upstream_ip_addresses.each do |upstream_ip_address| -%>
@ -8,7 +7,7 @@ upstream _drone {
server {
server_name <%= @server_name %>;
listen 443 ssl http2;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate <%= @ssl_cert %>;
@ -33,4 +32,3 @@ server {
proxy_http_version 1.1;
}
}
<% end -%>
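Review bot: Removing the `File.exist?(@ssl_cert) && File.exist?(@ssl_key)` guard around the whole file means a missing or not-yet-issued certificate now renders `ssl_certificate` lines pointing at nonexistent files, which makes the config test fail and takes every site on this proxy down at the next reload instead of just skipping drone. That is acceptable only if `tls_cert_for` aborts the Chef run when issuance fails, before `openresty_site` renders this template; that resource is not visible here, so please confirm. If it does not, keep the guard, or have the recipe skip `openresty_site` when the cert path is absent.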


@ -9,3 +9,4 @@ issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
source_url 'https://gitea.kosmos.org/kosmos/chef'
depends 'firewall'
depends 'kosmos_openresty'


@ -3,15 +3,14 @@
# Recipe:: nginx_web
#
include_recipe "kosmos-nginx"
file "/etc/nginx/conf.d/garage.conf" do
file "#{node['openresty']['dir']}/conf.d/garage.conf" do

Could use node['openresty']['dir'] here instead of hardcoding `/etc/openresty"

Could use `node['openresty']['dir']` here instead of hardcoding `/etc/openresty`
content <<-EOF
upstream garage_web {
server localhost:3902;
}
proxy_cache_path /var/cache/nginx/garage levels=1:2 keys_zone=garage_cache:10m
proxy_cache_path #{node['openresty']['cache_dir']}/garage
levels=1:2 keys_zone=garage_cache:10m
max_size=1g inactive=60m use_temp_path=off;
EOF
end
@ -19,19 +18,15 @@ end
domains = node['garage']['s3_web_domains']
domains.each do |server_name|
nginx_certbot_site server_name
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
source 'nginx_conf_web.erb'
owner 'www-data'
mode 0640
variables server_name: server_name,
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
notifies :reload, 'service[nginx]', :delayed
tls_cert_for server_name do
auth "gandi_dns"
action :create
end
nginx_site server_name do
action :enable
openresty_site server_name do
template "nginx_conf_web.erb"
variables server_name: server_name,
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
end
end
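Review bot: The `file` resource that writes `conf.d/garage.conf` has no `notifies`, so a changed `upstream garage_web` or `proxy_cache_path` line lands on disk but openresty keeps serving the old config until something else triggers a reload; this predates the PR, but the move to `node['openresty']['dir']` rewrites the resource anyway. Add `notifies :reload, "service[openresty]", :delayed` (the exact service resource name is whatever the openresty cookbook declares — confirm). `proxy_cache_path #{node['openresty']['cache_dir']}/garage` also assumes `cache_dir` itself exists and is owned by the worker user; nginx creates the `garage` leaf at startup but not a missing parent, so a `directory` resource for it would make first converges deterministic.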


@ -1,5 +1,5 @@
server {
listen 443 http2 ssl;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 http2 ssl;
server_name <%= @server_name %>;


@ -2,25 +2,13 @@ name 'kosmos_gitea'
maintainer 'Kosmos Developers'
maintainer_email 'ops@kosmos.org'
license 'MIT'
description 'Installs/Configures kosmos_gitea'
long_description 'Installs/Configures kosmos_gitea'
version '0.1.0'
description 'Installs/configures Gitea'
long_description 'Installs/configures Gitea'
version '0.2.0'
chef_version '>= 14.0'
# The `issues_url` points to the location where issues for this cookbook are
# tracked. A `View Issues` link will be displayed on this cookbook's page when
# uploaded to a Supermarket.
#
# issues_url 'https://github.com/<insert_org_here>/kosmos_gitea/issues'
# The `source_url` points to the development repository for this cookbook. A
# `View Source` link will be displayed on this cookbook's page when uploaded to
# a Supermarket.
#
# source_url 'https://github.com/<insert_org_here>/kosmos_gitea'
depends "firewall"
depends "kosmos-nginx"
depends "kosmos_openresty"
depends "kosmos_postgresql"
depends "backup"
depends "kosmos-dirsrv"


@ -3,14 +3,8 @@
# Recipe:: nginx
#
include_recipe "kosmos-nginx"
domain = node["gitea"]["domain"]
# upstream_ip_addresses = []
# search(:node, "role:gitea").each do |n|
# upstream_ip_addresses << n["knife_zero"]["host"]
# end
begin
upstream_ip_address = search(:node, "role:gitea").first["knife_zero"]["host"]
rescue
@ -18,35 +12,16 @@ rescue
return
end
nginx_certbot_site domain
tls_cert_for domain do
auth "gandi_dns"
action :create
end
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
source "nginx_conf_web.erb"
owner 'www-data'
mode 0640
openresty_site domain do
template "nginx_conf_web.erb"
variables server_name: domain,
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
upstream_host: upstream_ip_address,
upstream_port: node["gitea"]["port"]
notifies :reload, 'service[nginx]', :delayed
end
nginx_site domain do
action :enable
end
template "#{node['nginx']['dir']}/streams-available/ssh" do
source "nginx_conf_ssh.erb"
owner 'www-data'
mode 0640
variables domain: domain,
upstream_host: upstream_ip_address
notifies :reload, 'service[nginx]', :delayed
end
nginx_stream "ssh" do
action :enable
end


@ -0,0 +1,17 @@
#
# Cookbook:: kosmos_gitea
# Recipe:: nginx_ssh
#
begin
upstream_ip_address = search(:node, "role:gitea").first["knife_zero"]["host"]
rescue
Chef::Log.warn('No server with "gitea" role. Stopping here.')
return
end
openresty_stream "ssh" do
template "nginx_conf_ssh.erb"
variables upstream_host: upstream_ip_address
action :enable
end
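Review bot: The `begin ... rescue` around `search(:node, "role:gitea").first["knife_zero"]["host"]` uses a bare rescue to detect an empty result, which also turns every other failure (a failing search, a node without a `knife_zero` mash) into "no gitea server" and silently leaves the SSH stream unconfigured. An explicit nil check says what is meant: `upstream_ip_address = search(:node, "role:gitea").first&.dig("knife_zero", "host")` followed by `if upstream_ip_address.nil?` with the same warning and `return`. This lookup is also a copy of the one in `nginx.rb`; a small library helper would keep the two from drifting.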


@ -3,6 +3,6 @@ upstream _gitea_ssh {
}
server {
listen 148.251.83.201:22;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>22;
proxy_pass _gitea_ssh;
}
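Review bot: With `node['openresty']['listen_ip']` unset the new line renders `listen 22;`, so the stream proxy tries to bind port 22 on every interface — colliding with the host's own sshd if it listens there and failing the config test — whereas the previous hardcoded IP could never do that. This template only makes sense on a dedicated address, so fail loudly rather than fall back: `<% raise "openresty.listen_ip must be set for the gitea ssh stream" unless node['openresty']['listen_ip'] -%>` at the top, or have `nginx_ssh` skip `openresty_stream` when the attribute is nil. There is no IPv6 listener here, so gitea-over-SSH stays IPv4-only; if that is intended a one-line comment saying so would save the next reader a question.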


@ -4,23 +4,17 @@ upstream _gitea_web {
}
server {
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name <%= @server_name %>;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
add_header Strict-Transport-Security "max-age=31536000";
<% else -%>
listen 80;
server_name <%= @server_name %>;
access_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.access.log;
error_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.error.log warn;
location /.well-known {
root "/var/www/<%= @server_name %>";
}
<% end -%>
add_header Strict-Transport-Security "max-age=31536000";
client_max_body_size 20M;
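Review bot: With the `else` branch removed, a server block whose cert files are absent renders with no `listen` directive at all, and nginx then defaults that server to `*:80` — Gitea would be proxied over plain HTTP, with the now-unconditional `Strict-Transport-Security` header attached to cleartext responses. Either drop the `File.exist?` guard entirely (the recipe runs `tls_cert_for` first, so a missing cert should fail the run rather than degrade), or keep an `else` with `listen 80;` and `return 444;`. The new `access_log` line also omits the `json` format the other site templates in this PR pass. The server block continues outside the hunk.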


@ -3,5 +3,7 @@
# Recipe:: default
#
node.normal['openresty']['log_formats']['json'] = '{"ip":"$remote_addr","time":"$time_local","host":"$host","method":"$request_method","uri":"$uri","status":$status,"size":$body_bytes_sent,"referer":"$http_referer","upstream_addr":"$upstream_addr","upstream_response_time":"$upstream_response_time","ua":"$http_user_agent"}'
# Install openresty from official packages
include_recipe 'openresty::apt_package'
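Review bot: The JSON access-log format that was defined here interpolates `$http_user_agent`, `$http_referer` and `$uri` unescaped; wherever it now lives, the `log_format` directive that consumes `node['openresty']['log_formats']` needs `escape=json`, otherwise a request carrying a `"` in the User-Agent produces a line that is no longer valid JSON and lets a client inject fields into the log. I cannot see the openresty cookbook's template from here — please confirm it emits `log_format json escape=json '...'`. If it does not, this is a log-injection issue the PR inherits rather than introduces, but it is worth fixing in the same pass since the format is being relocated anyway.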


@ -9,4 +9,4 @@ issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
source_url 'https://gitea.kosmos.org/kosmos/chef'
depends 'firewall'
depends 'kosmos-nginx'
depends 'kosmos_openresty'


@ -5,33 +5,27 @@ property :network, String, required: true, name_property: true
property :domain, String, required: true
action :create do
include_recipe "kosmos-nginx"
network = new_resource.network
domain = new_resource.domain
nginx_certbot_site domain
upstream_hosts = []
search(:node, "role:rskj_#{network}").each do |node|
upstream_hosts << node["knife_zero"]["host"]
end
upstream_hosts.push("localhost") if upstream_hosts.empty?
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
source "nginx_conf_rskj.erb"
owner 'www-data'
mode 0640
tls_cert_for domain do
auth "gandi_dns"
action :create
end
openresty_site domain do
template "nginx_conf_rskj.erb"
variables domain: domain,
upstream_name: "rskj_#{network}",
upstream_hosts: upstream_hosts,
upstream_port: "4444",
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
notifies :reload, 'service[nginx]', :delayed
end
nginx_site domain do
action :enable
end
end


@ -5,15 +5,15 @@ upstream _<%= @upstream_name %> {
}
server {
listen 443 ssl http2;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 ssl http2;
server_name <%= @domain %>;
add_header Strict-Transport-Security "max-age=15768000";
access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log json;
error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;
location / {
if ($request_method = 'OPTIONS') {


@ -7,5 +7,5 @@ long_description 'Configures the main kosmos.org website'
version '1.0.0'
chef_version '>= 15.10' if respond_to?(:chef_version)
depends "kosmos-nginx"
depends 'git'
depends "kosmos_openresty"


@ -3,37 +3,26 @@
# Recipe:: default
#
include_recipe "kosmos-nginx"
include_recipe "git"
domain = node["kosmos_website"]["domain"]
nginx_certbot_site domain
directory "/var/www/#{domain}/site" do
user node["nginx"]["user"]
group node["nginx"]["group"]
mode "0755"
tls_cert_for domain do
auth "gandi_dns"
action :create
end
git "/var/www/#{domain}/site" do
user node["nginx"]["user"]
group node["nginx"]["group"]
git "/var/www/#{domain}" do
user node["openresty"]["user"]
group node["openresty"]["group"]
repository node["kosmos_website"]["repo"]
revision node["kosmos_website"]["revision"]
action :sync
end
template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
source "nginx_conf_website.erb"
owner node["nginx"]["user"]
mode 0640
openresty_site domain do
template "nginx_conf_website.erb"
variables domain: domain,
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
notifies :reload, "service[nginx]", :delayed
end
nginx_site domain do
action :enable
end
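Review bot: Moving the checkout from `/var/www/#{domain}/site` to `/var/www/#{domain}` will not work on a node converged with the old layout: that directory already exists and is non-empty (it holds `site/`), and Chef's `git` resource refuses to clone into a non-empty directory that is not a repository, so no `public/` appears under the new `root` and the site 404s. Either clean up first — `directory "/var/www/#{domain}/site" do recursive true; action :delete; end` before the `git` resource — or clone to a fresh path. Separately, owning the whole tree by `node["openresty"]["user"]`/`group` makes the document root writable by the process that serves it if that is the worker user; static content only needs to be readable, so cloning as root (or a deploy user) with world-readable modes is the least-privilege choice.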


@ -1,14 +1,15 @@
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
# Generated by Chef
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name <%= @domain %>;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 ssl http2;
root /var/www/<%= @domain %>/site/public;
root /var/www/<%= @domain %>/public;
access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;
access_log off;
gzip_static on;
gzip_comp_level 5;
@ -29,4 +30,3 @@ server {
proxy_pass https://accounts.kosmos.org;
}
}
<% end -%>
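Review bot: The new `access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;` line is dead — `access_log off;` two lines below is kept, and in nginx `off` cancels all `access_log` directives at the same level, so nothing is written for this vhost. Decide which one is intended and delete the other; if logging is meant to come back, pass the same format as the other templates (`access_log ... .access.log json;`). Dropping the outer `<% if File.exist? ... %>` also leaves the cert paths unconditional, which is fine only if `tls_cert_for` fails the run when issuance fails.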

@ -1 +1 @@
Subproject commit 867046cbd1e120f7b2cb842114dcc725cdf0c2b2
Subproject commit bc916b981cecbbc65dc220ecaa9e878a22d8f6fa


@ -1,2 +0,0 @@
node.override['discourse']['domain'] = "community.remotestorage.io"
node.override['discourse']['role'] = "remotestorage_discourse"


@ -2,9 +2,11 @@ name 'remotestorage_discourse'
maintainer 'Kosmos Developers'
maintainer_email 'mail@kosmos.org'
license 'MIT'
description 'Installs/Configures discourse'
long_description 'Installs/Configures discourse'
version '0.1.0'
description 'Installs/configures Discourse'
long_description 'Installs/configures Discourse'
version '0.2.0'
chef_version '>= 14.0'
depends 'discourse'
depends 'firewall'
depends 'kosmos_openresty'


@ -3,4 +3,30 @@
# Recipe:: nginx
#
include_recipe "discourse::nginx"
domain = "community.remotestorage.io"
discourse_role = "remotestorage_discourse"
upstream_ip_addresses = []
search(:node, "role:#{discourse_role}").each do |n|
upstream_ip_addresses << n["knife_zero"]["host"]
end
# No Discourse host, stop here
if upstream_ip_addresses.empty?
Chef::Log.warn("No server with '#{discourse_role}' role. Stopping here.")
return
end
tls_cert_for domain do
auth "gandi_dns"
action :create
end
openresty_site domain do
template "nginx_conf.erb"
variables server_name: domain,
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
upstream_port: node['discourse']['port'],
upstream_name: discourse_role,
upstream_ip_addresses: upstream_ip_addresses
end
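Review bot: `upstream_port: node['discourse']['port']` takes the port from the proxy node's own attributes while the addresses come from the searched Discourse nodes, so a port override on the Discourse host is not picked up; collecting the port from the search result alongside the host (e.g. `upstream_ip_addresses << n['knife_zero']['host']` becoming a `[host, n['discourse']['port']]` pair) keeps the two in step. A matching node without `knife_zero.host` pushes `nil` into `upstream_ip_addresses`, which the template renders as `server :<port>;` and breaks the nginx config — `next unless n.dig('knife_zero', 'host')` inside the loop, or `upstream_ip_addresses.compact!` before the empty check, avoids that. The upstream is reached over plain HTTP (`proxy_pass http://_rs_discourse;` in the template), so if `knife_zero.host` is a publicly routed address the proxy-to-Discourse leg crosses the network unencrypted; worth confirming it is a private interface, or that the Discourse port is firewalled to the proxy's address.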


@ -1,14 +1,13 @@
# Generated by Chef
upstream _discourse {
upstream _rs_discourse {
<% @upstream_ip_addresses.each do |upstream_ip_address| -%>
server <%= upstream_ip_address %>:<%= @upstream_port %>;
<% end -%>
}
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
server {
server_name <%= @server_name %>;
listen 443 ssl http2;
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate <%= @ssl_cert %>;
@ -28,8 +27,7 @@ server {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://_discourse;
proxy_pass http://_rs_discourse;
proxy_http_version 1.1;
}
}
<% end -%>
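Review bot: The rename to `upstream _rs_discourse {` only matters because upstream names are global across every site this openresty instance serves, and nothing in the template records that; a comment `# Upstream name must be unique across all sites on this openresty host` above it would stop the next cookbook from reintroducing a collision. As in the website template, the IPv4 listener is pinned via `node['openresty']['listen_ip']` while `listen [::]:443 ssl http2;` binds all IPv6 addresses — either pin both or note the asymmetry. The `server` block continues between the two hunks and the proxied upstream is plain HTTP, so the hop from proxy to Discourse relies on the network being private.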


@ -85,7 +85,7 @@ ruby_block "read-hostnames" do
block do
# Set generated hostname for hidden services
node['tor']['HiddenServices'].each do |name, service|
path = File.join(service['HiddenServiceDir'], "/hostname")
path = "/var/lib/tor/#{name}/hostname"
node.normal['tor']['HiddenServices'][name]['hostname'] = File.read(path).strip()
end
end
@ -96,10 +96,6 @@ template '/etc/tor/torrc' do
source 'torrc.erb'
notifies :restart, 'service[tor]', :immediately
notifies :run, "ruby_block[read-hostnames]"
# Set default HiddenServiceDir
node['tor']['HiddenServices'].each do |name, service|
node.default['tor']['HiddenServices'][name]['HiddenServiceDir'] = File.join("/var/lib/tor/", name, "/")
end
end
# Install exit policy notice
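Review bot: `path = "/var/lib/tor/#{name}/hostname"` interpolates the hidden-service name straight into a filesystem path (and the torrc template does the same), so a name containing `/` or `..` would escape `/var/lib/tor`; the attribute is operator-controlled so the risk is low, but a guard at the top of the loop such as `raise ArgumentError, "invalid hidden service name #{name.inspect}" unless name.match?(/\A[\w-]+\z/)` documents and enforces that assumption. With the default `HiddenServiceDir` attribute removed, any role or environment that still sets `service['HiddenServiceDir']` is now silently ignored; a `Chef::Log.warn("HiddenServiceDir for #{name} is ignored; directory is fixed to /var/lib/tor/#{name}/")` when that key is present would surface the stale override. Minor style on the unchanged line: `File.read(path).strip()` should drop the empty parentheses, `File.read(path).strip`.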


@ -88,7 +88,7 @@ DataDirectory <%= node['tor']['DataDirectory'] %>
#HiddenServicePort 22 127.0.0.1:22
<% node['tor']['HiddenServices'].each do |name, service| -%>
HiddenServiceDir <%= service['HiddenServiceDir'] %>
HiddenServiceDir /var/lib/tor/<%= name %>/
<% service['HiddenServicePorts'].each do |port| -%>
HiddenServicePort <%= port %>
<% end -%>
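Review bot: `HiddenServiceDir /var/lib/tor/<%= name %>/` now hard-codes the directory that the recipe's `read-hostnames` ruby_block also reconstructs as `/var/lib/tor/#{name}/hostname`, and nothing ties the two together; a comment here, `# Must stay in sync with the hostname path read by the read-hostnames ruby_block in the recipe`, would protect the next edit. Because `name` is emitted unquoted into torrc, a name containing whitespace or a newline would split into extra directives, so it should be validated in the recipe before it reaches this template. The loop is complete within the hunk, but the torrc template continues beyond it.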