Add LDAP support to mastodon

Users can log in with their account in the database, or with an LDAP
account in the cn=greg,ou=users,dc=kosmos,dc=org group, with the
mastodon attribute set to enabled

site-cookbooks/kosmos-mastodon/recipes/default.rb

@@ -149,6 +149,10 @@ application mastodon_path do
   end
 
   mastodon_credentials = data_bag_item('credentials', 'mastodon')
+  ldap_credentials = data_bag_item("credentials", "389")
+  ldap_host = node["kosmos-dirsrv"]["nginx"]["domain"]
+  ldap_method = node.chef_environment == "development" ? :simple : :simple_tls
+  ldap_base = "ou=users,dc=kosmos,dc=org"
 
   template ".env.production" do
     source "env.production.erb"
@@ -169,7 +173,11 @@ application mastodon_path do
               s3_region: "eu-west-1",
               vapid_private_key: mastodon_credentials['vapid_private_key'],
               vapid_public_key: mastodon_credentials['vapid_public_key'],
-              db_pass: postgresql_data_bag_item['mastodon_user_password']
+              db_pass: postgresql_data_bag_item['mastodon_user_password'],
+              ldap_password: ldap_credentials['password'],
+              ldap_host: ldap_host,
+              ldap_method: ldap_method,
+              ldap_base: ldap_base
   end
 
   execute "bundle install" do

site-cookbooks/kosmos-mastodon/recipes/nginx.rb

@@ -53,7 +53,7 @@ template "#{node['nginx']['dir']}/sites-available/#{server_name}" do
             ssl_cert:            "/etc/letsencrypt/live/#{server_name}/fullchain.pem",
             ssl_key:             "/etc/letsencrypt/live/#{server_name}/privkey.pem",
             shared_config_path:  "#{node['nginx']['dir']}/snippets/mastodon.conf",
-            onion_address:       File.read("/var/lib/tor/mastodon/hostname").strip
+            onion_address:       node['tor']['HiddenServices']['mastodon']['HiddenServiceDir']
   notifies :reload, 'service[nginx]', :delayed
 end
 
@@ -73,4 +73,4 @@ nginx_certbot_site server_name
 #
 # The attributes for the hidden service are set in attributes/default.rb, due
 # to the way the tor-full cookbook builds the path to the hidden service dir
-include_recipe "tor-full"
+include_recipe "tor-full" unless node.chef_environment == "development"

site-cookbooks/kosmos-mastodon/templates/default/env.production.erb

@@ -61,3 +61,12 @@ ES_HOST=localhost
 ES_PORT=9200
 
 ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
+
+LDAP_ENABLED=true
+LDAP_HOST=<%= @ldap_host %>
+LDAP_METHOD=<%= @ldap_method %>
+LDAP_BASE="<%= @ldap_base %>"
+LDAP_BIND_DN="cn=Directory Manager"
+LDAP_PASSWORD="<%= @ldap_password %>"
+LDAP_UID="uid"
+LDAP_SEARCH_FILTER="(&(objectClass=account)(mastodon=enabled)(|(%{uid}=%{email})(mail=%{email})))"

site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb

@@ -1,14 +1,10 @@
+<% unless node.chef_environment == "development" -%>
 server {
   listen 80;
   server_name mastodon.<%= @onion_address %>;
   include <%= @shared_config_path %>;
 }
-
+<% end -%>
-server {
-  listen 80;
-  server_name <%= @server_name %>;
-  return 301 https://$server_name$request_uri;
-}
 
 map $http_upgrade $connection_upgrade {
   default upgrade;
@@ -16,8 +12,12 @@ map $http_upgrade $connection_upgrade {
 }
 
 server {
+  <% unless node.chef_environment == "development" -%>
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
+  <% else -%>
+  listen 80;
+  <% end -%>
   server_name <%= @server_name %>;
   include <%= @shared_config_path %>;