From 65d71d6a73dc6592460b51e67290eccbb96bf582 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Tue, 10 Oct 2023 17:55:55 +0200 Subject: [PATCH] Migrate ejabberd uploads to mod_s3_upload and Garage MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In addition to installing and configuring the new module, this also enables public access to the S3 API via `bucket-name.s3.kosmos.org` as well as Web access on `bucket-name.web.s3.kosmos.org` (when enabled). Also includes some drive-by improvements to Chef attribute naming and usage. Co-authored-by: Greg Karékinian --- clients/garage-5.json | 4 ++ data_bags/credentials/ejabberd.json | 50 +++++++++------ environments/production.json | 7 +- nodes/ejabberd-4.json | 21 +++--- nodes/ejabberd-8.json | 21 +++--- nodes/fornax.kosmos.org.json | 1 + nodes/garage-2.json | 14 ++-- nodes/garage-3.json | 14 ++-- nodes/garage-5.json | 64 +++++++++++++++++++ roles/ejabberd.rb | 1 + roles/openresty_proxy.rb | 1 + .../kosmos-ejabberd/attributes/default.rb | 23 ++----- .../kosmos-ejabberd/recipes/default.rb | 54 +++++++++------- .../kosmos-ejabberd/recipes/firewall.rb | 4 +- .../kosmos-ejabberd/recipes/letsencrypt.rb | 2 +- .../kosmos-ejabberd/recipes/nginx.rb | 10 +-- .../kosmos-ejabberd/recipes/pg_db.rb | 22 ------- .../kosmos-ejabberd/recipes/upload_service.rb | 2 +- .../templates/ejabberd.yml.erb | 17 ++++- .../kosmos-ejabberd/templates/vhost.yml.erb | 2 +- .../kosmos_garage/attributes/default.rb | 5 +- .../kosmos_garage/recipes/nginx_s3.rb | 22 +++++++ .../kosmos_garage/recipes/nginx_web.rb | 37 +++++++++-- .../kosmos_garage/templates/nginx_conf_s3.erb | 49 ++++++++++++++ .../templates/nginx_conf_web.erb | 7 +- 25 files changed, 322 insertions(+), 132 deletions(-) create mode 100644 clients/garage-5.json create mode 100644 nodes/garage-5.json create mode 100644 site-cookbooks/kosmos_garage/recipes/nginx_s3.rb create mode 100644 site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb 
diff --git a/clients/garage-5.json b/clients/garage-5.json
new file mode 100644
index 0000000..bea3985
--- /dev/null
+++ b/clients/garage-5.json
@@ -0,0 +1,4 @@
+{
+ "name": "garage-5",
+ "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJxLFOBbml94W/GAe7nm\ntZs1Ziy8IbqXySsm8bSwWhRMQ8UuseqQLG30R3Q5X5AoJbtNfd26l63qLtP2fFtL\n5km9dV+2FoIJWFetl8Wzr7CaLYAiNzTQSFHlV7+6DKmPMDcJ63GKrFR77vkSGOG6\nOWL1bJy5BOaClp/sKL/0WQ0+mRbTP6RCQ2eI+46clAg702SenBU6Nz9HDm+teKN7\nYlP1CvzXgfgfpDOsat7wGn5+oKcmKavZxcdn8bt5jRpg8v3JezaZIjMXt7XcNS4n\n0F4XO/efnZE5B5SN68j4BpD8N79zJw4HlRIGP+RaYv2qLtBeWgLHCCs9wXQXfj6b\nLwIDAQAB\n-----END PUBLIC KEY-----\n"
+}
\ No newline at end of file
diff --git a/data_bags/credentials/ejabberd.json b/data_bags/credentials/ejabberd.json
index 1041686..b0f6c1b 100644
--- a/data_bags/credentials/ejabberd.json
+++ b/data_bags/credentials/ejabberd.json
@@ -1,44 +1,58 @@ { "id": "ejabberd", "5apps_ldap_password": { - "encrypted_data": "Jyt8IRrAt2LbyaMoKmo3SS+1ywXZhr1B0VtaE6L+Rg==\n", - "iv": "fpVbd9Xl662cJvKU\n", - "auth_tag": "dmWcmajdGiFHNamYT+SZWQ==\n", + "encrypted_data": "jsV7M+1lg4cc+x3WP+sWg4K5XcyFNPrCnlPA6Tl+mA==\n", + "iv": "qkYV3ljTHgiEdpHk\n", + "auth_tag": "SUfcAAr8PmA51JVn+IWRXg==\n", "version": 3, "cipher": "aes-256-gcm" }, "kosmos_ldap_password": { - "encrypted_data": "RtKK1k/gBQYZczxRC7r2MhB65lITFH69UBbdoNjoIQ==\n", - "iv": "MtMrzXMVoxe/rRGX\n", - "auth_tag": "q5SZT+2rT+jUDh9FNjZq8Q==\n", + "encrypted_data": "JzDO3Xlr0aF6xWmHXhkWDjpimgmQDR9SgQn0EAA20g==\n", + "iv": "gtMZ06rxKzi6O3we\n", + "auth_tag": "jnjd0P3yx8p4VOuoe4AArg==\n", "version": 3, "cipher": "aes-256-gcm" }, "uploads_secret": { - "encrypted_data": "01E+ANiUyZXzeSPtgQ9G2PHP0iyW2G2ApBg0shntTtoe\n", - "iv": "97nkWn0VLV4g9NmN\n", - "auth_tag": "bvQ2owruKwJZNPQ8eb2pXQ==\n", + "encrypted_data": "LXd5zSsZDqQ/jVUVCjN8i+DjcS89xkn9jUh/+Qsqzty8\n", + "iv": "Xrh8s7woFiUDAR8N\n", + "auth_tag": "tdlaQGzJIDWjz+xRNq1/UQ==\n", "version": 3, "cipher": "aes-256-gcm" }, "admins": { - "encrypted_data": "bqSE9Owd1uxwFnFfE3+i7CNM+6SekM84Zkp6mBm1e++e4WAwhXgjvvdD/4hx\nYSysn41o77DG\n", - "iv": "p3MHwqp0eCM0ct1R\n", - "auth_tag": "MKvzZYJgvAeNmDUgZy8hdg==\n", + "encrypted_data": "5ykS3j5SfWstOwVcgtitAHpKSCyol+cqQvpd5gEGbnqUPB1x/1XzN+L01jSY\nCPcSUSJadXyu\n", + "iv": "9OqWkcaMwUwrnUr5\n", + "auth_tag": "boB/6oxS9lyTVk3xlddUXw==\n", "version": 3, "cipher": "aes-256-gcm" }, "erlang_cookie": { - "encrypted_data": "+fYG16Q2ImhMIvnVnNRmCD3THSqkgHkEFdgqvOEFjAg8YT10do+B\n", - "iv": "znHqFysDrwAaDF9u\n", - "auth_tag": "2DQDCeEBz025Q2tXpbJq4w==\n", + "encrypted_data": "dJGPR8Wt08dndhj2i8u5QIS7xVKxMlFNIXlR7z87L6bq2GV5uSbi\n", + "iv": "MSCY5oPea7PBr4t+\n", + "auth_tag": "15UteU8giZoPWkV8f8a85Q==\n", "version": 3, "cipher": "aes-256-gcm" }, "stun_secret": { - "encrypted_data": "ZPTari/XE9MhCz4u7ydjt6hbSxCRpuqV1v198uGbAOsvqD+LI9PqmV76df0=\n", - "iv": "Tu/A0E2rQ324ksfg\n", - 
"auth_tag": "CFqLmR2uNrL+7wAzmgLgCA==\n", + "encrypted_data": "raGN5Q3yrVxmpYcnLtxh2lzpFUZp+uZxE0+RyWdkKOv4pmg52Sxbgw1vvdg=\n", + "iv": "3/SpX2kO/g8Fp0oY\n", + "auth_tag": "hFzJs0sz/Gf8RAivDen7Hw==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "s3_key_id": { + "encrypted_data": "TJm8USSzLn7N9IqV5UgVBCfp7XXyL5JKxvC5mdL+2ZDTnWUFuIOH5tFmigtc\n", + "iv": "fpoAWqct04pDHzeZ\n", + "auth_tag": "1aUzuzDCXePi4tKFOiZZVw==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "s3_secret_key": { + "encrypted_data": "tUfqkVuGTRbc8r8hJsgaHeWSKh1EEvqzXBhLBXZ3O7QnM+zfL70DXdtLa5zl\nghmypGIUXok/wY4LCV92GoVC7SyEdYWwFHB7wqmV/QXICHMy8eE=\n", + "iv": "d4vzG9SeAtdMttO/\n", + "auth_tag": "HJkNEd11pKwSu3ImogV1iQ==\n", "version": 3, "cipher": "aes-256-gcm" } diff --git a/environments/production.json b/environments/production.json index 954cece..8404558 100644 --- a/environments/production.json +++ b/environments/production.json @@ -16,14 +16,19 @@ "droneci": { "public_url": "https://drone.kosmos.org" }, + "ejabberd": { + "turn_ip_address": "148.251.83.201" + }, "garage": { "replication_mode": "2", "s3_api_root_domain": "s3.kosmos.org", "s3_web_root_domain": "web.s3.kosmos.org", "s3_web_domains": [ + "media.kosmos.chat", "s3.kosmos.social", "s3.community.kosmos.org" - ] + ], + "xmpp_upload_bucket": "kosmos-xmpp-uploads" }, "gitea": { "domain": "gitea.kosmos.org", diff --git a/nodes/ejabberd-4.json b/nodes/ejabberd-4.json index 3c9e8d7..eccf3bc 100644 --- a/nodes/ejabberd-4.json +++ b/nodes/ejabberd-4.json @@ -1,5 +1,6 @@ { "name": "ejabberd-4", + "chef_environment": "production", "normal": { "knife_zero": { "host": "10.1.1.113" @@ -16,7 +17,8 @@ "kvm_guest", "ldap_client", "ejabberd", - "postgresql_client" + "postgresql_client", + "garage_gateway" ], "recipes": [ "kosmos-base", 
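Review bot: The new `s3_key_id`/`s3_secret_key` items are consumed by the ejabberd hosts for one purpose, PUTs into the upload bucket, but nothing in the commit shows or records how narrowly that Garage key is scoped; a key with read/write on other buckets turns a compromise of an ejabberd node into access to every bucket on the cluster. Since the bag is encrypted, the natural place for that statement is the kosmos-ejabberd README or a comment next to the `mod_s3_upload` hash in recipes/default.rb, e.g. `# key is restricted to the upload bucket only; rotate via the Garage CLI and re-save this bag`. Separately, every pre-existing item (`5apps_ldap_password`, `kosmos_ldap_password`, `uploads_secret`, `admins`, `erlang_cookie`, `stun_secret`) received a new ciphertext and IV; if that is only a re-encryption on save, a line in the commit message saying so avoids a false rotation alarm, and if `erlang_cookie` really did change, all clustered ejabberd nodes need a coordinated restart.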
@@ -24,6 +26,9 @@ "kosmos_kvm::guest", "kosmos-dirsrv::hostsfile", "kosmos_postgresql::hostsfile", + "kosmos_garage", + "kosmos_garage::default", + "kosmos_garage::firewall_rpc", "kosmos-ejabberd::letsencrypt", "kosmos-ejabberd", "kosmos-ejabberd::default", @@ -41,22 +46,22 @@ "postfix::_attributes", "postfix::sasl_auth", "hostname::default", + "firewall::default", "kosmos-base::letsencrypt", - "kosmos-ejabberd::firewall", - "tor-full::default" + "kosmos-ejabberd::firewall" ], "platform": "ubuntu", "platform_version": "20.04", "cloud": null, "chef_packages": { "chef": { - "version": "17.9.26", - "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.26/lib", + "version": "18.3.0", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib", "chef_effortless": null }, "ohai": { - "version": "17.9.1", - "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.1/lib/ohai" + "version": "18.1.4", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai" } } }, @@ -66,4 +71,4 @@ "role[ldap_client]", "role[ejabberd]" ] -} \ No newline at end of file +} diff --git a/nodes/ejabberd-8.json b/nodes/ejabberd-8.json index d684b24..987dd1d 100644 --- a/nodes/ejabberd-8.json +++ b/nodes/ejabberd-8.json @@ -1,5 +1,6 @@ { "name": "ejabberd-8", + "chef_environment": "production", "normal": { "knife_zero": { "host": "10.1.1.123" @@ -16,7 +17,8 @@ "kvm_guest", "ldap_client", "ejabberd", - "postgresql_client" + "postgresql_client", + "garage_gateway" ], "recipes": [ "kosmos-base", @@ -24,6 +26,9 @@ "kosmos_kvm::guest", "kosmos-dirsrv::hostsfile", "kosmos_postgresql::hostsfile", + "kosmos_garage", + "kosmos_garage::default", + "kosmos_garage::firewall_rpc", "kosmos-ejabberd::letsencrypt", "kosmos-ejabberd", "kosmos-ejabberd::default", 
@@ -41,22 +46,22 @@ "postfix::_attributes", "postfix::sasl_auth", "hostname::default", + "firewall::default", "kosmos-base::letsencrypt", - "kosmos-ejabberd::firewall", - "tor-full::default" + "kosmos-ejabberd::firewall" ], "platform": "ubuntu", "platform_version": "20.04", "cloud": null, "chef_packages": { "chef": { - "version": "17.10.3", - "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib", + "version": "18.3.0", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib", "chef_effortless": null }, "ohai": { - "version": "17.9.0", - "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai" + "version": "18.1.4", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai" } } }, @@ -66,4 +71,4 @@ "role[ldap_client]", "role[ejabberd]" ] -} \ No newline at end of file +} diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json index 6528412..a2cd55c 100644 --- a/nodes/fornax.kosmos.org.json +++ b/nodes/fornax.kosmos.org.json @@ -42,6 +42,7 @@ "kosmos_drone::nginx", "kosmos-ejabberd::nginx", "kosmos_garage::nginx_web", + "kosmos_garage::nginx_s3", "kosmos_gitea::nginx", "kosmos_gitea::nginx_ssh", "kosmos_rsk::nginx_testnet", diff --git a/nodes/garage-2.json b/nodes/garage-2.json index 5d80fc4..93641a6 100644 --- a/nodes/garage-2.json +++ b/nodes/garage-2.json @@ -23,7 +23,8 @@ "kosmos_kvm::guest", "kosmos_garage", "kosmos_garage::default", - "kosmos_garage::firewall", + "kosmos_garage::firewall_rpc", + "kosmos_garage::firewall_apis", "apt::default", "timezone_iii::default", "timezone_iii::debian", 
@@ -38,21 +39,20 @@ "postfix::_attributes", "postfix::sasl_auth", "hostname::default", - "firewall::default", - "chef-sugar::default" + "firewall::default" ], "platform": "ubuntu", "platform_version": "20.04", "cloud": null, "chef_packages": { "chef": { - "version": "17.10.3", - "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib", + "version": "18.3.0", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib", "chef_effortless": null }, "ohai": { - "version": "17.9.0", - "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai" + "version": "18.1.4", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai" } } }, diff --git a/nodes/garage-3.json b/nodes/garage-3.json index 3205be1..be4db2a 100644 --- a/nodes/garage-3.json +++ b/nodes/garage-3.json @@ -23,7 +23,8 @@ "kosmos_kvm::guest", "kosmos_garage", "kosmos_garage::default", - "kosmos_garage::firewall", + "kosmos_garage::firewall_rpc", + "kosmos_garage::firewall_apis", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -38,21 +39,20 @@ "postfix::_attributes", "postfix::sasl_auth", "hostname::default", - "firewall::default", - "chef-sugar::default" + "firewall::default" ], "platform": "ubuntu", "platform_version": "20.04", "cloud": null, "chef_packages": { "chef": { - "version": "17.10.3", - "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib", + "version": "18.3.0", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib", "chef_effortless": null }, "ohai": { - "version": "17.9.0", - "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai" + "version": "18.1.4", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai" } } }, diff --git a/nodes/garage-5.json b/nodes/garage-5.json new file mode 100644 index 0000000..abc7034 --- /dev/null +++ b/nodes/garage-5.json 
@@ -0,0 +1,64 @@
+{
+ "name": "garage-5",
+ "chef_environment": "production",
+ "normal": {
+ "knife_zero": {
+ "host": "10.1.1.33"
+ }
+ },
+ "automatic": {
+ "fqdn": "garage-5",
+ "os": "linux",
+ "os_version": "5.15.0-84-generic",
+ "hostname": "garage-5",
+ "ipaddress": "192.168.122.55",
+ "roles": [
+ "base",
+ "kvm_guest",
+ "garage_node"
+ ],
+ "recipes": [
+ "kosmos-base",
+ "kosmos-base::default",
+ "kosmos_kvm::guest",
+ "kosmos_garage",
+ "kosmos_garage::default",
+ "kosmos_garage::firewall_rpc",
+ "kosmos_garage::firewall_apis",
+ "apt::default",
+ "timezone_iii::default",
+ "timezone_iii::debian",
+ "ntp::default",
+ "ntp::apparmor",
+ "kosmos-base::systemd_emails",
+ "apt::unattended-upgrades",
+ "kosmos-base::firewall",
+ "kosmos-postfix::default",
+ "postfix::default",
+ "postfix::_common",
+ "postfix::_attributes",
+ "postfix::sasl_auth",
+ "hostname::default",
+ "firewall::default"
+ ],
+ "platform": "ubuntu",
+ "platform_version": "22.04",
+ "cloud": null,
+ "chef_packages": {
+ "chef": {
+ "version": "18.3.0",
+ "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
+ "chef_effortless": null
+ },
+ "ohai": {
+ "version": "18.1.4",
+ "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+ }
+ }
+ },
+ "run_list": [
+ "role[base]",
+ "role[kvm_guest]",
+ "role[garage_node]"
+ ]
+}
diff --git a/roles/ejabberd.rb b/roles/ejabberd.rb
index a2d802b..ffde482 100644
--- a/roles/ejabberd.rb
+++ b/roles/ejabberd.rb
@@ -7,6 +7,7 @@ default_run_list = %w( production_run_list = %w( role[postgresql_client]
+ role[garage_gateway]
 kosmos-ejabberd::letsencrypt kosmos-ejabberd::default )
diff --git a/roles/openresty_proxy.rb b/roles/openresty_proxy.rb
index 083ce41..2ecd45e 100644
--- a/roles/openresty_proxy.rb
+++ b/roles/openresty_proxy.rb
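Review bot: Adding `role[garage_gateway]` to the ejabberd production run list makes every ejabberd host a member of the Garage cluster (the ejabberd-4/ejabberd-8 node files in this commit now list `kosmos_garage::default` and `kosmos_garage::firewall_rpc`), so those hosts presumably hold the cluster RPC secret and accept RPC connections. That widens the blast radius of an ejabberd compromise from one XMPP server to the storage cluster. The firewall_rpc recipe is not in the diff; please confirm its rule limits the RPC port to the cluster peers' private addresses rather than any source. A comment above the role, e.g. `# gateway node: local S3 endpoint for mod_s3_upload, joins the Garage RPC ring`, would keep that trade-off visible.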
@@ -23,6 +23,7 @@ production_run_list = %w( kosmos_drone::nginx kosmos-ejabberd::nginx kosmos_garage::nginx_web + kosmos_garage::nginx_s3 kosmos_gitea::nginx kosmos_gitea::nginx_ssh kosmos_rsk::nginx_testnet diff --git a/site-cookbooks/kosmos-ejabberd/attributes/default.rb b/site-cookbooks/kosmos-ejabberd/attributes/default.rb index 922a35e..cacb6dc 100644 --- a/site-cookbooks/kosmos-ejabberd/attributes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/attributes/default.rb @@ -1,16 +1,7 @@ -node.default["kosmos-ejabberd"]["version"] = "23.04" -node.default["kosmos-ejabberd"]["package_version"] = "1" -node.default["kosmos-ejabberd"]["checksum"] = "0bc273043085f8bc333abd176e767cc0a77b7336014777c2f2d10ae27e3d8aec" -node.default["kosmos-ejabberd"]["turn_ip_address"] = "148.251.83.201" -node.default["kosmos-ejabberd"]["stun_turn_port"] = 3478 -node.default["kosmos-ejabberd"]["turn_min_port"] = 50000 -node.default["kosmos-ejabberd"]["turn_max_port"] = 50050 - -node.default["kosmos-ejabberd"]["uploads"] = { - "domain" => "uploads.kosmos.chat", - "max_upload_size_mb" => "100", - "upload.pm" => { - "repo" => "https://gitea.kosmos.org/kosmos/ngx_http_upload.git", - "revision" => "0.2" - } -} +node.default["ejabberd"]["version"] = "23.04" +node.default["ejabberd"]["package_version"] = "1" +node.default["ejabberd"]["checksum"] = "0bc273043085f8bc333abd176e767cc0a77b7336014777c2f2d10ae27e3d8aec" +node.default["ejabberd"]["turn_ip_address"] = nil +node.default["ejabberd"]["stun_turn_port"] = 3478 +node.default["ejabberd"]["turn_min_port"] = 50000 +node.default["ejabberd"]["turn_max_port"] = 50050 diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index 5468f52..1ab71ae 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb 
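Review bot: This hunk drops the whole `node.default["kosmos-ejabberd"]["uploads"]` hash without recreating it under the new `ejabberd` key, yet recipes/upload_service.rb further down in this commit is only renamed to read `node["ejabberd"]["uploads"]` and immediately calls `upload_config["domain"]`, which raises NoMethodError on nil for any node that still runs that recipe. Either remove upload_service.rb (and its nginx/perl pieces) in the same commit, since mod_http_upload is being retired, or keep the hash here. Second point: `turn_ip_address` now defaults to `nil` and recipes/default.rb passes it straight into the ejabberd.yml template, so a node outside the production environment renders an empty TURN address instead of failing the converge; a guard before the template resource such as `raise "node['ejabberd']['turn_ip_address'] is unset (set it in the environment)" if node["ejabberd"]["turn_ip_address"].nil?` makes that loud. Whether upload_service.rb is still in any run list is not visible in the diff.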
@@ -5,12 +5,12 @@ ejabberd_credentials = data_bag_item("credentials", "ejabberd") -ejabberd_version = node["kosmos-ejabberd"]["version"] -package_checksum = node["kosmos-ejabberd"]["checksum"] +ejabberd_version = node["ejabberd"]["version"] +package_checksum = node["ejabberd"]["checksum"] package_path = "#{Chef::Config['file_cache_path']}/ejabberd_#{ejabberd_version}_amd64.deb" remote_file package_path do - source "https://github.com/processone/ejabberd/releases/download/#{ejabberd_version}/ejabberd_#{ejabberd_version}-#{node["kosmos-ejabberd"]["package_version"]}_amd64.deb" + source "https://github.com/processone/ejabberd/releases/download/#{ejabberd_version}/ejabberd_#{ejabberd_version}-#{node["ejabberd"]["package_version"]}_amd64.deb" checksum package_checksum notifies :install, "dpkg_package[ejabberd]", :immediately end @@ -22,6 +22,21 @@ dpkg_package "ejabberd" do action :nothing end +execute "update contrib modules" do + command "ejabberdctl modules_update_specs" +end + +%w[mod_s3_upload].each do |emod| + execute "install #{emod}" do + command "ejabberdctl module_install #{emod}" + not_if { ::File.exist?("/opt/ejabberd/.ejabberd-modules/#{emod}/ebin") } + end + + file "/opt/ejabberd/.ejabberd-modules/#{emod}/conf/#{emod}.yml" do + action :delete + end +end + file "/opt/ejabberd/.erlang.cookie" do mode "0400" owner "ejabberd" @@ -70,7 +85,7 @@ hosts = [ ldap_enabled: true, ldap_password: ejabberd_credentials['kosmos_ldap_password'], append_host_config: <<-EOF -modules: + modules: mod_disco: extra_domains: - kosmos.chat @@ -92,12 +107,6 @@ modules: default_room_options: mam: true preload_rooms: true - mod_muc_rtbl: {} - mod_http_upload: - put_url: "https://uploads.kosmos.chat/8af2c77" - external_secret: "#{ejabberd_credentials["uploads_secret"]}" - max_size: 104857600 - thumbnail: false # otherwise needs the identify command from ImageMagick installed EOF }, { 
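Review bot: `execute "install #{emod}"` fetches mod_s3_upload through `ejabberdctl module_install` with no pinned revision or checksum, and `execute "update contrib modules"` refreshes the specs from the upstream repository on every converge with no guard, so the code that ends up handling the S3 credentials on each node is whatever upstream serves at install time rather than a version reviewed here. The Garage binary in this same commit is pinned by version and sha256; the module deserves the same treatment. If ejabberdctl cannot pin, vendoring the module source (the cookbook already uses `git` with a `revision` for upload.pm) and building from that path is an option, and at minimum the update step should get a guard (for instance the same ebin `not_if` used on the install) so a converge does not need network access. A comment above the loop recording the tested module revision, `# mod_s3_upload tested at <contrib commit id>`, would help the next upgrade.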
@@ -106,7 +115,7 @@ modules: ldap_enabled: true, ldap_password: ejabberd_credentials['5apps_ldap_password'], append_host_config: <<-EOF -modules: + modules: mod_disco: extra_domains: - muc.5apps.com @@ -133,12 +142,6 @@ modules: persistent: true mam: true preload_rooms: true - mod_muc_rtbl: {} - mod_http_upload: - put_url: "https://uploads.kosmos.chat/2802cfe" - external_secret: "#{ejabberd_credentials["uploads_secret"]}" - max_size: 104857600 - thumbnail: false # otherwise needs the identify command from ImageMagick installed EOF } ] @@ -182,12 +185,19 @@ template "/opt/ejabberd/conf/ejabberd.yml" do admin_users: admin_users, stun_auth_realm: "kosmos.org", stun_secret: ejabberd_credentials['stun_secret'], - turn_ip_address: node["kosmos-ejabberd"]["turn_ip_address"], - stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"], - turn_min_port: node["kosmos-ejabberd"]["turn_min_port"], - turn_max_port: node["kosmos-ejabberd"]["turn_max_port"], + turn_ip_address: node["ejabberd"]["turn_ip_address"], + stun_turn_port: node["ejabberd"]["stun_turn_port"], + turn_min_port: node["ejabberd"]["turn_min_port"], + turn_max_port: node["ejabberd"]["turn_max_port"], private_ip_address: node["knife_zero"]["host"], - akkounts_ip_addresses: akkounts_ip_addresses + akkounts_ip_addresses: akkounts_ip_addresses, + mod_s3_upload: { + region: "garage", + bucket_url: "https://#{node["garage"]["xmpp_upload_bucket"]}.#{node["garage"]["s3_api_root_domain"]}", + download_url: "https://media.kosmos.chat", + key_id: ejabberd_credentials['s3_key_id'], + secret_key: ejabberd_credentials['s3_secret_key'] + } notifies :reload, "service[ejabberd]", :delayed end diff --git a/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb b/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb index ca1f393..b29ce6a 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb 
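Review bot: `download_url: "https://media.kosmos.chat"` is hard-coded in the recipe while the same host is added to `node["garage"]["s3_web_domains"]` in environments/production.json in this commit, and `bucket_url` right above it is built from attributes; the two will drift apart on the first rename. Prefer an attribute, e.g. `download_url: "https://#{node["ejabberd"]["upload_download_domain"]}"`, with the value set in the environment next to `xmpp_upload_bucket`. Also, `secret_key` now flows into /opt/ejabberd/conf/ejabberd.yml; the `template` resource's header is above the hunk, so I cannot see whether it sets `sensitive true` — without it Chef prints the rendered diff, secret included, into the converge log and any reporting handler. The resource already carried the LDAP passwords and STUN secret, so this is not new, but worth confirming while the file is open.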
@@ -25,13 +25,13 @@ firewall_rule 'erlang_cluster' do end firewall_rule 'ejabberd_stun_turn' do - port node["kosmos-ejabberd"]["stun_turn_port"] + port node["ejabberd"]["stun_turn_port"] protocol :udp command :allow end firewall_rule 'ejabberd_turn' do - port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"] + port node["ejabberd"]["turn_min_port"]..node["ejabberd"]["turn_max_port"] protocol :udp command :allow end diff --git a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb index 4dddb5d..77aea83 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb @@ -20,7 +20,7 @@ for domain in $RENEWED_DOMAINS; do cp "${RENEWED_LINEAGE}/fullchain.pem" /opt/ejabberd/conf/$domain.crt chown ejabberd:ejabberd /opt/ejabberd/conf/$domain.* chmod 600 /opt/ejabberd/conf/$domain.* - /opt/ejabberd-#{node["kosmos-ejabberd"]["version"]}/bin/ejabberdctl reload_config + /opt/ejabberd-#{node["ejabberd"]["version"]}/bin/ejabberdctl reload_config ;; esac done diff --git a/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb b/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb index 6189c36..9514014 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb 
@@ -20,20 +20,20 @@ end openresty_stream "ejabberd" do template "nginx_conf_streams.erb" variables ejabberd_hosts: ["10.1.1.113"], - stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"], - turn_min_port: node["kosmos-ejabberd"]["turn_min_port"], - turn_max_port: node["kosmos-ejabberd"]["turn_max_port"] + stun_turn_port: node["ejabberd"]["stun_turn_port"], + turn_min_port: node["ejabberd"]["turn_min_port"], + turn_max_port: node["ejabberd"]["turn_max_port"] action :enable end firewall_rule 'ejabberd_stun_turn' do - port node["kosmos-ejabberd"]["stun_turn_port"] + port node["ejabberd"]["stun_turn_port"] protocol :udp command :allow end firewall_rule 'ejabberd_turn' do - port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"] + port node["ejabberd"]["turn_min_port"]..node["ejabberd"]["turn_max_port"] protocol :udp command :allow end diff --git a/site-cookbooks/kosmos-ejabberd/recipes/pg_db.rb b/site-cookbooks/kosmos-ejabberd/recipes/pg_db.rb index 85fba8c..e4bf9d6 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/pg_db.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/pg_db.rb 
@@ -2,28 +2,6 @@ # Cookbook:: kosmos-ejabberd # Recipe:: pg_db # -# The MIT License (MIT) -# -# Copyright:: 2020, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. -# postgresql_data_bag_item = data_bag_item('credentials', 'postgresql') diff --git a/site-cookbooks/kosmos-ejabberd/recipes/upload_service.rb b/site-cookbooks/kosmos-ejabberd/recipes/upload_service.rb index 6b5accd..356c8d2 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/upload_service.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/upload_service.rb @@ -8,7 +8,7 @@ include_recipe "kosmos-nginx::with_perl" ejabberd_credentials = data_bag_item("credentials", "ejabberd") uploads_secret = ejabberd_credentials["uploads_secret"] -upload_config = node["kosmos-ejabberd"]["uploads"] +upload_config = node["ejabberd"]["uploads"] domain = upload_config["domain"] git "/opt/upload.pm" do 
diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb index 7be7fbd..5951f0e 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb @@ -77,7 +77,6 @@ listen: request_handlers: "/ws": ejabberd_http_ws "/bosh": mod_bosh - "/upload": mod_http_upload "/admin": ejabberd_web_admin custom_headers: "Access-Control-Allow-Origin": "*" @@ -261,6 +260,22 @@ modules: mod_stream_mgmt: {} mod_s2s_dialback: {} mod_http_api: {} + mod_muc_rtbl: {} + mod_s3_upload: + region: <%= @mod_s3_upload[:region] %> + bucket_url: <%= @mod_s3_upload[:bucket_url] %> + download_url: <%= @mod_s3_upload[:download_url] %> + access_key_id: <%= @mod_s3_upload[:key_id] %> + access_key_secret: <%= @mod_s3_upload[:secret_key] %> + max_size: 104857600 + put_ttl: 600 + set_public: true + service_name: 'S3 Upload' + access: local + hosts: +<% @hosts.each do |host| -%> + - "upload.<%= host[:name] %>" +<% end -%> allow_contrib_modules: true diff --git a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb index df9677e..30fd806 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb @@ -21,5 +21,5 @@ host_config: append_host_config: "<%= @host[:name] %>": - <%= @host[:append_host_config].chomp %> +<%= @host[:append_host_config].chomp %> diff --git a/site-cookbooks/kosmos_garage/attributes/default.rb b/site-cookbooks/kosmos_garage/attributes/default.rb index 68cf18f..e5e081f 100644 --- a/site-cookbooks/kosmos_garage/attributes/default.rb +++ b/site-cookbooks/kosmos_garage/attributes/default.rb 
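Review bot: The mod_s3_upload values are rendered as unquoted YAML plain scalars, `access_key_secret: <%= @mod_s3_upload[:secret_key] %>` in particular; a value containing `#`, a leading `*` or `&`, or `: ` would be parsed as a comment, anchor or nested mapping, and ejabberd would either refuse the config or load a truncated secret. Quoting each rendered value, `access_key_secret: "<%= @mod_s3_upload[:secret_key] %>"` (and likewise `access_key_id`, `bucket_url`, `download_url`), costs nothing and removes the dependency on the key alphabet. `set_public: true` also deserves a one-line comment so it is not later read as a mistake, e.g. `# objects are readable by anyone holding the URL; XEP-0363 relies on the unguessable object path, not on auth`. The attributes hash removed in this commit had a `max_upload_size_mb` knob while `max_size: 104857600` is hard-coded here; if a per-environment limit is wanted, pass it through `@mod_s3_upload` like the other values.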
@@ -1,5 +1,5 @@
-node.default['garage']['version'] = '0.8.0'
-node.default['garage']['checksum']['amd64'] = '66dd2ea1f677281a43e10eb619523b1b269f8fde9047ce8caa70958f3b13ca74'
+node.default['garage']['version'] = '0.8.4'
+node.default['garage']['checksum']['amd64'] = '45403d494847c42efc620f66c52d27c0bb0446a490e62f5b0b87489a588a767d'
 node.default['garage']['replication_mode'] = 'none'
 node.default['garage']['s3_api_port'] = 3900
 node.default['garage']['rpc_port'] = 3901
@@ -9,3 +9,4 @@ node.default['garage']['k2v_api_port'] = 3904
 node.default['garage']['s3_api_root_domain'] = '.s3.garage.localhost'
 node.default['garage']['s3_web_root_domain'] = '.web.garage.localhost'
 node.default['garage']['s3_web_domains'] = []
+node.default['garage']['xmpp_upload_bucket'] = nil
diff --git a/site-cookbooks/kosmos_garage/recipes/nginx_s3.rb b/site-cookbooks/kosmos_garage/recipes/nginx_s3.rb
new file mode 100644
index 0000000..c9ff909
--- /dev/null
+++ b/site-cookbooks/kosmos_garage/recipes/nginx_s3.rb
@@ -0,0 +1,22 @@
+#
+# Cookbook Name:: kosmos_garage
+# Recipe:: nginx_s3
+#
+
+domain_name = node['garage']['s3_api_root_domain']
+server_name = "*.#{domain_name}"
+
+tls_cert_for domain_name do
+ domain [domain_name, server_name]
+ auth "gandi_dns"
+ action :create
+end
+
+openresty_site domain_name do
+ template "nginx_conf_s3.erb"
+ variables server_name: "#{domain_name} #{server_name}",
+ domain_name: domain_name,
+ xmpp_upload_bucket: node['garage']['xmpp_upload_bucket'],
+ ssl_cert: "/etc/letsencrypt/live/#{domain_name}/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/#{domain_name}/privkey.pem"
+end
diff --git a/site-cookbooks/kosmos_garage/recipes/nginx_web.rb b/site-cookbooks/kosmos_garage/recipes/nginx_web.rb
index ed8884c..27919e3 100644
--- a/site-cookbooks/kosmos_garage/recipes/nginx_web.rb
+++ b/site-cookbooks/kosmos_garage/recipes/nginx_web.rb
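Review bot: The new nginx_s3 recipe's header gives only its name and says nothing about what it exposes: a public, TLS-terminated S3 API for every bucket under the wildcard host, where `xmpp_upload_bucket` is only used by the template to adjust PUT status codes. Suggest extending the header after `# Recipe:: nginx_s3` with `# Public S3 API: terminates TLS for <root> and *.<root> and proxies to the local Garage S3 port.` and `# nginx adds no access control here; request authentication is left entirely to Garage.` That second line is the important one for whoever later adds a location block and assumes the proxy is gating anything.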
@@ -15,18 +15,41 @@ proxy_cache_path #{node['openresty']['cache_dir']}/garage EOF end -domains = node['garage']['s3_web_domains'] +# +# Root domain for public Web access via bucket-name.root-domain.tld +# -domains.each do |server_name| - tls_cert_for server_name do +domain_name = node['garage']['s3_web_root_domain'] +server_name = "*.#{domain_name}" + +tls_cert_for server_name do + auth "gandi_dns" + action :create +end + +openresty_site domain_name do + template "nginx_conf_web.erb" + variables server_name: server_name, + domain_name: domain_name, + ssl_cert: "/etc/letsencrypt/live/#{domain_name}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{domain_name}/privkey.pem" +end + +# +# Custom domains for public Web access +# + +node['garage']['s3_web_domains'].each do |domain_name| + tls_cert_for domain_name do auth "gandi_dns" action :create end - openresty_site server_name do + openresty_site domain_name do template "nginx_conf_web.erb" - variables server_name: server_name, - ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem", - ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem" + variables server_name: domain_name, + domain_name: domain_name, + ssl_cert: "/etc/letsencrypt/live/#{domain_name}/fullchain.pem", + ssl_key: "/etc/letsencrypt/live/#{domain_name}/privkey.pem" end end diff --git a/site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb b/site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb new file mode 100644 index 0000000..90e5783 --- /dev/null +++ b/site-cookbooks/kosmos_garage/templates/nginx_conf_s3.erb 
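Review bot: `tls_cert_for server_name` requests the certificate under the wildcard name `*.<s3_web_root_domain>`, but the `openresty_site` below it points `ssl_cert`/`ssl_key` at `/etc/letsencrypt/live/#{domain_name}/`, the lineage named after the bare root; that only lines up if the certificate tooling strips the `*.` when naming the lineage, which is an implicit dependency nothing here documents. nginx_s3.rb in this same commit spells it out with `tls_cert_for domain_name do domain [domain_name, server_name] ... end`, so the two recipes should use the same form; here that would be `tls_cert_for domain_name do` followed by `  domain [server_name]` (the root is not in `server_name`, so it need not be in the certificate). If the implicit naming is in fact what the resource guarantees, a one-line comment above the call stating so would do instead.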
@@ -0,0 +1,49 @@
+upstream garage_s3 {
+ server 127.0.0.1:3900;
+}
+
+server {
+ listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
+ listen [::]:443 http2 ssl;
+
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+
+ server_name <%= @server_name %>;
+
+ access_log <%= node[:openresty][:log_dir] %>/<%= @domain_name %>.access.log json;
+ error_log <%= node[:openresty][:log_dir] %>/<%= @domain_name %>.error.log warn;
+
+ error_page 401 403 404 500 /__empty-page.html;
+
+ location = /__empty-page.html {
+ internal;
+ return 200 "";
+ }
+
+ location / {
+ if ($request_method = OPTIONS) {
+ add_header Content-Length 0;
+ add_header Content-Type text/plain;
+ return 200;
+ }
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_request_buffering off;
+ proxy_max_temp_file_size 0;
+
+ proxy_pass http://garage_s3;
+
+<% if @xmpp_upload_bucket %>
+ # Some XMPP clients (e.g. Beagle, Siskin, Snikket, Monal) require a 201 CREATED
+ # for PUT requests to be considered successful
+ header_filter_by_lua_block {
+ if ngx.var.http_host == "<%= @xmpp_upload_bucket %>.<%= @domain_name %>" and
+ ngx.req.get_method() == "PUT" and ngx.status == ngx.HTTP_OK then
+ ngx.status = ngx.HTTP_CREATED
+ end
+ }
+<% end %>
+ }
+}
diff --git a/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb b/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
index 49e219c..d085d9a 100644
--- a/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
+++ b/site-cookbooks/kosmos_garage/templates/nginx_conf_web.erb
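Review bot: The `location /` block that proxies uploads sets `proxy_request_buffering off` but no `client_max_body_size`; nginx's default is 1m, so unless the openresty http block (not in this diff) already raises it, every PUT over 1 MiB to the upload bucket is answered 413 before it reaches Garage, while mod_s3_upload advertises `max_size: 104857600` to clients. Add `client_max_body_size 100m;` next to `proxy_request_buffering off;`, ideally rendered from the same attribute that feeds mod_s3_upload. Two smaller things: the `if ($request_method = OPTIONS)` branch answers every preflight itself with no `Access-Control-*` headers, so unless an outer `add_header` supplies them, CORS rules configured on the bucket in Garage can never reach a browser client — either drop the branch and let Garage answer, or emit the allow headers there; and `server 127.0.0.1:3900;` duplicates `node['garage']['s3_api_port']`, so `server 127.0.0.1:<%= node['garage']['s3_api_port'] %>;` keeps the two in sync.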
@@ -1,14 +1,15 @@ server { - listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; + listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2; listen [::]:443 http2 ssl; server_name <%= @server_name %>; - access_log off; - ssl_certificate <%= @ssl_cert %>; ssl_certificate_key <%= @ssl_key %>; + access_log <%= node[:openresty][:log_dir] %>/<%= @domain_name %>.access.log json; + error_log <%= node[:openresty][:log_dir] %>/<%= @domain_name %>.error.log warn; + error_page 401 403 404 500 /__empty-page.html; location = /__empty-page.html {