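#
# Cookbook:: kosmos-akkounts
# Recipe:: default
#
# Deploys the Akkounts Rails application: system user, Ruby/Node toolchain,
# Redis, the systemd unit, the git checkout, secret files and the integration
# settings that are derived from peer nodes located via knife-zero searches.
#
require 'ipaddr'

app_name = "akkounts"
deploy_user = "deploy"
deploy_group = "deploy"
deploy_path = "/opt/#{app_name}"

# Both data bags are encrypted; every value read from them is a secret and must
# only end up in files marked sensitive/0400-0600 below.
credentials = Chef::EncryptedDataBagItem.load('credentials', app_name)
smtp_credentials = Chef::EncryptedDataBagItem.load('credentials', 'smtp')

group deploy_group

user deploy_user do
  group deploy_group
  manage_home true
  shell "/bin/bash"
end

package "libpq-dev"
package "libvips"

include_recipe 'redisio::default'
include_recipe 'redisio::enable'

node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_20.x"
include_recipe 'kosmos-nodejs'
npm_package "bun"

ruby_version = "3.3.8"
ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
bundle_path = "#{ruby_path}/bin/bundle"
rails_env = node.chef_environment == "development" ? "development" : "production"

ruby_build_install 'v20240221'
ruby_build_definition ruby_version do
  prefix_path ruby_path
end

# Private (knife-zero) address of the first node carrying `role`, or nil when
# no such node exists or it lacks the attribute. A missing peer disables the
# corresponding integration below instead of aborting the run. Unlike the
# former `... rescue nil`, a failing search itself is no longer swallowed, so a
# broken search does not silently deploy a half-configured app.
private_host_for = lambda do |role|
  peer = search(:node, "role:#{role}").first
  peer && peer["knife_zero"] && peer["knife_zero"]["host"]
end

postgres_readonly_host = private_host_for.call("postgresql_replica")
btcpay_host = private_host_for.call("btcpay")
lndhub_host = private_host_for.call("lndhub")

# Only the lndhub node may call the webhook endpoints; empty when it is absent.
webhooks_allowed_ips = [lndhub_host].compact.uniq.join(',')

env = {
  primary_domain: node['akkounts']['primary_domain'],
  akkounts_domain: node['akkounts']['domain'],
  rails_serve_static_files: true,
  secret_key_base: credentials["rails_secret_key_base"],
  encryption_primary_key: credentials["rails_encryption_primary_key"],
  encryption_key_derivation_salt: credentials["rails_encryption_key_derivation_salt"],
  db_adapter: "postgresql",
  pg_host: "pg.kosmos.local",
  pg_port: 5432,
  pg_database: "akkounts",
  pg_database_queue: "akkounts_queue",
  pg_username: credentials["postgresql"]["username"],
  pg_password: credentials["postgresql"]["password"]
}

# NOTE(review): the LDAP admin bind is plaintext (port 389, use_tls: false), so
# the admin password crosses the wire unencrypted; this is only acceptable if
# the path to ldap.kosmos.local is a trusted private network (it appears to be
# the internal overlay used elsewhere in this recipe) -- confirm before exposing
# the host to anything else.
env[:ldap] = {
  host: "ldap.kosmos.local",
  port: 389,
  use_tls: false,
  uid_attr: "cn",
  base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org",
  admin_user: credentials["ldap"]["admin_user"],
  admin_password: credentials["ldap"]["admin_password"],
  suffix: "dc=kosmos,dc=org"
}

# relayhost is stored postfix-style as "host:port"; port is nil if omitted.
smtp_server, smtp_port = smtp_credentials[:relayhost].split(":")

env[:smtp] = {
  server: smtp_server,
  port: smtp_port,
  login: smtp_credentials[:user_name],
  password: smtp_credentials[:password],
  from_address: node['akkounts']['smtp']['from_address'],
  domain: node['akkounts']['smtp']['domain'],
  auth_method: node['akkounts']['smtp']['auth_method'],
  enable_starttls: node['akkounts']['smtp']['enable_starttls']
}

env[:sentry_dsn] = credentials["sentry_dsn"]

env[:webhooks_allowed_ips] = webhooks_allowed_ips unless webhooks_allowed_ips.empty?

#
# BTCPay Server
#
if btcpay_host
  env[:btcpay_api_url] = "http://#{btcpay_host}:23001/api/v1"
  env[:btcpay_public_url] = node['akkounts']['btcpay']['public_url']
  env[:btcpay_store_id] = node['akkounts']['btcpay']['store_id']
  env[:btcpay_auth_token] = credentials["btcpay_auth_token"]
end

#
# Discourse
#
env[:discourse_public_url] = "https://#{node['discourse']['domain']}"
env[:discourse_connect_secret] = credentials['discourse_connect_secret']

#
# Drone CI
#
env[:droneci_public_url] = node["droneci"]["public_url"]

#
# ejabberd
#
# Collect the private addresses of all ejabberd nodes and keep only the ones
# that parse as IP addresses, since they are written verbatim into /etc/hosts.
# The previous loop tried to prune bad entries with Array#delete! (which does
# not exist) while iterating the same array, so a malformed address crashed
# the run instead of being skipped.
ejabberd_private_ip_addresses = search(:node, "role:ejabberd").map do |peer|
  peer["knife_zero"] && peer["knife_zero"]["host"]
end
ejabberd_private_ip_addresses.compact!
ejabberd_private_ip_addresses.select! do |candidate|
  begin
    IPAddr.new(candidate)
    true
  rescue IPAddr::InvalidAddressError
    Chef::Log.warn("kosmos-akkounts: ignoring malformed ejabberd address #{candidate.inspect}")
    false
  end
end

ejabberd_private_ip_addresses.each do |ip_address|
  hostsfile_entry ip_address do
    hostname 'xmpp.kosmos.local'
    action :create
  end
end

unless ejabberd_private_ip_addresses.empty?
  env[:ejabberd_api_url] = "http://xmpp.kosmos.local/api"
  env[:ejabberd_admin_url] = node['akkounts']['ejabberd']['admin_url']
end

#
# Gitea
#
env[:gitea_public_url] = "https://#{node['gitea']['domain']}"

#
# lndhub.go
#
if lndhub_host
  node.override["akkounts"]["lndhub"]["api_url"] = "http://#{lndhub_host}:3026"
  env[:lndhub_legacy_api_url] = node["akkounts"]["lndhub"]["api_url"]
  env[:lndhub_api_url] = node["akkounts"]["lndhub"]["api_url"]
  env[:lndhub_admin_token] = credentials["lndhub_admin_token"]
  env[:lndhub_public_url] = node["akkounts"]["lndhub"]["public_url"]
  env[:lndhub_public_key] = node["akkounts"]["lndhub"]["public_key"]

  # The admin UI reads lndhub's database through the read-only replica only.
  if postgres_readonly_host
    env[:lndhub_admin_ui] = true
    env[:lndhub_pg_host] = postgres_readonly_host
    env[:lndhub_pg_database] = node["akkounts"]["lndhub"]["postgres_db"]
    env[:lndhub_pg_username] = credentials["postgresql"]["username"]
    env[:lndhub_pg_password] = credentials["postgresql"]["password"]
  end
end

#
# Mastodon
#
env[:mastodon_public_url] = "https://#{node['kosmos-mastodon']['domain']}"
env[:mastodon_address_domain] = node['kosmos-mastodon']['user_address_domain']

#
# MediaWiki
#
env[:mediawiki_public_url] = node['mediawiki']['url']

#
# Nostr
#
env[:nostr_private_key] = credentials['nostr_private_key']
env[:nostr_public_key] = node['akkounts']['nostr']['public_key']
env[:nostr_relay_url] = node['akkounts']['nostr']['relay_url']

#
# remoteStorage / Liquor Cabinet
#
env[:rs_storage_url] = "https://#{node['liquor-cabinet']['domain']}"

rs_redis_host = private_host_for.call("redis_server")
rs_redis_port = node['liquor-cabinet']['redis_port']
rs_redis_db = node['liquor-cabinet']['redis_db']

if rs_redis_host
  env[:rs_redis_url] = "redis://#{rs_redis_host}:#{rs_redis_port}/#{rs_redis_db}"
end

#
# S3
#
if node['akkounts']['s3_enabled']
  env[:s3_enabled] = true
  env[:s3_endpoint] = node['akkounts']['s3_endpoint']
  env[:s3_region] = node['akkounts']['s3_region']
  env[:s3_bucket] = node['akkounts']['s3_bucket']
  env[:s3_alias_host] = node['akkounts']['s3_alias_host']
  env[:s3_access_key] = credentials['s3_access_key']
  env[:s3_secret_key] = credentials['s3_secret_key']
end

#
# Akkounts Deployment
#
systemd_unit "akkounts.service" do
  content({
    Unit: {
      Description: "Kosmos Accounts",
      Documentation: ["https://gitea.kosmos.org/kosmos/akkounts"],
      Requires: "redis@6379.service",
      After: "syslog.target network.target"
    },
    Service: {
      Type: "simple",
      User: deploy_user,
      WorkingDirectory: deploy_path,
      Environment: "RAILS_ENV=#{rails_env} SOLID_QUEUE_IN_PUMA=true",
      ExecStart: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid",
      ExecStop: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid stop",
      ExecReload: "#{bundle_path} exec pumactl -F config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid phased-restart",
      PIDFile: "#{deploy_path}/tmp/puma.pid",
      TimeoutSec: "10",
      Restart: "always",
    },
    Install: {
      WantedBy: "multi-user.target"
    }
  })
  # systemd-analyze verify is skipped; the unit is static so a bad edit shows
  # up at the first :restart notification instead.
  verify false
  triggers_reload true
  action [:create, :enable]
end

# Environment for the build/migration steps run as the deploy user; the
# ruby_build Ruby must shadow any system Ruby on PATH.
deploy_env = {
  "HOME" => deploy_path,
  "PATH" => "#{ruby_path}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin",
  "RAILS_ENV" => rails_env,
  "NODE_ENV" => rails_env
}

git deploy_path do
  repository node[app_name]["repo"]
  revision node[app_name]["revision"]
  user deploy_user
  group deploy_group
  notifies :restart, "service[#{app_name}]", :delayed
end

# The Rails master key unlocks every encrypted credential of the app. Besides
# the 0400 mode, `sensitive true` keeps Chef from printing the key in the
# converge log/diff whenever the file changes, as it already does for .env.
file "#{deploy_path}/config/master.key" do
  content credentials['rails_master_key']
  mode '0400'
  owner deploy_user
  group deploy_group
  sensitive true
  notifies :restart, "service[#{app_name}]", :delayed
end

template "#{deploy_path}/.env.#{rails_env}" do
  source 'env.erb'
  owner deploy_user
  group deploy_group
  mode 0600
  sensitive true
  variables config: env
  notifies :restart, "service[#{app_name}]", :delayed
end

execute "bundle install" do
  environment deploy_env
  user deploy_user
  group deploy_group
  cwd deploy_path
  command "bundle install --without development,test --deployment"
end

execute 'rake db:migrate' do
  environment deploy_env
  user deploy_user
  group deploy_group
  cwd deploy_path
  command "bundle exec rake db:migrate"
end

execute 'rake assets:precompile' do
  environment deploy_env
  user deploy_user
  group deploy_group
  cwd deploy_path
  command "bundle exec rake assets:precompile"
end

service "akkounts" do
  action [:enable, :start]
end

# The app port is reachable only from the private overlay network.
firewall_rule "akkounts_zerotier" do
  command :allow
  port node["akkounts"]["port"]
  protocol :tcp
  source "10.1.1.0/24"
end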