chef/site-cookbooks/5apps-hubot/recipes/xmpp_schlupp.rb

#
# Cookbook Name:: 5apps-hubot
# Recipe:: xmpp_schlupp
#
# Copyright 2016, Kosmos
#
# All rights reserved - Do Not Redistribute
#

express_port = 8083
express_domain = "hubot.5apps.com"

unless node.chef_environment == "development"
  include_recipe "firewall"
  firewall_rule 'hubot_express_schlupp_xmpp' do
    port     express_port
    protocol :tcp
    command  :allow
  end
end

group "hubot" do
  gid 48268
end

user "hubot" do
  system true
  manage_home true
  comment "hubot user"
  uid 48268
  gid 48268
  shell "/bin/bash"
end

schlupp_xmpp_data_bag_item = Chef::EncryptedDataBagItem.load('credentials', '5apps_schlupp_xmpp')

schlupp_xmpp_path = "/opt/schlupp_xmpp"
application schlupp_xmpp_path do
  owner "hubot"
  group "hubot"

  git do
    user       "hubot"
    group      "hubot"
    repository "git@gitlab.com:5apps/schlupp.git"
    revision   "master"
    deploy_key schlupp_xmpp_data_bag_item['deploy_key']
  end

  file "external-scripts.json" do
    mode  "0640"
    owner "hubot"
    group "hubot"
    content [
      "hubot-auth",
      "hubot-help",
      "hubot-redis-brain",
      "hubot-rules",
      "hubot-shipit",
      "hubot-plusplus",
      "hubot-tell",
      "hubot-seen",
      "hubot-rss-reader",
      "hubot-incoming-webhook",
      "hubot-yubikey-invalidation",
    ].to_json
  end

  npm_install do
    user "hubot"
  end

  execute "systemctl daemon-reload" do
    command "systemctl daemon-reload"
    action :nothing
  end

  template "/lib/systemd/system/schlupp_xmpp_nodejs.service" do
    source 'nodejs.systemd.service.erb'
    owner 'root'
    group 'root'
    mode '0644'
    variables(
      user: "hubot",
      group: "hubot",
      app_dir: schlupp_xmpp_path,
      entry: "#{schlupp_xmpp_path}/bin/hubot -a xmpp --name schlupp",
      environment: { "HUBOT_XMPP_USERNAME"         => "schlupp@5apps.com/hubot",
                     "HUBOT_XMPP_PASSWORD"         => schlupp_xmpp_data_bag_item['password'],
                     "HUBOT_XMPP_ROOMS"            => "5info@muc.5apps.com,5ops@muc.5apps.com,core@muc.5apps.com,deploy@muc.5apps.com,storage@muc.5apps.com,watercooler@muc.5apps.com,hilti@muc.5apps.com,test@muc.5apps.com,gymapp@muc.5apps.com,solarisbank@muc.5apps.com",
                     "HUBOT_XMPP_HOST"             => "xmpp.5apps.com",
                     "HUBOT_RSS_PRINTSUMMARY"      => "false",
                     "EXPRESS_PORT"                => express_port,
                     "HUBOT_RSS_HEADER"            => "Update:",
                     "HUBOT_AUTH_ADMIN"            => "basti,garret,greg",
                     "REDIS_URL"                   => "redis://localhost:6379/5apps_schlupp_xmpp",
                     "WEBHOOK_TOKEN"               => schlupp_xmpp_data_bag_item['webhook_token'],
                     "AIRTABLE_API_KEY"            => schlupp_xmpp_data_bag_item['airtable_api_key'],
                     "GITHUB_TOKEN"                => schlupp_xmpp_data_bag_item['github_token'],
                     "AWS_ACCESS_KEY_ID"           => schlupp_xmpp_data_bag_item['aws_access_key_id'],
                     "AWS_SECRET_ACCESS_KEY"       => schlupp_xmpp_data_bag_item['aws_secret_access_key'] }
    )

    notifies :run, "execute[systemctl daemon-reload]", :delayed
    notifies :restart, "service[schlupp_xmpp_nodejs]", :delayed
  end

  service "schlupp_xmpp_nodejs" do
    action [:enable, :start]
  end
end

#
# Nginx reverse proxy
#
unless node.chef_environment == "development"
  include_recipe "kosmos-base::letsencrypt"
end

include_recipe 'kosmos-nginx'

directory "/var/www/#{express_domain}/.well-known/acme-challenge" do
  owner     node["nginx"]["user"]
  group     node["nginx"]["group"]
  recursive true
  action    :create
end

template "#{node['nginx']['dir']}/sites-available/#{express_domain}" do
  source 'nginx_conf_hubot.erb'
  owner node["nginx"]["user"]
  mode 0640
  variables express_port: express_port,
            server_name:  express_domain,
            ssl_cert:     "/etc/letsencrypt/live/#{express_domain}/fullchain.pem",
            ssl_key:      "/etc/letsencrypt/live/#{express_domain}/privkey.pem"
  notifies :reload, 'service[nginx]', :delayed
end

nginx_site express_domain do
  enable true
end

unless node.chef_environment == "development"
  execute "letsencrypt cert for #{express_domain}" do
    command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path /var/www/#{express_domain} -d #{express_domain} -n"
    cwd "/usr/local/certbot"
    not_if { File.exist? "/etc/letsencrypt/live/#{express_domain}/fullchain.pem" }
    notifies :create, "template[#{node['nginx']['dir']}/sites-available/#{express_domain}]", :immediately
  end
end