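#
# Cookbook Name:: kosmos-ipfs
# Recipe:: nginx_public_gateway
#
# Sets up the public nginx (OpenResty) front end for the IPFS gateway nodes:
# a TLS certificate and site config for the gateway domain, a firewall rule
# for the external API port, and a fail2ban jail that watches the site's
# access log for repeated 404 responses.
#

include_recipe 'firewall'

domain = node["kosmos-ipfs"]["nginx"]["domain"]

# Collect the address of every node carrying the ipfs_gateway role; the list
# is handed to the site template as upstream_hosts. The block parameter is
# deliberately not called `node`, so it cannot shadow the recipe's own node.
ipfs_node_ip_addresses = search(:node, "role:ipfs_gateway").map do |gateway_node|
  gateway_node["knife_zero"]["host"]
end

tls_cert_for domain do
  auth "gandi_dns"
  action :create
end

openresty_site domain do
  template "nginx_conf_#{domain}.erb"
  variables server_name: domain,
            ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
            ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem",
            ipfs_api_port: node['kosmos-ipfs']['api_port'],
            ipfs_gateway_port: node['kosmos-ipfs']['gateway_port'],
            ipfs_external_api_port: node['kosmos-ipfs']['nginx']['external_api_port'],
            upstream_hosts: ipfs_node_ip_addresses
end

# NOTE(review): no source restriction is set on this rule, so as far as this
# recipe shows the external API port is allowed from any address. Confirm that
# the nginx template (not visible here) limits who may reach the IPFS API.
firewall_rule 'ipfs_api' do
  port node['kosmos-ipfs']['nginx']['external_api_port']
  protocol :tcp
  command :allow
end

# fail2ban identifies the address to ban through the <HOST> tag in failregex.
# The published pattern began with '^ -', i.e. without the tag (it looks like
# it was stripped as markup), so the filter could not attribute a matching
# line to a client. The tag is restored at the start of the line, where the
# access log is presumed to record the client address -- TODO confirm against
# the log_format used by the site template.
#
# NOTE(review): normal attributes persist on the node between runs, and
# assigning the whole hash replaces any other normal-level fail2ban filters or
# services set elsewhere. Confirm that this is intended.
node.normal['fail2ban']['filters'] = {
  'nginx-ipfs-404' => {
    'failregex' => ['^<HOST> -.*"(GET|POST|PUT|DELETE|OPTIONS|HEAD).*HTTP.*" 404'],
    'ignoreregex' => []
  }
}

# Jail settings: 10 matching lines within 1440 minutes trigger a ban that
# lasts 1440 minutes.
node.normal['fail2ban']['services'] = {
  'nginx-ipfs' => {
    'enabled' => 'true',
    'filter' => 'nginx-ipfs-404',
    'logpath' => "/var/log/nginx/#{domain}.access.log",
    'maxretry' => '10',
    'bantime' => '1440m',
    'findtime' => '1440m'
  }
}

# Included after the attributes above are set, so the fail2ban recipe sees the
# filter and jail definitions.
include_recipe "fail2ban"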