From 1502d1956d7358ab3e4c3ffdc01584893865f102 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Wed, 11 May 2022 14:47:32 +0200
Subject: [PATCH 1/4] Set new passwords for the LDAP service accounts
---
 data_bags/credentials/ejabberd.json | 32 ++++++++++++++---------------
 1 file changed, 16 insertions(+), 16 deletions(-)
diff --git a/data_bags/credentials/ejabberd.json b/data_bags/credentials/ejabberd.json
index cb2d066..3ef7052 100644
--- a/data_bags/credentials/ejabberd.json
+++ b/data_bags/credentials/ejabberd.json
@@ -1,38 +1,38 @@ { "id": "ejabberd", "5apps_ldap_password": { - "encrypted_data": "RdzDZk2F4yBvgII84JGt8AF0LT4cyjRQFQvMJ5LhdB54T06Kjq3S\n", - "iv": "+3WlMHiNAFVE4iku\n", - "auth_tag": "mKheQu/KeHSyt8W783lrzA==\n", + "encrypted_data": "+sg4xj4nVTepvCOQ+Nupln+Ni2zkpxEHyJxj8IQqug==\n", + "iv": "38KjEZZbI9rNfsA1\n", + "auth_tag": "O3onB3RmxU09fBsQO9h5OA==\n", "version": 3, "cipher": "aes-256-gcm" }, "kosmos_ldap_password": { - "encrypted_data": "fABWhxMuLaF2qLFdIN//R6bgBkD60WRWiBZPErB1eBOxHqOp813o\n", - "iv": "uBPPYY/FM2hee05V\n", - "auth_tag": "cO+zP2QggWIzbuVxtkct2w==\n", + "encrypted_data": "GFTIbthhsiVnkRk8C8cqvyBTCnSQ7JgqM1djR63BYg==\n", + "iv": "07hmbipcLzslZT81\n", + "auth_tag": "yCSwv9oI/eDY5ATXn5oFmQ==\n", "version": 3, "cipher": "aes-256-gcm" }, "uploads_secret": { - "encrypted_data": "03Y8CNBstV7vYopx8X54hkRSlnwwbOg5Y0KwTPV4qys1\n", - "iv": "gLTP7Y2Y70jL+sxH\n", - "auth_tag": "HJoyOF4rYm9ayKfViuKBlA==\n", + "encrypted_data": "QMY6QnL/hxGAxG4hQBFSsM7sRR3izZO62EjZAIV2F165\n", + "iv": "Swez2eH4b11G/exT\n", + "auth_tag": "zKsX7IYoMKPOmdGxZcfMPQ==\n", "version": 3, "cipher": "aes-256-gcm" }, "admins": { - "encrypted_data": "mRX2Lxqxb//Gd76bk+G3V+eObaq+NILiMsHHjFvjBCvJrznvRzezqW1VHhwW\ndH/ZY2gM8CVCcmYNQ8Xtg/1loPYAUjROvDRirj5i9fP7zgJRc1anNmohDOle\n34aNPYverGm+IJ21sFrAv4Xe/KleJBO5ynuiInqqvljcu3LiuvSYBXW34yWB\n", - "iv": "QqJJM8gmox565JUd\n", - "auth_tag": "yWRLb22JwJjjoK6Wdr1ujg==\n", + "encrypted_data": "NMmjCdV3H/cg3G2/gToqxj0iq1UpOBwjaK8eya46doNOC77AlOdV5uPTJvqI\nJYmy31RUFPtjQUfCsidPpsbdx3k6sQjiPSRZDEA9u6S35w9hNBXHz1PLCDKb\nCfEtwM30xhmcDSFEllpXFE+0Bh1lUF/cHFt9/z5ZjSPYKSQg5cM2h89nMScJ\n", + "iv": "9TlJYq79eQy6T1l/\n", + "auth_tag": "E8KMY1uIVWtnAFmdiP1R5g==\n", "version": 3, "cipher": "aes-256-gcm" }, "erlang_cookie": { - "encrypted_data": "UDCzEWgVLH0z33Exx5G+OjUXw1odz4xO8qRLXODo5jBzMQdyYQCd\n", - "iv": "mm+fYYceD1nPsuo1\n", - "auth_tag": "77un6mkgrHAmnBQhrhpPfQ==\n", + "encrypted_data": "YKCUrV/vEH2zWXlZJWIQkYhK+uwBaHvSpYmdVQwQgQTxege7HtTs\n", + "iv": 
"c7SINIqy8p+yMlQ+\n", + "auth_tag": "b7OyWy3QFaQLENmiNqaFPg==\n", "version": 3, "cipher": "aes-256-gcm" } -} +} \ No newline at end of file
From ff7cb1ce4a2195d91b1149481abc2b62873b2cdd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Wed, 11 May 2022 14:48:30 +0200
Subject: [PATCH 2/4] Generate a hosts entry for the LDAP server
---
 site-cookbooks/kosmos-ejabberd/recipes/default.rb | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
index e94674e..39a1ec6 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@@ -3,6 +3,8 @@
 # Recipe:: default
 #
+include_recipe "kosmos-dirsrv::hostsfile"
+
 ejabberd_credentials = data_bag_item("credentials", "ejabberd")
 ejabberd_version = node["kosmos-ejabberd"]["version"]
From e53e55cb2d716e283e07a49913ec0b5f7324db0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Wed, 11 May 2022 14:49:00 +0200
Subject: [PATCH 3/4] Disable TLS for LDAP since we're using Zerotier networking
---
 site-cookbooks/kosmos-ejabberd/recipes/default.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
index 39a1ec6..cdde575 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@@ -124,7 +124,7 @@ modules:
 ]
 ldap_domain = node['kosmos-dirsrv']['master_hostname']
-ldap_encryption_type = node.chef_environment == "development" ? "none" : "tls"
+ldap_encryption_type = "none"
 ldap_base = "cn=users,dc=kosmos,dc=org"
 admin_users = ejabberd_credentials['admins']
From c56870008ed207fc62f54aeba5d5525823ed7290 Mon Sep 17 00:00:00 2001
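Review bot: The added `include_recipe "kosmos-dirsrv::hostsfile"` has no comment saying what this recipe relies on it for. Going by the commit subject it generates the hosts entry for the LDAP server, which is presumably what lets `node['kosmos-dirsrv']['master_hostname']` (read further down this recipe) resolve on the node. A one-line comment above the include would record that, for example `# Hosts entry for the LDAP server, so node['kosmos-dirsrv']['master_hostname'] resolves on this node`. It is also worth confirming that this cookbook's metadata declares a dependency on `kosmos-dirsrv`, which this page does not show.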
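Review bot: Hard-coding `ldap_encryption_type = "none"` turns LDAP transport encryption off in every environment, not only development. The service-account bind, and user passwords if ejabberd authenticates users against this directory, then cross the link unprotected at the LDAP layer. Confidentiality and server authentication rest entirely on the ZeroTier overlay and on the hosts entry for `ldap_domain` pointing at an overlay address; nothing in this hunk checks either. Consider keeping TLS as defence in depth, or reading the value from a node attribute that defaults to `"tls"` (for instance `node['kosmos-ejabberd']['ldap_encryption']`, a suggested name only) so the downgrade is an explicit per-environment choice. If the literal stays, record the assumption next to it: `# TLS off: LDAP is reached only over the ZeroTier overlay; master_hostname must never resolve to a public address`.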
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Wed, 11 May 2022 14:49:28 +0200
Subject: [PATCH 4/4] Use the new LDAP services application accounts
---
 site-cookbooks/kosmos-ejabberd/recipes/default.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
index cdde575..68c0776 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@@ -130,7 +130,7 @@ ldap_base = "cn=users,dc=kosmos,dc=org"
 admin_users = ejabberd_credentials['admins']
 hosts.each do |host|
- ldap_rootdn = "uid=xmpp,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
+ ldap_rootdn = "uid=service,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
 template "/opt/ejabberd/conf/#{host[:name]}.yml" do
 source "vhost.yml.erb"
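Review bot: The name `ldap_rootdn` reads like the directory's root or manager DN, but the value on the changed line is a per-vhost application account under `cn=applications`. A comment would stop a later maintainer from pointing it at a privileged DN, for example `# Bind DN of this vhost's application account (named after ejabberd's ldap_rootdn option), not the directory manager`. The new `uid=service` entries must exist for every `host[:name]`, with the passwords rotated in patch 1/4, before this converges; a short note saying so would help whoever applies the series out of order. Whether these accounts are limited to read access on `cn=users` is not visible here and is worth confirming on the directory side. The `hosts.each` block and the `template` resource continue past the end of this hunk.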