Add podman_site resource

diff --git a/cookbooks/podman/attributes/default.rb b/cookbooks/podman/attributes/default.rb
new file mode 100644 (file)
index 0000000..0d4f407
--- /dev/null
+++ b/cookbooks/podman/attributes/default.rb
@@ -0,0 +1 @@
+default[:podman][:ports] = {}

diff --git a/cookbooks/podman/metadata.rb b/cookbooks/podman/metadata.rb
index e1039e85d6826cd51e1a399622fbc89d6cd3d991..d44ad30bdd3ef9af6ca6dd90b33b14aac43e6a05 100644 (file)
--- a/cookbooks/podman/metadata.rb
+++ b/cookbooks/podman/metadata.rb
@@ -6,4 +6,5 @@ description       "Installs and configures podman"
 
 version           "1.0.0"
 supports          "ubuntu"
 
 version           "1.0.0"
 supports          "ubuntu"

+depends           "apache"

 depends           "systemd"
 depends           "systemd"

diff --git a/cookbooks/podman/recipes/apache.rb b/cookbooks/podman/recipes/apache.rb
new file mode 100644 (file)
index 0000000..b63bfe4
--- /dev/null
+++ b/cookbooks/podman/recipes/apache.rb
@@ -0,0 +1,23 @@
+#
+# Cookbook:: podman
+# Recipe:: apache
+#
+# Copyright:: 2023, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "podman"
+include_recipe "apache"
+
+apache_module "proxy_http"

diff --git a/cookbooks/podman/resources/site.rb b/cookbooks/podman/resources/site.rb
new file mode 100644 (file)
index 0000000..e0b0f8c
--- /dev/null
+++ b/cookbooks/podman/resources/site.rb
@@ -0,0 +1,91 @@
+#
+# Cookbook:: podman
+# Resource:: podman_site
+#
+# Copyright:: 2023, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "yaml"
+
+unified_mode true
+
+default_action :create
+
+property :site, String, :name_property => true
+property :image, String, :required => true
+property :port, Integer, :default => 8080
+property :aliases, :kind_of => Array, :default => []
+
+action :create do
+  podman_service new_resource.site do
+    description "Container service for #{new_resource.site}"
+    image new_resource.image
+    ports external_port => new_resource.port
+  end
+
+  ssl_certificate new_resource.site do
+    domains Array(new_resource.site) + new_resource.aliases
+  end
+
+  apache_site new_resource.site do
+    cookbook "podman"
+    template "apache.erb"
+    variables :port => external_port, :aliases => new_resource.aliases
+  end
+end
+
+action :delete do
+  apache_site new_resource.site do
+    action [:disable, :delete]
+  end
+
+  podman_service new_resource.site do
+    action :delete
+  end
+
+  node.rm_normal(:podman, :ports, new_resource.site)
+end
+
+action_class do
+  def ports_file
+    "#{Chef::Config[:file_cache_path]}/podman-ports.yml"
+  end
+
+  def ports
+    @ports ||= if ::File.exist?(ports_file)
+                 YAML.safe_load(::File.read(ports_file))
+               else
+                 {}
+               end
+  end
+
+  def external_port
+    unless ports.include?(new_resource.site)
+      port = 40000
+
+      port += 1 while ports.values.include?(port)
+
+      ports[new_resource.site] = port
+
+      ::File.write(ports_file, YAML.dump(ports))
+    end
+
+    ports[new_resource.site]
+  end
+end
+
+def after_created
+  notifies :reload, "service[apache2]"
+end

diff --git a/cookbooks/podman/templates/default/apache.erb b/cookbooks/podman/templates/default/apache.erb
new file mode 100644 (file)
index 0000000..3c1f510
--- /dev/null
+++ b/cookbooks/podman/templates/default/apache.erb
@@ -0,0 +1,52 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+<VirtualHost *:80>
+  ServerName <%= @name %>
+<% @aliases.each do |alias_name| -%>
+  ServerAlias <%= alias_name %>
+<% end -%>
+  ServerAdmin webmaster@openstreetmap.org
+
+  CustomLog /var/log/apache2/<%= @name %>-access.log combined
+  ErrorLog /var/log/apache2/<%= @name %>-error.log
+
+  RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
+  RedirectPermanent / https://<%= @name %>/
+</VirtualHost>
+<% unless @aliases.empty? -%>
+
+<VirtualHost *:443>
+  ServerName <%= @aliases.first %>
+<% @aliases.drop(1).each do |alias_name| -%>
+  ServerAlias <%= alias_name %>
+<% end -%>
+  ServerAdmin webmaster@openstreetmap.org
+
+  CustomLog /var/log/apache2/<%= @name %>-access.log combined
+  ErrorLog /var/log/apache2/<%= @name %>-error.log
+
+  SSLEngine on
+  SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem
+  SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key
+
+  RedirectPermanent / https://<%= @name %>/
+</VirtualHost>
+<% end -%>
+
+<VirtualHost *:443>
+  ServerName <%= @name %>
+  ServerAdmin webmaster@openstreetmap.org
+
+  CustomLog /var/log/apache2/<%= @name %>-access.log combined
+  ErrorLog /var/log/apache2/<%= @name %>-error.log
+
+  SSLEngine on
+  SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem
+  SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key
+
+  RequestHeader set X-Forwarded-Proto "https"
+  RequestHeader set X-Forwarded-Port "443"
+
+  ProxyPass / http://localhost:<%= @port %>/
+  ProxyPreserveHost on
+</VirtualHost>