Merge pull request 'Move dirsrv (LDAP) primary node to new VM' (#401) from new_ldap_server into master

Reviewed-on: #401

clients/ejabberd-8.json

@@ -0,0 +1,4 @@
+{
+  "name": "ejabberd-8",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2r+emfhx7bl7MxEeIDGY\nKnj3xEyFvVgXL7GwOsbKszFVgZ17yuPwa6vuiJsZsbcFC/nXgGNH2WF5FEv7XhOi\nwE8KMeNrR4xQ9BEANRlRgUTfrkhZG1NCy7PpVBb7L2r36STBuFSdQJmruJAfvTHm\na4hhmfaSIJ0Wa+Q24gL1GNwkSRdOhXRYxB4OvNIJzzuC3XqgugQVG5xzZh0kULQs\nkZVvkL5dM0FEZzBn8aK2sohTFDivvYJy7PAogC9Z5M1nPatZBowruUZvCym3Wh1J\nRtBwsS9SsTcsUqaT9FpEa7vYUney1/R8G2FAFufTyztjgBQzh78GhU+dek+ycIf1\nVQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

clients/ldap-2.json

@@ -0,0 +1,4 @@
+{
+  "name": "ldap-2.kosmos.org",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAycyHso4sCJ/RLkuQl1Qp\nBaAJsWw8NilZyoZwuaYAC4IGJ1Pn4p+6Ly4vWveGCPbDf18VNFHwNMSjtH94EWOo\nrF8Qiamcn8/NlT6NbbN77fjOFDvwITW9+7zgJz9QNsAT7lbdv9eWlWijnslVvqtk\njx9IuqAF1tEKEfnhj8wAHLT8WPABHzmp3PdfZXKN4fjCL9VcPNruXJiCIuNPnWIo\nUxY9IRa9DiZ1jXIcWrTLLHCzq07jeo+MWpC5Uuz3U6+zfevFBHM0xpGMsouIfvLf\nF+MeckT5OhwujUL4IvfZ0Wl6/5wsvHbLFFW7KsmiBK0Su04OnKnZUSaAmtEDU2w4\nSQIDAQAB\n-----END PUBLIC KEY-----\n"
+}

data_bags/credentials/ejabberd.json

@@ -1,38 +1,45 @@
 {
   "id": "ejabberd",
   "5apps_ldap_password": {
-    "encrypted_data": "RdzDZk2F4yBvgII84JGt8AF0LT4cyjRQFQvMJ5LhdB54T06Kjq3S\n",
-    "iv": "+3WlMHiNAFVE4iku\n",
-    "auth_tag": "mKheQu/KeHSyt8W783lrzA==\n",
+    "encrypted_data": "3o0jv/jKAIVR/FcyLH5JfDlbqsEYC1LnN2qK25b47Q==\n",
+    "iv": "6YTMw9vMiDANQDVP\n",
+    "auth_tag": "hIfhn4fHcuV34TLt0o4BLg==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "kosmos_ldap_password": {
-    "encrypted_data": "fABWhxMuLaF2qLFdIN//R6bgBkD60WRWiBZPErB1eBOxHqOp813o\n",
-    "iv": "uBPPYY/FM2hee05V\n",
-    "auth_tag": "cO+zP2QggWIzbuVxtkct2w==\n",
+    "encrypted_data": "3DuaEKmfnBycnPHtOPX59i1Iu2MiDsUv2NhHMLVRVA==\n",
+    "iv": "XC2igt4I4qNNgCYD\n",
+    "auth_tag": "cRKNVa+dgIeKtMJbV26fMQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "uploads_secret": {
-    "encrypted_data": "03Y8CNBstV7vYopx8X54hkRSlnwwbOg5Y0KwTPV4qys1\n",
-    "iv": "gLTP7Y2Y70jL+sxH\n",
-    "auth_tag": "HJoyOF4rYm9ayKfViuKBlA==\n",
+    "encrypted_data": "Hsa0CNxtxgSeqcConNMINdNHnq8Nb4FTokRg3yZB2Fw5\n",
+    "iv": "fWjiwhJ7NZIvUHyt\n",
+    "auth_tag": "BS7TfOFSLeozLtuD6pRr6g==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "admins": {
-    "encrypted_data": "mRX2Lxqxb//Gd76bk+G3V+eObaq+NILiMsHHjFvjBCvJrznvRzezqW1VHhwW\ndH/ZY2gM8CVCcmYNQ8Xtg/1loPYAUjROvDRirj5i9fP7zgJRc1anNmohDOle\n34aNPYverGm+IJ21sFrAv4Xe/KleJBO5ynuiInqqvljcu3LiuvSYBXW34yWB\n",
-    "iv": "QqJJM8gmox565JUd\n",
-    "auth_tag": "yWRLb22JwJjjoK6Wdr1ujg==\n",
+    "encrypted_data": "5Nr8AHUFlFCjjG/OtLXcJIfvAF0MLbiGYgmG3ck8Da+duGMLz35Kh/BT4ZCd\nOK/7ID35whjRm0CbaanzfffDiTaa8Bo/DI+2rZDdaFyiaOeGvOXv21YwC7IT\nIZkH6pphbxzR86kfxtPB9bqhkA7rq9toCU1TU3TCXlNG6flR0c02j6t3Nwu7\n",
+    "iv": "vFjSjzaEiZJB4lAo\n",
+    "auth_tag": "3DEcFQSC1H7q/o9EiAwS3A==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "erlang_cookie": {
-    "encrypted_data": "UDCzEWgVLH0z33Exx5G+OjUXw1odz4xO8qRLXODo5jBzMQdyYQCd\n",
-    "iv": "mm+fYYceD1nPsuo1\n",
-    "auth_tag": "77un6mkgrHAmnBQhrhpPfQ==\n",
+    "encrypted_data": "+W8iX2Ye1QL6Tqy4J5DyBIQ8oPEaIWONV1tsoTEZT+YjqqTfFgqo\n",
+    "iv": "2fYgOBtGmqFTFddy\n",
+    "auth_tag": "6tfWx9FA/oD7c4THW7cQlQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "stun_secret": {
+    "encrypted_data": "bgLeWgPdI3LQTlxZI2Wcn2/NY+zyumxUPJUFqUrZn7MEEXQOl1Dd2W0Vzks=\n",
+    "iv": "xevLfSR+wqEk5jVw\n",
+    "auth_tag": "7Jvcaq2UlLJVIX7TqSX2OQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }
-}
+}

data_bags/credentials/mediawiki.json

@@ -1,23 +1,23 @@
 {
   "id": "mediawiki",
   "db_pass": {
-    "encrypted_data": "bkvlD9N8a2EAoBDRcJ5Yhio7vQPnc5qMxH3Of/A/epieJZXBudkYrDaQZmbu\nSwYseFveqEleys4IbI+zTOaBN5LejDpH\n",
-    "iv": "OPbDsQjNBP7Yabsx\n",
-    "auth_tag": "0cl2nkL0V07cWC5SZjNXBA==\n",
+    "encrypted_data": "giNnksOeZDSsoBSsF/RvaVIbtgp5EpRJnbZdH4nt755Tx3ZjHj8Hl6kvXo2t\n34l6/6jjwUIiig1vxKt8+2pHm1hXAbJ9\n",
+    "iv": "hnDHoyGbZyuQVG5f\n",
+    "auth_tag": "3oNeFn22P25qwJ0KaVerxw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "ldap_user": {
-    "encrypted_data": "+iKtv/pB8rU0kJYlhr/KNUM63uG5RpDUCduW9sakxwaMs7V5JetSdaUmabIk\np8EiF5FDvYLUWqq5SOblTfPELMY3C0j5XwgxDKo=\n",
-    "iv": "ynjajkZHawmcE81H\n",
-    "auth_tag": "cxcsojaQW8dFZHR50QnZjw==\n",
+    "encrypted_data": "bA21rCjUKGFMxSK3BSmKmIe7JS4C8IU062abpRAe8OBqypLgbgv+YpPiF+v3\nscfMaydHNg9qtK1MzP33MmRkI43q7o2TJXpI6+vZA2Y=\n",
+    "iv": "78mNymw45lR0spXg\n",
+    "auth_tag": "3RdUdoQsquNLUAV+POkcRQ==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   },
   "ldap_password": {
-    "encrypted_data": "Kb5/RiGyXEf0X4KAgprCrZU+lFaWYuu6gjSXanujWxXx5YUdQLzZ\n",
-    "iv": "U1JBexbrnmJ4HNSZ\n",
-    "auth_tag": "LDeG8mOM5iLxy/VslTakSg==\n",
+    "encrypted_data": "lEaG+bHkMftmJENQ99h+HfRaYFYw4HI/ugwfwKJU2A==\n",
+    "iv": "31oRFt2sXKay+sy1\n",
+    "auth_tag": "tfkRa3lUZkj2PTl39APTTw==\n",
     "version": 3,
     "cipher": "aes-256-gcm"
   }

nodes/akkounts-1.json

@@ -44,6 +44,7 @@
       "redis::default",
       "backup::default",
       "logrotate::default",
+      "kosmos-dirsrv::hostsfile",
       "nodejs::npm",
       "nodejs::install",
       "kosmos-nginx::default",

nodes/discourse-2.json

@@ -33,6 +33,7 @@
       "postfix::_attributes",
       "postfix::sasl_auth",
       "hostname::default",
+      "kosmos-dirsrv::hostsfile",
       "firewall::default",
       "chef-sugar::default"
     ],

nodes/ejabberd-8.json

@@ -0,0 +1,63 @@
+{
+  "name": "ejabberd-8",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.123"
+    }
+  },
+  "automatic": {
+    "fqdn": "ejabberd-8",
+    "os": "linux",
+    "os_version": "5.4.0-1063-kvm",
+    "hostname": "ejabberd-8",
+    "ipaddress": "192.168.122.27",
+    "roles": [
+      "ejabberd",
+      "postgresql_client"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos_postgresql::hostsfile",
+      "kosmos-ejabberd::letsencrypt",
+      "kosmos-ejabberd",
+      "kosmos-ejabberd::default",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "kosmos-base::letsencrypt",
+      "kosmos-dirsrv::hostsfile",
+      "kosmos-ejabberd::firewall",
+      "tor-full::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "20.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "17.10.3",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "17.9.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "recipe[kosmos-base]",
+    "role[ejabberd]"
+  ]
+}

nodes/fornax.kosmos.org.json

@@ -24,6 +24,7 @@
       "kosmos_gitea::nginx",
       "kosmos_website",
       "kosmos_website::default",
+      "kosmos-ejabberd::nginx",
       "apt::default",
       "timezone_iii::default",
       "timezone_iii::debian",

nodes/ldap-2.kosmos.org.json

@@ -0,0 +1,57 @@
+{
+  "name": "ldap-2.kosmos.org",
+  "normal": {
+    "knife_zero": {
+      "host": "10.1.1.232"
+    }
+  },
+  "automatic": {
+    "fqdn": "ldap-2.kosmos.org",
+    "os": "linux",
+    "os_version": "5.4.0-1062-kvm",
+    "hostname": "ldap-2",
+    "ipaddress": "192.168.122.241",
+    "roles": [
+      "dirsrv_primary"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos-dirsrv",
+      "kosmos-dirsrv::default",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "kosmos-dirsrv::hostsfile"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "20.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "17.10.3",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib",
+        "chef_effortless": null
+      },
+      "ohai": {
+        "version": "17.9.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "recipe[kosmos-base]",
+    "role[dirsrv_primary]"
+  ]
+}

nodes/wiki-1.json

@@ -8,7 +8,7 @@
   "automatic": {
     "fqdn": "wiki-1",
     "os": "linux",
-    "os_version": "5.4.0-54-generic",
+    "os_version": "5.4.0-91-generic",
     "hostname": "wiki-1",
     "ipaddress": "192.168.122.26",
     "roles": [
@@ -40,6 +40,7 @@
       "php::package",
       "php::ini",
       "composer::global_configs",
+      "kosmos-dirsrv::hostsfile",
       "mediawiki::default",
       "mediawiki::database",
       "kosmos-nginx::default",

roles/dirsrv_primary.rb

@@ -0,0 +1,5 @@
+name "dirsrv_primary"
+
+run_list %w(
+  recipe[kosmos-dirsrv]
+)

roles/ejabberd.rb

@@ -7,9 +7,8 @@ default_run_list = %w(
 
 production_run_list = %w(
   role[postgresql_client]
-  kosmos-ejabberd::default
   kosmos-ejabberd::letsencrypt
-  kosmos-ejabberd::backup
+  kosmos-ejabberd::default
 )
 env_run_lists(
   'development' => default_run_list,

roles/nginx_proxy.rb

@@ -6,6 +6,7 @@ default_run_list = %w(
   kosmos_drone::nginx
   kosmos_gitea::nginx
   kosmos_website::default
+  kosmos-ejabberd::nginx
 )
 
 env_run_lists(

site-cookbooks/kosmos-akkounts/metadata.rb

@@ -16,3 +16,4 @@ depends 'application_git'
 depends "postgresql"
 depends "kosmos_postgresql"
 depends "backup"
+depends "kosmos-dirsrv"

site-cookbooks/kosmos-akkounts/recipes/default.rb

@@ -22,6 +22,7 @@ package "libpq-dev"
 
 include_recipe 'kosmos-nodejs'
 include_recipe "kosmos-redis"
+include_recipe "kosmos-dirsrv::hostsfile"
 
 npm_package "yarn" do
   version "1.22.4"

site-cookbooks/kosmos-base/recipes/letsencrypt.rb

@@ -52,6 +52,7 @@ end
   end
 end
 
+# TODO check if nginx is installed/running on the node
 file "/etc/letsencrypt/renewal-hooks/deploy/nginx" do
   content <<-EOF
 #!/usr/bin/env bash

site-cookbooks/kosmos-dirsrv/attributes/default.rb

@@ -1 +1 @@
-node.default['kosmos-dirsrv']['master_hostname'] = 'ldap.kosmos.org'
+node.default['kosmos-dirsrv']['master_hostname'] = 'ldap.kosmos.local'

site-cookbooks/kosmos-dirsrv/files/ldif2db

@@ -0,0 +1,119 @@
+#!/bin/bash
+
+. /usr/share/dirsrv/data/DSSharedLib
+
+libpath_add "/usr/lib/x86_64-linux-gnu/dirsrv/"
+libpath_add ""
+libpath_add "/usr/lib/x86_64-linux-gnu"
+libpath_add "/usr/lib/x86_64-linux-gnu"
+
+export LD_LIBRARY_PATH
+SHLIB_PATH=$LD_LIBRARY_PATH
+export SHLIB_PATH
+
+usage()
+{
+    echo "Usage: ldif2db [-Z serverID] -n backendname {-s includesuffix}* [{-x excludesuffix}*] {-i ldiffile}*"
+    echo "               [-c chunksize] [-g [string]] [-G namespace_id] [-O] [-E] [-q] [-v] [-h]"
+    echo "Note: either \"-n backend\", \"-s includesuffix\", and \"-i ldiffile\" are required."
+    echo "Options:"
+    echo "        -Z serverID       - The server instance identifier"
+    echo "        -n backend        - Backend database name.  Example: userRoot"
+    echo "        -s inclduesuffix  - Suffix to include"
+    echo "        -x excludesuffix  - Suffix to exclude"
+    echo "        -i ldiffile       - LDIF file name"
+    echo "        -c chunksize      - Number of entries to process before starting a new pass"
+    echo "        -g [string]       - String is \"none\" or \"deterministic\""
+    echo "                           \"none\" - unique id is not generated"
+    echo "                           \"deterministic\" - generate name based unique id (-G name)"
+    echo "                            By default - generate time based unique id"
+    echo "        -G name           - Namespace id for name based uniqueid (-g deterministic)"
+    echo "        -O                - Do not index the attributes"
+    echo "        -E                - Encrypt attributes"
+    echo "        -q                - Quiet mode - suppresses output"
+    echo "        -v                - Display version"
+    echo "        -h                - Display usage" 
+}
+
+handleopts()
+{
+    while [ "$1" != "" ]
+    do
+        if [ "$1" = "-q" ]; then
+            return 1
+        elif [ "$1" = "-Z" ]; then
+            shift
+            servid=$1
+        elif [ "$1" = "-h" ]; then
+            usage
+            exit 0
+        fi
+        shift
+    done
+    return 0
+}
+
+while getopts "Z:vhd:i:g:G:n:s:x:NOCc:St:D:Eq" flag
+do
+    case $flag in
+        h) usage
+           exit 0;;
+        Z) servid=$OPTARG;;
+        n) args=$args" -n \"$OPTARG\"";;
+        i) args=$args" -i \"$OPTARG\"";;
+        s) args=$args" -s \"$OPTARG\"";;
+        x) args=$args" -x \"$OPTARG\"";;
+        c) args=$args" -c \"$OPTARG\"";;
+        d) args=$args" -d \"$OPTARG\"";;
+        g) args=$args" -g \"$OPTARG\"";;
+        G) args=$args" -G \"$OPTARG\"";;
+        t) args=$args" -t \"$OPTARG\"";;
+        D) args=$args" -D \"$OPTARG\"";;
+        E) args=$args" -E";;
+        v) args=$args" -v";;
+        N) args=$args" -N";;
+        C) args=$args" -C";;
+        S) args=$args" -S";;
+        O) args=$args" -O";;
+        q) args=$args" -q";;
+        ?) usage
+           exit 1;;
+    esac
+done
+
+if [ $# -lt 4 ]
+then
+    usage
+    exit 1
+fi
+
+ARGS=$@
+shift $(($OPTIND - 1))
+if [ $1 ]
+then
+    echo "ERROR - Unknown option: $1"
+    usage
+    exit 1
+fi
+
+# FIXME look up if not master
+initfile="/etc/default/dirsrv-master"
+if [ $? -eq 1 ]
+then
+    usage
+    echo "You must supply a valid server instance identifier.  Use -Z to specify instance name"
+    echo "Available instances: $initfile"
+    exit 1
+fi
+
+. $initfile
+
+handleopts $ARGS
+quiet=$?
+if [ $quiet -eq 0 ]; then
+    echo importing data ...
+fi
+
+eval /usr/sbin/ns-slapd ldif2db -D $CONFIG_DIR $args 2>&1
+
+exit $?

site-cookbooks/kosmos-dirsrv/files/template-initconfig

@@ -0,0 +1,22 @@
+# This file is sourced by dirsrv upon startup to set
+# the default environment for a single specific  directory
+# server instances.  To set defaults for all instances, edit
+# the file in the same directory called dirsrv.
+
+# These settings are used by the start-dirsrv and
+# start-slapd scripts (as well as their associates stop
+# and restart scripts).  Do not edit them unless you know
+# what you are doing.
+
+# This file is in systemd EnvironmentFile format - see man systemd.exec
+
+SERVER_DIR={{SERVER-DIR}}
+SERVERBIN_DIR={{SERVERBIN-DIR}}
+CONFIG_DIR={{CONFIG-DIR}}
+INST_DIR={{INST-DIR}}
+RUN_DIR={{RUN-DIR}}
+DS_ROOT={{DS-ROOT}}
+PRODUCT_NAME={{PRODUCT-NAME}}
+
+# Put custom instance specific settings below here.
+# if using systemd, omit the "; export VARNAME" at the end

site-cookbooks/kosmos-dirsrv/files/tls.ldif

@@ -1,26 +0,0 @@
-dn: cn=config
-changetype: modify
-replace: nsslapd-security
-nsslapd-security: on
-
-dn: cn=encryption,cn=config
-changetype: modify
-replace: nsSSLSessionTimeout
-nsSSLSessionTimeout: 0
--
-replace: nsSSLClientAuth
-nsSSLClientAuth: off
--
-replace: nsSSL3
-nsSSL3: off
--
-replace: nsSSL2
-nsSSL2: off
-
-dn: cn=RSA,cn=encryption,cn=config
-objectClass: top
-objectClass: nsEncryptionModule
-nsSSLPersonalitySSL: Server-Cert
-nsSSLActivation: on
-nsSSLToken: internal (software)
-cn: RSA

site-cookbooks/kosmos-dirsrv/metadata.rb

@@ -7,9 +7,9 @@ long_description 'Installs/Configures 389 Directory Server'
 version '0.1.2'
 chef_version '>= 14.0'
 
-depends "firewall"
 depends "apt"
+depends "firewall"
+depends "hostsfile"
 depends "ulimit"
 depends "backup"
-depends "kosmos-nginx"
 depends "kosmos-base"

site-cookbooks/kosmos-dirsrv/recipes/default.rb

@@ -2,32 +2,13 @@
 # Cookbook Name:: kosmos-dirsrv
 # Recipe:: default
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
+
+include_recipe "kosmos-dirsrv::hostsfile"
 
 credentials = data_bag_item("credentials", "dirsrv")
 
 dirsrv_instance "master" do
-  hostname node['kosmos-dirsrv']['master_hostname']
+  hostname "ldap.kosmos.local"
   admin_password credentials['admin_password']
   suffix "dc=kosmos,dc=org"
 end

site-cookbooks/kosmos-dirsrv/recipes/firewall.rb

@@ -2,32 +2,12 @@
 # Cookbook Name:: kosmos-dirsrv
 # Recipe:: firewall
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2020, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 
 include_recipe "kosmos-base::firewall"
 
 firewall_rule "ldap" do
-  port     [389, 636]
+  port     [389]
+  source   "10.1.1.0/24" # zerotier
   protocol :tcp
   command  :allow
 end

site-cookbooks/kosmos-dirsrv/recipes/hostsfile.rb

@@ -0,0 +1,15 @@
+#
+# Cookbook:: kosmos-dirsrv
+# Recipe:: hostsfile
+#
+
+dirsrv_primary = search(:node, "role:dirsrv_primary AND chef_environment:#{node.chef_environment}").first
+
+unless dirsrv_primary.nil?
+  primary_ip = dirsrv_primary['knife_zero']['host']
+
+  hostsfile_entry primary_ip do
+    hostname  "ldap.kosmos.local"
+    unique    true
+  end
+end

site-cookbooks/kosmos-dirsrv/resources/instance.rb

@@ -1,4 +1,5 @@
 resource_name :dirsrv_instance
+provides :dirsrv_instance
 
 property :instance_name,  String,  name_property: true
 property :hostname,       String,  required: true
@@ -33,6 +34,20 @@ action :create do
   inst_dir = "/etc/dirsrv/slapd-#{new_resource.instance_name}"
   service_name = "dirsrv@#{new_resource.instance_name}"
 
+  cookbook_file "/etc/dirsrv/config/template-initconfig" do
+    source "template-initconfig"
+    mode "0644"
+    owner "dirsrv"
+    group "dirsrv"
+  end
+
+  cookbook_file "/usr/sbin/ldif2db" do
+    source "ldif2db"
+    mode "0755"
+    owner "root"
+    group "root"
+  end
+
   unless ::Dir.exists?(inst_dir)
     setup_config = "#{config[:conf_dir]}/setup-#{new_resource.instance_name}.inf"
     template setup_config do
@@ -45,7 +60,7 @@ action :create do
     end
 
     execute "setup-#{new_resource.instance_name}" do
-      command "setup-ds --silent --file #{setup_config}"
+      command "/usr/share/dirsrv/setup-ds.pl --silent --file #{setup_config}"
       creates ::File.join inst_dir, 'dse.ldif'
       action :nothing
       subscribes :run, "template[#{setup_config}]", :immediately
@@ -109,75 +124,4 @@ nsslapd-allow-anonymous-access: off
     action :nothing
   end
 
-  unless node.chef_environment == "development"
-    package "libnss3-tools" # provides pk12util
-
-    cookbook_file "#{Chef::Config[:file_cache_path]}/tls.ldif" do
-      source "tls.ldif"
-      owner "root"
-      group "root"
-    end
-
-    include_recipe "kosmos-nginx"
-    include_recipe "kosmos-base::letsencrypt"
-
-    dirsrv_hook = <<-EOF
-#!/usr/bin/env bash
-
-set -e
-
-# Copy the dirsrv certificate and restart the server if it has been renewed
-# This is necessary because dirsrv uses a different format for the certificates
-for domain in $RENEWED_DOMAINS; do
-  case $domain in
-  #{new_resource.hostname})
-    openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
-    pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
-    # Remove the encryption key entries from the current database.
-    # They will be recreated on restart for the new certificate
-    awk '! /^dn: cn=3D|AES,cn=encrypted attribute keys,cn=userRoot/ {print; printf "\\n" ; }' RS="" #{inst_dir}/dse.ldif > #{inst_dir}/dse_new.ldif
-    mv #{inst_dir}/dse_new.ldif #{inst_dir}/dse.ldif
-    systemctl restart #{service_name}
-    ;;
-  esac
-done
-    EOF
-
-    file "/etc/letsencrypt/renewal-hooks/deploy/dirsrv" do
-      content dirsrv_hook
-      mode 0755
-      owner "root"
-      group "root"
-    end
-
-    template "#{node['nginx']['dir']}/sites-available/#{new_resource.hostname}" do
-      source 'nginx_conf_empty.erb'
-      owner node["nginx"]["user"]
-      mode 0640
-      notifies :reload, 'service[nginx]', :delayed
-    end
-
-    nginx_certbot_site new_resource.hostname do
-      notifies :run, "execute[letsencrypt cert for #{new_resource.hostname}]", :delayed
-    end
-
-    # Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
-    # has been generated before. The renew cron will take care of renewing
-    execute "letsencrypt cert for #{new_resource.hostname}" do
-      root_directory = "/var/www/#{new_resource.hostname}"
-      command "certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{new_resource.hostname} -n"
-      only_if do
-        ::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{new_resource.hostname}_certbot") &&
-          !::File.exist?("/etc/letsencrypt/live/#{new_resource.hostname}/fullchain.pem")
-      end
-      notifies :run, "execute[add tls config]", :immediately
-    end
-
-    execute "add tls config" do
-      command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/tls.ldif' -p #{new_resource.port} -h localhost"
-      sensitive true
-      action :nothing
-      notifies :restart, "service[#{service_name}]", :immediately
-    end
-  end
 end

site-cookbooks/kosmos-ejabberd/attributes/default.rb

@@ -1,7 +1,9 @@
 node.default["kosmos-ejabberd"]["version"] = "20.12"
 node.default["kosmos-ejabberd"]["checksum"] = "3d2a4e9d1aa2d189017f4f310eff4d0b6c6d7cd911209cfbcca7b0ec5b577b65"
+node.default["kosmos-ejabberd"]["turn_ip_address"] = "148.251.83.201"
+node.default["kosmos-ejabberd"]["stun_turn_port"] = 3478
 node.default["kosmos-ejabberd"]["turn_min_port"] = 50000
-node.default["kosmos-ejabberd"]["turn_max_port"] = 55000
+node.default["kosmos-ejabberd"]["turn_max_port"] = 50050
 
 node.override["tor"]["HiddenServices"]["ejabberd"] = {
   "HiddenServicePorts" => [

site-cookbooks/kosmos-ejabberd/recipes/backup.rb

@@ -1,45 +0,0 @@
-#
-# Cookbook:: kosmos-ejabberd
-# Recipe:: backup
-#
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
-
-unless node.chef_environment == "development"
-  # backup the data dir and the config files
-  node.override["backup"]["archives"]["ejabberd"] = ["/opt/ejabberd", "/var/www/xmpp.kosmos.org", "/var/www/xmpp.5apps.com"]
-  unless node["backup"]["postgresql"]["databases"].keys.include? "ejabberd"
-    node.override["backup"]["postgresql"]["databases"]["ejabberd"] = {
-      username: "ejabberd",
-      password: postgresql_data_bag_item['ejabberd_user_password']
-    }
-  end
-  unless node["backup"]["postgresql"]["databases"].keys.include? "ejabberd_5apps"
-    node.override["backup"]["postgresql"]["databases"]["ejabberd_5apps"] = {
-      username: "ejabberd",
-      password: postgresql_data_bag_item['ejabberd_user_password']
-    }
-  end
-  include_recipe "backup"
-end

site-cookbooks/kosmos-ejabberd/recipes/default.rb

@@ -3,6 +3,8 @@
 # Recipe:: default
 #
 
+include_recipe "kosmos-dirsrv::hostsfile"
+
 ejabberd_credentials = data_bag_item("credentials", "ejabberd")
 
 ejabberd_version = node["kosmos-ejabberd"]["version"]
@@ -122,13 +124,13 @@ modules:
 ]
 
 ldap_domain = node['kosmos-dirsrv']['master_hostname']
-ldap_encryption_type = node.chef_environment == "development" ? "none" : "tls"
+ldap_encryption_type = "none"
 ldap_base = "cn=users,dc=kosmos,dc=org"
 
 admin_users = ejabberd_credentials['admins']
 
 hosts.each do |host|
-  ldap_rootdn = "uid=xmpp,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
+  ldap_rootdn = "uid=service,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
 
   template "/opt/ejabberd/conf/#{host[:name]}.yml" do
     source    "vhost.yml.erb"
@@ -159,7 +161,9 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
   variables hosts: hosts,
             admin_users: admin_users,
             stun_auth_realm: "kosmos.org",
-            turn_ip_address: node["knife_zero"]["host"],
+            stun_secret: ejabberd_credentials['stun_secret'],
+            turn_ip_address: node["kosmos-ejabberd"]["turn_ip_address"],
+            stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
             turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
             turn_max_port: node["kosmos-ejabberd"]["turn_max_port"],
             akkounts_ip_addresses: akkounts_ip_addresses

site-cookbooks/kosmos-ejabberd/recipes/firewall.rb

@@ -25,13 +25,13 @@ firewall_rule 'erlang_cluster' do
 end
 
 firewall_rule 'ejabberd_stun_turn' do
-  port     3478
-  protocol :tcp
+  port     node["kosmos-ejabberd"]["stun_turn_port"]
+  protocol :udp
   command  :allow
 end
 
 firewall_rule 'ejabberd_turn' do
   port     node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
-  protocol :tcp
+  protocol :udp
   command  :allow
 end

site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb

@@ -2,27 +2,6 @@
 # Cookbook:: kosmos-ejabberd
 # Recipe:: letsencrypt
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 
 include_recipe "kosmos-base::letsencrypt"
 

site-cookbooks/kosmos-ejabberd/recipes/nginx.rb

@@ -0,0 +1,52 @@
+#
+# Cookbook:: kosmos-ejabberd
+# Recipe:: nginx
+#
+
+include_recipe "kosmos-base::firewall"
+
+ejabberd_hosts = []
+search(:node, "role:ejabberd").each do |node|
+  ejabberd_hosts << node["knife_zero"]["host"]
+end
+
+ejabberd_hosts.each do |ip_address|
+  IPAddr.new ip_address
+rescue IPAddr::InvalidAddressError
+  ejabberd_hosts.delete ip_address
+  next
+end
+
+template "#{node['nginx']['dir']}/streams-available/ejabberd" do
+  source "nginx_conf_streams.erb"
+  owner 'www-data'
+  mode 0640
+  # variables ejabberd_hosts: ejabberd_hosts
+  variables ejabberd_hosts: ["10.1.1.113"],
+            stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
+            turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
+            turn_max_port: node["kosmos-ejabberd"]["turn_max_port"]
+  notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_stream "ejabberd" do
+  action :enable
+end
+
+firewall_rule "ejabberd" do
+  port     [5222, 5223, 5269, 5443]
+  protocol :tcp
+  command  :allow
+end
+
+firewall_rule 'ejabberd_stun_turn' do
+  port     node["kosmos-ejabberd"]["stun_turn_port"]
+  protocol :udp
+  command  :allow
+end
+
+firewall_rule 'ejabberd_turn' do
+  port     node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
+  protocol :udp
+  command  :allow
+end

site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb

@@ -78,12 +78,13 @@ listen:
     ## register: true
     captcha: false
   -
-    port: 3478
-    transport: tcp
+    port: <%= @stun_turn_port %>
+    transport: udp
     module: ejabberd_stun
     auth_realm: <%= @stun_auth_realm %>
     use_turn: true
-    turn_ip: <%= @turn_ip_address %>
+    tls: false
+    turn_ipv4_address: <%= @turn_ip_address %>
     turn_min_port: <%= @turn_min_port %>
     turn_max_port: <%= @turn_max_port %>
 
@@ -230,7 +231,21 @@ modules:
     versioning: true
     store_current_id: true
   mod_shared_roster: {}
-  mod_stun_disco: {}
+  mod_stun_disco:
+    secret: <%= @stun_secret %>
+    services:
+      -
+        host: <%= @turn_ip_address %>
+        port: <%= @stun_turn_port %>
+        type: stun
+        transport: udp
+        restricted: false
+      -
+        host: <%= @turn_ip_address %>
+        port: <%= @stun_turn_port %>
+        type: turn
+        transport: udp
+        restricted: true
   mod_vcard:
     search: false
   mod_vcard_xupdate: {}

site-cookbooks/kosmos-ejabberd/templates/nginx_conf_streams.erb

@@ -0,0 +1,81 @@
+log_format proxy '$remote_addr [$time_local] '
+           '$protocol $status $bytes_sent $bytes_received '
+           '$session_time "$upstream_addr" '
+           '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
+
+access_log /var/log/nginx/streams.log proxy buffer=32k flush=1m;
+
+upstream ejabberd_c2s {
+  hash   $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+  server <%= ip_address %>:5222;
+<% end %>
+}
+
+upstream ejabberd_c2s_tls {
+  hash   $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+  server <%= ip_address %>:5223;
+<% end %>
+}
+
+upstream ejabberd_s2s {
+  hash   $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+  server <%= ip_address %>:5269;
+<% end %>
+}
+
+upstream ejabberd_https {
+  hash   $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+  server <%= ip_address %>:5443;
+<% end %>
+}
+
+upstream ejabberd_stun_turn {
+  hash   $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+  server <%= ip_address %>:<%= @stun_turn_port %>;
+<% end %>
+}
+
+upstream ejabberd_turn {
+  hash   $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+<% (@turn_min_port..@turn_max_port).each do |port| %>
+  server <%= "#{ip_address}:#{port.to_s}" %>;
+<% end %>
+<% end %>
+}
+
+server {
+  listen     5222;
+  proxy_pass ejabberd_c2s;
+}
+
+server {
+  listen     5223;
+  proxy_pass ejabberd_c2s;
+}
+
+server {
+  listen     5269;
+  proxy_pass ejabberd_s2s;
+}
+
+server {
+  listen     5443;
+  proxy_pass ejabberd_https;
+}
+
+server {
+  listen     <%= @stun_turn_port %> udp;
+  proxy_pass ejabberd_stun_turn;
+}
+
+server {
+  listen     <%= "#{@turn_min_port}-#{@turn_max_port}" %> udp;
+  proxy_pass 10.1.1.113:$server_port;
+  #proxy_pass ejabberd_turn;
+}

site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb

@@ -1,11 +1,7 @@
 # Generated by Chef for <%= @host[:name] %>
-# FIXME: The files only exist after the certbot hook created them, meaning
-# we need to run Chef a second time
-<% if File.exist?("/opt/ejabberd/conf/#{@host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{@host[:name]}.key") -%>
 certfiles:
   - "/opt/ejabberd/conf/<%= @host[:name] %>.crt"
   - "/opt/ejabberd/conf/<%= @host[:name] %>.key"
-<% end -%>
 host_config:
   "<%= @host[:name] %>":
     sql_type: pgsql
@@ -19,7 +15,6 @@ host_config:
     ldap_rootdn: "<%= @ldap_rootdn %>"
     ldap_password: "<%= @host[:ldap_password] %>"
     ldap_encrypt: <%= @ldap_encryption_type %>
-    ldap_tls_verify: hard # when TLS is enabled, don't proceed if a cert is invalid
     ldap_base: "ou=<%= @host[:name] %>,<%= @ldap_base %>"
     ldap_filter: "(objectClass=person)"
   <% end -%>

site-cookbooks/kosmos-mediawiki/recipes/default.rb

@@ -27,6 +27,7 @@
 include_recipe 'apt'
 include_recipe 'ark'
 include_recipe 'composer'
+include_recipe 'kosmos-dirsrv::hostsfile'
 
 server_name = 'wiki.kosmos.org'
 
@@ -158,7 +159,7 @@ if node["mediawiki"]["ldap_enabled"]
   package "php-ldap"
 
   ldap_domain = node['kosmos-dirsrv']['master_hostname']
-  ldap_encryption_type = node.chef_environment == "development" ? "clear" : "tls"
+  ldap_encryption_type = "clear"
   ldap_base = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
 end
 

site-cookbooks/kosmos_discourse/metadata.rb

@@ -7,5 +7,6 @@ long_description 'Installs/Configures kosmos_discourse'
 version '0.1.0'
 chef_version '>= 14.0'
 
-depends "kosmos-nginx"
+depends 'kosmos-nginx'
 depends 'firewall'
+depends 'kosmos-dirsrv'

site-cookbooks/kosmos_discourse/recipes/default.rb

@@ -3,6 +3,8 @@
 # Recipe:: default
 #
 
+include_recipe "kosmos-dirsrv::hostsfile"
+
 package "docker-compose"
 deploy_path = "/opt/discourse"
 

site-cookbooks/kosmos_gitea/attributes/default.rb

@@ -1,7 +1,7 @@
-gitea_version = "1.16.5"
+gitea_version = "1.16.6"
 node.default["kosmos_gitea"]["version"] = gitea_version
 node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64"
-node.default["kosmos_gitea"]["binary_checksum"] = "c0fb4107dc4debf08e6e27fd3383e06dc232ccb410123179c7ae8d7cec60765f"
+node.default["kosmos_gitea"]["binary_checksum"] = "a96751af12d5e96301a97c280bafb92782e0e9b7a0bbe8960c704c0c0361e576"
 node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org"
 node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea"
 node.default["kosmos_gitea"]["port"] = 3000

site-cookbooks/kosmos_gitea/metadata.rb

@@ -23,3 +23,4 @@ depends "firewall"
 depends "kosmos-nginx"
 depends "kosmos_postgresql"
 depends "backup"
+depends "kosmos-dirsrv"

site-cookbooks/kosmos_gitea/recipes/default.rb

@@ -3,6 +3,8 @@
 # Recipe:: default
 #
 
+include_recipe "kosmos-dirsrv::hostsfile"
+
 working_directory         = node["kosmos_gitea"]["working_directory"]
 git_home_directory        = "/home/git"
 repository_root_directory = "#{git_home_directory}/gitea-repositories"