- foundation-dwg
- foundation-mwg
- foundation-owg
+ - foundation-welcome
- foundation-wiki
- ftp
- geodns
- name: foundation-owg
run_list:
- recipe[foundation::owg]
+ - name: foundation-welcome
+ run_list:
+ - recipe[foundation::welcome]
- name: foundation-wiki
run_list:
- recipe[foundation::wiki]
depends "apache"
depends "git"
depends "mediawiki"
+depends "podman"
depends "ruby"
--- /dev/null
+#
+# Cookbook:: foundation
+# Recipe:: welcome
+#
+# Copyright:: 2023, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+include_recipe "apache"
+include_recipe "podman"
+
+docker_external_port = 8090
+
+podman_service "welcome-mat" do
+ description "Container service for welcome.openstreetmap.org"
+ image "ghcr.io/osmfoundation/welcome-mat:latest"
+ ports docker_external_port => "8080"
+end
+
+ssl_certificate "welcome.openstreetmap.org" do
+ domains ["welcome.openstreetmap.org", "welcome.osm.org"]
+ notifies :reload, "service[apache2]"
+end
+
+apache_module "proxy_http"
+
+apache_site "welcome.openstreetmap.org" do
+ template "apache.welcome.erb"
+ variables :docker_external_port => docker_external_port, :aliases => ["welcome.osm.org"]
+end
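Review bot: The `image "ghcr.io/osmfoundation/welcome-mat:latest"` line tracks a mutable tag. The podman_service resource in this commit labels the container `io.containers.autoupdate=registry`, and the podman recipe enables `podman-auto-update.timer`, so whatever is pushed under that tag will be pulled and run on this host without a Chef change. If that is intended, a comment on the image line should say so, for example `# Tracks :latest and is re-pulled by podman-auto-update; the GHCR publish pipeline is part of this host's trust boundary`. Otherwise pin to a release tag or a digest. Separately, `docker_external_port` would read better as `container_external_port`, since the runtime here is podman.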
--- /dev/null
+# DO NOT EDIT - This file is being maintained by Chef
+
+<VirtualHost *:443>
+ ServerName <%= @name %>
+<% @aliases.each do |alias_name| -%>
+ ServerAlias <%= alias_name %>
+<% end -%>
+ ServerAdmin webmaster@openstreetmap.org
+
+ CustomLog /var/log/apache2/<%= @name %>-access.log combined
+ ErrorLog /var/log/apache2/<%= @name %>-error.log
+
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem
+ SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key
+
+ # Let the backend know we are using HTTPS
+ RequestHeader set X-Forwarded-Proto “https”
+ RequestHeader set X-Forwarded-Port “443”
+
+ ProxyPass / http://localhost:<%= @docker_external_port %>/
+ ProxyPreserveHost on
+
+</VirtualHost>
+
+<VirtualHost *:80>
+ ServerName <%= @name %>
+<% @aliases.each do |alias_name| -%>
+ ServerAlias <%= alias_name %>
+<% end -%>
+ ServerAdmin webmaster@openstreetmap.org
+
+ CustomLog /var/log/apache2/<%= @name %>-access.log combined
+ ErrorLog /var/log/apache2/<%= @name %>-error.log
+
+ RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
+ RedirectPermanent / https://<%= @name %>/
+</VirtualHost>
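Review bot: The two `RequestHeader set` lines in the :443 vhost use typographic quotes (`“https”`, `“443”`) rather than ASCII double quotes, at least as rendered here. Apache only treats ASCII quotes as delimiters, so the curly quotes would most likely be sent to the backend as part of the header value, and a check for `X-Forwarded-Proto: https` would not match. They should read `RequestHeader set X-Forwarded-Proto "https"` and `RequestHeader set X-Forwarded-Port "443"`. The recipe explicitly enables only `proxy_http`, so it is worth confirming that mod_headers is enabled elsewhere, since `RequestHeader` depends on it.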
--- /dev/null
+name "podman"
+maintainer "OpenStreetMap Administrators"
+maintainer_email "admins@openstreetmap.org"
+license "Apache-2.0"
+description "Installs and configures podman"
+
+version "1.0.0"
+supports "ubuntu"
+depends "systemd"
--- /dev/null
+#
+# Cookbook:: podman
+# Recipe:: default
+#
+# Copyright:: 2023, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package %w[
+ podman
+ slirp4netns
+ uidmap
+]
+
+ruby_block "subuid-containers" do
+ block do
+ File.open("/etc/subuid", "a") do |file|
+ file.puts("containers:2147483647:2147483648")
+ end
+ end
+ not_if "grep -q '^containers:' /etc/subuid"
+end
+
+ruby_block "subgid-containers" do
+ block do
+ File.open("/etc/subgid", "a") do |file|
+ file.puts("containers:2147483647:2147483648")
+ end
+ end
+ not_if "grep -q '^containers:' /etc/subgid"
+end
+
+service "podman-auto-update.timer" do
+ action [:enable, :start]
+end
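Review bot: The `containers:2147483647:2147483648` entries appended to /etc/subuid and /etc/subgid have no comment saying what they are for or why that range was chosen. The `not_if` guard only tests for a line starting with `containers:`, so an existing entry with a different range is left unchanged. I would add above the first ruby_block `# Subordinate ID range consumed by podman --userns=auto (see podman_service); must not overlap ranges allocated to real users`. Nothing visible in the recipe checks for overlap with ranges already present in those files, which is worth confirming on hosts that have other subuid/subgid allocations.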
--- /dev/null
+#
+# Cookbook:: podman
+# Resource:: podman_service
+#
+# Copyright:: 2023, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+unified_mode true
+
+default_action :create
+
+property :service, String, :name_property => true
+property :description, String, :required => true
+property :image, String, :required => true
+property :ports, Hash
+
+action :create do
+ systemd_service new_resource.service do
+ description new_resource.description
+ type "notify"
+ notify_access "all"
+ environment "PODMAN_SYSTEMD_UNIT" => "%n"
+ exec_start_pre "/bin/rm --force %t/%n.ctr-id"
+ exec_start "/usr/bin/podman run --cidfile=%t/%n.ctr-id --cgroups=no-conmon --userns=auto --label=io.containers.autoupdate=registry --network=slirp4netns #{publish_options} --rm --sdnotify=conmon --detach --replace --name=%N #{new_resource.image}"
+ exec_stop "/usr/bin/podman stop --ignore --time=10 --cidfile=%t/%n.ctr-id"
+ exec_stop_post "/usr/bin/podman rm --force --ignore --cidfile=%t/%n.ctr-id"
+ timeout_stop_sec 70
+ restart "on-failure"
+ end
+
+ service new_resource.service do
+ action [:enable, :start]
+ subscribes :restart, "systemd_service[#{new_resource.service}]"
+ end
+end
+
+action :delete do
+ service new_resource.service do
+ action [:disable, :stop]
+ end
+
+ systemd_service new_resource.service do
+ action :delete
+ end
+end
+
+action_class do
+ def publish_options
+ new_resource.ports.collect do |host, guest|
+ "--publish=127.0.0.1:#{host}:#{guest}"
+ end.join(" ")
+ end
+end
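Review bot: `publish_options` calls `new_resource.ports.collect`, but `property :ports, Hash` has neither a default nor `:required => true`. A podman_service declared without `ports` would therefore raise NoMethodError on nil while the ExecStart string is being built. Either declare `property :ports, Hash, :default => {}` or guard the helper with `(new_resource.ports || {}).collect`. Publishing only on `127.0.0.1` is a sensible default that keeps the container reachable solely through the local reverse proxy; a one-line comment on `publish_options` stating that intent would stop it being loosened by accident.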
property :requires, [String, Array]
property :joins_namespace_of, [String, Array]
property :type, String, :is => %w[simple forking oneshot dbus notify idle]
+property :notify_access, String, :is => %w[none main exec all]
property :limit_nofile, Integer
property :limit_as, [Integer, String]
property :limit_cpu, [Integer, String]
property :exec_start, [String, Array]
property :exec_start_post, [String, Array]
property :exec_stop, [String, Array]
+property :exec_stop_post, [String, Array]
property :exec_reload, String
property :runtime_directory, String
property :runtime_directory_mode, Integer
<% if @type -%>
Type=<%= @type %>
<% end -%>
+<% if @notify_access -%>
+NotifyAccess=<%= @notify_access %>
+<% end -%>
<% if @limit_nofile -%>
LimitNOFILE=<%= @limit_nofile %>
<% end -%>
ExecStop=<%= exec_stop %>
<% end -%>
<% end -%>
+<% if @exec_stop_post -%>
+<% if @dropin -%>
+ExecStopPost=
+<% end -%>
+<% Array(@exec_stop_post).each do |exec_stop_post| -%>
+ExecStopPost=<%= exec_stop_post %>
+<% end -%>
+<% end -%>
<% if @exec_reload -%>
<% if @dropin -%>
ExecReload=
--- /dev/null
+require "serverspec"
+
+# Required by serverspec
+set :backend, :exec
+
+describe package("apache2") do
+ it { should be_installed }
+end
+
+describe service("apache2") do
+ it { should be_enabled }
+ it { should be_running }
+end
+
+describe port(80) do
+ it { should be_listening.with("tcp") }
+end
+
+describe port(443) do
+ it { should be_listening.with("tcp") }
+end
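Review bot: This spec asserts only on apache2 and ports 80/443, so a converge in which the welcome-mat unit fails to start, or publishes on a non-loopback address, would still pass. Consider adding `describe service("welcome-mat") do it { should be_enabled } end` along with a running check. A port assertion such as `describe port(8090) do it { should be_listening.on("127.0.0.1").with("tcp") } end` would pin the loopback-only binding that the resource sets up. Whether the test environment can pull the image is not visible from here, so the running and port checks may need to be conditional.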