From 9346188ca76f579a675a140e043c5b65d6a02abb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 9 Jan 2019 18:17:50 +0100 Subject: [PATCH 01/22] Initial kosmos-ejabberd cookbook --- .../kosmos-ejabberd/.delivery/project.toml | 1 + site-cookbooks/kosmos-ejabberd/.gitignore | 22 + site-cookbooks/kosmos-ejabberd/.kitchen.yml | 23 + site-cookbooks/kosmos-ejabberd/Berksfile | 6 + site-cookbooks/kosmos-ejabberd/CHANGELOG.md | 11 + site-cookbooks/kosmos-ejabberd/LICENSE | 3 + site-cookbooks/kosmos-ejabberd/README.md | 4 + .../kosmos-ejabberd/attributes/default.rb | 2 + site-cookbooks/kosmos-ejabberd/chefignore | 104 +++ .../kosmos-ejabberd/files/pg.new.sql | 644 ++++++++++++++++++ site-cookbooks/kosmos-ejabberd/metadata.rb | 23 + .../kosmos-ejabberd/recipes/default.rb | 89 +++ .../templates/ejabberd.yml.erb | 277 ++++++++ .../default/serverspec/default_spec.rb | 23 + 14 files changed, 1232 insertions(+) create mode 100644 site-cookbooks/kosmos-ejabberd/.delivery/project.toml create mode 100644 site-cookbooks/kosmos-ejabberd/.gitignore create mode 100644 site-cookbooks/kosmos-ejabberd/.kitchen.yml create mode 100644 site-cookbooks/kosmos-ejabberd/Berksfile create mode 100644 site-cookbooks/kosmos-ejabberd/CHANGELOG.md create mode 100644 site-cookbooks/kosmos-ejabberd/LICENSE create mode 100644 site-cookbooks/kosmos-ejabberd/README.md create mode 100644 site-cookbooks/kosmos-ejabberd/attributes/default.rb create mode 100644 site-cookbooks/kosmos-ejabberd/chefignore create mode 100644 site-cookbooks/kosmos-ejabberd/files/pg.new.sql create mode 100644 site-cookbooks/kosmos-ejabberd/metadata.rb create mode 100644 site-cookbooks/kosmos-ejabberd/recipes/default.rb create mode 100644 site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb create mode 100644 site-cookbooks/kosmos-ejabberd/test/integration/default/serverspec/default_spec.rb 
diff --git a/site-cookbooks/kosmos-ejabberd/.delivery/project.toml b/site-cookbooks/kosmos-ejabberd/.delivery/project.toml new file mode 100644 index 0000000..6d5e361 --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/.delivery/project.toml @@ -0,0 +1 @@ +remote_file = "https://raw.githubusercontent.com/chef-cookbooks/community_cookbook_tools/master/delivery/project.toml" diff --git a/site-cookbooks/kosmos-ejabberd/.gitignore b/site-cookbooks/kosmos-ejabberd/.gitignore new file mode 100644 index 0000000..13e41c4 --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/.gitignore @@ -0,0 +1,22 @@ +.vagrant +*~ +*# +.#* +\#*# +.*.sw[a-z] +*.un~ + +# Bundler +Gemfile.lock +gems.locked +bin/* +.bundle/* + +# test kitchen +.kitchen/ +.kitchen.local.yml + +# Chef +Berksfile.lock +.zero-knife.rb +Policyfile.lock.json diff --git a/site-cookbooks/kosmos-ejabberd/.kitchen.yml b/site-cookbooks/kosmos-ejabberd/.kitchen.yml new file mode 100644 index 0000000..1650f7d --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/.kitchen.yml @@ -0,0 +1,23 @@ +--- +driver: + name: vagrant + +provisioner: + name: chef_zero + # You may wish to disable always updating cookbooks in CI or other testing environments. + # For example: + # always_update_cookbooks: <%= !ENV['CI'] %> + always_update_cookbooks: true + +verifier: + name: inspec + +platforms: + - name: ubuntu-16.04 + - name: ubuntu-18.04 + +suites: + - name: default + run_list: + - recipe[kosmos-ejabberd::default] + attributes: diff --git a/site-cookbooks/kosmos-ejabberd/Berksfile b/site-cookbooks/kosmos-ejabberd/Berksfile new file mode 100644 index 0000000..8c1347f --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/Berksfile @@ -0,0 +1,6 @@ +# frozen_string_literal: true +source 'https://supermarket.chef.io' +source chef_repo: ".." + +cookbook "kosmos-postgresql", path: "../kosmos-postgresql" +metadata 
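Review bot: The `remote_file` URL in `.delivery/project.toml` fetches the pipeline definition from the `master` branch of chef-cookbooks/community_cookbook_tools, so what the delivery pipeline runs is pulled from a mutable ref on every execution and can change upstream without any review in this repository. Pin it to an immutable reference and bump it deliberately, e.g. `remote_file = "https://raw.githubusercontent.com/chef-cookbooks/community_cookbook_tools/<pinned-commit-sha>/delivery/project.toml"` (placeholder for the chosen commit). This is a one-line change but it is the only place where third-party CI logic enters the cookbook unverified.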
diff --git a/site-cookbooks/kosmos-ejabberd/CHANGELOG.md b/site-cookbooks/kosmos-ejabberd/CHANGELOG.md new file mode 100644 index 0000000..6f203ef --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/CHANGELOG.md @@ -0,0 +1,11 @@ +# kosmos-ejabberd CHANGELOG + +This file is used to list changes made in each version of the kosmos-ejabberd cookbook. + +# 0.1.0 + +Initial release. + +- change 0 +- change 1 + diff --git a/site-cookbooks/kosmos-ejabberd/LICENSE b/site-cookbooks/kosmos-ejabberd/LICENSE new file mode 100644 index 0000000..fd8848e --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/LICENSE @@ -0,0 +1,3 @@ +Copyright 2019 Kosmos + +All rights reserved, do not redistribute. diff --git a/site-cookbooks/kosmos-ejabberd/README.md b/site-cookbooks/kosmos-ejabberd/README.md new file mode 100644 index 0000000..b9d427d --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/README.md @@ -0,0 +1,4 @@ +# kosmos-ejabberd + +Sets up ejabberd with vhosts for kosmos.org (public server) and 5apps.com +(private server). diff --git a/site-cookbooks/kosmos-ejabberd/attributes/default.rb b/site-cookbooks/kosmos-ejabberd/attributes/default.rb new file mode 100644 index 0000000..3f7d227 --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/attributes/default.rb @@ -0,0 +1,2 @@ +node.default["kosmos-ejabberd"]["version"] = "19.02" +node.default["kosmos-ejabberd"]["checksum"] = "aea550c58e61eab04ca9beb8896d8b04f4a79321c21dee160a67ad6787236f51" diff --git a/site-cookbooks/kosmos-ejabberd/chefignore b/site-cookbooks/kosmos-ejabberd/chefignore new file mode 100644 index 0000000..4439807 --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/chefignore 
@@ -0,0 +1,104 @@ +# Put files/directories that should be ignored in this file when uploading +# to a chef-server or supermarket. +# Lines that start with '# ' are comments. + +# OS generated files # +###################### +.DS_Store +Icon? +nohup.out +ehthumbs.db +Thumbs.db + +# SASS # +######## +.sass-cache + +# EDITORS # +########### +\#* +.#* +*~ +*.sw[a-z] +*.bak +REVISION +TAGS* +tmtags +*_flymake.* +*_flymake +*.tmproj +.project +.settings +mkmf.log + +## COMPILED ## +############## +a.out +*.o +*.pyc +*.so +*.com +*.class +*.dll +*.exe +*/rdoc/ + +# Testing # +########### +.watchr +.rspec +spec/* +spec/fixtures/* +test/* +features/* +examples/* +Guardfile +Procfile +.kitchen* +kitchen.yml* +.rubocop.yml +spec/* +Rakefile +.travis.yml +.foodcritic +.codeclimate.yml + +# SCM # +####### +.git +*/.git +.gitignore +.gitmodules +.gitconfig +.gitattributes +.svn +*/.bzr/* +*/.hg/* +*/.svn/* + +# Berkshelf # +############# +Berksfile +Berksfile.lock +cookbooks/* +tmp + +# Bundler # +########### +vendor/* + +# Policyfile # +############## +Policyfile.rb +Policyfile.lock.json + +# Cookbooks # +############# +CONTRIBUTING* +CHANGELOG* +TESTING* + +# Vagrant # +########### +.vagrant +Vagrantfile diff --git a/site-cookbooks/kosmos-ejabberd/files/pg.new.sql b/site-cookbooks/kosmos-ejabberd/files/pg.new.sql new file mode 100644 index 0000000..c585fd3 --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/files/pg.new.sql 
@@ -0,0 +1,644 @@ +-- +-- ejabberd, Copyright (C) 2002-2019 ProcessOne +-- +-- This program is free software; you can redistribute it and/or +-- modify it under the terms of the GNU General Public License as +-- published by the Free Software Foundation; either version 2 of the +-- License, or (at your option) any later version. +-- +-- This program is distributed in the hope that it will be useful, +-- but WITHOUT ANY WARRANTY; without even the implied warranty of +-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +-- General Public License for more details. +-- +-- You should have received a copy of the GNU General Public License along +-- with this program; if not, write to the Free Software Foundation, Inc., +-- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +-- + +-- To update from the old schema, replace with the host's domain: + +-- ALTER TABLE users ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE users DROP CONSTRAINT users_pkey; +-- ALTER TABLE users ADD PRIMARY KEY (server_host, username); +-- ALTER TABLE users ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE last ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE last DROP CONSTRAINT last_pkey; +-- ALTER TABLE last ADD PRIMARY KEY (server_host, username); +-- ALTER TABLE last ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE rosterusers ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- DROP INDEX i_rosteru_user_jid; +-- DROP INDEX i_rosteru_username; +-- DROP INDEX i_rosteru_jid; +-- CREATE UNIQUE INDEX i_rosteru_sh_user_jid ON rosterusers USING btree (server_host, username, jid); +-- CREATE INDEX i_rosteru_sh_username ON rosterusers USING btree (server_host, username); +-- CREATE INDEX i_rosteru_sh_jid ON rosterusers USING btree (server_host, jid); +-- ALTER TABLE rosterusers ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE rostergroups ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- DROP INDEX 
pk_rosterg_user_jid; +-- CREATE INDEX i_rosterg_sh_user_jid ON rostergroups USING btree (server_host, username, jid); +-- ALTER TABLE rostergroups ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE sr_group ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE sr_group ADD PRIMARY KEY (server_host, name); +-- ALTER TABLE sr_group ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE sr_user ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- DROP INDEX i_sr_user_jid_grp; +-- DROP INDEX i_sr_user_jid; +-- DROP INDEX i_sr_user_grp; +-- ALTER TABLE sr_user ADD PRIMARY KEY (server_host, jid, grp); +-- CREATE INDEX i_sr_user_sh_jid ON sr_user USING btree (server_host, jid); +-- CREATE INDEX i_sr_user_sh_grp ON sr_user USING btree (server_host, grp); +-- ALTER TABLE sr_user ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE spool ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- DROP INDEX i_despool; +-- CREATE INDEX i_spool_sh_username ON spool USING btree (server_host, username); +-- ALTER TABLE spool ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE archive ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- DROP INDEX i_username_timestamp; +-- DROP INDEX i_username_peer; +-- DROP INDEX i_username_bare_peer; +-- DROP INDEX i_timestamp; +-- CREATE INDEX i_archive_sh_username_timestamp ON archive USING btree (server_host, username, timestamp); +-- CREATE INDEX i_archive_sh_username_peer ON archive USING btree (server_host, username, peer); +-- CREATE INDEX i_archive_sh_username_bare_peer ON archive USING btree (server_host, username, bare_peer); +-- CREATE INDEX i_archive_sh_timestamp ON archive USING btree (server_host, timestamp); +-- ALTER TABLE archive ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE archive_prefs ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE archive_prefs DROP CONSTRAINT archive_prefs_pkey; +-- ALTER TABLE archive_prefs ADD PRIMARY KEY (server_host, username); +-- ALTER TABLE 
archive_prefs ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE vcard ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE vcard DROP CONSTRAINT vcard_pkey; +-- ALTER TABLE vcard ADD PRIMARY KEY (server_host, username); +-- ALTER TABLE vcard ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE vcard_search ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE vcard_search DROP CONSTRAINT vcard_search_pkey; +-- DROP INDEX i_vcard_search_lfn; +-- DROP INDEX i_vcard_search_lfamily; +-- DROP INDEX i_vcard_search_lgiven; +-- DROP INDEX i_vcard_search_lmiddle; +-- DROP INDEX i_vcard_search_lnickname; +-- DROP INDEX i_vcard_search_lbday; +-- DROP INDEX i_vcard_search_lctry; +-- DROP INDEX i_vcard_search_llocality; +-- DROP INDEX i_vcard_search_lemail; +-- DROP INDEX i_vcard_search_lorgname; +-- DROP INDEX i_vcard_search_lorgunit; +-- ALTER TABLE vcard_search ADD PRIMARY KEY (server_host, username); +-- CREATE INDEX i_vcard_search_sh_lfn ON vcard_search(server_host, lfn); +-- CREATE INDEX i_vcard_search_sh_lfamily ON vcard_search(server_host, lfamily); +-- CREATE INDEX i_vcard_search_sh_lgiven ON vcard_search(server_host, lgiven); +-- CREATE INDEX i_vcard_search_sh_lmiddle ON vcard_search(server_host, lmiddle); +-- CREATE INDEX i_vcard_search_sh_lnickname ON vcard_search(server_host, lnickname); +-- CREATE INDEX i_vcard_search_sh_lbday ON vcard_search(server_host, lbday); +-- CREATE INDEX i_vcard_search_sh_lctry ON vcard_search(server_host, lctry); +-- CREATE INDEX i_vcard_search_sh_llocality ON vcard_search(server_host, llocality); +-- CREATE INDEX i_vcard_search_sh_lemail ON vcard_search(server_host, lemail); +-- CREATE INDEX i_vcard_search_sh_lorgname ON vcard_search(server_host, lorgname); +-- CREATE INDEX i_vcard_search_sh_lorgunit ON vcard_search(server_host, lorgunit); +-- ALTER TABLE vcard_search ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE privacy_default_list ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER 
TABLE privacy_default_list DROP CONSTRAINT privacy_default_list_pkey; +-- ALTER TABLE privacy_default_list ADD PRIMARY KEY (server_host, username); +-- ALTER TABLE privacy_default_list ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE privacy_list ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- DROP INDEX i_privacy_list_username; +-- DROP INDEX i_privacy_list_username_name; +-- CREATE INDEX i_privacy_list_sh_username ON privacy_list USING btree (server_host, username); +-- CREATE UNIQUE INDEX i_privacy_list_sh_username_name ON privacy_list USING btree (server_host, username, name); +-- ALTER TABLE privacy_list ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE private_storage ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- DROP INDEX i_private_storage_username; +-- DROP INDEX i_private_storage_username_namespace; +-- ALTER TABLE private_storage ADD PRIMARY KEY (server_host, username, namespace); +-- CREATE INDEX i_private_storage_sh_username ON private_storage USING btree (server_host, username); +-- ALTER TABLE private_storage ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE roster_version ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE roster_version DROP CONSTRAINT roster_version_pkey; +-- ALTER TABLE roster_version ADD PRIMARY KEY (server_host, username); +-- ALTER TABLE roster_version ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE muc_room ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE muc_room ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE muc_registered ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE muc_registered ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE muc_online_room ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE muc_online_room ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE muc_online_users ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE muc_online_users ALTER COLUMN server_host DROP DEFAULT; 
+ +-- ALTER TABLE motd ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- ALTER TABLE motd DROP CONSTRAINT motd_pkey; +-- ALTER TABLE motd ADD PRIMARY KEY (server_host, username); +-- ALTER TABLE motd ALTER COLUMN server_host DROP DEFAULT; + +-- ALTER TABLE sm ADD COLUMN server_host text NOT NULL DEFAULT ''; +-- DROP INDEX i_sm_sid; +-- DROP INDEX i_sm_username; +-- ALTER TABLE sm ADD PRIMARY KEY (usec, pid); +-- CREATE INDEX i_sm_sh_username ON sm USING btree (server_host, username); +-- ALTER TABLE sm ALTER COLUMN server_host DROP DEFAULT; + + +CREATE TABLE users ( + username text NOT NULL, + server_host text NOT NULL, + "password" text NOT NULL, + serverkey text NOT NULL DEFAULT '', + salt text NOT NULL DEFAULT '', + iterationcount integer NOT NULL DEFAULT 0, + created_at TIMESTAMP NOT NULL DEFAULT now(), + PRIMARY KEY (server_host, username) +); + +-- Add support for SCRAM auth to a database created before ejabberd 16.03: +-- ALTER TABLE users ADD COLUMN serverkey text NOT NULL DEFAULT ''; +-- ALTER TABLE users ADD COLUMN salt text NOT NULL DEFAULT ''; +-- ALTER TABLE users ADD COLUMN iterationcount integer NOT NULL DEFAULT 0; + +CREATE TABLE last ( + username text NOT NULL, + server_host text NOT NULL, + seconds text NOT NULL, + state text NOT NULL, + PRIMARY KEY (server_host, username) +); + + +CREATE TABLE rosterusers ( + username text NOT NULL, + server_host text NOT NULL, + jid text NOT NULL, + nick text NOT NULL, + subscription character(1) NOT NULL, + ask character(1) NOT NULL, + askmessage text NOT NULL, + server character(1) NOT NULL, + subscribe text NOT NULL, + "type" text, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE UNIQUE INDEX i_rosteru_sh_user_jid ON rosterusers USING btree (server_host, username, jid); +CREATE INDEX i_rosteru_sh_username ON rosterusers USING btree (server_host, username); +CREATE INDEX i_rosteru_sh_jid ON rosterusers USING btree (server_host, jid); + + +CREATE TABLE rostergroups ( + username text NOT NULL, + 
server_host text NOT NULL, + jid text NOT NULL, + grp text NOT NULL +); + +CREATE INDEX i_rosterg_sh_user_jid ON rostergroups USING btree (server_host, username, jid); + +CREATE TABLE sr_group ( + name text NOT NULL, + server_host text NOT NULL, + opts text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now(), + PRIMARY KEY (server_host, name) +); + +CREATE TABLE sr_user ( + jid text NOT NULL, + server_host text NOT NULL, + grp text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now(), + PRIMARY KEY (server_host, jid, grp) +); + +CREATE INDEX i_sr_user_sh_jid ON sr_user USING btree (server_host, jid); +CREATE INDEX i_sr_user_sh_grp ON sr_user USING btree (server_host, grp); + +CREATE TABLE spool ( + username text NOT NULL, + server_host text NOT NULL, + xml text NOT NULL, + seq SERIAL, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE INDEX i_spool_sh_username ON spool USING btree (server_host, username); + +CREATE TABLE archive ( + username text NOT NULL, + server_host text NOT NULL, + timestamp BIGINT NOT NULL, + peer text NOT NULL, + bare_peer text NOT NULL, + xml text NOT NULL, + txt text, + id SERIAL, + kind text, + nick text, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE INDEX i_archive_sh_username_timestamp ON archive USING btree (server_host, username, timestamp); +CREATE INDEX i_archive_sh_username_peer ON archive USING btree (server_host, username, peer); +CREATE INDEX i_archive_sh_username_bare_peer ON archive USING btree (server_host, username, bare_peer); +CREATE INDEX i_archive_sh_timestamp ON archive USING btree (server_host, timestamp); + +CREATE TABLE archive_prefs ( + username text NOT NULL, + server_host text NOT NULL, + def text NOT NULL, + always text NOT NULL, + never text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now(), + PRIMARY KEY (server_host, username) +); + +CREATE TABLE vcard ( + username text NOT NULL, + server_host text NOT NULL, + vcard text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT 
now(), + PRIMARY KEY (server_host, username) +); + +CREATE TABLE vcard_search ( + username text NOT NULL, + lusername text NOT NULL, + server_host text NOT NULL, + fn text NOT NULL, + lfn text NOT NULL, + family text NOT NULL, + lfamily text NOT NULL, + given text NOT NULL, + lgiven text NOT NULL, + middle text NOT NULL, + lmiddle text NOT NULL, + nickname text NOT NULL, + lnickname text NOT NULL, + bday text NOT NULL, + lbday text NOT NULL, + ctry text NOT NULL, + lctry text NOT NULL, + locality text NOT NULL, + llocality text NOT NULL, + email text NOT NULL, + lemail text NOT NULL, + orgname text NOT NULL, + lorgname text NOT NULL, + orgunit text NOT NULL, + lorgunit text NOT NULL, + PRIMARY KEY (server_host, username) +); + +CREATE INDEX i_vcard_search_sh_lfn ON vcard_search(server_host, lfn); +CREATE INDEX i_vcard_search_sh_lfamily ON vcard_search(server_host, lfamily); +CREATE INDEX i_vcard_search_sh_lgiven ON vcard_search(server_host, lgiven); +CREATE INDEX i_vcard_search_sh_lmiddle ON vcard_search(server_host, lmiddle); +CREATE INDEX i_vcard_search_sh_lnickname ON vcard_search(server_host, lnickname); +CREATE INDEX i_vcard_search_sh_lbday ON vcard_search(server_host, lbday); +CREATE INDEX i_vcard_search_sh_lctry ON vcard_search(server_host, lctry); +CREATE INDEX i_vcard_search_sh_llocality ON vcard_search(server_host, llocality); +CREATE INDEX i_vcard_search_sh_lemail ON vcard_search(server_host, lemail); +CREATE INDEX i_vcard_search_sh_lorgname ON vcard_search(server_host, lorgname); +CREATE INDEX i_vcard_search_sh_lorgunit ON vcard_search(server_host, lorgunit); + +CREATE TABLE privacy_default_list ( + username text NOT NULL, + server_host text NOT NULL, + name text NOT NULL, + PRIMARY KEY (server_host, username) +); + +CREATE TABLE privacy_list ( + username text NOT NULL, + server_host text NOT NULL, + name text NOT NULL, + id SERIAL UNIQUE, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE INDEX i_privacy_list_sh_username ON privacy_list USING 
btree (server_host, username); +CREATE UNIQUE INDEX i_privacy_list_sh_username_name ON privacy_list USING btree (server_host, username, name); + +CREATE TABLE privacy_list_data ( + id bigint REFERENCES privacy_list(id) ON DELETE CASCADE, + t character(1) NOT NULL, + value text NOT NULL, + action character(1) NOT NULL, + ord NUMERIC NOT NULL, + match_all boolean NOT NULL, + match_iq boolean NOT NULL, + match_message boolean NOT NULL, + match_presence_in boolean NOT NULL, + match_presence_out boolean NOT NULL +); + +CREATE INDEX i_privacy_list_data_id ON privacy_list_data USING btree (id); + +CREATE TABLE private_storage ( + username text NOT NULL, + server_host text NOT NULL, + namespace text NOT NULL, + data text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now(), + PRIMARY KEY (server_host, username, namespace) +); + +CREATE INDEX i_private_storage_sh_username ON private_storage USING btree (server_host, username); + + +CREATE TABLE roster_version ( + username text NOT NULL, + server_host text NOT NULL, + version text NOT NULL, + PRIMARY KEY (server_host, username) +); + +-- To update from 0.9.8: +-- CREATE SEQUENCE spool_seq_seq; +-- ALTER TABLE spool ADD COLUMN seq integer; +-- ALTER TABLE spool ALTER COLUMN seq SET DEFAULT nextval('spool_seq_seq'); +-- UPDATE spool SET seq = DEFAULT; +-- ALTER TABLE spool ALTER COLUMN seq SET NOT NULL; + +-- To update from 1.x: +-- ALTER TABLE rosterusers ADD COLUMN askmessage text; +-- UPDATE rosterusers SET askmessage = ''; +-- ALTER TABLE rosterusers ALTER COLUMN askmessage SET NOT NULL; + +CREATE TABLE pubsub_node ( + host text NOT NULL, + node text NOT NULL, + parent text NOT NULL DEFAULT '', + plugin text NOT NULL, + nodeid SERIAL UNIQUE +); +CREATE INDEX i_pubsub_node_parent ON pubsub_node USING btree (parent); +CREATE UNIQUE INDEX i_pubsub_node_tuple ON pubsub_node USING btree (host, node); + +CREATE TABLE pubsub_node_option ( + nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE, + name text NOT NULL, + 
val text NOT NULL +); +CREATE INDEX i_pubsub_node_option_nodeid ON pubsub_node_option USING btree (nodeid); + +CREATE TABLE pubsub_node_owner ( + nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE, + owner text NOT NULL +); +CREATE INDEX i_pubsub_node_owner_nodeid ON pubsub_node_owner USING btree (nodeid); + +CREATE TABLE pubsub_state ( + nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE, + jid text NOT NULL, + affiliation character(1), + subscriptions text NOT NULL DEFAULT '', + stateid SERIAL UNIQUE +); +CREATE INDEX i_pubsub_state_jid ON pubsub_state USING btree (jid); +CREATE UNIQUE INDEX i_pubsub_state_tuple ON pubsub_state USING btree (nodeid, jid); + +CREATE TABLE pubsub_item ( + nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE, + itemid text NOT NULL, + publisher text NOT NULL, + creation varchar(32) NOT NULL, + modification varchar(32) NOT NULL, + payload text NOT NULL DEFAULT '' +); +CREATE INDEX i_pubsub_item_itemid ON pubsub_item USING btree (itemid); +CREATE UNIQUE INDEX i_pubsub_item_tuple ON pubsub_item USING btree (nodeid, itemid); + +CREATE TABLE pubsub_subscription_opt ( + subid text NOT NULL, + opt_name varchar(32), + opt_value text NOT NULL +); +CREATE UNIQUE INDEX i_pubsub_subscription_opt ON pubsub_subscription_opt USING btree (subid, opt_name); + +CREATE TABLE muc_room ( + name text NOT NULL, + host text NOT NULL, + server_host text NOT NULL, + opts text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE UNIQUE INDEX i_muc_room_name_host ON muc_room USING btree (name, host); + +CREATE TABLE muc_registered ( + jid text NOT NULL, + host text NOT NULL, + server_host text NOT NULL, + nick text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE INDEX i_muc_registered_nick ON muc_registered USING btree (nick); +CREATE UNIQUE INDEX i_muc_registered_jid_host ON muc_registered USING btree (jid, host); + +CREATE TABLE muc_online_room ( + name text NOT NULL, + host text NOT 
NULL, + server_host text NOT NULL, + node text NOT NULL, + pid text NOT NULL +); + +CREATE UNIQUE INDEX i_muc_online_room_name_host ON muc_online_room USING btree (name, host); + +CREATE TABLE muc_online_users ( + username text NOT NULL, + server text NOT NULL, + resource text NOT NULL, + name text NOT NULL, + host text NOT NULL, + server_host text NOT NULL, + node text NOT NULL +); + +CREATE UNIQUE INDEX i_muc_online_users ON muc_online_users USING btree (username, server, resource, name, host); +CREATE INDEX i_muc_online_users_us ON muc_online_users USING btree (username, server); + +CREATE TABLE muc_room_subscribers ( + room text NOT NULL, + host text NOT NULL, + jid text NOT NULL, + nick text NOT NULL, + nodes text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE INDEX i_muc_room_subscribers_host_jid ON muc_room_subscribers USING btree (host, jid); +CREATE UNIQUE INDEX i_muc_room_subscribers_host_room_jid ON muc_room_subscribers USING btree (host, room, jid); + +CREATE TABLE motd ( + username text NOT NULL, + server_host text NOT NULL, + xml text, + created_at TIMESTAMP NOT NULL DEFAULT now(), + PRIMARY KEY (server_host, username) +); + +CREATE TABLE caps_features ( + node text NOT NULL, + subnode text NOT NULL, + feature text, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE INDEX i_caps_features_node_subnode ON caps_features USING btree (node, subnode); + +CREATE TABLE sm ( + usec bigint NOT NULL, + pid text NOT NULL, + node text NOT NULL, + username text NOT NULL, + server_host text NOT NULL, + resource text NOT NULL, + priority text NOT NULL, + info text NOT NULL, + PRIMARY KEY (usec, pid) +); + +CREATE INDEX i_sm_node ON sm USING btree (node); +CREATE INDEX i_sm_sh_username ON sm USING btree (server_host, username); + +CREATE TABLE oauth_token ( + token text NOT NULL, + jid text NOT NULL, + scope text NOT NULL, + expire bigint NOT NULL +); + +CREATE UNIQUE INDEX i_oauth_token_token ON oauth_token USING btree (token); + 
+CREATE TABLE route ( + domain text NOT NULL, + server_host text NOT NULL, + node text NOT NULL, + pid text NOT NULL, + local_hint text NOT NULL +); + +CREATE UNIQUE INDEX i_route ON route USING btree (domain, server_host, node, pid); +CREATE INDEX i_route_domain ON route USING btree (domain); + +CREATE TABLE bosh ( + sid text NOT NULL, + node text NOT NULL, + pid text NOT NULL +); + +CREATE UNIQUE INDEX i_bosh_sid ON bosh USING btree (sid); + +CREATE TABLE proxy65 ( + sid text NOT NULL, + pid_t text NOT NULL, + pid_i text NOT NULL, + node_t text NOT NULL, + node_i text NOT NULL, + jid_i text NOT NULL +); + +CREATE UNIQUE INDEX i_proxy65_sid ON proxy65 USING btree (sid); +CREATE INDEX i_proxy65_jid ON proxy65 USING btree (jid_i); + +CREATE TABLE push_session ( + username text NOT NULL, + server_host text NOT NULL, + timestamp bigint NOT NULL, + service text NOT NULL, + node text NOT NULL, + xml text NOT NULL, + PRIMARY KEY (server_host, username, timestamp) +); + +CREATE UNIQUE INDEX i_push_session_susn ON push_session USING btree (server_host, username, service, node); + +CREATE TABLE mix_channel ( + channel text NOT NULL, + service text NOT NULL, + username text NOT NULL, + domain text NOT NULL, + jid text NOT NULL, + hidden boolean NOT NULL, + hmac_key text NOT NULL, + created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP +); + +CREATE UNIQUE INDEX i_mix_channel ON mix_channel (channel, service); +CREATE INDEX i_mix_channel_serv ON mix_channel (service); + +CREATE TABLE mix_participant ( + channel text NOT NULL, + service text NOT NULL, + username text NOT NULL, + domain text NOT NULL, + jid text NOT NULL, + id text NOT NULL, + nick text NOT NULL, + created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP +); + +CREATE UNIQUE INDEX i_mix_participant ON mix_participant (channel, service, username, domain); +CREATE INDEX i_mix_participant_chan_serv ON mix_participant (channel, service); + +CREATE TABLE mix_subscription ( + channel text NOT NULL, + service text 
NOT NULL, + username text NOT NULL, + domain text NOT NULL, + node text NOT NULL, + jid text NOT NULL +); + +CREATE UNIQUE INDEX i_mix_subscription ON mix_subscription (channel, service, username, domain, node); +CREATE INDEX i_mix_subscription_chan_serv_ud ON mix_subscription (channel, service, username, domain); +CREATE INDEX i_mix_subscription_chan_serv_node ON mix_subscription (channel, service, node); +CREATE INDEX i_mix_subscription_chan_serv ON mix_subscription (channel, service); + +CREATE TABLE mix_pam ( + username text NOT NULL, + server_host text NOT NULL, + channel text NOT NULL, + service text NOT NULL, + id text NOT NULL, + created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP +); + +CREATE UNIQUE INDEX i_mix_pam ON mix_pam (username, server_host, channel, service); +CREATE INDEX i_mix_pam_us ON mix_pam (username, server_host); + +CREATE TABLE mqtt_pub ( + username text NOT NULL, + server_host text NOT NULL, + resource text NOT NULL, + topic text NOT NULL, + qos smallint NOT NULL, + payload bytea NOT NULL, + payload_format smallint NOT NULL, + content_type text NOT NULL, + response_topic text NOT NULL, + correlation_data bytea NOT NULL, + user_properties bytea NOT NULL, + expiry bigint NOT NULL +); + +CREATE UNIQUE INDEX i_mqtt_topic_server ON mqtt_pub (topic, server_host); diff --git a/site-cookbooks/kosmos-ejabberd/metadata.rb b/site-cookbooks/kosmos-ejabberd/metadata.rb new file mode 100644 index 0000000..1e7a7fc --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/metadata.rb 
@@ -0,0 +1,23 @@ +name 'kosmos-ejabberd' +maintainer 'Kosmos' +maintainer_email 'ops@5apps.com' +license 'All Rights Reserved' +description 'Installs/Configures kosmos-ejabberd' +long_description 'Installs/Configures kosmos-ejabberd' +version '0.1.0' +chef_version '>= 12.14' if respond_to?(:chef_version) + +# The `issues_url` points to the location where issues for this cookbook are +# tracked. A `View Issues` link will be displayed on this cookbook's page when +# uploaded to a Supermarket. +# +# issues_url 'https://github.com//kosmos-ejabberd/issues' + +# The `source_url` points to the development repository for this cookbook. A +# `View Source` link will be displayed on this cookbook's page when uploaded to +# a Supermarket. +# +# source_url 'https://github.com//kosmos-ejabberd' + +depends "kosmos-postgresql" +depends "backup" diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb new file mode 100644 index 0000000..db2e2f5 --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb 
@@ -0,0 +1,89 @@ +# +# Cookbook:: kosmos-ejabberd +# Recipe:: default +# +# Copyright:: 2019, Kosmos, All Rights Reserved. +# + +include_recipe "kosmos-postgresql" + +cookbook_file "#{Chef::Config[:file_cache_path]}/pg.new.sql" do + source "pg.new.sql" + mode "0664" +end + +ejabberd_version = node["kosmos-ejabberd"]["version"] +package_checksum = node["kosmos-ejabberd"]["checksum"] +package_path = "#{Chef::Config['file_cache_path']}/ejabberd_#{ejabberd_version}-0_amd64.deb" + +remote_file package_path do + source "https://www.process-one.net/downloads/downloads-action.php?file=/ejabberd/#{ejabberd_version}/ejabberd_#{ejabberd_version}-0_amd64.deb" + checksum package_checksum + notifies :install, "dpkg_package[ejabberd]", :immediately +end + +dpkg_package "ejabberd" do + source package_path + action :nothing + notifies :create, "file[/lib/systemd/system/ejabberd.service]", :immediately +end + +postgresql_connection_info = { + host: '127.0.0.1', + port: 5432, + username: 'postgres', + password: node['postgresql']['password']['postgres'] +} + +postgresql_database 'ejabberd' do + connection postgresql_connection_info + action :create + notifies :run, "execute[create db schema]", :delayed +end + +postgresql_database_user 'ejabberd' do + connection postgresql_connection_info + password 'super_secret' + database_name 'ejabberd' + privileges [:all] + action [:create, :grant] +end + +execute "create db schema" do + user "ejabberd" + command "psql ejabberd < #{Chef::Config[:file_cache_path]}/pg.new.sql" + action :nothing +end + +template "/opt/ejabberd/conf/ejabberd.yml" do + source "ejabberd.yml.erb" + mode 0640 + sensitive true + variables pgsql_password: "super_secret" + notifies :run, "execute[ejabberdctl reload_config]", :delayed +end + +execute "ejabberdctl reload_config" do + command "/opt/ejabberd-#{ejabberd_version}/bin/ejabberdctl reload_config" + action :nothing +end + +file "/etc/init.d/ejabberd" do + action :delete +end + +# Copy the systemd service file +file 
"/lib/systemd/system/ejabberd.service" do + content lazy { IO.read("/opt/ejabberd-#{ejabberd_version}/bin/ejabberd.service") } + action :nothing + notifies :run, "execute[systemctl daemon-reload]", :immediately +end + +execute "systemctl daemon-reload" do + command "systemctl daemon-reload" + action :nothing +end + +service "ejabberd" do + action [:enable, :start] +end diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb new file mode 100644 index 0000000..9730415 --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb 
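Review bot: `cookbook_file "#{Chef::Config[:file_cache_path]}/pg.new.sql"` sets `mode "0664"`, so the schema that `execute[create db schema]` later pipes into psql is group-writable for whatever group owns the cache directory; `mode "0644"` is all a root-written, ejabberd-read file needs. The database user password is the literal `'super_secret'` in both `postgresql_database_user 'ejabberd'` and the template's `variables pgsql_password:`, and a later patch in this series replaces it with a data bag item, so this commit on its own deploys a guessable credential. Pinning `checksum package_checksum` on the `remote_file` is the right control for a vendor .deb fetched over the network and should stay; a comment such as `# checksum comes from node["kosmos-ejabberd"]["checksum"]; update it together with the version` would help whoever bumps the version next.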
@@ -0,0 +1,277 @@ +loglevel: 4 + +log_rotate_size: 10485760 +log_rotate_date: "" +log_rotate_count: 1 + +log_rate_limit: 100 + +hosts: + - "kosmos.org" + +<% if File.exist?("/opt/ejabberd/conf/kosmos.org.pem") -%> +certfiles: + - "/opt/ejabberd/conf/kosmos.org.pem" +<% end -%> + +ca_file: "/opt/ejabberd/conf/cacert.pem" + +define_macro: + 'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH" + 'TLS_OPTIONS': + - "no_sslv3" + - "cipher_server_preference" + - "no_compression" + 'DH_FILE': "/opt/ejabberd/conf/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 2048 + +c2s_dhfile: 'DH_FILE' +s2s_dhfile: 'DH_FILE' +c2s_ciphers: 'TLS_CIPHERS' +s2s_ciphers: 'TLS_CIPHERS' +c2s_protocol_options: 'TLS_OPTIONS' +s2s_protocol_options: 'TLS_OPTIONS' + +listen: + - + port: 5222 + ip: "::" + module: ejabberd_c2s + starttls: true + max_stanza_size: 65536 + shaper: c2s_shaper + access: c2s + - + port: 5223 + ip: "::" + module: ejabberd_c2s + tls: true + max_stanza_size: 65536 + shaper: c2s_shaper + access: c2s + - + port: 5269 + ip: "::" + module: ejabberd_s2s_in + max_stanza_size: 131072 + shaper: s2s_shaper + - + port: 5280 + ip: "::" + module: ejabberd_http + request_handlers: + "/ws": ejabberd_http_ws + "/bosh": mod_bosh + "/api": mod_http_api + tls: true + ## "/pub/archive": mod_http_fileserver + web_admin: true + ## register: true + captcha: false + - + port: 5443 + module: ejabberd_http + request_handlers: + "upload": mod_http_upload + <% if File.exist?("/opt/ejabberd/conf/kosmos.org.pem") -%> + tls: true + certfiles: + - "/opt/ejabberd/conf/kosmos.org.pem" + <% end -%> + custom_headers: + "Access-Control-Allow-Origin": "*" + "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT" + "Access-Control-Allow-Headers": "Authorization" + "Access-Control-Allow-Credentials": "true" + +s2s_use_starttls: optional + +auth_password_format: scram +auth_method: sql + +default_db: sql + +sql_type: pgsql +sql_server: "localhost" +sql_database: "ejabberd" +sql_username: 
"ejabberd" +sql_password: "<%= @pgsql_password %>" +new_sql_schema: true + +shaper: + normal: 1000 + fast: 50000 + +max_fsm_queue: 10000 + +acl: + admin: + user: + - "greg@5apps.com" + - "sebastian@5apps.com" + - "garret@5apps.com" + - "raucao@kosmos.org" + - "greg@kosmos.org" + - "galfert@kosmos.org" + + local: + user_regexp: "" + + loopback: + ip: + - "127.0.0.0/8" + - "::1/128" + - "::FFFF:127.0.0.1/128" + +shaper_rules: + max_user_sessions: 10 + max_user_offline_messages: + - 5000: admin + - 100 + c2s_shaper: + - none: admin + - normal + s2s_shaper: fast + +access_rules: + local: + - allow: local + c2s: + - deny: blocked + - allow + announce: + - allow: admin + configure: + - allow: admin + muc_create: + - allow: admin + - allow: local + pubsub_createnode: + - allow: local + register: + - allow + trusted_network: + - allow: loopback + +api_permissions: + "console commands": + from: + - ejabberd_ctl + who: all + what: "*" + "admin access": + who: + - access: + - allow: + - acl: loopback + - acl: admin + - oauth: + - scope: "ejabberd:admin" + - access: + - allow: + - acl: loopback + - acl: admin + what: + - "*" + - "!stop" + - "!start" + "public commands": + who: + - ip: "127.0.0.1/8" + what: + - "status" + - "connected_users_number" + +language: "en" + +modules: + mod_adhoc: {} + mod_admin_extra: {} + mod_announce: # recommends mod_adhoc + access: announce + mod_blocking: {} # requires mod_privacy + mod_caps: {} + mod_carboncopy: {} + mod_client_state: {} + mod_configure: {} # requires mod_adhoc + mod_disco: + server_info: + - + modules: all + name: "abuse-addresses" + urls: ["mailto:abuse@kosmos.org"] + mod_bosh: {} + mod_http_upload: + docroot: "/var/www/xmpp.@HOST@/uploads/" + put_url: "https://xmpp.@HOST@:5443/upload" + thumbnail: false # otherwise needs the identify command from ImageMagick installed + mod_last: {} + mod_mam: + default: always + request_activates_archiving: true + mod_muc: + access: + - allow + access_admin: + - allow: admin + 
access_create: muc_create + access_persistent: muc_create + default_room_options: + mam: true + mod_muc_admin: {} + mod_offline: + access_max_user_messages: max_user_offline_messages + mod_ping: {} + mod_privacy: {} + mod_private: {} + mod_proxy65: {} + mod_pubsub: + access_createnode: pubsub_createnode + ignore_pep_from_offline: false + last_item_cache: false + max_items_node: 10 + plugins: + - "flat" + - "pep" # pep requires mod_caps + mod_push: {} + mod_push_keepalive: {} + mod_register: + welcome_message: + subject: "Welcome!" + body: |- + Hi. + Welcome to this XMPP server. + ip_access: trusted_network + access: register + mod_roster: + versioning: true + store_current_id: true + mod_shared_roster: {} + mod_vcard: + search: false + mod_vcard_xupdate: {} + mod_avatar: {} + mod_version: {} + mod_stream_mgmt: {} + mod_s2s_dialback: {} + mod_http_api: {} + +append_host_config: + "kosmos.org": + modules: + mod_muc: + host: "chat.kosmos.org" + access: + - allow + access_admin: + - allow: admin + access_create: muc_create + access_persistent: muc_create + default_room_options: + mam: true + +allow_contrib_modules: true + +### Local Variables: +### mode: yaml +### End: +### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker: diff --git a/site-cookbooks/kosmos-ejabberd/test/integration/default/serverspec/default_spec.rb b/site-cookbooks/kosmos-ejabberd/test/integration/default/serverspec/default_spec.rb new file mode 100644 index 0000000..703630b --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/test/integration/default/serverspec/default_spec.rb 
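Review bot: The `"public commands"` rule in `api_permissions` uses `ip: "127.0.0.1/8"` while the `loopback` acl above uses `"127.0.0.0/8"`; the covered range is the same, but the inconsistency invites a wrong edit later, so either write `ip: "127.0.0.0/8"` or reuse the acl with `- acl: loopback`. The `custom_headers` on the 5443 listener combine `"Access-Control-Allow-Origin": "*"` with `"Access-Control-Allow-Credentials": "true"`, a pairing browsers refuse for credentialed requests; drop the credentials header unless a specific origin is echoed back. `web_admin: true` on the 5280 listener is reachable from every address the host accepts connections from and is gated only by the `admin` acl in this file, so a comment stating which firewall rule or loopback binding is expected to protect it would help the next reader.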
@@ -0,0 +1,23 @@ +require 'serverspec' + +# Required by serverspec +set :backend, :exec + +describe 'ejabberd' do + describe package('ejabberd') do + it { should be_installed } + end + + it 'is listening on port 5222 (client-to-server)' do + expect(port(5222)).to be_listening + end + + it 'is listening on port 5269 (server-to-server)' do + expect(port(5269)).to be_listening + end + + it 'runs the ejabberd service' do + expect(service('ejabberd')).to be_running + expect(service('ejabberd')).to be_enabled + end +end From 80449ccbebff49a3921ce2fcdc30b663129203ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Mon, 25 Feb 2019 18:13:06 +0100 Subject: [PATCH 02/22] Add a recipe that sets up backups for ejabberd --- site-cookbooks/kosmos-ejabberd/recipes/backup.rb | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 site-cookbooks/kosmos-ejabberd/recipes/backup.rb diff --git a/site-cookbooks/kosmos-ejabberd/recipes/backup.rb b/site-cookbooks/kosmos-ejabberd/recipes/backup.rb new file mode 100644 index 0000000..f6f154a --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/recipes/backup.rb @@ -0,0 +1,16 @@ +# +# Cookbook:: kosmos-ejabberd +# Recipe:: backup +# +# Copyright:: 2019, Kosmos, All Rights Reserved. +# + +unless node.chef_environment == "development" + # backup the data dir and the config files + node.override["backup"]["archives"]["ejabberd"] = ["/opt/ejabberd", "/var/www/xmpp.kosmos.org"] + unless node["backup"]["postgresql"]["databases"].include? "ejabberd" + node.override["backup"]["postgresql"]["databases"] = + node["backup"]["postgresql"]["databases"].to_a << "ejabberd" + end + include_recipe "backup" +end From 4519f2fe36546c256a0c27ff517dd6b431ada2f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 27 Feb 2019 12:42:18 +0100 Subject: [PATCH 03/22] Add the kosmos-postgresql and ejabberd backup recipes --- nodes/andromeda.kosmos.org.json | 9 +++++++++ 1 file changed, 9 insertions(+) 
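Review bot: In `recipes/backup.rb` the archive list `["/opt/ejabberd", "/var/www/xmpp.kosmos.org"]` includes `/opt/ejabberd/conf`, which holds the rendered `ejabberd.yml` with the SQL password and any TLS key material placed there; whether the `backup` cookbook encrypts its archives is not visible on this page, so that should be confirmed and noted, for example `# /opt/ejabberd/conf contains the SQL password and TLS keys; archives must be encrypted at rest`. The `to_a << "ejabberd"` guarded by `include?` is fine and idempotent. The serverspec file on the same line covers 5222 and 5269 but not 5223 or 5443, which the template also binds; two more `port(...)` expectations would keep the test in step with the listeners.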
diff --git a/nodes/andromeda.kosmos.org.json b/nodes/andromeda.kosmos.org.json index 37486f8..42ec74a 100644 --- a/nodes/andromeda.kosmos.org.json +++ b/nodes/andromeda.kosmos.org.json @@ -3,11 +3,20 @@ "role[base]", "kosmos-base::andromeda_firewall", "role[ipfs_cluster_with_tls]", + "kosmos-postgresql", + "kosmos-ejabberd::backup", "kosmos-mediawiki", "sockethub", "sockethub::proxy", "kosmos-btcpayserver::proxy" ], + "normal": { + "postgresql": { + "password": { + "postgres": "iezah7ochae9uizu1Isha2Chuok8ra" + } + } + }, "automatic": { "ipaddress": "andromeda.kosmos.org" } From 1b770c0e95171c9115d1b2568d3503db2d2943fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Tue, 19 Mar 2019 16:27:46 +0100 Subject: [PATCH 04/22] Set up Let's Encrypt for the kosmos.org ejabberd server --- site-cookbooks/kosmos-ejabberd/metadata.rb | 1 + .../kosmos-ejabberd/recipes/letsencrypt.rb | 50 +++++++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb diff --git a/site-cookbooks/kosmos-ejabberd/metadata.rb b/site-cookbooks/kosmos-ejabberd/metadata.rb index 1e7a7fc..d9ed33f 100644 --- a/site-cookbooks/kosmos-ejabberd/metadata.rb +++ b/site-cookbooks/kosmos-ejabberd/metadata.rb @@ -20,4 +20,5 @@ chef_version '>= 12.14' if respond_to?(:chef_version) # source_url 'https://github.com//kosmos-ejabberd' depends "kosmos-postgresql" +depends "kosmos-base" depends "backup" diff --git a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb new file mode 100644 index 0000000..825445c --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb 
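Review bot: The new `normal.postgresql.password.postgres` attribute stores the PostgreSQL superuser password as cleartext in a node file committed to the repository, so anyone with read access to the repo or its history holds it; it should be read from an encrypted data bag or similar secret store instead, the way a later patch in this series does for the ejabberd database user. Rotating the credential is required regardless, because removing it in a follow-up commit leaves it retrievable from history. The `metadata.rb` hunk on the same line only adds `depends "kosmos-base"` and needs nothing.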
@@ -0,0 +1,50 @@ +# +# Cookbook:: kosmos-ejabberd +# Recipe:: letsencrypt +# +# Copyright:: 2019, Kosmos, All Rights Reserved. +# + +include_recipe "kosmos-base::letsencrypt" + +domain = "kosmos.org" +domain_and_subdomains = [domain, "chat.#{domain}" "xmpp.#{domain}"] + +ejabberd_post_hook = <<-EOF +#!/usr/bin/env bash + +set -e + +# Copy the ejabberd certificate and restart the server if it has been renewed +# This is necessary because the ejabberd user doesn't have access to the +# letsencrypt live folder +for domain in $RENEWED_DOMAINS; do + case $domain in + # Do not copy over when renewing other kosmos.org domains + #{domain}) + cat "${RENEWED_LINEAGE}/privkey.pem" "${RENEWED_LINEAGE}/fullchain.pem" > /opt/ejabberd/conf/#{domain}.pem + chown ejabberd:ejabberd /opt/ejabberd/conf/#{domain}.pem + chmod 600 /opt/ejabberd/conf/#{domain}.pem + /opt/ejabberd-#{node["kosmos-ejabberd"]["version"]}/bin/ejabberdctl reload_config + ;; + esac +done +EOF + +file "/etc/letsencrypt/renewal-hooks/post/ejabberd" do + content ejabberd_post_hook + mode 0755 + owner "root" + group "root" +end + +domain_and_subdomains_switch = domain_and_subdomains.map { |d| "-d #{d}" }.join(" ") + +# Generate a Let's Encrypt cert (only if no cert has been generated before). +# The systemd timer will take care of renewing +execute "letsencrypt cert for kosmos xmpp" do + command "/usr/bin/certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@#{domain} #{domain_and_subdomains_switch} -n" + not_if do + File.exist?("/opt/ejabberd/conf/#{domain}.pem") + end +end From 0e379644c56121d4184308b4de693ba7dfdddfd1 Mon Sep 17 00:00:00 2001 
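Review bot: `domain_and_subdomains = [domain, "chat.#{domain}" "xmpp.#{domain}"]` is missing a comma, so Ruby concatenates the two adjacent string literals and the array holds `"chat.kosmos.orgxmpp.kosmos.org"` as its second element; the certbot command then requests a name that does not exist. The fix is `domain_and_subdomains = [domain, "chat.#{domain}", "xmpp.#{domain}"]` (a later patch in this series sidesteps the variable by spelling out the `-d` switches). In the `ejabberd_post_hook` script the private key is written with `cat ... > /opt/ejabberd/conf/#{domain}.pem` before the `chmod 600` runs, so on first creation the file briefly carries the default umask permissions; adding `umask 077` right after `set -e` closes that window.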
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 17 Apr 2019 10:30:29 +0200 Subject: [PATCH 05/22] MIT license for the kosmos-ejabberd cookbook --- site-cookbooks/kosmos-ejabberd/LICENSE | 21 +++++++++++++++++-- site-cookbooks/kosmos-ejabberd/metadata.rb | 4 ++-- .../kosmos-ejabberd/recipes/backup.rb | 21 ++++++++++++++++++- .../kosmos-ejabberd/recipes/default.rb | 21 ++++++++++++++++++- .../kosmos-ejabberd/recipes/letsencrypt.rb | 21 ++++++++++++++++++- 5 files changed, 81 insertions(+), 7 deletions(-) diff --git a/site-cookbooks/kosmos-ejabberd/LICENSE b/site-cookbooks/kosmos-ejabberd/LICENSE index fd8848e..f3b5d1c 100644 --- a/site-cookbooks/kosmos-ejabberd/LICENSE +++ b/site-cookbooks/kosmos-ejabberd/LICENSE @@ -1,3 +1,20 @@ -Copyright 2019 Kosmos +Copyright (c) 2019 Kosmos Developers -All rights reserved, do not redistribute. +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND +NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE +LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION +OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION +WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
diff --git a/site-cookbooks/kosmos-ejabberd/metadata.rb b/site-cookbooks/kosmos-ejabberd/metadata.rb index d9ed33f..51ecc0a 100644 --- a/site-cookbooks/kosmos-ejabberd/metadata.rb +++ b/site-cookbooks/kosmos-ejabberd/metadata.rb @@ -1,7 +1,7 @@ name 'kosmos-ejabberd' maintainer 'Kosmos' -maintainer_email 'ops@5apps.com' -license 'All Rights Reserved' +maintainer_email 'ops@kosmos.org' +license 'MIT' description 'Installs/Configures kosmos-ejabberd' long_description 'Installs/Configures kosmos-ejabberd' version '0.1.0' diff --git a/site-cookbooks/kosmos-ejabberd/recipes/backup.rb b/site-cookbooks/kosmos-ejabberd/recipes/backup.rb index f6f154a..f1d5c0f 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/backup.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/backup.rb 
@@ -2,8 +2,27 @@ # Cookbook:: kosmos-ejabberd # Recipe:: backup # -# Copyright:: 2019, Kosmos, All Rights Reserved. +# The MIT License (MIT) # +# Copyright:: 2019, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. unless node.chef_environment == "development" # backup the data dir and the config files diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index db2e2f5..06dd379 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb 
@@ -2,8 +2,27 @@ # Cookbook:: kosmos-ejabberd # Recipe:: default # -# Copyright:: 2019, Kosmos, All Rights Reserved. +# The MIT License (MIT) # +# Copyright:: 2019, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. include_recipe "kosmos-postgresql" diff --git a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb index 825445c..26fa84a 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb 
@@ -2,8 +2,27 @@ # Cookbook:: kosmos-ejabberd # Recipe:: letsencrypt # -# Copyright:: 2019, Kosmos, All Rights Reserved. +# The MIT License (MIT) # +# Copyright:: 2019, Kosmos Developers +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +# THE SOFTWARE. include_recipe "kosmos-base::letsencrypt" From b45430f63a12a3567160846343a8a79fc97b4e8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 17 Apr 2019 11:22:12 +0200 Subject: [PATCH 06/22] Set permissions for the upload folder --- site-cookbooks/kosmos-ejabberd/recipes/default.rb | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index 06dd379..45a3e99 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb 
@@ -103,6 +103,13 @@ execute "systemctl daemon-reload" do action :nothing end +directory "/var/www/xmpp.kosmos.org/uploads" do + owner "ejabberd" + group "ejabberd" + mode 0750 + recursive true +end + service "ejabberd" do action [:enable, :start] end From b44a22675360fab7949ec7e5edb2d771b2765b53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Fri, 10 May 2019 11:43:52 +0200 Subject: [PATCH 07/22] Fix the postgresql setup for the ejabberd cookbook Create a ejabberd user with a password from an encrypted data bag --- .../kosmos-ejabberd/recipes/default.rb | 24 +++++++------------ 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index 45a3e99..b3070ba 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb @@ -47,25 +47,17 @@ dpkg_package "ejabberd" do notifies :create, "file[/lib/systemd/system/ejabberd.service]", :immediately end -postgresql_connection_info = { - host: '127.0.0.1', - port: 5432, - username: 'postgres', - password: node['postgresql']['password']['postgres'] -} +postgresql_data_bag_item = data_bag_item('credentials', 'postgresql') -postgresql_database 'ejabberd' do - connection postgresql_connection_info +postgresql_user 'ejabberd' do action :create - notifies :run, "execute[create db schema]", :delayed + password postgresql_data_bag_item['ejabberd_user_password'] end -postgresql_database_user 'ejabberd' do - connection postgresql_connection_info - password 'super_secret' - database_name 'ejabberd' - privileges [:all] - action [:create, :grant] +postgresql_database 'ejabberd' do + owner 'ejabberd' + action :create + notifies :run, "execute[create db schema]", :delayed end execute "create db schema" do 
@@ -78,7 +70,7 @@ template "/opt/ejabberd/conf/ejabberd.yml" do source "ejabberd.yml.erb" mode 0640 sensitive true - variables pgsql_password: "super_secret" + variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password'] notifies :run, "execute[ejabberdctl reload_config]", :delayed end From ad23530653e4db1b5d3d60f9e37fa5264631fc2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Mon, 13 May 2019 17:08:21 +0200 Subject: [PATCH 08/22] Add the firewall rules for ejabberd Includes the missing 5223 port in the andromeda_firewall recipe too --- site-cookbooks/kosmos-base/recipes/andromeda_firewall.rb | 2 +- site-cookbooks/kosmos-ejabberd/metadata.rb | 1 + site-cookbooks/kosmos-ejabberd/recipes/default.rb | 8 ++++++++ 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos-base/recipes/andromeda_firewall.rb b/site-cookbooks/kosmos-base/recipes/andromeda_firewall.rb index 3401bff..44db935 100644 --- a/site-cookbooks/kosmos-base/recipes/andromeda_firewall.rb +++ b/site-cookbooks/kosmos-base/recipes/andromeda_firewall.rb @@ -27,7 +27,7 @@ # Temporary extra rules for Andromeda firewall_rule 'ejabberd' do - port [5222, 5269, 5280, 5443] + port [5222, 5223, 5269, 5280, 5443] protocol :tcp command :allow end diff --git a/site-cookbooks/kosmos-ejabberd/metadata.rb b/site-cookbooks/kosmos-ejabberd/metadata.rb index 51ecc0a..bbd1886 100644 --- a/site-cookbooks/kosmos-ejabberd/metadata.rb +++ b/site-cookbooks/kosmos-ejabberd/metadata.rb @@ -22,3 +22,4 @@ chef_version '>= 12.14' if respond_to?(:chef_version) depends "kosmos-postgresql" depends "kosmos-base" depends "backup" +depends "firewall" diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index b3070ba..2611fab 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb 
@@ -105,3 +105,11 @@ end service "ejabberd" do action [:enable, :start] end + +unless node.chef_environment == "development" + firewall_rule 'ejabberd' do + port [5222, 5223, 5269, 5280, 5443] + protocol :tcp + command :allow + end +end From 88204ea91b98668c6b496445a3ea7b5d368cba7a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Mon, 13 May 2019 17:59:04 +0200 Subject: [PATCH 09/22] Update the config to the current one running on andromeda --- .../templates/ejabberd.yml.erb | 85 +++++++++++-------- 1 file changed, 50 insertions(+), 35 deletions(-) diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb index 9730415..485487b 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb @@ -8,11 +8,32 @@ log_rate_limit: 100 hosts: - "kosmos.org" + - "5apps.com" + +host_config: + "kosmos.org": + sql_type: pgsql + sql_server: "localhost" + sql_database: "ejabberd" + sql_username: "ejabberd" + sql_password: "<%= @pgsql_password %>" + "5apps.com": + sql_type: pgsql + sql_server: "localhost" + sql_database: "ejabberd_5apps" + sql_username: "ejabberd" + sql_password: "<%= @pgsql_password %>" -<% if File.exist?("/opt/ejabberd/conf/kosmos.org.pem") -%> certfiles: +<% if File.exist?("/opt/ejabberd/conf/kosmos.org.pem") -%> - "/opt/ejabberd/conf/kosmos.org.pem" <% end -%> +<% if File.exist?("/opt/ejabberd/conf/5apps.com.crt") -%> + - "/opt/ejabberd/conf/5apps.com.crt" +<% end -%> +<% if File.exist?("/opt/ejabberd/conf/5apps.com.key") -%> + - "/opt/ejabberd/conf/5apps.com.key" +<% end -%> ca_file: "/opt/ejabberd/conf/cacert.pem" 
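Review bot: The `firewall_rule 'ejabberd'` opens `5280` with the other ports, but the template change in the next patch of this series removes the 5280 listener and moves `web_admin` and `/api` to 5443, so after that change the rule exposes a port nothing listens on; `port [5222, 5223, 5269, 5443]` matches the listeners actually configured. The `unless node.chef_environment == "development"` guard mirrors the one in `recipes/backup.rb`, which is consistent. The `host_config` hunk of the template on the same line repeats `sql_password: "<%= @pgsql_password %>"` for both vhosts, which works, but a comment such as `# both vhosts use the ejabberd role; only the database differs` saves a reader from hunting for a second credential.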
@@ -55,33 +76,24 @@ listen: max_stanza_size: 131072 shaper: s2s_shaper - - port: 5280 + port: 5443 ip: "::" module: ejabberd_http request_handlers: "/ws": ejabberd_http_ws "/bosh": mod_bosh "/api": mod_http_api - tls: true - ## "/pub/archive": mod_http_fileserver - web_admin: true - ## register: true - captcha: false - - - port: 5443 - module: ejabberd_http - request_handlers: - "upload": mod_http_upload - <% if File.exist?("/opt/ejabberd/conf/kosmos.org.pem") -%> - tls: true - certfiles: - - "/opt/ejabberd/conf/kosmos.org.pem" - <% end -%> + "/upload": mod_http_upload custom_headers: "Access-Control-Allow-Origin": "*" "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT" "Access-Control-Allow-Headers": "Authorization" "Access-Control-Allow-Credentials": "true" + tls: true + ## "/pub/archive": mod_http_fileserver + web_admin: true + ## register: true + captcha: false s2s_use_starttls: optional @@ -90,13 +102,6 @@ auth_method: sql default_db: sql -sql_type: pgsql -sql_server: "localhost" -sql_database: "ejabberd" -sql_username: "ejabberd" -sql_password: "<%= @pgsql_password %>" -new_sql_schema: true - shaper: normal: 1000 fast: 50000 @@ -198,7 +203,7 @@ modules: - modules: all name: "abuse-addresses" - urls: ["mailto:abuse@kosmos.org"] + urls: ["mailto:abuse@@HOST@"] mod_bosh: {} mod_http_upload: docroot: "/var/www/xmpp.@HOST@/uploads/" @@ -208,15 +213,6 @@ modules: mod_mam: default: always request_activates_archiving: true - mod_muc: - access: - - allow - access_admin: - - allow: admin - access_create: muc_create - access_persistent: muc_create - default_room_options: - mam: true mod_muc_admin: {} mod_offline: access_max_user_messages: max_user_offline_messages 
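Review bot: Merging the 5280 listener into 5443 puts `web_admin: true`, `"/api": mod_http_api` and `"/upload": mod_http_upload` behind one port that the firewall rule in this series opens externally, and the `custom_headers` block now applies `"Access-Control-Allow-Origin": "*"` to admin and API responses as well, not only to uploads. Keeping the admin UI and API on a separate listener bound with `ip: "127.0.0.1"`, or dropping `web_admin: true` if `ejabberdctl` is sufficient, limits what the wildcard CORS policy covers. The `api_permissions` section restricting `"admin access"` to `loopback`/`admin` is the effective control that remains, so a comment on the listener, `## admin UI and /api are gated by api_permissions below; keep both in sync`, would make that dependency visible.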
@@ -256,16 +252,35 @@ modules: mod_http_api: {} append_host_config: + "5apps.com": + modules: + mod_muc: + host: "muc.@HOST@" + access: + - allow: local + access_admin: + - allow: admin + access_create: muc_create + access_persistent: muc_create + max_user_conferences: 1000 + default_room_options: + anonymous: false + public: true + members_only: true + public_list: false + persistent: true + mam: true "kosmos.org": modules: mod_muc: - host: "chat.kosmos.org" + host: "chat.@HOST@" access: - allow access_admin: - allow: admin access_create: muc_create access_persistent: muc_create + max_user_conferences: 1000 default_room_options: mam: true From 5d1aeb7b68422f1e0e9119a5fac636ff8ff82d71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Mon, 13 May 2019 18:52:39 +0200 Subject: [PATCH 10/22] Create a cert for 5apps.com and improve the renewal script --- .../kosmos-ejabberd/recipes/letsencrypt.rb | 28 +++++++++++-------- 1 file changed, 16 insertions(+), 12 deletions(-) diff --git a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb index 26fa84a..d4cbd00 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb @@ -26,9 +26,6 @@ include_recipe "kosmos-base::letsencrypt" -domain = "kosmos.org" -domain_and_subdomains = [domain, "chat.#{domain}" "xmpp.#{domain}"] - ejabberd_post_hook = <<-EOF #!/usr/bin/env bash 
@@ -39,11 +36,11 @@ set -e # letsencrypt live folder for domain in $RENEWED_DOMAINS; do case $domain in - # Do not copy over when renewing other kosmos.org domains - #{domain}) - cat "${RENEWED_LINEAGE}/privkey.pem" "${RENEWED_LINEAGE}/fullchain.pem" > /opt/ejabberd/conf/#{domain}.pem - chown ejabberd:ejabberd /opt/ejabberd/conf/#{domain}.pem - chmod 600 /opt/ejabberd/conf/#{domain}.pem + kosmos.org|5apps.com) + cp "${RENEWED_LINEAGE}/privkey.pem" /opt/ejabberd/conf/$domain.key + cp "${RENEWED_LINEAGE}/fullchain.pem" /opt/ejabberd/conf/$domain.crt + chown ejabberd:ejabberd /opt/ejabberd/conf/$domain.* + chmod 600 /opt/ejabberd/conf/$domain.* /opt/ejabberd-#{node["kosmos-ejabberd"]["version"]}/bin/ejabberdctl reload_config ;; esac 
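Review bot: In the hook's `kosmos.org|5apps.com)` branch, `cp "${RENEWED_LINEAGE}/privkey.pem" /opt/ejabberd/conf/$domain.key` creates the key file with the caller's default umask before the `chmod 600` line runs, so a newly created key is briefly readable by other local users; `umask 077` next to `set -e` (which is outside this hunk), or `install -m 600 -o ejabberd -g ejabberd "${RENEWED_LINEAGE}/privkey.pem" /opt/ejabberd/conf/$domain.key` for each file, avoids the window. The `for domain in $RENEWED_DOMAINS` loop starts before and ends after the hunk. Quoting the destinations as `"/opt/ejabberd/conf/$domain.key"` and `"/opt/ejabberd/conf/$domain.crt"` is cheap and keeps the script robust if the variable ever carries unexpected characters.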
@@ -57,13 +54,20 @@ file "/etc/letsencrypt/renewal-hooks/post/ejabberd" do
group "root"
end
-domain_and_subdomains_switch = domain_and_subdomains.map { |d| "-d #{d}" }.join(" ")
-
# Generate a Let's Encrypt cert (only if no cert has been generated before).
# The systemd timer will take care of renewing
execute "letsencrypt cert for kosmos xmpp" do
- command "/usr/bin/certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@#{domain} #{domain_and_subdomains_switch} -n"
+ command "/usr/bin/certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d chat.kosmos.org -d xmpp.kosmos.org -n"
not_if do
- File.exist?("/opt/ejabberd/conf/#{domain}.pem")
+ File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem")
+ end
+end
+
+# Generate a Let's Encrypt cert (only if no cert has been generated before).
+# The systemd timer will take care of renewing
+execute "letsencrypt cert for 5apps xmpp" do
+ command "/usr/bin/certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -n"
+ not_if do
+ File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem")
end
end
From d9390a4b920df1585dff6831bdf3d68db283d9d3 Mon Sep 17 00:00:00 2001
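Review bot: The two `execute` resources repeat the full certbot command line verbatim and differ only in the `--email` and `-d` arguments, so any later change to the hooks or challenge flags has to be made twice and the two are likely to drift. Driving both resources from one hash of vhost to subdomains keeps a single command template and a single `not_if` guard, as sketched below; note this renames the resources to "letsencrypt cert for kosmos.org xmpp" and "letsencrypt cert for 5apps.com xmpp", which matters only if something outside this hunk notifies them by name. A comment explaining why `--manual` DNS challenges with the Gandi hook are used instead of a webroot/standalone challenge would also help, since that is the non-obvious part of the command.

```ruby
# … unchanged: file "/etc/letsencrypt/renewal-hooks/post/ejabberd" resource …

# One Let's Encrypt lineage per XMPP vhost; the subdomains become SANs on it
{
  "kosmos.org" => %w[chat xmpp],
  "5apps.com"  => %w[muc xmpp],
}.each do |domain, subdomains|
  dns_names = [domain, *subdomains.map { |sub| "#{sub}.#{domain}" }]
  domain_switches = dns_names.map { |d| "-d #{d}" }.join(" ")

  # Generate a Let's Encrypt cert (only if no cert has been generated before).
  # The systemd timer will take care of renewing
  execute "letsencrypt cert for #{domain} xmpp" do
    command "/usr/bin/certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@#{domain} #{domain_switches} -n"
    not_if { File.exist?("/etc/letsencrypt/live/#{domain}/fullchain.pem") }
  end
end
```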
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Mon, 13 May 2019 18:53:45 +0200
Subject: [PATCH 11/22] Don't use a concatenated cert for kosmos.org anymore
---
site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
index 485487b..2632bdb 100644
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
@@ -25,8 +25,11 @@ host_config:
sql_password: "<%= @pgsql_password %>"
certfiles:
-<% if File.exist?("/opt/ejabberd/conf/kosmos.org.pem") -%>
- - "/opt/ejabberd/conf/kosmos.org.pem"
+<% if File.exist?("/opt/ejabberd/conf/kosmos.org.crt") -%>
+ - "/opt/ejabberd/conf/kosmos.org.crt"
+<% end -%>
+<% if File.exist?("/opt/ejabberd/conf/kosmos.org.key") -%>
+ - "/opt/ejabberd/conf/kosmos.org.key"
<% end -%>
<% if File.exist?("/opt/ejabberd/conf/5apps.com.crt") -%>
- "/opt/ejabberd/conf/5apps.com.crt"
From bd720b01899ae867b14ca56bafb422d10f6639c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 14 May 2019 11:24:08 +0200
Subject: [PATCH 12/22] Use the regular SQL schema (not the new one for all vhosts into one db)
---
.../kosmos-ejabberd/files/pg.new.sql | 644 ------------------
.../kosmos-ejabberd/recipes/default.rb | 22 +-
2 files changed, 17 insertions(+), 649 deletions(-)
delete mode 100644 site-cookbooks/kosmos-ejabberd/files/pg.new.sql
diff --git a/site-cookbooks/kosmos-ejabberd/files/pg.new.sql b/site-cookbooks/kosmos-ejabberd/files/pg.new.sql
deleted file mode 100644
index c585fd3..0000000
--- a/site-cookbooks/kosmos-ejabberd/files/pg.new.sql
+++ /dev/null
@@ -1,644 +0,0 @@ --- --- ejabberd, Copyright (C) 2002-2019 ProcessOne --- --- This program is free software; you can redistribute it and/or --- modify it under the terms of the GNU General Public License as --- published by the Free Software Foundation; either version 2 of the --- License, or (at your option) any later version. --- --- This program is distributed in the hope that it will be useful, --- but WITHOUT ANY WARRANTY; without even the implied warranty of --- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU --- General Public License for more details. --- --- You should have received a copy of the GNU General Public License along --- with this program; if not, write to the Free Software Foundation, Inc., --- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. --- - --- To update from the old schema, replace with the host's domain: - --- ALTER TABLE users ADD COLUMN server_host text NOT NULL DEFAULT ''; --- ALTER TABLE users DROP CONSTRAINT users_pkey; --- ALTER TABLE users ADD PRIMARY KEY (server_host, username); --- ALTER TABLE users ALTER COLUMN server_host DROP DEFAULT; - --- ALTER TABLE last ADD COLUMN server_host text NOT NULL DEFAULT ''; --- ALTER TABLE last DROP CONSTRAINT last_pkey; --- ALTER TABLE last ADD PRIMARY KEY (server_host, username); --- ALTER TABLE last ALTER COLUMN server_host DROP DEFAULT; - --- ALTER TABLE rosterusers ADD COLUMN server_host text NOT NULL DEFAULT ''; --- DROP INDEX i_rosteru_user_jid; --- DROP INDEX i_rosteru_username; --- DROP INDEX i_rosteru_jid; --- CREATE UNIQUE INDEX i_rosteru_sh_user_jid ON rosterusers USING btree (server_host, username, jid); --- CREATE INDEX i_rosteru_sh_username ON rosterusers USING btree (server_host, username); --- CREATE INDEX i_rosteru_sh_jid ON rosterusers USING btree (server_host, jid); --- ALTER TABLE rosterusers ALTER COLUMN server_host DROP DEFAULT; - --- ALTER TABLE rostergroups ADD COLUMN server_host text NOT NULL DEFAULT ''; --- DROP INDEX 
pk_rosterg_user_jid; --- CREATE INDEX i_rosterg_sh_user_jid ON rostergroups USING btree (server_host, username, jid); --- ALTER TABLE rostergroups ALTER COLUMN server_host DROP DEFAULT; - --- ALTER TABLE sr_group ADD COLUMN server_host text NOT NULL DEFAULT ''; --- ALTER TABLE sr_group ADD PRIMARY KEY (server_host, name); --- ALTER TABLE sr_group ALTER COLUMN server_host DROP DEFAULT; - --- ALTER TABLE sr_user ADD COLUMN server_host text NOT NULL DEFAULT ''; --- DROP INDEX i_sr_user_jid_grp; --- DROP INDEX i_sr_user_jid; --- DROP INDEX i_sr_user_grp; --- ALTER TABLE sr_user ADD PRIMARY KEY (server_host, jid, grp); --- CREATE INDEX i_sr_user_sh_jid ON sr_user USING btree (server_host, jid); --- CREATE INDEX i_sr_user_sh_grp ON sr_user USING btree (server_host, grp); --- ALTER TABLE sr_user ALTER COLUMN server_host DROP DEFAULT; - --- ALTER TABLE spool ADD COLUMN server_host text NOT NULL DEFAULT ''; --- DROP INDEX i_despool; --- CREATE INDEX i_spool_sh_username ON spool USING btree (server_host, username); --- ALTER TABLE spool ALTER COLUMN server_host DROP DEFAULT; - --- ALTER TABLE archive ADD COLUMN server_host text NOT NULL DEFAULT ''; --- DROP INDEX i_username_timestamp; --- DROP INDEX i_username_peer; --- DROP INDEX i_username_bare_peer; --- DROP INDEX i_timestamp; --- CREATE INDEX i_archive_sh_username_timestamp ON archive USING btree (server_host, username, timestamp); --- CREATE INDEX i_archive_sh_username_peer ON archive USING btree (server_host, username, peer); --- CREATE INDEX i_archive_sh_username_bare_peer ON archive USING btree (server_host, username, bare_peer); --- CREATE INDEX i_archive_sh_timestamp ON archive USING btree (server_host, timestamp); --- ALTER TABLE archive ALTER COLUMN server_host DROP DEFAULT; - --- ALTER TABLE archive_prefs ADD COLUMN server_host text NOT NULL DEFAULT ''; --- ALTER TABLE archive_prefs DROP CONSTRAINT archive_prefs_pkey; --- ALTER TABLE archive_prefs ADD PRIMARY KEY (server_host, username); --- ALTER TABLE 
archive_prefs ALTER COLUMN server_host DROP DEFAULT; - --- ALTER TABLE vcard ADD COLUMN server_host text NOT NULL DEFAULT ''; --- ALTER TABLE vcard DROP CONSTRAINT vcard_pkey; --- ALTER TABLE vcard ADD PRIMARY KEY (server_host, username); --- ALTER TABLE vcard ALTER COLUMN server_host DROP DEFAULT; - --- ALTER TABLE vcard_search ADD COLUMN server_host text NOT NULL DEFAULT ''; --- ALTER TABLE vcard_search DROP CONSTRAINT vcard_search_pkey; --- DROP INDEX i_vcard_search_lfn; --- DROP INDEX i_vcard_search_lfamily; --- DROP INDEX i_vcard_search_lgiven; --- DROP INDEX i_vcard_search_lmiddle; --- DROP INDEX i_vcard_search_lnickname; --- DROP INDEX i_vcard_search_lbday; --- DROP INDEX i_vcard_search_lctry; --- DROP INDEX i_vcard_search_llocality; --- DROP INDEX i_vcard_search_lemail; --- DROP INDEX i_vcard_search_lorgname; --- DROP INDEX i_vcard_search_lorgunit; --- ALTER TABLE vcard_search ADD PRIMARY KEY (server_host, username); --- CREATE INDEX i_vcard_search_sh_lfn ON vcard_search(server_host, lfn); --- CREATE INDEX i_vcard_search_sh_lfamily ON vcard_search(server_host, lfamily); --- CREATE INDEX i_vcard_search_sh_lgiven ON vcard_search(server_host, lgiven); --- CREATE INDEX i_vcard_search_sh_lmiddle ON vcard_search(server_host, lmiddle); --- CREATE INDEX i_vcard_search_sh_lnickname ON vcard_search(server_host, lnickname); --- CREATE INDEX i_vcard_search_sh_lbday ON vcard_search(server_host, lbday); --- CREATE INDEX i_vcard_search_sh_lctry ON vcard_search(server_host, lctry); --- CREATE INDEX i_vcard_search_sh_llocality ON vcard_search(server_host, llocality); --- CREATE INDEX i_vcard_search_sh_lemail ON vcard_search(server_host, lemail); --- CREATE INDEX i_vcard_search_sh_lorgname ON vcard_search(server_host, lorgname); --- CREATE INDEX i_vcard_search_sh_lorgunit ON vcard_search(server_host, lorgunit); --- ALTER TABLE vcard_search ALTER COLUMN server_host DROP DEFAULT; - --- ALTER TABLE privacy_default_list ADD COLUMN server_host text NOT NULL DEFAULT ''; --- ALTER 
TABLE privacy_default_list DROP CONSTRAINT privacy_default_list_pkey; --- ALTER TABLE privacy_default_list ADD PRIMARY KEY (server_host, username); --- ALTER TABLE privacy_default_list ALTER COLUMN server_host DROP DEFAULT; - --- ALTER TABLE privacy_list ADD COLUMN server_host text NOT NULL DEFAULT ''; --- DROP INDEX i_privacy_list_username; --- DROP INDEX i_privacy_list_username_name; --- CREATE INDEX i_privacy_list_sh_username ON privacy_list USING btree (server_host, username); --- CREATE UNIQUE INDEX i_privacy_list_sh_username_name ON privacy_list USING btree (server_host, username, name); --- ALTER TABLE privacy_list ALTER COLUMN server_host DROP DEFAULT; - --- ALTER TABLE private_storage ADD COLUMN server_host text NOT NULL DEFAULT ''; --- DROP INDEX i_private_storage_username; --- DROP INDEX i_private_storage_username_namespace; --- ALTER TABLE private_storage ADD PRIMARY KEY (server_host, username, namespace); --- CREATE INDEX i_private_storage_sh_username ON private_storage USING btree (server_host, username); --- ALTER TABLE private_storage ALTER COLUMN server_host DROP DEFAULT; - --- ALTER TABLE roster_version ADD COLUMN server_host text NOT NULL DEFAULT ''; --- ALTER TABLE roster_version DROP CONSTRAINT roster_version_pkey; --- ALTER TABLE roster_version ADD PRIMARY KEY (server_host, username); --- ALTER TABLE roster_version ALTER COLUMN server_host DROP DEFAULT; - --- ALTER TABLE muc_room ADD COLUMN server_host text NOT NULL DEFAULT ''; --- ALTER TABLE muc_room ALTER COLUMN server_host DROP DEFAULT; - --- ALTER TABLE muc_registered ADD COLUMN server_host text NOT NULL DEFAULT ''; --- ALTER TABLE muc_registered ALTER COLUMN server_host DROP DEFAULT; - --- ALTER TABLE muc_online_room ADD COLUMN server_host text NOT NULL DEFAULT ''; --- ALTER TABLE muc_online_room ALTER COLUMN server_host DROP DEFAULT; - --- ALTER TABLE muc_online_users ADD COLUMN server_host text NOT NULL DEFAULT ''; --- ALTER TABLE muc_online_users ALTER COLUMN server_host DROP DEFAULT; 
- --- ALTER TABLE motd ADD COLUMN server_host text NOT NULL DEFAULT ''; --- ALTER TABLE motd DROP CONSTRAINT motd_pkey; --- ALTER TABLE motd ADD PRIMARY KEY (server_host, username); --- ALTER TABLE motd ALTER COLUMN server_host DROP DEFAULT; - --- ALTER TABLE sm ADD COLUMN server_host text NOT NULL DEFAULT ''; --- DROP INDEX i_sm_sid; --- DROP INDEX i_sm_username; --- ALTER TABLE sm ADD PRIMARY KEY (usec, pid); --- CREATE INDEX i_sm_sh_username ON sm USING btree (server_host, username); --- ALTER TABLE sm ALTER COLUMN server_host DROP DEFAULT; - - -CREATE TABLE users ( - username text NOT NULL, - server_host text NOT NULL, - "password" text NOT NULL, - serverkey text NOT NULL DEFAULT '', - salt text NOT NULL DEFAULT '', - iterationcount integer NOT NULL DEFAULT 0, - created_at TIMESTAMP NOT NULL DEFAULT now(), - PRIMARY KEY (server_host, username) -); - --- Add support for SCRAM auth to a database created before ejabberd 16.03: --- ALTER TABLE users ADD COLUMN serverkey text NOT NULL DEFAULT ''; --- ALTER TABLE users ADD COLUMN salt text NOT NULL DEFAULT ''; --- ALTER TABLE users ADD COLUMN iterationcount integer NOT NULL DEFAULT 0; - -CREATE TABLE last ( - username text NOT NULL, - server_host text NOT NULL, - seconds text NOT NULL, - state text NOT NULL, - PRIMARY KEY (server_host, username) -); - - -CREATE TABLE rosterusers ( - username text NOT NULL, - server_host text NOT NULL, - jid text NOT NULL, - nick text NOT NULL, - subscription character(1) NOT NULL, - ask character(1) NOT NULL, - askmessage text NOT NULL, - server character(1) NOT NULL, - subscribe text NOT NULL, - "type" text, - created_at TIMESTAMP NOT NULL DEFAULT now() -); - -CREATE UNIQUE INDEX i_rosteru_sh_user_jid ON rosterusers USING btree (server_host, username, jid); -CREATE INDEX i_rosteru_sh_username ON rosterusers USING btree (server_host, username); -CREATE INDEX i_rosteru_sh_jid ON rosterusers USING btree (server_host, jid); - - -CREATE TABLE rostergroups ( - username text NOT NULL, - 
server_host text NOT NULL, - jid text NOT NULL, - grp text NOT NULL -); - -CREATE INDEX i_rosterg_sh_user_jid ON rostergroups USING btree (server_host, username, jid); - -CREATE TABLE sr_group ( - name text NOT NULL, - server_host text NOT NULL, - opts text NOT NULL, - created_at TIMESTAMP NOT NULL DEFAULT now(), - PRIMARY KEY (server_host, name) -); - -CREATE TABLE sr_user ( - jid text NOT NULL, - server_host text NOT NULL, - grp text NOT NULL, - created_at TIMESTAMP NOT NULL DEFAULT now(), - PRIMARY KEY (server_host, jid, grp) -); - -CREATE INDEX i_sr_user_sh_jid ON sr_user USING btree (server_host, jid); -CREATE INDEX i_sr_user_sh_grp ON sr_user USING btree (server_host, grp); - -CREATE TABLE spool ( - username text NOT NULL, - server_host text NOT NULL, - xml text NOT NULL, - seq SERIAL, - created_at TIMESTAMP NOT NULL DEFAULT now() -); - -CREATE INDEX i_spool_sh_username ON spool USING btree (server_host, username); - -CREATE TABLE archive ( - username text NOT NULL, - server_host text NOT NULL, - timestamp BIGINT NOT NULL, - peer text NOT NULL, - bare_peer text NOT NULL, - xml text NOT NULL, - txt text, - id SERIAL, - kind text, - nick text, - created_at TIMESTAMP NOT NULL DEFAULT now() -); - -CREATE INDEX i_archive_sh_username_timestamp ON archive USING btree (server_host, username, timestamp); -CREATE INDEX i_archive_sh_username_peer ON archive USING btree (server_host, username, peer); -CREATE INDEX i_archive_sh_username_bare_peer ON archive USING btree (server_host, username, bare_peer); -CREATE INDEX i_archive_sh_timestamp ON archive USING btree (server_host, timestamp); - -CREATE TABLE archive_prefs ( - username text NOT NULL, - server_host text NOT NULL, - def text NOT NULL, - always text NOT NULL, - never text NOT NULL, - created_at TIMESTAMP NOT NULL DEFAULT now(), - PRIMARY KEY (server_host, username) -); - -CREATE TABLE vcard ( - username text NOT NULL, - server_host text NOT NULL, - vcard text NOT NULL, - created_at TIMESTAMP NOT NULL DEFAULT 
now(), - PRIMARY KEY (server_host, username) -); - -CREATE TABLE vcard_search ( - username text NOT NULL, - lusername text NOT NULL, - server_host text NOT NULL, - fn text NOT NULL, - lfn text NOT NULL, - family text NOT NULL, - lfamily text NOT NULL, - given text NOT NULL, - lgiven text NOT NULL, - middle text NOT NULL, - lmiddle text NOT NULL, - nickname text NOT NULL, - lnickname text NOT NULL, - bday text NOT NULL, - lbday text NOT NULL, - ctry text NOT NULL, - lctry text NOT NULL, - locality text NOT NULL, - llocality text NOT NULL, - email text NOT NULL, - lemail text NOT NULL, - orgname text NOT NULL, - lorgname text NOT NULL, - orgunit text NOT NULL, - lorgunit text NOT NULL, - PRIMARY KEY (server_host, username) -); - -CREATE INDEX i_vcard_search_sh_lfn ON vcard_search(server_host, lfn); -CREATE INDEX i_vcard_search_sh_lfamily ON vcard_search(server_host, lfamily); -CREATE INDEX i_vcard_search_sh_lgiven ON vcard_search(server_host, lgiven); -CREATE INDEX i_vcard_search_sh_lmiddle ON vcard_search(server_host, lmiddle); -CREATE INDEX i_vcard_search_sh_lnickname ON vcard_search(server_host, lnickname); -CREATE INDEX i_vcard_search_sh_lbday ON vcard_search(server_host, lbday); -CREATE INDEX i_vcard_search_sh_lctry ON vcard_search(server_host, lctry); -CREATE INDEX i_vcard_search_sh_llocality ON vcard_search(server_host, llocality); -CREATE INDEX i_vcard_search_sh_lemail ON vcard_search(server_host, lemail); -CREATE INDEX i_vcard_search_sh_lorgname ON vcard_search(server_host, lorgname); -CREATE INDEX i_vcard_search_sh_lorgunit ON vcard_search(server_host, lorgunit); - -CREATE TABLE privacy_default_list ( - username text NOT NULL, - server_host text NOT NULL, - name text NOT NULL, - PRIMARY KEY (server_host, username) -); - -CREATE TABLE privacy_list ( - username text NOT NULL, - server_host text NOT NULL, - name text NOT NULL, - id SERIAL UNIQUE, - created_at TIMESTAMP NOT NULL DEFAULT now() -); - -CREATE INDEX i_privacy_list_sh_username ON privacy_list USING 
btree (server_host, username); -CREATE UNIQUE INDEX i_privacy_list_sh_username_name ON privacy_list USING btree (server_host, username, name); - -CREATE TABLE privacy_list_data ( - id bigint REFERENCES privacy_list(id) ON DELETE CASCADE, - t character(1) NOT NULL, - value text NOT NULL, - action character(1) NOT NULL, - ord NUMERIC NOT NULL, - match_all boolean NOT NULL, - match_iq boolean NOT NULL, - match_message boolean NOT NULL, - match_presence_in boolean NOT NULL, - match_presence_out boolean NOT NULL -); - -CREATE INDEX i_privacy_list_data_id ON privacy_list_data USING btree (id); - -CREATE TABLE private_storage ( - username text NOT NULL, - server_host text NOT NULL, - namespace text NOT NULL, - data text NOT NULL, - created_at TIMESTAMP NOT NULL DEFAULT now(), - PRIMARY KEY (server_host, username, namespace) -); - -CREATE INDEX i_private_storage_sh_username ON private_storage USING btree (server_host, username); - - -CREATE TABLE roster_version ( - username text NOT NULL, - server_host text NOT NULL, - version text NOT NULL, - PRIMARY KEY (server_host, username) -); - --- To update from 0.9.8: --- CREATE SEQUENCE spool_seq_seq; --- ALTER TABLE spool ADD COLUMN seq integer; --- ALTER TABLE spool ALTER COLUMN seq SET DEFAULT nextval('spool_seq_seq'); --- UPDATE spool SET seq = DEFAULT; --- ALTER TABLE spool ALTER COLUMN seq SET NOT NULL; - --- To update from 1.x: --- ALTER TABLE rosterusers ADD COLUMN askmessage text; --- UPDATE rosterusers SET askmessage = ''; --- ALTER TABLE rosterusers ALTER COLUMN askmessage SET NOT NULL; - -CREATE TABLE pubsub_node ( - host text NOT NULL, - node text NOT NULL, - parent text NOT NULL DEFAULT '', - plugin text NOT NULL, - nodeid SERIAL UNIQUE -); -CREATE INDEX i_pubsub_node_parent ON pubsub_node USING btree (parent); -CREATE UNIQUE INDEX i_pubsub_node_tuple ON pubsub_node USING btree (host, node); - -CREATE TABLE pubsub_node_option ( - nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE, - name text NOT NULL, - 
val text NOT NULL -); -CREATE INDEX i_pubsub_node_option_nodeid ON pubsub_node_option USING btree (nodeid); - -CREATE TABLE pubsub_node_owner ( - nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE, - owner text NOT NULL -); -CREATE INDEX i_pubsub_node_owner_nodeid ON pubsub_node_owner USING btree (nodeid); - -CREATE TABLE pubsub_state ( - nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE, - jid text NOT NULL, - affiliation character(1), - subscriptions text NOT NULL DEFAULT '', - stateid SERIAL UNIQUE -); -CREATE INDEX i_pubsub_state_jid ON pubsub_state USING btree (jid); -CREATE UNIQUE INDEX i_pubsub_state_tuple ON pubsub_state USING btree (nodeid, jid); - -CREATE TABLE pubsub_item ( - nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE, - itemid text NOT NULL, - publisher text NOT NULL, - creation varchar(32) NOT NULL, - modification varchar(32) NOT NULL, - payload text NOT NULL DEFAULT '' -); -CREATE INDEX i_pubsub_item_itemid ON pubsub_item USING btree (itemid); -CREATE UNIQUE INDEX i_pubsub_item_tuple ON pubsub_item USING btree (nodeid, itemid); - -CREATE TABLE pubsub_subscription_opt ( - subid text NOT NULL, - opt_name varchar(32), - opt_value text NOT NULL -); -CREATE UNIQUE INDEX i_pubsub_subscription_opt ON pubsub_subscription_opt USING btree (subid, opt_name); - -CREATE TABLE muc_room ( - name text NOT NULL, - host text NOT NULL, - server_host text NOT NULL, - opts text NOT NULL, - created_at TIMESTAMP NOT NULL DEFAULT now() -); - -CREATE UNIQUE INDEX i_muc_room_name_host ON muc_room USING btree (name, host); - -CREATE TABLE muc_registered ( - jid text NOT NULL, - host text NOT NULL, - server_host text NOT NULL, - nick text NOT NULL, - created_at TIMESTAMP NOT NULL DEFAULT now() -); - -CREATE INDEX i_muc_registered_nick ON muc_registered USING btree (nick); -CREATE UNIQUE INDEX i_muc_registered_jid_host ON muc_registered USING btree (jid, host); - -CREATE TABLE muc_online_room ( - name text NOT NULL, - host text NOT 
NULL, - server_host text NOT NULL, - node text NOT NULL, - pid text NOT NULL -); - -CREATE UNIQUE INDEX i_muc_online_room_name_host ON muc_online_room USING btree (name, host); - -CREATE TABLE muc_online_users ( - username text NOT NULL, - server text NOT NULL, - resource text NOT NULL, - name text NOT NULL, - host text NOT NULL, - server_host text NOT NULL, - node text NOT NULL -); - -CREATE UNIQUE INDEX i_muc_online_users ON muc_online_users USING btree (username, server, resource, name, host); -CREATE INDEX i_muc_online_users_us ON muc_online_users USING btree (username, server); - -CREATE TABLE muc_room_subscribers ( - room text NOT NULL, - host text NOT NULL, - jid text NOT NULL, - nick text NOT NULL, - nodes text NOT NULL, - created_at TIMESTAMP NOT NULL DEFAULT now() -); - -CREATE INDEX i_muc_room_subscribers_host_jid ON muc_room_subscribers USING btree (host, jid); -CREATE UNIQUE INDEX i_muc_room_subscribers_host_room_jid ON muc_room_subscribers USING btree (host, room, jid); - -CREATE TABLE motd ( - username text NOT NULL, - server_host text NOT NULL, - xml text, - created_at TIMESTAMP NOT NULL DEFAULT now(), - PRIMARY KEY (server_host, username) -); - -CREATE TABLE caps_features ( - node text NOT NULL, - subnode text NOT NULL, - feature text, - created_at TIMESTAMP NOT NULL DEFAULT now() -); - -CREATE INDEX i_caps_features_node_subnode ON caps_features USING btree (node, subnode); - -CREATE TABLE sm ( - usec bigint NOT NULL, - pid text NOT NULL, - node text NOT NULL, - username text NOT NULL, - server_host text NOT NULL, - resource text NOT NULL, - priority text NOT NULL, - info text NOT NULL, - PRIMARY KEY (usec, pid) -); - -CREATE INDEX i_sm_node ON sm USING btree (node); -CREATE INDEX i_sm_sh_username ON sm USING btree (server_host, username); - -CREATE TABLE oauth_token ( - token text NOT NULL, - jid text NOT NULL, - scope text NOT NULL, - expire bigint NOT NULL -); - -CREATE UNIQUE INDEX i_oauth_token_token ON oauth_token USING btree (token); - 
-CREATE TABLE route ( - domain text NOT NULL, - server_host text NOT NULL, - node text NOT NULL, - pid text NOT NULL, - local_hint text NOT NULL -); - -CREATE UNIQUE INDEX i_route ON route USING btree (domain, server_host, node, pid); -CREATE INDEX i_route_domain ON route USING btree (domain); - -CREATE TABLE bosh ( - sid text NOT NULL, - node text NOT NULL, - pid text NOT NULL -); - -CREATE UNIQUE INDEX i_bosh_sid ON bosh USING btree (sid); - -CREATE TABLE proxy65 ( - sid text NOT NULL, - pid_t text NOT NULL, - pid_i text NOT NULL, - node_t text NOT NULL, - node_i text NOT NULL, - jid_i text NOT NULL -); - -CREATE UNIQUE INDEX i_proxy65_sid ON proxy65 USING btree (sid); -CREATE INDEX i_proxy65_jid ON proxy65 USING btree (jid_i); - -CREATE TABLE push_session ( - username text NOT NULL, - server_host text NOT NULL, - timestamp bigint NOT NULL, - service text NOT NULL, - node text NOT NULL, - xml text NOT NULL, - PRIMARY KEY (server_host, username, timestamp) -); - -CREATE UNIQUE INDEX i_push_session_susn ON push_session USING btree (server_host, username, service, node); - -CREATE TABLE mix_channel ( - channel text NOT NULL, - service text NOT NULL, - username text NOT NULL, - domain text NOT NULL, - jid text NOT NULL, - hidden boolean NOT NULL, - hmac_key text NOT NULL, - created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP -); - -CREATE UNIQUE INDEX i_mix_channel ON mix_channel (channel, service); -CREATE INDEX i_mix_channel_serv ON mix_channel (service); - -CREATE TABLE mix_participant ( - channel text NOT NULL, - service text NOT NULL, - username text NOT NULL, - domain text NOT NULL, - jid text NOT NULL, - id text NOT NULL, - nick text NOT NULL, - created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP -); - -CREATE UNIQUE INDEX i_mix_participant ON mix_participant (channel, service, username, domain); -CREATE INDEX i_mix_participant_chan_serv ON mix_participant (channel, service); - -CREATE TABLE mix_subscription ( - channel text NOT NULL, - service text 
NOT NULL,
- username text NOT NULL,
- domain text NOT NULL,
- node text NOT NULL,
- jid text NOT NULL
-);
-
-CREATE UNIQUE INDEX i_mix_subscription ON mix_subscription (channel, service, username, domain, node);
-CREATE INDEX i_mix_subscription_chan_serv_ud ON mix_subscription (channel, service, username, domain);
-CREATE INDEX i_mix_subscription_chan_serv_node ON mix_subscription (channel, service, node);
-CREATE INDEX i_mix_subscription_chan_serv ON mix_subscription (channel, service);
-
-CREATE TABLE mix_pam (
- username text NOT NULL,
- server_host text NOT NULL,
- channel text NOT NULL,
- service text NOT NULL,
- id text NOT NULL,
- created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
-);
-
-CREATE UNIQUE INDEX i_mix_pam ON mix_pam (username, server_host, channel, service);
-CREATE INDEX i_mix_pam_us ON mix_pam (username, server_host);
-
-CREATE TABLE mqtt_pub (
- username text NOT NULL,
- server_host text NOT NULL,
- resource text NOT NULL,
- topic text NOT NULL,
- qos smallint NOT NULL,
- payload bytea NOT NULL,
- payload_format smallint NOT NULL,
- content_type text NOT NULL,
- response_topic text NOT NULL,
- correlation_data bytea NOT NULL,
- user_properties bytea NOT NULL,
- expiry bigint NOT NULL
-);
-
-CREATE UNIQUE INDEX i_mqtt_topic_server ON mqtt_pub (topic, server_host);
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
index 2611fab..8fc9e10 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@@ -26,8 +26,8 @@ include_recipe "kosmos-postgresql"
-cookbook_file "#{Chef::Config[:file_cache_path]}/pg.new.sql" do
- source "pg.new.sql"
+cookbook_file "#{Chef::Config[:file_cache_path]}/pg.sql" do
+ source "pg.sql"
mode "0664"
end
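Review bot: `source "pg.sql"` points at a cookbook file that this commit does not add — its diffstat lists only the pg.new.sql deletion and recipes/default.rb — so a Chef run at this revision fails on the `cookbook_file` resource until files/pg.sql exists, which appears to arrive only in a later commit of the series. Adding the schema in the same commit that starts referencing it (or keeping pg.new.sql until then) keeps every revision converge-able, which matters for bisecting. The `cookbook_file` resource starts and ends inside the hunk; `include_recipe` above it is context.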
@@ -57,12 +57,24 @@ end
postgresql_database 'ejabberd' do
owner 'ejabberd'
action :create
- notifies :run, "execute[create db schema]", :delayed
+ notifies :run, "execute[create db schema ejabberd]", :delayed
end
-execute "create db schema" do
+postgresql_database 'ejabberd_5apps' do
+ owner 'ejabberd'
+ action :create
+ notifies :run, "execute[create db schema ejabberd_5apps]", :delayed
+end
+
+execute "create db schema ejabberd" do
user "ejabberd"
- command "psql ejabberd < #{Chef::Config[:file_cache_path]}/pg.new.sql"
+ command "psql ejabberd < #{Chef::Config[:file_cache_path]}/pg.sql"
+ action :nothing
+end
+
+execute "create db schema ejabberd_5apps" do
+ user "ejabberd"
+ command "psql ejabberd_5apps < #{Chef::Config[:file_cache_path]}/pg.sql"
action :nothing
end
From 0be63e59357fc0f64cdfd5073641bc9936194cc6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 14 May 2019 11:31:42 +0200
Subject: [PATCH 13/22] Fix the config file when no TLS certs exist
---
.../kosmos-ejabberd/templates/ejabberd.yml.erb | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
index 2632bdb..7671a07 100644
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
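Review bot: Both `command "psql … < …/pg.sql"` lines load the schema without `-v ON_ERROR_STOP=1`, and psql still exits 0 when individual statements in a redirected script fail, so a half-applied schema is reported to Chef as success; because the two execute resources are `action :nothing` and fire only from the database-create notification, the failure would never be retried. `command "psql -v ON_ERROR_STOP=1 ejabberd < #{Chef::Config[:file_cache_path]}/pg.sql"` (and the same for `ejabberd_5apps`) makes the resource fail loudly on the first error. The two `postgresql_database`/`execute` pairs are otherwise identical and could be generated from one `%w[ejabberd ejabberd_5apps].each` loop, though that is a style choice rather than a defect.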
@@ -24,19 +24,18 @@ host_config:
sql_username: "ejabberd"
sql_password: "<%= @pgsql_password %>"
+<% if (File.exist?("/opt/ejabberd/conf/kosmos.org.crt") && File.exist?("/opt/ejabberd/conf/kosmos.org.key")) ||
+ (File.exist?("/opt/ejabberd/conf/5apps.com.crt") && File.exist?("/opt/ejabberd/conf/5apps.com.key")) -%>
certfiles:
-<% if File.exist?("/opt/ejabberd/conf/kosmos.org.crt") -%>
+<% if File.exist?("/opt/ejabberd/conf/kosmos.org.crt") && File.exist?("/opt/ejabberd/conf/kosmos.org.key") -%>
- "/opt/ejabberd/conf/kosmos.org.crt"
-<% end -%>
-<% if File.exist?("/opt/ejabberd/conf/kosmos.org.key") -%>
- "/opt/ejabberd/conf/kosmos.org.key"
<% end -%>
-<% if File.exist?("/opt/ejabberd/conf/5apps.com.crt") -%>
+<% if File.exist?("/opt/ejabberd/conf/5apps.com.crt") && File.exist?("/opt/ejabberd/conf/5apps.com.key") -%>
- "/opt/ejabberd/conf/5apps.com.crt"
-<% end -%>
-<% if File.exist?("/opt/ejabberd/conf/5apps.com.key") -%>
- "/opt/ejabberd/conf/5apps.com.key"
<% end -%>
+<% end -%>
ca_file: "/opt/ejabberd/conf/cacert.pem"
From 44faa1a8dfb75614d4762c5936e3657730073e8c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 14 May 2019 11:40:21 +0200
Subject: [PATCH 14/22] Change the PostgreSQL password for the ejabberd user
---
data_bags/credentials/postgresql.json | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/data_bags/credentials/postgresql.json b/data_bags/credentials/postgresql.json
index d05711a..886b65a 100644
--- a/data_bags/credentials/postgresql.json
+++ b/data_bags/credentials/postgresql.json
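Review bot: The crt-and-key pair check is now spelled out three times — once in the outer guard for both vhosts and once per vhost — so adding a third domain means editing three conditions in step, and the outer `||` line already wraps awkwardly. Computing the list of vhosts with a complete pair once at the top of the template and iterating over it keeps a single source of truth, as sketched below. Worth a comment on that line too: `File.exist?` is evaluated when Chef renders the template on the node, so a cert that certbot issues later only appears in `certfiles` on the next Chef run (the renewal hook's `reload_config` re-reads the file as rendered), unless something outside this hunk re-renders it. The enclosing `host_config:` mapping starts before the hunk.

```erb
<% tls_domains = %w[kosmos.org 5apps.com].select do |d|
     File.exist?("/opt/ejabberd/conf/#{d}.crt") && File.exist?("/opt/ejabberd/conf/#{d}.key")
   end -%>
<% unless tls_domains.empty? -%>
  certfiles:
<% tls_domains.each do |d| -%>
    - "/opt/ejabberd/conf/<%= d %>.crt"
    - "/opt/ejabberd/conf/<%= d %>.key"
<% end -%>
<% end -%>
  ca_file: "/opt/ejabberd/conf/cacert.pem"
```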
@@ -1,23 +1,23 @@
{
"id": "postgresql",
"ejabberd_user_password": {
- "encrypted_data": "OTwgFCOLHgoFLsdcHs1U04sJf7ZzVepeDwlNmPMtO8FtyzpfySY9\n",
- "iv": "k9wX2WEsJyJn+OYs\n",
- "auth_tag": "fL/HNcno/MuWE+yQOFCC3g==\n",
+ "encrypted_data": "s31aNIv9ZTlU8cVXMDUB79Iv+EozZS1NSZVU5ey9xpBf2WYohpSqni/5Wg==\n",
+ "iv": "a3LWKNYmUZfSMc1Y\n",
+ "auth_tag": "3P+WFcDw/R1d983g7YoFUw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"server_password": {
- "encrypted_data": "4Y87daXYAxzfYxRIkR8b+DLOp4+dYJnc91hN22iWmOfO3umv8wZU\n",
- "iv": "LDeMAKUEIq9oe2Zu\n",
- "auth_tag": "uVaRO+t/KSFebrEB6wp+yQ==\n",
+ "encrypted_data": "w7zghEF+DjUhS59cze+qviqDcy8mQpIgW6olHabas1IH4t0z+IQ7\n",
+ "iv": "ppqOzJGczWtwGRnX\n",
+ "auth_tag": "2Lhqw7Rhm35HcltsDtaJIw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"mastodon_user_password": {
- "encrypted_data": "s/XxLUwjZsJ/XidEVi50oePBR4OQ0z/3czs9uOcw1fA1c6qqEzb98iHXpw==\n",
- "iv": "pKvwLeC05f7P+cke\n",
- "auth_tag": "/yHUD+RSCMhLhrnQJAZqrw==\n",
+ "encrypted_data": "84UPPmtNh/5MH6u4svMPhRHBGK1GFnP4G2tk/a+wQLNxSB8FlDsTuqSC2A==\n",
+ "iv": "UBl2ILWCc2WKcN6d\n",
+ "auth_tag": "NF/xcK0tmvbBo1dDFhOf7w==\n",
"version": 3,
"cipher": "aes-256-gcm"
}
From 902a013dcafc1847c1fbf2a24d422d022f727cfc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 14 May 2019 12:18:22 +0200
Subject: [PATCH 15/22] Restart the service when the systemd unit changes
---
site-cookbooks/kosmos-ejabberd/recipes/default.rb | 1 +
1 file changed, 1 insertion(+)
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
index 8fc9e10..b7573c8 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@@ -100,6 +100,7 @@ file "/lib/systemd/system/ejabberd.service" do
 content lazy { IO.read("/opt/ejabberd-#{ejabberd_version}/bin/ejabberd.service") }
 action :nothing
 notifies :run, "execute[systemctl daemon-reload]", :immediately
+ notifies :restart, "service[ejabberd]", :delayed
 end
 execute "systemctl daemon-reload" do
From bd9491675f360f287fb6b24243342adceb55f30f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 14 May 2019 15:10:07 +0200
Subject: [PATCH 16/22] Add the missing sql schema
---
 site-cookbooks/kosmos-ejabberd/files/pg.sql | 454 ++++++++++++++++++++
 1 file changed, 454 insertions(+)
 create mode 100644 site-cookbooks/kosmos-ejabberd/files/pg.sql
diff --git a/site-cookbooks/kosmos-ejabberd/files/pg.sql b/site-cookbooks/kosmos-ejabberd/files/pg.sql
new file mode 100644
index 0000000..250a22d
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/files/pg.sql
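Review bot: The restart is keyed on the unit file's content changing, not on the package being upgraded: the `file` resource is only notified by `dpkg_package "ejabberd"` and only fires its own notifications when the copied unit differs, so a new package that ships an identical `ejabberd.service` leaves `service[ejabberd]` running the old binary. Adding `notifies :restart, "service[ejabberd]", :delayed` to the `dpkg_package` resource itself (the PATCH 20/22 hunk further down this page, which adds `version`, is the natural place) covers the upgrade case, and the `:delayed` timing still puts the restart after the immediate daemon-reload. Whether `service[ejabberd]` is declared in this recipe is outside the hunk.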
@@ -0,0 +1,454 @@ +-- +-- ejabberd, Copyright (C) 2002-2019 ProcessOne +-- +-- This program is free software; you can redistribute it and/or +-- modify it under the terms of the GNU General Public License as +-- published by the Free Software Foundation; either version 2 of the +-- License, or (at your option) any later version. +-- +-- This program is distributed in the hope that it will be useful, +-- but WITHOUT ANY WARRANTY; without even the implied warranty of +-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +-- General Public License for more details. +-- +-- You should have received a copy of the GNU General Public License along +-- with this program; if not, write to the Free Software Foundation, Inc., +-- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +-- + +CREATE TABLE users ( + username text PRIMARY KEY, + "password" text NOT NULL, + serverkey text NOT NULL DEFAULT '', + salt text NOT NULL DEFAULT '', + iterationcount integer NOT NULL DEFAULT 0, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +-- Add support for SCRAM auth to a database created before ejabberd 16.03: +-- ALTER TABLE users ADD COLUMN serverkey text NOT NULL DEFAULT ''; +-- ALTER TABLE users ADD COLUMN salt text NOT NULL DEFAULT ''; +-- ALTER TABLE users ADD COLUMN iterationcount integer NOT NULL DEFAULT 0; + +CREATE TABLE last ( + username text PRIMARY KEY, + seconds text NOT NULL, + state text NOT NULL +); + + +CREATE TABLE rosterusers ( + username text NOT NULL, + jid text NOT NULL, + nick text NOT NULL, + subscription character(1) NOT NULL, + ask character(1) NOT NULL, + askmessage text NOT NULL, + server character(1) NOT NULL, + subscribe text NOT NULL, + "type" text, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE UNIQUE INDEX i_rosteru_user_jid ON rosterusers USING btree (username, jid); +CREATE INDEX i_rosteru_username ON rosterusers USING btree (username); +CREATE INDEX i_rosteru_jid ON rosterusers USING btree (jid); + + +CREATE 
TABLE rostergroups ( + username text NOT NULL, + jid text NOT NULL, + grp text NOT NULL +); + +CREATE INDEX pk_rosterg_user_jid ON rostergroups USING btree (username, jid); + +CREATE TABLE sr_group ( + name text NOT NULL, + opts text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE TABLE sr_user ( + jid text NOT NULL, + grp text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE UNIQUE INDEX i_sr_user_jid_grp ON sr_user USING btree (jid, grp); +CREATE INDEX i_sr_user_jid ON sr_user USING btree (jid); +CREATE INDEX i_sr_user_grp ON sr_user USING btree (grp); + +CREATE TABLE spool ( + username text NOT NULL, + xml text NOT NULL, + seq SERIAL, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE INDEX i_despool ON spool USING btree (username); + +CREATE TABLE archive ( + username text NOT NULL, + timestamp BIGINT NOT NULL, + peer text NOT NULL, + bare_peer text NOT NULL, + xml text NOT NULL, + txt text, + id SERIAL, + kind text, + nick text, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE INDEX i_username_timestamp ON archive USING btree (username, timestamp); +CREATE INDEX i_username_peer ON archive USING btree (username, peer); +CREATE INDEX i_username_bare_peer ON archive USING btree (username, bare_peer); +CREATE INDEX i_timestamp ON archive USING btree (timestamp); + +CREATE TABLE archive_prefs ( + username text NOT NULL PRIMARY KEY, + def text NOT NULL, + always text NOT NULL, + never text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE TABLE vcard ( + username text PRIMARY KEY, + vcard text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE TABLE vcard_search ( + username text NOT NULL, + lusername text PRIMARY KEY, + fn text NOT NULL, + lfn text NOT NULL, + family text NOT NULL, + lfamily text NOT NULL, + given text NOT NULL, + lgiven text NOT NULL, + middle text NOT NULL, + lmiddle text NOT NULL, + nickname text NOT NULL, + lnickname text NOT NULL, + bday text 
NOT NULL, + lbday text NOT NULL, + ctry text NOT NULL, + lctry text NOT NULL, + locality text NOT NULL, + llocality text NOT NULL, + email text NOT NULL, + lemail text NOT NULL, + orgname text NOT NULL, + lorgname text NOT NULL, + orgunit text NOT NULL, + lorgunit text NOT NULL +); + +CREATE INDEX i_vcard_search_lfn ON vcard_search(lfn); +CREATE INDEX i_vcard_search_lfamily ON vcard_search(lfamily); +CREATE INDEX i_vcard_search_lgiven ON vcard_search(lgiven); +CREATE INDEX i_vcard_search_lmiddle ON vcard_search(lmiddle); +CREATE INDEX i_vcard_search_lnickname ON vcard_search(lnickname); +CREATE INDEX i_vcard_search_lbday ON vcard_search(lbday); +CREATE INDEX i_vcard_search_lctry ON vcard_search(lctry); +CREATE INDEX i_vcard_search_llocality ON vcard_search(llocality); +CREATE INDEX i_vcard_search_lemail ON vcard_search(lemail); +CREATE INDEX i_vcard_search_lorgname ON vcard_search(lorgname); +CREATE INDEX i_vcard_search_lorgunit ON vcard_search(lorgunit); + +CREATE TABLE privacy_default_list ( + username text PRIMARY KEY, + name text NOT NULL +); + +CREATE TABLE privacy_list ( + username text NOT NULL, + name text NOT NULL, + id SERIAL UNIQUE, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE INDEX i_privacy_list_username ON privacy_list USING btree (username); +CREATE UNIQUE INDEX i_privacy_list_username_name ON privacy_list USING btree (username, name); + +CREATE TABLE privacy_list_data ( + id bigint REFERENCES privacy_list(id) ON DELETE CASCADE, + t character(1) NOT NULL, + value text NOT NULL, + action character(1) NOT NULL, + ord NUMERIC NOT NULL, + match_all boolean NOT NULL, + match_iq boolean NOT NULL, + match_message boolean NOT NULL, + match_presence_in boolean NOT NULL, + match_presence_out boolean NOT NULL +); + +CREATE INDEX i_privacy_list_data_id ON privacy_list_data USING btree (id); + +CREATE TABLE private_storage ( + username text NOT NULL, + namespace text NOT NULL, + data text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now() +); 
+ +CREATE INDEX i_private_storage_username ON private_storage USING btree (username); +CREATE UNIQUE INDEX i_private_storage_username_namespace ON private_storage USING btree (username, namespace); + + +CREATE TABLE roster_version ( + username text PRIMARY KEY, + version text NOT NULL +); + +-- To update from 0.9.8: +-- CREATE SEQUENCE spool_seq_seq; +-- ALTER TABLE spool ADD COLUMN seq integer; +-- ALTER TABLE spool ALTER COLUMN seq SET DEFAULT nextval('spool_seq_seq'); +-- UPDATE spool SET seq = DEFAULT; +-- ALTER TABLE spool ALTER COLUMN seq SET NOT NULL; + +-- To update from 1.x: +-- ALTER TABLE rosterusers ADD COLUMN askmessage text; +-- UPDATE rosterusers SET askmessage = ''; +-- ALTER TABLE rosterusers ALTER COLUMN askmessage SET NOT NULL; + +CREATE TABLE pubsub_node ( + host text NOT NULL, + node text NOT NULL, + parent text NOT NULL DEFAULT '', + plugin text NOT NULL, + nodeid SERIAL UNIQUE +); +CREATE INDEX i_pubsub_node_parent ON pubsub_node USING btree (parent); +CREATE UNIQUE INDEX i_pubsub_node_tuple ON pubsub_node USING btree (host, node); + +CREATE TABLE pubsub_node_option ( + nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE, + name text NOT NULL, + val text NOT NULL +); +CREATE INDEX i_pubsub_node_option_nodeid ON pubsub_node_option USING btree (nodeid); + +CREATE TABLE pubsub_node_owner ( + nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE, + owner text NOT NULL +); +CREATE INDEX i_pubsub_node_owner_nodeid ON pubsub_node_owner USING btree (nodeid); + +CREATE TABLE pubsub_state ( + nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE, + jid text NOT NULL, + affiliation character(1), + subscriptions text NOT NULL DEFAULT '', + stateid SERIAL UNIQUE +); +CREATE INDEX i_pubsub_state_jid ON pubsub_state USING btree (jid); +CREATE UNIQUE INDEX i_pubsub_state_tuple ON pubsub_state USING btree (nodeid, jid); + +CREATE TABLE pubsub_item ( + nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE, + itemid text 
NOT NULL, + publisher text NOT NULL, + creation varchar(32) NOT NULL, + modification varchar(32) NOT NULL, + payload text NOT NULL DEFAULT '' +); +CREATE INDEX i_pubsub_item_itemid ON pubsub_item USING btree (itemid); +CREATE UNIQUE INDEX i_pubsub_item_tuple ON pubsub_item USING btree (nodeid, itemid); + +CREATE TABLE pubsub_subscription_opt ( + subid text NOT NULL, + opt_name varchar(32), + opt_value text NOT NULL +); +CREATE UNIQUE INDEX i_pubsub_subscription_opt ON pubsub_subscription_opt USING btree (subid, opt_name); + +CREATE TABLE muc_room ( + name text NOT NULL, + host text NOT NULL, + opts text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE UNIQUE INDEX i_muc_room_name_host ON muc_room USING btree (name, host); + +CREATE TABLE muc_registered ( + jid text NOT NULL, + host text NOT NULL, + nick text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE INDEX i_muc_registered_nick ON muc_registered USING btree (nick); +CREATE UNIQUE INDEX i_muc_registered_jid_host ON muc_registered USING btree (jid, host); + +CREATE TABLE muc_online_room ( + name text NOT NULL, + host text NOT NULL, + node text NOT NULL, + pid text NOT NULL +); + +CREATE UNIQUE INDEX i_muc_online_room_name_host ON muc_online_room USING btree (name, host); + +CREATE TABLE muc_online_users ( + username text NOT NULL, + server text NOT NULL, + resource text NOT NULL, + name text NOT NULL, + host text NOT NULL, + node text NOT NULL +); + +CREATE UNIQUE INDEX i_muc_online_users ON muc_online_users USING btree (username, server, resource, name, host); +CREATE INDEX i_muc_online_users_us ON muc_online_users USING btree (username, server); + +CREATE TABLE muc_room_subscribers ( + room text NOT NULL, + host text NOT NULL, + jid text NOT NULL, + nick text NOT NULL, + nodes text NOT NULL, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE INDEX i_muc_room_subscribers_host_jid ON muc_room_subscribers USING btree (host, jid); +CREATE UNIQUE INDEX 
i_muc_room_subscribers_host_room_jid ON muc_room_subscribers USING btree (host, room, jid); + +CREATE TABLE motd ( + username text PRIMARY KEY, + xml text, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE TABLE caps_features ( + node text NOT NULL, + subnode text NOT NULL, + feature text, + created_at TIMESTAMP NOT NULL DEFAULT now() +); + +CREATE INDEX i_caps_features_node_subnode ON caps_features USING btree (node, subnode); + +CREATE TABLE sm ( + usec bigint NOT NULL, + pid text NOT NULL, + node text NOT NULL, + username text NOT NULL, + resource text NOT NULL, + priority text NOT NULL, + info text NOT NULL +); + +CREATE UNIQUE INDEX i_sm_sid ON sm USING btree (usec, pid); +CREATE INDEX i_sm_node ON sm USING btree (node); +CREATE INDEX i_sm_username ON sm USING btree (username); + +CREATE TABLE oauth_token ( + token text NOT NULL, + jid text NOT NULL, + scope text NOT NULL, + expire bigint NOT NULL +); + +CREATE UNIQUE INDEX i_oauth_token_token ON oauth_token USING btree (token); + +CREATE TABLE route ( + domain text NOT NULL, + server_host text NOT NULL, + node text NOT NULL, + pid text NOT NULL, + local_hint text NOT NULL +); + +CREATE UNIQUE INDEX i_route ON route USING btree (domain, server_host, node, pid); +CREATE INDEX i_route_domain ON route USING btree (domain); + +CREATE TABLE bosh ( + sid text NOT NULL, + node text NOT NULL, + pid text NOT NULL +); + +CREATE UNIQUE INDEX i_bosh_sid ON bosh USING btree (sid); + +CREATE TABLE proxy65 ( + sid text NOT NULL, + pid_t text NOT NULL, + pid_i text NOT NULL, + node_t text NOT NULL, + node_i text NOT NULL, + jid_i text NOT NULL +); + +CREATE UNIQUE INDEX i_proxy65_sid ON proxy65 USING btree (sid); +CREATE INDEX i_proxy65_jid ON proxy65 USING btree (jid_i); + +CREATE TABLE push_session ( + username text NOT NULL, + timestamp bigint NOT NULL, + service text NOT NULL, + node text NOT NULL, + xml text NOT NULL +); + +CREATE UNIQUE INDEX i_push_usn ON push_session USING btree (username, service, node); 
+CREATE UNIQUE INDEX i_push_ut ON push_session USING btree (username, timestamp); + +CREATE TABLE mix_channel ( + channel text NOT NULL, + service text NOT NULL, + username text NOT NULL, + domain text NOT NULL, + jid text NOT NULL, + hidden boolean NOT NULL, + hmac_key text NOT NULL, + created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP +); + +CREATE UNIQUE INDEX i_mix_channel ON mix_channel (channel, service); +CREATE INDEX i_mix_channel_serv ON mix_channel (service); + +CREATE TABLE mix_participant ( + channel text NOT NULL, + service text NOT NULL, + username text NOT NULL, + domain text NOT NULL, + jid text NOT NULL, + id text NOT NULL, + nick text NOT NULL, + created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP +); + +CREATE UNIQUE INDEX i_mix_participant ON mix_participant (channel, service, username, domain); +CREATE INDEX i_mix_participant_chan_serv ON mix_participant (channel, service); + +CREATE TABLE mix_subscription ( + channel text NOT NULL, + service text NOT NULL, + username text NOT NULL, + domain text NOT NULL, + node text NOT NULL, + jid text NOT NULL +); + +CREATE UNIQUE INDEX i_mix_subscription ON mix_subscription (channel, service, username, domain, node); +CREATE INDEX i_mix_subscription_chan_serv_ud ON mix_subscription (channel, service, username, domain); +CREATE INDEX i_mix_subscription_chan_serv_node ON mix_subscription (channel, service, node); +CREATE INDEX i_mix_subscription_chan_serv ON mix_subscription (channel, service); + +CREATE TABLE mix_pam ( + username text NOT NULL, + channel text NOT NULL, + service text NOT NULL, + id text NOT NULL, + created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP +); + +CREATE UNIQUE INDEX i_mix_pam ON mix_pam (username, channel, service); +CREATE INDEX i_mix_pam_us ON mix_pam (username); From f81b7c82dea1be540cecfe8214294a7a7c80c1a8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 14 May 2019 15:16:28 +0200
Subject: [PATCH 17/22] Backup the 5apps ejabberd database and uploads dir
---
 site-cookbooks/kosmos-ejabberd/recipes/backup.rb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/backup.rb b/site-cookbooks/kosmos-ejabberd/recipes/backup.rb
index f1d5c0f..2be4e78 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/backup.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/backup.rb
@@ -26,10 +26,14 @@
 unless node.chef_environment == "development"
 # backup the data dir and the config files
- node.override["backup"]["archives"]["ejabberd"] = ["/opt/ejabberd", "/var/www/xmpp.kosmos.org"]
+ node.override["backup"]["archives"]["ejabberd"] = ["/opt/ejabberd", "/var/www/xmpp.kosmos.org", "/var/www/xmpp.5apps.com"]
 unless node["backup"]["postgresql"]["databases"].include? "ejabberd"
 node.override["backup"]["postgresql"]["databases"] =
 node["backup"]["postgresql"]["databases"].to_a << "ejabberd"
 end
+ unless node["backup"]["postgresql"]["databases"].include? "ejabberd_5apps"
+ node.override["backup"]["postgresql"]["databases"] =
+ node["backup"]["postgresql"]["databases"].to_a << "ejabberd_5apps"
+ end
 include_recipe "backup"
 end
From c9547582b78536d4cbc55ad2f5c694cd2266ce03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 14 May 2019 15:18:05 +0200
Subject: [PATCH 18/22] Add a role for the ejabberd server
Includes the backup, letsencrypt and default recipe
---
 roles/ejabberd.rb | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 roles/ejabberd.rb
diff --git a/roles/ejabberd.rb b/roles/ejabberd.rb
new file mode 100644
index 0000000..e126017
--- /dev/null
+++ b/roles/ejabberd.rb
@@ -0,0 +1,7 @@
+name "ejabberd"
+
+run_list %w(
+ kosmos-ejabberd::default
+ kosmos-ejabberd::letsencrypt
+ kosmos-ejabberd::backup
+)
From d398c167caf9425163cdd89b1641a1898494757f Mon Sep 17 00:00:00 2001
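Review bot: The run_list orders `kosmos-ejabberd::default` before `kosmos-ejabberd::letsencrypt`, and the `ejabberd.yml.erb` hunk earlier on this page only lists `certfiles` whose .crt and .key already exist when the template is rendered; if the letsencrypt recipe is what produces those files, a fresh node's first converge renders a configuration without them and only a later run picks them up. If that ordering is deliberate (the package has to be installed before anything can be provisioned for it), a comment in the role would save the next reader the same question, e.g. `# order matters: ejabberd.yml.erb only lists certfiles that already exist when default renders it`. Which recipe writes the certificate files is not visible on this page.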
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 14 May 2019 16:39:21 +0200
Subject: [PATCH 19/22] Allow to pass extra attributes to backup PostgreSQL databases
---
 site-cookbooks/backup/attributes/default.rb | 3 ++-
 .../backup/templates/default/backup.rb.erb | 9 +++++++--
 .../kosmos-ejabberd/recipes/backup.rb | 18 ++++++++++++------
 .../kosmos-mastodon/recipes/default.rb | 16 +++++-----------
 4 files changed, 26 insertions(+), 20 deletions(-)
diff --git a/site-cookbooks/backup/attributes/default.rb b/site-cookbooks/backup/attributes/default.rb
index 0d9fd55..4ce200a 100644
--- a/site-cookbooks/backup/attributes/default.rb
+++ b/site-cookbooks/backup/attributes/default.rb
@@ -27,7 +27,8 @@ default["backup"]["mysql"]["username"] = "root"
 default["backup"]["mysql"]["host"] = "localhost"
 # PostgreSQL default settings
-default["backup"]["postgresql"]["databases"] = []
+default["backup"]["postgresql"]["databases"] = {}
+default["backup"]["postgresql"]["username"] = "postgres"
 default["backup"]["postgresql"]["host"] = "localhost"
 default["backup"]["postgresql"]["port"] = 5432
diff --git a/site-cookbooks/backup/templates/default/backup.rb.erb b/site-cookbooks/backup/templates/default/backup.rb.erb
index d844c20..5267f07 100644
--- a/site-cookbooks/backup/templates/default/backup.rb.erb
+++ b/site-cookbooks/backup/templates/default/backup.rb.erb
@@ -17,9 +17,14 @@ KosmosBackup.new(:default, 'default backup') do
 <%- end -%>
 <%- if node["backup"]["postgresql"] -%>
-<%- node["backup"]["postgresql"]["databases"].each do |db_name| -%>
- database PostgreSQL, :"<%= db_name.to_sym %>" do |db|
+<%- node["backup"]["postgresql"]["databases"].each do |db_name, h| -%>
+ database PostgreSQL, :"<%= db_name %>" do |db|
 db.name = "<%= db_name %>"
+ <%- unless h.nil? -%>
+ <%- h.each do |k, v| -%>
+ db.<%= k %> = "<%= v %>"
+ <%- end -%>
+ <%- end -%>
 end
 <%- end -%>
 <%- end -%>
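Review bot: `databases` silently changes shape from an Array to a Hash with no comment describing the new contract, and any consumer still appending to it as an array (the `.to_a << name` pattern the pre-change recipes on this page use) now produces a value the template's `each do |db_name, h|` will not iterate as intended; the two recipes in this commit are migrated, but other cookbooks, roles or environments that set this attribute are not visible here. A comment above the assignment would pin it down: `# database name => optional hash of PostgreSQL settings (e.g. username, password) that backup.rb.erb assigns onto the database object; an empty hash means defaults`. The new `username` default of `"postgres"` is only meaningful if the template still reads it for databases without their own hash, which this hunk does not show.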
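Review bot: `db.<%= k %> = "<%= v %>"` splices the attribute value into generated Ruby source inside double quotes without escaping, so a password containing `"`, `\` or `#{` either breaks the rendered backup.rb with a syntax error or yields a different value than the one in the data bag; `db.<%= k %> = <%= v.inspect %>` emits a correctly quoted literal for string values. `k` likewise becomes a method name in the generated code, which is acceptable while the hash only comes from recipes, but a comment should say so: `<%# k/v come from node attributes set by recipes; k is used as a setting name on the database object %>`. Since the rendered file now carries database passwords in plaintext, the owner and mode of the template resource (outside this hunk) need to be restrictive — worth confirming.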
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/backup.rb b/site-cookbooks/kosmos-ejabberd/recipes/backup.rb
index 2be4e78..57fb43a 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/backup.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/backup.rb
@@ -24,16 +24,22 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 # THE SOFTWARE.
+postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
+
 unless node.chef_environment == "development"
 # backup the data dir and the config files
 node.override["backup"]["archives"]["ejabberd"] = ["/opt/ejabberd", "/var/www/xmpp.kosmos.org", "/var/www/xmpp.5apps.com"]
- unless node["backup"]["postgresql"]["databases"].include? "ejabberd"
- node.override["backup"]["postgresql"]["databases"] =
- node["backup"]["postgresql"]["databases"].to_a << "ejabberd"
+ unless node["backup"]["postgresql"]["databases"].keys.include? "ejabberd"
+ node.override["backup"]["postgresql"]["databases"]["ejabberd"] = {
+ username: "ejabberd",
+ password: postgresql_data_bag_item['ejabberd_user_password']
+ }
 end
- unless node["backup"]["postgresql"]["databases"].include? "ejabberd_5apps"
- node.override["backup"]["postgresql"]["databases"] =
- node["backup"]["postgresql"]["databases"].to_a << "ejabberd_5apps"
+ unless node["backup"]["postgresql"]["databases"].keys.include? "ejabberd_5apps"
+ node.override["backup"]["postgresql"]["databases"]["ejabberd_5apps"] = {
+ username: "ejabberd",
+ password: postgresql_data_bag_item['ejabberd_user_password']
+ }
 end
 include_recipe "backup"
 end
diff --git a/site-cookbooks/kosmos-mastodon/recipes/default.rb b/site-cookbooks/kosmos-mastodon/recipes/default.rb
index a9c866f..99bd11d 100644
--- a/site-cookbooks/kosmos-mastodon/recipes/default.rb
+++ b/site-cookbooks/kosmos-mastodon/recipes/default.rb
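Review bot: The data bag password is written into `node.override[...]["databases"][...][:password]`, and override attributes are included in the node object Chef saves to the server at the end of the run, so the ejabberd database password becomes readable to anything that can read the node — the last hunk on this page removes a plaintext PostgreSQL password from `nodes/andromeda.kosmos.org.json` for the same class of reason, and the mastodon hunk in this commit follows the same pattern. Handing the credentials to the backup template without routing them through node attributes (reading the data bag in the backup recipe or template) would keep them out of the saved node; failing that, a comment should state that the password lands in the node object. Separately, the two `unless` blocks are identical apart from the database name, and `data_bag_item` is evaluated even on development nodes where the result is unused, so a loop inside the guard removes both duplications.
```ruby
unless node.chef_environment == "development"
  postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
  # … unchanged: archives override …
  # NOTE: override attributes are saved with the node object, so this
  # password is readable by anything allowed to read the node.
  %w[ejabberd ejabberd_5apps].each do |db_name|
    next if node["backup"]["postgresql"]["databases"].keys.include?(db_name)

    node.override["backup"]["postgresql"]["databases"][db_name] = {
      username: "ejabberd",
      password: postgresql_data_bag_item['ejabberd_user_password']
    }
  end
  # … unchanged: include_recipe "backup" …
end
```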
@@ -209,17 +209,11 @@ end # unless node.chef_environment == "development"
- node.override["backup"]["postgresql"]["host"] = "localhost"
- unless platform?('ubuntu') && node[:platform_version].to_f < 18.04
- node.override["backup"]["postgresql"]["username"] = "mastodon"
- node.override["backup"]["postgresql"]["password"] = postgresql_data_bag_item['mastodon_user_password']
- else
- node.override["backup"]["postgresql"]["username"] = "postgres"
- node.override["backup"]["postgresql"]["password"] = node['postgresql']['password']['postgres']
- end
- unless node["backup"]["postgresql"]["databases"].include? 'mastodon'
- node.override["backup"]["postgresql"]["databases"] =
- node["backup"]["postgresql"]["databases"].to_a << "mastodon"
+ unless node["backup"]["postgresql"]["databases"].keys.include? 'mastodon'
+ node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
+ username: "mastodon",
+ password: postgresql_data_bag_item['mastodon_user_password']
+ }
 end
 include_recipe "backup"
From 5106ba20fd6fca168e57b1c2b59c701277b80f58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 14 May 2019 17:10:15 +0200
Subject: [PATCH 20/22] Add the version to the dpkg package to allow updates
---
 site-cookbooks/kosmos-ejabberd/recipes/default.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
index b7573c8..37bdf96 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@@ -43,6 +43,7 @@ end
 dpkg_package "ejabberd" do
 source package_path
+ version "#{ejabberd_version}-0"
 action :nothing
 notifies :create, "file[/lib/systemd/system/ejabberd.service]", :immediately
 end
From 4cc5f3e6d14ab9aa23cf87dbd98fca7aa8a45871 Mon Sep 17 00:00:00 2001
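Review bot: The removed branch used the `postgres` superuser on Ubuntu releases older than 18.04, while the new code unconditionally backs up as `mastodon` with the data-bag password; on any node still on an older release the backup now depends on that role having the needed grants, and the commit message does not mention the dropped platform distinction. If no such node remains, one sentence in the description settles it; otherwise the platform branch has to come back inside the hash. Minor: `'mastodon'` is single-quoted where the neighbouring strings are double-quoted. The node-attribute exposure of the password raised on the ejabberd backup hunk applies equally here.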
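Review bot: The Debian revision is hard-coded as `-0`, and `dpkg_package` uses this string against the installed version to decide whether to (re)install, so a package built with any other revision would never be considered current and the resource would reinstall on every notification; a comment pins the assumption: `# dpkg_package reinstalls when the installed version differs from this string; the -0 revision must match the downloaded .deb`. As noted on the PATCH 15/22 hunk, an upgrade through this resource only restarts the service when the unit file content changes, so `notifies :restart, "service[ejabberd]", :delayed` belongs here too.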
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 14 May 2019 17:10:33 +0200
Subject: [PATCH 21/22] Remove the XMPP firewall rules for andromeda
They are part of the kosmos-ejabberd cookbook now
---
 site-cookbooks/kosmos-base/recipes/andromeda_firewall.rb | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/site-cookbooks/kosmos-base/recipes/andromeda_firewall.rb b/site-cookbooks/kosmos-base/recipes/andromeda_firewall.rb
index 44db935..4bdfc20 100644
--- a/site-cookbooks/kosmos-base/recipes/andromeda_firewall.rb
+++ b/site-cookbooks/kosmos-base/recipes/andromeda_firewall.rb
@@ -26,12 +26,6 @@
 # Temporary extra rules for Andromeda
-firewall_rule 'ejabberd' do
- port [5222, 5223, 5269, 5280, 5443]
- protocol :tcp
- command :allow
-end
-
 firewall_rule 'bitcoind' do
 port [8333, 8334, 8335]
 protocol :tcp
From 63f9c3163285fb0a6f427264baca19e120f7c0b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 14 May 2019 17:11:18 +0200
Subject: [PATCH 22/22] Add the ejabberd role to andromeda
---
 nodes/andromeda.kosmos.org.json | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/nodes/andromeda.kosmos.org.json b/nodes/andromeda.kosmos.org.json
index 6645f82..7f3025d 100644
--- a/nodes/andromeda.kosmos.org.json
+++ b/nodes/andromeda.kosmos.org.json
@@ -4,20 +4,13 @@
 "kosmos-base::andromeda_firewall",
 "role[ipfs_cluster_with_tls]",
 "kosmos-postgresql",
- "kosmos-ejabberd::backup",
 "kosmos-mediawiki",
 "sockethub",
 "sockethub::proxy",
 "kosmos-btcpayserver::proxy",
- "role[mastodon]"
+ "role[mastodon]",
+ "role[ejabberd]"
 ],
- "normal": {
- "postgresql": {
- "password": {
- "postgres": "iezah7ochae9uizu1Isha2Chuok8ra"
- }
- }
- },
 "automatic": {
 "ipaddress": "andromeda.kosmos.org"
 }
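Review bot: Deleting the `normal.postgresql.password.postgres` value from the node file removes it from the working tree but not from the repository history, so the plaintext value in the removed lines has to be treated as exposed and the `postgres` role's password rotated if that has not already happened; the PATCH 14/22 hunk earlier on this page re-encrypts `server_password` in `data_bags/credentials/postgresql.json`, which may be that rotation, but nothing here confirms it. The commit description should record the rotation (or point to it) so the next reader does not have to reconstruct that from ciphertext. Removing `kosmos-ejabberd::backup` from the run_list is consistent with `role[ejabberd]` including it, as the role hunk on this page shows.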