Merge pull request 'Configure STUN/TURN for ejabberd and nginx proxy' (#407) from feature/ejabberd_stun_n_turn into new_ldap_server

Reviewed-on: #407
2022-05-11 14:21:14 +00:00 · 2022-05-11 14:21:14 +00:00 · 5c31531357
parent 5c00e2d28a c158f845f0
commit 5c31531357
9 changed files with 185 additions and 24 deletions
--- a/data_bags/credentials/ejabberd.json
+++ b/data_bags/credentials/ejabberd.json
@ -1,37 +1,44 @@
 {
  "id": "ejabberd",
  "5apps_ldap_password": {
-    "encrypted_data": "+sg4xj4nVTepvCOQ+Nupln+Ni2zkpxEHyJxj8IQqug==\n",
-    "iv": "38KjEZZbI9rNfsA1\n",
-    "auth_tag": "O3onB3RmxU09fBsQO9h5OA==\n",
+    "encrypted_data": "3o0jv/jKAIVR/FcyLH5JfDlbqsEYC1LnN2qK25b47Q==\n",
+    "iv": "6YTMw9vMiDANQDVP\n",
+    "auth_tag": "hIfhn4fHcuV34TLt0o4BLg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "kosmos_ldap_password": {
-    "encrypted_data": "GFTIbthhsiVnkRk8C8cqvyBTCnSQ7JgqM1djR63BYg==\n",
-    "iv": "07hmbipcLzslZT81\n",
-    "auth_tag": "yCSwv9oI/eDY5ATXn5oFmQ==\n",
+    "encrypted_data": "3DuaEKmfnBycnPHtOPX59i1Iu2MiDsUv2NhHMLVRVA==\n",
+    "iv": "XC2igt4I4qNNgCYD\n",
+    "auth_tag": "cRKNVa+dgIeKtMJbV26fMQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "uploads_secret": {
-    "encrypted_data": "QMY6QnL/hxGAxG4hQBFSsM7sRR3izZO62EjZAIV2F165\n",
-    "iv": "Swez2eH4b11G/exT\n",
-    "auth_tag": "zKsX7IYoMKPOmdGxZcfMPQ==\n",
+    "encrypted_data": "Hsa0CNxtxgSeqcConNMINdNHnq8Nb4FTokRg3yZB2Fw5\n",
+    "iv": "fWjiwhJ7NZIvUHyt\n",
+    "auth_tag": "BS7TfOFSLeozLtuD6pRr6g==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "admins": {
-    "encrypted_data": "NMmjCdV3H/cg3G2/gToqxj0iq1UpOBwjaK8eya46doNOC77AlOdV5uPTJvqI\nJYmy31RUFPtjQUfCsidPpsbdx3k6sQjiPSRZDEA9u6S35w9hNBXHz1PLCDKb\nCfEtwM30xhmcDSFEllpXFE+0Bh1lUF/cHFt9/z5ZjSPYKSQg5cM2h89nMScJ\n",
-    "iv": "9TlJYq79eQy6T1l/\n",
-    "auth_tag": "E8KMY1uIVWtnAFmdiP1R5g==\n",
+    "encrypted_data": "5Nr8AHUFlFCjjG/OtLXcJIfvAF0MLbiGYgmG3ck8Da+duGMLz35Kh/BT4ZCd\nOK/7ID35whjRm0CbaanzfffDiTaa8Bo/DI+2rZDdaFyiaOeGvOXv21YwC7IT\nIZkH6pphbxzR86kfxtPB9bqhkA7rq9toCU1TU3TCXlNG6flR0c02j6t3Nwu7\n",
+    "iv": "vFjSjzaEiZJB4lAo\n",
+    "auth_tag": "3DEcFQSC1H7q/o9EiAwS3A==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "erlang_cookie": {
-    "encrypted_data": "YKCUrV/vEH2zWXlZJWIQkYhK+uwBaHvSpYmdVQwQgQTxege7HtTs\n",
-    "iv": "c7SINIqy8p+yMlQ+\n",
-    "auth_tag": "b7OyWy3QFaQLENmiNqaFPg==\n",
+    "encrypted_data": "+W8iX2Ye1QL6Tqy4J5DyBIQ8oPEaIWONV1tsoTEZT+YjqqTfFgqo\n",
+    "iv": "2fYgOBtGmqFTFddy\n",
+    "auth_tag": "6tfWx9FA/oD7c4THW7cQlQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "stun_secret": {
+    "encrypted_data": "bgLeWgPdI3LQTlxZI2Wcn2/NY+zyumxUPJUFqUrZn7MEEXQOl1Dd2W0Vzks=\n",
+    "iv": "xevLfSR+wqEk5jVw\n",
+    "auth_tag": "7Jvcaq2UlLJVIX7TqSX2OQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@ -24,6 +24,7 @@
      "kosmos_gitea::nginx",
      "kosmos_website",
      "kosmos_website::default",
+      "kosmos-ejabberd::nginx",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
--- a/roles/nginx_proxy.rb
+++ b/roles/nginx_proxy.rb
@ -6,6 +6,7 @@ default_run_list = %w(
  kosmos_drone::nginx
  kosmos_gitea::nginx
  kosmos_website::default
+  kosmos-ejabberd::nginx
 )

 env_run_lists(
--- a/site-cookbooks/kosmos-ejabberd/attributes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/attributes/default.rb
@ -1,7 +1,9 @@
 node.default["kosmos-ejabberd"]["version"] = "20.12"
 node.default["kosmos-ejabberd"]["checksum"] = "3d2a4e9d1aa2d189017f4f310eff4d0b6c6d7cd911209cfbcca7b0ec5b577b65"
+node.default["kosmos-ejabberd"]["turn_ip_address"] = "148.251.83.201"
+node.default["kosmos-ejabberd"]["stun_turn_port"] = 3478
 node.default["kosmos-ejabberd"]["turn_min_port"] = 50000
-node.default["kosmos-ejabberd"]["turn_max_port"] = 55000
+node.default["kosmos-ejabberd"]["turn_max_port"] = 50050

 node.override["tor"]["HiddenServices"]["ejabberd"] = {
  "HiddenServicePorts" => [
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@ -161,7 +161,9 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
  variables hosts: hosts,
            admin_users: admin_users,
            stun_auth_realm: "kosmos.org",
-            turn_ip_address: node["knife_zero"]["host"],
+            stun_secret: ejabberd_credentials['stun_secret'],
+            turn_ip_address: node["kosmos-ejabberd"]["turn_ip_address"],
+            stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
            turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
            turn_max_port: node["kosmos-ejabberd"]["turn_max_port"],
            akkounts_ip_addresses: akkounts_ip_addresses
--- a/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb
@ -25,13 +25,13 @@ firewall_rule 'erlang_cluster' do
 end

 firewall_rule 'ejabberd_stun_turn' do
-  port     3478
-  protocol :tcp
+  port     node["kosmos-ejabberd"]["stun_turn_port"]
+  protocol :udp
  command  :allow
 end

 firewall_rule 'ejabberd_turn' do
  port     node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
-  protocol :tcp
+  protocol :udp
  command  :allow
 end
--- a/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb
@ -0,0 +1,52 @@
+#
+# Cookbook:: kosmos-ejabberd
+# Recipe:: nginx
+#
+
+include_recipe "kosmos-base::firewall"
+
+ejabberd_hosts = []
+search(:node, "role:ejabberd").each do |node|
+  ejabberd_hosts << node["knife_zero"]["host"]
+end
+
+ejabberd_hosts.each do |ip_address|
+  IPAddr.new ip_address
+rescue IPAddr::InvalidAddressError
+  ejabberd_hosts.delete ip_address
+  next
+end
+
+template "#{node['nginx']['dir']}/streams-available/ejabberd" do
+  source "nginx_conf_streams.erb"
+  owner 'www-data'
+  mode 0640
+  # variables ejabberd_hosts: ejabberd_hosts
+  variables ejabberd_hosts: ["10.1.1.113"],
+            stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
+            turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
+            turn_max_port: node["kosmos-ejabberd"]["turn_max_port"]
+  notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_stream "ejabberd" do
+  action :enable
+end
+
+firewall_rule "ejabberd" do
+  port     [5222, 5223, 5269, 5443]
+  protocol :tcp
+  command  :allow
+end
+
+firewall_rule 'ejabberd_stun_turn' do
+  port     node["kosmos-ejabberd"]["stun_turn_port"]
+  protocol :udp
+  command  :allow
+end
+
+firewall_rule 'ejabberd_turn' do
+  port     node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
+  protocol :udp
+  command  :allow
+end
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
@ -78,12 +78,13 @@ listen:
    ## register: true
    captcha: false
  -
-    port: 3478
-    transport: tcp
+    port: <%= @stun_turn_port %>
+    transport: udp
    module: ejabberd_stun
    auth_realm: <%= @stun_auth_realm %>
    use_turn: true
-    turn_ip: <%= @turn_ip_address %>
+    tls: false
+    turn_ipv4_address: <%= @turn_ip_address %>
    turn_min_port: <%= @turn_min_port %>
    turn_max_port: <%= @turn_max_port %>

@ -230,7 +231,21 @@ modules:
    versioning: true
    store_current_id: true
  mod_shared_roster: {}
-  mod_stun_disco: {}
+  mod_stun_disco:
+    secret: <%= @stun_secret %>
+    services:
+      -
+        host: <%= @turn_ip_address %>
+        port: <%= @stun_turn_port %>
+        type: stun
+        transport: udp
+        restricted: false
+      -
+        host: <%= @turn_ip_address %>
+        port: <%= @stun_turn_port %>
+        type: turn
+        transport: udp
+        restricted: true
  mod_vcard:
    search: false
  mod_vcard_xupdate: {}
--- a/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_streams.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_streams.erb
@ -0,0 +1,81 @@
+log_format proxy '$remote_addr [$time_local] '
+           '$protocol $status $bytes_sent $bytes_received '
+           '$session_time "$upstream_addr" '
+           '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
+
+access_log /var/log/nginx/streams.log proxy buffer=32k flush=1m;
+
+upstream ejabberd_c2s {
+  hash   $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+  server <%= ip_address %>:5222;
+<% end %>
+}
+
+upstream ejabberd_c2s_tls {
+  hash   $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+  server <%= ip_address %>:5223;
+<% end %>
+}
+
+upstream ejabberd_s2s {
+  hash   $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+  server <%= ip_address %>:5269;
+<% end %>
+}
+
+upstream ejabberd_https {
+  hash   $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+  server <%= ip_address %>:5443;
+<% end %>
+}
+
+upstream ejabberd_stun_turn {
+  hash   $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+  server <%= ip_address %>:<%= @stun_turn_port %>;
+<% end %>
+}
+
+upstream ejabberd_turn {
+  hash   $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+<% (@turn_min_port..@turn_max_port).each do |port| %>
+  server <%= "#{ip_address}:#{port.to_s}" %>;
+<% end %>
+<% end %>
+}
+
+server {
+  listen     5222;
+  proxy_pass ejabberd_c2s;
+}
+
+server {
+  listen     5223;
+  proxy_pass ejabberd_c2s;
+}
+
+server {
+  listen     5269;
+  proxy_pass ejabberd_s2s;
+}
+
+server {
+  listen     5443;
+  proxy_pass ejabberd_https;
+}
+
+server {
+  listen     <%= @stun_turn_port %> udp;
+  proxy_pass ejabberd_stun_turn;
+}
+
+server {
+  listen     <%= "#{@turn_min_port}-#{@turn_max_port}" %> udp;
+  proxy_pass 10.1.1.113:$server_port;
+  #proxy_pass ejabberd_turn;
+}