Migrate ejabberd uploads to mod_s3_upload and Garage

In addition to installing and configuring the new module, this also
enables public access to the S3 API via `bucket-name.s3.kosmos.org` as
well as Web access on `bucket-name.web.s3.kosmos.org` (when enabled).

Also includes some drive-by improvements to Chef attribute naming and
usage.

Co-authored-by: Greg Karékinian <greg@karekinian.com>
Râu Cao 2023-10-10 17:55:55 +02:00
parent 832075dfb2
commit 65d71d6a73
Signed by: raucao
GPG Key ID: 15E65F399D084BA9
25 changed files with 322 additions and 132 deletions

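--- a/clients/garage-5.json
+++ b/clients/garage-5.json
@@ -0,0 +1,4 @@
+{
+"name": "garage-5",
+"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnJxLFOBbml94W/GAe7nm\ntZs1Ziy8IbqXySsm8bSwWhRMQ8UuseqQLG30R3Q5X5AoJbtNfd26l63qLtP2fFtL\n5km9dV+2FoIJWFetl8Wzr7CaLYAiNzTQSFHlV7+6DKmPMDcJ63GKrFR77vkSGOG6\nOWL1bJy5BOaClp/sKL/0WQ0+mRbTP6RCQ2eI+46clAg702SenBU6Nz9HDm+teKN7\nYlP1CvzXgfgfpDOsat7wGn5+oKcmKavZxcdn8bt5jRpg8v3JezaZIjMXt7XcNS4n\n0F4XO/efnZE5B5SN68j4BpD8N79zJw4HlRIGP+RaYv2qLtBeWgLHCCs9wXQXfj6b\nLwIDAQAB\n-----END PUBLIC KEY-----\n"
+}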


@ -1,44 +1,58 @@
{ {
"id": "ejabberd", "id": "ejabberd",
"5apps_ldap_password": { "5apps_ldap_password": {
"encrypted_data": "Jyt8IRrAt2LbyaMoKmo3SS+1ywXZhr1B0VtaE6L+Rg==\n", "encrypted_data": "jsV7M+1lg4cc+x3WP+sWg4K5XcyFNPrCnlPA6Tl+mA==\n",
"iv": "fpVbd9Xl662cJvKU\n", "iv": "qkYV3ljTHgiEdpHk\n",
"auth_tag": "dmWcmajdGiFHNamYT+SZWQ==\n", "auth_tag": "SUfcAAr8PmA51JVn+IWRXg==\n",
"version": 3, "version": 3,
"cipher": "aes-256-gcm" "cipher": "aes-256-gcm"
}, },
"kosmos_ldap_password": { "kosmos_ldap_password": {
"encrypted_data": "RtKK1k/gBQYZczxRC7r2MhB65lITFH69UBbdoNjoIQ==\n", "encrypted_data": "JzDO3Xlr0aF6xWmHXhkWDjpimgmQDR9SgQn0EAA20g==\n",
"iv": "MtMrzXMVoxe/rRGX\n", "iv": "gtMZ06rxKzi6O3we\n",
"auth_tag": "q5SZT+2rT+jUDh9FNjZq8Q==\n", "auth_tag": "jnjd0P3yx8p4VOuoe4AArg==\n",
"version": 3, "version": 3,
"cipher": "aes-256-gcm" "cipher": "aes-256-gcm"
}, },
"uploads_secret": { "uploads_secret": {
"encrypted_data": "01E+ANiUyZXzeSPtgQ9G2PHP0iyW2G2ApBg0shntTtoe\n", "encrypted_data": "LXd5zSsZDqQ/jVUVCjN8i+DjcS89xkn9jUh/+Qsqzty8\n",
"iv": "97nkWn0VLV4g9NmN\n", "iv": "Xrh8s7woFiUDAR8N\n",
"auth_tag": "bvQ2owruKwJZNPQ8eb2pXQ==\n", "auth_tag": "tdlaQGzJIDWjz+xRNq1/UQ==\n",
"version": 3, "version": 3,
"cipher": "aes-256-gcm" "cipher": "aes-256-gcm"
}, },
"admins": { "admins": {
"encrypted_data": "bqSE9Owd1uxwFnFfE3+i7CNM+6SekM84Zkp6mBm1e++e4WAwhXgjvvdD/4hx\nYSysn41o77DG\n", "encrypted_data": "5ykS3j5SfWstOwVcgtitAHpKSCyol+cqQvpd5gEGbnqUPB1x/1XzN+L01jSY\nCPcSUSJadXyu\n",
"iv": "p3MHwqp0eCM0ct1R\n", "iv": "9OqWkcaMwUwrnUr5\n",
"auth_tag": "MKvzZYJgvAeNmDUgZy8hdg==\n", "auth_tag": "boB/6oxS9lyTVk3xlddUXw==\n",
"version": 3, "version": 3,
"cipher": "aes-256-gcm" "cipher": "aes-256-gcm"
}, },
"erlang_cookie": { "erlang_cookie": {
"encrypted_data": "+fYG16Q2ImhMIvnVnNRmCD3THSqkgHkEFdgqvOEFjAg8YT10do+B\n", "encrypted_data": "dJGPR8Wt08dndhj2i8u5QIS7xVKxMlFNIXlR7z87L6bq2GV5uSbi\n",
"iv": "znHqFysDrwAaDF9u\n", "iv": "MSCY5oPea7PBr4t+\n",
"auth_tag": "2DQDCeEBz025Q2tXpbJq4w==\n", "auth_tag": "15UteU8giZoPWkV8f8a85Q==\n",
"version": 3, "version": 3,
"cipher": "aes-256-gcm" "cipher": "aes-256-gcm"
}, },
"stun_secret": { "stun_secret": {
"encrypted_data": "ZPTari/XE9MhCz4u7ydjt6hbSxCRpuqV1v198uGbAOsvqD+LI9PqmV76df0=\n", "encrypted_data": "raGN5Q3yrVxmpYcnLtxh2lzpFUZp+uZxE0+RyWdkKOv4pmg52Sxbgw1vvdg=\n",
"iv": "Tu/A0E2rQ324ksfg\n", "iv": "3/SpX2kO/g8Fp0oY\n",
"auth_tag": "CFqLmR2uNrL+7wAzmgLgCA==\n", "auth_tag": "hFzJs0sz/Gf8RAivDen7Hw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_key_id": {
"encrypted_data": "TJm8USSzLn7N9IqV5UgVBCfp7XXyL5JKxvC5mdL+2ZDTnWUFuIOH5tFmigtc\n",
"iv": "fpoAWqct04pDHzeZ\n",
"auth_tag": "1aUzuzDCXePi4tKFOiZZVw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"s3_secret_key": {
"encrypted_data": "tUfqkVuGTRbc8r8hJsgaHeWSKh1EEvqzXBhLBXZ3O7QnM+zfL70DXdtLa5zl\nghmypGIUXok/wY4LCV92GoVC7SyEdYWwFHB7wqmV/QXICHMy8eE=\n",
"iv": "d4vzG9SeAtdMttO/\n",
"auth_tag": "HJkNEd11pKwSu3ImogV1iQ==\n",
"version": 3, "version": 3,
"cipher": "aes-256-gcm" "cipher": "aes-256-gcm"
} }


@ -16,14 +16,19 @@
"droneci": { "droneci": {
"public_url": "https://drone.kosmos.org" "public_url": "https://drone.kosmos.org"
}, },
"ejabberd": {
"turn_ip_address": "148.251.83.201"
},
"garage": { "garage": {
"replication_mode": "2", "replication_mode": "2",
"s3_api_root_domain": "s3.kosmos.org", "s3_api_root_domain": "s3.kosmos.org",
"s3_web_root_domain": "web.s3.kosmos.org", "s3_web_root_domain": "web.s3.kosmos.org",
"s3_web_domains": [ "s3_web_domains": [
"media.kosmos.chat",
"s3.kosmos.social", "s3.kosmos.social",
"s3.community.kosmos.org" "s3.community.kosmos.org"
] ],
"xmpp_upload_bucket": "kosmos-xmpp-uploads"
}, },
"gitea": { "gitea": {
"domain": "gitea.kosmos.org", "domain": "gitea.kosmos.org",


@ -1,5 +1,6 @@
{ {
"name": "ejabberd-4", "name": "ejabberd-4",
"chef_environment": "production",
"normal": { "normal": {
"knife_zero": { "knife_zero": {
"host": "10.1.1.113" "host": "10.1.1.113"
@ -16,7 +17,8 @@
"kvm_guest", "kvm_guest",
"ldap_client", "ldap_client",
"ejabberd", "ejabberd",
"postgresql_client" "postgresql_client",
"garage_gateway"
], ],
"recipes": [ "recipes": [
"kosmos-base", "kosmos-base",
@ -24,6 +26,9 @@
"kosmos_kvm::guest", "kosmos_kvm::guest",
"kosmos-dirsrv::hostsfile", "kosmos-dirsrv::hostsfile",
"kosmos_postgresql::hostsfile", "kosmos_postgresql::hostsfile",
"kosmos_garage",
"kosmos_garage::default",
"kosmos_garage::firewall_rpc",
"kosmos-ejabberd::letsencrypt", "kosmos-ejabberd::letsencrypt",
"kosmos-ejabberd", "kosmos-ejabberd",
"kosmos-ejabberd::default", "kosmos-ejabberd::default",
@ -41,22 +46,22 @@
"postfix::_attributes", "postfix::_attributes",
"postfix::sasl_auth", "postfix::sasl_auth",
"hostname::default", "hostname::default",
"firewall::default",
"kosmos-base::letsencrypt", "kosmos-base::letsencrypt",
"kosmos-ejabberd::firewall", "kosmos-ejabberd::firewall"
"tor-full::default"
], ],
"platform": "ubuntu", "platform": "ubuntu",
"platform_version": "20.04", "platform_version": "20.04",
"cloud": null, "cloud": null,
"chef_packages": { "chef_packages": {
"chef": { "chef": {
"version": "17.9.26", "version": "18.3.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.9.26/lib", "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
"chef_effortless": null "chef_effortless": null
}, },
"ohai": { "ohai": {
"version": "17.9.1", "version": "18.1.4",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.1/lib/ohai" "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
} }
} }
}, },


@ -1,5 +1,6 @@
{ {
"name": "ejabberd-8", "name": "ejabberd-8",
"chef_environment": "production",
"normal": { "normal": {
"knife_zero": { "knife_zero": {
"host": "10.1.1.123" "host": "10.1.1.123"
@ -16,7 +17,8 @@
"kvm_guest", "kvm_guest",
"ldap_client", "ldap_client",
"ejabberd", "ejabberd",
"postgresql_client" "postgresql_client",
"garage_gateway"
], ],
"recipes": [ "recipes": [
"kosmos-base", "kosmos-base",
@ -24,6 +26,9 @@
"kosmos_kvm::guest", "kosmos_kvm::guest",
"kosmos-dirsrv::hostsfile", "kosmos-dirsrv::hostsfile",
"kosmos_postgresql::hostsfile", "kosmos_postgresql::hostsfile",
"kosmos_garage",
"kosmos_garage::default",
"kosmos_garage::firewall_rpc",
"kosmos-ejabberd::letsencrypt", "kosmos-ejabberd::letsencrypt",
"kosmos-ejabberd", "kosmos-ejabberd",
"kosmos-ejabberd::default", "kosmos-ejabberd::default",
@ -41,22 +46,22 @@
"postfix::_attributes", "postfix::_attributes",
"postfix::sasl_auth", "postfix::sasl_auth",
"hostname::default", "hostname::default",
"firewall::default",
"kosmos-base::letsencrypt", "kosmos-base::letsencrypt",
"kosmos-ejabberd::firewall", "kosmos-ejabberd::firewall"
"tor-full::default"
], ],
"platform": "ubuntu", "platform": "ubuntu",
"platform_version": "20.04", "platform_version": "20.04",
"cloud": null, "cloud": null,
"chef_packages": { "chef_packages": {
"chef": { "chef": {
"version": "17.10.3", "version": "18.3.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib", "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
"chef_effortless": null "chef_effortless": null
}, },
"ohai": { "ohai": {
"version": "17.9.0", "version": "18.1.4",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai" "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
} }
} }
}, },


@ -42,6 +42,7 @@
"kosmos_drone::nginx", "kosmos_drone::nginx",
"kosmos-ejabberd::nginx", "kosmos-ejabberd::nginx",
"kosmos_garage::nginx_web", "kosmos_garage::nginx_web",
"kosmos_garage::nginx_s3",
"kosmos_gitea::nginx", "kosmos_gitea::nginx",
"kosmos_gitea::nginx_ssh", "kosmos_gitea::nginx_ssh",
"kosmos_rsk::nginx_testnet", "kosmos_rsk::nginx_testnet",


@ -23,7 +23,8 @@
"kosmos_kvm::guest", "kosmos_kvm::guest",
"kosmos_garage", "kosmos_garage",
"kosmos_garage::default", "kosmos_garage::default",
"kosmos_garage::firewall", "kosmos_garage::firewall_rpc",
"kosmos_garage::firewall_apis",
"apt::default", "apt::default",
"timezone_iii::default", "timezone_iii::default",
"timezone_iii::debian", "timezone_iii::debian",
@ -38,21 +39,20 @@
"postfix::_attributes", "postfix::_attributes",
"postfix::sasl_auth", "postfix::sasl_auth",
"hostname::default", "hostname::default",
"firewall::default", "firewall::default"
"chef-sugar::default"
], ],
"platform": "ubuntu", "platform": "ubuntu",
"platform_version": "20.04", "platform_version": "20.04",
"cloud": null, "cloud": null,
"chef_packages": { "chef_packages": {
"chef": { "chef": {
"version": "17.10.3", "version": "18.3.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib", "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
"chef_effortless": null "chef_effortless": null
}, },
"ohai": { "ohai": {
"version": "17.9.0", "version": "18.1.4",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai" "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
} }
} }
}, },


@ -23,7 +23,8 @@
"kosmos_kvm::guest", "kosmos_kvm::guest",
"kosmos_garage", "kosmos_garage",
"kosmos_garage::default", "kosmos_garage::default",
"kosmos_garage::firewall", "kosmos_garage::firewall_rpc",
"kosmos_garage::firewall_apis",
"apt::default", "apt::default",
"timezone_iii::default", "timezone_iii::default",
"timezone_iii::debian", "timezone_iii::debian",
@ -38,21 +39,20 @@
"postfix::_attributes", "postfix::_attributes",
"postfix::sasl_auth", "postfix::sasl_auth",
"hostname::default", "hostname::default",
"firewall::default", "firewall::default"
"chef-sugar::default"
], ],
"platform": "ubuntu", "platform": "ubuntu",
"platform_version": "20.04", "platform_version": "20.04",
"cloud": null, "cloud": null,
"chef_packages": { "chef_packages": {
"chef": { "chef": {
"version": "17.10.3", "version": "18.3.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib", "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
"chef_effortless": null "chef_effortless": null
}, },
"ohai": { "ohai": {
"version": "17.9.0", "version": "18.1.4",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai" "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
} }
} }
}, },

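--- a/nodes/garage-5.json
+++ b/nodes/garage-5.json
@@ -0,0 +1,64 @@
+{
+"name": "garage-5",
+"chef_environment": "production",
+"normal": {
+"knife_zero": {
+"host": "10.1.1.33"
+}
+},
+"automatic": {
+"fqdn": "garage-5",
+"os": "linux",
+"os_version": "5.15.0-84-generic",
+"hostname": "garage-5",
+"ipaddress": "192.168.122.55",
+"roles": [
+"base",
+"kvm_guest",
+"garage_node"
+],
+"recipes": [
+"kosmos-base",
+"kosmos-base::default",
+"kosmos_kvm::guest",
+"kosmos_garage",
+"kosmos_garage::default",
+"kosmos_garage::firewall_rpc",
+"kosmos_garage::firewall_apis",
+"apt::default",
+"timezone_iii::default",
+"timezone_iii::debian",
+"ntp::default",
+"ntp::apparmor",
+"kosmos-base::systemd_emails",
+"apt::unattended-upgrades",
+"kosmos-base::firewall",
+"kosmos-postfix::default",
+"postfix::default",
+"postfix::_common",
+"postfix::_attributes",
+"postfix::sasl_auth",
+"hostname::default",
+"firewall::default"
+],
+"platform": "ubuntu",
+"platform_version": "22.04",
+"cloud": null,
+"chef_packages": {
+"chef": {
+"version": "18.3.0",
+"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/chef-18.3.0/lib",
+"chef_effortless": null
+},
+"ohai": {
+"version": "18.1.4",
+"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/ohai-18.1.4/lib/ohai"
+}
+}
+},
+"run_list": [
+"role[base]",
+"role[kvm_guest]",
+"role[garage_node]"
+]
+}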


@ -7,6 +7,7 @@ default_run_list = %w(
production_run_list = %w( production_run_list = %w(
role[postgresql_client] role[postgresql_client]
role[garage_gateway]
kosmos-ejabberd::letsencrypt kosmos-ejabberd::letsencrypt
kosmos-ejabberd::default kosmos-ejabberd::default
) )


@ -23,6 +23,7 @@ production_run_list = %w(
kosmos_drone::nginx kosmos_drone::nginx
kosmos-ejabberd::nginx kosmos-ejabberd::nginx
kosmos_garage::nginx_web kosmos_garage::nginx_web
kosmos_garage::nginx_s3
kosmos_gitea::nginx kosmos_gitea::nginx
kosmos_gitea::nginx_ssh kosmos_gitea::nginx_ssh
kosmos_rsk::nginx_testnet kosmos_rsk::nginx_testnet


@ -1,16 +1,7 @@
node.default["kosmos-ejabberd"]["version"] = "23.04" node.default["ejabberd"]["version"] = "23.04"
node.default["kosmos-ejabberd"]["package_version"] = "1" node.default["ejabberd"]["package_version"] = "1"
node.default["kosmos-ejabberd"]["checksum"] = "0bc273043085f8bc333abd176e767cc0a77b7336014777c2f2d10ae27e3d8aec" node.default["ejabberd"]["checksum"] = "0bc273043085f8bc333abd176e767cc0a77b7336014777c2f2d10ae27e3d8aec"
node.default["kosmos-ejabberd"]["turn_ip_address"] = "148.251.83.201" node.default["ejabberd"]["turn_ip_address"] = nil
node.default["kosmos-ejabberd"]["stun_turn_port"] = 3478 node.default["ejabberd"]["stun_turn_port"] = 3478
node.default["kosmos-ejabberd"]["turn_min_port"] = 50000 node.default["ejabberd"]["turn_min_port"] = 50000
node.default["kosmos-ejabberd"]["turn_max_port"] = 50050 node.default["ejabberd"]["turn_max_port"] = 50050
node.default["kosmos-ejabberd"]["uploads"] = {
"domain" => "uploads.kosmos.chat",
"max_upload_size_mb" => "100",
"upload.pm" => {
"repo" => "https://gitea.kosmos.org/kosmos/ngx_http_upload.git",
"revision" => "0.2"
}
}


@ -5,12 +5,12 @@
ejabberd_credentials = data_bag_item("credentials", "ejabberd") ejabberd_credentials = data_bag_item("credentials", "ejabberd")
ejabberd_version = node["kosmos-ejabberd"]["version"] ejabberd_version = node["ejabberd"]["version"]
package_checksum = node["kosmos-ejabberd"]["checksum"] package_checksum = node["ejabberd"]["checksum"]
package_path = "#{Chef::Config['file_cache_path']}/ejabberd_#{ejabberd_version}_amd64.deb" package_path = "#{Chef::Config['file_cache_path']}/ejabberd_#{ejabberd_version}_amd64.deb"
remote_file package_path do remote_file package_path do
source "https://github.com/processone/ejabberd/releases/download/#{ejabberd_version}/ejabberd_#{ejabberd_version}-#{node["kosmos-ejabberd"]["package_version"]}_amd64.deb" source "https://github.com/processone/ejabberd/releases/download/#{ejabberd_version}/ejabberd_#{ejabberd_version}-#{node["ejabberd"]["package_version"]}_amd64.deb"
checksum package_checksum checksum package_checksum
notifies :install, "dpkg_package[ejabberd]", :immediately notifies :install, "dpkg_package[ejabberd]", :immediately
end end
@ -22,6 +22,21 @@ dpkg_package "ejabberd" do
action :nothing action :nothing
end end
execute "update contrib modules" do
command "ejabberdctl modules_update_specs"
end
%w[mod_s3_upload].each do |emod|
execute "install #{emod}" do
command "ejabberdctl module_install #{emod}"
not_if { ::File.exist?("/opt/ejabberd/.ejabberd-modules/#{emod}/ebin") }
end
file "/opt/ejabberd/.ejabberd-modules/#{emod}/conf/#{emod}.yml" do
action :delete
end
end
file "/opt/ejabberd/.erlang.cookie" do file "/opt/ejabberd/.erlang.cookie" do
mode "0400" mode "0400"
owner "ejabberd" owner "ejabberd"
@ -92,12 +107,6 @@ modules:
default_room_options: default_room_options:
mam: true mam: true
preload_rooms: true preload_rooms: true
mod_muc_rtbl: {}
mod_http_upload:
put_url: "https://uploads.kosmos.chat/8af2c77"
external_secret: "#{ejabberd_credentials["uploads_secret"]}"
max_size: 104857600
thumbnail: false # otherwise needs the identify command from ImageMagick installed
EOF EOF
}, },
{ {
@ -133,12 +142,6 @@ modules:
persistent: true persistent: true
mam: true mam: true
preload_rooms: true preload_rooms: true
mod_muc_rtbl: {}
mod_http_upload:
put_url: "https://uploads.kosmos.chat/2802cfe"
external_secret: "#{ejabberd_credentials["uploads_secret"]}"
max_size: 104857600
thumbnail: false # otherwise needs the identify command from ImageMagick installed
EOF EOF
} }
] ]
@ -182,12 +185,19 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
admin_users: admin_users, admin_users: admin_users,
stun_auth_realm: "kosmos.org", stun_auth_realm: "kosmos.org",
stun_secret: ejabberd_credentials['stun_secret'], stun_secret: ejabberd_credentials['stun_secret'],
turn_ip_address: node["kosmos-ejabberd"]["turn_ip_address"], turn_ip_address: node["ejabberd"]["turn_ip_address"],
stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"], stun_turn_port: node["ejabberd"]["stun_turn_port"],
turn_min_port: node["kosmos-ejabberd"]["turn_min_port"], turn_min_port: node["ejabberd"]["turn_min_port"],
turn_max_port: node["kosmos-ejabberd"]["turn_max_port"], turn_max_port: node["ejabberd"]["turn_max_port"],
private_ip_address: node["knife_zero"]["host"], private_ip_address: node["knife_zero"]["host"],
akkounts_ip_addresses: akkounts_ip_addresses akkounts_ip_addresses: akkounts_ip_addresses,
mod_s3_upload: {
region: "garage",
bucket_url: "https://#{node["garage"]["xmpp_upload_bucket"]}.#{node["garage"]["s3_api_root_domain"]}",
download_url: "https://media.kosmos.chat",
key_id: ejabberd_credentials['s3_key_id'],
secret_key: ejabberd_credentials['s3_secret_key']
}
notifies :reload, "service[ejabberd]", :delayed notifies :reload, "service[ejabberd]", :delayed
end end
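Review bot: `execute "update contrib modules"` has no guard, so `ejabberdctl modules_update_specs` runs — and fetches the contrib spec repository over the network — on every converge rather than only when a module is missing, and the resource reports as updated each run. Give it `action :nothing` and fire it from the install resource with `notifies :run, "execute[update contrib modules]", :before` inside `execute "install #{emod}"`, whose existing `not_if` then bounds both resources. Separately, `ejabberdctl module_install #{emod}` builds whatever revision the contrib spec currently points at, while the ejabberd package a few lines up is pinned by version and `checksum package_checksum`; if the module is meant to be pinned too, the revision would need to be recorded as an attribute and verified after installation. In the template variables, `download_url: "https://media.kosmos.chat"` is a literal beside the attribute-driven `bucket_url`; an attribute would keep it in step with the same host listed under `s3_web_domains` in the environment.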


@ -25,13 +25,13 @@ firewall_rule 'erlang_cluster' do
end end
firewall_rule 'ejabberd_stun_turn' do firewall_rule 'ejabberd_stun_turn' do
port node["kosmos-ejabberd"]["stun_turn_port"] port node["ejabberd"]["stun_turn_port"]
protocol :udp protocol :udp
command :allow command :allow
end end
firewall_rule 'ejabberd_turn' do firewall_rule 'ejabberd_turn' do
port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"] port node["ejabberd"]["turn_min_port"]..node["ejabberd"]["turn_max_port"]
protocol :udp protocol :udp
command :allow command :allow
end end


@ -20,7 +20,7 @@ for domain in $RENEWED_DOMAINS; do
cp "${RENEWED_LINEAGE}/fullchain.pem" /opt/ejabberd/conf/$domain.crt cp "${RENEWED_LINEAGE}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
chown ejabberd:ejabberd /opt/ejabberd/conf/$domain.* chown ejabberd:ejabberd /opt/ejabberd/conf/$domain.*
chmod 600 /opt/ejabberd/conf/$domain.* chmod 600 /opt/ejabberd/conf/$domain.*
/opt/ejabberd-#{node["kosmos-ejabberd"]["version"]}/bin/ejabberdctl reload_config /opt/ejabberd-#{node["ejabberd"]["version"]}/bin/ejabberdctl reload_config
;; ;;
esac esac
done done


@ -20,20 +20,20 @@ end
openresty_stream "ejabberd" do openresty_stream "ejabberd" do
template "nginx_conf_streams.erb" template "nginx_conf_streams.erb"
variables ejabberd_hosts: ["10.1.1.113"], variables ejabberd_hosts: ["10.1.1.113"],
stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"], stun_turn_port: node["ejabberd"]["stun_turn_port"],
turn_min_port: node["kosmos-ejabberd"]["turn_min_port"], turn_min_port: node["ejabberd"]["turn_min_port"],
turn_max_port: node["kosmos-ejabberd"]["turn_max_port"] turn_max_port: node["ejabberd"]["turn_max_port"]
action :enable action :enable
end end
firewall_rule 'ejabberd_stun_turn' do firewall_rule 'ejabberd_stun_turn' do
port node["kosmos-ejabberd"]["stun_turn_port"] port node["ejabberd"]["stun_turn_port"]
protocol :udp protocol :udp
command :allow command :allow
end end
firewall_rule 'ejabberd_turn' do firewall_rule 'ejabberd_turn' do
port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"] port node["ejabberd"]["turn_min_port"]..node["ejabberd"]["turn_max_port"]
protocol :udp protocol :udp
command :allow command :allow
end end


@ -2,28 +2,6 @@
# Cookbook:: kosmos-ejabberd # Cookbook:: kosmos-ejabberd
# Recipe:: pg_db # Recipe:: pg_db
# #
# The MIT License (MIT)
#
# Copyright:: 2020, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
#
postgresql_data_bag_item = data_bag_item('credentials', 'postgresql') postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')


@ -8,7 +8,7 @@ include_recipe "kosmos-nginx::with_perl"
ejabberd_credentials = data_bag_item("credentials", "ejabberd") ejabberd_credentials = data_bag_item("credentials", "ejabberd")
uploads_secret = ejabberd_credentials["uploads_secret"] uploads_secret = ejabberd_credentials["uploads_secret"]
upload_config = node["kosmos-ejabberd"]["uploads"] upload_config = node["ejabberd"]["uploads"]
domain = upload_config["domain"] domain = upload_config["domain"]
git "/opt/upload.pm" do git "/opt/upload.pm" do
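Review bot: `upload_config = node["ejabberd"]["uploads"]` now reads an attribute this commit deletes without replacement in the `attributes/default.rb` hunk (the whole `uploads` hash), so if this recipe is still converged anywhere the next line, `domain = upload_config["domain"]`, fails with `undefined method '[]' for nil`. Since `mod_http_upload` and its `/upload` request handler are removed from `ejabberd.yml.erb` in the same commit, the recipe appears to be dead code and should probably be deleted along with this remaining consumer of `uploads_secret`; if it is kept, reinstate the attribute or guard it with `return if upload_config.nil?`. The `git "/opt/upload.pm" do` block continues outside the hunk.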


@ -77,7 +77,6 @@ listen:
request_handlers: request_handlers:
"/ws": ejabberd_http_ws "/ws": ejabberd_http_ws
"/bosh": mod_bosh "/bosh": mod_bosh
"/upload": mod_http_upload
"/admin": ejabberd_web_admin "/admin": ejabberd_web_admin
custom_headers: custom_headers:
"Access-Control-Allow-Origin": "*" "Access-Control-Allow-Origin": "*"
@ -261,6 +260,22 @@ modules:
mod_stream_mgmt: {} mod_stream_mgmt: {}
mod_s2s_dialback: {} mod_s2s_dialback: {}
mod_http_api: {} mod_http_api: {}
mod_muc_rtbl: {}
mod_s3_upload:
region: <%= @mod_s3_upload[:region] %>
bucket_url: <%= @mod_s3_upload[:bucket_url] %>
download_url: <%= @mod_s3_upload[:download_url] %>
access_key_id: <%= @mod_s3_upload[:key_id] %>
access_key_secret: <%= @mod_s3_upload[:secret_key] %>
max_size: 104857600
put_ttl: 600
set_public: true
service_name: 'S3 Upload'
access: local
hosts:
<% @hosts.each do |host| -%>
- "upload.<%= host[:name] %>"
<% end -%>
allow_contrib_modules: true allow_contrib_modules: true
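Review bot: The interpolated values under `mod_s3_upload:` are emitted unquoted — `access_key_secret: <%= @mod_s3_upload[:secret_key] %>` and the `bucket_url`, `download_url` and `access_key_id` lines — so a value containing a YAML indicator (`: `, ` #`, or a leading `*`, `&`, `{`, `[`) would change the document's structure or the parsed value, whereas the removed configuration quoted its secret (`external_secret: "#{...}"`). Wrap each in double quotes, e.g. `access_key_secret: "<%= @mod_s3_upload[:secret_key] %>"`, or render them through `.to_json` so escaping is handled for you. `max_size: 104857600` and `put_ttl: 600` are bare literals next to attribute-driven values; a short comment naming the units (`# bytes` and, presumably, `# seconds a presigned PUT URL stays valid` — confirm against the module docs) or lifting them to attributes like the removed `max_upload_size_mb` would make them easier to keep aligned with the nginx side.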


@ -1,5 +1,5 @@
node.default['garage']['version'] = '0.8.0' node.default['garage']['version'] = '0.8.4'
node.default['garage']['checksum']['amd64'] = '66dd2ea1f677281a43e10eb619523b1b269f8fde9047ce8caa70958f3b13ca74' node.default['garage']['checksum']['amd64'] = '45403d494847c42efc620f66c52d27c0bb0446a490e62f5b0b87489a588a767d'
node.default['garage']['replication_mode'] = 'none' node.default['garage']['replication_mode'] = 'none'
node.default['garage']['s3_api_port'] = 3900 node.default['garage']['s3_api_port'] = 3900
node.default['garage']['rpc_port'] = 3901 node.default['garage']['rpc_port'] = 3901
@ -9,3 +9,4 @@ node.default['garage']['k2v_api_port'] = 3904
node.default['garage']['s3_api_root_domain'] = '.s3.garage.localhost' node.default['garage']['s3_api_root_domain'] = '.s3.garage.localhost'
node.default['garage']['s3_web_root_domain'] = '.web.garage.localhost' node.default['garage']['s3_web_root_domain'] = '.web.garage.localhost'
node.default['garage']['s3_web_domains'] = [] node.default['garage']['s3_web_domains'] = []
node.default['garage']['xmpp_upload_bucket'] = nil


@ -0,0 +1,22 @@
#
# Cookbook Name:: kosmos_garage
# Recipe:: nginx_s3
#
domain_name = node['garage']['s3_api_root_domain']
server_name = "*.#{domain_name}"
tls_cert_for domain_name do
domain [domain_name, server_name]
auth "gandi_dns"
action :create
end
openresty_site domain_name do
template "nginx_conf_s3.erb"
variables server_name: "#{domain_name} #{server_name}",
domain_name: domain_name,
xmpp_upload_bucket: node['garage']['xmpp_upload_bucket'],
ssl_cert: "/etc/letsencrypt/live/#{domain_name}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain_name}/privkey.pem"
end
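Review bot: `server_name = "*.#{domain_name}"`, and likewise the `bucket_url` built in `kosmos-ejabberd::default`, assume `node['garage']['s3_api_root_domain']` carries no leading dot, but the cookbook default in `attributes/default.rb` is `'.s3.garage.localhost'` while the production environment overrides it with the dotless `s3.kosmos.org`. With the default value this recipe renders `*..s3.garage.localhost` and requests a certificate for `.s3.garage.localhost`. Either normalise at the top of the recipe, `domain_name = node['garage']['s3_api_root_domain'].delete_prefix('.')`, or state in the attributes file which form is expected; whichever form the garage.toml template (not in this diff) needs should be the canonical one, with the other side adapting.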


@ -15,18 +15,41 @@ proxy_cache_path #{node['openresty']['cache_dir']}/garage
EOF EOF
end end
domains = node['garage']['s3_web_domains'] #
# Root domain for public Web access via bucket-name.root-domain.tld
#
domain_name = node['garage']['s3_web_root_domain']
server_name = "*.#{domain_name}"
domains.each do |server_name|
tls_cert_for server_name do tls_cert_for server_name do
auth "gandi_dns" auth "gandi_dns"
action :create action :create
end end
openresty_site server_name do openresty_site domain_name do
template "nginx_conf_web.erb" template "nginx_conf_web.erb"
variables server_name: server_name, variables server_name: server_name,
ssl_cert: "/etc/letsencrypt/live/#{server_name}/fullchain.pem", domain_name: domain_name,
ssl_key: "/etc/letsencrypt/live/#{server_name}/privkey.pem" ssl_cert: "/etc/letsencrypt/live/#{domain_name}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain_name}/privkey.pem"
end
#
# Custom domains for public Web access
#
node['garage']['s3_web_domains'].each do |domain_name|
tls_cert_for domain_name do
auth "gandi_dns"
action :create
end
openresty_site domain_name do
template "nginx_conf_web.erb"
variables server_name: domain_name,
domain_name: domain_name,
ssl_cert: "/etc/letsencrypt/live/#{domain_name}/fullchain.pem",
ssl_key: "/etc/letsencrypt/live/#{domain_name}/privkey.pem"
end end
end end
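Review bot: `tls_cert_for server_name do` requests the certificate under the wildcard name only, and the `ssl_cert`/`ssl_key` paths then assume the resulting lineage directory is `/etc/letsencrypt/live/#{domain_name}` — true if `tls_cert_for` (not in this diff) strips the `*.` the way certbot does, but nothing here guarantees it. The sibling `nginx_s3` recipe added in this commit uses the other shape, `tls_cert_for domain_name do` with `domain [domain_name, server_name]`, which also covers the apex and makes the lineage name explicit; using that form here would make the two recipes consistent and the paths certain. If the apex `web.s3.kosmos.org` is deliberately not served, a one-line comment above `server_name = "*.#{domain_name}"` saying so would stop the next reader from "fixing" it.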


@ -0,0 +1,49 @@
upstream garage_s3 {
server 127.0.0.1:3900;
}
server {
listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
listen [::]:443 http2 ssl;
ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>;
server_name <%= @server_name %>;
access_log <%= node[:openresty][:log_dir] %>/<%= @domain_name %>.access.log json;
error_log <%= node[:openresty][:log_dir] %>/<%= @domain_name %>.error.log warn;
error_page 401 403 404 500 /__empty-page.html;
location = /__empty-page.html {
internal;
return 200 "";
}
location / {
if ($request_method = OPTIONS) {
add_header Content-Length 0;
add_header Content-Type text/plain;
return 200;
}
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_request_buffering off;
proxy_max_temp_file_size 0;
proxy_pass http://garage_s3;
<% if @xmpp_upload_bucket %>
# Some XMPP clients (e.g. Beagle, Siskin, Snikket, Monal) require a 201 CREATED
# for PUT requests to be considered successful
header_filter_by_lua_block {
if ngx.var.http_host == "<%= @xmpp_upload_bucket %>.<%= @domain_name %>" and
ngx.req.get_method() == "PUT" and ngx.status == ngx.HTTP_OK then
ngx.status = ngx.HTTP_CREATED
end
}
<% end %>
}
}
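Review bot: The `location /` block sets no `client_max_body_size`, so unless the `http` block of the openresty configuration (not in this diff) raises it, nginx's 1m default rejects any upload larger than that with 413 before it reaches `garage_s3`, while `mod_s3_upload` is configured with `max_size: 104857600`; add `client_max_body_size 100m;` beside `proxy_request_buffering off;`, ideally rendered from the same attribute as `max_size`. The `if ($request_method = OPTIONS)` branch answers preflight requests with an empty 200 and no `Access-Control-*` headers, and because it returns before `proxy_pass` Garage's per-bucket CORS rules are never consulted, so browser-based XMPP clients would fail preflight if they are an expected client type; either emit the headers there or drop the branch and let Garage answer. `error_page 401 403 404 500 /__empty-page.html` discards the S3 error XML for every client, which makes failed uploads hard to diagnose from the client side; a comment explaining why the bodies are suppressed would help the next maintainer.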


@ -1,14 +1,15 @@
server { server {
listen <%= "#{node['openresty']['listen_ip']}:" if node['openresty']['listen_ip'] %>443 ssl http2; listen <%= "#{node[:openresty][:listen_ip]}:" if node[:openresty][:listen_ip] %>443 ssl http2;
listen [::]:443 http2 ssl; listen [::]:443 http2 ssl;
server_name <%= @server_name %>; server_name <%= @server_name %>;
access_log off;
ssl_certificate <%= @ssl_cert %>; ssl_certificate <%= @ssl_cert %>;
ssl_certificate_key <%= @ssl_key %>; ssl_certificate_key <%= @ssl_key %>;
access_log <%= node[:openresty][:log_dir] %>/<%= @domain_name %>.access.log json;
error_log <%= node[:openresty][:log_dir] %>/<%= @domain_name %>.error.log warn;
error_page 401 403 404 500 /__empty-page.html; error_page 401 403 404 500 /__empty-page.html;
location = /__empty-page.html { location = /__empty-page.html {