Merge pull request 'Move dirsrv (LDAP) primary node to new VM' (#401) from new_ldap_server into master
Reviewed-on: #401
This commit is contained in:
commit
6a85c2d5c6
|
@ -0,0 +1,4 @@
|
|||
{
|
||||
"name": "ejabberd-8",
|
||||
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2r+emfhx7bl7MxEeIDGY\nKnj3xEyFvVgXL7GwOsbKszFVgZ17yuPwa6vuiJsZsbcFC/nXgGNH2WF5FEv7XhOi\nwE8KMeNrR4xQ9BEANRlRgUTfrkhZG1NCy7PpVBb7L2r36STBuFSdQJmruJAfvTHm\na4hhmfaSIJ0Wa+Q24gL1GNwkSRdOhXRYxB4OvNIJzzuC3XqgugQVG5xzZh0kULQs\nkZVvkL5dM0FEZzBn8aK2sohTFDivvYJy7PAogC9Z5M1nPatZBowruUZvCym3Wh1J\nRtBwsS9SsTcsUqaT9FpEa7vYUney1/R8G2FAFufTyztjgBQzh78GhU+dek+ycIf1\nVQIDAQAB\n-----END PUBLIC KEY-----\n"
|
||||
}
|
|
@ -0,0 +1,4 @@
|
|||
{
|
||||
"name": "ldap-2.kosmos.org",
|
||||
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAycyHso4sCJ/RLkuQl1Qp\nBaAJsWw8NilZyoZwuaYAC4IGJ1Pn4p+6Ly4vWveGCPbDf18VNFHwNMSjtH94EWOo\nrF8Qiamcn8/NlT6NbbN77fjOFDvwITW9+7zgJz9QNsAT7lbdv9eWlWijnslVvqtk\njx9IuqAF1tEKEfnhj8wAHLT8WPABHzmp3PdfZXKN4fjCL9VcPNruXJiCIuNPnWIo\nUxY9IRa9DiZ1jXIcWrTLLHCzq07jeo+MWpC5Uuz3U6+zfevFBHM0xpGMsouIfvLf\nF+MeckT5OhwujUL4IvfZ0Wl6/5wsvHbLFFW7KsmiBK0Su04OnKnZUSaAmtEDU2w4\nSQIDAQAB\n-----END PUBLIC KEY-----\n"
|
||||
}
|
|
@ -1,38 +1,45 @@
|
|||
{
|
||||
"id": "ejabberd",
|
||||
"5apps_ldap_password": {
|
||||
"encrypted_data": "RdzDZk2F4yBvgII84JGt8AF0LT4cyjRQFQvMJ5LhdB54T06Kjq3S\n",
|
||||
"iv": "+3WlMHiNAFVE4iku\n",
|
||||
"auth_tag": "mKheQu/KeHSyt8W783lrzA==\n",
|
||||
"encrypted_data": "3o0jv/jKAIVR/FcyLH5JfDlbqsEYC1LnN2qK25b47Q==\n",
|
||||
"iv": "6YTMw9vMiDANQDVP\n",
|
||||
"auth_tag": "hIfhn4fHcuV34TLt0o4BLg==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"kosmos_ldap_password": {
|
||||
"encrypted_data": "fABWhxMuLaF2qLFdIN//R6bgBkD60WRWiBZPErB1eBOxHqOp813o\n",
|
||||
"iv": "uBPPYY/FM2hee05V\n",
|
||||
"auth_tag": "cO+zP2QggWIzbuVxtkct2w==\n",
|
||||
"encrypted_data": "3DuaEKmfnBycnPHtOPX59i1Iu2MiDsUv2NhHMLVRVA==\n",
|
||||
"iv": "XC2igt4I4qNNgCYD\n",
|
||||
"auth_tag": "cRKNVa+dgIeKtMJbV26fMQ==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"uploads_secret": {
|
||||
"encrypted_data": "03Y8CNBstV7vYopx8X54hkRSlnwwbOg5Y0KwTPV4qys1\n",
|
||||
"iv": "gLTP7Y2Y70jL+sxH\n",
|
||||
"auth_tag": "HJoyOF4rYm9ayKfViuKBlA==\n",
|
||||
"encrypted_data": "Hsa0CNxtxgSeqcConNMINdNHnq8Nb4FTokRg3yZB2Fw5\n",
|
||||
"iv": "fWjiwhJ7NZIvUHyt\n",
|
||||
"auth_tag": "BS7TfOFSLeozLtuD6pRr6g==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"admins": {
|
||||
"encrypted_data": "mRX2Lxqxb//Gd76bk+G3V+eObaq+NILiMsHHjFvjBCvJrznvRzezqW1VHhwW\ndH/ZY2gM8CVCcmYNQ8Xtg/1loPYAUjROvDRirj5i9fP7zgJRc1anNmohDOle\n34aNPYverGm+IJ21sFrAv4Xe/KleJBO5ynuiInqqvljcu3LiuvSYBXW34yWB\n",
|
||||
"iv": "QqJJM8gmox565JUd\n",
|
||||
"auth_tag": "yWRLb22JwJjjoK6Wdr1ujg==\n",
|
||||
"encrypted_data": "5Nr8AHUFlFCjjG/OtLXcJIfvAF0MLbiGYgmG3ck8Da+duGMLz35Kh/BT4ZCd\nOK/7ID35whjRm0CbaanzfffDiTaa8Bo/DI+2rZDdaFyiaOeGvOXv21YwC7IT\nIZkH6pphbxzR86kfxtPB9bqhkA7rq9toCU1TU3TCXlNG6flR0c02j6t3Nwu7\n",
|
||||
"iv": "vFjSjzaEiZJB4lAo\n",
|
||||
"auth_tag": "3DEcFQSC1H7q/o9EiAwS3A==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"erlang_cookie": {
|
||||
"encrypted_data": "UDCzEWgVLH0z33Exx5G+OjUXw1odz4xO8qRLXODo5jBzMQdyYQCd\n",
|
||||
"iv": "mm+fYYceD1nPsuo1\n",
|
||||
"auth_tag": "77un6mkgrHAmnBQhrhpPfQ==\n",
|
||||
"encrypted_data": "+W8iX2Ye1QL6Tqy4J5DyBIQ8oPEaIWONV1tsoTEZT+YjqqTfFgqo\n",
|
||||
"iv": "2fYgOBtGmqFTFddy\n",
|
||||
"auth_tag": "6tfWx9FA/oD7c4THW7cQlQ==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"stun_secret": {
|
||||
"encrypted_data": "bgLeWgPdI3LQTlxZI2Wcn2/NY+zyumxUPJUFqUrZn7MEEXQOl1Dd2W0Vzks=\n",
|
||||
"iv": "xevLfSR+wqEk5jVw\n",
|
||||
"auth_tag": "7Jvcaq2UlLJVIX7TqSX2OQ==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,23 +1,23 @@
|
|||
{
|
||||
"id": "mediawiki",
|
||||
"db_pass": {
|
||||
"encrypted_data": "bkvlD9N8a2EAoBDRcJ5Yhio7vQPnc5qMxH3Of/A/epieJZXBudkYrDaQZmbu\nSwYseFveqEleys4IbI+zTOaBN5LejDpH\n",
|
||||
"iv": "OPbDsQjNBP7Yabsx\n",
|
||||
"auth_tag": "0cl2nkL0V07cWC5SZjNXBA==\n",
|
||||
"encrypted_data": "giNnksOeZDSsoBSsF/RvaVIbtgp5EpRJnbZdH4nt755Tx3ZjHj8Hl6kvXo2t\n34l6/6jjwUIiig1vxKt8+2pHm1hXAbJ9\n",
|
||||
"iv": "hnDHoyGbZyuQVG5f\n",
|
||||
"auth_tag": "3oNeFn22P25qwJ0KaVerxw==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"ldap_user": {
|
||||
"encrypted_data": "+iKtv/pB8rU0kJYlhr/KNUM63uG5RpDUCduW9sakxwaMs7V5JetSdaUmabIk\np8EiF5FDvYLUWqq5SOblTfPELMY3C0j5XwgxDKo=\n",
|
||||
"iv": "ynjajkZHawmcE81H\n",
|
||||
"auth_tag": "cxcsojaQW8dFZHR50QnZjw==\n",
|
||||
"encrypted_data": "bA21rCjUKGFMxSK3BSmKmIe7JS4C8IU062abpRAe8OBqypLgbgv+YpPiF+v3\nscfMaydHNg9qtK1MzP33MmRkI43q7o2TJXpI6+vZA2Y=\n",
|
||||
"iv": "78mNymw45lR0spXg\n",
|
||||
"auth_tag": "3RdUdoQsquNLUAV+POkcRQ==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
},
|
||||
"ldap_password": {
|
||||
"encrypted_data": "Kb5/RiGyXEf0X4KAgprCrZU+lFaWYuu6gjSXanujWxXx5YUdQLzZ\n",
|
||||
"iv": "U1JBexbrnmJ4HNSZ\n",
|
||||
"auth_tag": "LDeG8mOM5iLxy/VslTakSg==\n",
|
||||
"encrypted_data": "lEaG+bHkMftmJENQ99h+HfRaYFYw4HI/ugwfwKJU2A==\n",
|
||||
"iv": "31oRFt2sXKay+sy1\n",
|
||||
"auth_tag": "tfkRa3lUZkj2PTl39APTTw==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
}
|
||||
|
|
|
@ -44,6 +44,7 @@
|
|||
"redis::default",
|
||||
"backup::default",
|
||||
"logrotate::default",
|
||||
"kosmos-dirsrv::hostsfile",
|
||||
"nodejs::npm",
|
||||
"nodejs::install",
|
||||
"kosmos-nginx::default",
|
||||
|
|
|
@ -33,6 +33,7 @@
|
|||
"postfix::_attributes",
|
||||
"postfix::sasl_auth",
|
||||
"hostname::default",
|
||||
"kosmos-dirsrv::hostsfile",
|
||||
"firewall::default",
|
||||
"chef-sugar::default"
|
||||
],
|
||||
|
|
|
@ -0,0 +1,63 @@
|
|||
{
|
||||
"name": "ejabberd-8",
|
||||
"normal": {
|
||||
"knife_zero": {
|
||||
"host": "10.1.1.123"
|
||||
}
|
||||
},
|
||||
"automatic": {
|
||||
"fqdn": "ejabberd-8",
|
||||
"os": "linux",
|
||||
"os_version": "5.4.0-1063-kvm",
|
||||
"hostname": "ejabberd-8",
|
||||
"ipaddress": "192.168.122.27",
|
||||
"roles": [
|
||||
"ejabberd",
|
||||
"postgresql_client"
|
||||
],
|
||||
"recipes": [
|
||||
"kosmos-base",
|
||||
"kosmos-base::default",
|
||||
"kosmos_postgresql::hostsfile",
|
||||
"kosmos-ejabberd::letsencrypt",
|
||||
"kosmos-ejabberd",
|
||||
"kosmos-ejabberd::default",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
"ntp::default",
|
||||
"ntp::apparmor",
|
||||
"kosmos-base::systemd_emails",
|
||||
"apt::unattended-upgrades",
|
||||
"kosmos-base::firewall",
|
||||
"kosmos-postfix::default",
|
||||
"postfix::default",
|
||||
"postfix::_common",
|
||||
"postfix::_attributes",
|
||||
"postfix::sasl_auth",
|
||||
"hostname::default",
|
||||
"kosmos-base::letsencrypt",
|
||||
"kosmos-dirsrv::hostsfile",
|
||||
"kosmos-ejabberd::firewall",
|
||||
"tor-full::default"
|
||||
],
|
||||
"platform": "ubuntu",
|
||||
"platform_version": "20.04",
|
||||
"cloud": null,
|
||||
"chef_packages": {
|
||||
"chef": {
|
||||
"version": "17.10.3",
|
||||
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
|
||||
"chef_effortless": null
|
||||
},
|
||||
"ohai": {
|
||||
"version": "17.9.0",
|
||||
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
|
||||
}
|
||||
}
|
||||
},
|
||||
"run_list": [
|
||||
"recipe[kosmos-base]",
|
||||
"role[ejabberd]"
|
||||
]
|
||||
}
|
|
@ -24,6 +24,7 @@
|
|||
"kosmos_gitea::nginx",
|
||||
"kosmos_website",
|
||||
"kosmos_website::default",
|
||||
"kosmos-ejabberd::nginx",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
|
|
|
@ -0,0 +1,57 @@
|
|||
{
|
||||
"name": "ldap-2.kosmos.org",
|
||||
"normal": {
|
||||
"knife_zero": {
|
||||
"host": "10.1.1.232"
|
||||
}
|
||||
},
|
||||
"automatic": {
|
||||
"fqdn": "ldap-2.kosmos.org",
|
||||
"os": "linux",
|
||||
"os_version": "5.4.0-1062-kvm",
|
||||
"hostname": "ldap-2",
|
||||
"ipaddress": "192.168.122.241",
|
||||
"roles": [
|
||||
"dirsrv_primary"
|
||||
],
|
||||
"recipes": [
|
||||
"kosmos-base",
|
||||
"kosmos-base::default",
|
||||
"kosmos-dirsrv",
|
||||
"kosmos-dirsrv::default",
|
||||
"apt::default",
|
||||
"timezone_iii::default",
|
||||
"timezone_iii::debian",
|
||||
"ntp::default",
|
||||
"ntp::apparmor",
|
||||
"kosmos-base::systemd_emails",
|
||||
"apt::unattended-upgrades",
|
||||
"kosmos-base::firewall",
|
||||
"kosmos-postfix::default",
|
||||
"postfix::default",
|
||||
"postfix::_common",
|
||||
"postfix::_attributes",
|
||||
"postfix::sasl_auth",
|
||||
"hostname::default",
|
||||
"kosmos-dirsrv::hostsfile"
|
||||
],
|
||||
"platform": "ubuntu",
|
||||
"platform_version": "20.04",
|
||||
"cloud": null,
|
||||
"chef_packages": {
|
||||
"chef": {
|
||||
"version": "17.10.3",
|
||||
"chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
|
||||
"chef_effortless": null
|
||||
},
|
||||
"ohai": {
|
||||
"version": "17.9.0",
|
||||
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
|
||||
}
|
||||
}
|
||||
},
|
||||
"run_list": [
|
||||
"recipe[kosmos-base]",
|
||||
"role[dirsrv_primary]"
|
||||
]
|
||||
}
|
|
@ -8,7 +8,7 @@
|
|||
"automatic": {
|
||||
"fqdn": "wiki-1",
|
||||
"os": "linux",
|
||||
"os_version": "5.4.0-54-generic",
|
||||
"os_version": "5.4.0-91-generic",
|
||||
"hostname": "wiki-1",
|
||||
"ipaddress": "192.168.122.26",
|
||||
"roles": [
|
||||
|
@ -40,6 +40,7 @@
|
|||
"php::package",
|
||||
"php::ini",
|
||||
"composer::global_configs",
|
||||
"kosmos-dirsrv::hostsfile",
|
||||
"mediawiki::default",
|
||||
"mediawiki::database",
|
||||
"kosmos-nginx::default",
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
name "dirsrv_primary"
|
||||
|
||||
run_list %w(
|
||||
recipe[kosmos-dirsrv]
|
||||
)
|
|
@ -7,9 +7,8 @@ default_run_list = %w(
|
|||
|
||||
production_run_list = %w(
|
||||
role[postgresql_client]
|
||||
kosmos-ejabberd::default
|
||||
kosmos-ejabberd::letsencrypt
|
||||
kosmos-ejabberd::backup
|
||||
kosmos-ejabberd::default
|
||||
)
|
||||
env_run_lists(
|
||||
'development' => default_run_list,
|
||||
|
|
|
@ -6,6 +6,7 @@ default_run_list = %w(
|
|||
kosmos_drone::nginx
|
||||
kosmos_gitea::nginx
|
||||
kosmos_website::default
|
||||
kosmos-ejabberd::nginx
|
||||
)
|
||||
|
||||
env_run_lists(
|
||||
|
|
|
@ -16,3 +16,4 @@ depends 'application_git'
|
|||
depends "postgresql"
|
||||
depends "kosmos_postgresql"
|
||||
depends "backup"
|
||||
depends "kosmos-dirsrv"
|
||||
|
|
|
@ -22,6 +22,7 @@ package "libpq-dev"
|
|||
|
||||
include_recipe 'kosmos-nodejs'
|
||||
include_recipe "kosmos-redis"
|
||||
include_recipe "kosmos-dirsrv::hostsfile"
|
||||
|
||||
npm_package "yarn" do
|
||||
version "1.22.4"
|
||||
|
|
|
@ -52,6 +52,7 @@ end
|
|||
end
|
||||
end
|
||||
|
||||
# TODO check if nginx is installed/running on the node
|
||||
file "/etc/letsencrypt/renewal-hooks/deploy/nginx" do
|
||||
content <<-EOF
|
||||
#!/usr/bin/env bash
|
||||
|
|
|
@ -1 +1 @@
|
|||
node.default['kosmos-dirsrv']['master_hostname'] = 'ldap.kosmos.org'
|
||||
node.default['kosmos-dirsrv']['master_hostname'] = 'ldap.kosmos.local'
|
||||
|
|
|
@ -0,0 +1,119 @@
|
|||
#!/bin/bash
|
||||
|
||||
. /usr/share/dirsrv/data/DSSharedLib
|
||||
|
||||
libpath_add "/usr/lib/x86_64-linux-gnu/dirsrv/"
|
||||
libpath_add ""
|
||||
libpath_add "/usr/lib/x86_64-linux-gnu"
|
||||
libpath_add "/usr/lib/x86_64-linux-gnu"
|
||||
|
||||
export LD_LIBRARY_PATH
|
||||
SHLIB_PATH=$LD_LIBRARY_PATH
|
||||
export SHLIB_PATH
|
||||
|
||||
usage()
|
||||
{
|
||||
echo "Usage: ldif2db [-Z serverID] -n backendname {-s includesuffix}* [{-x excludesuffix}*] {-i ldiffile}*"
|
||||
echo " [-c chunksize] [-g [string]] [-G namespace_id] [-O] [-E] [-q] [-v] [-h]"
|
||||
echo "Note: either \"-n backend\", \"-s includesuffix\", and \"-i ldiffile\" are required."
|
||||
echo "Options:"
|
||||
echo " -Z serverID - The server instance identifier"
|
||||
echo " -n backend - Backend database name. Example: userRoot"
|
||||
echo " -s inclduesuffix - Suffix to include"
|
||||
echo " -x excludesuffix - Suffix to exclude"
|
||||
echo " -i ldiffile - LDIF file name"
|
||||
echo " -c chunksize - Number of entries to process before starting a new pass"
|
||||
echo " -g [string] - String is \"none\" or \"deterministic\""
|
||||
echo " \"none\" - unique id is not generated"
|
||||
echo " \"deterministic\" - generate name based unique id (-G name)"
|
||||
echo " By default - generate time based unique id"
|
||||
echo " -G name - Namespace id for name based uniqueid (-g deterministic)"
|
||||
echo " -O - Do not index the attributes"
|
||||
echo " -E - Encrypt attributes"
|
||||
echo " -q - Quiet mode - suppresses output"
|
||||
echo " -v - Display version"
|
||||
echo " -h - Display usage"
|
||||
}
|
||||
|
||||
handleopts()
|
||||
{
|
||||
while [ "$1" != "" ]
|
||||
do
|
||||
if [ "$1" = "-q" ]; then
|
||||
return 1
|
||||
elif [ "$1" = "-Z" ]; then
|
||||
shift
|
||||
servid=$1
|
||||
elif [ "$1" = "-h" ]; then
|
||||
usage
|
||||
exit 0
|
||||
fi
|
||||
shift
|
||||
done
|
||||
return 0
|
||||
}
|
||||
|
||||
while getopts "Z:vhd:i:g:G:n:s:x:NOCc:St:D:Eq" flag
|
||||
do
|
||||
case $flag in
|
||||
h) usage
|
||||
exit 0;;
|
||||
Z) servid=$OPTARG;;
|
||||
n) args=$args" -n \"$OPTARG\"";;
|
||||
i) args=$args" -i \"$OPTARG\"";;
|
||||
s) args=$args" -s \"$OPTARG\"";;
|
||||
x) args=$args" -x \"$OPTARG\"";;
|
||||
c) args=$args" -c \"$OPTARG\"";;
|
||||
d) args=$args" -d \"$OPTARG\"";;
|
||||
g) args=$args" -g \"$OPTARG\"";;
|
||||
G) args=$args" -G \"$OPTARG\"";;
|
||||
t) args=$args" -t \"$OPTARG\"";;
|
||||
D) args=$args" -D \"$OPTARG\"";;
|
||||
E) args=$args" -E";;
|
||||
v) args=$args" -v";;
|
||||
N) args=$args" -N";;
|
||||
C) args=$args" -C";;
|
||||
S) args=$args" -S";;
|
||||
O) args=$args" -O";;
|
||||
q) args=$args" -q";;
|
||||
?) usage
|
||||
exit 1;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ $# -lt 4 ]
|
||||
then
|
||||
usage
|
||||
exit 1
|
||||
fi
|
||||
|
||||
ARGS=$@
|
||||
shift $(($OPTIND - 1))
|
||||
if [ $1 ]
|
||||
then
|
||||
echo "ERROR - Unknown option: $1"
|
||||
usage
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# FIXME look up if not master
|
||||
initfile="/etc/default/dirsrv-master"
|
||||
if [ $? -eq 1 ]
|
||||
then
|
||||
usage
|
||||
echo "You must supply a valid server instance identifier. Use -Z to specify instance name"
|
||||
echo "Available instances: $initfile"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
. $initfile
|
||||
|
||||
handleopts $ARGS
|
||||
quiet=$?
|
||||
if [ $quiet -eq 0 ]; then
|
||||
echo importing data ...
|
||||
fi
|
||||
|
||||
eval /usr/sbin/ns-slapd ldif2db -D $CONFIG_DIR $args 2>&1
|
||||
|
||||
exit $?
|
|
@ -0,0 +1,22 @@
|
|||
# This file is sourced by dirsrv upon startup to set
|
||||
# the default environment for a single specific directory
|
||||
# server instances. To set defaults for all instances, edit
|
||||
# the file in the same directory called dirsrv.
|
||||
|
||||
# These settings are used by the start-dirsrv and
|
||||
# start-slapd scripts (as well as their associates stop
|
||||
# and restart scripts). Do not edit them unless you know
|
||||
# what you are doing.
|
||||
|
||||
# This file is in systemd EnvironmentFile format - see man systemd.exec
|
||||
|
||||
SERVER_DIR={{SERVER-DIR}}
|
||||
SERVERBIN_DIR={{SERVERBIN-DIR}}
|
||||
CONFIG_DIR={{CONFIG-DIR}}
|
||||
INST_DIR={{INST-DIR}}
|
||||
RUN_DIR={{RUN-DIR}}
|
||||
DS_ROOT={{DS-ROOT}}
|
||||
PRODUCT_NAME={{PRODUCT-NAME}}
|
||||
|
||||
# Put custom instance specific settings below here.
|
||||
# if using systemd, omit the "; export VARNAME" at the end
|
|
@ -1,26 +0,0 @@
|
|||
dn: cn=config
|
||||
changetype: modify
|
||||
replace: nsslapd-security
|
||||
nsslapd-security: on
|
||||
|
||||
dn: cn=encryption,cn=config
|
||||
changetype: modify
|
||||
replace: nsSSLSessionTimeout
|
||||
nsSSLSessionTimeout: 0
|
||||
-
|
||||
replace: nsSSLClientAuth
|
||||
nsSSLClientAuth: off
|
||||
-
|
||||
replace: nsSSL3
|
||||
nsSSL3: off
|
||||
-
|
||||
replace: nsSSL2
|
||||
nsSSL2: off
|
||||
|
||||
dn: cn=RSA,cn=encryption,cn=config
|
||||
objectClass: top
|
||||
objectClass: nsEncryptionModule
|
||||
nsSSLPersonalitySSL: Server-Cert
|
||||
nsSSLActivation: on
|
||||
nsSSLToken: internal (software)
|
||||
cn: RSA
|
|
@ -7,9 +7,9 @@ long_description 'Installs/Configures 389 Directory Server'
|
|||
version '0.1.2'
|
||||
chef_version '>= 14.0'
|
||||
|
||||
depends "firewall"
|
||||
depends "apt"
|
||||
depends "firewall"
|
||||
depends "hostsfile"
|
||||
depends "ulimit"
|
||||
depends "backup"
|
||||
depends "kosmos-nginx"
|
||||
depends "kosmos-base"
|
||||
|
|
|
@ -2,32 +2,13 @@
|
|||
# Cookbook Name:: kosmos-dirsrv
|
||||
# Recipe:: default
|
||||
#
|
||||
# The MIT License (MIT)
|
||||
#
|
||||
# Copyright:: 2019, Kosmos Developers
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
# THE SOFTWARE.
|
||||
|
||||
include_recipe "kosmos-dirsrv::hostsfile"
|
||||
|
||||
credentials = data_bag_item("credentials", "dirsrv")
|
||||
|
||||
dirsrv_instance "master" do
|
||||
hostname node['kosmos-dirsrv']['master_hostname']
|
||||
hostname "ldap.kosmos.local"
|
||||
admin_password credentials['admin_password']
|
||||
suffix "dc=kosmos,dc=org"
|
||||
end
|
||||
|
|
|
@ -2,32 +2,12 @@
|
|||
# Cookbook Name:: kosmos-dirsrv
|
||||
# Recipe:: firewall
|
||||
#
|
||||
# The MIT License (MIT)
|
||||
#
|
||||
# Copyright:: 2020, Kosmos Developers
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
# THE SOFTWARE.
|
||||
|
||||
include_recipe "kosmos-base::firewall"
|
||||
|
||||
firewall_rule "ldap" do
|
||||
port [389, 636]
|
||||
port [389]
|
||||
source "10.1.1.0/24" # zerotier
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
|
|
|
@ -0,0 +1,15 @@
|
|||
#
|
||||
# Cookbook:: kosmos-dirsrv
|
||||
# Recipe:: hostsfile
|
||||
#
|
||||
|
||||
dirsrv_primary = search(:node, "role:dirsrv_primary AND chef_environment:#{node.chef_environment}").first
|
||||
|
||||
unless dirsrv_primary.nil?
|
||||
primary_ip = dirsrv_primary['knife_zero']['host']
|
||||
|
||||
hostsfile_entry primary_ip do
|
||||
hostname "ldap.kosmos.local"
|
||||
unique true
|
||||
end
|
||||
end
|
|
@ -1,4 +1,5 @@
|
|||
resource_name :dirsrv_instance
|
||||
provides :dirsrv_instance
|
||||
|
||||
property :instance_name, String, name_property: true
|
||||
property :hostname, String, required: true
|
||||
|
@ -33,6 +34,20 @@ action :create do
|
|||
inst_dir = "/etc/dirsrv/slapd-#{new_resource.instance_name}"
|
||||
service_name = "dirsrv@#{new_resource.instance_name}"
|
||||
|
||||
cookbook_file "/etc/dirsrv/config/template-initconfig" do
|
||||
source "template-initconfig"
|
||||
mode "0644"
|
||||
owner "dirsrv"
|
||||
group "dirsrv"
|
||||
end
|
||||
|
||||
cookbook_file "/usr/sbin/ldif2db" do
|
||||
source "ldif2db"
|
||||
mode "0755"
|
||||
owner "root"
|
||||
group "root"
|
||||
end
|
||||
|
||||
unless ::Dir.exists?(inst_dir)
|
||||
setup_config = "#{config[:conf_dir]}/setup-#{new_resource.instance_name}.inf"
|
||||
template setup_config do
|
||||
|
@ -45,7 +60,7 @@ action :create do
|
|||
end
|
||||
|
||||
execute "setup-#{new_resource.instance_name}" do
|
||||
command "setup-ds --silent --file #{setup_config}"
|
||||
command "/usr/share/dirsrv/setup-ds.pl --silent --file #{setup_config}"
|
||||
creates ::File.join inst_dir, 'dse.ldif'
|
||||
action :nothing
|
||||
subscribes :run, "template[#{setup_config}]", :immediately
|
||||
|
@ -109,75 +124,4 @@ nsslapd-allow-anonymous-access: off
|
|||
action :nothing
|
||||
end
|
||||
|
||||
unless node.chef_environment == "development"
|
||||
package "libnss3-tools" # provides pk12util
|
||||
|
||||
cookbook_file "#{Chef::Config[:file_cache_path]}/tls.ldif" do
|
||||
source "tls.ldif"
|
||||
owner "root"
|
||||
group "root"
|
||||
end
|
||||
|
||||
include_recipe "kosmos-nginx"
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
|
||||
dirsrv_hook = <<-EOF
|
||||
#!/usr/bin/env bash
|
||||
|
||||
set -e
|
||||
|
||||
# Copy the dirsrv certificate and restart the server if it has been renewed
|
||||
# This is necessary because dirsrv uses a different format for the certificates
|
||||
for domain in $RENEWED_DOMAINS; do
|
||||
case $domain in
|
||||
#{new_resource.hostname})
|
||||
openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
|
||||
pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
|
||||
# Remove the encryption key entries from the current database.
|
||||
# They will be recreated on restart for the new certificate
|
||||
awk '! /^dn: cn=3D|AES,cn=encrypted attribute keys,cn=userRoot/ {print; printf "\\n" ; }' RS="" #{inst_dir}/dse.ldif > #{inst_dir}/dse_new.ldif
|
||||
mv #{inst_dir}/dse_new.ldif #{inst_dir}/dse.ldif
|
||||
systemctl restart #{service_name}
|
||||
;;
|
||||
esac
|
||||
done
|
||||
EOF
|
||||
|
||||
file "/etc/letsencrypt/renewal-hooks/deploy/dirsrv" do
|
||||
content dirsrv_hook
|
||||
mode 0755
|
||||
owner "root"
|
||||
group "root"
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/sites-available/#{new_resource.hostname}" do
|
||||
source 'nginx_conf_empty.erb'
|
||||
owner node["nginx"]["user"]
|
||||
mode 0640
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_certbot_site new_resource.hostname do
|
||||
notifies :run, "execute[letsencrypt cert for #{new_resource.hostname}]", :delayed
|
||||
end
|
||||
|
||||
# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
|
||||
# has been generated before. The renew cron will take care of renewing
|
||||
execute "letsencrypt cert for #{new_resource.hostname}" do
|
||||
root_directory = "/var/www/#{new_resource.hostname}"
|
||||
command "certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{new_resource.hostname} -n"
|
||||
only_if do
|
||||
::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{new_resource.hostname}_certbot") &&
|
||||
!::File.exist?("/etc/letsencrypt/live/#{new_resource.hostname}/fullchain.pem")
|
||||
end
|
||||
notifies :run, "execute[add tls config]", :immediately
|
||||
end
|
||||
|
||||
execute "add tls config" do
|
||||
command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/tls.ldif' -p #{new_resource.port} -h localhost"
|
||||
sensitive true
|
||||
action :nothing
|
||||
notifies :restart, "service[#{service_name}]", :immediately
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -1,7 +1,9 @@
|
|||
node.default["kosmos-ejabberd"]["version"] = "20.12"
|
||||
node.default["kosmos-ejabberd"]["checksum"] = "3d2a4e9d1aa2d189017f4f310eff4d0b6c6d7cd911209cfbcca7b0ec5b577b65"
|
||||
node.default["kosmos-ejabberd"]["turn_ip_address"] = "148.251.83.201"
|
||||
node.default["kosmos-ejabberd"]["stun_turn_port"] = 3478
|
||||
node.default["kosmos-ejabberd"]["turn_min_port"] = 50000
|
||||
node.default["kosmos-ejabberd"]["turn_max_port"] = 55000
|
||||
node.default["kosmos-ejabberd"]["turn_max_port"] = 50050
|
||||
|
||||
node.override["tor"]["HiddenServices"]["ejabberd"] = {
|
||||
"HiddenServicePorts" => [
|
||||
|
|
|
@ -1,45 +0,0 @@
|
|||
#
|
||||
# Cookbook:: kosmos-ejabberd
|
||||
# Recipe:: backup
|
||||
#
|
||||
# The MIT License (MIT)
|
||||
#
|
||||
# Copyright:: 2019, Kosmos Developers
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
# THE SOFTWARE.
|
||||
|
||||
postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
|
||||
|
||||
unless node.chef_environment == "development"
|
||||
# backup the data dir and the config files
|
||||
node.override["backup"]["archives"]["ejabberd"] = ["/opt/ejabberd", "/var/www/xmpp.kosmos.org", "/var/www/xmpp.5apps.com"]
|
||||
unless node["backup"]["postgresql"]["databases"].keys.include? "ejabberd"
|
||||
node.override["backup"]["postgresql"]["databases"]["ejabberd"] = {
|
||||
username: "ejabberd",
|
||||
password: postgresql_data_bag_item['ejabberd_user_password']
|
||||
}
|
||||
end
|
||||
unless node["backup"]["postgresql"]["databases"].keys.include? "ejabberd_5apps"
|
||||
node.override["backup"]["postgresql"]["databases"]["ejabberd_5apps"] = {
|
||||
username: "ejabberd",
|
||||
password: postgresql_data_bag_item['ejabberd_user_password']
|
||||
}
|
||||
end
|
||||
include_recipe "backup"
|
||||
end
|
|
@ -3,6 +3,8 @@
|
|||
# Recipe:: default
|
||||
#
|
||||
|
||||
include_recipe "kosmos-dirsrv::hostsfile"
|
||||
|
||||
ejabberd_credentials = data_bag_item("credentials", "ejabberd")
|
||||
|
||||
ejabberd_version = node["kosmos-ejabberd"]["version"]
|
||||
|
@ -122,13 +124,13 @@ modules:
|
|||
]
|
||||
|
||||
ldap_domain = node['kosmos-dirsrv']['master_hostname']
|
||||
ldap_encryption_type = node.chef_environment == "development" ? "none" : "tls"
|
||||
ldap_encryption_type = "none"
|
||||
ldap_base = "cn=users,dc=kosmos,dc=org"
|
||||
|
||||
admin_users = ejabberd_credentials['admins']
|
||||
|
||||
hosts.each do |host|
|
||||
ldap_rootdn = "uid=xmpp,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
|
||||
ldap_rootdn = "uid=service,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
|
||||
|
||||
template "/opt/ejabberd/conf/#{host[:name]}.yml" do
|
||||
source "vhost.yml.erb"
|
||||
|
@ -159,7 +161,9 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
|
|||
variables hosts: hosts,
|
||||
admin_users: admin_users,
|
||||
stun_auth_realm: "kosmos.org",
|
||||
turn_ip_address: node["knife_zero"]["host"],
|
||||
stun_secret: ejabberd_credentials['stun_secret'],
|
||||
turn_ip_address: node["kosmos-ejabberd"]["turn_ip_address"],
|
||||
stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
|
||||
turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
|
||||
turn_max_port: node["kosmos-ejabberd"]["turn_max_port"],
|
||||
akkounts_ip_addresses: akkounts_ip_addresses
|
||||
|
|
|
@ -25,13 +25,13 @@ firewall_rule 'erlang_cluster' do
|
|||
end
|
||||
|
||||
firewall_rule 'ejabberd_stun_turn' do
|
||||
port 3478
|
||||
protocol :tcp
|
||||
port node["kosmos-ejabberd"]["stun_turn_port"]
|
||||
protocol :udp
|
||||
command :allow
|
||||
end
|
||||
|
||||
firewall_rule 'ejabberd_turn' do
|
||||
port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
|
||||
protocol :tcp
|
||||
protocol :udp
|
||||
command :allow
|
||||
end
|
||||
|
|
|
@ -2,27 +2,6 @@
|
|||
# Cookbook:: kosmos-ejabberd
|
||||
# Recipe:: letsencrypt
|
||||
#
|
||||
# The MIT License (MIT)
|
||||
#
|
||||
# Copyright:: 2019, Kosmos Developers
|
||||
#
|
||||
# Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
# of this software and associated documentation files (the "Software"), to deal
|
||||
# in the Software without restriction, including without limitation the rights
|
||||
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
# copies of the Software, and to permit persons to whom the Software is
|
||||
# furnished to do so, subject to the following conditions:
|
||||
#
|
||||
# The above copyright notice and this permission notice shall be included in
|
||||
# all copies or substantial portions of the Software.
|
||||
#
|
||||
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
# THE SOFTWARE.
|
||||
|
||||
include_recipe "kosmos-base::letsencrypt"
|
||||
|
||||
|
|
|
@ -0,0 +1,52 @@
|
|||
#
|
||||
# Cookbook:: kosmos-ejabberd
|
||||
# Recipe:: nginx
|
||||
#
|
||||
|
||||
include_recipe "kosmos-base::firewall"
|
||||
|
||||
ejabberd_hosts = []
|
||||
search(:node, "role:ejabberd").each do |node|
|
||||
ejabberd_hosts << node["knife_zero"]["host"]
|
||||
end
|
||||
|
||||
ejabberd_hosts.each do |ip_address|
|
||||
IPAddr.new ip_address
|
||||
rescue IPAddr::InvalidAddressError
|
||||
ejabberd_hosts.delete ip_address
|
||||
next
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/streams-available/ejabberd" do
|
||||
source "nginx_conf_streams.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
# variables ejabberd_hosts: ejabberd_hosts
|
||||
variables ejabberd_hosts: ["10.1.1.113"],
|
||||
stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
|
||||
turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
|
||||
turn_max_port: node["kosmos-ejabberd"]["turn_max_port"]
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_stream "ejabberd" do
|
||||
action :enable
|
||||
end
|
||||
|
||||
firewall_rule "ejabberd" do
|
||||
port [5222, 5223, 5269, 5443]
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
|
||||
firewall_rule 'ejabberd_stun_turn' do
|
||||
port node["kosmos-ejabberd"]["stun_turn_port"]
|
||||
protocol :udp
|
||||
command :allow
|
||||
end
|
||||
|
||||
firewall_rule 'ejabberd_turn' do
|
||||
port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
|
||||
protocol :udp
|
||||
command :allow
|
||||
end
|
|
@ -78,12 +78,13 @@ listen:
|
|||
## register: true
|
||||
captcha: false
|
||||
-
|
||||
port: 3478
|
||||
transport: tcp
|
||||
port: <%= @stun_turn_port %>
|
||||
transport: udp
|
||||
module: ejabberd_stun
|
||||
auth_realm: <%= @stun_auth_realm %>
|
||||
use_turn: true
|
||||
turn_ip: <%= @turn_ip_address %>
|
||||
tls: false
|
||||
turn_ipv4_address: <%= @turn_ip_address %>
|
||||
turn_min_port: <%= @turn_min_port %>
|
||||
turn_max_port: <%= @turn_max_port %>
|
||||
|
||||
|
@ -230,7 +231,21 @@ modules:
|
|||
versioning: true
|
||||
store_current_id: true
|
||||
mod_shared_roster: {}
|
||||
mod_stun_disco: {}
|
||||
mod_stun_disco:
|
||||
secret: <%= @stun_secret %>
|
||||
services:
|
||||
-
|
||||
host: <%= @turn_ip_address %>
|
||||
port: <%= @stun_turn_port %>
|
||||
type: stun
|
||||
transport: udp
|
||||
restricted: false
|
||||
-
|
||||
host: <%= @turn_ip_address %>
|
||||
port: <%= @stun_turn_port %>
|
||||
type: turn
|
||||
transport: udp
|
||||
restricted: true
|
||||
mod_vcard:
|
||||
search: false
|
||||
mod_vcard_xupdate: {}
|
||||
|
|
|
@ -0,0 +1,81 @@
|
|||
log_format proxy '$remote_addr [$time_local] '
|
||||
'$protocol $status $bytes_sent $bytes_received '
|
||||
'$session_time "$upstream_addr" '
|
||||
'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
|
||||
|
||||
access_log /var/log/nginx/streams.log proxy buffer=32k flush=1m;
|
||||
|
||||
upstream ejabberd_c2s {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
server <%= ip_address %>:5222;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
upstream ejabberd_c2s_tls {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
server <%= ip_address %>:5223;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
upstream ejabberd_s2s {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
server <%= ip_address %>:5269;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
upstream ejabberd_https {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
server <%= ip_address %>:5443;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
upstream ejabberd_stun_turn {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
server <%= ip_address %>:<%= @stun_turn_port %>;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
upstream ejabberd_turn {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
<% (@turn_min_port..@turn_max_port).each do |port| %>
|
||||
server <%= "#{ip_address}:#{port.to_s}" %>;
|
||||
<% end %>
|
||||
<% end %>
|
||||
}
|
||||
|
||||
server {
|
||||
listen 5222;
|
||||
proxy_pass ejabberd_c2s;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 5223;
|
||||
proxy_pass ejabberd_c2s;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 5269;
|
||||
proxy_pass ejabberd_s2s;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 5443;
|
||||
proxy_pass ejabberd_https;
|
||||
}
|
||||
|
||||
server {
|
||||
listen <%= @stun_turn_port %> udp;
|
||||
proxy_pass ejabberd_stun_turn;
|
||||
}
|
||||
|
||||
server {
|
||||
listen <%= "#{@turn_min_port}-#{@turn_max_port}" %> udp;
|
||||
proxy_pass 10.1.1.113:$server_port;
|
||||
#proxy_pass ejabberd_turn;
|
||||
}
|
|
@ -1,11 +1,7 @@
|
|||
# Generated by Chef for <%= @host[:name] %>
|
||||
# FIXME: The files only exist after the certbot hook created them, meaning
|
||||
# we need to run Chef a second time
|
||||
<% if File.exist?("/opt/ejabberd/conf/#{@host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{@host[:name]}.key") -%>
|
||||
certfiles:
|
||||
- "/opt/ejabberd/conf/<%= @host[:name] %>.crt"
|
||||
- "/opt/ejabberd/conf/<%= @host[:name] %>.key"
|
||||
<% end -%>
|
||||
host_config:
|
||||
"<%= @host[:name] %>":
|
||||
sql_type: pgsql
|
||||
|
@ -19,7 +15,6 @@ host_config:
|
|||
ldap_rootdn: "<%= @ldap_rootdn %>"
|
||||
ldap_password: "<%= @host[:ldap_password] %>"
|
||||
ldap_encrypt: <%= @ldap_encryption_type %>
|
||||
ldap_tls_verify: hard # when TLS is enabled, don't proceed if a cert is invalid
|
||||
ldap_base: "ou=<%= @host[:name] %>,<%= @ldap_base %>"
|
||||
ldap_filter: "(objectClass=person)"
|
||||
<% end -%>
|
||||
|
|
|
@ -27,6 +27,7 @@
|
|||
include_recipe 'apt'
|
||||
include_recipe 'ark'
|
||||
include_recipe 'composer'
|
||||
include_recipe 'kosmos-dirsrv::hostsfile'
|
||||
|
||||
server_name = 'wiki.kosmos.org'
|
||||
|
||||
|
@ -158,7 +159,7 @@ if node["mediawiki"]["ldap_enabled"]
|
|||
package "php-ldap"
|
||||
|
||||
ldap_domain = node['kosmos-dirsrv']['master_hostname']
|
||||
ldap_encryption_type = node.chef_environment == "development" ? "clear" : "tls"
|
||||
ldap_encryption_type = "clear"
|
||||
ldap_base = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
|
||||
end
|
||||
|
||||
|
|
|
@ -7,5 +7,6 @@ long_description 'Installs/Configures kosmos_discourse'
|
|||
version '0.1.0'
|
||||
chef_version '>= 14.0'
|
||||
|
||||
depends "kosmos-nginx"
|
||||
depends 'kosmos-nginx'
|
||||
depends 'firewall'
|
||||
depends 'kosmos-dirsrv'
|
||||
|
|
|
@ -3,6 +3,8 @@
|
|||
# Recipe:: default
|
||||
#
|
||||
|
||||
include_recipe "kosmos-dirsrv::hostsfile"
|
||||
|
||||
package "docker-compose"
|
||||
deploy_path = "/opt/discourse"
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
gitea_version = "1.16.5"
|
||||
gitea_version = "1.16.6"
|
||||
node.default["kosmos_gitea"]["version"] = gitea_version
|
||||
node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
|
||||
node.default["kosmos_gitea"]["binary_checksum"] = "c0fb4107dc4debf08e6e27fd3383e06dc232ccb410123179c7ae8d7cec60765f"
|
||||
node.default["kosmos_gitea"]["binary_checksum"] = "a96751af12d5e96301a97c280bafb92782e0e9b7a0bbe8960c704c0c0361e576"
|
||||
node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org"
|
||||
node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea"
|
||||
node.default["kosmos_gitea"]["port"] = 3000
|
||||
|
|
|
@ -23,3 +23,4 @@ depends "firewall"
|
|||
depends "kosmos-nginx"
|
||||
depends "kosmos_postgresql"
|
||||
depends "backup"
|
||||
depends "kosmos-dirsrv"
|
||||
|
|
|
@ -3,6 +3,8 @@
|
|||
# Recipe:: default
|
||||
#
|
||||
|
||||
include_recipe "kosmos-dirsrv::hostsfile"
|
||||
|
||||
working_directory = node["kosmos_gitea"]["working_directory"]
|
||||
git_home_directory = "/home/git"
|
||||
repository_root_directory = "#{git_home_directory}/gitea-repositories"
|
||||
|
|
Loading…
Reference in New Issue