kosmos/chef
8
3
Fork 0
Code Issues 34 Pull Requests 3 Projects 2 Activity

Merge branch 'master' into jammy_jellyfish

Browse Source
This commit is contained in:
Râu Cao
2024-06-07 18:45:15 +00:00
parent 67244f78e1 f843a31e03
commit 37f9229fac
208 changed files with 7449 additions and 16229 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
site-cookbooks/kosmos-akkounts/attributes/default.rb
View File

@@ -1,5 +1,5 @@
node.default['akkounts']['repo'] = 'https://gitea.kosmos.org/kosmos/akkounts.git'
node.default['akkounts']['revision'] = 'master'
node.default['akkounts']['revision'] = 'live'
node.default['akkounts']['port'] = 3000
node.default['akkounts']['domain'] = 'accounts.kosmos.org'
node.default['akkounts']['primary_domain'] = 'kosmos.org'
@@ -11,9 +11,20 @@ node.default['akkounts']['smtp']['domain'] = 'kosmos.org'
node.default['akkounts']['smtp']['auth_method'] = 'plain'
node.default['akkounts']['smtp']['enable_starttls'] = 'auto'
node.default['akkounts']['btcpay']['public_url'] = nil
node.default['akkounts']['btcpay']['store_id'] = nil
node.default['akkounts']['ejabberd']['admin_url'] = nil
node.default['akkounts']['lndhub']['api_url'] = nil
node.default['akkounts']['lndhub']['public_url'] = nil
node.default['akkounts']['lndhub']['public_key'] = nil
node.default['akkounts']['lndhub']['postgres_db'] = 'lndhub'
node.default['akkounts']['nostr']['public_key'] = nil
node.default['akkounts']['s3_enabled'] = true
node.default['akkounts']['s3_endpoint'] = "https://s3.kosmos.org"
node.default['akkounts']['s3_region'] = "garage"
node.default['akkounts']['s3_bucket'] = "akkounts-production"
node.default['akkounts']['s3_alias_host'] = "https://s3.accounts.kosmos.org"

80
site-cookbooks/kosmos-akkounts/recipes/default.rb
View File

@@ -20,6 +20,7 @@ user deploy_user do
end
package "libpq-dev"
package "libvips"
include_recipe 'redisio::default'
include_recipe 'redisio::enable'
@@ -29,12 +30,12 @@ npm_package "yarn" do
version "1.22.4"
end
ruby_version = "2.7.5"
ruby_version = "3.3.0"
ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
bundle_path = "#{ruby_path}/bin/bundle"
rails_env = node.chef_environment == "development" ? "development" : "production"
ruby_build_install 'v20230615'
ruby_build_install 'v20240221'
ruby_build_definition ruby_version do
prefix_path ruby_path
end
@@ -68,15 +69,34 @@ if webhooks_allowed_ips.length > 0
env[:webhooks_allowed_ips] = webhooks_allowed_ips
end
#
# BTCPay Server
#
if btcpay_host
env[:btcpay_api_url] = "http://#{btcpay_host}:23001/api/v1"
env[:btcpay_public_url] = node['akkounts']['btcpay']['public_url']
env[:btcpay_store_id] = node['akkounts']['btcpay']['store_id']
env[:btcpay_auth_token] = credentials["btcpay_auth_token"]
end
#
# Discourse
#
env[:discourse_public_url] = "https://#{node['discourse']['domain']}"
env[:discourse_connect_secret] = credentials['discourse_connect_secret']
#
# Drone CI
#
env[:droneci_public_url] = node["droneci"]["public_url"]
#
# ejabberd
#
ejabberd_private_ip_addresses = []
search(:node, "role:ejabberd").each do |node|
ejabberd_private_ip_addresses << node["knife_zero"]["host"]
@@ -98,12 +118,21 @@ if ejabberd_private_ip_addresses.size > 0
env[:ejabberd_admin_url] = node['akkounts']['ejabberd']['admin_url']
end
#
# Gitea
#
env[:gitea_public_url] = "https://#{node['gitea']['domain']}"
#
# lndhub.go
#
if lndhub_host
node.override["akkounts"]["lndhub"]["api_url"] = "http://#{lndhub_host}:3026"
env[:lndhub_legacy_api_url] = node["akkounts"]["lndhub"]["api_url"]
env[:lndhub_api_url] = node["akkounts"]["lndhub"]["api_url"]
env[:lndhub_admin_token] = credentials["lndhub_admin_token"]
env[:lndhub_public_url] = node["akkounts"]["lndhub"]["public_url"]
env[:lndhub_public_key] = node["akkounts"]["lndhub"]["public_key"]
if postgres_readonly_host
@@ -115,10 +144,57 @@ if lndhub_host
end
end
#
# Mastodon
#
env[:mastodon_public_url] = "https://#{node['kosmos-mastodon']['domain']}"
env[:mastodon_address_domain] = node['kosmos-mastodon']['user_address_domain']
#
# MediaWiki
#
env[:mediawiki_public_url] = node['mediawiki']['url']
#
# Nostr
#
env[:nostr_private_key] = credentials['nostr_private_key']
env[:nostr_public_key] = node['akkounts']['nostr']['public_key']
#
# remoteStorage / Liquor Cabinet
#
env[:rs_storage_url] = "https://#{node['liquor-cabinet']['domain']}"
rs_redis_host = search(:node, "role:redis_server").first["knife_zero"]["host"] rescue nil
rs_redis_port = node['liquor-cabinet']['redis_port']
rs_redis_db = node['liquor-cabinet']['redis_db']
if rs_redis_host
env[:rs_redis_url] = "redis://#{rs_redis_host}:#{rs_redis_port}/#{rs_redis_db}"
end
#
# S3
#
if node['akkounts']['s3_enabled']
env[:s3_enabled] = true
env[:s3_endpoint] = node['akkounts']['s3_endpoint']
env[:s3_region] = node['akkounts']['s3_region']
env[:s3_bucket] = node['akkounts']['s3_bucket']
env[:s3_alias_host] = node['akkounts']['s3_alias_host']
env[:s3_access_key] = credentials['s3_access_key']
env[:s3_secret_key] = credentials['s3_secret_key']
end
#
# Akkounts Deployment
#
systemd_unit "akkounts.service" do
content({
Unit: {

4
site-cookbooks/kosmos-akkounts/templates/nginx_conf_akkounts_api.erb
View File

@@ -18,7 +18,7 @@ server {
access_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.access.log json;
error_log <%= node[:openresty][:log_dir] %>/<%= @domain %>.error.log warn;
location /kredits/ {
location / {
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET' always;
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
@@ -31,6 +31,6 @@ server {
proxy_buffers 1024 8k;
proxy_http_version 1.1;
proxy_pass http://_akkounts_api/api/kredits/;
proxy_pass http://_akkounts_api/api/;
}
}

21
site-cookbooks/kosmos-base/recipes/letsencrypt.rb
View File

@@ -2,27 +2,6 @@
# Cookbook Name:: kosmos-base
# Recipe:: letsencrypt
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
unless platform?('ubuntu')
raise "This recipe only supports Ubuntu installs"

36
site-cookbooks/kosmos-base/resources/tls_cert_for.rb
View File

@@ -3,6 +3,8 @@ provides :tls_cert_for
property :domain, [String, Array], name_property: true
property :auth, [String, NilClass], default: nil
property :deploy_hook, [String, NilClass], default: nil
property :acme_domain, [String, NilClass], default: nil
default_action :create
@@ -17,13 +19,35 @@ action :create do
case new_resource.auth
when "gandi_dns"
gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
hook_path = "/root/gandi_dns_certbot_hook.sh"
hook_auth_command = "#{hook_path} auth"
hook_cleanup_command = "#{hook_path} cleanup"
if new_resource.acme_domain
hook_auth_command += " #{new_resource.acme_domain}"
hook_cleanup_command += " #{new_resource.acme_domain}"
end
template hook_path do
cookbook "kosmos-base"
variables gandi_api_key: gandi_api_data_bag_item["key"]
mode 0770
variables access_token: gandi_api_credentials["access_token"]
mode 0700
sensitive true
end
if new_resource.deploy_hook
deploy_hook_path = "/etc/letsencrypt/renewal-hooks/#{domains.first}"
file deploy_hook_path do
content new_resource.deploy_hook
mode 0755
owner "root"
group "root"
end
elsif node.run_list.roles.include?("openresty_proxy")
deploy_hook_path = "/etc/letsencrypt/renewal-hooks/post/openresty"
end
# Generate a Let's Encrypt cert (only if no cert has been generated before).
@@ -34,10 +58,10 @@ action :create do
--preferred-challenges dns \
--manual-public-ip-logging-ok \
--agree-tos \
--manual-auth-hook '#{hook_path} auth' \
--manual-cleanup-hook '#{hook_path} cleanup' \
--deploy-hook /etc/letsencrypt/renewal-hooks/post/openresty \
--manual-auth-hook '#{hook_auth_command}' \
--manual-cleanup-hook '#{hook_cleanup_command}' \
--email ops@kosmos.org \
#{"--deploy-hook #{deploy_hook_path}" if defined?(deploy_hook_path)} \
#{domains.map {|d| "-d #{d}" }.join(" ")}
CMD
not_if do

57
site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb
View File

@@ -1,21 +1,16 @@
#!/usr/bin/env bash
#
set -euf -o pipefail
# ************** USAGE **************
#
# Example usage (with this hook file saved in /root/):
# Example usage:
#
# sudo su -
# certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
# --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
#
# This hook requires configuration, continue reading.
#
# ************** CONFIGURATION **************
#
# GANDI_API_KEY: Your Gandi Live API key
# ACCESS_TOKEN: Your Gandi Live API key
#
# PROVIDER_UPDATE_DELAY:
# How many seconds to wait after updating your DNS records. This may be required,
@@ -25,10 +20,16 @@ set -euf -o pipefail
#
# Defaults to 30 seconds.
#
GANDI_API_KEY="<%= @gandi_api_key %>"
# VALIDATION_DOMAIN:
# Domain to create ACME DNS entries on. Use this when redirecting ACME subdomains
# from the original domain to a proxy validation domain that we control.
#
ACCESS_TOKEN="<%= @access_token %>"
PROVIDER_UPDATE_DELAY=10
VALIDATION_DOMAIN="${2:-}"
regex='.*\.(.*\..*)'
if [[ $CERTBOT_DOMAIN =~ $regex ]]
then
DOMAIN="${BASH_REMATCH[1]}"
@@ -36,25 +37,41 @@ else
DOMAIN="${CERTBOT_DOMAIN}"
fi
if [[ -n "$VALIDATION_DOMAIN" ]]
then
if [[ $VALIDATION_DOMAIN =~ $regex ]]
then
ACME_BASE_DOMAIN="${BASH_REMATCH[1]}"
else
echo "Validation domain has to be a subdomain, but it is not: \"${VALIDATION_DOMAIN}\""
exit 1
fi
ACME_DOMAIN="${CERTBOT_DOMAIN}.${VALIDATION_DOMAIN}"
else
ACME_BASE_DOMAIN="${DOMAIN}"
ACME_DOMAIN="_acme-challenge.${CERTBOT_DOMAIN}"
fi
# To be invoked via Certbot's --manual-auth-hook
function auth {
curl -s -D- -H "Content-Type: application/json" \
-H "X-Api-Key: ${GANDI_API_KEY}" \
-d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
\"rrset_type\": \"TXT\",
\"rrset_ttl\": 3600,
\"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
"https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
curl -s -D- \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
-d "{\"rrset_name\": \"${ACME_DOMAIN}.\",
\"rrset_type\": \"TXT\",
\"rrset_ttl\": 300,
\"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
"https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records"
sleep ${PROVIDER_UPDATE_DELAY}
sleep ${PROVIDER_UPDATE_DELAY}
}
# To be invoked via Certbot's --manual-cleanup-hook
function cleanup {
curl -s -X DELETE -H "Content-Type: application/json" \
-H "X-Api-Key: ${GANDI_API_KEY}" \
https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
curl -s -X DELETE \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
"https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records/${ACME_DOMAIN}./TXT"
}
HANDLER=$1; shift;

16
site-cookbooks/kosmos-bitcoin/attributes/default.rb
View File

@@ -1,5 +1,5 @@
node.default['bitcoin']['version'] = '25.0'
node.default['bitcoin']['checksum'] = '5df67cf42ca3b9a0c38cdafec5bbb517da5b58d251f32c8d2a47511f9be1ebc2'
node.default['bitcoin']['version'] = '26.0'
node.default['bitcoin']['checksum'] = 'ab1d99276e28db62d1d9f3901e85ac358d7f1ebcb942d348a9c4e46f0fcdc0a1'
node.default['bitcoin']['username'] = 'satoshi'
node.default['bitcoin']['usergroup'] = 'bitcoin'
node.default['bitcoin']['network'] = 'mainnet'
@@ -31,7 +31,7 @@ node.default['bitcoin']['conf'] = {
node.default['bitcoin']['tor_enabled'] = true
node.default['c-lightning']['repo'] = 'https://github.com/ElementsProject/lightning'
node.default['c-lightning']['revision'] = 'v0.10.2'
node.default['c-lightning']['revision'] = 'v23.11.1'
node.default['c-lightning']['source_dir'] = '/opt/c-lightning'
node.default['c-lightning']['lightning_dir'] = "/home/#{node['bitcoin']['username']}/.lightning"
node.default['c-lightning']['alias'] = 'ln3.kosmos.org'
@@ -40,7 +40,7 @@ node.default['c-lightning']['log_level'] = 'info'
node.default['c-lightning']['public_ip'] = '148.251.237.73'
node.default['lnd']['repo'] = 'https://github.com/lightningnetwork/lnd'
node.default['lnd']['revision'] = 'v0.16.4-beta'
node.default['lnd']['revision'] = 'v0.17.3-beta'
node.default['lnd']['source_dir'] = '/opt/lnd'
node.default['lnd']['lnd_dir'] = "/home/#{node['bitcoin']['username']}/.lnd"
node.default['lnd']['alias'] = 'ln2.kosmos.org'
@@ -59,7 +59,7 @@ node.default['lnd']['tor'] = {
}
node.default['boltz']['repo'] = 'https://github.com/BoltzExchange/boltz-lnd.git'
node.default['boltz']['revision'] = 'v1.2.6'
node.default['boltz']['revision'] = 'v1.2.7'
node.default['boltz']['source_dir'] = '/opt/boltz'
node.default['boltz']['boltz_dir'] = "/home/#{node['bitcoin']['username']}/.boltz-lnd"
node.default['boltz']['grpc_host'] = '127.0.0.1'
@@ -70,7 +70,7 @@ node.default['boltz']['rest_port'] = '9003'
node.default['boltz']['no_macaroons'] = 'false'
node.default['rtl']['repo'] = 'https://github.com/Ride-The-Lightning/RTL.git'
node.default['rtl']['revision'] = 'v0.12.1'
node.default['rtl']['revision'] = 'v0.15.0'
node.default['rtl']['host'] = '10.1.1.163'
node.default['rtl']['port'] = '3000'
@@ -98,7 +98,7 @@ node.default['dotnet']['ms_packages_src_url'] = "https://packages.microsoft.com/
node.default['dotnet']['ms_packages_src_checksum'] = "4df5811c41fdded83eb9e2da9336a8dfa5594a79dc8a80133bd815f4f85b9991"
node.default['nbxplorer']['repo'] = 'https://github.com/dgarage/NBXplorer'
node.default['nbxplorer']['revision'] = 'v2.3.66'
node.default['nbxplorer']['revision'] = 'v2.5.0'
node.default['nbxplorer']['source_dir'] = '/opt/nbxplorer'
node.default['nbxplorer']['config_path'] = "/home/#{node['bitcoin']['username']}/.nbxplorer/Main/settings.config"
node.default['nbxplorer']['port'] = '24445'
@@ -106,7 +106,7 @@ node.default['nbxplorer']['postgres']['database'] = 'nbxplorer'
node.default['nbxplorer']['postgres']['user'] = 'nbxplorer'
node.default['btcpay']['repo'] = 'https://github.com/btcpayserver/btcpayserver'
node.default['btcpay']['revision'] = 'v1.11.6'
node.default['btcpay']['revision'] = 'v1.12.5'
node.default['btcpay']['source_dir'] = '/opt/btcpay'
node.default['btcpay']['config_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/Main/settings.config"
node.default['btcpay']['log_path'] = "/home/#{node['bitcoin']['username']}/.btcpayserver/debug.log"

2
site-cookbooks/kosmos-bitcoin/recipes/dotnet.rb
View File

@@ -30,4 +30,4 @@ execute 'apt_update' do
action :nothing
end
apt_package 'dotnet-sdk-7.0'
apt_package 'dotnet-sdk-8.0'

1
site-cookbooks/kosmos-bitcoin/recipes/rtl.rb
View File

@@ -3,6 +3,7 @@
# Recipe:: rtl
#
node.override["nodejs"]["repo"] = "https://deb.nodesource.com/node_18.x"
include_recipe 'kosmos-nodejs'
app_name = "rtl"

6
site-cookbooks/kosmos-ejabberd/attributes/default.rb
View File

@@ -1,7 +1,9 @@
node.default["ejabberd"]["version"] = "23.10"
node.default["ejabberd"]["package_version"] = "1"
node.default["ejabberd"]["checksum"] = "1b02108c81e22ab28be84630d54061f0584b76d5c2702e598352269736b05e77"
node.default["ejabberd"]["turn_ip_address"] = nil
node.default["ejabberd"]["turn_domain"] = "turn.kosmos.org"
node.default["ejabberd"]["stun_auth_realm"] = "kosmos.org"
node.default["ejabberd"]["stun_turn_port"] = 3478
node.default["ejabberd"]["stun_turn_port_tls"] = 5349
node.default["ejabberd"]["turn_min_port"] = 50000
node.default["ejabberd"]["turn_max_port"] = 50050
node.default["ejabberd"]["turn_max_port"] = 50999

52
site-cookbooks/kosmos-ejabberd/recipes/coturn.rb Normal file
View File

@@ -0,0 +1,52 @@
#
# Cookbook:: kosmos-ejabberd
# Recipe:: coturn
#
apt_package 'coturn'
domain = node["ejabberd"]["turn_domain"]
credentials = data_bag_item("credentials", "ejabberd")
tls_cert_for domain do
auth "gandi_dns"
action :create
end
template "/etc/turnserver.conf" do
source "turnserver.conf.erb"
mode 0644
variables listening_port: node["ejabberd"]["stun_turn_port"],
tls_listening_port: node["ejabberd"]["stun_turn_port_tls"],
listening_ip: node["ipaddress"],
relay_ip: node["ipaddress"],
min_port: node["ejabberd"]["turn_min_port"],
max_port: node["ejabberd"]["turn_max_port"],
realm: node["ejabberd"]["stun_auth_realm"],
static_auth_secret: credentials["stun_secret"],
cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
pkey: "/etc/letsencrypt/live/#{domain}/privkey.pem"
notifies :restart, "service[coturn]", :delayed
end
firewall_rule 'ejabberd_stun_turn' do
port node["ejabberd"]["stun_turn_port"]
protocol :udp
command :allow
end
firewall_rule 'ejabberd_stun_turn_tls' do
port node["ejabberd"]["stun_turn_port_tls"]
protocol :tcp
command :allow
end
firewall_rule 'ejabberd_turn' do
port node["ejabberd"]["turn_min_port"]..node["ejabberd"]["turn_max_port"]
protocol :udp
command :allow
end
service "coturn" do
action [:enable, :start]
end

12
site-cookbooks/kosmos-ejabberd/recipes/default.rb
View File

@@ -154,6 +154,11 @@ admin_users = ejabberd_credentials['admins']
hosts.each do |host|
ldap_rootdn = "uid=service,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
if host[:name] == "kosmos.org"
ldap_filter = "(&(objectClass=person)(serviceEnabled=xmpp))"
else
ldap_filter = "(objectClass=person)"
end
template "/opt/ejabberd/conf/#{host[:name]}.yml" do
source "vhost.yml.erb"
@@ -167,7 +172,8 @@ hosts.each do |host|
ldap_base: ldap_base,
ldap_server: ldap_domain,
ldap_rootdn: ldap_rootdn,
ldap_encryption_type: ldap_encryption_type
ldap_encryption_type: ldap_encryption_type,
ldap_filter: ldap_filter
notifies :reload, "service[ejabberd]", :delayed
end
end
@@ -183,10 +189,10 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
sensitive true
variables hosts: hosts,
admin_users: admin_users,
stun_auth_realm: "kosmos.org",
turn_domain: node["ejabberd"]["turn_domain"],
stun_secret: ejabberd_credentials['stun_secret'],
turn_ip_address: node["ejabberd"]["turn_ip_address"],
stun_turn_port: node["ejabberd"]["stun_turn_port"],
stun_turn_port_tls: node["ejabberd"]["stun_turn_port_tls"],
turn_min_port: node["ejabberd"]["turn_min_port"],
turn_max_port: node["ejabberd"]["turn_max_port"],
private_ip_address: node["knife_zero"]["host"],

8
site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
View File

@@ -33,11 +33,11 @@ file "/etc/letsencrypt/renewal-hooks/post/ejabberd" do
group "root"
end
gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
template "/root/gandi_dns_certbot_hook.sh" do
variables gandi_api_key: gandi_api_data_bag_item["key"]
mode 0770
variables access_token: gandi_api_credentials["access_token"]
mode 0700
end
# Generate a Let's Encrypt cert (only if no cert has been generated before).
@@ -52,7 +52,7 @@ end
# Generate a Let's Encrypt cert (only if no cert has been generated before).
# The systemd timer will take care of renewing
execute "letsencrypt cert for 5apps xmpp" do
command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.chat\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.chat\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
not_if do
File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem")
end

2
site-cookbooks/kosmos-ejabberd/recipes/nginx.rb
View File

@@ -19,7 +19,7 @@ end
openresty_stream "ejabberd" do
template "nginx_conf_streams.erb"
variables ejabberd_hosts: ["10.1.1.113"],
variables ejabberd_hosts: ["10.1.1.123"],
stun_turn_port: node["ejabberd"]["stun_turn_port"],
turn_min_port: node["ejabberd"]["turn_min_port"],
turn_max_port: node["ejabberd"]["turn_max_port"]

36
site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
View File

@@ -87,16 +87,6 @@ listen:
## "/pub/archive": mod_http_fileserver
## register: true
captcha: false
-
port: <%= @stun_turn_port %>
transport: udp
module: ejabberd_stun
auth_realm: <%= @stun_auth_realm %>
use_turn: true
tls: false
turn_ipv4_address: <%= @turn_ip_address %>
turn_min_port: <%= @turn_min_port %>
turn_max_port: <%= @turn_max_port %>
s2s_use_starttls: optional
@@ -106,8 +96,10 @@ auth_method: sql
default_db: sql
shaper:
normal: 1000
fast: 50000
normal:
rate: 3000
burst_size: 20000
fast: 100000
max_fsm_queue: 10000
@@ -131,7 +123,7 @@ shaper_rules:
max_user_sessions: 10
max_user_offline_messages:
- 5000: admin
- 100
- 1000
c2s_shaper:
- none: admin
- normal
@@ -238,20 +230,34 @@ modules:
store_current_id: true
mod_shared_roster: {}
mod_stun_disco:
offer_local_services: false
credentials_lifetime: 300
secret: <%= @stun_secret %>
services:
-
host: <%= @turn_ip_address %>
host: <%= @turn_domain %>
port: <%= @stun_turn_port %>
type: stun
transport: udp
restricted: false
-
host: <%= @turn_ip_address %>
host: <%= @turn_domain %>
port: <%= @stun_turn_port_tls %>
type: stuns
transport: tcp
restricted: false
-
host: <%= @turn_domain %>
port: <%= @stun_turn_port %>
type: turn
transport: udp
restricted: true
-
host: <%= @turn_domain %>
port: <%= @stun_turn_port_tls %>
type: turns
transport: tcp
restricted: true
mod_vcard:
search: false
mod_vcard_xupdate: {}

59
site-cookbooks/kosmos-ejabberd/templates/gandi_dns_certbot_hook.sh.erb
View File

@@ -1,21 +1,16 @@
#!/usr/bin/env bash
#
set -euf -o pipefail
# ************** USAGE **************
#
# Example usage (with this hook file saved in /root/):
# Example usage:
#
# sudo su -
# certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos -d "5apps.com" -d muc.5apps.com -d "xmpp.5apps.com" \
# --manual-auth-hook "/root/letsencrypt_hook.sh auth" --manual-cleanup-hook "/root/letsencrypt_hook.sh cleanup"
#
# This hook requires configuration, continue reading.
#
# ************** CONFIGURATION **************
#
# GANDI_API_KEY: Your Gandi Live API key
# ACCESS_TOKEN: Your Gandi Live API key
#
# PROVIDER_UPDATE_DELAY:
# How many seconds to wait after updating your DNS records. This may be required,
@@ -25,10 +20,16 @@ set -euf -o pipefail
#
# Defaults to 30 seconds.
#
GANDI_API_KEY="<%= @gandi_api_key %>"
PROVIDER_UPDATE_DELAY=30
# VALIDATION_DOMAIN:
# Domain to create ACME DNS entries on. Use this when redirecting ACME subdomains
# from the original domain to a proxy validation domain that we control.
#
ACCESS_TOKEN="<%= @access_token %>"
PROVIDER_UPDATE_DELAY=10
VALIDATION_DOMAIN="${2:-}"
regex='.*\.(.*\..*)'
if [[ $CERTBOT_DOMAIN =~ $regex ]]
then
DOMAIN="${BASH_REMATCH[1]}"
@@ -36,25 +37,41 @@ else
DOMAIN="${CERTBOT_DOMAIN}"
fi
if [[ -n "$VALIDATION_DOMAIN" ]]
then
if [[ $VALIDATION_DOMAIN =~ $regex ]]
then
ACME_BASE_DOMAIN="${BASH_REMATCH[1]}"
else
echo "Validation domain has to be a subdomain, but it is not: \"${VALIDATION_DOMAIN}\""
exit 1
fi
ACME_DOMAIN="${CERTBOT_DOMAIN}.${VALIDATION_DOMAIN}"
else
ACME_BASE_DOMAIN="${DOMAIN}"
ACME_DOMAIN="_acme-challenge.${CERTBOT_DOMAIN}"
fi
# To be invoked via Certbot's --manual-auth-hook
function auth {
curl -s -D- -H "Content-Type: application/json" \
-H "X-Api-Key: ${GANDI_API_KEY}" \
-d "{\"rrset_name\": \"_acme-challenge.${CERTBOT_DOMAIN}.\",
\"rrset_type\": \"TXT\",
\"rrset_ttl\": 3600,
\"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
"https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records"
curl -s -D- \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
-d "{\"rrset_name\": \"${ACME_DOMAIN}.\",
\"rrset_type\": \"TXT\",
\"rrset_ttl\": 300,
\"rrset_values\": [\"${CERTBOT_VALIDATION}\"]}" \
"https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records"
sleep ${PROVIDER_UPDATE_DELAY}
sleep ${PROVIDER_UPDATE_DELAY}
}
# To be invoked via Certbot's --manual-cleanup-hook
function cleanup {
curl -s -X DELETE -H "Content-Type: application/json" \
-H "X-Api-Key: ${GANDI_API_KEY}" \
https://dns.api.gandi.net/api/v5/domains/${DOMAIN}/records/_acme-challenge.${CERTBOT_DOMAIN}./TXT
curl -s -X DELETE \
-H "Content-Type: application/json" \
-H "Authorization: Bearer ${ACCESS_TOKEN}" \
"https://api.gandi.net/v5/livedns/domains/${ACME_BASE_DOMAIN}/records/${ACME_DOMAIN}./TXT"
}
HANDLER=$1; shift;

708
site-cookbooks/kosmos-ejabberd/templates/turnserver.conf.erb Normal file
View File

@@ -0,0 +1,708 @@
# Coturn TURN SERVER configuration file
#
# Boolean values note: where boolean value is supposed to be used,
# you can use '0', 'off', 'no', 'false', 'f' as 'false,
# and you can use '1', 'on', 'yes', 'true', 't' as 'true'
# If the value is missed, then it means 'true'.
#
# Listener interface device (optional, Linux only).
# NOT RECOMMENDED.
#
#listening-device=eth0
# TURN listener port for UDP and TCP (Default: 3478).
# Note: actually, TLS & DTLS sessions can connect to the
# "plain" TCP & UDP port(s), too - if allowed by configuration.
#
listening-port=<%= @listening_port %>
# TURN listener port for TLS (Default: 5349).
# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
# port(s), too - if allowed by configuration. The TURN server
# "automatically" recognizes the type of traffic. Actually, two listening
# endpoints (the "plain" one and the "tls" one) are equivalent in terms of
# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.
# For secure TCP connections, we currently support SSL version 3 and
# TLS version 1.0, 1.1 and 1.2.
# For secure UDP connections, we support DTLS version 1.
#
tls-listening-port=<%= @tls_listening_port %>
# Alternative listening port for UDP and TCP listeners;
# default (or zero) value means "listening port plus one".
# This is needed for RFC 5780 support
# (STUN extension specs, NAT behavior discovery). The TURN Server
# supports RFC 5780 only if it is started with more than one
# listening IP address of the same family (IPv4 or IPv6).
# RFC 5780 is supported only by UDP protocol, other protocols
# are listening to that endpoint only for "symmetry".
#
#alt-listening-port=0
# Alternative listening port for TLS and DTLS protocols.
# Default (or zero) value means "TLS listening port plus one".
#
#alt-tls-listening-port=0
# Listener IP address of relay server. Multiple listeners can be specified.
# If no IP(s) specified in the config file or in the command line options,
# then all IPv4 and IPv6 system IPs will be used for listening.
#
listening-ip=<%= @listening_ip %>
#listening-ip=10.207.21.238
#listening-ip=2607:f0d0:1002:51::4
# Auxiliary STUN/TURN server listening endpoint.
# Aux servers have almost full TURN and STUN functionality.
# The (minor) limitations are:
#
# 1) Auxiliary servers do not have alternative ports and
# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).
#
# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.
#
# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.
#
# There may be multiple aux-server options, each will be used for listening
# to client requests.
#
#aux-server=172.17.19.110:33478
#aux-server=[2607:f0d0:1002:51::4]:33478
# (recommended for older Linuxes only)
# Automatically balance UDP traffic over auxiliary servers (if configured).
# The load balancing is using the ALTERNATE-SERVER mechanism.
# The TURN client must support 300 ALTERNATE-SERVER response for this
# functionality.
#
#udp-self-balance
# Relay interface device for relay sockets (optional, Linux only).
# NOT RECOMMENDED.
#
#relay-device=eth1
# Relay address (the local IP address that will be used to relay the
# packets to the peer).
# Multiple relay addresses may be used.
# The same IP(s) can be used as both listening IP(s) and relay IP(s).
#
# If no relay IP(s) specified, then the turnserver will apply the default
# policy: it will decide itself which relay addresses to be used, and it
# will always be using the client socket IP address as the relay IP address
# of the TURN session (if the requested relay address family is the same
# as the family of the client socket).
#
relay-ip=<%= @relay_ip %>
#relay-ip=2607:f0d0:1002:51::5
# For Amazon EC2 users:
#
# TURN Server public/private address mapping, if the server is behind NAT.
# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported
# as relay IP address of all allocations. This scenario works only in a simple case
# when one single relay address is be used, and no RFC5780 functionality is required.
# That single relay address must be mapped by NAT to the 'external' IP.
# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.
# For that 'external' IP, NAT must forward ports directly (relayed port 12345
# must be always mapped to the same 'external' port 12345).
#
# In more complex case when more than one IP address is involved,
# that option must be used several times, each entry must
# have form "-X <public-ip/private-ip>", to map all involved addresses.
# RFC5780 NAT discovery STUN functionality will work correctly,
# if the addresses are mapped properly, even when the TURN server itself
# is behind A NAT.
#
# By default, this value is empty, and no address mapping is used.
#
#external-ip=60.70.80.91
#
#OR:
#
#external-ip=60.70.80.91/172.17.19.101
#external-ip=60.70.80.92/172.17.19.102
# Number of the relay threads to handle the established connections
# (in addition to authentication thread and the listener thread).
# If explicitly set to 0 then application runs relay process in a
# single thread, in the same thread with the listener process
# (the authentication thread will still be a separate thread).
#
# If this parameter is not set, then the default OS-dependent
# thread pattern algorithm will be employed. Usually the default
# algorithm is the most optimal, so you have to change this option
# only if you want to make some fine tweaks.
#
# In the older systems (Linux kernel before 3.9),
# the number of UDP threads is always one thread per network listening
# endpoint - including the auxiliary endpoints - unless 0 (zero) or
# 1 (one) value is set.
#
#relay-threads=0
# Lower and upper bounds of the UDP relay endpoints:
# (default values are 49152 and 65535)
#
min-port=<%= @min_port %>
max-port=<%= @max_port %>
# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.
# By default the verbose mode is off.
verbose
# Uncomment to run TURN server in 'extra' verbose mode.
# This mode is very annoying and produces lots of output.
# Not recommended under any normal circumstances.
#
#Verbose
# Uncomment to use fingerprints in the TURN messages.
# By default the fingerprints are off.
#
#fingerprint
# Uncomment to use long-term credential mechanism.
# By default no credentials mechanism is used (any user allowed).
#
#lt-cred-mech
# This option is opposite to lt-cred-mech.
# (TURN Server with no-auth option allows anonymous access).
# If neither option is defined, and no users are defined,
# then no-auth is default. If at least one user is defined,
# in this file or in command line or in usersdb file, then
# lt-cred-mech is default.
#
#no-auth
# TURN REST API flag.
# (Time Limited Long Term Credential)
# Flag that sets a special authorization option that is based upon authentication secret.
#
# This feature's purpose is to support "TURN Server REST API", see
# "TURN REST API" link in the project's page
# https://github.com/coturn/coturn/
#
# This option is used with timestamp:
#
# usercombo -> "timestamp:userid"
# turn user -> usercombo
# turn password -> base64(hmac(secret key, usercombo))
#
# This allows TURN credentials to be accounted for a specific user id.
# If you don't have a suitable id, the timestamp alone can be used.
# This option is just turning on secret-based authentication.
# The actual value of the secret is defined either by option static-auth-secret,
# or can be found in the turn_secret table in the database (see below).
#
# Read more about it:
# - https://tools.ietf.org/html/draft-uberti-behave-turn-rest-00
# - https://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf
#
# Be aware that use-auth-secret overrides some part of lt-cred-mech.
# Notice that this feature depends internally on lt-cred-mech, so if you set
# use-auth-secret then it enables internally automatically lt-cred-mech option
# like if you enable both.
#
# You can use only one of the to auth mechanisms in the same time because,
# both mechanism use the username and password validation in different way.
#
# This way be aware that you can't use both auth mechnaism in the same time!
# Use in config either the lt-cred-mech or the use-auth-secret
# to avoid any confusion.
#
use-auth-secret
# 'Static' authentication secret value (a string) for TURN REST API only.
# If not set, then the turn server
# will try to use the 'dynamic' value in turn_secret table
# in user database (if present). The database-stored value can be changed on-the-fly
# by a separate program, so this is why that other mode is 'dynamic'.
#
static-auth-secret=<%= @static_auth_secret %>
# Server name used for
# the oAuth authentication purposes.
# The default value is the realm name.
#
#server-name=blackdow.carleon.gov
# Flag that allows oAuth authentication.
#
#oauth
# 'Static' user accounts for long term credentials mechanism, only.
# This option cannot be used with TURN REST API.
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
# so that they can NOT be changed while the turnserver is running.
#
#user=username1:key1
#user=username2:key2
# OR:
#user=username1:password1
#user=username2:password2
#
# Keys must be generated by turnadmin utility. The key value depends
# on user name, realm, and password:
#
# Example:
# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic
# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee
# ('0x' in the beginning of the key is what differentiates the key from
# password. If it has 0x then it is a key, otherwise it is a password).
#
# The corresponding user account entry in the config file will be:
#
#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee
# Or, equivalently, with open clear password (less secure):
#user=ninefingers:youhavetoberealistic
#
# SQLite database file name.
#
# Default file name is /var/db/turndb or /usr/local/var/db/turndb or
# /var/lib/turn/turndb.
#
#userdb=/var/db/turndb
# PostgreSQL database connection string in the case that we are using PostgreSQL
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL
# versions connection string format, see
# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
# for 9.x and newer connection string formats.
#
#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"
# MySQL database connection string in the case that we are using MySQL
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
#
# Optional connection string parameters for the secure communications (SSL):
# ca, capath, cert, key, cipher
# (see http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
# command options description).
#
# Use string format as below (space separated parameters, all optional):
#
#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
# If you want to use in the MySQL connection string the password in encrypted format,
# then set in this option the MySQL password encryption secret key file.
#
# Warning: If this option is set, then mysql password must be set in "mysql-userdb" in encrypted format!
# If you want to use cleartext password then do not set this option!
#
# This is the file path which contain secret key of aes encryption while using password encryption.
#
#secret-key-file=/path/
# MongoDB database connection string in the case that we are using MongoDB
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
# Use string format is described at http://hergert.me/docs/mongo-c-driver/mongoc_uri.html
#
#mongo-userdb="mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
# Redis database connection string in the case that we are using Redis
# as the user database.
# This database can be used for long-term credential mechanism
# and it can store the secret value for secret-based timed authentication in TURN RESP API.
# Use string format as below (space separated parameters, all optional):
#
#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).
# This database keeps allocations status information, and it can be also used for publishing
# and delivering traffic and allocation event notifications.
# The connection string has the same parameters as redis-userdb connection string.
# Use string format as below (space separated parameters, all optional):
#
#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"
# The default realm to be used for the users when no explicit
# origin/realm relationship was found in the database, or if the TURN
# server is not using any database (just the commands-line settings
# and the userdb file). Must be used with long-term credentials
# mechanism or with TURN REST API.
#
# Note: If default realm is not specified at all, then realm falls back to the host domain name.
# If domain name is empty string, or '(None)', then it is initialized to am empty string.
#
realm=<%= @realm %>
# The flag that sets the origin consistency
# check: across the session, all requests must have the same
# main ORIGIN attribute value (if the ORIGIN was
# initially used by the session).
#
#check-origin-consistency
# Per-user allocation quota.
# default value is 0 (no quota, unlimited number of sessions per user).
# This option can also be set through the database, for a particular realm.
#
#user-quota=0
# Total allocation quota.
# default value is 0 (no quota).
# This option can also be set through the database, for a particular realm.
#
#total-quota=0
# Max bytes-per-second bandwidth a TURN session is allowed to handle
# (input and output network streams are treated separately). Anything above
# that limit will be dropped or temporary suppressed (within
# the available buffer limits).
# This option can also be set through the database, for a particular realm.
#
#max-bps=0
#
# Maximum server capacity.
# Total bytes-per-second bandwidth the TURN server is allowed to allocate
# for the sessions, combined (input and output network streams are treated separately).
#
# bps-capacity=0
# Uncomment if no UDP client listener is desired.
# By default UDP client listener is always started.
#
#no-udp
# Uncomment if no TCP client listener is desired.
# By default TCP client listener is always started.
#
#no-tcp
# Uncomment if no TLS client listener is desired.
# By default TLS client listener is always started.
#
#no-tls
# Uncomment if no DTLS client listener is desired.
# By default DTLS client listener is always started.
#
#no-dtls
# Uncomment if no UDP relay endpoints are allowed.
# By default UDP relay endpoints are enabled (like in RFC 5766).
#
#no-udp-relay
# Uncomment if no TCP relay endpoints are allowed.
# By default TCP relay endpoints are enabled (like in RFC 6062).
#
#no-tcp-relay
# Uncomment if extra security is desired,
# with nonce value having limited lifetime.
# By default, the nonce value is unique for a session,
# and has unlimited lifetime.
# Set this option to limit the nonce lifetime.
# It defaults to 600 secs (10 min) if no value is provided. After that delay,
# the client will get 438 error and will have to re-authenticate itself.
#
#stale-nonce=600
# Uncomment if you want to set the maximum allocation
# time before it has to be refreshed.
# Default is 3600s.
#
#max-allocate-lifetime=3600
# Uncomment to set the lifetime for the channel.
# Default value is 600 secs (10 minutes).
# This value MUST not be changed for production purposes.
#
#channel-lifetime=600
# Uncomment to set the permission lifetime.
# Default to 300 secs (5 minutes).
# In production this value MUST not be changed,
# however it can be useful for test purposes.
#
#permission-lifetime=300
# Certificate file.
# Use an absolute path or path relative to the
# configuration file.
#
cert=<%= @cert %>
# Private key file.
# Use an absolute path or path relative to the
# configuration file.
# Use PEM file format.
#
pkey=<%= @pkey %>
# Private key file password, if it is in encoded format.
# This option has no default value.
#
#pkey-pwd=...
# Allowed OpenSSL cipher list for TLS/DTLS connections.
# Default value is "DEFAULT".
#
#cipher-list="DEFAULT"
# CA file in OpenSSL format.
# Forces TURN server to verify the client SSL certificates.
# By default it is not set: there is no default value and the client
# certificate is not checked.
#
# Example:
#CA-file=/etc/ssh/id_rsa.cert
# Curve name for EC ciphers, if supported by OpenSSL
# library (TLS and DTLS). The default value is prime256v1,
# if pre-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,
# an optimal curve will be automatically calculated, if not defined
# by this option.
#
#ec-curve-name=prime256v1
# Use 566 bits predefined DH TLS key. Default size of the key is 1066.
#
#dh566
# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.
#
#dh2066
# Use custom DH TLS key, stored in PEM format in the file.
# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.
#
#dh-file=<DH-PEM-file-name>
# Flag to prevent stdout log messages.
# By default, all log messages are going to both stdout and to
# the configured log file. With this option everything will be
# going to the configured log only (unless the log file itself is stdout).
#
#no-stdout-log
# Option to set the log file name.
# By default, the turnserver tries to open a log file in
# /var/log, /var/tmp, /tmp and current directories directories
# (which open operation succeeds first that file will be used).
# With this option you can set the definite log file name.
# The special names are "stdout" and "-" - they will force everything
# to the stdout. Also, the "syslog" name will force everything to
# the system log (syslog).
# In the runtime, the logfile can be reset with the SIGHUP signal
# to the turnserver process.
#
#log-file=/var/tmp/turn.log
# Option to redirect all log output into system log (syslog).
#
syslog
# This flag means that no log file rollover will be used, and the log file
# name will be constructed as-is, without PID and date appendage.
# This option can be used, for example, together with the logrotate tool.
#
#simple-log
# Option to set the "redirection" mode. The value of this option
# will be the address of the alternate server for UDP & TCP service in form of
# <ip>[:<port>]. The server will send this value in the attribute
# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.
# Client will receive only values with the same address family
# as the client network endpoint address family.
# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.
# The client must use the obtained value for subsequent TURN communications.
# If more than one --alternate-server options are provided, then the functionality
# can be more accurately described as "load-balancing" than a mere "redirection".
# If the port number is omitted, then the default port
# number 3478 for the UDP/TCP protocols will be used.
# Colon (:) characters in IPv6 addresses may conflict with the syntax of
# the option. To alleviate this conflict, literal IPv6 addresses are enclosed
# in square brackets in such resource identifiers, for example:
# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .
# Multiple alternate servers can be set. They will be used in the
# round-robin manner. All servers in the pool are considered of equal weight and
# the load will be distributed equally. For example, if we have 4 alternate servers,
# then each server will receive 25% of ALLOCATE requests. A alternate TURN server
# address can be used more than one time with the alternate-server option, so this
# can emulate "weighting" of the servers.
#
# Examples:
#alternate-server=1.2.3.4:5678
#alternate-server=11.22.33.44:56789
#alternate-server=5.6.7.8
#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
# Option to set alternative server for TLS & DTLS services in form of
# <ip>:<port>. If the port number is omitted, then the default port
# number 5349 for the TLS/DTLS protocols will be used. See the previous
# option for the functionality description.
#
# Examples:
#tls-alternate-server=1.2.3.4:5678
#tls-alternate-server=11.22.33.44:56789
#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478
# Option to suppress TURN functionality, only STUN requests will be processed.
# Run as STUN server only, all TURN requests will be ignored.
# By default, this option is NOT set.
#
#stun-only
# Option to suppress STUN functionality, only TURN requests will be processed.
# Run as TURN server only, all STUN requests will be ignored.
# By default, this option is NOT set.
#
#no-stun
# This is the timestamp/username separator symbol (character) in TURN REST API.
# The default value is ':'.
# rest-api-separator=:
# Flag that can be used to allow peers on the loopback addresses (127.x.x.x and ::1).
# This is an extra security measure.
#
# (To avoid any security issue that allowing loopback access may raise,
# the no-loopback-peers option is replaced by allow-loopback-peers.)
#
# Allow it only for testing in a development environment!
# In production it adds a possible security vulnerability, so for security reasons
# it is not allowed using it together with empty cli-password.
#
#allow-loopback-peers
# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
# This is an extra security measure.
#
#no-multicast-peers
# Option to set the max time, in seconds, allowed for full allocation establishment.
# Default is 60 seconds.
#
#max-allocate-timeout=60
# Option to allow or ban specific ip addresses or ranges of ip addresses.
# If an ip address is specified as both allowed and denied, then the ip address is
# considered to be allowed. This is useful when you wish to ban a range of ip
# addresses, except for a few specific ips within that range.
#
# This can be used when you do not want users of the turn server to be able to access
# machines reachable by the turn server, but would otherwise be unreachable from the
# internet (e.g. when the turn server is sitting behind a NAT)
#
# Examples:
# denied-peer-ip=83.166.64.0-83.166.95.255
# allowed-peer-ip=83.166.68.45
# File name to store the pid of the process.
# Default is /var/run/turnserver.pid (if superuser account is used) or
# /var/tmp/turnserver.pid .
#
#pidfile="/var/run/turnserver.pid"
# Require authentication of the STUN Binding request.
# By default, the clients are allowed anonymous access to the STUN Binding functionality.
#
#secure-stun
# Mobility with ICE (MICE) specs support.
#
#mobility
# Allocate Address Family according
# If enabled then TURN server allocates address family according the TURN
# Client <=> Server communication address family.
# (By default coTURN works according RFC 6156.)
# !!Warning: Enabling this option breaks RFC6156 section-4.2 (violates use default IPv4)!!
#
#keep-address-family
# User name to run the process. After the initialization, the turnserver process
# will make an attempt to change the current user ID to that user.
#
#proc-user=<user-name>
# Group name to run the process. After the initialization, the turnserver process
# will make an attempt to change the current group ID to that group.
#
#proc-group=<group-name>
# Turn OFF the CLI support.
# By default it is always ON.
# See also options cli-ip and cli-port.
#
no-cli
#Local system IP address to be used for CLI server endpoint. Default value
# is 127.0.0.1.
#
#cli-ip=127.0.0.1
# CLI server port. Default is 5766.
#
#cli-port=5766
# CLI access password. Default is empty (no password).
# For the security reasons, it is recommended to use the encrypted
# for of the password (see the -P command in the turnadmin utility).
#
# Secure form for password 'qwerty':
#
#cli-password=$5$79a316b350311570$81df9cfb9af7f5e5a76eada31e7097b663a0670f99a3c07ded3f1c8e59c5658a
#
# Or unsecure form for the same password:
#
#cli-password=qwerty
# Enable Web-admin support on https. By default it is Disabled.
# If it is enabled it also enables a http a simple static banner page
# with a small reminder that the admin page is available only on https.
#
#web-admin
# Local system IP address to be used for Web-admin server endpoint. Default value is 127.0.0.1.
#
#web-admin-ip=127.0.0.1
# Web-admin server port. Default is 8080.
#
#web-admin-port=8080
# Web-admin server listen on STUN/TURN worker threads
# By default it is disabled for security resons! (Not recommended in any production environment!)
#
#web-admin-listen-on-workers
# Server relay. NON-STANDARD AND DANGEROUS OPTION.
# Only for those applications when we want to run
# server applications on the relay endpoints.
# This option eliminates the IP permissions check on
# the packets incoming to the relay endpoints.
#
#server-relay
# Maximum number of output sessions in ps CLI command.
# This value can be changed on-the-fly in CLI. The default value is 256.
#
#cli-max-output-sessions
# Set network engine type for the process (for internal purposes).
#
#ne=[1|2|3]
# Do not allow an TLS/DTLS version of protocol
#
#no-tlsv1
#no-tlsv1_1
#no-tlsv1_2

2
site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
View File

@@ -16,7 +16,7 @@ host_config:
ldap_password: "<%= @host[:ldap_password] %>"
ldap_encrypt: <%= @ldap_encryption_type %>
ldap_base: "ou=<%= @host[:name] %>,<%= @ldap_base %>"
ldap_filter: "(objectClass=person)"
ldap_filter: "<%= @ldap_filter %>"
<% end -%>
append_host_config:

2
site-cookbooks/kosmos-ipfs/attributes/default.rb
View File

@@ -62,4 +62,4 @@ node.default['kosmos-ipfs']['ipfs']['config'] = {
node.default['kosmos-ipfs']['nginx']['domain'] = "ipfs.kosmos.org"
node.default['kosmos-ipfs']['nginx']['external_api_port'] = 5444
node.default['kosmos-ipfs']['kredits-pinner']['revision'] = "v2.2.0"
node.default['kosmos-ipfs']['kredits-pinner']['revision'] = "v2.3.0"

42
site-cookbooks/kosmos-mastodon/recipes/default.rb
View File

@@ -44,7 +44,7 @@ end
elasticsearch_service 'elasticsearch'
postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
postgresql_credentials = data_bag_item('credentials', 'postgresql')
mastodon_path = node["kosmos-mastodon"]["directory"]
mastodon_user = "mastodon"
@@ -75,7 +75,7 @@ npm_package "yarn" do
version "1.22.4"
end
ruby_version = "3.0.6"
ruby_version = "3.3.0"
ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
bundle_path = "#{ruby_path}/bin/bundle"
@@ -168,7 +168,22 @@ execute "restart mastodon services" do
notifies :restart, "service[mastodon-streaming]", :delayed
end
mastodon_credentials = data_bag_item('credentials', 'mastodon')
credentials = data_bag_item('credentials', 'mastodon')
ldap_config = {
host: "ldap.kosmos.local",
port: 389,
method: "plain",
base: "ou=kosmos.org,cn=users,dc=kosmos,dc=org",
bind_dn: credentials["ldap_bind_dn"],
password: credentials["ldap_password"],
uid: "cn",
mail: "mail",
search_filter: "(&(|(cn=%{email})(mail=%{email}))(serviceEnabled=mastodon))",
uid_conversion_enabled: "true",
uid_conversion_search: "-",
uid_conversion_replace: "_"
}
template "#{mastodon_path}/.env.#{rails_env}" do
source "env.erb"
@@ -178,21 +193,22 @@ template "#{mastodon_path}/.env.#{rails_env}" do
variables redis_url: node["kosmos-mastodon"]["redis_url"],
domain: node["kosmos-mastodon"]["domain"],
alternate_domains: node["kosmos-mastodon"]["alternate_domains"],
paperclip_secret: mastodon_credentials['paperclip_secret'],
secret_key_base: mastodon_credentials['secret_key_base'],
otp_secret: mastodon_credentials['otp_secret'],
smtp_login: mastodon_credentials['smtp_user_name'],
smtp_password: mastodon_credentials['smtp_password'],
paperclip_secret: credentials['paperclip_secret'],
secret_key_base: credentials['secret_key_base'],
otp_secret: credentials['otp_secret'],
ldap: ldap_config,
smtp_login: credentials['smtp_user_name'],
smtp_password: credentials['smtp_password'],
smtp_from_address: "mail@#{node['kosmos-mastodon']['domain']}",
s3_endpoint: node["kosmos-mastodon"]["s3_endpoint"],
s3_region: node["kosmos-mastodon"]["s3_region"],
s3_bucket: node["kosmos-mastodon"]["s3_bucket"],
s3_alias_host: node["kosmos-mastodon"]["s3_alias_host"],
aws_access_key_id: mastodon_credentials['s3_key_id'],
aws_secret_access_key: mastodon_credentials['s3_secret_key'],
vapid_private_key: mastodon_credentials['vapid_private_key'],
vapid_public_key: mastodon_credentials['vapid_public_key'],
db_pass: postgresql_data_bag_item['mastodon_user_password'],
aws_access_key_id: credentials['s3_key_id'],
aws_secret_access_key: credentials['s3_secret_key'],
vapid_private_key: credentials['vapid_private_key'],
vapid_public_key: credentials['vapid_public_key'],
db_pass: postgresql_credentials['mastodon_user_password'],
db_host: "pg.kosmos.local",
default_locale: node["kosmos-mastodon"]["default_locale"],
allowed_private_addresses: node["kosmos-mastodon"]["allowed_private_addresses"],

1
site-cookbooks/kosmos-mastodon/recipes/nginx.rb
View File

@@ -34,6 +34,7 @@ end
tls_cert_for server_name do
auth "gandi_dns"
acme_domain "letsencrypt.kosmos.org"
action :create
end

17
site-cookbooks/kosmos-mastodon/templates/default/env.erb
View File

@@ -29,6 +29,23 @@ SMTP_LOGIN=<%= @smtp_login %>
SMTP_PASSWORD=<%= @smtp_password %>
SMTP_FROM_ADDRESS=<%= @smtp_from_address %>
<% if @ldap %>
# LDAP configuration
LDAP_ENABLED=true
LDAP_HOST=<%= @ldap[:host] %>
LDAP_PORT=<%= @ldap[:port] %>
LDAP_METHOD='<%= @ldap[:method] %>'
LDAP_BASE='<%= @ldap[:base] %>'
LDAP_BIND_DN='<%= @ldap[:bind_dn] %>'
LDAP_PASSWORD='<%= @ldap[:password] %>'
LDAP_UID=<%= @ldap[:uid] %>
LDAP_MAIL=<%= @ldap[:mail] %>
LDAP_SEARCH_FILTER='<%= @ldap[:search_filter] %>'
LDAP_UID_CONVERSION_ENABLED=<%= @ldap[:uid_conversion_enabled] %>
LDAP_UID_CONVERSION_SEARCH=<%= @ldap[:uid_conversion_search] %>
LDAP_UID_CONVERSION_REPLACE=<%= @ldap[:uid_conversion_replace] %>
<% end %>
# Optional asset host for multi-server setups
# CDN_HOST=assets.example.com

6
site-cookbooks/kosmos-mastodon/templates/default/nginx_conf_mastodon.erb
View File

@@ -32,6 +32,12 @@ server {
<% if @onion_address %>
add_header Onion-Location https://mastodon.<%= @onion_address %>$request_uri;
<% end %>
location ~ ^/.well-known/(lnurlp|keysend) {
add_header 'Access-Control-Allow-Origin' '*';
proxy_ssl_server_name on;
proxy_pass https://accounts.kosmos.org;
}
}
<% if @onion_address %>

42
site-cookbooks/kosmos-postfix/recipes/default.rb
View File

@@ -2,39 +2,21 @@
# Cookbook Name:: kosmos-postfix
# Recipe:: default
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
node.default['postfix']['main']['smtp_tls_CAfile'] = '/etc/ssl/certs/ca-certificates.crt'
node.default['postfix']['main']['smtpd_tls_CAfile'] = '/etc/ssl/certs/ca-certificates.crt'
return if node.run_list.roles.include?("email_server")
smtp_credentials = Chef::EncryptedDataBagItem.load('credentials', 'smtp')
node.override['postfix']['sasl']['smtp_sasl_user_name'] = smtp_credentials['user_name']
node.override['postfix']['sasl']['smtp_sasl_passwd'] = smtp_credentials['password']
node.override['postfix']['sasl_password_file'] = "#{node['postfix']['conf_dir']}/sasl_passwd"
node.default['postfix']['sasl']['smtp_sasl_user_name'] = smtp_credentials['user_name']
node.default['postfix']['sasl']['smtp_sasl_passwd'] = smtp_credentials['password']
node.default['postfix']['sasl_password_file'] = "#{node['postfix']['conf_dir']}/sasl_passwd"
# Postfix doesn't support smtps relayhost, use STARTSSL instead
node.override['postfix']['main']['relayhost'] = smtp_credentials['relayhost']
node.override['postfix']['main']['smtp_sasl_auth_enable'] = 'yes'
node.override['postfix']['main']['smtp_sasl_password_maps'] = "hash:#{node['postfix']['sasl_password_file']}"
node.override['postfix']['main']['smtp_sasl_security_options'] = 'noanonymous'
node.override['postfix']['main']['smtp_tls_CAfile'] = '/etc/ssl/certs/ca-certificates.crt'
node.override['postfix']['main']['smtpd_tls_CAfile'] = '/etc/ssl/certs/ca-certificates.crt'
node.default['postfix']['main']['relayhost'] = smtp_credentials['relayhost']
node.default['postfix']['main']['smtp_sasl_auth_enable'] = 'yes'
node.default['postfix']['main']['smtp_sasl_password_maps'] = "hash:#{node['postfix']['sasl_password_file']}"
node.default['postfix']['main']['smtp_sasl_security_options'] = 'noanonymous'
include_recipe 'postfix::default'

25
site-cookbooks/kosmos_email/.gitignore vendored Normal file
View File

@@ -0,0 +1,25 @@
.vagrant
*~
*#
.#*
\#*#
.*.sw[a-z]
*.un~
# Bundler
Gemfile.lock
gems.locked
bin/*
.bundle/*
# test kitchen
.kitchen/
kitchen.local.yml
# Chef Infra
Berksfile.lock
.zero-knife.rb
Policyfile.lock.json
.idea/

7
site-cookbooks/kosmos_email/CHANGELOG.md Normal file
View File

@@ -0,0 +1,7 @@
# kosmos_email CHANGELOG
This file is used to list changes made in each version of the kosmos_email cookbook.
## 0.1.0
Initial release.

20
site-cookbooks/kosmos_email/LICENSE Normal file
View File

@@ -0,0 +1,20 @@
Copyright (c) Kosmos Developers
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

9
site-cookbooks/kosmos_email/attributes/default.rb Normal file
View File

@@ -0,0 +1,9 @@
node.default["email"]["root_directory"] = "/var/vmail"
node.default["email"]["domain"] = "example.com"
node.default["email"]["hostname"] = "mail.example.com"
node.default["email"]["report_contact"] = "abuse@example.com"
node.default["email"]["ldap_host"] = "ldap.kosmos.local"
node.default["email"]["ldap_search_base"] = "cn=users,dc=kosmos,dc=org"
node.default["email"]["virtual_aliases"] = {
"admin@example.com" => "administrator@example.com"
}

115
site-cookbooks/kosmos_email/chefignore Normal file
View File

@@ -0,0 +1,115 @@
# Put files/directories that should be ignored in this file when uploading
# to a Chef Infra Server or Supermarket.
# Lines that start with '# ' are comments.
# OS generated files #
######################
.DS_Store
ehthumbs.db
Icon?
nohup.out
Thumbs.db
.envrc
# EDITORS #
###########
.#*
.project
.settings
*_flymake
*_flymake.*
*.bak
*.sw[a-z]
*.tmproj
*~
\#*
REVISION
TAGS*
tmtags
.vscode
.editorconfig
## COMPILED ##
##############
*.class
*.com
*.dll
*.exe
*.o
*.pyc
*.so
*/rdoc/
a.out
mkmf.log
# Testing #
###########
.circleci/*
.codeclimate.yml
.delivery/*
.foodcritic
.kitchen*
.mdlrc
.overcommit.yml
.rspec
.rubocop.yml
.travis.yml
.watchr
.yamllint
azure-pipelines.yml
Dangerfile
examples/*
features/*
Guardfile
kitchen.yml*
mlc_config.json
Procfile
Rakefile
spec/*
test/*
# SCM #
#######
.git
.gitattributes
.gitconfig
.github/*
.gitignore
.gitkeep
.gitmodules
.svn
*/.bzr/*
*/.git
*/.hg/*
*/.svn/*
# Berkshelf #
#############
Berksfile
Berksfile.lock
cookbooks/*
tmp
# Bundler #
###########
vendor/*
Gemfile
Gemfile.lock
# Policyfile #
##############
Policyfile.rb
Policyfile.lock.json
# Documentation #
#############
CODE_OF_CONDUCT*
CONTRIBUTING*
documentation/*
TESTING*
UPGRADING*
# Vagrant #
###########
.vagrant
Vagrantfile

25
site-cookbooks/kosmos_email/compliance/README.md Normal file
View File

@@ -0,0 +1,25 @@
# compliance
This directory contains Chef InSpec profile, waiver and input objects which are used with the Chef Infra Compliance Phase.
Detailed information on the Chef Infra Compliance Phase can be found in the [Chef Documentation](https://docs.chef.io/chef_compliance_phase/).
```plain
./compliance
├── inputs
├── profiles
└── waivers
```
Use the `chef generate` command from Chef Workstation to create content for these directories:
```sh
# Generate a Chef InSpec profile
chef generate profile PROFILE_NAME
# Generate a Chef InSpec waiver file
chef generate waiver WAIVER_NAME
# Generate a Chef InSpec input file
chef generate input INPUT_NAME
```

53
site-cookbooks/kosmos_email/kitchen.yml Normal file
View File

@@ -0,0 +1,53 @@
---
driver:
name: dokken
chef_version: 18.2.7
pull_platform_image: false
pull_chef_image: false
memory_limit: 2147483648 # 2GB
volumes:
# saves the apt archieves outside of the container
- /var/cache/apt/archives/:/var/cache/apt/archives/
## The forwarded_port port feature lets you connect to ports on the VM guest via
## localhost on the host.
## see also: https://www.vagrantup.com/docs/networking/forwarded_ports
# network:
# - ["forwarded_port", { guest: 4444, host: 4444 }]
transport:
name: dokken
provisioner:
name: dokken
# clean_dokken_sandbox: false
# You may wish to disable always updating cookbooks in CI or other testing environments.
# For example:
# always_update_cookbooks: <%= !ENV['CI'] %>
# always_update_cookbooks: false
## product_name and product_version specifies a specific Chef product and version to install.
## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/
# product_name: chef
# product_version: 16
verifier:
name: inspec
platforms:
- name: ubuntu-22.04
driver:
image: dokken/ubuntu-22.04
privileged: true
pid_one_command: /usr/lib/systemd/systemd
intermediate_instructions:
# prevent APT from deleting the APT folder
- RUN rm /etc/apt/apt.conf.d/docker-clean
suites:
- name: default
run_list:
- recipe[kosmos_email::default]
verifier:
inspec_tests:
- test/integration/default
attributes:

11
site-cookbooks/kosmos_email/metadata.rb Normal file
View File

@@ -0,0 +1,11 @@
name 'kosmos_email'
maintainer 'Kosmos Developers'
maintainer_email 'ops@kosmos.org'
license 'MIT'
description 'Installs/configures an email service'
version '0.1.0'
chef_version '>= 18.0'
depends "hostname"
depends "unbound"
depends "postfix"

43
site-cookbooks/kosmos_email/recipes/default.rb Normal file
View File

@@ -0,0 +1,43 @@
#
# Cookbook:: kosmos_email
# Recipe:: default
#
domain = node["email"]["domain"]
hostname = node["email"]["hostname"]
root_dir = node["email"]["root_directory"]
ip_addr = node["knife_zero"]["host"]
extra_hostnames = ["smtp.#{domain}", "imap.#{domain}"]
node.override["set_fqdn"] = hostname
include_recipe "hostname"
user "vmail" do
gid "mail"
system true
manage_home false
end
directory root_dir do
owner "vmail"
group "mail"
end
tls_cert_for hostname do
domain ([hostname]+extra_hostnames)
auth "gandi_dns"
deploy_hook "systemctl reload postfix.service && systemctl reload dovecot.service"
action :create
end
firewall_rule "private network access" do
command :allow
protocol :tcp
source "10.1.1.0/24"
end
include_recipe 'unbound'
include_recipe 'kosmos_email::opendkim'
include_recipe 'kosmos_email::spamassassin'
include_recipe 'kosmos_email::postfix'
include_recipe 'kosmos_email::dovecot'

90
site-cookbooks/kosmos_email/recipes/dovecot.rb Normal file
View File

@@ -0,0 +1,90 @@
#
# Cookbook:: kosmos_email
# Recipe:: dovecot
#
%w[
dovecot-core
dovecot-imapd
dovecot-ldap
dovecot-lmtpd
dovecot-pop3d
].each do |pkg|
apt_package pkg
end
domain = node["email"]["domain"]
hostname = node["email"]["hostname"]
root_dir = node["email"]["root_directory"]
ip_addr = node["knife_zero"]["host"]
ldap_search_base = node["email"]["ldap_search_base"]
ldap_user_filter = "(&(objectClass=person)(mailRoutingAddress=%u))"
credentials = Chef::EncryptedDataBagItem.load('credentials', 'email')
template "/etc/dovecot/dovecot.conf" do
source "dovecot.conf.erb"
mode 0644
# TODO variables protocols: "imap pop3 lmtp"
variables protocols: "imap lmtp",
# TODO find by email_proxy role
haproxy_trusted_networks: "10.1.1.167/32"
notifies :restart, "service[dovecot]", :delayed
end
template "/etc/dovecot/dovecot-ldap.conf.ext" do
source "dovecot-ldap.conf.ext.erb"
mode 0600
variables uris: "ldap://ldap.kosmos.local", # TODO add list of all IPs instead?
dn: credentials['ldap_dn'],
dnpass: credentials['ldap_dnpass'],
base: ldap_search_base,
user_filter: ldap_user_filter,
user_attrs: "",
pass_filter: ldap_user_filter,
pass_attrs: "mailRoutingAddress=user,mailpassword=password",
default_pass_scheme: "BLF-CRYPT"
notifies :restart, "service[dovecot]", :delayed
end
template "/etc/dovecot/conf.d/10-auth.conf" do
source "dovecot_10-auth.conf.erb"
mode 0644
notifies :restart, "service[dovecot]", :delayed
end
template "/etc/dovecot/conf.d/10-mail.conf" do
source "dovecot_10-mail.conf.erb"
mode 0644
variables mail_uid: "vmail",
mail_gid: "mail",
mail_location: "mbox:~/mail:INBOX=~/mail/INBOX",
mail_home: "#{root_dir}/%d/%n"
notifies :restart, "service[dovecot]", :delayed
end
template "/etc/dovecot/conf.d/10-master.conf" do
source "dovecot_10-master.conf.erb"
mode 0644
notifies :restart, "service[dovecot]", :delayed
end
template "/etc/dovecot/conf.d/10-ssl.conf" do
source "dovecot_10-ssl.conf.erb"
mode 0644
variables ssl: "required",
ssl_cert: node['postfix']['main']['smtpd_tls_cert_file'],
ssl_key: node['postfix']['main']['smtpd_tls_key_file']
notifies :restart, "service[dovecot]", :delayed
end
template "/etc/dovecot/conf.d/15-mailboxes.conf" do
source "dovecot_15-mailboxes.conf.erb"
mode 0644
notifies :restart, "service[dovecot]", :delayed
end
service "dovecot" do
action [:enable, :start]
end

34
site-cookbooks/kosmos_email/recipes/firewall.rb Normal file
View File

@@ -0,0 +1,34 @@
#
# Cookbook:: kosmos_email
# Recipe:: firewall
#
firewall_rule "SMTP" do
command :allow
port 25
protocol :tcp
end
firewall_rule "SMTPS" do
command :allow
port 465
protocol :tcp
end
firewall_rule "SMTPS" do
command :allow
port 587
protocol :tcp
end
firewall_rule "IMAP" do
command :allow
port 143
protocol :tcp
end
firewall_rule "IMAPS" do
command :allow
port 993
protocol :tcp
end

74
site-cookbooks/kosmos_email/recipes/opendkim.rb Normal file
View File

@@ -0,0 +1,74 @@
#
# Cookbook:: kosmos_email
# Recipe:: opendkim
#
%w[
opendkim
opendkim-tools
].each do |pkg|
apt_package pkg
end
domain = node["email"]["domain"]
selector = "mail"
socket = "inet:12301@localhost"
template "/etc/opendkim.conf" do
source "opendkim.conf.erb"
mode 0644
variables domain: domain,
selector: selector,
socket: socket
notifies :restart, "service[opendkim]", :delayed
end
template "/etc/default/opendkim" do
source "opendkim_default.erb"
mode 0644
variables socket: socket
notifies :restart, "service[opendkim]", :delayed
end
directory "/run/opendkim" do
owner "opendkim"
group "opendkim"
action :create
end
directory "/etc/opendkim"
template "/etc/opendkim/keytable" do
source "opendkim_keytable.erb"
mode 0644
variables domain: domain,
selector: selector
notifies :restart, "service[opendkim]", :delayed
end
template "/etc/opendkim/signingtable" do
source "opendkim_signingtable.erb"
mode 0644
variables domain: domain,
selector: selector
notifies :restart, "service[opendkim]", :delayed
end
directory "/etc/opendkim/keys/#{domain}" do
recursive true
end
execute "Create DKIM keys" do
cwd "/etc/opendkim/keys/#{domain}"
command "opendkim-genkey -s #{selector} -d #{domain}"
creates "/etc/opendkim/keys/#{domain}/#{selector}.private"
end
file "/etc/opendkim/keys/#{domain}/#{selector}.private" do
owner "opendkim"
group "opendkim"
end
service "opendkim" do
action [:enable, :start]
end

197
site-cookbooks/kosmos_email/recipes/postfix.rb Normal file
View File

@@ -0,0 +1,197 @@
#
# Cookbook:: kosmos_email
# Recipe:: postfix
#
%w[
postfix
postfix-ldap
].each do |pkg|
apt_package pkg
end
domain = node["email"]["domain"]
hostname = node["email"]["hostname"]
root_dir = node["email"]["root_directory"]
ip_addr = node["knife_zero"]["host"]
ldap_host = node["email"]["ldap_host"]
ldap_search_base = node["email"]["ldap_search_base"]
credentials = Chef::EncryptedDataBagItem.load('credentials', 'email')
node.normal["postfix"]["mail_type"] = "master"
node.normal["postfix"]["use_relay_restrictions_maps"] = true
node.normal["postfix"]["relay_restrictions"] = { domain => "OK", hostname => "OK" }
node.normal['postfix']['main']['myhostname'] = hostname
node.normal['postfix']['main']['mydomain'] = "$myhostname"
node.normal['postfix']['main']['myorigin'] = "$myhostname"
node.normal['postfix']['main']['mynetworks'] = ["10.1.1.0/24", "127.0.0.0/8"]
node.normal['postfix']['main']['smtp_use_tls'] = "yes"
node.normal['postfix']['main']['smtp_tls_security_level'] = "may"
node.normal['postfix']['main']['smtpd_use_tls'] = "yes"
node.normal['postfix']['main']['smtpd_tls_cert_file'] = "/etc/letsencrypt/live/#{hostname}/fullchain.pem"
node.normal['postfix']['main']['smtpd_tls_key_file'] = "/etc/letsencrypt/live/#{hostname}/privkey.pem"
node.normal['postfix']['main']['smtpd_peername_lookup'] = "no"
node.normal['postfix']['main']['mailbox_transport'] = "lmtp:unix:private/dovecot-lmtp"
node.normal['postfix']['main']['virtual_transport'] = "lmtp:unix:private/dovecot-lmtp"
node.normal['postfix']['main']['smtputf8_enable'] = "no"
node.normal['postfix']['main']['recipient_delimiter'] = "+"
node.normal['postfix']['main']['virtual_alias_maps'] = "hash:#{root_dir}/aliases, ldap:/etc/postfix/ldap-virtual_alias_maps.cf"
node.normal['postfix']['main']['virtual_mailbox_domains'] = "ldap:/etc/postfix/ldap-virtual_mailbox_domains.cf"
node.normal['postfix']['main']['virtual_mailbox_maps'] = "ldap:/etc/postfix/ldap-virtual_mailbox_maps.cf"
node.normal['postfix']['main']['smtpd_sender_login_maps'] = "ldap:/etc/postfix/ldap-smtpd_sender_login_maps.cf"
node.normal['postfix']['main']['milter_protocol'] = "6"
node.normal['postfix']['main']['milter_default_action'] = "accept"
node.normal['postfix']['main']['smtpd_milters'] = "inet:localhost:12301 local:spamass/spamass.sock"
node.normal['postfix']['main']['non_smtpd_milters'] = "inet:localhost:12301"
node.normal['postfix']['master'] = {
"#{ip_addr}:2525": {
"active": true,
"order": 1,
"type": "inet",
"private": false,
"maxproc": "1",
"command": "postscreen",
"args": [
"-o postscreen_upstream_proxy_protocol=haproxy",
"-o postscreen_cache_map=btree:$data_directory/postscreen_2525_cache",
"-o syslog_name=postfix/2525"
]
},
"#{ip_addr}:10587": {
"active": true,
"order": 2,
"type": "inet",
"private": false,
"chroot": true,
"command": "smtpd",
"args": [
"-o syslog_name=postfix/10587",
"-o smtpd_tls_security_level=encrypt",
"-o smtpd_tls_wrappermode=no",
"-o smtpd_sasl_auth_enable=yes",
"-o smtpd_sender_restrictions=reject_sender_login_mismatch",
"-o smtpd_relay_restrictions=permit_sasl_authenticated,reject",
"-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject",
"-o smtpd_sasl_type=dovecot",
"-o smtpd_sasl_path=private/auth",
"-o smtpd_upstream_proxy_protocol=haproxy",
]
},
"#{ip_addr}:10465": {
"active": true,
"order": 3,
"type": "inet",
"private": false,
"chroot": true,
"command": "smtpd",
"args": [
"-o syslog_name=postfix/10465",
"-o smtpd_tls_wrappermode=yes",
"-o smtpd_sasl_auth_enable=yes",
"-o smtpd_relay_restrictions=permit_sasl_authenticated,reject",
"-o smtpd_sender_restrictions=reject_sender_login_mismatch",
"-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject",
"-o smtpd_sasl_type=dovecot",
"-o smtpd_sasl_path=private/auth",
"-o smtpd_upstream_proxy_protocol=haproxy",
]
},
"smtpd": {
"active": true,
"order": 100,
"type": "pass",
"chroot": true,
"command": "smtpd",
"args": []
},
"dnsblog": {
"active": true,
"order": 101,
"type": "unix",
"chroot": true,
"maxproc": "0",
"command": "dnsblog",
"args": []
},
"tlsproxy": {
"active": true,
"order": 102,
"type": "unix",
"chroot": true,
"maxproc": "0",
"command": "tlsproxy",
"args": []
}
}
bash "compile_postfix_aliases" do
cwd root_dir
code "postmap #{root_dir}/aliases"
action :nothing
notifies :restart, "service[postfix]", :delayed
end
template "#{root_dir}/aliases" do
source "virtual-aliases.erb"
mode 0755
variables aliases: node["email"]["virtual_aliases"]
notifies :run, "bash[compile_postfix_aliases]", :immediately
end
ldap_default_variables = {
server_host: ldap_host,
bind_dn: credentials['ldap_dn'],
bind_pw: credentials['ldap_dnpass'],
search_base: ldap_search_base
}
template "/etc/postfix/ldap-virtual_mailbox_domains.cf" do
source "postfix_ldap-map.cf.erb"
mode 0600
variables ldap_default_variables.merge({
query_filter: "mailRoutingAddress=*@%s",
result_attribute: "mailRoutingAddress",
result_format: "%d"
})
notifies :restart, "service[postfix]", :delayed
end
template "/etc/postfix/ldap-virtual_alias_maps.cf" do
source "postfix_ldap-map.cf.erb"
mode 0600
variables ldap_default_variables.merge({
query_filter: "(&(mailRoutingAddress=%s)(mailForwardingAddress=*))",
result_attribute: "mailForwardingAddress"
})
notifies :restart, "service[postfix]", :delayed
end
template "/etc/postfix/ldap-virtual_mailbox_maps.cf" do
source "postfix_ldap-map.cf.erb"
mode 0600
variables ldap_default_variables.merge({
query_filter: "mailRoutingAddress=%s",
result_attribute: "mailRoutingAddress"
})
notifies :restart, "service[postfix]", :delayed
end
template "/etc/postfix/ldap-smtpd_sender_login_maps.cf" do
source "postfix_ldap-map.cf.erb"
mode 0600
variables ldap_default_variables.merge({
query_filter: "mailRoutingAddress=%s",
result_attribute: "mailRoutingAddress, mailForwardingAddress"
})
notifies :restart, "service[postfix]", :delayed
end
include_recipe 'postfix::server'
service "postfix" do
action [:enable, :start]
end

34
site-cookbooks/kosmos_email/recipes/spamassassin.rb Normal file
View File

@@ -0,0 +1,34 @@
#
# Cookbook:: kosmos_email
# Recipe:: spamassassin
#
%w[
spamassassin
spamc
spamass-milter
].each do |pkg|
apt_package pkg
end
domain = node["email"]["domain"]
report_contact = node["email"]["report_contact"]
template "/etc/default/spamassassin" do
source "spamassassin_default.erb"
mode 0644
variables options: "-u debian-spamd --nouser-config --max-children 10"
notifies :restart, "service[spamassassin]", :delayed
end
template "/etc/spamassassin/local.cf" do
source "spamassassin_local.cf.erb"
mode 0644
variables whitelist_auth: "*@#{domain}",
report_contact: report_contact
notifies :restart, "service[spamassassin]", :delayed
end
service "spamassassin" do
action [:enable, :start]
end

151
site-cookbooks/kosmos_email/templates/dovecot-ldap.conf.ext.erb Normal file
View File

@@ -0,0 +1,151 @@
# This file is commonly accessed via passdb {} or userdb {} section in
# conf.d/auth-ldap.conf.ext
# This file is opened as root, so it should be owned by root and mode 0600.
#
# http://wiki2.dovecot.org/AuthDatabase/LDAP
#
# NOTE: If you're not using authentication binds, you'll need to give
# dovecot-auth read access to userPassword field in the LDAP server.
# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
# already be something like this:
# access to attribute=userPassword
# by dn="<dovecot's dn>" read # add this
# by anonymous auth
# by self write
# by * none
# Space separated list of LDAP hosts to use. host:port is allowed too.
#hosts =
# LDAP URIs to use. You can use this instead of hosts list. Note that this
# setting isn't supported by all LDAP libraries.
uris = <%= @uris %>
# Distinguished Name - the username used to login to the LDAP server.
# Leave it commented out to bind anonymously (useful with auth_bind=yes).
dn = <%= @dn %>
# Password for LDAP server, if dn is specified.
dnpass = <%= @dnpass %>
# Use SASL binding instead of the simple binding. Note that this changes
# ldap_version automatically to be 3 if it's lower.
#sasl_bind = no
# SASL mechanism name to use.
#sasl_mech =
# SASL realm to use.
#sasl_realm =
# SASL authorization ID, ie. the dnpass is for this "master user", but the
# dn is still the logged in user. Normally you want to keep this empty.
#sasl_authz_id =
# Use TLS to connect to the LDAP server.
#tls = no
# TLS options, currently supported only with OpenLDAP:
#tls_ca_cert_file =
#tls_ca_cert_dir =
#tls_cipher_suite =
# TLS cert/key is used only if LDAP server requires a client certificate.
#tls_cert_file =
#tls_key_file =
# Valid values: never, hard, demand, allow, try
#tls_require_cert =
# Use the given ldaprc path.
#ldaprc_path =
# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
# to get enough output.
#debug_level = 1
# Use authentication binding for verifying password's validity. This works by
# logging into LDAP server using the username and password given by client.
# The pass_filter is used to find the DN for the user. Note that the pass_attrs
# is still used, only the password field is ignored in it. Before doing any
# search, the binding is switched back to the default DN.
#auth_bind = no
# If authentication binding is used, you can save one LDAP request per login
# if users' DN can be specified with a common template. The template can use
# the standard %variables (see user_filter). Note that you can't
# use any pass_attrs if you use this setting.
#
# If you use this setting, it's a good idea to use a different
# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
# the filename is different in userdb's args). That way one connection is used
# only for LDAP binds and another connection is used for user lookups.
# Otherwise the binding is changed to the default DN before each user lookup.
#
# For example:
# auth_bind_userdn = cn=%u,ou=people,o=org
#
#auth_bind_userdn =
# LDAP protocol version to use. Likely 2 or 3.
#ldap_version = 3
# LDAP base. %variables can be used here.
# For example: dc=mail, dc=example, dc=org
base = <%= @base %>
# Dereference: never, searching, finding, always
#deref = never
# Search scope: base, onelevel, subtree
#scope = subtree
# User attributes are given in LDAP-name=dovecot-internal-name list. The
# internal names are:
# uid - System UID
# gid - System GID
# home - Home directory
# mail - Mail location
#
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/UserDatabase/ExtraFields
user_attrs = <%= @user_attrs %>
# Filter for user lookup. Some variables can be used (see
# http://wiki2.dovecot.org/Variables for full list):
# %u - username
# %n - user part in user@domain, same as %u if there's no domain
# %d - domain part in user@domain, empty if user there's no domain
user_filter = <%= @user_filter %>
# Password checking attributes:
# user: Virtual user name (user@domain), if you wish to change the
# user-given username to something else
# password: Password, may optionally start with {type}, eg. {crypt}
# There are also other special fields which can be returned, see
# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
pass_attrs = <%= @pass_attrs %>
# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
# string. For example:
#pass_attrs = uid=user,userPassword=password,\
# homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
# Filter for password lookups
pass_filter = <%= @pass_filter %>
# Attributes and filter to get a list of all users
#iterate_attrs = uid=user
#iterate_filter = (objectClass=posixAccount)
# Default password scheme. "{scheme}" before password overrides this.
# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
default_pass_scheme = <%= @default_pass_scheme %>
# By default all LDAP lookups are performed by the auth master process.
# If blocking=yes, auth worker processes are used to perform the lookups.
# Each auth worker process creates its own LDAP connection so this can
# increase parallelism. With blocking=no the auth master process can
# keep 8 requests pipelined for the LDAP connection, while with blocking=yes
# each connection has a maximum of 1 request running. For small systems the
# blocking=no is sufficient and uses less resources.
#blocking = no

105
site-cookbooks/kosmos_email/templates/dovecot.conf.erb Normal file
View File

@@ -0,0 +1,105 @@
## Dovecot configuration file
# If you're in a hurry, see http://wiki2.dovecot.org/QuickConfiguration
# "doveconf -n" command gives a clean output of the changed settings. Use it
# instead of copy&pasting files when posting to the Dovecot mailing list.
# '#' character and everything after it is treated as comments. Extra spaces
# and tabs are ignored. If you want to use either of these explicitly, put the
# value inside quotes, eg.: key = "# char and trailing whitespace "
# Most (but not all) settings can be overridden by different protocols and/or
# source/destination IPs by placing the settings inside sections, for example:
# protocol imap { }, local 127.0.0.1 { }, remote 10.0.0.0/8 { }
# Default values are shown for each setting, it's not required to uncomment
# those. These are exceptions to this though: No sections (e.g. namespace {})
# or plugin settings are added by default, they're listed only as examples.
# Paths are also just examples with the real defaults being based on configure
# options. The paths listed here are for configure --prefix=/usr
# --sysconfdir=/etc --localstatedir=/var
# Enable installed protocols
protocols = <%= @protocols %>
#!include_try /usr/share/dovecot/protocols.d/*.protocol
# A comma separated list of IPs or hosts where to listen in for connections.
# "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
# If you want to specify non-default ports or anything more complex,
# edit conf.d/master.conf.
#listen = *, ::
# Base directory where to store runtime data.
#base_dir = /var/run/dovecot/
# Name of this instance. In multi-instance setup doveadm and other commands
# can use -i <instance_name> to select which instance is used (an alternative
# to -c <config_path>). The instance name is also added to Dovecot processes
# in ps output.
#instance_name = dovecot
# Greeting message for clients.
#login_greeting = Dovecot ready.
# Space separated list of trusted network ranges. Connections from these
# IPs are allowed to override their IP addresses and ports (for logging and
# for authentication checks). disable_plaintext_auth is also ignored for
# these networks. Typically you'd specify your IMAP proxy servers here.
#login_trusted_networks =
# Space separated list of login access check sockets (e.g. tcpwrap)
#login_access_sockets =
# With proxy_maybe=yes if proxy destination matches any of these IPs, don't do
# proxying. This isn't necessary normally, but may be useful if the destination
# IP is e.g. a load balancer's IP.
#auth_proxy_self =
# Show more verbose process titles (in ps). Currently shows user name and
# IP address. Useful for seeing who are actually using the IMAP processes
# (eg. shared mailboxes or if same uid is used for multiple accounts).
#verbose_proctitle = no
# Should all processes be killed when Dovecot master process shuts down.
# Setting this to "no" means that Dovecot can be upgraded without
# forcing existing client connections to close (although that could also be
# a problem if the upgrade is e.g. because of a security fix).
#shutdown_clients = yes
# If non-zero, run mail commands via this many connections to doveadm server,
# instead of running them directly in the same process.
#doveadm_worker_count = 0
# UNIX socket or host:port used for connecting to doveadm server
#doveadm_socket_path = doveadm-server
# Space separated list of environment variables that are preserved on Dovecot
# startup and passed down to all of its child processes. You can also give
# key=value pairs to always set specific settings.
#import_environment = TZ
##
## Dictionary server settings
##
# Dictionary can be used to store key=value lists. This is used by several
# plugins. The dictionary can be accessed either directly or though a
# dictionary server. The following dict block maps dictionary names to URIs
# when the server is used. These can then be referenced using URIs in format
# "proxy::<name>".
dict {
#quota = mysql:/etc/dovecot/dovecot-dict-sql.conf.ext
}
# Most of the actual configuration gets included below. The filenames are
# first sorted by their ASCII value and parsed in that order. The 00-prefixes
# in filenames are intended to make it easier to understand the ordering.
!include conf.d/*.conf
# A config file can also tried to be included without giving an error if
# it's not found:
!include_try local.conf
haproxy_trusted_networks = <%= @haproxy_trusted_networks %>
haproxy_timeout = 3s

127
site-cookbooks/kosmos_email/templates/dovecot_10-auth.conf.erb Normal file
View File

@@ -0,0 +1,127 @@
##
## Authentication processes
##
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
# See also ssl=required setting.
disable_plaintext_auth = yes
# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
# bsdauth and PAM require cache_key to be set for caching to be used.
#auth_cache_size = 0
# Time to live for cached data. After TTL expires the cached record is no
# longer used, *except* if the main database lookup returns internal failure.
# We also try to handle password changes automatically: If user's previous
# authentication was successful, but this one wasn't, the cache isn't used.
# For now this works only with plaintext authentication.
#auth_cache_ttl = 1 hour
# TTL for negative hits (user not found, password mismatch).
# 0 disables caching them completely.
#auth_cache_negative_ttl = 1 hour
# Space separated list of realms for SASL authentication mechanisms that need
# them. You can leave it empty if you don't want to support multiple realms.
# Many clients simply use the first one listed here, so keep the default realm
# first.
#auth_realms =
# Default realm/domain to use if none was specified. This is used for both
# SASL realms and appending @domain to username in plaintext logins.
#auth_default_realm =
# List of allowed characters in username. If the user-given username contains
# a character not listed in here, the login automatically fails. This is just
# an extra check to make sure user can't exploit any potential quote escaping
# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
# set this value to empty.
#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
# Username character translations before it's looked up from databases. The
# value contains series of from -> to characters. For example "#@/@" means
# that '#' and '/' characters are translated to '@'.
#auth_username_translation =
# Username formatting before it's looked up from databases. You can use
# the standard variables here, eg. %Lu would lowercase the username, %n would
# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
# "-AT-". This translation is done after auth_username_translation changes.
auth_username_format = %Lu
# If you want to allow master users to log in by specifying the master
# username within the normal username string (ie. not using SASL mechanism's
# support for it), you can specify the separator character here. The format
# is then <username><separator><master username>. UW-IMAP uses "*" as the
# separator, so that could be a good choice.
#auth_master_user_separator =
# Username to use for users logging in with ANONYMOUS SASL mechanism
#auth_anonymous_username = anonymous
# Maximum number of dovecot-auth worker processes. They're used to execute
# blocking passdb and userdb queries (eg. MySQL and PAM). They're
# automatically created and destroyed as needed.
#auth_worker_max_count = 30
# Host name to use in GSSAPI principal names. The default is to use the
# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
# entries.
#auth_gssapi_hostname =
# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
# default (usually /etc/krb5.keytab) if not specified. You may need to change
# the auth service to run as root to be able to read this file.
#auth_krb5_keytab =
# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
#auth_use_winbind = no
# Path for Samba's ntlm_auth helper binary.
#auth_winbind_helper_path = /usr/bin/ntlm_auth
# Time to delay before replying to failed authentications.
#auth_failure_delay = 2 secs
# Require a valid SSL client certificate or the authentication fails.
#auth_ssl_require_client_cert = no
# Take the username from client's SSL certificate, using
# X509_NAME_get_text_by_NID() which returns the subject's DN's
# CommonName.
#auth_ssl_username_from_cert = no
# Space separated list of wanted authentication mechanisms:
# plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
# gss-spnego
# NOTE: See also disable_plaintext_auth setting.
auth_mechanisms = plain login
##
## Password and user databases
##
#
# Password database is used to verify user's password (and nothing more).
# You can have multiple passdbs and userdbs. This is useful if you want to
# allow both system users (/etc/passwd) and virtual users to login without
# duplicating the system users into virtual database.
#
# <doc/wiki/PasswordDatabase.txt>
#
# User database specifies where mails are located and what user/group IDs
# own them. For single-UID configuration use "static" userdb.
#
# <doc/wiki/UserDatabase.txt>
#!include auth-deny.conf.ext
#!include auth-master.conf.ext
#!include auth-system.conf.ext
#!include auth-sql.conf.ext
!include auth-ldap.conf.ext
#!include auth-passwdfile.conf.ext
#!include auth-checkpassword.conf.ext
#!include auth-static.conf.ext

386
site-cookbooks/kosmos_email/templates/dovecot_10-mail.conf.erb Normal file
View File

@@ -0,0 +1,386 @@
##
## Mailbox locations and namespaces
##
# Location for users' mailboxes. The default is empty, which means that Dovecot
# tries to find the mailboxes automatically. This won't work if the user
# doesn't yet have any mail, so you should explicitly tell Dovecot the full
# location.
#
# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
# kept. This is called the "root mail directory", and it must be the first
# path given in the mail_location setting.
#
# There are a few special variables you can use, eg.:
#
# %u - username
# %n - user part in user@domain, same as %u if there's no domain
# %d - domain part in user@domain, empty if there's no domain
# %h - home directory
#
# See doc/wiki/Variables.txt for full list. Some examples:
#
# mail_location = maildir:~/Maildir
# mail_location = mbox:~/mail:INBOX=/var/mail/%u
# mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
#
# <doc/wiki/MailLocation.txt>
#
mail_location = <%= @mail_location %>
mail_home = <%= @mail_home %>
# If you need to set multiple mailbox locations or want to change default
# namespace settings, you can do it by defining namespace sections.
#
# You can have private, shared and public namespaces. Private namespaces
# are for user's personal mails. Shared namespaces are for accessing other
# users' mailboxes that have been shared. Public namespaces are for shared
# mailboxes that are managed by sysadmin. If you create any shared or public
# namespaces you'll typically want to enable ACL plugin also, otherwise all
# users can access all the shared mailboxes, assuming they have permissions
# on filesystem level to do so.
namespace inbox {
}
# Example shared namespace configuration
#namespace {
#type = shared
#separator = /
# Mailboxes are visible under "shared/user@domain/"
# %%n, %%d and %%u are expanded to the destination user.
#prefix = shared/%%u/
# Mail location for other users' mailboxes. Note that %variables and ~/
# expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
# destination user's data.
#location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
# Use the default namespace for saving subscriptions.
#subscriptions = no
# List the shared/ namespace only if there are visible shared mailboxes.
#list = children
#}
# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
#mail_shared_explicit_inbox = no
# System user and group used to access mails. If you use multiple, userdb
# can override these by returning uid or gid fields. You can use either numbers
# or names. <doc/wiki/UserIds.txt>
mail_uid = <%= @mail_uid %>
mail_gid = <%= @mail_gid %>
# Group to enable temporarily for privileged operations. Currently this is
# used only with INBOX when either its initial creation or dotlocking fails.
# Typically this is set to "mail" to give access to /var/mail.
mail_privileged_group = mail
# Grant access to these supplementary groups for mail processes. Typically
# these are used to set up access to shared mailboxes. Note that it may be
# dangerous to set these if users can create symlinks (e.g. if "mail" group is
# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
#mail_access_groups =
# Allow full filesystem access to clients. There's no access checks other than
# what the operating system does for the active UID/GID. It works with both
# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
# or ~user/.
#mail_full_filesystem_access = no
# Dictionary for key=value mailbox attributes. This is used for example by
# URLAUTH and METADATA extensions.
#mail_attribute_dict =
# A comment or note that is associated with the server. This value is
# accessible for authenticated users through the IMAP METADATA server
# entry "/shared/comment".
#mail_server_comment = ""
# Indicates a method for contacting the server administrator. According to
# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
# is currently not enforced. Use for example mailto:admin@example.com. This
# value is accessible for authenticated users through the IMAP METADATA server
# entry "/shared/admin".
#mail_server_admin =
##
## Mail processes
##
# Don't use mmap() at all. This is required if you store indexes to shared
# filesystems (NFS or clustered filesystem).
#mmap_disable = no
# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
# since version 3, so this should be safe to use nowadays by default.
#dotlock_use_excl = yes
# When to use fsync() or fdatasync() calls:
# optimized (default): Whenever necessary to avoid losing important data
# always: Useful with e.g. NFS when write()s are delayed
# never: Never use it (best performance, but crashes can lose data)
#mail_fsync = optimized
# Locking method for index files. Alternatives are fcntl, flock and dotlock.
# Dotlocking uses some tricks which may create more disk I/O than other locking
# methods. NFS users: flock doesn't work, remember to change mmap_disable.
#lock_method = fcntl
# Directory where mails can be temporarily stored. Usually it's used only for
# mails larger than >= 128 kB. It's used by various parts of Dovecot, for
# example LDA/LMTP while delivering large mails or zlib plugin for keeping
# uncompressed mails.
#mail_temp_dir = /tmp
# Valid UID range for users, defaults to 500 and above. This is mostly
# to make sure that users can't log in as daemons or other system users.
# Note that denying root logins is hardcoded to dovecot binary and can't
# be done even if first_valid_uid is set to 0.
#first_valid_uid = 500
#last_valid_uid = 0
# Valid GID range for users, defaults to non-root/wheel. Users having
# non-valid GID as primary group ID aren't allowed to log in. If user
# belongs to supplementary groups with non-valid GIDs, those groups are
# not set.
#first_valid_gid = 1
#last_valid_gid = 0
# Maximum allowed length for mail keyword name. It's only forced when trying
# to create new keywords.
#mail_max_keyword_length = 50
# ':' separated list of directories under which chrooting is allowed for mail
# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
# This setting doesn't affect login_chroot, mail_chroot or auth chroot
# settings. If this setting is empty, "/./" in home dirs are ignored.
# WARNING: Never add directories here which local users can modify, that
# may lead to root exploit. Usually this should be done only if you don't
# allow shell access for users. <doc/wiki/Chrooting.txt>
#valid_chroot_dirs =
# Default chroot directory for mail processes. This can be overridden for
# specific users in user database by giving /./ in user's home directory
# (eg. /home/./user chroots into /home). Note that usually there is no real
# need to do chrooting, Dovecot doesn't allow users to access files outside
# their mail directory anyway. If your home directories are prefixed with
# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
#mail_chroot =
# UNIX socket path to master authentication server to find users.
# This is used by imap (for shared users) and lda.
#auth_socket_path = /var/run/dovecot/auth-userdb
# Directory where to look up mail plugins.
#mail_plugin_dir = /usr/lib/dovecot/modules
# Space separated list of plugins to load for all services. Plugins specific to
# IMAP, LDA, etc. are added to this list in their own .conf files.
#mail_plugins =
##
## Mailbox handling optimizations
##
# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
# also required for IMAP NOTIFY extension to be enabled.
#mailbox_list_index = yes
# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost
# of potentially returning out-of-date results after e.g. server crashes.
# The results will be automatically fixed once the folders are opened.
#mailbox_list_index_very_dirty_syncs = yes
# Should INBOX be kept up-to-date in the mailbox list index? By default it's
# not, because most of the mailbox accesses will open INBOX anyway.
#mailbox_list_index_include_inbox = no
# The minimum number of mails in a mailbox before updates are done to cache
# file. This allows optimizing Dovecot's behavior to do less disk writes at
# the cost of more disk reads.
#mail_cache_min_mail_count = 0
# When IDLE command is running, mailbox is checked once in a while to see if
# there are any new mails or other changes. This setting defines the minimum
# time to wait between those checks. Dovecot can also use inotify and
# kqueue to find out immediately when changes occur.
#mailbox_idle_check_interval = 30 secs
# Save mails with CR+LF instead of plain LF. This makes sending those mails
# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
# But it also creates a bit more disk I/O which may just make it slower.
# Also note that if other software reads the mboxes/maildirs, they may handle
# the extra CRs wrong and cause problems.
#mail_save_crlf = no
# Max number of mails to keep open and prefetch to memory. This only works with
# some mailbox formats and/or operating systems.
#mail_prefetch_count = 0
# How often to scan for stale temporary files and delete them (0 = never).
# These should exist only after Dovecot dies in the middle of saving mails.
#mail_temp_scan_interval = 1w
# How many slow mail accesses sorting can perform before it returns failure.
# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long.
# The untagged SORT reply is still returned, but it's likely not correct.
#mail_sort_max_read_count = 0
protocol !indexer-worker {
# If folder vsize calculation requires opening more than this many mails from
# disk (i.e. mail sizes aren't in cache already), return failure and finish
# the calculation via indexer process. Disabled by default. This setting must
# be 0 for indexer-worker processes.
#mail_vsize_bg_after_count = 0
}
##
## Maildir-specific settings
##
# By default LIST command returns all entries in maildir beginning with a dot.
# Enabling this option makes Dovecot return only entries which are directories.
# This is done by stat()ing each entry, so it causes more disk I/O.
# (For systems setting struct dirent->d_type, this check is free and it's
# done always regardless of this setting)
#maildir_stat_dirs = no
# When copying a message, do it with hard links whenever possible. This makes
# the performance much better, and it's unlikely to have any side effects.
#maildir_copy_with_hardlinks = yes
# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
# when its mtime changes unexpectedly or when we can't find the mail otherwise.
#maildir_very_dirty_syncs = no
# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
# getting the mail's physical size, except when recalculating Maildir++ quota.
# This can be useful in systems where a lot of the Maildir filenames have a
# broken size. The performance hit for enabling this is very small.
#maildir_broken_filename_sizes = no
# Always move mails from new/ directory to cur/, even when the \Recent flags
# aren't being reset.
#maildir_empty_new = no
##
## mbox-specific settings
##
# Which locking methods to use for locking mbox. There are four available:
# dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
# solution. If you want to use /var/mail/ like directory, the users
# will need write access to that directory.
# dotlock_try: Same as dotlock, but if it fails because of permissions or
# because there isn't enough disk space, just skip it.
# fcntl : Use this if possible. Works with NFS too if lockd is used.
# flock : May not exist in all systems. Doesn't work with NFS.
# lockf : May not exist in all systems. Doesn't work with NFS.
#
# You can use multiple locking methods; if you do the order they're declared
# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
# locking methods as well. Some operating systems don't allow using some of
# them simultaneously.
#
# The Debian value for mbox_write_locks differs from upstream Dovecot. It is
# changed to be compliant with Debian Policy (section 11.6) for NFS safety.
# Dovecot: mbox_write_locks = dotlock fcntl
# Debian: mbox_write_locks = fcntl dotlock
#
#mbox_read_locks = fcntl
#mbox_write_locks = fcntl dotlock
# Maximum time to wait for lock (all of them) before aborting.
#mbox_lock_timeout = 5 mins
# If dotlock exists but the mailbox isn't modified in any way, override the
# lock file after this much time.
#mbox_dotlock_change_timeout = 2 mins
# When mbox changes unexpectedly we have to fully read it to find out what
# changed. If the mbox is large this can take a long time. Since the change
# is usually just a newly appended mail, it'd be faster to simply read the
# new mails. If this setting is enabled, Dovecot does this but still safely
# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
# how it's expected to be. The only real downside to this setting is that if
# some other MUA changes message flags, Dovecot doesn't notice it immediately.
# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK
# commands.
#mbox_dirty_syncs = yes
# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
#mbox_very_dirty_syncs = no
# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
# commands and when closing the mailbox). This is especially useful for POP3
# where clients often delete all mails. The downside is that our changes
# aren't immediately visible to other MUAs.
#mbox_lazy_writes = yes
# If mbox size is smaller than this (e.g. 100k), don't write index files.
# If an index file already exists it's still read, just not updated.
#mbox_min_index_size = 0
# Mail header selection algorithm to use for MD5 POP3 UIDLs when
# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
# algorithm, but it fails if the first Received: header isn't unique in all
# mails. An alternative algorithm is "all" that selects all headers.
#mbox_md5 = apop3d
##
## mdbox-specific settings
##
# Maximum dbox file size until it's rotated.
#mdbox_rotate_size = 10M
# Maximum dbox file age until it's rotated. Typically in days. Day begins
# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
#mdbox_rotate_interval = 0
# When creating new mdbox files, immediately preallocate their size to
# mdbox_rotate_size. This setting currently works only in Linux with some
# filesystems (ext4, xfs).
#mdbox_preallocate_space = no
##
## Mail attachments
##
# sdbox and mdbox support saving mail attachments to external files, which
# also allows single instance storage for them. Other backends don't support
# this for now.
# Directory root where to store mail attachments. Disabled, if empty.
#mail_attachment_dir =
# Attachments smaller than this aren't saved externally. It's also possible to
# write a plugin to disable saving specific attachments externally.
#mail_attachment_min_size = 128k
# Filesystem backend to use for saving attachments:
# posix : No SiS done by Dovecot (but this might help FS's own deduplication)
# sis posix : SiS with immediate byte-by-byte comparison during saving
# sis-queue posix : SiS with delayed comparison and deduplication
#mail_attachment_fs = sis posix
# Hash format to use in attachment filenames. You can add any text and
# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
#mail_attachment_hash = %{sha1}
# Settings to control adding $HasAttachment or $HasNoAttachment keywords.
# By default, all MIME parts with Content-Disposition=attachment, or inlines
# with filename parameter are consired attachments.
# add-flags - Add the keywords when saving new mails or when fetching can
# do it efficiently.
# content-type=type or !type - Include/exclude content type. Excluding will
# never consider the matched MIME part as attachment. Including will only
# negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar).
# exclude-inlined - Exclude any Content-Disposition=inline MIME part.
#mail_attachment_detection_options =

113
site-cookbooks/kosmos_email/templates/dovecot_10-master.conf.erb Normal file
View File

@@ -0,0 +1,113 @@
#default_process_limit = 100
#default_client_limit = 1000
# Default VSZ (virtual memory size) limit for service processes. This is mainly
# intended to catch and kill processes that leak memory before they eat up
# everything.
#default_vsz_limit = 256M
# Login user is internally used by login processes. This is the most untrusted
# user in Dovecot system. It shouldn't have access to anything at all.
#default_login_user = dovenull
# Internal user is used by unprivileged processes. It should be separate from
# login user, so that login processes can't disturb other processes.
#default_internal_user = dovecot
service imap-login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}
inet_listener imap_haproxy {
port = 10143
haproxy = yes
}
inet_listener imaps_haproxy {
port = 10993
ssl = yes
haproxy = yes
}
# Number of connections to handle before starting a new process. Typically
# the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
# is faster. <doc/wiki/LoginProcess.txt>
#service_count = 1
# Number of processes to always keep waiting for more connections.
#process_min_avail = 0
# If you set service_count=0, you probably need to grow this.
#vsz_limit = $default_vsz_limit
}
service pop3-login {
inet_listener pop3 {
#port = 110
}
inet_listener pop3s {
#port = 995
#ssl = yes
}
}
service submission-login {
inet_listener submission {
#port = 587
}
}
service lmtp {
unix_listener /var/spool/postfix/private/dovecot-lmtp {
mode = 0600
user = postfix
group = postfix
}
}
service imap {
# Most of the memory goes to mmap()ing files. You may need to increase this
# limit if you have huge mailboxes.
#vsz_limit = $default_vsz_limit
# Max. number of IMAP processes (connections)
#process_limit = 1024
}
service pop3 {
# Max. number of POP3 processes (connections)
#process_limit = 1024
}
service submission {
# Max. number of SMTP Submission processes (connections)
#process_limit = 1024
}
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
user = postfix
group = postfix
}
}
service auth-worker {
# Auth worker process is run as root by default, so that it can access
# /etc/shadow. If this isn't necessary, the user should be changed to
# $default_internal_user.
#user = root
}
service dict {
# If dict proxy is used, mail processes should have access to its socket.
# For example: mode=0660, group=vmail and global mail_access_groups=vmail
unix_listener dict {
#mode = 0600
#user =
#group =
}
}

83
site-cookbooks/kosmos_email/templates/dovecot_10-ssl.conf.erb Normal file
View File

@@ -0,0 +1,83 @@
##
## SSL settings
##
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = <%= @ssl %>
# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
ssl_cert = <<%= @ssl_cert %>
ssl_key = <<%= @ssl_key %>
# If key file is password protected, give the password here. Alternatively
# give it when starting dovecot with -p parameter. Since this file is often
# world-readable, you may want to place this setting instead to a different
# root owned 0600 file by using ssl_key_password = <path.
#ssl_key_password =
# PEM encoded trusted certificate authority. Set this only if you intend to use
# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
# followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem)
#ssl_ca =
# Require that CRL check succeeds for client certificates.
#ssl_require_crl = yes
# Directory and/or file for trusted SSL CA certificates. These are used only
# when Dovecot needs to act as an SSL client (e.g. imapc backend or
# submission service). The directory is usually /etc/ssl/certs in
# Debian-based systems and the file is /etc/pki/tls/cert.pem in
# RedHat-based systems. Note that ssl_client_ca_file isn't recommended with
# large CA bundles, because it leads to excessive memory usage.
#ssl_client_ca_dir =
ssl_client_ca_dir = /etc/ssl/certs
#ssl_client_ca_file =
# Require valid cert when connecting to a remote server
ssl_client_require_valid_cert = yes
# Request client to send a certificate. If you also want to require it, set
# auth_ssl_require_client_cert=yes in auth section.
#ssl_verify_client_cert = no
# Which field from certificate to use for username. commonName and
# x500UniqueIdentifier are the usual choices. You'll also need to set
# auth_ssl_username_from_cert=yes.
#ssl_cert_username_field = commonName
# SSL DH parameters
# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
# Or migrate from old ssl-parameters.dat file with the command dovecot
# gives on startup when ssl_dh is unset.
ssl_dh = </usr/share/dovecot/dh.pem
# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
# TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used.
#
# Dovecot also recognizes values ANY and LATEST. ANY matches with any protocol
# version, and LATEST matches with the latest version supported by library.
#ssl_min_protocol = TLSv1.2
# SSL ciphers to use, the default is:
#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# To disable non-EC DH, use:
#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
# Colon separated list of elliptic curves to use. Empty value (the default)
# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
# example of a valid value.
#ssl_curve_list =
# Prefer the server's order of ciphers over client's.
#ssl_prefer_server_ciphers = yes
# SSL crypto device to use, for valid values run "openssl engine"
#ssl_crypto_device =
# SSL extra options. Currently supported options are:
# compression - Enable compression.
# no_ticket - Disable SSL session tickets.
#ssl_options =

106
site-cookbooks/kosmos_email/templates/dovecot_15-mailboxes.conf.erb Normal file
View File

@@ -0,0 +1,106 @@
##
## Mailbox definitions
##
# Each mailbox is specified in a separate mailbox section. The section name
# specifies the mailbox name. If it has spaces, you can put the name
# "in quotes". These sections can contain the following mailbox settings:
#
# auto:
# Indicates whether the mailbox with this name is automatically created
# implicitly when it is first accessed. The user can also be automatically
# subscribed to the mailbox after creation. The following values are
# defined for this setting:
#
# no - Never created automatically.
# create - Automatically created, but no automatic subscription.
# subscribe - Automatically created and subscribed.
#
# special_use:
# A space-separated list of SPECIAL-USE flags (RFC 6154) to use for the
# mailbox. There are no validity checks, so you could specify anything
# you want in here, but it's not a good idea to use flags other than the
# standard ones specified in the RFC:
#
# \All - This (virtual) mailbox presents all messages in the
# user's message store.
# \Archive - This mailbox is used to archive messages.
# \Drafts - This mailbox is used to hold draft messages.
# \Flagged - This (virtual) mailbox presents all messages in the
# user's message store marked with the IMAP \Flagged flag.
# \Important - This (virtual) mailbox presents all messages in the
# user's message store deemed important to user.
# \Junk - This mailbox is where messages deemed to be junk mail
# are held.
# \Sent - This mailbox is used to hold copies of messages that
# have been sent.
# \Trash - This mailbox is used to hold messages that have been
# deleted.
#
# comment:
# Defines a default comment or note associated with the mailbox. This
# value is accessible through the IMAP METADATA mailbox entries
# "/shared/comment" and "/private/comment". Users with sufficient
# privileges can override the default value for entries with a custom
# value.
# NOTE: Assumes "namespace inbox" has been defined in 10-mail.conf.
namespace inbox {
type = private
inbox = yes
mailbox Drafts {
special_use = \Drafts
auto = subscribe
}
mailbox Junk {
special_use = \Junk
auto = create
}
mailbox spam {
special_use = \Junk
auto = no
}
mailbox Spam {
special_use = \Junk
auto = no
}
mailbox Trash {
special_use = \Trash
auto = subscribe
}
mailbox TRASH {
special_use = \Trash
auto = no
}
mailbox Sent {
special_use = \Sent
auto = subscribe
}
mailbox "Sent Mail" {
special_use = \Sent
auto = no
}
mailbox "Sent Messages" {
special_use = \Sent
auto = no
}
mailbox Archive {
special_use = \Archive
auto = create
}
mailbox "Archives" {
special_use = \Archive
auto = no
}
}

59
site-cookbooks/kosmos_email/templates/opendkim.conf.erb Normal file
View File

@@ -0,0 +1,59 @@
# This is a basic configuration for signing and verifying. It can easily be
# adapted to suit a basic installation. See opendkim.conf(5) and
# /usr/share/doc/opendkim/examples/opendkim.conf.sample for complete
# documentation of available configuration parameters.
Syslog yes
SyslogSuccess yes
LogWhy yes
AutoRestart yes
AutoRestartRate 10/1h
# Common signing and verification parameters. In Debian, the "From" header is
# oversigned, because it is often the identity key used by reputation systems
# and thus somewhat security sensitive.
Canonicalization relaxed/simple
Mode sv
#SubDomains no
OversignHeaders From
# Signing domain, selector, and key (required). For example, perform signing
# for domain "example.com" with selector "2020" (2020._domainkey.example.com),
# using the private key stored in /etc/dkimkeys/example.private. More granular
# setup options can be found in /usr/share/doc/opendkim/README.opendkim.
Domain <%= @domain %>
Selector <%= @selector %>
#KeyFile /etc/dkimkeys/example.private
# In Debian, opendkim runs as user "opendkim". A umask of 007 is required when
# using a local socket with MTAs that access the socket as a non-privileged
# user (for example, Postfix). You may need to add user "postfix" to group
# "opendkim" in that case.
UserID opendkim
UMask 007
# Socket for the MTA connection (required). If the MTA is inside a chroot jail,
# it must be ensured that the socket is accessible. In Debian, Postfix runs in
# a chroot in /var/spool/postfix, therefore a Unix socket would have to be
# configured as shown on the last line below.
Socket local:/run/opendkim/opendkim.sock
#Socket inet:8891@localhost
#Socket inet:8891
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
PidFile /run/opendkim/opendkim.pid
# Hosts for which to sign rather than verify, default is 127.0.0.1. See the
# OPERATION section of opendkim(8) for more information.
#InternalHosts 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12
KeyTable refile:/etc/opendkim/keytable
SigningTable refile:/etc/opendkim/signingtable
# The trust anchor enables DNSSEC. In Debian, the trust anchor file is provided
# by the package dns-root-data.
TrustAnchorFile /usr/share/dns/root.key
#Nameservers 127.0.0.1
Socket <%= @socket %>

31
site-cookbooks/kosmos_email/templates/opendkim_default.erb Normal file
View File

@@ -0,0 +1,31 @@
# NOTE: This is a legacy configuration file. It is not used by the opendkim
# systemd service. Please use the corresponding configuration parameters in
# /etc/opendkim.conf instead.
#
# Previously, one would edit the default settings here, and then execute
# /lib/opendkim/opendkim.service.generate to generate systemd override files at
# /etc/systemd/system/opendkim.service.d/override.conf and
# /etc/tmpfiles.d/opendkim.conf. While this is still possible, it is now
# recommended to adjust the settings directly in /etc/opendkim.conf.
#
#DAEMON_OPTS=""
# Change to /var/spool/postfix/run/opendkim to use a Unix socket with
# postfix in a chroot:
#RUNDIR=/var/spool/postfix/run/opendkim
RUNDIR=/run/opendkim
#
# Uncomment to specify an alternate socket
# Note that setting this will override any Socket value in opendkim.conf
# default:
#SOCKET=local:$RUNDIR/opendkim.sock
# listen on all interfaces on port 54321:
#SOCKET=inet:54321
# listen on loopback on port 12345:
#SOCKET=inet:12345@localhost
# listen on 192.0.2.1 on port 12345:
#SOCKET=inet:12345@192.0.2.1
SOCKET=<%= @socket %>
USER=opendkim
GROUP=opendkim
PIDFILE=$RUNDIR/$NAME.pid
EXTRAAFTER=

1
site-cookbooks/kosmos_email/templates/opendkim_keytable.erb Normal file
View File

@@ -0,0 +1 @@
<%= @selector %>._domainkey.<%= @domain %> <%= @domain %>:<%= @selector %>:/etc/opendkim/keys/<%= @domain %>/mail.private

1
site-cookbooks/kosmos_email/templates/opendkim_signingtable.erb Normal file
View File

@@ -0,0 +1 @@
*@<%= @domain %> <%= @selector %>._domainkey.<%= @domain %>

10
site-cookbooks/kosmos_email/templates/postfix_ldap-map.cf.erb Normal file
View File

@@ -0,0 +1,10 @@
server_host = <%= @server_host %>
bind_dn = <%= @bind_dn %>
bind_pw = <%= @bind_pw %>
search_base = <%= @search_base %>
query_filter = <%= @query_filter %>
result_attribute = <%= @result_attribute %>
<% if @result_format %>
result_format = <%= @result_format %>
<% end %>

28
site-cookbooks/kosmos_email/templates/spamass-milter.erb Normal file
View File

@@ -0,0 +1,28 @@
# spamass-milt startup defaults
# OPTIONS are passed directly to spamass-milter.
# man spamass-milter for details
# Non-standard configuration notes:
# See README.Debian if you use the -x option with sendmail
# You should not pass the -d option in OPTIONS; use SOCKET for that.
# Default, use the spamass-milter user as the default user, ignore
# messages from localhost
OPTIONS="-u spamass-milter -i 127.0.0.1"
# Reject emails with spamassassin scores > 15.
#OPTIONS="${OPTIONS} -r 15"
# Do not modify Subject:, Content-Type: or body.
#OPTIONS="${OPTIONS} -m"
######################################
# If /usr/sbin/postfix is executable, the following are set by
# default. You can override them by uncommenting and changing them
# here.
######################################
# SOCKET="/var/spool/postfix/spamass/spamass.sock"
# SOCKETOWNER="postfix:postfix"
# SOCKETMODE="0660"
######################################

33
site-cookbooks/kosmos_email/templates/spamassassin_default.erb Normal file
View File

@@ -0,0 +1,33 @@
# /etc/default/spamassassin
# Duncan Findlay
# WARNING: please read README.spamd before using.
# There may be security risks.
# Prior to version 3.4.2-1, spamd could be enabled by setting
# ENABLED=1 in this file. This is no longer supported. Instead, please
# use the update-rc.d command, invoked for example as "update-rc.d
# spamassassin enable", to enable the spamd service.
# Options
# See man spamd for possible options. The -d option is automatically added.
# SpamAssassin uses a preforking model, so be careful! You need to
# make sure --max-children is not set to anything higher than 5,
# unless you know what you're doing.
OPTIONS="<%= @options %>"
# Pid file
# Where should spamd write its PID to file? If you use the -u or
# --username option above, this needs to be writable by that user.
# Otherwise, the init script will not be able to shut spamd down.
PIDFILE="/var/run/spamd.pid"
# Set nice level of spamd
#NICE="--nicelevel 15"
# Cronjob
# Set to anything but 0 to enable the cron job to automatically update
# spamassassin's rules on a nightly basis
CRON=0

119
site-cookbooks/kosmos_email/templates/spamassassin_local.cf.erb Normal file
View File

@@ -0,0 +1,119 @@
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
###########################################################################
dns_available yes
dns_server 127.0.0.1
whitelist_auth <%= @whitelist_auth %>
# A 'contact address' users should contact for more info. (replaces
# _CONTACTADDRESS_ in the report template)
report_contact <%= @report_contact %>
# Add *****SPAM***** to the Subject header of spam e-mails
#
# rewrite_header Subject *****SPAM*****
# Save spam messages as a message/rfc822 MIME attachment instead of
# modifying the original message (0: off, 2: use text/plain instead)
#
# report_safe 1
# Set which networks or hosts are considered 'trusted' by your mail
# server (i.e. not spammers)
#
# trusted_networks 212.17.35.
# Set file-locking method (flock is not safe over NFS, but is faster)
#
# lock_method flock
# Set the threshold at which a message is considered spam (default: 5.0)
#
# required_score 5.0
# Use Bayesian classifier (default: 1)
#
# use_bayes 1
# Bayesian classifier auto-learning (default: 1)
#
# bayes_auto_learn 1
# Set headers which may provide inappropriate cues to the Bayesian
# classifier
#
# bayes_ignore_header X-Bogosity
# bayes_ignore_header X-Spam-Flag
# bayes_ignore_header X-Spam-Status
# Whether to decode non- UTF-8 and non-ASCII textual parts and recode
# them to UTF-8 before the text is given over to rules processing.
#
# normalize_charset 1
# Textual body scan limit (default: 50000)
#
# Amount of data per email text/* mimepart, that will be run through body
# rules. This enables safer and faster scanning of large messages,
# perhaps having very large textual attachments. There should be no need
# to change this well tested default.
#
# body_part_scan_size 50000
# Textual rawbody data scan limit (default: 500000)
#
# Amount of data per email text/* mimepart, that will be run through
# rawbody rules.
#
# rawbody_part_scan_size 500000
# Some shortcircuiting, if the plugin is enabled
#
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
#
# default: strongly-whitelisted mails are *really* whitelisted now, if the
# shortcircuiting plugin is active, causing early exit to save CPU load.
# Uncomment to turn this on
#
# SpamAssassin tries hard not to launch DNS queries before priority -100.
# If you want to shortcircuit without launching unneeded queries, make
# sure such rule priority is below -100. These examples are already:
#
# shortcircuit USER_IN_WHITELIST on
# shortcircuit USER_IN_DEF_WHITELIST on
# shortcircuit USER_IN_ALL_SPAM_TO on
# shortcircuit SUBJECT_IN_WHITELIST on
# the opposite; blacklisted mails can also save CPU
#
# shortcircuit USER_IN_BLACKLIST on
# shortcircuit USER_IN_BLACKLIST_TO on
# shortcircuit SUBJECT_IN_BLACKLIST on
# if you have taken the time to correctly specify your "trusted_networks",
# this is another good way to save CPU
#
# shortcircuit ALL_TRUSTED on
# and a well-trained bayes DB can save running rules, too
#
# shortcircuit BAYES_99 spam
# shortcircuit BAYES_00 ham
endif # Mail::SpamAssassin::Plugin::Shortcircuit

3
site-cookbooks/kosmos_email/templates/virtual-aliases.erb Normal file
View File

@@ -0,0 +1,3 @@
<% @aliases.each do |k, v| %>
<%= "#{k}\t#{v}" %>
<% end %>

16
site-cookbooks/kosmos_email/test/integration/default/default_test.rb Normal file
View File

@@ -0,0 +1,16 @@
# Chef InSpec test for recipe kosmos_email::default
# The Chef InSpec reference, with examples and extensive documentation, can be
# found at https://docs.chef.io/inspec/resources/
describe package('postfix') do
it { should be_installed }
end
# describe package('dovecot-core') do
# it { should be_installed }
# end
describe port(25) do
it { should be_listening }
end

6
site-cookbooks/kosmos_garage/recipes/nginx_web.rb
View File

@@ -3,6 +3,8 @@
# Recipe:: nginx_web
#
gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
file "#{node['openresty']['dir']}/conf.d/garage.conf" do
content <<-EOF
upstream garage_web {
@@ -40,8 +42,12 @@ end
#
node['garage']['s3_web_domains'].each do |domain_name|
second_level_domain = domain_name.match(/(?:.*\.)?([^.]+\.[^.]+)$/) { $1 }
proxy_validation = !gandi_api_credentials["domains"].include?(second_level_domain)
tls_cert_for domain_name do
auth "gandi_dns"
acme_domain "letsencrypt.kosmos.org" if proxy_validation
action :create
end

10
site-cookbooks/kosmos_gitea/attributes/default.rb
View File

@@ -1,7 +1,5 @@
gitea_version = "1.20.5"
node.default["gitea"]["version"] = gitea_version
node.default["gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
node.default["gitea"]["binary_checksum"] = "ae8d21f36098a62272fcfa67ecbb567d0ba6cf5aecaaab29a6b98a407d435bdf"
node.default["gitea"]["version"] = "1.22.0"
node.default["gitea"]["checksum"] = "a31086f073cb9592d28611394b2de3655db515d961e4fdcf5b549cb40753ef3d"
node.default["gitea"]["working_directory"] = "/var/lib/gitea"
node.default["gitea"]["port"] = 3000
node.default["gitea"]["postgresql_host"] = "localhost:5432"
@@ -16,5 +14,5 @@ node.default["gitea"]["config"] = {
}
}
node.default["gitea"]["act_runner"]["download_url"] = "https://dl.gitea.com/act_runner/main/act_runner-main-linux-amd64"
node.default["gitea"]["act_runner"]["checksum"] = "577ec7c64e7458b1e97cbe61d02da1ba1f4ddf24281b175f24f65101e72c000c"
node.default["gitea"]["act_runner"]["version"] = "0.2.6"
node.default["gitea"]["act_runner"]["checksum"] = "234c2bdb871e7b0bfb84697f353395bfc7819faf9f0c0443845868b64a041057"

5
site-cookbooks/kosmos_gitea/recipes/act_runner.rb
View File

@@ -3,6 +3,8 @@
# Recipe:: act_runner
#
version = node["gitea"]["act_runner"]["version"]
download_url = "https://dl.gitea.com/act_runner/#{version}/act_runner-#{version}-linux-amd64"
working_directory = node["gitea"]["working_directory"]
gitea_credentials = data_bag_item("credentials", "gitea")
runners = gitea_credentials["runners"]
@@ -24,7 +26,7 @@ end
end
remote_file "/usr/local/bin/act_runner" do
source node["gitea"]["act_runner"]["download_url"]
source download_url
checksum node["gitea"]["act_runner"]["checksum"]
mode "0750"
end
@@ -66,6 +68,7 @@ act_runner register \
WorkingDirectory: runner_dir,
Environment: "HOME=/root",
ExecStart: "/usr/local/bin/act_runner daemon",
ExecStartPre: "/bin/sleep 3", # Wait for Gitea's API to be up when restarting at the same time
Restart: "always",
},
Install: {

6
site-cookbooks/kosmos_gitea/recipes/default.rb
View File

@@ -3,6 +3,8 @@
# Recipe:: default
#
version = node["gitea"]["version"]
download_url = "https://dl.gitea.io/gitea/#{version}/gitea-#{version}-linux-amd64"
working_directory = node["gitea"]["working_directory"]
git_home_directory = "/home/git"
repository_root_directory = "#{git_home_directory}/gitea-repositories"
@@ -107,8 +109,8 @@ template "#{config_directory}/app.ini" do
end
remote_file gitea_binary_path do
source node['gitea']['binary_url']
checksum node['gitea']['binary_checksum']
source download_url
checksum node['gitea']['checksum']
mode "0755"
notifies :restart, "service[gitea]", :delayed
end

4
site-cookbooks/kosmos_gitea/templates/default/app.ini.erb
View File

@@ -112,3 +112,7 @@ MINIO_USE_SSL=<%= c["use_ssl"] %>
[actions]
ENABLED = true
<% end %>
[other]
SHOW_FOOTER_VERSION = false
SHOW_FOOTER_TEMPLATE_LOAD_TIME = false

2
site-cookbooks/kosmos_kvm/attributes/default.rb
View File

@@ -7,6 +7,6 @@ node.default["kosmos_kvm"]["host"]["qemu_base_image"] = {
}
# A systemd.timer OnCalendar config value
node.default["kosmos_kvm"]["backup"]["schedule"] = "daily"
node.default["kosmos_kvm"]["backup"]["schedule"] = "0/3:00"
# Node/VM names excluded from backups
node.default["kosmos_kvm"]["backup"]["nodes_excluded"] = []

7
site-cookbooks/kosmos_kvm/files/backup_vm.sh
View File

@@ -22,8 +22,5 @@ borg create -v $REPOSITORY::$1_$(date +%F_%H-%M) \
/var/lib/libvirt/images/$1.qcow2 \
/root/backups/vm_meta/$1.xml
echo "Pivoting base image back to original"
virsh blockcommit $1 vda --pivot --base=/var/lib/libvirt/images/$1.qcow2
echo "Removing snapshot image"
rm /var/lib/libvirt/images/$1.hotswap.qcow2
echo "Pivoting base image back to original, and removing the snapshot image"
virsh blockcommit $1 vda --pivot --base=/var/lib/libvirt/images/$1.qcow2 && rm /var/lib/libvirt/images/$1.hotswap.qcow2

14
site-cookbooks/kosmos_kvm/recipes/backup.rb
View File

@@ -7,6 +7,14 @@ apt_package "borgbackup"
borg_credentials = data_bag_item("credentials", "borg")
if borg_credentials["nodes"].keys.include?(node.name)
passphrase = borg_credentials["nodes"][node.name]["passphrase"]
repository = borg_credentials["nodes"][node.name]["repository"]
else
passphrase = borg_credentials["passphrase"]
repository = borg_credentials["repository"]
end
file "/root/.ssh/borg_rsa" do
content borg_credentials["ssh_key"]
mode '0600'
@@ -15,8 +23,8 @@ end
file "/root/.borg_credentials.env" do
content <<-EOF
BORG_RSH='ssh -i /root/.ssh/borg_rsa'
BORG_PASSPHRASE=#{borg_credentials["passphrase"]}
BORG_REPO='#{borg_credentials["repository"]}'
BORG_PASSPHRASE=#{passphrase}
BORG_REPO='#{repository}'
EOF
end
@@ -54,7 +62,7 @@ end
vm_domains = search(:node, "role:kvm_guest").map{|n| n["hostname"] } \
& `virsh list --name`.strip.chomp.split("\n")
vm_domains.reject! { |d| node["kosmos_kvm"]["backup"]["nodes_excluded"].include?(d) }
vm_domains.reject! { |d| node["kosmos_kvm"]["backup"]["nodes_excluded"].any?{ |n| d.match?(/^#{n}/) } }
template "/root/backups/backup_all_vms.sh" do
source "backup_all_vms.sh.erb"

25
site-cookbooks/kosmos_liquor-cabinet/.gitignore vendored Normal file
View File

@@ -0,0 +1,25 @@
.vagrant
*~
*#
.#*
\#*#
.*.sw[a-z]
*.un~
# Bundler
Gemfile.lock
gems.locked
bin/*
.bundle/*
# test kitchen
.kitchen/
kitchen.local.yml
# Chef Infra
Berksfile.lock
.zero-knife.rb
Policyfile.lock.json
.idea/

7
site-cookbooks/kosmos_liquor-cabinet/CHANGELOG.md Normal file
View File

@@ -0,0 +1,7 @@
# kosmos_liquor-cabinet CHANGELOG
This file is used to list changes made in each version of the kosmos_liquor-cabinet cookbook.
## 0.1.0
Initial release.

21
site-cookbooks/kosmos_liquor-cabinet/LICENSE Normal file
View File

@@ -0,0 +1,21 @@
The MIT License (MIT)
Copyright (c) 2024 Kosmos Developers
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

7
site-cookbooks/kosmos_liquor-cabinet/README.md Normal file
View File

@@ -0,0 +1,7 @@
# kosmos_liquor-cabinet
Installs/configures the [Liquor Cabinet][1] [remoteStorage][2] API server and
reverse proxy.
[1]: https://gitea.kosmos.org/5apps/liquor-cabinet
[2]: https://remotestorage.io

4
site-cookbooks/kosmos_liquor-cabinet/attributes/default.rb Normal file
View File

@@ -0,0 +1,4 @@
node.default['liquor-cabinet']['app_server_role'] = 'liquor_cabinet'
node.default['liquor-cabinet']['max_upload_size'] = 100 # MB
node.default['liquor-cabinet']['server_name'] = 'storage.example.com'
node.default['liquor-cabinet']['root_redirect_url'] = 'https://example.com/storage'

115
site-cookbooks/kosmos_liquor-cabinet/chefignore Normal file
View File

@@ -0,0 +1,115 @@
# Put files/directories that should be ignored in this file when uploading
# to a Chef Infra Server or Supermarket.
# Lines that start with '# ' are comments.
# OS generated files #
######################
.DS_Store
ehthumbs.db
Icon?
nohup.out
Thumbs.db
.envrc
# EDITORS #
###########
.#*
.project
.settings
*_flymake
*_flymake.*
*.bak
*.sw[a-z]
*.tmproj
*~
\#*
REVISION
TAGS*
tmtags
.vscode
.editorconfig
## COMPILED ##
##############
*.class
*.com
*.dll
*.exe
*.o
*.pyc
*.so
*/rdoc/
a.out
mkmf.log
# Testing #
###########
.circleci/*
.codeclimate.yml
.delivery/*
.foodcritic
.kitchen*
.mdlrc
.overcommit.yml
.rspec
.rubocop.yml
.travis.yml
.watchr
.yamllint
azure-pipelines.yml
Dangerfile
examples/*
features/*
Guardfile
kitchen.yml*
mlc_config.json
Procfile
Rakefile
spec/*
test/*
# SCM #
#######
.git
.gitattributes
.gitconfig
.github/*
.gitignore
.gitkeep
.gitmodules
.svn
*/.bzr/*
*/.git
*/.hg/*
*/.svn/*
# Berkshelf #
#############
Berksfile
Berksfile.lock
cookbooks/*
tmp
# Bundler #
###########
vendor/*
Gemfile
Gemfile.lock
# Policyfile #
##############
Policyfile.rb
Policyfile.lock.json
# Documentation #
#############
CODE_OF_CONDUCT*
CONTRIBUTING*
documentation/*
TESTING*
UPGRADING*
# Vagrant #
###########
.vagrant
Vagrantfile

37
site-cookbooks/kosmos_liquor-cabinet/kitchen.yml Normal file
View File

@@ -0,0 +1,37 @@
---
driver:
name: dokken
privileged: true # allows systemd services to start
provisioner:
name: dokken
transport:
name: dokken
verifier:
name: inspec
platforms:
# @see https://github.com/chef-cookbooks/testing_examples/blob/main/kitchen.dokken.yml
# @see https://hub.docker.com/u/dokken
- name: ubuntu-20.04
driver:
image: dokken/ubuntu-20.04
pid_one_command: /bin/systemd
intermediate_instructions:
- RUN /usr/bin/apt-get update
- name: centos-8
driver:
image: dokken/centos-8
pid_one_command: /usr/lib/systemd/systemd
suites:
- name: default
run_list:
- recipe[kosmos_liquor-cabinet::default]
verifier:
inspec_tests:
- test/integration/default
attributes:

12
site-cookbooks/kosmos_liquor-cabinet/metadata.rb Normal file
View File

@@ -0,0 +1,12 @@
name 'kosmos_liquor-cabinet'
maintainer 'Kosmos Developers'
maintainer_email 'ops@kosmos.org'
license 'MIT'
description 'Installs/configures Liquor Cabinet API and reverse proxy'
version '0.1.0'
chef_version '>= 18.2'
issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
# source_url 'https://gitea.kosmos.org/kosmos/chef'
depends 'liquor_cabinet'
depends 'kosmos_openresty'

6
site-cookbooks/kosmos_liquor-cabinet/recipes/default.rb Normal file
View File

@@ -0,0 +1,6 @@
#
# Cookbook:: kosmos_liquor-cabinet
# Recipe:: default
#
include_recipe 'liquor_cabinet'

30
site-cookbooks/kosmos_liquor-cabinet/recipes/nginx.rb Normal file
View File

@@ -0,0 +1,30 @@
#
# Cookbook:: kosmos_liquor-cabinet
# Recipe:: nginx
#
app_name = node['liquor-cabinet']['app_name']
domain = node[app_name]['domain']
tls_cert_for domain do
auth "gandi_dns"
action :create
end
upstream_hosts = []
search(:node, "role:#{node[app_name]['app_server_role']}").each do |node|
upstream_hosts << node["knife_zero"]["host"]
end
upstream_hosts.push("localhost") if upstream_hosts.empty?
openresty_site domain do
template "nginx_conf_liquor-cabinet.erb"
variables app_name: app_name,
server_name: domain,
root_redirect_url: node[app_name]['root_redirect_url'],
max_upload_size: node['liquor-cabinet']['max_upload_size'],
upstream_hosts: upstream_hosts,
upstream_port: node[app_name]['rainbows']['port'],
ssl_cert: "/etc/letsencrypt/live/#{domain}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain}/privkey.pem"
end

79
site-cookbooks/kosmos_liquor-cabinet/templates/nginx_conf_liquor-cabinet.erb Normal file
View File

@@ -0,0 +1,79 @@
#
# Generated by Chef
#
upstream _<%= @app_name %> {
<% @upstream_hosts.each do |host| -%>
server <%= host %>:<%= @upstream_port %>;
<% end -%>
}
# TODO use cookbook attribute when enabling
# variables_hash_max_size 2048;
server {
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>80;
listen [::]:80;
server_name <%= @server_name %>;
# Redirect to https
location / {
return 301 https://<%= @server_name %>$request_uri;
}
}
server {
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2;
listen [::]:443 ssl http2;
server_name <%= @server_name %>;
access_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.access.log; # TODO json_liquor_cabinet;
error_log <%= node[:nginx][:log_dir] %>/<%= @app_name %>.error.log warn;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
# TODO
# log_by_lua_file "<%= @log_by_lua_file %>";
# We need strong ETags, disable compression
gzip off;
# brotli off;
# pagespeed off;
# Set a large maximum upload size
client_max_body_size <%= @max_upload_size %>m;
# TODO
# Use rate limiting (the zone is defined in
# /etc/nginx/conf.d/rate_limiting.conf)
# limit_req zone=per_ip burst=5000;
location = / {
return 301 <%= @root_redirect_url %>;
}
location / {
try_files $uri @proxy;
}
location @proxy {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_buffering on;
# Increase number of buffers. Default is 8
proxy_buffers 1024 8k;
# Needed for big uploads
proxy_read_timeout 180s;
proxy_send_timeout 180s;
proxy_pass http://_<%= @app_name %>;
proxy_next_upstream error timeout http_502 http_500;
}
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
}

11
site-cookbooks/kosmos_redis/recipes/backup.rb Normal file
View File

@@ -0,0 +1,11 @@
#
# Cookbook Name:: kosmos_redis
# Recipe:: backup
#
databases = node['redisio']['servers'].map do |server, _|
"dump-#{server['port']}"
end
node.override["backup"]["redis"]["databases"] = databases
include_recipe "backup"

16
site-cookbooks/kosmos_redis/recipes/default.rb
View File

@@ -3,16 +3,10 @@
# Recipe:: default
#
node.normal['redisio']['servers'] = [{
'port' => '6379',
'protected_mode' => 'no'
}]
include_recipe 'redisio::default'
include_recipe 'redisio::enable'
unless node.chef_environment == "development"
include_recipe "kosmos_redis::firewall"
# Backup the databases to S3
databases = node['redisio']['servers'].map do |server, _|
"dump-#{server['port']}"
end
node.override["backup"]["redis"]["databases"] = databases
include_recipe "backup"
end

19
site-cookbooks/kosmos_redis/recipes/replica.rb Normal file
View File

@@ -0,0 +1,19 @@
#
# Cookbook Name:: kosmos_redis
# Recipe:: replica
#
primary_host = search(:node, 'role:redis_server').first['knife_zero']['host'] rescue nil
if primary_host.nil?
Chef::Log.warn("No node found with 'redis_server' role. Stopping here.")
return
end
node.normal['redisio']['servers'] = [{
'port' => '6379',
'replicaof' => { 'address' => primary_host, 'port' => '6379' }
}]
include_recipe 'redisio::default'
include_recipe 'redisio::enable'

9
site-cookbooks/kosmos_website/templates/nginx_conf_website.erb
View File

@@ -18,15 +18,8 @@ server {
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
location /.well-known/lnurlp/ {
location ~ ^/.well-known/(webfinger|nostr|lnurlp|keysend) {
proxy_ssl_server_name on;
rewrite /.well-known/lnurlp/([^/]+) /lnurlpay/$1@kosmos.org break;
proxy_pass https://accounts.kosmos.org;
}
location /.well-known/keysend/ {
proxy_ssl_server_name on;
rewrite /.well-known/keysend/([^/]+) /keysend/$1@kosmos.org break;
proxy_pass https://accounts.kosmos.org;
}
}

25
site-cookbooks/liquor_cabinet/.gitignore vendored Normal file
View File

@@ -0,0 +1,25 @@
.vagrant
*~
*#
.#*
\#*#
.*.sw[a-z]
*.un~
# Bundler
Gemfile.lock
gems.locked
bin/*
.bundle/*
# test kitchen
.kitchen/
kitchen.local.yml
# Chef Infra
Berksfile.lock
.zero-knife.rb
Policyfile.lock.json
.idea/

7
site-cookbooks/liquor_cabinet/CHANGELOG.md Normal file
View File

@@ -0,0 +1,7 @@
# liquor_cabinet CHANGELOG
This file is used to list changes made in each version of the liquor_cabinet cookbook.
## 0.1.0
Initial release.

21
site-cookbooks/liquor_cabinet/LICENSE Normal file
View File

@@ -0,0 +1,21 @@
The MIT License (MIT)
Copyright (c) 2024 Kosmos Developers
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

6
site-cookbooks/liquor_cabinet/README.md Normal file
View File

@@ -0,0 +1,6 @@
# liquor_cabinet
Installs/configures the [Liquor Cabinet][1] [remoteStorage][2] API server.
[1]: https://gitea.kosmos.org/5apps/liquor-cabinet
[2]: https://remotestorage.io

28
site-cookbooks/liquor_cabinet/attributes/default.rb Normal file
View File

@@ -0,0 +1,28 @@
node.default['liquor-cabinet']['app_name'] = "liquor-cabinet"
node.default['liquor-cabinet']['user'] = "deploy"
node.default['liquor-cabinet']['group'] = "deploy"
node.default['liquor-cabinet']['repo'] = 'https://gitea.kosmos.org/5apps/liquor-cabinet.git'
node.default['liquor-cabinet']['revision'] = 'master'
node.default['liquor-cabinet']['deploy_path'] = "/opt/#{node['liquor-cabinet']['app_name']}"
node.default['liquor-cabinet']['redis_server_role'] = 'redis_server'
node.default['liquor-cabinet']['redis_port'] = 6379
node.default['liquor-cabinet']['redis_db'] = 1
node.default['liquor-cabinet']['s3_endpoint'] = nil
node.default['liquor-cabinet']['s3_region'] = nil
node.default['liquor-cabinet']['s3_bucket'] = nil
node.default['liquor-cabinet']['ufw_source_allowed'] = nil
node.default['liquor-cabinet']['maintenance_mode_enabled'] = false
node.default['liquor-cabinet']['ruby']['version'] = "3.1.4"
node.default['liquor-cabinet']['rainbows'] = {
'port' => 3000,
'preload_app' => true,
'timeout' => 60,
'worker_processes' => node['cpu']['total'],
'worker_connections' => 100,
'client_header_buffer_size' => 1024,
'client_max_body_size' => 104857600,
'client_max_header_size' => 114688,
'copy_stream' => 'IO',
'keepalive_requests' => 100,
'keepalive_timeout' => 5
}

115
site-cookbooks/liquor_cabinet/chefignore Normal file
View File

@@ -0,0 +1,115 @@
# Put files/directories that should be ignored in this file when uploading
# to a Chef Infra Server or Supermarket.
# Lines that start with '# ' are comments.
# OS generated files #
######################
.DS_Store
ehthumbs.db
Icon?
nohup.out
Thumbs.db
.envrc
# EDITORS #
###########
.#*
.project
.settings
*_flymake
*_flymake.*
*.bak
*.sw[a-z]
*.tmproj
*~
\#*
REVISION
TAGS*
tmtags
.vscode
.editorconfig
## COMPILED ##
##############
*.class
*.com
*.dll
*.exe
*.o
*.pyc
*.so
*/rdoc/
a.out
mkmf.log
# Testing #
###########
.circleci/*
.codeclimate.yml
.delivery/*
.foodcritic
.kitchen*
.mdlrc
.overcommit.yml
.rspec
.rubocop.yml
.travis.yml
.watchr
.yamllint
azure-pipelines.yml
Dangerfile
examples/*
features/*
Guardfile
kitchen.yml*
mlc_config.json
Procfile
Rakefile
spec/*
test/*
# SCM #
#######
.git
.gitattributes
.gitconfig
.github/*
.gitignore
.gitkeep
.gitmodules
.svn
*/.bzr/*
*/.git
*/.hg/*
*/.svn/*
# Berkshelf #
#############
Berksfile
Berksfile.lock
cookbooks/*
tmp
# Bundler #
###########
vendor/*
Gemfile
Gemfile.lock
# Policyfile #
##############
Policyfile.rb
Policyfile.lock.json
# Documentation #
#############
CODE_OF_CONDUCT*
CONTRIBUTING*
documentation/*
TESTING*
UPGRADING*
# Vagrant #
###########
.vagrant
Vagrantfile

37
site-cookbooks/liquor_cabinet/kitchen.yml Normal file
View File

@@ -0,0 +1,37 @@
---
driver:
name: dokken
privileged: true # allows systemd services to start
provisioner:
name: dokken
transport:
name: dokken
verifier:
name: inspec
platforms:
# @see https://github.com/chef-cookbooks/testing_examples/blob/main/kitchen.dokken.yml
# @see https://hub.docker.com/u/dokken
- name: ubuntu-20.04
driver:
image: dokken/ubuntu-20.04
pid_one_command: /bin/systemd
intermediate_instructions:
- RUN /usr/bin/apt-get update
- name: centos-8
driver:
image: dokken/centos-8
pid_one_command: /usr/lib/systemd/systemd
suites:
- name: default
run_list:
- recipe[liquor_cabinet::default]
verifier:
inspec_tests:
- test/integration/default
attributes:

12
site-cookbooks/liquor_cabinet/metadata.rb Normal file
View File

@@ -0,0 +1,12 @@
name 'liquor_cabinet'
maintainer 'Kosmos Developers'
maintainer_email 'ops@kosmos.org'
license 'MIT'
description 'Installs/configures the Liquor Cabinet remoteStorage API server'
version '0.1.0'
chef_version '>= 18.2'
issues_url 'https://gitea.kosmos.org/kosmos/chef/issues'
# source_url 'https://gitea.kosmos.org/kosmos/chef'
depends 'firewall'
depends "ruby_build"

139
site-cookbooks/liquor_cabinet/recipes/default.rb Normal file
View File

@@ -0,0 +1,139 @@
#
# Cookbook:: liquor_cabinet
# Recipe:: default
#
app_name = node['liquor-cabinet']['app_name']
deploy_user = node[app_name]['user']
deploy_group = node[app_name]['group']
deploy_path = node[app_name]['deploy_path']
credentials = Chef::EncryptedDataBagItem.load('credentials', app_name)
ruby_version = node[app_name]['ruby']['version']
ruby_path = "/opt/ruby_build/builds/#{ruby_version}"
bundle_path = "#{ruby_path}/bin/bundle"
rack_env = node.chef_environment == "production" ? "production" : "development"
ruby_build_install 'v20231225'
ruby_build_definition ruby_version do
prefix_path ruby_path
end
group deploy_group
user deploy_user do
group deploy_group
manage_home true
shell "/bin/bash"
end
directory deploy_path do
owner deploy_user
group deploy_group
mode '0750'
end
redis_server_role = node[app_name]['redis_server_role']
redis_host = search(:node, "role:#{redis_server_role}").first['knife_zero']['host'] rescue nil
if redis_host.nil?
Chef::Log.warn("No node found with '#{redis_server_role}' role. Stopping here.")
return
end
git deploy_path do
repository node[app_name]['repo']
revision node[app_name]['revision']
user deploy_user
group deploy_group
notifies :restart, "service[#{app_name}]", :delayed
end
directory "#{deploy_path}/tmp" do
owner deploy_user
group deploy_group
mode 0750
end
execute "bundle install" do
user deploy_user
cwd deploy_path
command "#{bundle_path} install --without development,test --deployment"
end
template "#{deploy_path}/config.yml.erb" do
source 'config.yml.erb'
owner deploy_user
group deploy_group
mode '0600'
sensitive true
variables environment: rack_env,
redis_host: redis_host,
redis_port: node[app_name]['redis_port'],
redis_db: node[app_name]['redis_db'],
s3_endpoint: node[app_name]['s3_endpoint'],
s3_region: node[app_name]['s3_region'],
s3_bucket: node[app_name]['s3_bucket'],
s3_access_key: credentials['s3_access_key'],
s3_secret_key: credentials['s3_secret_key'],
maintenance_mode_enabled: node[app_name]['maintenance_mode_enabled']
# TODO sentry_dsn: credentials['sentry_dsn']
notifies :restart, "service[#{app_name}]", :delayed
end
directory '/etc/rainbows' do
owner deploy_user
group deploy_group
mode '0750'
end
template "/etc/rainbows/#{app_name}.rb" do
source 'rainbows.rb.erb'
owner deploy_user
group deploy_group
mode '0640'
variables user: deploy_user,
group: deploy_group,
app_name: app_name,
working_directory: deploy_path,
config: node[app_name]['rainbows']
notifies :restart, "service[#{app_name}]", :delayed
end
systemd_unit "#{app_name}.service" do
content({
Unit: {
Description: "Liquor Cabinet remoteStorage HTTP API",
Documentation: ["https://gitea.kosmos.org/5apps/liquor-cabinet"],
After: "syslog.target network.target"
},
Service: {
Type: "simple",
User: deploy_user,
WorkingDirectory: deploy_path,
Environment: "RACK_ENV=#{rack_env}",
ExecStart: "#{bundle_path} exec rainbows -c /etc/rainbows/#{app_name}.rb -E #{rack_env}",
PIDFile: "#{deploy_path}/tmp/rainbows.pid",
TimeoutSec: "10",
Restart: "on-failure",
},
Install: {
WantedBy: "multi-user.target"
}
})
verify false
triggers_reload true
action [:create, :enable]
end
service app_name do
action [:enable, :start]
end
if node[app_name]['ufw_source_allowed']
firewall_rule app_name do
command :allow
protocol :tcp
port node[app_name]['rainbows']['port']
source node[app_name]['ufw_source_allowed']
end
end

12
site-cookbooks/liquor_cabinet/templates/config.yml.erb Normal file
View File

@@ -0,0 +1,12 @@
<%= @environment %>:
maintenance: <%= @maintenance_mode_enabled %>
redis:
host: <%= @redis_host %>
port: <%= @redis_port %>
db: <%= @redis_db %>
s3:
endpoint: <%= @s3_endpoint %>
region: <%= @s3_region %>
bucket: <%= @s3_bucket %>
access_key_id: <%= @s3_access_key %>
secret_key_id: <%= @s3_secret_key %>

32
site-cookbooks/liquor_cabinet/templates/rainbows.rb.erb Normal file
View File

@@ -0,0 +1,32 @@
##
# Rainbows config at /etc/rainbows/<%= @app_name %>.rb
# Managed by Chef - Local changes will be overwritten by Chef runs
##
# What ports/sockets to listen on, and what options for them.
listen "<%= @config['port'] %>", { tcp_nodelay: true, backlog: 100 }
# What the timeout for killing busy workers is, in seconds
timeout <%= @config['timeout'] %>
# Whether the app should be pre-loaded
preload_app <%= @config['preload_app'] %>
# How many worker processes
worker_processes <%= @config['worker_processes'] %>
# Run forked children as specified user/group
user "<%= @user %>", "<%= @group %>"
pid "<%= @working_directory %>/tmp/rainbows.pid"
Rainbows! do
use :ThreadSpawn
client_header_buffer_size <%= @config['client_header_buffer_size'] %>
client_max_body_size <%= @config['client_max_body_size'] %>
client_max_header_size <%= @config['client_max_header_size'] %>
copy_stream <%= @config['copy_stream'] %>
keepalive_requests <%= @config['keepalive_requests'] %>
keepalive_timeout <%= @config['keepalive_timeout'] %>
worker_connections <%= @config['worker_connections'] %>
end

4
site-cookbooks/sockethub/recipes/proxy.rb
View File

@@ -24,10 +24,10 @@ file "/etc/letsencrypt/renewal-hooks/post/nginx" do
group "root"
end
gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
template "/root/gandi_dns_certbot_hook.sh" do
variables gandi_api_key: gandi_api_data_bag_item["key"]
variables gandi_api_key: gandi_api_credentials["key"]
mode 0770
end