Merge pull request 'Configure/deploy HTTP upload service for Kosmos Chat/XMPP' (#245) from feature/http_upload_service into master

Reviewed-on: #245

clients/uploads-1.json

@@ -0,0 +1,4 @@
+{
+  "name": "uploads-1",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwJwWaz8TeGv3SFlKzLMx\nqN8GTL/c0N9ppBvv8xNSS/yF9Y40SbL418uxYzm9hIhOXgIygIgLT2EKIXX32t+R\neOJCdYycQFM3At2fhMkjhuUW0gmDRcYBcBJLC5hLh2EZ+A8V7k4qgrBpPLOjEv48\nhQY0vuAw2DGndWr4QLh5NLUmQiOrfuzcZSSNCBOTIgUZgNmRd9QcCHDq4WDH3poa\nosJo4a9JGEGUL1irOivvEdyJPwEd2f++nYAdWwj8pjCYgpRshQlLhxOlylMx7MxB\nQt2bgJC9sahfbfJCOqdlCU3DMJL0bRUiuxK77WeSsxWBJmrsiF3+Ljs2Ix+s7fnS\nywIDAQAB\n-----END PUBLIC KEY-----\n"
+}

data_bags/credentials/ejabberd.json

@@ -1,23 +1,30 @@
 {
   "id": "ejabberd",
   "5apps_ldap_password": {
-    "encrypted_data": "mfV9TyC4OM055JnyV73mq4qY840pH1tZC9LnIaA3A80CY2kVteC4\n",
+    "encrypted_data": "RdzDZk2F4yBvgII84JGt8AF0LT4cyjRQFQvMJ5LhdB54T06Kjq3S\n",
-    "iv": "gpEC3IK9BN9RkaYz\n",
+    "iv": "+3WlMHiNAFVE4iku\n",
-    "auth_tag": "WXYWOjUCgEw5OR5VMh+Enw==\n",
+    "auth_tag": "mKheQu/KeHSyt8W783lrzA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "kosmos_ldap_password": {
-    "encrypted_data": "Q9znUOIIXU+XsPWet4rDCjHsPPxlA3EfNTkEER/EdfoCajd1Txuh\n",
+    "encrypted_data": "fABWhxMuLaF2qLFdIN//R6bgBkD60WRWiBZPErB1eBOxHqOp813o\n",
-    "iv": "7SAOAwSU8rZGopB1\n",
+    "iv": "uBPPYY/FM2hee05V\n",
-    "auth_tag": "X8yIyw2BFbQMAVTMYLA67g==\n",
+    "auth_tag": "cO+zP2QggWIzbuVxtkct2w==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "uploads_secret": {
+    "encrypted_data": "03Y8CNBstV7vYopx8X54hkRSlnwwbOg5Y0KwTPV4qys1\n",
+    "iv": "gLTP7Y2Y70jL+sxH\n",
+    "auth_tag": "HJoyOF4rYm9ayKfViuKBlA==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "admins": {
-    "encrypted_data": "xKtiBOgn4ysJt4byry31cVJUHEsatWDwHEzEve/N5NxTOh1f4QBD+Q68IYzv\nV0ulBjtW91yFcQqKNx/prAVcK3khbnsEzg8uoub9o6hSMwp16LL5x/u6T6u2\n5DwWBEy08yuaujkko57ir0Yv7mfRedT1i5SaH9pgg5VLm56G/PXrlPFfjwaU\n",
+    "encrypted_data": "mRX2Lxqxb//Gd76bk+G3V+eObaq+NILiMsHHjFvjBCvJrznvRzezqW1VHhwW\ndH/ZY2gM8CVCcmYNQ8Xtg/1loPYAUjROvDRirj5i9fP7zgJRc1anNmohDOle\n34aNPYverGm+IJ21sFrAv4Xe/KleJBO5ynuiInqqvljcu3LiuvSYBXW34yWB\n",
-    "iv": "fpL3EA1VbXxxi+yq\n",
+    "iv": "QqJJM8gmox565JUd\n",
-    "auth_tag": "iJMJAmw5gHWLFJM5kdzR9A==\n",
+    "auth_tag": "yWRLb22JwJjjoK6Wdr1ujg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

nodes/uploads-1.json

@@ -0,0 +1,64 @@
+{
+  "name": "uploads-1",
+  "normal": {
+    "knife_zero": {
+      "host": "10.147.20.98"
+    }
+  },
+  "automatic": {
+    "fqdn": "uploads-1",
+    "os": "linux",
+    "os_version": "5.4.0-54-generic",
+    "hostname": "uploads-1",
+    "ipaddress": "192.168.122.230",
+    "roles": [
+
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos-ejabberd::upload_service",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "kosmos-nginx::with_perl",
+      "nginx::default",
+      "nginx::package",
+      "nginx::ohai_plugin",
+      "nginx::repo",
+      "nginx::commons",
+      "nginx::commons_dir",
+      "nginx::commons_script",
+      "nginx::commons_conf",
+      "kosmos-base::letsencrypt"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "20.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "15.14.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.14.0/lib"
+      },
+      "ohai": {
+        "version": "15.12.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "recipe[kosmos-base]",
+    "recipe[kosmos-ejabberd::upload_service]"
+  ]
+}

site-cookbooks/kosmos-ejabberd/attributes/default.rb

@@ -10,3 +10,12 @@ node.override["tor"]["HiddenServices"]["ejabberd"] = {
     "5269 127.0.0.1:5269"
   ]
 }
+
+node.default["kosmos-ejabberd"]["uploads"] = {
+  "domain" => "uploads.kosmos.chat",
+  "max_upload_size_mb" => "100",
+  "upload.pm" => {
+    "repo" => "https://gitea.kosmos.org/kosmos/ngx_http_upload.git",
+    "revision" => "0.2"
+  }
+}

site-cookbooks/kosmos-ejabberd/metadata.rb

@@ -19,8 +19,9 @@ chef_version '>= 12.14' if respond_to?(:chef_version)
 #
 # source_url 'https://github.com/<insert_org_here>/kosmos-ejabberd'
 
-depends "kosmos-postgresql"
 depends "kosmos-base"
+depends "kosmos-postgresql"
+depends "kosmos-nginx"
 depends "backup"
 depends "firewall"
 depends "tor-full"

site-cookbooks/kosmos-ejabberd/recipes/default.rb

@@ -64,6 +64,11 @@ modules:
         max_user_conferences: 1000
         default_room_options:
           mam: true
+      mod_http_upload:
+        put_url: "https://uploads.kosmos.chat/8af2c77"
+        external_secret: "#{ejabberd_credentials["uploads_secret"]}"
+        max_size: 104857600
+        thumbnail: false # otherwise needs the identify command from ImageMagick installed
                 EOF
   },
   {
@@ -89,6 +94,11 @@ modules:
           public_list: false
           persistent: true
           mam: true
+      mod_http_upload:
+        put_url: "https://uploads.kosmos.chat/2802cfe"
+        external_secret: "#{ejabberd_credentials["uploads_secret"]}"
+        max_size: 104857600
+        thumbnail: false # otherwise needs the identify command from ImageMagick installed
                 EOF
   }
 ]

site-cookbooks/kosmos-ejabberd/recipes/upload_service.rb

@@ -0,0 +1,64 @@
+#
+# Cookbook:: kosmos-ejabberd
+# Recipe:: upload_service
+#
+
+include_recipe "kosmos-nginx::with_perl"
+
+ejabberd_credentials = data_bag_item("credentials", "ejabberd")
+uploads_secret = ejabberd_credentials["uploads_secret"]
+
+upload_config = node["kosmos-ejabberd"]["uploads"]
+domain = upload_config["domain"]
+
+git "/opt/upload.pm" do
+  repository upload_config["upload.pm"]["repo"]
+  revision upload_config["upload.pm"]["revision"]
+  action :sync
+end
+
+directory "/var/www/upload" do
+  user node["nginx"]["user"]
+  group node["nginx"]["group"]
+  mode "0755"
+end
+
+ruby_block "configure uploads.pm" do
+  block do
+    file = Chef::Util::FileEdit.new("/opt/upload.pm/upload.pm")
+    file.search_file_replace(%r{it-is-secret}, uploads_secret)
+    file.search_file_replace_line(
+      %r{my \$uri_prefix_components = 0;},
+      'my $uri_prefix_components = 1;'
+    )
+    file.write_file
+  end
+end
+
+ruby_block "configure perl module in nginx" do
+  block do
+    file = Chef::Util::FileEdit.new("/etc/nginx/nginx.conf")
+    file.insert_line_after_match(
+      %r{types_hash_bucket_size},
+      "\n\n  perl_modules /opt/upload.pm;\n  perl_require upload.pm;"
+    )
+    file.write_file
+  end
+end
+
+template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
+  source "nginx_conf_upload_service.erb"
+  owner node["nginx"]["user"]
+  mode 0640
+  variables server_name: domain,
+            ssl_cert:    "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key:     "/etc/letsencrypt/live/#{domain}/privkey.pem",
+            max_upload_size_mb: upload_config["max_upload_size_mb"]
+  notifies :reload, "service[nginx]", :delayed
+end
+
+nginx_site domain do
+  action :enable
+end
+
+nginx_certbot_site domain

site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb

@@ -191,10 +191,6 @@ modules:
         name: "abuse-addresses"
         urls: ["mailto:abuse@@HOST@"]
   mod_bosh: {}
-  mod_http_upload:
-    docroot: "/opt/ejabberd/uploads/xmpp.@HOST@/"
-    put_url: "https://xmpp.@HOST@:5443/upload"
-    thumbnail: false # otherwise needs the identify command from ImageMagick installed
   mod_last: {}
   mod_mam:
     default: always

site-cookbooks/kosmos-ejabberd/templates/nginx_conf_upload_service.erb

@@ -0,0 +1,19 @@
+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+# Generated by Chef
+
+server {
+  listen 443 ssl http2;
+  server_name <%= @server_name %>;
+
+  ssl_certificate     <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  root /var/www/upload;
+
+  client_max_body_size <%= @max_upload_size_mb %>m;
+
+  location / {
+    perl upload::handle;
+  }
+}
+<% end -%>

site-cookbooks/kosmos-nginx/recipes/with_perl.rb

@@ -0,0 +1,33 @@
+node.override['nginx']['default_site_enabled'] = false
+node.override['nginx']['server_tokens']        = 'off'
+
+node.override['nginx']['package_name'] = 'nginx-core'
+include_recipe 'nginx'
+
+package 'libnginx-mod-http-perl'
+
+# Generate Strong Diffie-Hellman Group (increases security)
+# https://weakdh.org/sysadmin.html
+openssl_dhparam "/etc/ssl/private/dhparams.pem" do
+  key_length 2048
+  mode 0600
+  owner 'www-data'
+end
+
+cookbook_file "#{node['nginx']['dir']}/conf.d/tls_config.conf" do
+  source 'nginx_tls_config.conf'
+  owner  'root'
+  group  'root'
+  mode   '0644'
+  notifies :restart, 'service[nginx]'
+end
+
+unless node.chef_environment == "development"
+  include_recipe 'kosmos-base::firewall'
+
+  firewall_rule 'http/https' do
+    port     [80, 443]
+    protocol :tcp
+    command  :allow
+  end
+end

site-cookbooks/kosmos-nginx/resources/nginx_certbot_site.rb

@@ -8,8 +8,6 @@ property :site, String
 action :create do
   return if node.chef_environment == "development"
 
-  include_recipe "kosmos-nginx"
-
   domain = new_resource.domain
   site = new_resource.site || domain
   root_directory = "/var/www/#{domain}"