Add Iroh relay

Author: feld

files/default/iroh-relay.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Iroh relay
+
+[Service]
+ExecStart=/usr/local/bin/iroh-relay --config-path /etc/iroh-relay.toml
+Restart=on-failure
+RestartSec=5s
+User=iroh
+Group=iroh
+
+[Install]
+WantedBy=multi-user.target

files/default/iroh-relay.toml

@@ -0,0 +1,5 @@
+enable_relay = true
+http_bind_addr = "[::]:3340"
+enable_stun = true
+enable_metrics = false
+metrics_bind_addr = "127.0.0.1:9092"

recipes/default.rb

@@ -11,6 +11,7 @@
 include_recipe 'chatmail::opendkim'
 include_recipe 'chatmail::dovecot'
 include_recipe 'chatmail::postfix'
+include_recipe 'chatmail::iroh'
 include_recipe 'chatmail::nginx'
 include_recipe 'chatmail::mtail'
 include_recipe 'chatmail::chatmaild'

recipes/iroh.rb

@@ -0,0 +1,66 @@
+#
+# Cookbook:: chatmail
+# Recipe:: iroh
+#
+# Copyright:: 2023, The Authors, All Rights Reserved.
+
+iroh_release = 'v0.28.1'
+iroh_tarball = "iroh-relay-#{iroh_release}-x86_64-unknown-linux-musl.tar.gz"
+iroh_relay_hash = '2ffacf7c0622c26b67a5895ee8e07388769599f60e5f52a3bd40a3258db89b2c'
+iroh_relay_path = '/usr/local/bin/iroh-relay'
+
+group 'iroh'
+
+user 'iroh' do
+  gid 'iroh'
+  home '/home/iroh'
+  shell '/usr/sbin/nologin'
+end
+
+directory '/usr/local/bin'
+
+remote_file "/tmp/#{iroh_tarball}" do
+  source "https://github.com/n0-computer/iroh/releases/download/#{iroh_release}/iroh-relay-#{iroh_release}-x86_64-unknown-linux-musl.tar.gz"
+  mode '0644'
+  action :create
+  # Only download if checksum doesn't match
+  not_if do
+    ::File.exist?(iroh_relay_path) && \
+      ::Digest::SHA256.file(iroh_relay_path).hexdigest == iroh_relay_hash
+  end
+  notifies :run, 'execute[extract iroh_relay]', :immediately
+end
+
+execute 'extract iroh_relay' do
+  command "tar xzf /tmp/#{iroh_tarball} -C /usr/local/bin"
+  action :nothing
+end
+
+file iroh_relay_path do
+  owner 'root'
+  group 'root'
+  mode '0755'
+end
+
+cookbook_file '/etc/iroh-relay.toml' do
+  owner 'root'
+  group 'root'
+  mode '0644'
+  notifies :restart, 'service[iroh-relay.service]', :delayed
+end
+
+cookbook_file '/etc/systemd/system/iroh-relay.service' do
+  owner 'root'
+  group 'root'
+  mode '0644'
+  notifies :run, 'execute[systemctl daemon-reload]', :immediately
+  notifies :restart, 'service[iroh-relay.service]', :delayed
+end
+
+service 'iroh-relay.service' do
+  action [:enable, :start]
+end
+
+execute 'systemctl daemon-reload' do
+  action :nothing
+end

templates/default/nginx.conf.erb

@@ -48,7 +48,7 @@ http {
 	server {
 
 		listen 8443 ssl default_server;
-                <%- if not @config['disable_ipv6'] -%>
+		<%- if not @config['disable_ipv6'] -%>
 		listen [::]:8443 ssl default_server;
 		<%- end -%>
 
@@ -97,15 +97,34 @@ http {
 			include /etc/nginx/fastcgi_params;
 			fastcgi_param SCRIPT_FILENAME /usr/lib/cgi-bin/newemail.py;
 		}
+
+                # Proxy to iroh-relay service.
+                location /relay {
+                        proxy_pass http://127.0.0.1:3340;
+                        proxy_http_version 1.1;
+
+                        # Upgrade header is normally set to "iroh derp http" or "websocket".
+                        proxy_set_header Upgrade $http_upgrade;
+                        proxy_set_header Connection "upgrade";
+                }
+
+		location /relay/probe {
+                        proxy_pass http://127.0.0.1:3340;
+                        proxy_http_version 1.1;
+		}
+
+		location /generate_204 {
+                        proxy_pass http://127.0.0.1:3340;
+                        proxy_http_version 1.1;
+		}
 	}
 
 	# Redirect www. to non-www
 	server {
 		listen 8443 ssl;
-                <%- if not @config['disable_ipv6'] -%>
+		<%- if not @config['disable_ipv6'] -%>
 		listen [::]:8443 ssl;
 		<%- end -%>
-
 		server_name www.<%= @config['domain'] %>;
 		return 301 $scheme://<%= @config['domain'] %>$request_uri;
 		access_log syslog:server=unix:/dev/log,facility=local7;