Typo (not using pumactl), but we don't need to specify it to do the right thing anyway: systemd can just send SIGTERM on its own.
#
# Cookbook:: kosmos-akkounts
# Recipe:: default
#
require 'ipaddr'
# Identity of this deployment: the checkout lives under /opt/akkounts and
# everything below runs as the unprivileged "deploy" account.
app_name = 'akkounts'
deploy_user = 'deploy'
deploy_group = 'deploy'
deploy_path = File.join('/opt', app_name)

# All secrets (Rails keys, database/LDAP/API credentials) and the SMTP relay
# login come from encrypted data bags, never from plain node attributes.
credentials = Chef::EncryptedDataBagItem.load('credentials', app_name)
smtp_credentials = Chef::EncryptedDataBagItem.load('credentials', 'smtp')
# Service account that owns the checkout and runs puma. It gets a real login
# shell and a home directory (needed by bundler/npm tooling run as this user).
group deploy_group

user deploy_user do
  manage_home true
  shell '/bin/bash'
  group deploy_group
end
# Native build dependencies for the pg and ruby-vips gems.
%w[libpq-dev libvips].each do |pkg_name|
  package pkg_name
end
# Local Redis instance (installed and enabled by the redisio cookbook);
# the systemd unit below requires redis@6379.service from this.
%w[redisio::default redisio::enable].each do |redis_recipe|
  include_recipe redis_recipe
end
# Node.js 20.x from the NodeSource repository (the major version is pinned by
# the repo URL), then bun installed through npm.
# NOTE(review): "bun" carries no version here, so each converge may pull
# whatever the npm registry currently publishes — and npm_package presumably
# installs it globally as root. Pinning a version would narrow the
# supply-chain exposure; what npm_package does with a version is defined in
# the kosmos-nodejs cookbook, which is not visible here.
node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_20.x"
include_recipe 'kosmos-nodejs'
npm_package "bun"
# Ruby is built by ruby-build into a version-specific prefix; bundler is
# always invoked through that prefix so the system Ruby is never used.
ruby_version = '3.3.8'
ruby_path = File.join('/opt/ruby_build/builds', ruby_version)
bundle_path = File.join(ruby_path, 'bin', 'bundle')

# Only the "development" Chef environment runs Rails in development mode;
# every other environment is treated as production.
rails_env = if node.chef_environment == 'development'
              'development'
            else
              'production'
            end
# Install ruby-build at a fixed release and build the requested Ruby into
# ruby_path (the build is skipped by the resource once it exists).
ruby_build_install 'v20240221'

ruby_build_definition ruby_version do
  prefix_path ruby_path
end
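# Resolve the private (knife_zero) address of the first node carrying a role.
# Returns nil when no such node is known. A lookup that fails for another
# reason (missing knife_zero attribute, search error) is logged and also
# yields nil, instead of being silently swallowed by a `rescue nil` modifier.
knife_zero_host_for = lambda do |role|
  begin
    match = search(:node, "role:#{role}").first
    match && match["knife_zero"]["host"]
  rescue StandardError => e
    Chef::Log.warn("#{app_name}: could not resolve knife_zero host for role '#{role}': #{e.message}")
    nil
  end
end

postgres_readonly_host = knife_zero_host_for.call("postgresql_replica")
btcpay_host = knife_zero_host_for.call("btcpay")
lndhub_host = knife_zero_host_for.call("lndhub")

# Only the lndhub host may call the app's webhooks. When it cannot be
# resolved this stays empty and no allow-list is exported further down;
# whether the app then rejects or accepts webhooks from anywhere is decided
# in the app, not here — TODO confirm that its default is deny.
webhooks_allowed_ips = [lndhub_host].compact.uniq.join(',')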
# Base application settings, rendered into .env.<rails_env> by the env.erb
# template further down. Secrets come from the encrypted data bag loaded
# above; the primary database is reached under its internal name.
# NOTE(review): nothing here sets an SSL mode for the PostgreSQL connection,
# so whether traffic to pg.kosmos.local is encrypted depends on the app's
# database configuration and the pg server — confirm.
env = {
  primary_domain: node['akkounts']['primary_domain'],
  akkounts_domain: node['akkounts']['domain'],
  rails_serve_static_files: true,
  secret_key_base: credentials["rails_secret_key_base"],
  encryption_primary_key: credentials["rails_encryption_primary_key"],
  encryption_key_derivation_salt: credentials["rails_encryption_key_derivation_salt"],
  db_adapter: "postgresql",
  pg_host: "pg.kosmos.local",
  pg_port: 5432,
  pg_database: "akkounts",
  # Separate database for the job queue, same server and credentials.
  pg_database_queue: "akkounts_queue",
  pg_username: credentials["postgresql"]["username"],
  pg_password: credentials["postgresql"]["password"]
}
# LDAP directory the app authenticates users against and manages with an
# admin bind.
# NOTE(review): use_tls is false and the port is plain 389, so the admin
# bind password below presumably crosses the network in cleartext. That is
# only acceptable if ldap.kosmos.local is reachable solely over a trusted
# private link (the .local name suggests one, nothing here proves it) —
# confirm, or move to LDAPS / STARTTLS.
env[:ldap] = {
  host: "ldap.kosmos.local",
  port: 389,
  use_tls: false,
  uid_attr: "cn",
  base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org",
  admin_user: credentials["ldap"]["admin_user"],
  admin_password: credentials["ldap"]["admin_password"],
  suffix: "dc=kosmos,dc=org"
}
# The relay is stored as "host:port"; the second ':'-separated field becomes
# the port and is nil when none is given (the app's default then applies,
# presumably).
smtp_server, smtp_port = smtp_credentials[:relayhost].split(":")

# Outbound mail settings. Login and password come from the encrypted data
# bag, the rest from node attributes.
# NOTE(review): whether the login travels encrypted depends on
# node['akkounts']['smtp']['enable_starttls'] and the relay; confirm the
# attribute defaults to true (not visible here).
env[:smtp] = {
  server: smtp_server,
  port: smtp_port,
  login: smtp_credentials[:user_name],
  password: smtp_credentials[:password],
  from_address: node['akkounts']['smtp']['from_address'],
  domain: node['akkounts']['smtp']['domain'],
  auth_method: node['akkounts']['smtp']['auth_method'],
  enable_starttls: node['akkounts']['smtp']['enable_starttls']
}
# Error reporting endpoint.
env[:sentry_dsn] = credentials["sentry_dsn"]

# Export the webhook source allow-list only when at least one address was
# resolved above; an empty value is not written at all.
env[:webhooks_allowed_ips] = webhooks_allowed_ips unless webhooks_allowed_ips.empty?
#
# BTCPay Server
#

# BTCPay integration is configured only when a node with role btcpay is known.
# NOTE(review): the API URL is plain http on port 23001 and
# env[:btcpay_auth_token] is presumably presented to it by the app, so the
# token would cross the network in cleartext. Acceptable only if btcpay_host
# is reachable solely over the private overlay — confirm.
if btcpay_host
  env[:btcpay_api_url] = "http://#{btcpay_host}:23001/api/v1"
  env[:btcpay_public_url] = node['akkounts']['btcpay']['public_url']
  env[:btcpay_store_id] = node['akkounts']['btcpay']['store_id']
  env[:btcpay_auth_token] = credentials["btcpay_auth_token"]
end
#
# Discourse
#

# Discourse SSO ("DiscourseConnect"): public forum URL plus the shared secret
# from the encrypted data bag.
discourse_domain = node['discourse']['domain']
env[:discourse_public_url] = "https://#{discourse_domain}"
env[:discourse_connect_secret] = credentials['discourse_connect_secret']
#
# Drone CI
#

# Public URL of the CI instance, taken as-is from the droneci attributes.
droneci_attrs = node["droneci"]
env[:droneci_public_url] = droneci_attrs["public_url"]
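#
# ejabberd
#

# Collect the private (knife_zero) addresses of all ejabberd nodes, keeping
# only values that parse as IP addresses: anything else would be written
# verbatim into /etc/hosts below. A node without a usable address is logged
# and skipped rather than aborting the converge (the previous version called
# the non-existent Array#delete! in that case and also mutated the array it
# was iterating).
ejabberd_private_ip_addresses = []
search(:node, "role:ejabberd").each do |ejabberd_node|
  address = ejabberd_node["knife_zero"]["host"]
  begin
    IPAddr.new(address.to_s)
  rescue IPAddr::InvalidAddressError
    Chef::Log.warn("#{app_name}: skipping ejabberd node with invalid knife_zero host #{address.inspect}")
    next
  end
  ejabberd_private_ip_addresses << address
end

# Map xmpp.kosmos.local to every ejabberd address. With several nodes the
# resolver presumably picks the first entry; the API URL below is plain http
# to that name, so this only stays safe while the addresses are on the
# private overlay — TODO confirm.
ejabberd_private_ip_addresses.each do |ip_address|
  hostsfile_entry ip_address do
    hostname 'xmpp.kosmos.local'
    action :create
  end
end

unless ejabberd_private_ip_addresses.empty?
  env[:ejabberd_api_url] = "http://xmpp.kosmos.local/api"
  env[:ejabberd_admin_url] = node['akkounts']['ejabberd']['admin_url']
end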
#
# Gitea
#

# Public URL of the Gitea instance, built from its configured domain.
gitea_domain = node['gitea']['domain']
env[:gitea_public_url] = "https://#{gitea_domain}"
#
# lndhub.go
#

# Lightning wallet backend, wired up only when a node with role lndhub is
# known. The resolved API URL is stored back into the node attributes so
# other recipes see the same value.
# NOTE(review): the API URL is plain http on port 3026 and the admin token
# below is presumably used against it — acceptable only while lndhub_host is
# on the private overlay; confirm.
if lndhub_host
  node.override["akkounts"]["lndhub"]["api_url"] = "http://#{lndhub_host}:3026"
  # Legacy and current API URLs currently point at the same endpoint.
  env[:lndhub_legacy_api_url] = node["akkounts"]["lndhub"]["api_url"]
  env[:lndhub_api_url] = node["akkounts"]["lndhub"]["api_url"]
  env[:lndhub_admin_token] = credentials["lndhub_admin_token"]
  env[:lndhub_public_url] = node["akkounts"]["lndhub"]["public_url"]
  env[:lndhub_public_key] = node["akkounts"]["lndhub"]["public_key"]
  # The admin UI reads lndhub's database from the PostgreSQL replica, reusing
  # the app's own PostgreSQL credentials rather than a dedicated read-only
  # role. NOTE(review): if that role can write on the replica's primary, the
  # UI holds more privilege than it needs — verify the role's grants.
  if postgres_readonly_host
    env[:lndhub_admin_ui] = true
    env[:lndhub_pg_host] = postgres_readonly_host
    env[:lndhub_pg_database] = node["akkounts"]["lndhub"]["postgres_db"]
    env[:lndhub_pg_username] = credentials["postgresql"]["username"]
    env[:lndhub_pg_password] = credentials["postgresql"]["password"]
  end
end
#
# Mastodon
#

# Public URL of the Mastodon instance and the domain used in user addresses.
mastodon_attrs = node['kosmos-mastodon']
env[:mastodon_public_url] = "https://#{mastodon_attrs['domain']}"
env[:mastodon_address_domain] = mastodon_attrs['user_address_domain']
#
# MediaWiki
#

# The wiki URL is stored complete (scheme included) in the mediawiki attributes.
mediawiki_attrs = node['mediawiki']
env[:mediawiki_public_url] = mediawiki_attrs['url']
#
# Nostr
#

# Nostr identity of the service. The private key is a secret from the
# encrypted data bag and ends up in the .env file like every other secret;
# public key and relay are plain node attributes.
nostr_attrs = node['akkounts']['nostr']
env[:nostr_private_key] = credentials['nostr_private_key']
env[:nostr_public_key] = nostr_attrs['public_key']
env[:nostr_relay_url] = nostr_attrs['relay_url']
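#
# remoteStorage / Liquor Cabinet
#

# Public URL of the remoteStorage server.
env[:rs_storage_url] = "https://#{node['liquor-cabinet']['domain']}"

# Redis instance shared with Liquor Cabinet, located through the first node
# with role redis_server. A failed lookup is logged and leaves the URL unset
# rather than being swallowed by a `rescue nil` modifier.
rs_redis_host = begin
  redis_node = search(:node, "role:redis_server").first
  redis_node && redis_node["knife_zero"]["host"]
rescue StandardError => e
  Chef::Log.warn("#{app_name}: could not resolve knife_zero host for role 'redis_server': #{e.message}")
  nil
end
rs_redis_port = node['liquor-cabinet']['redis_port']
rs_redis_db = node['liquor-cabinet']['redis_db']

# NOTE(review): the URL carries no credentials, so access to this Redis
# relies entirely on where it listens and on the network in between —
# confirm it is only reachable over the private overlay.
if rs_redis_host
  env[:rs_redis_url] = "redis://#{rs_redis_host}:#{rs_redis_port}/#{rs_redis_db}"
end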
#
# S3
#

# S3-compatible object storage, exported only when enabled on the node;
# the access key pair comes from the encrypted data bag.
s3_attrs = node['akkounts']
if s3_attrs['s3_enabled']
  env[:s3_enabled] = true
  env[:s3_endpoint] = s3_attrs['s3_endpoint']
  env[:s3_region] = s3_attrs['s3_region']
  env[:s3_bucket] = s3_attrs['s3_bucket']
  env[:s3_alias_host] = s3_attrs['s3_alias_host']
  env[:s3_access_key] = credentials['s3_access_key']
  env[:s3_secret_key] = credentials['s3_secret_key']
end
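#
# Akkounts Deployment
#

# systemd unit running puma as the deploy user straight from the checkout.
# RAILS_ENV and SOLID_QUEUE_IN_PUMA are set on the unit; everything else is
# read by the app from .env.<rails_env>, written further down.
systemd_unit "akkounts.service" do
  content({
    Unit: {
      Description: "Kosmos Accounts",
      Documentation: ["https://gitea.kosmos.org/kosmos/akkounts"],
      Requires: "redis@6379.service",
      # Requires= gives no start ordering on its own; redis must also be in
      # After= so puma is not started before the Redis instance it needs.
      After: "syslog.target network.target redis@6379.service"
    },
    Service: {
      Type: "simple",
      User: deploy_user,
      WorkingDirectory: deploy_path,
      Environment: "RAILS_ENV=#{rails_env} SOLID_QUEUE_IN_PUMA=true",
      ExecStart: "#{bundle_path} exec puma -C config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid",
      ExecReload: "#{bundle_path} exec pumactl -F config/puma.rb --pidfile #{deploy_path}/tmp/puma.pid phased-restart",
      PIDFile: "#{deploy_path}/tmp/puma.pid",
      TimeoutSec: "10",
      Restart: "always",
      # NOTE(review): no sandboxing directives (NoNewPrivileges=, PrivateTmp=,
      # ProtectSystem=, ProtectHome=) are set. They would bound what a
      # compromised puma process can reach, but need testing against the
      # app's write paths (at least #{deploy_path}/tmp) before being added.
    },
    Install: {
      WantedBy: "multi-user.target"
    }
  })
  verify false
  triggers_reload true
  action [:create, :enable]
end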
# Environment for the build/migration steps below: the built Ruby first on
# PATH, HOME inside the checkout so bundler/npm caches stay with the app.
system_path = %w[
  /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin
  /usr/games /usr/local/games /snap/bin
]
deploy_env = {
  "HOME" => deploy_path,
  "PATH" => (["#{ruby_path}/bin"] + system_path).join(":"),
  "RAILS_ENV" => rails_env,
  "NODE_ENV" => rails_env
}
# Check out the application source as the deploy user; a changed revision
# restarts the service once the converge finishes.
# NOTE(review): if node[app_name]["revision"] is a branch name rather than a
# tag or commit SHA, converges are not reproducible and any pushed commit
# deploys on the next run — pin it unless that is intended.
git deploy_path do
  user deploy_user
  group deploy_group
  repository node[app_name]["repo"]
  revision node[app_name]["revision"]
  notifies :restart, "service[#{app_name}]", :delayed
end
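# Rails master key, readable only by the deploy user. Marked sensitive so
# chef-client never prints the key or a content diff in its run log and
# reports — the .env template further down already does the same.
file "#{deploy_path}/config/master.key" do
  content credentials['rails_master_key']
  mode '0400'
  owner deploy_user
  group deploy_group
  sensitive true
  notifies :restart, "service[#{app_name}]", :delayed
end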
# Render the application's environment file. Owner-only permissions and
# sensitive: it carries every secret collected above (database, LDAP, S3,
# API tokens, the Nostr private key).
template "#{deploy_path}/.env.#{rails_env}" do
  source 'env.erb'
  variables config: env
  owner deploy_user
  group deploy_group
  mode '0600'
  sensitive true
  notifies :restart, "service[#{app_name}]", :delayed
end
# Install gems as the deploy user. No guard is set, so this runs on every
# converge (bundler itself makes it a no-op when nothing changed).
execute "bundle install" do
  command "bundle install --without development,test --deployment"
  cwd deploy_path
  user deploy_user
  environment deploy_env
end
# Apply pending database migrations on every converge, as the deploy user.
execute 'rake db:migrate' do
  command "bundle exec rake db:migrate"
  cwd deploy_path
  user deploy_user
  group deploy_group
  environment deploy_env
end
# Build the asset bundle (puma serves static files itself, see
# rails_serve_static_files above).
execute 'rake assets:precompile' do
  command "bundle exec rake assets:precompile"
  cwd deploy_path
  user deploy_user
  group deploy_group
  environment deploy_env
end
# Enable and start the unit defined above; the git/file/template resources
# restart it when their content changed.
service "akkounts" do
  action %i[enable start]
end
# Open the app port only towards 10.1.1.0/24. Judging by the resource name
# this is the ZeroTier overlay network; nothing in this recipe exposes the
# port to the public Internet, so a reverse proxy elsewhere presumably fronts
# the app — confirm the range still matches the overlay's configuration.
firewall_rule "akkounts_zerotier" do
  command :allow
  port node["akkounts"]["port"]
  protocol :tcp
  source "10.1.1.0/24"
end