Migrate nginx sites to openresty #511
|
@ -0,0 +1,10 @@
|
|||
{
|
||||
"id": "tor",
|
||||
"services": {
|
||||
"encrypted_data": "CvvJlXfs1KhAveBJ/IdTGa19F/bREnr7DCCuw3CiZ8D04gdn4Yw6WbGwvqhR\nahv5hUvvHTQS/YUxdXE3joTp9MyZ3DK5PbR8sOCWVfylG9YYOJD8nUhxQLA9\nMKU75j5v1K2pAZ4qLkG9HNUPWV4SYWgGY5ok9GzlhCd/g0NGaqZBFyARDxLu\n+diFg9bz2FfELfcgz0m9abbCZDKJkEozVyU+VgXMge0hU52GUrlQnYZe/c43\ngBavOScolmwv7ej7mKmpJMRvNXNSx1avjS/8tQP68KZGBTEbUYisRHKVKWpA\ngBZR/5oGlcn3gLt25xTWRv/GaH+pUfqwKCpjd1vhpEqhK7poDXQUm9mDB3bG\nzLQUwPhJ8gmD9nl+8t3fmKiPPFdaKapOtSpsCTutkzlmGwwo3bhQsYjcD+5U\nqDoHR5UjDwADszjUiRV3/iNHojXCEic0u1RFCNsojYNwP718grVnUcx+U/50\n5A2vgahLG89tmY7DN2padd0xgHM8SkZVGga8DGQNWAPzo12DEJWbtcIwR6gd\nbyOwdPDVvUibBhyGMbBwyfzoFMsS//fulq4xJpoQH1yd9Hd/05YlMJSuP2TW\nLpVBTq5rEA4EAVIVgTMfkkP2nHAeEeCfLkaV8fURKTonaX0g8b5vcPzkpv0F\nVPNeGEBs3tRaIe0dm5eN21HD2lpHyiSKOZwidQH/NAZWB/IK73LGExjd+GnP\ndnqGBQ1wWsYGaM/UQTxbCn+p0QDlJVUWKGgfimjn5ru7le3dZmkCyAB28gLz\nJgXoAAZz3+E+nhdnLeBKkVTLFGzZyNxMlSt33T1QlpCSgCMvzF9kVmzmoexm\nvEtsZrWHvIHN9EVVCC8KgkGyTkmFnTM48BGyGM2ovjLYsOeeef5tqUd6noBi\nJxfYbUIySXtuSXr7pIAE1+Qzp8duRdjaJ0CYbYWf\n",
|
||||
"iv": "qtzvl79A/PZc5JjE\n",
|
||||
"auth_tag": "QXY8QZigLC4nVMIELoZRUA==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
}
|
||||
}
|
|
@ -11,7 +11,10 @@
|
|||
}
|
||||
},
|
||||
"openresty": {
|
||||
"listen_ip": "148.251.237.111"
|
||||
"listen_ip": "148.251.237.111",
|
||||
"log_formats": {
|
||||
"json": "{\"ip\":\"$remote_addr\",\"time\":\"$time_local\",\"host\":\"$host\",\"method\":\"$request_method\",\"uri\":\"$uri\",\"status\":$status,\"size\":$body_bytes_sent,\"referer\":\"$http_referer\",\"upstream_addr\":\"$upstream_addr\",\"upstream_response_time\":\"$upstream_response_time\",\"ua\":\"$http_user_agent\"}"
|
||||
}
|
||||
}
|
||||
},
|
||||
"automatic": {
|
||||
|
@ -21,24 +24,52 @@
|
|||
"hostname": "draco",
|
||||
"ipaddress": "148.251.237.73",
|
||||
"roles": [
|
||||
"base",
|
||||
"kvm_host",
|
||||
"openresty_proxy",
|
||||
"openresty"
|
||||
"openresty",
|
||||
"garage_gateway",
|
||||
"tor_proxy"
|
||||
],
|
||||
"recipes": [
|
||||
"kosmos-base",
|
||||
"kosmos-base::default",
|
||||
"kosmos_encfs",
|
||||
"kosmos_encfs::default",
|
||||
"kosmos_kvm::host",
|
||||
"kosmos_kvm::backup",
|
||||
"kosmos_openresty",
|
||||
"kosmos_openresty::default",
|
||||
"kosmos_openresty::firewall",
|
||||
"kosmos_garage",
|
||||
"kosmos_garage::default",
|
||||
"kosmos_garage::firewall_rpc",
|
||||
"kosmos_assets::nginx_site",
|
||||
"kosmos_discourse::nginx",
|
||||
"kosmos_drone::nginx",
|
||||
"kosmos-ejabberd::nginx",
|
||||
"kosmos_garage::nginx_web",
|
||||
"kosmos_gitea::nginx",
|
||||
"kosmos_gitea::nginx_ssh",
|
||||
"kosmos_rsk::nginx_testnet",
|
||||
"kosmos_rsk::nginx_mainnet",
|
||||
"kosmos_website",
|
||||
"kosmos_website::default",
|
||||
"kosmos-akkounts::nginx",
|
||||
"kosmos-akkounts::nginx_api",
|
||||
"kosmos-bitcoin::nginx_lndhub",
|
||||
"kosmos-hubot::nginx_botka_irc-libera-chat",
|
||||
"kosmos-hubot::nginx_hal8000_xmpp",
|
||||
"kosmos-ipfs::nginx_public_gateway",
|
||||
"kosmos-mastodon::nginx",
|
||||
"remotestorage_discourse::nginx",
|
||||
"kosmos-base::tor_services",
|
||||
"tor-full",
|
||||
"tor-full::default",
|
||||
"kosmos_encfs",
|
||||
"kosmos_encfs::default",
|
||||
"kosmos-ejabberd::firewall",
|
||||
"kosmos-ipfs::firewall_swarm",
|
||||
"kosmos-bitcoin::firewall",
|
||||
"kosmos_zerotier::firewall",
|
||||
"kosmos_openresty",
|
||||
"kosmos_openresty::default",
|
||||
"kosmos_openresty::firewall",
|
||||
"kosmos_assets::nginx_site",
|
||||
"sockethub::firewall",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
|
@ -54,18 +85,20 @@
|
|||
"postfix::_attributes",
|
||||
"postfix::sasl_auth",
|
||||
"hostname::default",
|
||||
"firewall::default",
|
||||
"openresty::apt_package",
|
||||
"openresty::ohai_plugin",
|
||||
"openresty::commons_cleanup",
|
||||
"openresty::commons_user",
|
||||
"openresty::commons_dir",
|
||||
"openresty::commons_script",
|
||||
"openresty::commons_conf",
|
||||
"logrotate::default",
|
||||
"openresty::luarocks",
|
||||
"firewall::default",
|
||||
"git::default",
|
||||
"git::package",
|
||||
"kosmos-base::letsencrypt"
|
||||
"kosmos-base::letsencrypt",
|
||||
"fail2ban::default"
|
||||
],
|
||||
"platform": "ubuntu",
|
||||
"platform_version": "20.04",
|
||||
|
@ -85,12 +118,12 @@
|
|||
"run_list": [
|
||||
"role[base]",
|
||||
"role[kvm_host]",
|
||||
"role[openresty_proxy]",
|
||||
"recipe[kosmos_encfs]",
|
||||
"recipe[kosmos-ejabberd::firewall]",
|
||||
"recipe[kosmos-ipfs::firewall_swarm]",
|
||||
"recipe[kosmos-bitcoin::firewall]",
|
||||
"recipe[kosmos_zerotier::firewall]",
|
||||
"role[openresty_proxy]",
|
||||
"recipe[sockethub::firewall]"
|
||||
]
|
||||
}
|
||||
}
|
|
@ -18,7 +18,12 @@
|
|||
"hostname": "fornax",
|
||||
"ipaddress": "148.251.83.201",
|
||||
"roles": [
|
||||
"nginx_proxy",
|
||||
"base",
|
||||
"kvm_host",
|
||||
"openresty_proxy",
|
||||
"openresty",
|
||||
"garage_gateway",
|
||||
"tor_proxy",
|
||||
"zerotier_controller"
|
||||
],
|
||||
"recipes": [
|
||||
|
@ -26,16 +31,19 @@
|
|||
"kosmos-base::default",
|
||||
"kosmos_kvm::host",
|
||||
"kosmos_kvm::backup",
|
||||
"tor-full",
|
||||
"tor-full::default",
|
||||
"kosmos_assets::nginx_site",
|
||||
"kosmos_discourse::nginx",
|
||||
"kosmos_drone::nginx",
|
||||
"kosmos_openresty",
|
||||
"kosmos_openresty::default",
|
||||
"kosmos_openresty::firewall",
|
||||
"kosmos_garage",
|
||||
"kosmos_garage::default",
|
||||
"kosmos_garage::firewall_rpc",
|
||||
"kosmos_assets::nginx_site",
|
||||
"kosmos_discourse::nginx",
|
||||
"kosmos_drone::nginx",
|
||||
"kosmos-ejabberd::nginx",
|
||||
"kosmos_garage::nginx_web",
|
||||
"kosmos_gitea::nginx",
|
||||
"kosmos_gitea::nginx_ssh",
|
||||
"kosmos_rsk::nginx_testnet",
|
||||
"kosmos_rsk::nginx_mainnet",
|
||||
"kosmos_website",
|
||||
|
@ -43,12 +51,14 @@
|
|||
"kosmos-akkounts::nginx",
|
||||
"kosmos-akkounts::nginx_api",
|
||||
"kosmos-bitcoin::nginx_lndhub",
|
||||
"kosmos-ejabberd::nginx",
|
||||
"kosmos-hubot::nginx_botka_irc-libera-chat",
|
||||
"kosmos-hubot::nginx_hal8000_xmpp",
|
||||
"kosmos-ipfs::nginx_public_gateway",
|
||||
"kosmos-mastodon::nginx",
|
||||
"remotestorage_discourse::nginx",
|
||||
"kosmos-base::tor_services",
|
||||
"tor-full",
|
||||
"tor-full::default",
|
||||
"kosmos_zerotier::controller",
|
||||
"kosmos_zerotier::firewall",
|
||||
"kosmos_zerotier::zncui",
|
||||
|
@ -66,19 +76,16 @@
|
|||
"postfix::_attributes",
|
||||
"postfix::sasl_auth",
|
||||
"hostname::default",
|
||||
"kosmos-nginx::default",
|
||||
"nginx::default",
|
||||
"nginx::package",
|
||||
"nginx::ohai_plugin",
|
||||
"nginx::repo",
|
||||
"nginx::commons",
|
||||
"nginx::commons_dir",
|
||||
"nginx::commons_script",
|
||||
"nginx::commons_conf",
|
||||
"kosmos-nginx::firewall",
|
||||
"discourse::nginx",
|
||||
"openresty::apt_package",
|
||||
"openresty::ohai_plugin",
|
||||
"openresty::commons_cleanup",
|
||||
"openresty::commons_user",
|
||||
"openresty::commons_dir",
|
||||
"openresty::commons_script",
|
||||
"openresty::commons_conf",
|
||||
"logrotate::default",
|
||||
"openresty::luarocks",
|
||||
"firewall::default",
|
||||
"chef-sugar::default",
|
||||
"git::default",
|
||||
"git::package",
|
||||
"kosmos-base::letsencrypt",
|
||||
|
@ -88,20 +95,21 @@
|
|||
"platform_version": "20.04",
|
||||
"cloud": null,
|
||||
"chef_packages": {
|
||||
"ohai": {
|
||||
"version": "15.12.0",
|
||||
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai"
|
||||
},
|
||||
"chef": {
|
||||
"version": "15.17.4",
|
||||
"chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.17.4/lib"
|
||||
"version": "18.2.7",
|
||||
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.2.7/lib",
|
||||
"chef_effortless": null
|
||||
},
|
||||
"ohai": {
|
||||
"version": "18.1.4",
|
||||
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
|
||||
}
|
||||
}
|
||||
},
|
||||
"run_list": [
|
||||
"role[base]",
|
||||
"role[kvm_host]",
|
||||
"role[nginx_proxy]",
|
||||
"role[openresty_proxy]",
|
||||
"role[zerotier_controller]"
|
||||
]
|
||||
}
|
||||
}
|
|
@ -4,13 +4,6 @@ override_attributes(
|
|||
'openresty' => {
|
||||
'server_names_hash_bucket_size' => 128
|
||||
},
|
||||
'tor' => {
|
||||
'HiddenServices' => {
|
||||
'web' => {
|
||||
'HiddenServicePorts' => ['80 127.0.0.1:80', '443 127.0.0.1:443']
|
||||
}
|
||||
}
|
||||
}
|
||||
)
|
||||
|
||||
development_run_list = %w(
|
||||
|
@ -20,31 +13,30 @@ development_run_list = %w(
|
|||
|
||||
default_run_list = %w(
|
||||
role[openresty]
|
||||
tor-full
|
||||
)
|
||||
|
||||
production_run_list = %w(
|
||||
role[openresty]
|
||||
role[garage_gateway]
|
||||
kosmos_assets::nginx_site
|
||||
kosmos_discourse::nginx
|
||||
kosmos_drone::nginx
|
||||
kosmos_garage::default
|
||||
kosmos_garage::firewall_rpc
|
||||
kosmos-ejabberd::nginx
|
||||
kosmos_garage::nginx_web
|
||||
kosmos_gitea::nginx
|
||||
kosmos_gitea::nginx_ssh
|
||||
kosmos_rsk::nginx_testnet
|
||||
kosmos_rsk::nginx_mainnet
|
||||
kosmos_website::default
|
||||
kosmos-akkounts::nginx
|
||||
kosmos-akkounts::nginx_api
|
||||
kosmos-bitcoin::nginx_lndhub
|
||||
kosmos-ejabberd::nginx
|
||||
kosmos-hubot::nginx_botka_irc-libera-chat
|
||||
kosmos-hubot::nginx_hal8000_xmpp
|
||||
kosmos-ipfs::nginx_public_gateway
|
||||
kosmos-mastodon::nginx
|
||||
remotestorage_discourse::nginx
|
||||
)
|
||||
|
||||
production_run_list = %w(
|
||||
role[openresty]
|
||||
kosmos_assets::nginx_site
|
||||
role[tor_proxy]
|
||||
)
|
||||
|
||||
env_run_lists(
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
name "tor_proxy"
|
||||
|
||||
run_list %w(
|
||||
kosmos-base::tor_services
|
||||
tor-full
|
||||
)
|
|
@ -7,5 +7,4 @@ long_description 'Installs/Configures discourse'
|
|||
version '0.1.0'
|
||||
chef_version '>= 14.0'
|
||||
|
||||
depends 'kosmos-nginx'
|
||||
depends 'firewall'
|
||||
|
|
|
@ -1,39 +0,0 @@
|
|||
#
|
||||
# Cookbook:: discourse
|
||||
# Recipe:: nginx
|
||||
#
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
domain = node['discourse']['domain']
|
||||
discourse_role = node['discourse']['role']
|
||||
|
||||
upstream_ip_addresses = []
|
||||
search(:node, "role:#{discourse_role}").each do |n|
|
||||
upstream_ip_addresses << n["knife_zero"]["host"]
|
||||
end
|
||||
# No Discourse host, stop here
|
||||
if upstream_ip_addresses.empty?
|
||||
Chef::Log.warn("No server with '#{discourse_role}' role. Stopping here.")
|
||||
return
|
||||
end
|
||||
|
||||
nginx_certbot_site domain
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||
source "nginx_conf.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables server_name: domain,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
|
||||
upstream_port: node['discourse']['port'],
|
||||
upstream_name: discourse_role,
|
||||
upstream_ip_addresses: upstream_ip_addresses
|
||||
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
|
@ -7,7 +7,7 @@ long_description 'Installs/configures kosmos-akkounts'
|
|||
version '0.2.0'
|
||||
chef_version '>= 18.0'
|
||||
|
||||
depends 'kosmos-nginx'
|
||||
depends 'kosmos_openresty'
|
||||
depends "kosmos-nodejs"
|
||||
depends "redisio"
|
||||
depends "postgresql"
|
||||
|
|
|
@ -3,11 +3,13 @@
|
|||
# Recipe:: nginx
|
||||
#
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
app_name = "akkounts"
|
||||
domain = node[app_name]["domain"]
|
||||
app_name = "akkounts"
|
||||
domain = node[app_name]["domain"]
|
||||
|
||||
nginx_certbot_site domain
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
upstream_hosts = []
|
||||
search(:node, "role:akkounts").each do |node|
|
||||
|
@ -15,10 +17,8 @@ search(:node, "role:akkounts").each do |node|
|
|||
end
|
||||
upstream_hosts.push("localhost") if upstream_hosts.empty?
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||
source "nginx_conf_#{app_name}.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
openresty_site domain do
|
||||
template "nginx_conf_#{app_name}.erb"
|
||||
variables port: node[app_name]['port'],
|
||||
domain: domain,
|
||||
upstream_port: node["akkounts"]["port"],
|
||||
|
@ -26,9 +26,4 @@ template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
|||
root_dir: "/opt/#{app_name}/public",
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
||||
|
|
|
@ -3,29 +3,24 @@
|
|||
# Recipe:: nginx_api
|
||||
#
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
domain = node["akkounts_api"]["domain"]
|
||||
|
||||
nginx_certbot_site domain
|
||||
|
||||
upstream_hosts = []
|
||||
search(:node, "role:akkounts").each do |node|
|
||||
upstream_hosts << node["knife_zero"]["host"]
|
||||
end
|
||||
upstream_hosts.push("localhost") if upstream_hosts.empty?
|
||||
|
||||
template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
|
||||
source "nginx_conf_akkounts_api.erb"
|
||||
owner "www-data"
|
||||
mode 0640
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
openresty_site domain do
|
||||
template "nginx_conf_akkounts_api.erb"
|
||||
variables domain: domain,
|
||||
upstream_port: node["akkounts"]["port"],
|
||||
upstream_hosts: upstream_hosts,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
||||
notifies :reload, "service[nginx]", :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
||||
|
|
|
@ -5,12 +5,12 @@ upstream _akkounts {
|
|||
<% end %>
|
||||
}
|
||||
|
||||
proxy_cache_path /var/cache/nginx/akkounts levels=1:2
|
||||
proxy_cache_path <%= node[:openresty][:cache_dir] %>/akkounts levels=1:2
|
||||
keys_zone=akkounts_cache:10m
|
||||
max_size=1g inactive=120m use_temp_path=off;
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name <%= @domain %>;
|
||||
|
||||
|
@ -19,8 +19,8 @@ server {
|
|||
|
||||
add_header Strict-Transport-Security "max-age=15768000";
|
||||
|
||||
access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
|
||||
error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
|
||||
access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log json;
|
||||
error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;
|
||||
|
||||
root <%= @root_dir %>;
|
||||
|
||||
|
|
|
@ -6,7 +6,7 @@ upstream _akkounts_api {
|
|||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name <%= @domain %>;
|
||||
|
||||
|
@ -15,8 +15,8 @@ server {
|
|||
|
||||
add_header 'Strict-Transport-Security' 'max-age=31536000';
|
||||
|
||||
access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
|
||||
error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
|
||||
access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log json;
|
||||
error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;
|
||||
|
||||
location /kredits/ {
|
||||
add_header 'Access-Control-Allow-Origin' '*' always;
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
#
|
||||
# Cookbook Name:: kosmos-base
|
||||
# Recipe:: tor_services
|
||||
#
|
||||
|
||||
tor_services = data_bag_item('credentials', 'tor')['services']
|
||||
|
||||
tor_service "ejabberd" do
|
||||
hostname tor_services['ejabberd']['hostname']
|
||||
public_key tor_services['ejabberd']['public_key']
|
||||
secret_key tor_services['ejabberd']['secret_key']
|
||||
# TODO configure IP from node attribute
|
||||
# (This is hardcoded for draco atm)
|
||||
ports [ "5222 148.251.237.73:5222",
|
||||
"5223 148.251.237.73:5223",
|
||||
"5269 148.251.237.73:5269" ]
|
||||
end
|
||||
|
||||
tor_service "web" do
|
||||
hostname tor_services['web']['hostname']
|
||||
public_key tor_services['web']['public_key']
|
||||
secret_key tor_services['web']['secret_key']
|
||||
ports ['80 127.0.0.1:80', '443 127.0.0.1:443']
|
||||
end
|
|
@ -0,0 +1,52 @@
|
|||
require "base64"
|
||||
|
||||
resource_name :tor_service
|
||||
provides :tor_service
|
||||
|
||||
property :name, [String], name_property: true
|
||||
property :hostname, [String], required: true
|
||||
property :public_key, [String], required: true # base64 encoded content of generated key file
|
||||
property :secret_key, [String], required: true # base64 encoded content of generated key file
|
||||
property :ports, [Array], required: true
|
||||
|
||||
default_action :create
|
||||
|
||||
action :create do
|
||||
name = new_resource.name
|
||||
ports = Array(new_resource.ports)
|
||||
service_dir = "#{node['tor']['DataDirectory']}/#{name}"
|
||||
user = "debian-tor"
|
||||
group = "debian-tor"
|
||||
|
||||
node.normal['tor']['HiddenServices'][name]['HiddenServicePorts'] = ports
|
||||
|
||||
directory service_dir do
|
||||
recursive true
|
||||
owner user
|
||||
group group
|
||||
mode '4700'
|
||||
end
|
||||
|
||||
file "#{service_dir}/hostname" do
|
||||
content new_resource.hostname
|
||||
owner user
|
||||
group group
|
||||
mode '0600'
|
||||
end
|
||||
|
||||
file "#{service_dir}/hs_ed25519_public_key" do
|
||||
content Base64.decode64(new_resource.public_key)
|
||||
owner user
|
||||
group group
|
||||
mode '0600'
|
||||
sensitive true
|
||||
end
|
||||
|
||||
file "#{service_dir}/hs_ed25519_secret_key" do
|
||||
content Base64.decode64(new_resource.secret_key)
|
||||
owner user
|
||||
group group
|
||||
mode '0600'
|
||||
sensitive true
|
||||
end
|
||||
end
|
|
@ -14,6 +14,7 @@ depends 'git'
|
|||
depends 'golang'
|
||||
depends 'kosmos-nginx'
|
||||
depends 'kosmos-nodejs'
|
||||
depends 'kosmos_openresty'
|
||||
depends 'kosmos_postgresql'
|
||||
depends 'postgresql'
|
||||
depends 'redisio'
|
||||
|
|
|
@ -3,27 +3,20 @@
|
|||
# Recipe:: nginx_lndhub
|
||||
#
|
||||
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
domain = node['lndhub-go']['domain']
|
||||
|
||||
nginx_certbot_site domain
|
||||
|
||||
upstream_host = search(:node, "role:lndhub").first["knife_zero"]["host"]
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||
source 'nginx_conf_lndhub.erb'
|
||||
owner node["nginx"]["user"]
|
||||
mode 0640
|
||||
variables port: node['lndhub-go']['port'],
|
||||
server_name: domain,
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
openresty_site domain do
|
||||
template 'nginx_conf_lndhub.erb'
|
||||
variables server_name: domain,
|
||||
port: node['lndhub-go']['port'],
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
|
||||
upstream_host: upstream_host
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
||||
|
|
|
@ -6,14 +6,14 @@ upstream _lndhub {
|
|||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name <%= @server_name %>;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=15768000";
|
||||
|
||||
access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json;
|
||||
error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn;
|
||||
access_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.access.log json;
|
||||
error_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.error.log warn;
|
||||
|
||||
location / {
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
|
|
@ -6,14 +6,6 @@ node.default["kosmos-ejabberd"]["stun_turn_port"] = 3478
|
|||
node.default["kosmos-ejabberd"]["turn_min_port"] = 50000
|
||||
node.default["kosmos-ejabberd"]["turn_max_port"] = 50050
|
||||
|
||||
node.override["tor"]["HiddenServices"]["ejabberd"] = {
|
||||
"HiddenServicePorts" => [
|
||||
"5222 127.0.0.1:5222",
|
||||
"5223 127.0.0.1:5223",
|
||||
"5269 127.0.0.1:5269"
|
||||
]
|
||||
}
|
||||
|
||||
node.default["kosmos-ejabberd"]["uploads"] = {
|
||||
"domain" => "uploads.kosmos.chat",
|
||||
"max_upload_size_mb" => "100",
|
||||
|
|
|
@ -205,10 +205,3 @@ firewall_rule 'ejabberd_http' do
|
|||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
|
||||
#
|
||||
# Tor hidden service
|
||||
#
|
||||
# The attributes for the hidden service are set in attributes/default.rb, due
|
||||
# to the way the tor-full cookbook builds the path to the hidden service dir
|
||||
include_recipe "tor-full"
|
||||
|
|
|
@ -17,28 +17,15 @@ rescue IPAddr::InvalidAddressError
|
|||
next
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/streams-available/ejabberd" do
|
||||
source "nginx_conf_streams.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
# variables ejabberd_hosts: ejabberd_hosts
|
||||
openresty_stream "ejabberd" do
|
||||
template "nginx_conf_streams.erb"
|
||||
variables ejabberd_hosts: ["10.1.1.113"],
|
||||
stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
|
||||
turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
|
||||
turn_max_port: node["kosmos-ejabberd"]["turn_max_port"]
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_stream "ejabberd" do
|
||||
action :enable
|
||||
end
|
||||
|
||||
firewall_rule "ejabberd" do
|
||||
port [5222, 5223, 5269, 5443]
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
|
||||
firewall_rule 'ejabberd_stun_turn' do
|
||||
port node["kosmos-ejabberd"]["stun_turn_port"]
|
||||
protocol :udp
|
||||
|
|
|
@ -5,34 +5,6 @@ log_format proxy '$remote_addr [$time_local] '
|
|||
|
||||
access_log /var/log/nginx/streams.log proxy buffer=32k flush=1m;
|
||||
|
||||
upstream ejabberd_c2s {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
server <%= ip_address %>:5222;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
upstream ejabberd_c2s_tls {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
server <%= ip_address %>:5223;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
upstream ejabberd_s2s {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
server <%= ip_address %>:5269;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
upstream ejabberd_https {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
server <%= ip_address %>:5443;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
upstream ejabberd_stun_turn {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
|
@ -50,36 +22,12 @@ upstream ejabberd_turn {
|
|||
}
|
||||
|
||||
server {
|
||||
listen 5222;
|
||||
proxy_protocol on;
|
||||
proxy_pass ejabberd_c2s;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 5223;
|
||||
proxy_protocol on;
|
||||
proxy_pass ejabberd_c2s;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 5269;
|
||||
proxy_protocol on;
|
||||
proxy_pass ejabberd_s2s;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 5443;
|
||||
proxy_protocol on;
|
||||
proxy_pass ejabberd_https;
|
||||
}
|
||||
|
||||
server {
|
||||
listen <%= @stun_turn_port %> udp;
|
||||
listen <%= @stun_turn_port %> udp;
|
||||
proxy_pass ejabberd_stun_turn;
|
||||
}
|
||||
|
||||
server {
|
||||
listen <%= "#{@turn_min_port}-#{@turn_max_port}" %> udp;
|
||||
listen <%= "#{@turn_min_port}-#{@turn_max_port}" %> udp;
|
||||
proxy_pass 10.1.1.113:$server_port;
|
||||
#proxy_pass ejabberd_turn;
|
||||
}
|
||||
|
|
|
@ -9,6 +9,7 @@ version '0.2.0'
|
|||
depends 'kosmos-base'
|
||||
depends 'kosmos-nodejs'
|
||||
depends 'kosmos-ipfs'
|
||||
depends 'kosmos_openresty'
|
||||
depends 'firewall'
|
||||
depends 'git'
|
||||
depends 'redisio'
|
||||
|
|
|
@ -1,24 +1,17 @@
|
|||
include_recipe "kosmos-base::letsencrypt"
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
domain = "irc-libera-chat.botka.kosmos.chat"
|
||||
|
||||
nginx_certbot_site domain
|
||||
|
||||
upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||
source 'nginx_conf_hubot.erb'
|
||||
owner node["nginx"]["user"]
|
||||
mode 0640
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
openresty_site domain do
|
||||
template 'nginx_conf_hubot.erb'
|
||||
variables express_port: node['botka_irc-libera-chat']['http_port'],
|
||||
server_name: domain,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
|
||||
upstream_host: upstream_host
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
||||
|
|
|
@ -1,24 +1,18 @@
|
|||
include_recipe "kosmos-base::letsencrypt"
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
app_name = "hal8000_xmpp"
|
||||
|
||||
nginx_certbot_site node[app_name]['domain']
|
||||
domain = node[app_name]['domain']
|
||||
|
||||
upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{node[app_name]['domain']}" do
|
||||
source 'nginx_conf_hubot.erb'
|
||||
owner node["nginx"]["user"]
|
||||
mode 0640
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
openresty_site domain do
|
||||
template 'nginx_conf_hubot.erb'
|
||||
variables express_port: node[app_name]['http_port'],
|
||||
server_name: node[app_name]['domain'],
|
||||
ssl_cert: "/etc/letsencrypt/live/#{node[app_name]['domain']}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{node[app_name]['domain']}/privkey.pem",
|
||||
upstream_host: upstream_host
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site node[app_name]['domain'] do
|
||||
action :enable
|
||||
end
|
||||
|
|
|
@ -6,14 +6,14 @@ upstream _express_<%= @server_name.gsub(".", "_") %> {
|
|||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name <%= @server_name %>;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=15768000";
|
||||
|
||||
access_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.access.log json;
|
||||
error_log <%= node[:nginx][:log_dir] %>/<%= @server_name %>.error.log warn;
|
||||
access_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.access.log json;
|
||||
error_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.error.log warn;
|
||||
|
||||
location / {
|
||||
# Increase number of buffers. Default is 8
|
||||
|
|
|
@ -9,6 +9,6 @@ version '0.3.0'
|
|||
depends 'ipfs'
|
||||
depends 'fail2ban'
|
||||
depends 'kosmos-base'
|
||||
depends 'kosmos-nginx'
|
||||
depends 'kosmos-nodejs'
|
||||
depends 'kosmos_openresty'
|
||||
depends 'firewall'
|
||||
|
|
|
@ -3,7 +3,6 @@
|
|||
# Recipe:: nginx_public_gateway
|
||||
#
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
include_recipe 'firewall'
|
||||
|
||||
domain = node["kosmos-ipfs"]["nginx"]["domain"]
|
||||
|
@ -13,12 +12,13 @@ search(:node, "role:ipfs_gateway").each do |node|
|
|||
ipfs_node_ip_addresses << node["knife_zero"]["host"]
|
||||
end
|
||||
|
||||
nginx_certbot_site domain
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||
source "nginx_conf_#{domain}.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
openresty_site domain do
|
||||
template "nginx_conf_#{domain}.erb"
|
||||
variables server_name: domain,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
|
||||
|
@ -26,12 +26,6 @@ template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
|||
ipfs_gateway_port: node['kosmos-ipfs']['gateway_port'],
|
||||
ipfs_external_api_port: node['kosmos-ipfs']['nginx']['external_api_port'],
|
||||
upstream_hosts: ipfs_node_ip_addresses
|
||||
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
||||
|
||||
firewall_rule 'ipfs_api' do
|
||||
|
|
|
@ -10,10 +10,9 @@ upstream _ipfs_api {
|
|||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name <%= @server_name %>;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
access_log /var/log/nginx/<%= @server_name %>.access.log;
|
||||
error_log /var/log/nginx/<%= @server_name %>.error.log;
|
||||
|
@ -28,7 +27,7 @@ server {
|
|||
|
||||
server {
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
listen <%= @ipfs_external_api_port %> ssl http2;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %><%= @ipfs_external_api_port %> ssl http2;
|
||||
<% else -%>
|
||||
listen <%= @ipfs_external_api_port %>;
|
||||
<% end -%>
|
||||
|
|
|
@ -11,9 +11,8 @@ depends 'elasticsearch'
|
|||
depends 'java'
|
||||
depends 'firewall'
|
||||
depends 'redisio'
|
||||
depends 'tor-full'
|
||||
depends 'postgresql'
|
||||
depends 'kosmos-nginx'
|
||||
depends 'kosmos-nodejs'
|
||||
depends 'kosmos_openresty'
|
||||
depends 'kosmos_postgresql'
|
||||
depends 'ruby_build'
|
||||
|
|
|
@ -3,57 +3,51 @@
|
|||
# Recipe:: nginx
|
||||
#
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
app_dir = node["kosmos-mastodon"]["directory"]
|
||||
server_name = node["kosmos-mastodon"]["domain"]
|
||||
is_proxy = node.roles.include?('nginx_proxy') rescue nil
|
||||
upstream_hosts = []
|
||||
|
||||
if is_proxy
|
||||
upstream_hosts = []
|
||||
search(:node, "role:mastodon").each do |node|
|
||||
upstream_hosts << node["knife_zero"]["host"]
|
||||
end
|
||||
if upstream_hosts.any?
|
||||
web_root_dir = "/var/www/#{server_name}/public"
|
||||
search(:node, "role:mastodon").each do |node|
|
||||
upstream_hosts << node["knife_zero"]["host"]
|
||||
end
|
||||
else
|
||||
web_root_dir = "#{app_dir}/public"
|
||||
upstream_hosts << "localhost"
|
||||
end
|
||||
|
||||
directory "#{node['nginx']['dir']}/snippets" do
|
||||
directory "#{node['openresty']['dir']}/snippets" do
|
||||
action :create
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/snippets/mastodon.conf" do
|
||||
template "#{node['openresty']['dir']}/snippets/mastodon.conf" do
|
||||
source 'nginx_conf_shared.erb'
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables web_root_dir: web_root_dir,
|
||||
server_name: server_name
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
notifies :reload, 'service[openresty]', :delayed
|
||||
end
|
||||
|
||||
nginx_certbot_site server_name
|
||||
tls_cert_for server_name do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
onion_address = File.read("/var/lib/tor/web/hostname").strip rescue nil rescue nil
|
||||
tor_services = data_bag_item('credentials', 'tor')['services']
|
||||
onion_address = tor_services['web']['hostname']
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
|
||||
source 'nginx_conf_mastodon.erb'
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
openresty_site server_name do
|
||||
template 'nginx_conf_mastodon.erb'
|
||||
variables server_name: server_name,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem",
|
||||
shared_config_path: "#{node['nginx']['dir']}/snippets/mastodon.conf",
|
||||
shared_config_path: "#{node['openresty']['dir']}/snippets/mastodon.conf",
|
||||
app_port: node["kosmos-mastodon"]["app_port"],
|
||||
streaming_port: node["kosmos-mastodon"]["streaming_port"],
|
||||
onion_address: onion_address,
|
||||
upstream_hosts: upstream_hosts
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site server_name do
|
||||
action :enable
|
||||
end
|
||||
|
|
|
@ -20,7 +20,7 @@ proxy_cache_path /var/cache/nginx/mastodon levels=1:2
|
|||
max_size=1g inactive=120m use_temp_path=off;
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name <%= @server_name %>;
|
||||
include <%= @shared_config_path %>;
|
||||
|
@ -36,12 +36,12 @@ server {
|
|||
|
||||
<% if @onion_address %>
|
||||
server {
|
||||
listen 80;
|
||||
listen 127.0.0.1:80;
|
||||
server_name mastodon.<%= @onion_address %>;
|
||||
include <%= @shared_config_path %>;
|
||||
}
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen 127.0.0.1:443 ssl http2;
|
||||
server_name mastodon.<%= @onion_address %>;
|
||||
include <%= @shared_config_path %>;
|
||||
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
# kosmos-parity CHANGELOG
|
||||
|
||||
## 0.1.0
|
||||
- [Greg Karékinian] - Initial release of kosmos-parity
|
|
@ -1,20 +0,0 @@
|
|||
Copyright (c) 2019 Kosmos Developers
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining
|
||||
a copy of this software and associated documentation files (the
|
||||
"Software"), to deal in the Software without restriction, including
|
||||
without limitation the rights to use, copy, modify, merge, publish,
|
||||
distribute, sublicense, and/or sell copies of the Software, and to
|
||||
permit persons to whom the Software is furnished to do so, subject to
|
||||
the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be
|
||||
included in all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
||||
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
||||
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
||||
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
||||
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
@ -1,52 +0,0 @@
|
|||
# kosmos-parity Cookbook
|
||||
|
||||
This cookbook installs [Parity](https://parity.io/) nodes
|
||||
|
||||
## Requirements
|
||||
|
||||
### Platforms
|
||||
|
||||
- Ubuntu
|
||||
|
||||
### Chef
|
||||
|
||||
- Chef 12.1 or later
|
||||
|
||||
## Attributes
|
||||
|
||||
### kosmos-parity::default
|
||||
|
||||
<table>
|
||||
<tr>
|
||||
<th>Key</th>
|
||||
<th>Type</th>
|
||||
<th>Description</th>
|
||||
<th>Default</th>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><tt>['kosmos-parity']['home_path']</tt></td>
|
||||
<td>String</td>
|
||||
<td>The parity user's home path</td>
|
||||
<td><tt>/home/parity</tt></td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
## Usage
|
||||
|
||||
### kosmos-parity::default
|
||||
|
||||
### kosmos-parity::node_dev
|
||||
|
||||
Sets up a parity node running on the dev chain on port 8545 (behind nginx, with
|
||||
HTTPS)
|
||||
|
||||
### kosmos-parity::node_testnet
|
||||
|
||||
Sets up a parity node running on the testnet chain on port 8546 (behind nginx,
|
||||
with HTTPS)
|
||||
|
||||
## License and Authors
|
||||
|
||||
Authors:
|
||||
|
||||
* Greg Karékinian
|
|
@ -1,7 +0,0 @@
|
|||
node.default['kosmos-parity']['home_path'] = "/home/parity"
|
||||
node.default['kosmos-parity']['version'] = "1.6.6"
|
||||
node.default['kosmos-parity']['package_checksum'] = '7fd51ded7a367774e62c965088ffd15ad0fa42251005d448eb700cbf5db8df24'
|
||||
node.default['kosmos-parity']['package_version'] = '1.7.0'
|
||||
node.default['kosmos-parity']['package_timestamp'] = '1493999009'
|
||||
node.default['kosmos-parity']['debian_package_dir'] = Chef::Config[:file_cache_path]
|
||||
node.default['kosmos-parity']['hostname'] = "parity.kosmos.org"
|
|
@ -1,14 +0,0 @@
|
|||
name 'kosmos-parity'
|
||||
maintainer 'Kosmos'
|
||||
maintainer_email 'mail@kosmos.org'
|
||||
license 'MIT'
|
||||
description 'Installs/Configures kosmos-parity'
|
||||
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
|
||||
version '0.1.0'
|
||||
|
||||
gem 'toml'
|
||||
|
||||
depends 'ark'
|
||||
depends 'kosmos-nginx'
|
||||
depends 'firewall'
|
||||
depends 'backup'
|
|
@ -1,6 +0,0 @@
|
|||
|
||||
return if node.chef_environment == "development"
|
||||
|
||||
# Backup the local directory
|
||||
node.override["backup"]["archives"]["parity"] = ["#{node['kosmos-parity']['home_path']}/.local/share/io.parity.ethereum/**/keys"]
|
||||
include_recipe "backup"
|
|
@ -1,86 +0,0 @@
|
|||
#
|
||||
# Cookbook Name:: kosmos-parity
|
||||
# Recipe:: create_package_from_github
|
||||
#
|
||||
# The MIT License (MIT)
|
||||
#
|
||||
# Copyright:: 2019, Kosmos Developers
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
# THE SOFTWARE.
|
||||
|
||||
include_recipe 'kosmos-parity::user'
|
||||
build_essential 'kosmos-parity'
|
||||
package %w(git libssl-dev pkg-config libudev-dev)
|
||||
gem_package 'fpm' do
|
||||
version '1.8.1'
|
||||
end
|
||||
|
||||
rust_version = '1.17.0'
|
||||
architecture = node['kernel']['machine']
|
||||
rust_canonical_basename = "rust-#{rust_version}-#{architecture}-unknown-linux-gnu"
|
||||
rust_path = "/usr/local/rust_#{rust_version}"
|
||||
|
||||
url = "https://static.rust-lang.org/dist/#{rust_canonical_basename}.tar.gz"
|
||||
|
||||
ark "rust_#{rust_version}" do
|
||||
url url
|
||||
path "/usr/local"
|
||||
action :put
|
||||
notifies :run, "execute[install rust]", :immediately
|
||||
end
|
||||
|
||||
execute "install rust" do
|
||||
command "./install.sh"
|
||||
cwd "#{rust_path}"
|
||||
action :nothing
|
||||
end
|
||||
|
||||
parity_revision = "0d8920347a72fc50e82b540855eba94c8bbb2c0f"
|
||||
|
||||
git "/home/parity/parity" do
|
||||
repository "https://github.com/paritytech/parity.git"
|
||||
revision parity_revision
|
||||
user "parity"
|
||||
group "parity"
|
||||
notifies :run, "execute[build parity]", :immediately
|
||||
end
|
||||
|
||||
execute "build parity" do
|
||||
cwd "/home/parity/parity"
|
||||
environment "HOME" => "/home/parity"
|
||||
command "cargo build --release"
|
||||
action :nothing
|
||||
user "parity"
|
||||
group "parity"
|
||||
notifies :run, "execute[copy parity]", :immediately
|
||||
end
|
||||
|
||||
execute "copy parity" do
|
||||
command "cp /home/parity/parity/target/release/parity /usr/bin/"
|
||||
action :run
|
||||
notifies :run, "execute[create package]", :immediately
|
||||
end
|
||||
|
||||
timestamp = Time.now.strftime('%s')
|
||||
parity_version = node['kosmos-parity']['package_version']
|
||||
execute "create package" do
|
||||
cwd node['kosmos-parity']['debian_package_dir']
|
||||
command "fpm -s dir -t deb -n parity -v #{parity_version}-#{timestamp} -p parity_#{parity_version}-#{timestamp}.deb /usr/bin/parity"
|
||||
action :nothing
|
||||
end
|
|
@ -1,42 +0,0 @@
|
|||
#
|
||||
# Cookbook Name:: kosmos-parity
|
||||
# Recipe:: default
|
||||
#
|
||||
# The MIT License (MIT)
|
||||
#
|
||||
# Copyright:: 2019, Kosmos Developers
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
# THE SOFTWARE.
|
||||
|
||||
include_recipe 'kosmos-parity::user'
|
||||
|
||||
parity_version = node['kosmos-parity']['version']
|
||||
parity_package_path = "#{Chef::Config[:file_cache_path]}/parity_#{parity_version}_amd64.deb"
|
||||
remote_file parity_package_path do
|
||||
source "https://d1h4xl4cr1h0mo.cloudfront.net/v#{parity_version}/x86_64-unknown-linux-gnu/parity_#{parity_version}_amd64.deb"
|
||||
checksum node['kosmos-parity']['checksum']
|
||||
mode 0750
|
||||
notifies :install, "dpkg_package[parity]", :immediately
|
||||
end
|
||||
|
||||
dpkg_package "parity" do
|
||||
source parity_package_path
|
||||
end
|
||||
|
||||
include_recipe "kosmos-parity::backup"
|
|
@ -1,46 +0,0 @@
|
|||
#
|
||||
# Cookbook Name:: kosmos-parity
|
||||
# Recipe:: default
|
||||
#
|
||||
# The MIT License (MIT)
|
||||
#
|
||||
# Copyright:: 2019, Kosmos Developers
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
# THE SOFTWARE.
|
||||
|
||||
include_recipe 'kosmos-parity::user'
|
||||
|
||||
parity_version = node['kosmos-parity']['package_version']
|
||||
package_timestamp = node['kosmos-parity']['package_timestamp']
|
||||
parity_filename = "parity_#{parity_version}-#{package_timestamp}.deb"
|
||||
|
||||
parity_package_path = "#{Chef::Config[:file_cache_path]}/#{parity_filename}"
|
||||
remote_file parity_package_path do
|
||||
source "https://dl.5apps.com/#{parity_filename}"
|
||||
checksum node['kosmos-parity']['checksum']
|
||||
mode 0750
|
||||
notifies :install, "dpkg_package[parity]", :immediately
|
||||
end
|
||||
|
||||
dpkg_package "parity" do
|
||||
source parity_package_path
|
||||
version "#{parity_version}-#{package_timestamp}"
|
||||
end
|
||||
|
||||
include_recipe "kosmos-parity::backup"
|
|
@ -1,75 +0,0 @@
|
|||
#
|
||||
# Cookbook Name:: kosmos-parity
|
||||
# Recipe:: node_dev
|
||||
#
|
||||
# The MIT License (MIT)
|
||||
#
|
||||
# Copyright:: 2019, Kosmos Developers
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
# THE SOFTWARE.
|
||||
|
||||
# Sets up a parity node running on the dev chain on port 8545 (behind nginx,
|
||||
# with HTTPS)
|
||||
|
||||
rpc_proxy_port = 8545
|
||||
rpc_port = 18545
|
||||
dapps_port = 8180
|
||||
|
||||
parity_node "dev" do
|
||||
password "parityparity"
|
||||
config parity: {
|
||||
chain: "dev",
|
||||
no_download: true, # Don't download updates
|
||||
},
|
||||
network: {
|
||||
port: 30303,
|
||||
warp: true,
|
||||
allow_ips: "public" # Don't connect to local IPs
|
||||
},
|
||||
rpc: {
|
||||
port: rpc_port,
|
||||
cors: "*",
|
||||
apis: ["web3", "net", "traces", "rpc", "eth"],
|
||||
hosts: ["all"],
|
||||
},
|
||||
dapps: {
|
||||
port: dapps_port,
|
||||
},
|
||||
ui: {
|
||||
disable: true,
|
||||
},
|
||||
websockets: {
|
||||
disable: true,
|
||||
},
|
||||
mining: {
|
||||
reseal_min_period: 0,
|
||||
}
|
||||
rpc_proxy_port rpc_proxy_port
|
||||
end
|
||||
|
||||
# The firewall_rule doesn't appear to work inside a resource, that's why we're
|
||||
# doing it here
|
||||
unless node.chef_environment == "development"
|
||||
include_recipe 'firewall'
|
||||
firewall_rule "parity_dev" do
|
||||
port rpc_proxy_port
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
end
|
|
@ -1,74 +0,0 @@
|
|||
#
|
||||
# Cookbook Name:: kosmos-parity
|
||||
# Recipe:: node_mainnet
|
||||
#
|
||||
# The MIT License (MIT)
|
||||
#
|
||||
# Copyright:: 2019, Kosmos Developers
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
# THE SOFTWARE.
|
||||
|
||||
# Sets up a parity node running on the mainnet chain on port 8547 (behind
|
||||
# nginx, with HTTPS)
|
||||
|
||||
rpc_proxy_port = 8547
|
||||
rpc_port = 18547
|
||||
dapps_port = 8182
|
||||
|
||||
credentials = Chef::EncryptedDataBagItem.load('credentials', 'parity')
|
||||
|
||||
parity_node "mainnet" do
|
||||
password credentials["mainnet_password"]
|
||||
config parity: {
|
||||
chain: "homestead",
|
||||
no_download: true, # Don't Download Updates
|
||||
},
|
||||
network: {
|
||||
port: 30305,
|
||||
warp: true,
|
||||
allow_ips: "public" # Don't connect to local IPs
|
||||
},
|
||||
rpc: {
|
||||
port: rpc_port,
|
||||
cors: "*",
|
||||
apis: ["web3", "net", "traces", "rpc", "eth"],
|
||||
hosts: ["all"],
|
||||
},
|
||||
dapps: {
|
||||
port: dapps_port,
|
||||
},
|
||||
ui: {
|
||||
disable: true,
|
||||
},
|
||||
websockets: {
|
||||
disable: true,
|
||||
}
|
||||
rpc_proxy_port rpc_proxy_port
|
||||
end
|
||||
|
||||
# The firewall_rule doesn't appear to work inside a resource, that's why we're
|
||||
# doing it here
|
||||
unless node.chef_environment == "development"
|
||||
include_recipe 'firewall'
|
||||
firewall_rule "parity_mainnet" do
|
||||
port rpc_proxy_port
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
end
|
|
@ -1,75 +0,0 @@
|
|||
#
|
||||
# Cookbook Name:: kosmos-parity
|
||||
# Recipe:: node_testnet
|
||||
#
|
||||
# The MIT License (MIT)
|
||||
#
|
||||
# Copyright:: 2019, Kosmos Developers
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
# THE SOFTWARE.
|
||||
|
||||
# Sets up a parity node running on the testnet chain on port 8546 (behind
|
||||
# nginx, with HTTPS)
|
||||
|
||||
rpc_proxy_port = 8546
|
||||
rpc_port = 18546
|
||||
dapps_port = 8181
|
||||
network_port = 30304
|
||||
|
||||
credentials = Chef::EncryptedDataBagItem.load('credentials', 'parity')
|
||||
|
||||
parity_node "testnet" do
|
||||
password credentials["testnet_password"]
|
||||
config parity: {
|
||||
chain: "ropsten",
|
||||
no_download: true, # Don't download updates
|
||||
},
|
||||
network: {
|
||||
port: network_port,
|
||||
warp: true,
|
||||
allow_ips: "public" # Don't connect to local IPs
|
||||
},
|
||||
rpc: {
|
||||
port: rpc_port,
|
||||
cors: "*",
|
||||
apis: ["web3", "net", "traces", "rpc", "eth"],
|
||||
hosts: ["all"],
|
||||
},
|
||||
dapps: {
|
||||
port: dapps_port,
|
||||
},
|
||||
ui: {
|
||||
disable: true,
|
||||
},
|
||||
websockets: {
|
||||
disable: true,
|
||||
}
|
||||
rpc_proxy_port rpc_proxy_port
|
||||
end
|
||||
|
||||
# The firewall_rule doesn't appear to work inside a resource, that's why we're
|
||||
# doing it here
|
||||
unless node.chef_environment == "development"
|
||||
include_recipe 'firewall'
|
||||
firewall_rule "parity_testnet" do
|
||||
port [ rpc_proxy_port, network_port ]
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
end
|
|
@ -1,37 +0,0 @@
|
|||
#
|
||||
# Cookbook Name:: kosmos-parity
|
||||
# Recipe:: user
|
||||
#
|
||||
# The MIT License (MIT)
|
||||
#
|
||||
# Copyright:: 2019, Kosmos Developers
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
# THE SOFTWARE.
|
||||
|
||||
group "parity" do
|
||||
gid 72748
|
||||
end
|
||||
|
||||
user "parity" do
|
||||
system true
|
||||
manage_home true
|
||||
comment "parity user"
|
||||
uid 72748
|
||||
gid 72748
|
||||
end
|
|
@ -1,136 +0,0 @@
|
|||
require 'toml'
|
||||
|
||||
provides :parity_node
|
||||
|
||||
property :name, String, name_property: true, required: true
|
||||
property :config, Hash, required: true
|
||||
property :password, String, required: true
|
||||
property :rpc_proxy_port, Integer
|
||||
|
||||
action :enable do
|
||||
node_name = name
|
||||
parity_service = "parity_#{node_name}"
|
||||
base_path = "#{node['kosmos-parity']['home_path']}/.local/share/io.parity.ethereum/#{node_name}"
|
||||
config_path = "#{base_path}/config.toml"
|
||||
|
||||
config[:parity][:base_path] = base_path
|
||||
config[:account] = {}
|
||||
config[:account][:password] = ["#{base_path}/password"]
|
||||
|
||||
if config[:parity][:chain] == "dev"
|
||||
config[:parity][:chain] = "#{base_path}/chain-config.json"
|
||||
end
|
||||
|
||||
directory base_path do
|
||||
recursive true
|
||||
owner "parity"
|
||||
group "parity"
|
||||
end
|
||||
|
||||
%w(chains keys).each do |subfolder|
|
||||
directory "#{base_path}/#{subfolder}" do
|
||||
recursive true
|
||||
owner "parity"
|
||||
group "parity"
|
||||
end
|
||||
end
|
||||
|
||||
password_path = "#{base_path}/password"
|
||||
|
||||
file password_path do
|
||||
content password
|
||||
owner "parity"
|
||||
group "parity"
|
||||
mode 0640
|
||||
end
|
||||
|
||||
ruby_block "generate config" do
|
||||
block do
|
||||
parity_args = "--chain #{config[:parity][:chain]} --base-path #{base_path}"
|
||||
|
||||
parity_account_list = Mixlib::ShellOut.new(
|
||||
"parity account list #{parity_args}",
|
||||
user: "parity"
|
||||
)
|
||||
parity_account_list.run_command
|
||||
|
||||
parity_account = parity_account_list.stdout.strip.gsub(/[(\[|\])]/, '')
|
||||
|
||||
if parity_account.empty?
|
||||
parity_account_create = Mixlib::ShellOut.new(
|
||||
"parity account new #{parity_args} --password #{base_path}/password",
|
||||
user: "parity"
|
||||
)
|
||||
parity_account_create.run_command
|
||||
|
||||
parity_account = parity_account_create.stdout.strip
|
||||
end
|
||||
|
||||
config[:account][:unlock] = [parity_account]
|
||||
|
||||
# Using our own chain config (i.e. dev)
|
||||
if config[:parity][:chain].include?(".json")
|
||||
template "#{base_path}/chain-config.json" do
|
||||
source 'chain-config.json.erb'
|
||||
variables parity_account: parity_account
|
||||
owner "parity"
|
||||
group "parity"
|
||||
mode 0640
|
||||
notifies :restart, "service[#{parity_service}]", :delayed
|
||||
end
|
||||
end
|
||||
|
||||
file "config" do
|
||||
path config_path
|
||||
content TOML::Generator.new(config).body
|
||||
owner "parity"
|
||||
group "parity"
|
||||
mode 0640
|
||||
notifies :restart, "service[#{parity_service}]", :delayed
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
execute "systemctl daemon-reload" do
|
||||
command "systemctl daemon-reload"
|
||||
action :nothing
|
||||
end
|
||||
|
||||
template "/lib/systemd/system/#{parity_service}.service" do
|
||||
source "parity.systemd.service.erb"
|
||||
variables config_file: config_path
|
||||
notifies :run, "execute[systemctl daemon-reload]", :delayed
|
||||
notifies :restart, "service[#{parity_service}]", :delayed
|
||||
end
|
||||
|
||||
service parity_service do
|
||||
action [:enable, :start]
|
||||
end
|
||||
|
||||
if rpc_proxy_port
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
hostname = node['kosmos-parity']['hostname']
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{parity_service}" do
|
||||
source 'nginx_conf_parity.erb'
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables internal_port: config[:rpc][:port],
|
||||
external_port: rpc_proxy_port,
|
||||
parity_service: parity_service,
|
||||
server_name: hostname,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{hostname}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{hostname}/privkey.pem"
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site parity_service do
|
||||
action :enable
|
||||
end
|
||||
|
||||
nginx_certbot_site hostname do
|
||||
site parity_service
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,34 +0,0 @@
|
|||
{
|
||||
"name": "KreditsChain",
|
||||
"engine": {
|
||||
"instantSeal": { "params": {} }
|
||||
},
|
||||
"params": {
|
||||
"accountStartNonce": "0x00",
|
||||
"maximumExtraDataSize": "0x20",
|
||||
"minGasLimit": "0x1388",
|
||||
"networkID" : "0x11"
|
||||
},
|
||||
"genesis": {
|
||||
"seal": {
|
||||
"ethereum": {
|
||||
"nonce": "0x00006d6f7264656e",
|
||||
"mixHash": "0x00000000000000000000000000000000000000647572616c65787365646c6578"
|
||||
}
|
||||
},
|
||||
"difficulty": "0x20000",
|
||||
"author": "0x0000000000000000000000000000000000000000",
|
||||
"timestamp": "0x00",
|
||||
"parentHash": "0x0000000000000000000000000000000000000000000000000000000000000000",
|
||||
"extraData": "0x",
|
||||
"gasLimit": "0x5B8D80"
|
||||
},
|
||||
"accounts": {
|
||||
"0000000000000000000000000000000000000001": { "balance": "1", "builtin": { "name": "ecrecover", "pricing": { "linear": { "base": 3000, "word": 0 } } } },
|
||||
"0000000000000000000000000000000000000002": { "balance": "1", "builtin": { "name": "sha256", "pricing": { "linear": { "base": 60, "word": 12 } } } },
|
||||
"0000000000000000000000000000000000000003": { "balance": "1", "builtin": { "name": "ripemd160", "pricing": { "linear": { "base": 600, "word": 120 } } } },
|
||||
"0000000000000000000000000000000000000004": { "balance": "1", "builtin": { "name": "identity", "pricing": { "linear": { "base": 15, "word": 3 } } } },
|
||||
"<%= @parity_account %>":{"balance": "1606938044258990275541962092341162602522" }
|
||||
}
|
||||
}
|
||||
|
|
@ -1,30 +0,0 @@
|
|||
# Generated by Chef
|
||||
upstream _<%= @parity_service %> {
|
||||
server localhost:<%= @internal_port %>;
|
||||
}
|
||||
|
||||
server {
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
listen <%= @external_port %> ssl http2;
|
||||
<% else -%>
|
||||
listen <%= @external_port %>;
|
||||
<% end -%>
|
||||
|
||||
server_name <%= @server_name %>;
|
||||
|
||||
access_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.access.log json;
|
||||
error_log <%= node[:nginx][:log_dir] %>/<%= @parity_service %>.error.log warn;
|
||||
|
||||
location / {
|
||||
# Increase number of buffers. Default is 8
|
||||
proxy_buffers 1024 8k;
|
||||
|
||||
proxy_pass http://_<%= @parity_service %>;
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
<% end -%>
|
||||
}
|
|
@ -1,11 +0,0 @@
|
|||
[Unit]
|
||||
Description=Parity Daemon (<%= @environment %>)
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
ExecStart=/usr/bin/parity --config <%= @config_file %> --no-discovery $ARGS
|
||||
User=parity
|
||||
Group=parity
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
|
|
@ -2,10 +2,11 @@ name 'kosmos_discourse'
|
|||
maintainer 'Kosmos Developers'
|
||||
maintainer_email 'mail@kosmos.org'
|
||||
license 'MIT'
|
||||
description 'Installs/Configures discourse'
|
||||
long_description 'Installs/Configures discourse'
|
||||
version '0.1.0'
|
||||
description 'Installs/configures Discourse'
|
||||
long_description 'Installs/configures Discourse'
|
||||
version '0.2.0'
|
||||
chef_version '>= 14.0'
|
||||
|
||||
depends 'discourse'
|
||||
depends 'firewall'
|
||||
depends 'kosmos_openresty'
|
||||
|
|
|
@ -3,4 +3,30 @@
|
|||
# Recipe:: nginx
|
||||
#
|
||||
|
||||
include_recipe "discourse::nginx"
|
||||
domain = node['discourse']['domain']
|
||||
discourse_role = node['discourse']['role']
|
||||
|
||||
upstream_ip_addresses = []
|
||||
search(:node, "role:#{discourse_role}").each do |n|
|
||||
upstream_ip_addresses << n["knife_zero"]["host"]
|
||||
end
|
||||
# No Discourse host, stop here
|
||||
if upstream_ip_addresses.empty?
|
||||
Chef::Log.warn("No server with '#{discourse_role}' role. Stopping here.")
|
||||
return
|
||||
end
|
||||
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
openresty_site domain do
|
||||
template "nginx_conf.erb"
|
||||
variables server_name: domain,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
|
||||
upstream_port: node['discourse']['port'],
|
||||
upstream_name: discourse_role,
|
||||
upstream_ip_addresses: upstream_ip_addresses
|
||||
end
|
||||
|
|
|
@ -8,7 +8,7 @@ upstream _discourse {
|
|||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
server {
|
||||
server_name <%= @server_name %>;
|
||||
listen 443 ssl http2;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
|
|
|
@ -8,5 +8,5 @@ version '0.1.0'
|
|||
chef_version '>= 14.0'
|
||||
|
||||
depends "firewall"
|
||||
depends "kosmos-nginx"
|
||||
depends "kosmos_gitea"
|
||||
depends "kosmos_openresty"
|
||||
|
|
|
@ -12,21 +12,16 @@ end
|
|||
# No Discourse host, stop here
|
||||
return if upstream_ip_addresses.empty?
|
||||
|
||||
nginx_certbot_site domain
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||
source "nginx_conf.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
openresty_site domain do
|
||||
template "nginx_conf.erb"
|
||||
variables server_name: domain,
|
||||
upstream_ip_addresses: upstream_ip_addresses,
|
||||
upstream_port: node["kosmos_drone"]["upstream_port"],
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
||||
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
# Generated by Chef
|
||||
upstream _drone {
|
||||
<% @upstream_ip_addresses.each do |upstream_ip_address| -%>
|
||||
|
@ -8,7 +7,7 @@ upstream _drone {
|
|||
|
||||
server {
|
||||
server_name <%= @server_name %>;
|
||||
listen 443 ssl http2;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
|
@ -33,4 +32,3 @@ server {
|
|||
proxy_http_version 1.1;
|
||||
}
|
||||
}
|
||||
<% end -%>
|
||||
|
|
|
@ -9,3 +9,4 @@ issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
|
|||
source_url 'https://gitea.kosmos.org/kosmos/chef'
|
||||
|
||||
depends 'firewall'
|
||||
depends 'kosmos_openresty'
|
||||
|
|
|
@ -3,15 +3,14 @@
|
|||
# Recipe:: nginx_web
|
||||
#
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
file "/etc/nginx/conf.d/garage.conf" do
|
||||
file "#{node['openresty']['dir']}/conf.d/garage.conf" do
|
||||
raucao marked this conversation as resolved
Outdated
|
||||
content <<-EOF
|
||||
upstream garage_web {
|
||||
server localhost:3902;
|
||||
}
|
||||
|
||||
proxy_cache_path /var/cache/nginx/garage levels=1:2 keys_zone=garage_cache:10m
|
||||
proxy_cache_path #{node['openresty']['cache_dir']}/garage
|
||||
levels=1:2 keys_zone=garage_cache:10m
|
||||
max_size=1g inactive=60m use_temp_path=off;
|
||||
EOF
|
||||
end
|
||||
|
@ -19,19 +18,15 @@ end
|
|||
domains = node['garage']['s3_web_domains']
|
||||
|
||||
domains.each do |server_name|
|
||||
nginx_certbot_site server_name
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
|
||||
source 'nginx_conf_web.erb'
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables server_name: server_name,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
tls_cert_for server_name do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
nginx_site server_name do
|
||||
action :enable
|
||||
openresty_site server_name do
|
||||
template "nginx_conf_web.erb"
|
||||
variables server_name: server_name,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem"
|
||||
end
|
||||
end
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
server {
|
||||
listen 443 http2 ssl;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 http2 ssl;
|
||||
|
||||
server_name <%= @server_name %>;
|
||||
|
|
|
@ -2,25 +2,13 @@ name 'kosmos_gitea'
|
|||
maintainer 'Kosmos Developers'
|
||||
maintainer_email 'ops@kosmos.org'
|
||||
license 'MIT'
|
||||
description 'Installs/Configures kosmos_gitea'
|
||||
long_description 'Installs/Configures kosmos_gitea'
|
||||
version '0.1.0'
|
||||
description 'Installs/configures Gitea'
|
||||
long_description 'Installs/configures Gitea'
|
||||
version '0.2.0'
|
||||
chef_version '>= 14.0'
|
||||
|
||||
# The `issues_url` points to the location where issues for this cookbook are
|
||||
# tracked. A `View Issues` link will be displayed on this cookbook's page when
|
||||
# uploaded to a Supermarket.
|
||||
#
|
||||
# issues_url 'https://github.com/<insert_org_here>/kosmos_gitea/issues'
|
||||
|
||||
# The `source_url` points to the development repository for this cookbook. A
|
||||
# `View Source` link will be displayed on this cookbook's page when uploaded to
|
||||
# a Supermarket.
|
||||
#
|
||||
# source_url 'https://github.com/<insert_org_here>/kosmos_gitea'
|
||||
|
||||
depends "firewall"
|
||||
depends "kosmos-nginx"
|
||||
depends "kosmos_openresty"
|
||||
depends "kosmos_postgresql"
|
||||
depends "backup"
|
||||
depends "kosmos-dirsrv"
|
||||
|
|
|
@ -3,14 +3,8 @@
|
|||
# Recipe:: nginx
|
||||
#
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
domain = node["gitea"]["domain"]
|
||||
|
||||
# upstream_ip_addresses = []
|
||||
# search(:node, "role:gitea").each do |n|
|
||||
# upstream_ip_addresses << n["knife_zero"]["host"]
|
||||
# end
|
||||
begin
|
||||
upstream_ip_address = search(:node, "role:gitea").first["knife_zero"]["host"]
|
||||
rescue
|
||||
|
@ -18,35 +12,16 @@ rescue
|
|||
return
|
||||
end
|
||||
|
||||
nginx_certbot_site domain
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||
source "nginx_conf_web.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
openresty_site domain do
|
||||
template "nginx_conf_web.erb"
|
||||
variables server_name: domain,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
|
||||
upstream_host: upstream_ip_address,
|
||||
upstream_port: node["gitea"]["port"]
|
||||
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/streams-available/ssh" do
|
||||
source "nginx_conf_ssh.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
variables domain: domain,
|
||||
upstream_host: upstream_ip_address
|
||||
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_stream "ssh" do
|
||||
action :enable
|
||||
end
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
#
|
||||
# Cookbook:: kosmos_gitea
|
||||
# Recipe:: nginx_ssh
|
||||
#
|
||||
|
||||
begin
|
||||
upstream_ip_address = search(:node, "role:gitea").first["knife_zero"]["host"]
|
||||
rescue
|
||||
Chef::Log.warn('No server with "gitea" role. Stopping here.')
|
||||
return
|
||||
end
|
||||
|
||||
openresty_stream "ssh" do
|
||||
template "nginx_conf_ssh.erb"
|
||||
variables upstream_host: upstream_ip_address
|
||||
action :enable
|
||||
end
|
|
@ -3,6 +3,6 @@ upstream _gitea_ssh {
|
|||
}
|
||||
|
||||
server {
|
||||
listen 148.251.83.201:22;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>22;
|
||||
proxy_pass _gitea_ssh;
|
||||
}
|
||||
|
|
|
@ -4,23 +4,17 @@ upstream _gitea_web {
|
|||
}
|
||||
|
||||
server {
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name <%= @server_name %>;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
ssl_certificate_key <%= @ssl_key %>;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000";
|
||||
<% else -%>
|
||||
listen 80;
|
||||
server_name <%= @server_name %>;
|
||||
access_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.access.log;
|
||||
error_log <%= node[:openresty][:log_dir] %>/<%= @server_name %>.error.log warn;
|
||||
|
||||
location /.well-known {
|
||||
root "/var/www/<%= @server_name %>";
|
||||
}
|
||||
<% end -%>
|
||||
add_header Strict-Transport-Security "max-age=31536000";
|
||||
|
||||
client_max_body_size 20M;
|
||||
|
||||
|
|
|
@ -3,5 +3,7 @@
|
|||
# Recipe:: default
|
||||
#
|
||||
|
||||
node.normal['openresty']['log_formats']['json'] = '{"ip":"$remote_addr","time":"$time_local","host":"$host","method":"$request_method","uri":"$uri","status":$status,"size":$body_bytes_sent,"referer":"$http_referer","upstream_addr":"$upstream_addr","upstream_response_time":"$upstream_response_time","ua":"$http_user_agent"}'
|
||||
|
||||
# Install openresty from official packages
|
||||
include_recipe 'openresty::apt_package'
|
||||
|
|
|
@ -9,4 +9,4 @@ issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
|
|||
source_url 'https://gitea.kosmos.org/kosmos/chef'
|
||||
|
||||
depends 'firewall'
|
||||
depends 'kosmos-nginx'
|
||||
depends 'kosmos_openresty'
|
||||
|
|
|
@ -5,33 +5,27 @@ property :network, String, required: true, name_property: true
|
|||
property :domain, String, required: true
|
||||
|
||||
action :create do
|
||||
include_recipe "kosmos-nginx"
|
||||
|
||||
network = new_resource.network
|
||||
domain = new_resource.domain
|
||||
|
||||
nginx_certbot_site domain
|
||||
|
||||
upstream_hosts = []
|
||||
search(:node, "role:rskj_#{network}").each do |node|
|
||||
upstream_hosts << node["knife_zero"]["host"]
|
||||
end
|
||||
upstream_hosts.push("localhost") if upstream_hosts.empty?
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{domain}" do
|
||||
source "nginx_conf_rskj.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
openresty_site domain do
|
||||
template "nginx_conf_rskj.erb"
|
||||
variables domain: domain,
|
||||
upstream_name: "rskj_#{network}",
|
||||
upstream_hosts: upstream_hosts,
|
||||
upstream_port: "4444",
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
||||
end
|
||||
|
|
|
@ -5,15 +5,15 @@ upstream _<%= @upstream_name %> {
|
|||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name <%= @domain %>;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=15768000";
|
||||
|
||||
access_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.access.log json;
|
||||
error_log <%= node[:nginx][:log_dir] %>/<%= @domain %>.error.log warn;
|
||||
access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log json;
|
||||
error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;
|
||||
|
||||
location / {
|
||||
if ($request_method = 'OPTIONS') {
|
||||
|
|
|
@ -7,5 +7,5 @@ long_description 'Configures the main kosmos.org website'
|
|||
version '1.0.0'
|
||||
chef_version '>= 15.10' if respond_to?(:chef_version)
|
||||
|
||||
depends "kosmos-nginx"
|
||||
depends 'git'
|
||||
depends "kosmos_openresty"
|
||||
|
|
|
@ -3,37 +3,26 @@
|
|||
# Recipe:: default
|
||||
#
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
include_recipe "git"
|
||||
|
||||
domain = node["kosmos_website"]["domain"]
|
||||
|
||||
nginx_certbot_site domain
|
||||
|
||||
directory "/var/www/#{domain}/site" do
|
||||
user node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
mode "0755"
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
git "/var/www/#{domain}/site" do
|
||||
user node["nginx"]["user"]
|
||||
group node["nginx"]["group"]
|
||||
git "/var/www/#{domain}" do
|
||||
user node["openresty"]["user"]
|
||||
group node["openresty"]["group"]
|
||||
repository node["kosmos_website"]["repo"]
|
||||
revision node["kosmos_website"]["revision"]
|
||||
action :sync
|
||||
end
|
||||
|
||||
template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
|
||||
source "nginx_conf_website.erb"
|
||||
owner node["nginx"]["user"]
|
||||
mode 0640
|
||||
openresty_site domain do
|
||||
template "nginx_conf_website.erb"
|
||||
variables domain: domain,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
|
||||
notifies :reload, "service[nginx]", :delayed
|
||||
end
|
||||
|
||||
nginx_site domain do
|
||||
action :enable
|
||||
end
|
||||
|
|
|
@ -1,14 +1,15 @@
|
|||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
# Generated by Chef
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name <%= @domain %>;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
root /var/www/<%= @domain %>/site/public;
|
||||
root /var/www/<%= @domain %>/public;
|
||||
|
||||
access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log;
|
||||
error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;
|
||||
|
||||
access_log off;
|
||||
gzip_static on;
|
||||
gzip_comp_level 5;
|
||||
|
||||
|
@ -29,4 +30,3 @@ server {
|
|||
proxy_pass https://accounts.kosmos.org;
|
||||
}
|
||||
}
|
||||
<% end -%>
|
||||
|
|
|
@ -1 +1 @@
|
|||
Subproject commit 867046cbd1e120f7b2cb842114dcc725cdf0c2b2
|
||||
Subproject commit bc916b981cecbbc65dc220ecaa9e878a22d8f6fa
|
|
@ -1,2 +0,0 @@
|
|||
node.override['discourse']['domain'] = "community.remotestorage.io"
|
||||
node.override['discourse']['role'] = "remotestorage_discourse"
|
|
@ -2,9 +2,11 @@ name 'remotestorage_discourse'
|
|||
maintainer 'Kosmos Developers'
|
||||
maintainer_email 'mail@kosmos.org'
|
||||
license 'MIT'
|
||||
description 'Installs/Configures discourse'
|
||||
long_description 'Installs/Configures discourse'
|
||||
version '0.1.0'
|
||||
description 'Installs/configures Discourse'
|
||||
long_description 'Installs/configures Discourse'
|
||||
version '0.2.0'
|
||||
chef_version '>= 14.0'
|
||||
|
||||
depends 'discourse'
|
||||
depends 'firewall'
|
||||
depends 'kosmos_openresty'
|
||||
|
|
|
@ -3,4 +3,30 @@
|
|||
# Recipe:: nginx
|
||||
#
|
||||
|
||||
include_recipe "discourse::nginx"
|
||||
domain = "community.remotestorage.io"
|
||||
discourse_role = "remotestorage_discourse"
|
||||
|
||||
upstream_ip_addresses = []
|
||||
search(:node, "role:#{discourse_role}").each do |n|
|
||||
upstream_ip_addresses << n["knife_zero"]["host"]
|
||||
end
|
||||
# No Discourse host, stop here
|
||||
if upstream_ip_addresses.empty?
|
||||
Chef::Log.warn("No server with '#{discourse_role}' role. Stopping here.")
|
||||
return
|
||||
end
|
||||
|
||||
tls_cert_for domain do
|
||||
auth "gandi_dns"
|
||||
action :create
|
||||
end
|
||||
|
||||
openresty_site domain do
|
||||
template "nginx_conf.erb"
|
||||
variables server_name: domain,
|
||||
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
|
||||
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
|
||||
upstream_port: node['discourse']['port'],
|
||||
upstream_name: discourse_role,
|
||||
upstream_ip_addresses: upstream_ip_addresses
|
||||
end
|
||||
|
|
|
@ -1,14 +1,13 @@
|
|||
# Generated by Chef
|
||||
upstream _discourse {
|
||||
upstream _rs_discourse {
|
||||
<% @upstream_ip_addresses.each do |upstream_ip_address| -%>
|
||||
server <%= upstream_ip_address %>:<%= @upstream_port %>;
|
||||
<% end -%>
|
||||
}
|
||||
|
||||
<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
|
||||
server {
|
||||
server_name <%= @server_name %>;
|
||||
listen 443 ssl http2;
|
||||
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
ssl_certificate <%= @ssl_cert %>;
|
||||
|
@ -28,8 +27,7 @@ server {
|
|||
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
proxy_pass http://_discourse;
|
||||
proxy_pass http://_rs_discourse;
|
||||
proxy_http_version 1.1;
|
||||
}
|
||||
}
|
||||
<% end -%>
|
||||
|
|
|
@ -85,7 +85,7 @@ ruby_block "read-hostnames" do
|
|||
block do
|
||||
# Set generated hostname for hidden services
|
||||
node['tor']['HiddenServices'].each do |name, service|
|
||||
path = File.join(service['HiddenServiceDir'], "/hostname")
|
||||
path = "/var/lib/tor/#{name}/hostname"
|
||||
node.normal['tor']['HiddenServices'][name]['hostname'] = File.read(path).strip()
|
||||
end
|
||||
end
|
||||
|
@ -96,10 +96,6 @@ template '/etc/tor/torrc' do
|
|||
source 'torrc.erb'
|
||||
notifies :restart, 'service[tor]', :immediately
|
||||
notifies :run, "ruby_block[read-hostnames]"
|
||||
# Set default HiddenServiceDir
|
||||
node['tor']['HiddenServices'].each do |name, service|
|
||||
node.default['tor']['HiddenServices'][name]['HiddenServiceDir'] = File.join("/var/lib/tor/", name, "/")
|
||||
end
|
||||
end
|
||||
|
||||
# Install exit policy notice
|
||||
|
|
|
@ -88,7 +88,7 @@ DataDirectory <%= node['tor']['DataDirectory'] %>
|
|||
#HiddenServicePort 22 127.0.0.1:22
|
||||
<% node['tor']['HiddenServices'].each do |name, service| -%>
|
||||
|
||||
HiddenServiceDir <%= service['HiddenServiceDir'] %>
|
||||
HiddenServiceDir /var/lib/tor/<%= name %>/
|
||||
<% service['HiddenServicePorts'].each do |port| -%>
|
||||
HiddenServicePort <%= port %>
|
||||
<% end -%>
|
||||
|
|
Loading…
Reference in New Issue
Could use
node['openresty']['dir']
here instead of hardcoding `/etc/openresty"