diff --git a/data_bags/credentials/ejabberd.json b/data_bags/credentials/ejabberd.json
new file mode 100644
index 0000000..447c397
--- /dev/null
+++ b/data_bags/credentials/ejabberd.json
@@ -0,0 +1,10 @@
+{
+ "id": "ejabberd",
+ "5apps_ldap_password": {
+ "encrypted_data": "NjlYL0mMpXmLP2pk1ZSo5mWt+qosx7eh7+duoPc57avQGwPJ6Vxb\n",
+ "iv": "q/py5XYCEXARUEA9\n",
+ "auth_tag": "4xoSjTjLYNzuLvoksf3Thw==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ }
+}
\ No newline at end of file
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
index 5d4e282..2b2f47e 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@@ -26,6 +26,8 @@ include_recipe "kosmos-postgresql"
+ejabberd_credentials = data_bag_item("credentials", "ejabberd")
+
 cookbook_file "#{Chef::Config[:file_cache_path]}/pg.sql" do
 source "pg.sql"
 mode "0664"
@@ -55,35 +57,90 @@ postgresql_user 'ejabberd' do
 password postgresql_data_bag_item['ejabberd_user_password']
 end
-postgresql_database 'ejabberd' do
- owner 'ejabberd'
- action :create
- notifies :run, "execute[create db schema ejabberd]", :delayed
+hosts = [
+ {
+ name: "kosmos.org",
+ sql_database: "ejabberd",
+ ldap_enabled: false,
+ append_host_config: <<-EOF
+modules:
+ mod_muc:
+ host: "kosmos.chat"
+ access:
+ - allow
+ access_admin:
+ - allow: admin
+ access_create: muc_create
+ access_persistent: muc_create
+ max_user_conferences: 1000
+ default_room_options:
+ mam: true
+ EOF
+ },
+ {
+ name: "5apps.com",
+ sql_database: "ejabberd_5apps",
+ ldap_enabled: true,
+ ldap_password: ejabberd_credentials['5apps_ldap_password'],
+ append_host_config: <<-EOF
+modules:
+ mod_muc:
+ host: "muc.@HOST@"
+ access:
+ - allow: local
+ access_admin:
+ - allow: admin
+ access_create: muc_create
+ access_persistent: muc_create
+ max_user_conferences: 1000
+ default_room_options:
+ anonymous: false
+ public: true
+ members_only: true
+ public_list: false
+ persistent: true
+ mam: true
+ EOF
+ }
+]
+
+hosts.each do |host|
+ postgresql_database host[:sql_database] do
+ owner 'ejabberd'
+ action :create
+ notifies :run, "execute[create db schema #{host[:sql_database]}]", :delayed
+ end
+
+ execute "create db schema #{host[:sql_database]}" do
+ user "ejabberd"
+ command "psql #{host[:sql_database]}} < #{Chef::Config[:file_cache_path]}/pg.sql"
+ action :nothing
+ end
 end
-postgresql_database 'ejabberd_5apps' do
- owner 'ejabberd'
- action :create
- notifies :run, "execute[create db schema ejabberd_5apps]", :delayed
-end
+ldap_domain = node['kosmos-dirsrv']['master_hostname']
+ldap_encryption_type = node.chef_environment == "development" ? "none" : "tls"
+ldap_base = "cn=users,dc=kosmos,dc=org"
-execute "create db schema ejabberd" do
- user "ejabberd"
- command "psql ejabberd < #{Chef::Config[:file_cache_path]}/pg.sql"
- action :nothing
-end
-
-execute "create db schema ejabberd_5apps" do
- user "ejabberd"
- command "psql ejabberd_5apps < #{Chef::Config[:file_cache_path]}/pg.sql"
- action :nothing
-end
+admin_users = [
+ "greg@5apps.com",
+ "sebastian@5apps.com",
+ "garret@5apps.com",
+ "raucao@kosmos.org",
+ "greg@kosmos.org",
+ "galfert@kosmos.org"
+]
 template "/opt/ejabberd/conf/ejabberd.yml" do
 source "ejabberd.yml.erb"
 mode 0640
 sensitive true
- variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password']
+ variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password'],
+ hosts: hosts,
+ ldap_base: ldap_base,
+ ldap_server: ldap_domain,
+ ldap_encryption_type: ldap_encryption_type,
+ admin_users: admin_users
 notifies :run, "execute[ejabberdctl reload_config]", :delayed
 end
diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
index 7f66eaf..5b069d5 100644
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
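Review bot: The `execute "create db schema …"` resource inside the `hosts.each` loop has a stray closing brace after the interpolation, so the command expands to `psql ejabberd} < …` and the schema load fails for both databases; it should read `command "psql #{host[:sql_database]} < #{Chef::Config[:file_cache_path]}/pg.sql"`. The LDAP bind password is also read with `ejabberd_credentials['5apps_ldap_password']`, which quietly yields nil if the key is absent or the item is not in the expected shape and would then render an empty `ldap_password` into ejabberd.yml; `ejabberd_credentials.fetch('5apps_ldap_password')` makes that a compile-time failure instead. Both points are on lines visible in this hunk.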
@@ -7,36 +7,38 @@ log_rotate_count: 1
 log_rate_limit: 100
 hosts:
- - "kosmos.org"
- - "5apps.com"
+<% @hosts.each do |host| -%>
+ - "<%= host[:name] %>"
+<% end -%>
 host_config:
- "kosmos.org":
+<% @hosts.each do |host| -%>
+ "<%= host[:name] %>":
 sql_type: pgsql
 sql_server: "localhost"
- sql_database: "ejabberd"
- sql_username: "ejabberd"
- sql_password: "<%= @pgsql_password %>"
- "5apps.com":
- sql_type: pgsql
- sql_server: "localhost"
- sql_database: "ejabberd_5apps"
+ sql_database: "<%= host[:sql_database] %>"
 sql_username: "ejabberd"
 sql_password: "<%= @pgsql_password %>"
+ <% if host[:ldap_enabled] -%>
+ auth_method: ldap
+ ldap_servers: ["<%= @ldap_server %>"]
+ ldap_rootdn: "cn=xmpp,ou=<%= host[:name] %>,<%= @ldap_base %>"
+ ldap_password: "<%= host[:ldap_password] %>"
+ ldap_encrypt: <%= @ldap_encryption_type %>
+ ldap_base: "ou=<%= host[:name] %>,<%= @ldap_base %>"
+ ldap_filter: "(nsRole=cn=xmpp_role,ou=<%= host[:name] %>,<%= @ldap_base %>)"
+ <% end -%>
+<% end -%>
-<% if (File.exist?("/opt/ejabberd/conf/kosmos.org.crt") && File.exist?("/opt/ejabberd/conf/kosmos.org.key")) ||
- (File.exist?("/opt/ejabberd/conf/5apps.com.crt") && File.exist?("/opt/ejabberd/conf/5apps.com.key")) -%>
+<% if @hosts.any? { |host| File.exist?("/opt/ejabberd/conf/#{host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{host[:name]}.key") } -%>
 certfiles:
-<% if File.exist?("/opt/ejabberd/conf/kosmos.org.crt") && File.exist?("/opt/ejabberd/conf/kosmos.org.key") -%>
- - "/opt/ejabberd/conf/kosmos.org.crt"
- - "/opt/ejabberd/conf/kosmos.org.key"
-<% end -%>
-<% if File.exist?("/opt/ejabberd/conf/5apps.com.crt") && File.exist?("/opt/ejabberd/conf/5apps.com.key") -%>
- - "/opt/ejabberd/conf/5apps.com.crt"
- - "/opt/ejabberd/conf/5apps.com.key"
+<% @hosts.each do |host| -%>
+ <% if File.exist?("/opt/ejabberd/conf/#{host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{host[:name]}.key") -%>
+ - "/opt/ejabberd/conf/<%= host[:name] %>.crt"
+ - "/opt/ejabberd/conf/<%= host[:name] %>.key"
+ <% end -%>
 <% end -%>
 <% end -%>
-
 ca_file: "/opt/ejabberd/conf/cacert.pem"
 define_macro:
@@ -113,12 +115,9 @@ max_fsm_queue: 10000
 acl:
 admin:
 user:
- - "greg@5apps.com"
- - "sebastian@5apps.com"
- - "garret@5apps.com"
- - "raucao@kosmos.org"
- - "greg@kosmos.org"
- - "galfert@kosmos.org"
+ <% @admin_users.each do |admin| -%>
+ - "<%= admin %>"
+ <% end -%>
 local:
 user_regexp: ""
@@ -232,14 +231,9 @@ modules:
 - "pep" # pep requires mod_caps
 mod_push: {}
 mod_push_keepalive: {}
+ # Allow existing accounts to change their password
 mod_register:
- welcome_message:
- subject: "Welcome!"
- body: |-
- Hi.
- Welcome to this XMPP server.
- ip_access: trusted_network
- access: register
+ access: none
 mod_roster:
 versioning: true
 store_current_id: true
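Review bot: The new `ldap_password: "<%= host[:ldap_password] %>"` line interpolates a secret into a double-quoted YAML scalar with no escaping, so a bind password containing `"` or `\` yields an invalid or truncated ejabberd.yml (the pre-existing `sql_password` line has the same shape). Rendering it through a YAML-compatible quoting step, e.g. `ldap_password: <%= host[:ldap_password].to_json %>` with the literal quotes dropped, keeps arbitrary secrets intact, assuming the json core library is loaded in the template context as it normally is under Chef. `ldap_encrypt: <%= @ldap_encryption_type %>` also renders `none` in the development environment, which sends the bind password to the directory server in clear; a one-line comment above it in the template, such as `<%# "none" is only set for the development environment %>`, would document that this is intentional.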
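Review bot: The comment added above `mod_register:` says why the module is kept but not what `access: none` does, so a reader of this block alone may not realise in-band registration is now closed. Something like `# In-band registration is disabled (access: none); the module stays loaded so existing accounts can still change their password` states both halves. The surrounding `modules:` mapping starts and ends outside this hunk.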
@@ -254,37 +248,10 @@ modules:
 mod_http_api: {}
 append_host_config:
- "5apps.com":
- modules:
- mod_muc:
- host: "muc.@HOST@"
- access:
- - allow: local
- access_admin:
- - allow: admin
- access_create: muc_create
- access_persistent: muc_create
- max_user_conferences: 1000
- default_room_options:
- anonymous: false
- public: true
- members_only: true
- public_list: false
- persistent: true
- mam: true
- "kosmos.org":
- modules:
- mod_muc:
- host: "kosmos.chat"
- access:
- - allow
- access_admin:
- - allow: admin
- access_create: muc_create
- access_persistent: muc_create
- max_user_conferences: 1000
- default_room_options:
- mam: true
+<% @hosts.each do |host| -%>
+ "<%= host[:name] %>":
+ <%= host[:append_host_config].chomp %>
+<% end -%>
 allow_contrib_modules: true
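Review bot: `<%= host[:append_host_config].chomp %>` indents only the first line of the heredoc: the template's leading spaces are emitted once before `modules:`, while every following heredoc line keeps the indentation it has in the recipe, because `<<-EOF` preserves body indentation and the recipe writes `modules:` at column 0. If the tag is indented under the host key, as its position in this hunk suggests, `modules:` ends up deeper than `mod_muc:` and the per-host `mod_muc` settings fall outside the host mapping; this is inferred from the collapsed whitespace, so please confirm against a rendered file. Indenting every line at render time avoids it, e.g. placing the tag at column 0 as `<%= host[:append_host_config].chomp.gsub(/^/, "    ") %>` with the prefix matching the nesting under `"<%= host[:name] %>":`. The same applies to both heredocs defined in recipes/default.rb in this commit.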