#
# Cookbook:: kosmos-ejabberd
# Recipe:: default
#
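# Secrets used throughout this recipe (Erlang cookie, LDAP bind passwords,
# upload secret, admin list) come from the "ejabberd" item of the
# "credentials" data bag.
ejabberd_credentials = data_bag_item("credentials", "ejabberd")

ejabberd_version = node["kosmos-ejabberd"]["version"]
package_checksum = node["kosmos-ejabberd"]["checksum"]

# remote_file only verifies the download when a checksum is set; a missing or
# malformed attribute would let an unverified .deb be installed. Fail the run
# at compile time instead. remote_file expects a hex-encoded SHA-256 digest.
unless package_checksum.to_s.match?(/\A[0-9a-f]{64}\z/i)
  raise ArgumentError,
        "node['kosmos-ejabberd']['checksum'] must be the SHA-256 hex digest of the ejabberd #{ejabberd_version} .deb"
end

# Where remote_file stores the download and where dpkg_package installs from.
package_path = "#{Chef::Config['file_cache_path']}/ejabberd_#{ejabberd_version}-0_amd64.deb"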
# Download the upstream .deb into the Chef file cache. The download is
# compared against the configured checksum before dpkg_package is notified;
# the package resource itself is `action :nothing` and runs only on this
# notification, i.e. when a new version was fetched.
download_url = "https://www.process-one.net/downloads/downloads-action.php?file=/#{ejabberd_version}/ejabberd_#{ejabberd_version}-0_amd64.deb"

remote_file package_path do
  source download_url
  checksum package_checksum
  notifies :install, 'dpkg_package[ejabberd]', :immediately
end
# Install the downloaded package. Pinned to the exact Debian version string of
# the file fetched above; once installed, the systemd unit shipped inside the
# package is copied into place by the notified file resource.
package_version = "#{ejabberd_version}-0"

dpkg_package 'ejabberd' do
  source package_path
  version package_version
  action :nothing
  notifies :create, 'file[/lib/systemd/system/ejabberd.service]', :immediately
end
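# The Erlang cookie is the shared secret of the ejabberd cluster: it is kept
# owner-read-only and, like the config templates further down, marked
# sensitive so its content never shows up in Chef's diff output or reports.
file "/opt/ejabberd/.erlang.cookie" do
  owner "ejabberd"
  group "ejabberd"
  mode "0400"
  sensitive true
  content ejabberd_credentials['erlang_cookie']
end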
# Erlang host list for the cluster: one quoted hostname per line, each line
# terminated by a period (Erlang term syntax). World-readable on purpose; it
# holds no secrets.
cluster_hosts = %w[andromeda.kosmos.org centaurus.kosmos.org draco.kosmos.org]

file '/opt/ejabberd/.hosts.erlang' do
  owner 'ejabberd'
  group 'ejabberd'
  mode '0644'
  content cluster_hosts.map { |hostname| %("#{hostname}".\n) }.join
end
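# Set the Erlang node name in ejabberdctl.cfg. The packaged file carries the
# setting as a commented-out "#ERLANG_NODE=ejabberd@localhost" line, which is
# all the previous pattern matched: once uncommented, a later change of the
# erlang_node attribute was never written out. Matching the active line too
# keeps the file in sync with the attribute on every run.
ruby_block "configure ERLANG_NODE" do
  block do
    erlang_node = node['kosmos-ejabberd']['erlang_node']
    cfg = Chef::Util::FileEdit.new("/opt/ejabberd/conf/ejabberdctl.cfg")
    # Anchored so only the setting itself matches, commented out or not.
    cfg.search_file_replace_line(
      %r{^#?ERLANG_NODE=},
      "ERLANG_NODE=#{erlang_node}"
    )
    # NOTE(review): assumes FileEdit#write_file leaves the file alone when no
    # line changed, so this block stays idempotent — confirm on the Chef
    # version in use.
    cfg.write_file
  end
end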
# PostgreSQL credentials; the ejabberd role password is passed to every vhost
# template below as pgsql_password.
postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
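# Per-vhost settings consumed by vhost.yml.erb. :append_host_config is raw
# YAML for that host's section; the heredoc bodies start at column 0 on
# purpose, because with <<- every leading space would end up in the rendered
# config.
#
# The mod_http_upload stanza is the same for both hosts apart from the put_url
# path, so it is generated once. The shared secret is emitted as a
# single-quoted YAML scalar — the only escape needed is doubling any "'" —
# so a credential containing a quote or backslash cannot break the YAML.
uploads_secret = ejabberd_credentials["uploads_secret"].to_s.gsub("'", "''")

# Returns the mod_http_upload stanza (without trailing newline) for put_url,
# indented to sit under "modules:" next to mod_muc.
http_upload_config = lambda do |put_url|
  stanza = <<-EOF
  mod_http_upload:
    put_url: "#{put_url}"
    external_secret: '#{uploads_secret}'
    max_size: 104857600
    thumbnail: false # otherwise needs the identify command from ImageMagick installed
  EOF
  stanza.chomp
end

hosts = [
  {
    name: "kosmos.org",
    sql_database: "ejabberd",
    ldap_enabled: true,
    ldap_password: ejabberd_credentials['kosmos_ldap_password'],
    append_host_config: <<-EOF
modules:
  mod_muc:
    host: "kosmos.chat"
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
    max_user_conferences: 1000
    default_room_options:
      mam: true
#{http_upload_config.call("https://uploads.kosmos.chat/8af2c77")}
    EOF
  },
  {
    name: "5apps.com",
    sql_database: "ejabberd_5apps",
    ldap_enabled: true,
    ldap_password: ejabberd_credentials['5apps_ldap_password'],
    append_host_config: <<-EOF
modules:
  mod_muc:
    host: "muc.@HOST@"
    access:
      - allow: local
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
    max_user_conferences: 1000
    default_room_options:
      anonymous: false
      public: true
      members_only: true
      public_list: false
      persistent: true
      mam: true
#{http_upload_config.call("https://uploads.kosmos.chat/2802cfe")}
    EOF
  }
]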
|
2019-01-09 17:17:50 +00:00
|
|
|
|
2020-02-17 12:20:54 +00:00
|
|
|
# LDAP settings shared by every vhost. Development boxes talk to the directory
# in the clear; everywhere else the connection is TLS.
ldap_domain = node['kosmos-dirsrv']['master_hostname']
ldap_encryption_type =
  if node.chef_environment == 'development'
    'none'
  else
    'tls'
  end
ldap_base = 'cn=users,dc=kosmos,dc=org'

# JIDs granted admin rights in ejabberd.yml.
admin_users = ejabberd_credentials['admins']
# One vhost.yml per host. Each vhost binds to the directory as its own
# application account (uid=xmpp under the host's OU in cn=applications); the
# accounts and the ACIs granting them read/search on the users subtree are
# expected to exist in the directory already (refs #140). The file carries the
# LDAP and PostgreSQL passwords, hence 0640 ejabberd:ejabberd and sensitive.
hosts.each do |vhost|
  bind_dn = "uid=xmpp,ou=#{vhost[:name]},cn=applications,dc=kosmos,dc=org"

  template "/opt/ejabberd/conf/#{vhost[:name]}.yml" do
    source 'vhost.yml.erb'
    owner 'ejabberd'
    group 'ejabberd'
    mode 0640
    sensitive true
    variables(
      pgsql_password: postgresql_data_bag_item['ejabberd_user_password'],
      sql_server: 'pg.kosmos.local',
      host: vhost,
      ldap_base: ldap_base,
      ldap_server: ldap_domain,
      ldap_rootdn: bind_dn,
      ldap_encryption_type: ldap_encryption_type
    )
    notifies :run, 'execute[ejabberdctl reload_config]', :delayed
  end
end
# Addresses of all nodes carrying the akkounts role, handed to the ejabberd.yml
# template as akkounts_ip_addresses. The block parameter is deliberately not
# called `node` so it does not shadow the recipe's own node object.
akkounts_ip_addresses = search(:node, 'role:akkounts').map do |akkounts_node|
  akkounts_node['knife_zero']['host']
end
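# Main ejabberd.yml: global settings plus the vhost list (which embeds
# credentials, hence sensitive). Owner and group are set explicitly, matching
# the per-vhost templates: with mode 0640 the file is unreadable for the
# service user unless ejabberd owns it, and leaving ownership to whatever the
# package created would make that an accident rather than a guarantee.
template "/opt/ejabberd/conf/ejabberd.yml" do
  source "ejabberd.yml.erb"
  owner "ejabberd"
  group "ejabberd"
  mode 0640
  sensitive true
  variables hosts: hosts,
            admin_users: admin_users,
            stun_auth_realm: "kosmos.org",
            turn_ip_address: node['ipaddress'],
            turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
            turn_max_port: node["kosmos-ejabberd"]["turn_max_port"],
            akkounts_ip_addresses: akkounts_ip_addresses
  notifies :run, "execute[ejabberdctl reload_config]", :delayed
end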
# Re-read the YAML config without restarting ejabberd. Runs only when one of
# the config templates notifies it (delayed, so once per run at most).
ejabberdctl = "/opt/ejabberd-#{ejabberd_version}/bin/ejabberdctl"

execute 'ejabberdctl reload_config' do
  command "#{ejabberdctl} reload_config"
  action :nothing
end
# Remove the SysV init script; only the systemd unit installed below is used.
file '/etc/init.d/ejabberd' do
  action :delete
end
# Install the systemd unit that ships inside the versioned install directory.
# Created only on notification from dpkg_package; `lazy` defers reading the
# source until converge time, after the package has actually been unpacked.
unit_source = "/opt/ejabberd-#{ejabberd_version}/bin/ejabberd.service"

file '/lib/systemd/system/ejabberd.service' do
  content lazy { ::File.read(unit_source) }
  action :nothing
  notifies :run, 'execute[systemctl daemon-reload]', :immediately
  notifies :restart, 'service[ejabberd]', :delayed
end
# Make systemd pick up the new unit file; notified by the file resource above.
execute 'systemctl daemon-reload' do
  command 'systemctl daemon-reload'
  action :nothing
end
# Upload directories, one per upload domain, owned by and readable only for
# the service user.
upload_domains = %w[xmpp.kosmos.org xmpp.5apps.com]

upload_domains.each do |upload_domain|
  directory "/opt/ejabberd/uploads/#{upload_domain}" do
    owner 'ejabberd'
    group 'ejabberd'
    mode 0750
    recursive true
  end
end
# Enable at boot and make sure it is running; restarted (delayed) whenever the
# unit file changes.
service 'ejabberd' do
  action %i[enable start]
end
|
2019-05-13 15:08:21 +00:00
|
|
|
|
|
|
|
# Development boxes run without the firewall rules.
include_recipe 'kosmos-ejabberd::firewall' unless node.chef_environment == 'development'
|
2019-09-09 11:36:49 +00:00
|
|
|
|
|
|
|
#
# Tor hidden service
#
# The attributes for the hidden service are set in attributes/default.rb, due
# to the way the tor-full cookbook builds the path to the hidden service dir
# Sets up Tor and the hidden service for this node (configured via the
# attributes mentioned above, not in this recipe).
include_recipe "tor-full"