From 067f5ba0d9fc9633ecf67e3134c63c416ab38ecf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Thu, 2 Dec 2021 19:07:55 +0100 Subject: [PATCH 01/25] Add node config for ldap-1 --- clients/ldap-1.json | 4 ++++ nodes/ldap-1.json | 54 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+) create mode 100644 clients/ldap-1.json create mode 100644 nodes/ldap-1.json diff --git a/clients/ldap-1.json b/clients/ldap-1.json new file mode 100644 index 0000000..5760d00 --- /dev/null +++ b/clients/ldap-1.json @@ -0,0 +1,4 @@ +{ + "name": "ldap-1", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+bMtze1cMK3QRCnTsYwU\n5Y7EqaUU8ufrmesFhGLcMPsnZHT1KeL3GZ0Pc/ro50Eok3ryBM9DZxPRNMq5d601\n4NzHJWXgMQA9IdyNkFZejK/da+IHLLHL2BOdOx/Mhbtopcko0bupNYgBtBPPmBSD\nV0UH8t020wc7BWAx0fuIFV0iCAARo8SctLueGlEVK9VSfBFa2l95igxY71NAVV5r\n/SIkJzpHOlsKQNSqaAsVHiq+jtlJlfQ9ZdxD2EoS7GH+yWiLD4jqR5TF+Q1I/TLQ\nJuVTBg4QS2v2OgRa8bb1HdtmNo23yBJeDIUePt7KhO3Fz73wTJR2Bo6+S/D6tElZ\nawIDAQAB\n-----END PUBLIC KEY-----\n" +} \ No newline at end of file diff --git a/nodes/ldap-1.json b/nodes/ldap-1.json new file mode 100644 index 0000000..3fb5b39 --- /dev/null +++ b/nodes/ldap-1.json 
@@ -0,0 +1,54 @@ +{ + "name": "ldap-1", + "normal": { + "knife_zero": { + "host": "10.1.1.63" + } + }, + "automatic": { + "fqdn": "ldap-1", + "os": "linux", + "os_version": "5.4.0-1049-kvm", + "hostname": "ldap-1", + "ipaddress": "192.168.122.164", + "roles": [ + + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "ntp::apparmor", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default" + ], + "platform": "ubuntu", + "platform_version": "20.04", + "cloud": null, + "chef_packages": { + "chef": { + "version": "17.8.25", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.8.25/lib", + "chef_effortless": null + }, + "ohai": { + "version": "17.7.12", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.7.12/lib/ohai" + } + } + }, + "run_list": [ + "recipe[kosmos-base]", + "role[ldap]" + ] +} From d1d48cb7497989b2cad2489034799c0b5bbd119c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Thu, 2 Dec 2021 19:08:16 +0100 Subject: [PATCH 02/25] Add role for ldap (dirsrv) --- roles/ldap.rb | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 roles/ldap.rb diff --git a/roles/ldap.rb b/roles/ldap.rb new file mode 100644 index 0000000..5c21643 --- /dev/null +++ b/roles/ldap.rb @@ -0,0 +1,5 @@ +name "ldap" + +run_list %w( + recipe[kosmos-dirsrv] +) From 685deea920514b656718a630a3cddd8a316bf895 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Thu, 2 Dec 2021 19:08:27 +0100 Subject: [PATCH 03/25] Simplify dirsrv setup Connecting directly using zerotier, no more nginx --- site-cookbooks/kosmos-dirsrv/files/tls.ldif | 26 ------- site-cookbooks/kosmos-dirsrv/metadata.rb | 1 - .../kosmos-dirsrv/recipes/default.rb | 21 ------ .../kosmos-dirsrv/recipes/firewall.rb | 22 +----- .../kosmos-dirsrv/resources/instance.rb | 71 ------------------- .../templates/nginx_conf_empty.erb | 0 6 files changed, 1 insertion(+), 140 deletions(-) delete mode 100644 site-cookbooks/kosmos-dirsrv/files/tls.ldif delete mode 100644 site-cookbooks/kosmos-dirsrv/templates/nginx_conf_empty.erb diff --git a/site-cookbooks/kosmos-dirsrv/files/tls.ldif b/site-cookbooks/kosmos-dirsrv/files/tls.ldif deleted file mode 100644 index 0cc5065..0000000 --- a/site-cookbooks/kosmos-dirsrv/files/tls.ldif +++ /dev/null @@ -1,26 +0,0 @@ -dn: cn=config -changetype: modify -replace: nsslapd-security -nsslapd-security: on - -dn: cn=encryption,cn=config -changetype: modify -replace: nsSSLSessionTimeout -nsSSLSessionTimeout: 0 -- -replace: nsSSLClientAuth -nsSSLClientAuth: off -- -replace: nsSSL3 -nsSSL3: off -- -replace: nsSSL2 -nsSSL2: off - -dn: cn=RSA,cn=encryption,cn=config -objectClass: top -objectClass: nsEncryptionModule -nsSSLPersonalitySSL: Server-Cert -nsSSLActivation: on -nsSSLToken: internal (software) -cn: RSA diff --git a/site-cookbooks/kosmos-dirsrv/metadata.rb b/site-cookbooks/kosmos-dirsrv/metadata.rb index b022a52..34060e5 100644 --- a/site-cookbooks/kosmos-dirsrv/metadata.rb +++ b/site-cookbooks/kosmos-dirsrv/metadata.rb @@ -11,5 +11,4 @@ depends "firewall" depends "apt" depends "ulimit" depends "backup" -depends "kosmos-nginx" depends "kosmos-base" diff --git a/site-cookbooks/kosmos-dirsrv/recipes/default.rb b/site-cookbooks/kosmos-dirsrv/recipes/default.rb index 6bcb871..9b00066 100644 --- a/site-cookbooks/kosmos-dirsrv/recipes/default.rb 
+++ b/site-cookbooks/kosmos-dirsrv/recipes/default.rb @@ -2,27 +2,6 @@ # Cookbook Name:: kosmos-dirsrv # Recipe:: default # -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. credentials = data_bag_item("credentials", "dirsrv") diff --git a/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb b/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb index b466666..e0b7c9a 100644 --- a/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb +++ b/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb 
@@ -2,32 +2,12 @@ # Cookbook Name:: kosmos-dirsrv # Recipe:: firewall # -# The MIT License (MIT) -# -# Copyright:: 2020, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. include_recipe "kosmos-base::firewall" firewall_rule "ldap" do port [389, 636] + source "10.1.1.0/24" # zerotier protocol :tcp command :allow end diff --git a/site-cookbooks/kosmos-dirsrv/resources/instance.rb b/site-cookbooks/kosmos-dirsrv/resources/instance.rb index d0f80bc..87675dd 100644 --- a/site-cookbooks/kosmos-dirsrv/resources/instance.rb +++ b/site-cookbooks/kosmos-dirsrv/resources/instance.rb 
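Review bot: The added `source "10.1.1.0/24" # zerotier` makes overlay-network membership the only access control on the LDAP ports, and the same commit deletes tls.ldif, so binds now cross that network with no LDAP-level encryption; the one-word comment is the only record of that decision. Expand it to something like `# Reachable only from the zerotier overlay (10.1.1.0/24); TLS was dropped together with the nginx/letsencrypt setup, so the overlay is relied on for transport encryption`. Port 636 stays in `port [389, 636]` although nothing configures an LDAPS listener any more; drop it or say why it is kept.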
@@ -109,75 +109,4 @@ nsslapd-allow-anonymous-access: off action :nothing end - unless node.chef_environment == "development" - package "libnss3-tools" # provides pk12util - - cookbook_file "#{Chef::Config[:file_cache_path]}/tls.ldif" do - source "tls.ldif" - owner "root" - group "root" - end - - include_recipe "kosmos-nginx" - include_recipe "kosmos-base::letsencrypt" - - dirsrv_hook = <<-EOF -#!/usr/bin/env bash - -set -e - -# Copy the dirsrv certificate and restart the server if it has been renewed -# This is necessary because dirsrv uses a different format for the certificates -for domain in $RENEWED_DOMAINS; do - case $domain in - #{new_resource.hostname}) - openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass: - pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W '' - # Remove the encryption key entries from the current database. - # They will be recreated on restart for the new certificate - awk '! /^dn: cn=3D|AES,cn=encrypted attribute keys,cn=userRoot/ {print; printf "\\n" ; }' RS="" #{inst_dir}/dse.ldif > #{inst_dir}/dse_new.ldif - mv #{inst_dir}/dse_new.ldif #{inst_dir}/dse.ldif - systemctl restart #{service_name} - ;; - esac -done - EOF - - file "/etc/letsencrypt/renewal-hooks/deploy/dirsrv" do - content dirsrv_hook - mode 0755 - owner "root" - group "root" - end - - template "#{node['nginx']['dir']}/sites-available/#{new_resource.hostname}" do - source 'nginx_conf_empty.erb' - owner node["nginx"]["user"] - mode 0640 - notifies :reload, 'service[nginx]', :delayed - end - - nginx_certbot_site new_resource.hostname do - notifies :run, "execute[letsencrypt cert for #{new_resource.hostname}]", :delayed - end - - # Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert - # has been generated before. 
The renew cron will take care of renewing - execute "letsencrypt cert for #{new_resource.hostname}" do - root_directory = "/var/www/#{new_resource.hostname}" - command "certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{new_resource.hostname} -n" - only_if do - ::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{new_resource.hostname}_certbot") && - !::File.exist?("/etc/letsencrypt/live/#{new_resource.hostname}/fullchain.pem") - end - notifies :run, "execute[add tls config]", :immediately - end - - execute "add tls config" do - command "ldapadd -x -w #{new_resource.admin_password} -D '#{new_resource.bind_dn}' -f '#{Chef::Config[:file_cache_path]}/tls.ldif' -p #{new_resource.port} -h localhost" - sensitive true - action :nothing - notifies :restart, "service[#{service_name}]", :immediately - end - end end diff --git a/site-cookbooks/kosmos-dirsrv/templates/nginx_conf_empty.erb b/site-cookbooks/kosmos-dirsrv/templates/nginx_conf_empty.erb deleted file mode 100644 index e69de29..0000000 From da3a70ef4c6303e66594a0c84bad157240cc8b04 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Thu, 2 Dec 2021 13:56:23 -0600 Subject: [PATCH 04/25] WIP dirsrv changes --- nodes/{ldap-1.json => ldap-1.kosmos.org.json} | 18 ++++++++++++------ roles/{ldap.rb => dirsrv_primary.rb} | 2 +- .../kosmos-dirsrv/recipes/firewall.rb | 2 +- .../kosmos-dirsrv/resources/instance.rb | 3 ++- 4 files changed, 16 insertions(+), 9 deletions(-) rename nodes/{ldap-1.json => ldap-1.kosmos.org.json} (78%) rename roles/{ldap.rb => dirsrv_primary.rb} (64%) diff --git a/nodes/ldap-1.json b/nodes/ldap-1.kosmos.org.json similarity index 78% rename from nodes/ldap-1.json rename to nodes/ldap-1.kosmos.org.json index 3fb5b39..d81bfee 100644 --- a/nodes/ldap-1.json +++ b/nodes/ldap-1.kosmos.org.json 
@@ -1,22 +1,24 @@ { - "name": "ldap-1", + "name": "ldap-1.kosmos.org", "normal": { "knife_zero": { "host": "10.1.1.63" } }, "automatic": { - "fqdn": "ldap-1", + "fqdn": "ldap-1.kosmos.org", "os": "linux", "os_version": "5.4.0-1049-kvm", "hostname": "ldap-1", "ipaddress": "192.168.122.164", "roles": [ - + "dirsrv_primary" ], "recipes": [ "kosmos-base", "kosmos-base::default", + "kosmos-dirsrv", + "kosmos-dirsrv::default", "apt::default", "timezone_iii::default", "timezone_iii::debian", @@ -30,7 +32,11 @@ "postfix::_common", "postfix::_attributes", "postfix::sasl_auth", - "hostname::default" + "hostname::default", + "kosmos-dirsrv::firewall", + "backup::default", + "logrotate::default", + "ulimit::default" ], "platform": "ubuntu", "platform_version": "20.04", @@ -49,6 +55,6 @@ }, "run_list": [ "recipe[kosmos-base]", - "role[ldap]" + "role[dirsrv_primary]" ] -} +} \ No newline at end of file diff --git a/roles/ldap.rb b/roles/dirsrv_primary.rb similarity index 64% rename from roles/ldap.rb rename to roles/dirsrv_primary.rb index 5c21643..ab18c68 100644 --- a/roles/ldap.rb +++ b/roles/dirsrv_primary.rb @@ -1,4 +1,4 @@ -name "ldap" +name "dirsrv_primary" run_list %w( recipe[kosmos-dirsrv] diff --git a/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb b/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb index e0b7c9a..9c01304 100644 --- a/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb +++ b/site-cookbooks/kosmos-dirsrv/recipes/firewall.rb @@ -6,7 +6,7 @@ include_recipe "kosmos-base::firewall" firewall_rule "ldap" do - port [389, 636] + port [389] source "10.1.1.0/24" # zerotier protocol :tcp command :allow diff --git a/site-cookbooks/kosmos-dirsrv/resources/instance.rb b/site-cookbooks/kosmos-dirsrv/resources/instance.rb index 87675dd..7fd0374 100644 --- a/site-cookbooks/kosmos-dirsrv/resources/instance.rb +++ b/site-cookbooks/kosmos-dirsrv/resources/instance.rb 
@@ -1,4 +1,5 @@ resource_name :dirsrv_instance +provides :dirsrv_instance property :instance_name, String, name_property: true property :hostname, String, required: true @@ -45,7 +46,7 @@ action :create do end execute "setup-#{new_resource.instance_name}" do - command "setup-ds --silent --file #{setup_config}" + command "/usr/share/dirsrv/setup-ds.pl --silent --file #{setup_config}" creates ::File.join inst_dir, 'dse.ldif' action :nothing subscribes :run, "template[#{setup_config}]", :immediately From 8fe3670ce93b2e88fcde25ee0d38f33011d30cb9 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Tue, 26 Apr 2022 20:10:00 +0200 Subject: [PATCH 05/25] Remove ldap-1 node configs --- clients/ldap-1.json | 4 --- nodes/ldap-1.kosmos.org.json | 60 ------------------------------------ 2 files changed, 64 deletions(-) delete mode 100644 clients/ldap-1.json delete mode 100644 nodes/ldap-1.kosmos.org.json diff --git a/clients/ldap-1.json b/clients/ldap-1.json deleted file mode 100644 index 5760d00..0000000 --- a/clients/ldap-1.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "name": "ldap-1", - "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+bMtze1cMK3QRCnTsYwU\n5Y7EqaUU8ufrmesFhGLcMPsnZHT1KeL3GZ0Pc/ro50Eok3ryBM9DZxPRNMq5d601\n4NzHJWXgMQA9IdyNkFZejK/da+IHLLHL2BOdOx/Mhbtopcko0bupNYgBtBPPmBSD\nV0UH8t020wc7BWAx0fuIFV0iCAARo8SctLueGlEVK9VSfBFa2l95igxY71NAVV5r\n/SIkJzpHOlsKQNSqaAsVHiq+jtlJlfQ9ZdxD2EoS7GH+yWiLD4jqR5TF+Q1I/TLQ\nJuVTBg4QS2v2OgRa8bb1HdtmNo23yBJeDIUePt7KhO3Fz73wTJR2Bo6+S/D6tElZ\nawIDAQAB\n-----END PUBLIC KEY-----\n" -} \ No newline at end of file diff --git a/nodes/ldap-1.kosmos.org.json b/nodes/ldap-1.kosmos.org.json deleted file mode 100644 index d81bfee..0000000 --- a/nodes/ldap-1.kosmos.org.json +++ /dev/null 
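Review bot: The `command` now hard-codes `/usr/share/dirsrv/setup-ds.pl`, which ties the resource to one distribution's 389-ds package layout, and nothing records why the bare `setup-ds` lookup was replaced; since the commit is marked WIP, a one-line comment would save the next reader the package archaeology, e.g. `# setup-ds is not on PATH on Ubuntu 20.04's 389-ds-base; call the legacy installer directly` (confirm the actual reason before using that wording). The `creates ::File.join inst_dir, 'dse.ldif'` guard is unchanged, so the only visible functional change in this hunk is the path. The enclosing `action :create` block starts and ends outside the hunk.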
@@ -1,60 +0,0 @@ -{ - "name": "ldap-1.kosmos.org", - "normal": { - "knife_zero": { - "host": "10.1.1.63" - } - }, - "automatic": { - "fqdn": "ldap-1.kosmos.org", - "os": "linux", - "os_version": "5.4.0-1049-kvm", - "hostname": "ldap-1", - "ipaddress": "192.168.122.164", - "roles": [ - "dirsrv_primary" - ], - "recipes": [ - "kosmos-base", - "kosmos-base::default", - "kosmos-dirsrv", - "kosmos-dirsrv::default", - "apt::default", - "timezone_iii::default", - "timezone_iii::debian", - "ntp::default", - "ntp::apparmor", - "kosmos-base::systemd_emails", - "apt::unattended-upgrades", - "kosmos-base::firewall", - "kosmos-postfix::default", - "postfix::default", - "postfix::_common", - "postfix::_attributes", - "postfix::sasl_auth", - "hostname::default", - "kosmos-dirsrv::firewall", - "backup::default", - "logrotate::default", - "ulimit::default" - ], - "platform": "ubuntu", - "platform_version": "20.04", - "cloud": null, - "chef_packages": { - "chef": { - "version": "17.8.25", - "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.8.25/lib", - "chef_effortless": null - }, - "ohai": { - "version": "17.7.12", - "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.7.12/lib/ohai" - } - } - }, - "run_list": [ - "recipe[kosmos-base]", - "role[dirsrv_primary]" - ] -} \ No newline at end of file From 590366639e2ffab2424990008921031fda11b0d8 Mon Sep 17 00:00:00 2001 
From: Sebastian Kippe Date: Tue, 26 Apr 2022 20:10:51 +0200 Subject: [PATCH 06/25] Fix fresh dirsrv installs on Ubuntu 20.04 --- .../kosmos-dirsrv/attributes/default.rb | 1 - site-cookbooks/kosmos-dirsrv/files/ldif2db | 119 ++++++++++++++++++ .../kosmos-dirsrv/files/template-initconfig | 22 ++++ site-cookbooks/kosmos-dirsrv/metadata.rb | 3 +- .../kosmos-dirsrv/recipes/default.rb | 4 +- .../kosmos-dirsrv/recipes/hostsfile.rb | 15 +++ .../kosmos-dirsrv/resources/instance.rb | 14 +++ 7 files changed, 175 insertions(+), 3 deletions(-) create mode 100755 site-cookbooks/kosmos-dirsrv/files/ldif2db create mode 100644 site-cookbooks/kosmos-dirsrv/files/template-initconfig create mode 100644 site-cookbooks/kosmos-dirsrv/recipes/hostsfile.rb diff --git a/site-cookbooks/kosmos-dirsrv/attributes/default.rb b/site-cookbooks/kosmos-dirsrv/attributes/default.rb index 9da7f6f..e69de29 100644 --- a/site-cookbooks/kosmos-dirsrv/attributes/default.rb +++ b/site-cookbooks/kosmos-dirsrv/attributes/default.rb @@ -1 +0,0 @@ -node.default['kosmos-dirsrv']['master_hostname'] = 'ldap.kosmos.org' diff --git a/site-cookbooks/kosmos-dirsrv/files/ldif2db b/site-cookbooks/kosmos-dirsrv/files/ldif2db new file mode 100755 index 0000000..6e04734 --- /dev/null +++ b/site-cookbooks/kosmos-dirsrv/files/ldif2db 
@@ -0,0 +1,119 @@ +#!/bin/bash + +. /usr/share/dirsrv/data/DSSharedLib + +libpath_add "/usr/lib/x86_64-linux-gnu/dirsrv/" +libpath_add "" +libpath_add "/usr/lib/x86_64-linux-gnu" +libpath_add "/usr/lib/x86_64-linux-gnu" + +export LD_LIBRARY_PATH +SHLIB_PATH=$LD_LIBRARY_PATH +export SHLIB_PATH + +usage() +{ + echo "Usage: ldif2db [-Z serverID] -n backendname {-s includesuffix}* [{-x excludesuffix}*] {-i ldiffile}*" + echo " [-c chunksize] [-g [string]] [-G namespace_id] [-O] [-E] [-q] [-v] [-h]" + echo "Note: either \"-n backend\", \"-s includesuffix\", and \"-i ldiffile\" are required." + echo "Options:" + echo " -Z serverID - The server instance identifier" + echo " -n backend - Backend database name. Example: userRoot" + echo " -s inclduesuffix - Suffix to include" + echo " -x excludesuffix - Suffix to exclude" + echo " -i ldiffile - LDIF file name" + echo " -c chunksize - Number of entries to process before starting a new pass" + echo " -g [string] - String is \"none\" or \"deterministic\"" + echo " \"none\" - unique id is not generated" + echo " \"deterministic\" - generate name based unique id (-G name)" + echo " By default - generate time based unique id" + echo " -G name - Namespace id for name based uniqueid (-g deterministic)" + echo " -O - Do not index the attributes" + echo " -E - Encrypt attributes" + echo " -q - Quiet mode - suppresses output" + echo " -v - Display version" + echo " -h - Display usage" +} + +handleopts() +{ + while [ "$1" != "" ] + do + if [ "$1" = "-q" ]; then + return 1 + elif [ "$1" = "-Z" ]; then + shift + servid=$1 + elif [ "$1" = "-h" ]; then + usage + exit 0 + fi + shift + done + return 0 +} + +while getopts "Z:vhd:i:g:G:n:s:x:NOCc:St:D:Eq" flag +do + case $flag in + h) usage + exit 0;; + Z) servid=$OPTARG;; + n) args=$args" -n \"$OPTARG\"";; + i) args=$args" -i \"$OPTARG\"";; + s) args=$args" -s \"$OPTARG\"";; + x) args=$args" -x \"$OPTARG\"";; + c) args=$args" -c \"$OPTARG\"";; + d) args=$args" -d \"$OPTARG\"";; + g) 
args=$args" -g \"$OPTARG\"";; + G) args=$args" -G \"$OPTARG\"";; + t) args=$args" -t \"$OPTARG\"";; + D) args=$args" -D \"$OPTARG\"";; + E) args=$args" -E";; + v) args=$args" -v";; + N) args=$args" -N";; + C) args=$args" -C";; + S) args=$args" -S";; + O) args=$args" -O";; + q) args=$args" -q";; + ?) usage + exit 1;; + esac +done + +if [ $# -lt 4 ] +then + usage + exit 1 +fi + +ARGS=$@ +shift $(($OPTIND - 1)) +if [ $1 ] +then + echo "ERROR - Unknown option: $1" + usage + exit 1 +fi + +# FIXME look up if not master +initfile="/etc/default/dirsrv-master" +if [ $? -eq 1 ] +then + usage + echo "You must supply a valid server instance identifier. Use -Z to specify instance name" + echo "Available instances: $initfile" + exit 1 +fi + +. $initfile + +handleopts $ARGS +quiet=$? +if [ $quiet -eq 0 ]; then + echo importing data ... +fi + +eval /usr/sbin/ns-slapd ldif2db -D $CONFIG_DIR $args 2>&1 + +exit $? diff --git a/site-cookbooks/kosmos-dirsrv/files/template-initconfig b/site-cookbooks/kosmos-dirsrv/files/template-initconfig new file mode 100644 index 0000000..4a99993 --- /dev/null +++ b/site-cookbooks/kosmos-dirsrv/files/template-initconfig @@ -0,0 +1,22 @@ +# This file is sourced by dirsrv upon startup to set +# the default environment for a single specific directory +# server instances. To set defaults for all instances, edit +# the file in the same directory called dirsrv. + +# These settings are used by the start-dirsrv and +# start-slapd scripts (as well as their associates stop +# and restart scripts). Do not edit them unless you know +# what you are doing. + +# This file is in systemd EnvironmentFile format - see man systemd.exec + +SERVER_DIR={{SERVER-DIR}} +SERVERBIN_DIR={{SERVERBIN-DIR}} +CONFIG_DIR={{CONFIG-DIR}} +INST_DIR={{INST-DIR}} +RUN_DIR={{RUN-DIR}} +DS_ROOT={{DS-ROOT}} +PRODUCT_NAME={{PRODUCT-NAME}} + +# Put custom instance specific settings below here. +# if using systemd, omit the "; export VARNAME" at the end 
diff --git a/site-cookbooks/kosmos-dirsrv/metadata.rb b/site-cookbooks/kosmos-dirsrv/metadata.rb index 34060e5..83cec26 100644 --- a/site-cookbooks/kosmos-dirsrv/metadata.rb +++ b/site-cookbooks/kosmos-dirsrv/metadata.rb @@ -7,8 +7,9 @@ long_description 'Installs/Configures 389 Directory Server' version '0.1.2' chef_version '>= 14.0' -depends "firewall" depends "apt" +depends "firewall" +depends "hostsfile" depends "ulimit" depends "backup" depends "kosmos-base" diff --git a/site-cookbooks/kosmos-dirsrv/recipes/default.rb b/site-cookbooks/kosmos-dirsrv/recipes/default.rb index 9b00066..5ab07bb 100644 --- a/site-cookbooks/kosmos-dirsrv/recipes/default.rb +++ b/site-cookbooks/kosmos-dirsrv/recipes/default.rb @@ -3,10 +3,12 @@ # Recipe:: default # +include_recipe "kosmos-dirsrv::hostsfile" + credentials = data_bag_item("credentials", "dirsrv") dirsrv_instance "master" do - hostname node['kosmos-dirsrv']['master_hostname'] + hostname "ldap.kosmos.local" admin_password credentials['admin_password'] suffix "dc=kosmos,dc=org" end diff --git a/site-cookbooks/kosmos-dirsrv/recipes/hostsfile.rb b/site-cookbooks/kosmos-dirsrv/recipes/hostsfile.rb new file mode 100644 index 0000000..f6e18c5 --- /dev/null +++ b/site-cookbooks/kosmos-dirsrv/recipes/hostsfile.rb @@ -0,0 +1,15 @@ +# +# Cookbook:: kosmos-dirsrv +# Recipe:: hostsfile +# + +dirsrv_primary = search(:node, "role:dirsrv_primary AND chef_environment:#{node.chef_environment}").first + +unless dirsrv_primary.nil? + primary_ip = dirsrv_primary['knife_zero']['host'] + + hostsfile_entry primary_ip do + hostname "ldap.kosmos.local" + unique true + end +end diff --git a/site-cookbooks/kosmos-dirsrv/resources/instance.rb b/site-cookbooks/kosmos-dirsrv/resources/instance.rb index 7fd0374..966e613 100644 --- a/site-cookbooks/kosmos-dirsrv/resources/instance.rb +++ b/site-cookbooks/kosmos-dirsrv/resources/instance.rb 
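Review bot: `hostname "ldap.kosmos.local"` hard-codes a value that the hostsfile recipe added in the same commit repeats verbatim, while the attribute that used to carry it, `node['kosmos-dirsrv']['master_hostname']`, is deleted in this commit's attributes/default.rb hunk but is still read by other cookbooks; the kosmos-ejabberd default recipe visible later on this page (`ldap_domain = node['kosmos-dirsrv']['master_hostname']`) would now get nil unless an environment or role sets it. Keep the attribute, pointed at the new name, and reference it from both places: `node.default['kosmos-dirsrv']['master_hostname'] = 'ldap.kosmos.local'` in attributes/default.rb and `hostname node['kosmos-dirsrv']['master_hostname']` here and in recipes/hostsfile.rb. The same point applies to the hostsfile.rb hunk in this commit and to the PATCH 13 hunk at the end of the page.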
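Review bot: When `search(:node, "role:dirsrv_primary AND chef_environment:#{node.chef_environment}").first` returns nothing, before the primary has been converged and indexed or after a role rename, the recipe silently does nothing and the cookbooks that include it (ejabberd, gitea, akkounts, all later on this page) fail to resolve `ldap.kosmos.local` at runtime instead of at converge time; turn the `unless` into `if dirsrv_primary` with an `else` branch doing `Chef::Log.warn("kosmos-dirsrv::hostsfile: no dirsrv_primary node in #{node.chef_environment}; ldap.kosmos.local not written")`, or `raise` if a missing primary should be fatal. Worth a comment too: whichever node carries `role:dirsrv_primary` becomes the destination for what this series turns into plaintext LDAP traffic, and `.first` picks an arbitrary one if several match, so `# Trusts the node index: the node claiming role dirsrv_primary decides where LDAP clients connect` records that assumption. `dirsrv_primary['knife_zero']['host']` matches the normal attribute shown in the node JSON earlier on this page, so that lookup is consistent.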
@@ -34,6 +34,20 @@ action :create do inst_dir = "/etc/dirsrv/slapd-#{new_resource.instance_name}" service_name = "dirsrv@#{new_resource.instance_name}" + cookbook_file "/etc/dirsrv/config/template-initconfig" do + source "template-initconfig" + mode "0644" + owner "dirsrv" + group "dirsrv" + end + + cookbook_file "/usr/sbin/ldif2db" do + source "ldif2db" + mode "0755" + owner "root" + group "root" + end + unless ::Dir.exists?(inst_dir) setup_config = "#{config[:conf_dir]}/setup-#{new_resource.instance_name}.inf" template setup_config do From 3cc11e58d3cfd0948461dd70825dd0da6b27e922 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Tue, 26 Apr 2022 20:11:17 +0200 Subject: [PATCH 07/25] Add ldap-2 node config --- clients/ldap-2.json | 4 +++ nodes/ldap-2.kosmos.org.json | 57 ++++++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 clients/ldap-2.json create mode 100644 nodes/ldap-2.kosmos.org.json diff --git a/clients/ldap-2.json b/clients/ldap-2.json new file mode 100644 index 0000000..fa01ec5 --- /dev/null +++ b/clients/ldap-2.json @@ -0,0 +1,4 @@ +{ + "name": "ldap-2.kosmos.org", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAycyHso4sCJ/RLkuQl1Qp\nBaAJsWw8NilZyoZwuaYAC4IGJ1Pn4p+6Ly4vWveGCPbDf18VNFHwNMSjtH94EWOo\nrF8Qiamcn8/NlT6NbbN77fjOFDvwITW9+7zgJz9QNsAT7lbdv9eWlWijnslVvqtk\njx9IuqAF1tEKEfnhj8wAHLT8WPABHzmp3PdfZXKN4fjCL9VcPNruXJiCIuNPnWIo\nUxY9IRa9DiZ1jXIcWrTLLHCzq07jeo+MWpC5Uuz3U6+zfevFBHM0xpGMsouIfvLf\nF+MeckT5OhwujUL4IvfZ0Wl6/5wsvHbLFFW7KsmiBK0Su04OnKnZUSaAmtEDU2w4\nSQIDAQAB\n-----END PUBLIC KEY-----\n" +} diff --git a/nodes/ldap-2.kosmos.org.json b/nodes/ldap-2.kosmos.org.json new file mode 100644 index 0000000..2217ed3 --- /dev/null +++ b/nodes/ldap-2.kosmos.org.json 
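Review bot: The new `cookbook_file "/usr/sbin/ldif2db"` installs a cookbook-managed script at a path the distribution package may own; if 389-ds-base ships its own `/usr/sbin/ldif2db`, the two will overwrite each other on every package upgrade and chef run (confirm against the package's file list before merging). A comment stating why the override exists, which the commit subject only hints at, would help: `# Replaces the packaged wrapper, which fails on fresh Ubuntu 20.04 instances; see files/ldif2db`. Both `cookbook_file` resources run on every converge, ahead of the `unless ::Dir.exists?(inst_dir)` guard, and `owner "dirsrv"` on the template-initconfig file assumes the package has already created that user earlier in the action, which is outside this hunk.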
@@ -0,0 +1,57 @@ +{ + "name": "ldap-2.kosmos.org", + "normal": { + "knife_zero": { + "host": "10.1.1.232" + } + }, + "automatic": { + "fqdn": "ldap-2.kosmos.org", + "os": "linux", + "os_version": "5.4.0-1062-kvm", + "hostname": "ldap-2", + "ipaddress": "192.168.122.241", + "roles": [ + "dirsrv_primary" + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "kosmos-dirsrv", + "kosmos-dirsrv::default", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "ntp::apparmor", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default", + "kosmos-dirsrv::hostsfile" + ], + "platform": "ubuntu", + "platform_version": "20.04", + "cloud": null, + "chef_packages": { + "chef": { + "version": "17.10.3", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib", + "chef_effortless": null + }, + "ohai": { + "version": "17.9.0", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai" + } + } + }, + "run_list": [ + "recipe[kosmos-base]", + "role[dirsrv_primary]" + ] +} \ No newline at end of file From 7ffd3bbf73038e90ddf1d0d967bd4ce72a76307d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Thu, 28 Apr 2022 12:11:04 +0200 Subject: [PATCH 08/25] Add LDAP's Zerotier IP to the akkount server's hosts --- nodes/akkounts-1.json | 1 + site-cookbooks/kosmos-akkounts/metadata.rb | 1 + site-cookbooks/kosmos-akkounts/recipes/default.rb | 1 + 3 files changed, 3 insertions(+) diff --git a/nodes/akkounts-1.json b/nodes/akkounts-1.json index 9b85cab..74896f9 100644 --- a/nodes/akkounts-1.json +++ b/nodes/akkounts-1.json @@ -44,6 +44,7 @@ "redis::default", "backup::default", "logrotate::default", + "kosmos-dirsrv::hostsfile", "nodejs::npm", "nodejs::install", "kosmos-nginx::default", 
diff --git a/site-cookbooks/kosmos-akkounts/metadata.rb b/site-cookbooks/kosmos-akkounts/metadata.rb index 538869f..98f70bd 100644 --- a/site-cookbooks/kosmos-akkounts/metadata.rb +++ b/site-cookbooks/kosmos-akkounts/metadata.rb @@ -16,3 +16,4 @@ depends 'application_git' depends "postgresql" depends "kosmos_postgresql" depends "backup" +depends "kosmos-dirsrv" diff --git a/site-cookbooks/kosmos-akkounts/recipes/default.rb b/site-cookbooks/kosmos-akkounts/recipes/default.rb index efc1d20..2173628 100644 --- a/site-cookbooks/kosmos-akkounts/recipes/default.rb +++ b/site-cookbooks/kosmos-akkounts/recipes/default.rb @@ -22,6 +22,7 @@ package "libpq-dev" include_recipe 'kosmos-nodejs' include_recipe "kosmos-redis" +include_recipe "kosmos-dirsrv::hostsfile" npm_package "yarn" do version "1.22.4" From b869002c1aea0ed53fa2bdd6b31e0bf3927f5b4b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Tue, 10 May 2022 11:50:35 +0200 Subject: [PATCH 09/25] Update Gitea to 1.16.6 --- site-cookbooks/kosmos_gitea/attributes/default.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site-cookbooks/kosmos_gitea/attributes/default.rb b/site-cookbooks/kosmos_gitea/attributes/default.rb index 4ee223d..01cc968 100644 --- a/site-cookbooks/kosmos_gitea/attributes/default.rb +++ b/site-cookbooks/kosmos_gitea/attributes/default.rb 
@@ -1,7 +1,7 @@ -gitea_version = "1.16.5" +gitea_version = "1.16.6" node.default["kosmos_gitea"]["version"] = gitea_version node.default["kosmos_gitea"]["binary_url"] = "https://dl.gitea.io/gitea/#{gitea_version}/gitea-#{gitea_version}-linux-amd64" -node.default["kosmos_gitea"]["binary_checksum"] = "c0fb4107dc4debf08e6e27fd3383e06dc232ccb410123179c7ae8d7cec60765f" +node.default["kosmos_gitea"]["binary_checksum"] = "a96751af12d5e96301a97c280bafb92782e0e9b7a0bbe8960c704c0c0361e576" node.default["kosmos_gitea"]["nginx"]["domain"] = "gitea.kosmos.org" node.default["kosmos_gitea"]["working_directory"] = "/var/lib/gitea" node.default["kosmos_gitea"]["port"] = 3000 From 907706d1d28436518ab7d61a7c2f4c61762d1242 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Tue, 10 May 2022 11:50:49 +0200 Subject: [PATCH 10/25] Set up the hosts entry for the new LDAP server --- site-cookbooks/kosmos_gitea/metadata.rb | 1 + site-cookbooks/kosmos_gitea/recipes/default.rb | 2 ++ 2 files changed, 3 insertions(+) diff --git a/site-cookbooks/kosmos_gitea/metadata.rb b/site-cookbooks/kosmos_gitea/metadata.rb index 27947c3..95cd94a 100644 --- a/site-cookbooks/kosmos_gitea/metadata.rb +++ b/site-cookbooks/kosmos_gitea/metadata.rb @@ -23,3 +23,4 @@ depends "firewall" depends "kosmos-nginx" depends "kosmos_postgresql" depends "backup" +depends "kosmos-dirsrv" diff --git a/site-cookbooks/kosmos_gitea/recipes/default.rb b/site-cookbooks/kosmos_gitea/recipes/default.rb index f7f3a62..8b2ae0a 100644 --- a/site-cookbooks/kosmos_gitea/recipes/default.rb +++ b/site-cookbooks/kosmos_gitea/recipes/default.rb @@ -3,6 +3,8 @@ # Recipe:: default # +include_recipe "kosmos-dirsrv::hostsfile" + working_directory = node["kosmos_gitea"]["working_directory"] git_home_directory = "/home/git" repository_root_directory = "#{git_home_directory}/gitea-repositories" From 1502d1956d7358ab3e4c3ffdc01584893865f102 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 11 May 2022 14:47:32 +0200 Subject: [PATCH 11/25] Set new passwords for the LDAP service accounts --- data_bags/credentials/ejabberd.json | 32 ++++++++++++++--------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/data_bags/credentials/ejabberd.json b/data_bags/credentials/ejabberd.json index cb2d066..3ef7052 100644 --- a/data_bags/credentials/ejabberd.json +++ b/data_bags/credentials/ejabberd.json 
@@ -1,38 +1,38 @@ { "id": "ejabberd", "5apps_ldap_password": { - "encrypted_data": "RdzDZk2F4yBvgII84JGt8AF0LT4cyjRQFQvMJ5LhdB54T06Kjq3S\n", - "iv": "+3WlMHiNAFVE4iku\n", - "auth_tag": "mKheQu/KeHSyt8W783lrzA==\n", + "encrypted_data": "+sg4xj4nVTepvCOQ+Nupln+Ni2zkpxEHyJxj8IQqug==\n", + "iv": "38KjEZZbI9rNfsA1\n", + "auth_tag": "O3onB3RmxU09fBsQO9h5OA==\n", "version": 3, "cipher": "aes-256-gcm" }, "kosmos_ldap_password": { - "encrypted_data": "fABWhxMuLaF2qLFdIN//R6bgBkD60WRWiBZPErB1eBOxHqOp813o\n", - "iv": "uBPPYY/FM2hee05V\n", - "auth_tag": "cO+zP2QggWIzbuVxtkct2w==\n", + "encrypted_data": "GFTIbthhsiVnkRk8C8cqvyBTCnSQ7JgqM1djR63BYg==\n", + "iv": "07hmbipcLzslZT81\n", + "auth_tag": "yCSwv9oI/eDY5ATXn5oFmQ==\n", "version": 3, "cipher": "aes-256-gcm" }, "uploads_secret": { - "encrypted_data": "03Y8CNBstV7vYopx8X54hkRSlnwwbOg5Y0KwTPV4qys1\n", - "iv": "gLTP7Y2Y70jL+sxH\n", - "auth_tag": "HJoyOF4rYm9ayKfViuKBlA==\n", + "encrypted_data": "QMY6QnL/hxGAxG4hQBFSsM7sRR3izZO62EjZAIV2F165\n", + "iv": "Swez2eH4b11G/exT\n", + "auth_tag": "zKsX7IYoMKPOmdGxZcfMPQ==\n", "version": 3, "cipher": "aes-256-gcm" }, "admins": { - "encrypted_data": "mRX2Lxqxb//Gd76bk+G3V+eObaq+NILiMsHHjFvjBCvJrznvRzezqW1VHhwW\ndH/ZY2gM8CVCcmYNQ8Xtg/1loPYAUjROvDRirj5i9fP7zgJRc1anNmohDOle\n34aNPYverGm+IJ21sFrAv4Xe/KleJBO5ynuiInqqvljcu3LiuvSYBXW34yWB\n", - "iv": "QqJJM8gmox565JUd\n", - "auth_tag": "yWRLb22JwJjjoK6Wdr1ujg==\n", + "encrypted_data": "NMmjCdV3H/cg3G2/gToqxj0iq1UpOBwjaK8eya46doNOC77AlOdV5uPTJvqI\nJYmy31RUFPtjQUfCsidPpsbdx3k6sQjiPSRZDEA9u6S35w9hNBXHz1PLCDKb\nCfEtwM30xhmcDSFEllpXFE+0Bh1lUF/cHFt9/z5ZjSPYKSQg5cM2h89nMScJ\n", + "iv": "9TlJYq79eQy6T1l/\n", + "auth_tag": "E8KMY1uIVWtnAFmdiP1R5g==\n", "version": 3, "cipher": "aes-256-gcm" }, "erlang_cookie": { - "encrypted_data": "UDCzEWgVLH0z33Exx5G+OjUXw1odz4xO8qRLXODo5jBzMQdyYQCd\n", - "iv": "mm+fYYceD1nPsuo1\n", - "auth_tag": "77un6mkgrHAmnBQhrhpPfQ==\n", + "encrypted_data": "YKCUrV/vEH2zWXlZJWIQkYhK+uwBaHvSpYmdVQwQgQTxege7HtTs\n", + "iv": 
"c7SINIqy8p+yMlQ+\n", + "auth_tag": "b7OyWy3QFaQLENmiNqaFPg==\n", "version": 3, "cipher": "aes-256-gcm" } -} +} \ No newline at end of file From ff7cb1ce4a2195d91b1149481abc2b62873b2cdd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 11 May 2022 14:48:30 +0200 Subject: [PATCH 12/25] Generate a hosts entry for the LDAP server --- site-cookbooks/kosmos-ejabberd/recipes/default.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index e94674e..39a1ec6 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb @@ -3,6 +3,8 @@ # Recipe:: default # +include_recipe "kosmos-dirsrv::hostsfile" + ejabberd_credentials = data_bag_item("credentials", "ejabberd") ejabberd_version = node["kosmos-ejabberd"]["version"] From e53e55cb2d716e283e07a49913ec0b5f7324db0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 11 May 2022 14:49:00 +0200 Subject: [PATCH 13/25] Disable TLS for LDAP since we're using Zerotier networking --- site-cookbooks/kosmos-ejabberd/recipes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index 39a1ec6..cdde575 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb @@ -124,7 +124,7 @@ modules: ] ldap_domain = node['kosmos-dirsrv']['master_hostname'] -ldap_encryption_type = node.chef_environment == "development" ? "none" : "tls" +ldap_encryption_type = "none" ldap_base = "cn=users,dc=kosmos,dc=org" admin_users = ejabberd_credentials['admins'] From c56870008ed207fc62f54aeba5d5525823ed7290 Mon Sep 17 00:00:00 2001 
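Review bot: Forcing `ldap_encryption_type = "none"` for every environment sends the ejabberd LDAP bind password (`ldap_password` in vhost.yml.erb) and all directory lookups in cleartext, with the ZeroTier overlay as the only protection; the same downgrade is made in kosmos-mediawiki (PATCH 17, `ldap_encryption_type = "clear"`) and PATCH 24 drops the `ldap_tls_verify: hard` line that enforced certificate checks whenever TLS is on. If the overlay is the intended trust boundary, say so on this line so it is not read as a leftover dev shortcut: `# LDAP traffic stays on the ZeroTier overlay (ldap.kosmos.local); TLS intentionally off — revisit if the server becomes reachable from outside it`. Keeping the previous environment check, or a node attribute that switches encryption back on, would avoid a silent downgrade if a non-overlay environment is ever added. The enclosing recipe continues outside the hunk.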
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 11 May 2022 14:49:28 +0200 Subject: [PATCH 14/25] Use the new LDAP services application accounts --- site-cookbooks/kosmos-ejabberd/recipes/default.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index cdde575..68c0776 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb @@ -130,7 +130,7 @@ ldap_base = "cn=users,dc=kosmos,dc=org" admin_users = ejabberd_credentials['admins'] hosts.each do |host| - ldap_rootdn = "uid=xmpp,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org" + ldap_rootdn = "uid=service,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org" template "/opt/ejabberd/conf/#{host[:name]}.yml" do source "vhost.yml.erb" From c158f845f078c5f4a25c397e64cf716ad7d17bbe Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Wed, 11 May 2022 15:12:10 +0200 Subject: [PATCH 15/25] Configure STUN/TURN for ejabberd and nginx proxy --- data_bags/credentials/ejabberd.json | 37 +++++---- nodes/fornax.kosmos.org.json | 1 + roles/nginx_proxy.rb | 1 + .../kosmos-ejabberd/attributes/default.rb | 4 +- .../kosmos-ejabberd/recipes/default.rb | 4 +- .../kosmos-ejabberd/recipes/firewall.rb | 6 +- .../kosmos-ejabberd/recipes/nginx.rb | 52 ++++++++++++ .../templates/ejabberd.yml.erb | 23 +++++- .../templates/nginx_conf_streams.erb | 81 +++++++++++++++++++ 9 files changed, 185 insertions(+), 24 deletions(-) create mode 100644 site-cookbooks/kosmos-ejabberd/recipes/nginx.rb create mode 100644 site-cookbooks/kosmos-ejabberd/templates/nginx_conf_streams.erb diff --git a/data_bags/credentials/ejabberd.json b/data_bags/credentials/ejabberd.json index 3ef7052..f27ed88 100644 --- a/data_bags/credentials/ejabberd.json +++ b/data_bags/credentials/ejabberd.json 
@@ -1,37 +1,44 @@ { "id": "ejabberd", "5apps_ldap_password": { - "encrypted_data": "+sg4xj4nVTepvCOQ+Nupln+Ni2zkpxEHyJxj8IQqug==\n", - "iv": "38KjEZZbI9rNfsA1\n", - "auth_tag": "O3onB3RmxU09fBsQO9h5OA==\n", + "encrypted_data": "3o0jv/jKAIVR/FcyLH5JfDlbqsEYC1LnN2qK25b47Q==\n", + "iv": "6YTMw9vMiDANQDVP\n", + "auth_tag": "hIfhn4fHcuV34TLt0o4BLg==\n", "version": 3, "cipher": "aes-256-gcm" }, "kosmos_ldap_password": { - "encrypted_data": "GFTIbthhsiVnkRk8C8cqvyBTCnSQ7JgqM1djR63BYg==\n", - "iv": "07hmbipcLzslZT81\n", - "auth_tag": "yCSwv9oI/eDY5ATXn5oFmQ==\n", + "encrypted_data": "3DuaEKmfnBycnPHtOPX59i1Iu2MiDsUv2NhHMLVRVA==\n", + "iv": "XC2igt4I4qNNgCYD\n", + "auth_tag": "cRKNVa+dgIeKtMJbV26fMQ==\n", "version": 3, "cipher": "aes-256-gcm" }, "uploads_secret": { - "encrypted_data": "QMY6QnL/hxGAxG4hQBFSsM7sRR3izZO62EjZAIV2F165\n", - "iv": "Swez2eH4b11G/exT\n", - "auth_tag": "zKsX7IYoMKPOmdGxZcfMPQ==\n", + "encrypted_data": "Hsa0CNxtxgSeqcConNMINdNHnq8Nb4FTokRg3yZB2Fw5\n", + "iv": "fWjiwhJ7NZIvUHyt\n", + "auth_tag": "BS7TfOFSLeozLtuD6pRr6g==\n", "version": 3, "cipher": "aes-256-gcm" }, "admins": { - "encrypted_data": "NMmjCdV3H/cg3G2/gToqxj0iq1UpOBwjaK8eya46doNOC77AlOdV5uPTJvqI\nJYmy31RUFPtjQUfCsidPpsbdx3k6sQjiPSRZDEA9u6S35w9hNBXHz1PLCDKb\nCfEtwM30xhmcDSFEllpXFE+0Bh1lUF/cHFt9/z5ZjSPYKSQg5cM2h89nMScJ\n", - "iv": "9TlJYq79eQy6T1l/\n", - "auth_tag": "E8KMY1uIVWtnAFmdiP1R5g==\n", + "encrypted_data": "5Nr8AHUFlFCjjG/OtLXcJIfvAF0MLbiGYgmG3ck8Da+duGMLz35Kh/BT4ZCd\nOK/7ID35whjRm0CbaanzfffDiTaa8Bo/DI+2rZDdaFyiaOeGvOXv21YwC7IT\nIZkH6pphbxzR86kfxtPB9bqhkA7rq9toCU1TU3TCXlNG6flR0c02j6t3Nwu7\n", + "iv": "vFjSjzaEiZJB4lAo\n", + "auth_tag": "3DEcFQSC1H7q/o9EiAwS3A==\n", "version": 3, "cipher": "aes-256-gcm" }, "erlang_cookie": { - "encrypted_data": "YKCUrV/vEH2zWXlZJWIQkYhK+uwBaHvSpYmdVQwQgQTxege7HtTs\n", - "iv": "c7SINIqy8p+yMlQ+\n", - "auth_tag": "b7OyWy3QFaQLENmiNqaFPg==\n", + "encrypted_data": "+W8iX2Ye1QL6Tqy4J5DyBIQ8oPEaIWONV1tsoTEZT+YjqqTfFgqo\n", + "iv": "2fYgOBtGmqFTFddy\n", + 
"auth_tag": "6tfWx9FA/oD7c4THW7cQlQ==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "stun_secret": { + "encrypted_data": "bgLeWgPdI3LQTlxZI2Wcn2/NY+zyumxUPJUFqUrZn7MEEXQOl1Dd2W0Vzks=\n", + "iv": "xevLfSR+wqEk5jVw\n", + "auth_tag": "7Jvcaq2UlLJVIX7TqSX2OQ==\n", "version": 3, "cipher": "aes-256-gcm" } diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json index e4965b7..f8bb746 100644 --- a/nodes/fornax.kosmos.org.json +++ b/nodes/fornax.kosmos.org.json @@ -24,6 +24,7 @@ "kosmos_gitea::nginx", "kosmos_website", "kosmos_website::default", + "kosmos-ejabberd::nginx", "apt::default", "timezone_iii::default", "timezone_iii::debian", diff --git a/roles/nginx_proxy.rb b/roles/nginx_proxy.rb index 8b428e2..0bed71a 100644 --- a/roles/nginx_proxy.rb +++ b/roles/nginx_proxy.rb @@ -6,6 +6,7 @@ default_run_list = %w( kosmos_drone::nginx kosmos_gitea::nginx kosmos_website::default + kosmos-ejabberd::nginx ) env_run_lists( diff --git a/site-cookbooks/kosmos-ejabberd/attributes/default.rb b/site-cookbooks/kosmos-ejabberd/attributes/default.rb index e4e6bf9..8efada3 100644 --- a/site-cookbooks/kosmos-ejabberd/attributes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/attributes/default.rb @@ -1,7 +1,9 @@ node.default["kosmos-ejabberd"]["version"] = "20.12" node.default["kosmos-ejabberd"]["checksum"] = "3d2a4e9d1aa2d189017f4f310eff4d0b6c6d7cd911209cfbcca7b0ec5b577b65" +node.default["kosmos-ejabberd"]["turn_ip_address"] = "148.251.83.201" +node.default["kosmos-ejabberd"]["stun_turn_port"] = 3478 node.default["kosmos-ejabberd"]["turn_min_port"] = 50000 -node.default["kosmos-ejabberd"]["turn_max_port"] = 55000 +node.default["kosmos-ejabberd"]["turn_max_port"] = 50050 node.override["tor"]["HiddenServices"]["ejabberd"] = { "HiddenServicePorts" => [ diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index 68c0776..8afce5c 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb 
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@@ -161,7 +161,9 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
 variables hosts: hosts,
 admin_users: admin_users,
 stun_auth_realm: "kosmos.org",
- turn_ip_address: node["knife_zero"]["host"],
+ stun_secret: ejabberd_credentials['stun_secret'],
+ turn_ip_address: node["kosmos-ejabberd"]["turn_ip_address"],
+ stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
 turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
 turn_max_port: node["kosmos-ejabberd"]["turn_max_port"],
 akkounts_ip_addresses: akkounts_ip_addresses
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb b/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb
index 968da9b..ca1f393 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb
@@ -25,13 +25,13 @@ firewall_rule 'erlang_cluster' do
 end
 firewall_rule 'ejabberd_stun_turn' do
- port 3478
- protocol :tcp
+ port node["kosmos-ejabberd"]["stun_turn_port"]
+ protocol :udp
 command :allow
 end
 firewall_rule 'ejabberd_turn' do
 port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
- protocol :tcp
+ protocol :udp
 command :allow
 end
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb b/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb new file mode 100644
index 0000000..328985c
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb
@@ -0,0 +1,52 @@
+#
+# Cookbook:: kosmos-ejabberd
+# Recipe:: nginx
+#
+
+include_recipe "kosmos-base::firewall"
+
+ejabberd_hosts = []
+search(:node, "role:ejabberd").each do |node|
+ ejabberd_hosts << node["knife_zero"]["host"]
+end
+
+ejabberd_hosts.each do |ip_address|
+ IPAddr.new ip_address
+rescue IPAddr::InvalidAddressError
+ ejabberd_hosts.delete ip_address
+ next
+end
+
+template "#{node['nginx']['dir']}/streams-available/ejabberd" do
+ source "nginx_conf_streams.erb"
+ owner 'www-data'
+ mode 0640
+ # variables ejabberd_hosts: ejabberd_hosts
+ variables ejabberd_hosts: ["10.1.1.113"],
+ stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
+ turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
+ turn_max_port: node["kosmos-ejabberd"]["turn_max_port"]
+ notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_stream "ejabberd" do
+ action :enable
+end
+
+firewall_rule "ejabberd" do
+ port [5222, 5223, 5269, 5443]
+ protocol :tcp
+ command :allow
+end
+
+firewall_rule 'ejabberd_stun_turn' do
+ port node["kosmos-ejabberd"]["stun_turn_port"]
+ protocol :udp
+ command :allow
+end
+
+firewall_rule 'ejabberd_turn' do
+ port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
+ protocol :udp
+ command :allow
+end
diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
index a46759d..d8f8a48 100644
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
@@ -78,12 +78,13 @@ listen:
 ## register: true
 captcha: false
 -
- port: 3478
- transport: tcp
+ port: <%= @stun_turn_port %>
+ transport: udp
 module: ejabberd_stun
 auth_realm: <%= @stun_auth_realm %>
 use_turn: true
- turn_ip: <%= @turn_ip_address %>
+ tls: false
+ turn_ipv4_address: <%= @turn_ip_address %>
 turn_min_port: <%= @turn_min_port %>
 turn_max_port: <%= @turn_max_port %>
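Review bot: The validation loop mutates `ejabberd_hosts` while iterating it (`ejabberd_hosts.delete ip_address` inside `ejabberd_hosts.each`), which can skip the element following a removed one, and its result is then discarded because the template is rendered with the hard-coded `["10.1.1.113"]` while the real list sits in a commented-out line. The block parameter in `search(...).each do |node|` also shadows Chef's `node` method for the block body, and `IPAddr` is used without a `require "ipaddr"` — presumably already loaded by Chef, but worth confirming. A `map` plus `select!` (a `rescue` clause in a `do` block is valid on the Ruby 3.0 that the chef_root paths on this page show) keeps the filtering and lets the template consume it; if the hard-coded address is a deliberate stopgap, a comment saying why and when it can go should replace the commented-out line.
```ruby
# … unchanged: header comment, include_recipe …
ejabberd_hosts = search(:node, "role:ejabberd").map { |found| found["knife_zero"]["host"] }

# Keep only literal IP addresses so node data cannot inject arbitrary text
# into the generated stream config.
ejabberd_hosts.select! do |ip_address|
  IPAddr.new(ip_address)
  true
rescue IPAddr::InvalidAddressError
  false
end

template "#{node['nginx']['dir']}/streams-available/ejabberd" do
  # … unchanged: source, owner, mode …
  variables ejabberd_hosts: ejabberd_hosts,
  # … unchanged: port variables, notifies …
end
# … unchanged: nginx_stream and firewall_rule resources …
```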
@@ -230,7 +231,21 @@ modules:
 versioning: true
 store_current_id: true
 mod_shared_roster: {}
- mod_stun_disco: {}
+ mod_stun_disco:
+ secret: <%= @stun_secret %>
+ services:
+ -
+ host: <%= @turn_ip_address %>
+ port: <%= @stun_turn_port %>
+ type: stun
+ transport: udp
+ restricted: false
+ -
+ host: <%= @turn_ip_address %>
+ port: <%= @stun_turn_port %>
+ type: turn
+ transport: udp
+ restricted: true
 mod_vcard:
 search: false
 mod_vcard_xupdate: {}
diff --git a/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_streams.erb b/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_streams.erb new file mode 100644
index 0000000..6c2fba1
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_streams.erb
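Review bot: `secret: <%= @stun_secret %>` is rendered into YAML unquoted, so a secret containing `#`, `: ` or a leading special character would change how ejabberd parses the value or break config loading; quote it as the vhost template already does for `ldap_password`, `secret: "<%= @stun_secret %>"` (a secret containing `"` or `\` would still need escaping). The plaintext STUN/TURN secret now lives in /opt/ejabberd/conf/ejabberd.yml, whose owner and mode are set outside this hunk — worth confirming the file is not group- or world-readable. The `restricted: false` STUN entry beside the `restricted: true` TURN entry looks intentional (binding tests need no credential, relaying does), and a one-line comment saying so would spare the next reader a lookup.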
@@ -0,0 +1,81 @@
+log_format proxy '$remote_addr [$time_local] '
+ '$protocol $status $bytes_sent $bytes_received '
+ '$session_time "$upstream_addr" '
+ '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
+
+access_log /var/log/nginx/streams.log proxy buffer=32k flush=1m;
+
+upstream ejabberd_c2s {
+ hash $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+ server <%= ip_address %>:5222;
+<% end %>
+}
+
+upstream ejabberd_c2s_tls {
+ hash $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+ server <%= ip_address %>:5223;
+<% end %>
+}
+
+upstream ejabberd_s2s {
+ hash $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+ server <%= ip_address %>:5269;
+<% end %>
+}
+
+upstream ejabberd_https {
+ hash $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+ server <%= ip_address %>:5443;
+<% end %>
+}
+
+upstream ejabberd_stun_turn {
+ hash $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+ server <%= ip_address %>:<%= @stun_turn_port %>;
+<% end %>
+}
+
+upstream ejabberd_turn {
+ hash $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+<% (@turn_min_port..@turn_max_port).each do |port| %>
+ server <%= "#{ip_address}:#{port.to_s}" %>;
+<% end %>
+<% end %>
+}
+
+server {
+ listen 5222;
+ proxy_pass ejabberd_c2s;
+}
+
+server {
+ listen 5223;
+ proxy_pass ejabberd_c2s;
+}
+
+server {
+ listen 5269;
+ proxy_pass ejabberd_s2s;
+}
+
+server {
+ listen 5443;
+ proxy_pass ejabberd_https;
+}
+
+server {
+ listen <%= @stun_turn_port %> udp;
+ proxy_pass ejabberd_stun_turn;
+}
+
+server {
+ listen <%= "#{@turn_min_port}-#{@turn_max_port}" %> udp;
+ proxy_pass 10.1.1.113:$server_port;
+ #proxy_pass ejabberd_turn;
+} From 5c00e2d28ae95b2d9ebceeab94fbe43257d0490b Mon Sep 17 00:00:00 2001
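Review bot: The `listen 5223;` server block forwards to `ejabberd_c2s`, the backend's 5222 STARTTLS listener, while the `ejabberd_c2s_tls` upstream defined above is never referenced, so direct-TLS clients on 5223 reach a non-TLS port; it should read `proxy_pass ejabberd_c2s_tls;`. The TURN relay block also bypasses the `ejabberd_turn` upstream with a hard-coded `proxy_pass 10.1.1.113:$server_port;`, so `@ejabberd_hosts` only governs the other streams and the proxy keeps pointing at that host after node changes; if that is deliberate (a port-range upstream cannot map each relay port to the same port on the backend), a comment there saying so would keep someone from "fixing" it. `access_log` records `$remote_addr` for every stream connection, which is presumably wanted for abuse tracing but means client addresses are retained in /var/log/nginx/streams.log.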
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 11 May 2022 15:37:36 +0200 Subject: [PATCH 16/25] Add an attribute containing the LDAP server's address --- site-cookbooks/kosmos-dirsrv/attributes/default.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/site-cookbooks/kosmos-dirsrv/attributes/default.rb b/site-cookbooks/kosmos-dirsrv/attributes/default.rb index e69de29..00af5e8 100644 --- a/site-cookbooks/kosmos-dirsrv/attributes/default.rb +++ b/site-cookbooks/kosmos-dirsrv/attributes/default.rb @@ -0,0 +1 @@ +node.default['kosmos-dirsrv']['master_hostname'] = 'ldap.kosmos.local' From 0d133de1b879e356a8a92135e23170cdf6751c60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 11 May 2022 16:21:51 +0200 Subject: [PATCH 17/25] New config and credentials for LDAP connection in mediawiki --- data_bags/credentials/mediawiki.json | 18 +++++++++--------- .../kosmos-mediawiki/recipes/default.rb | 3 ++- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/data_bags/credentials/mediawiki.json b/data_bags/credentials/mediawiki.json index 24ba630..85e798d 100644 --- a/data_bags/credentials/mediawiki.json +++ b/data_bags/credentials/mediawiki.json 
@@ -1,23 +1,23 @@ { "id": "mediawiki", "db_pass": { - "encrypted_data": "bkvlD9N8a2EAoBDRcJ5Yhio7vQPnc5qMxH3Of/A/epieJZXBudkYrDaQZmbu\nSwYseFveqEleys4IbI+zTOaBN5LejDpH\n", - "iv": "OPbDsQjNBP7Yabsx\n", - "auth_tag": "0cl2nkL0V07cWC5SZjNXBA==\n", + "encrypted_data": "giNnksOeZDSsoBSsF/RvaVIbtgp5EpRJnbZdH4nt755Tx3ZjHj8Hl6kvXo2t\n34l6/6jjwUIiig1vxKt8+2pHm1hXAbJ9\n", + "iv": "hnDHoyGbZyuQVG5f\n", + "auth_tag": "3oNeFn22P25qwJ0KaVerxw==\n", "version": 3, "cipher": "aes-256-gcm" }, "ldap_user": { - "encrypted_data": "+iKtv/pB8rU0kJYlhr/KNUM63uG5RpDUCduW9sakxwaMs7V5JetSdaUmabIk\np8EiF5FDvYLUWqq5SOblTfPELMY3C0j5XwgxDKo=\n", - "iv": "ynjajkZHawmcE81H\n", - "auth_tag": "cxcsojaQW8dFZHR50QnZjw==\n", + "encrypted_data": "bA21rCjUKGFMxSK3BSmKmIe7JS4C8IU062abpRAe8OBqypLgbgv+YpPiF+v3\nscfMaydHNg9qtK1MzP33MmRkI43q7o2TJXpI6+vZA2Y=\n", + "iv": "78mNymw45lR0spXg\n", + "auth_tag": "3RdUdoQsquNLUAV+POkcRQ==\n", "version": 3, "cipher": "aes-256-gcm" }, "ldap_password": { - "encrypted_data": "Kb5/RiGyXEf0X4KAgprCrZU+lFaWYuu6gjSXanujWxXx5YUdQLzZ\n", - "iv": "U1JBexbrnmJ4HNSZ\n", - "auth_tag": "LDeG8mOM5iLxy/VslTakSg==\n", + "encrypted_data": "lEaG+bHkMftmJENQ99h+HfRaYFYw4HI/ugwfwKJU2A==\n", + "iv": "31oRFt2sXKay+sy1\n", + "auth_tag": "tfkRa3lUZkj2PTl39APTTw==\n", "version": 3, "cipher": "aes-256-gcm" } diff --git a/site-cookbooks/kosmos-mediawiki/recipes/default.rb b/site-cookbooks/kosmos-mediawiki/recipes/default.rb index 1024296..5046629 100644 --- a/site-cookbooks/kosmos-mediawiki/recipes/default.rb +++ b/site-cookbooks/kosmos-mediawiki/recipes/default.rb @@ -27,6 +27,7 @@ include_recipe 'apt' include_recipe 'ark' include_recipe 'composer' +include_recipe 'kosmos-dirsrv::hostsfile' server_name = 'wiki.kosmos.org' 
@@ -158,7 +159,7 @@ if node["mediawiki"]["ldap_enabled"] package "php-ldap" ldap_domain = node['kosmos-dirsrv']['master_hostname'] - ldap_encryption_type = node.chef_environment == "development" ? "clear" : "tls" + ldap_encryption_type = "clear" ldap_base = "ou=kosmos.org,cn=users,dc=kosmos,dc=org" end From a14cd9a74f05d4ec589c3115a076f19c96f41b0d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 11 May 2022 16:22:11 +0200 Subject: [PATCH 18/25] New config for LDAP in Discourse --- site-cookbooks/kosmos_discourse/metadata.rb | 3 ++- site-cookbooks/kosmos_discourse/recipes/default.rb | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/site-cookbooks/kosmos_discourse/metadata.rb b/site-cookbooks/kosmos_discourse/metadata.rb index d8aa80e..1c2ac07 100644 --- a/site-cookbooks/kosmos_discourse/metadata.rb +++ b/site-cookbooks/kosmos_discourse/metadata.rb @@ -7,5 +7,6 @@ long_description 'Installs/Configures kosmos_discourse' version '0.1.0' chef_version '>= 14.0' -depends "kosmos-nginx" +depends 'kosmos-nginx' depends 'firewall' +depends 'kosmos-dirsrv' diff --git a/site-cookbooks/kosmos_discourse/recipes/default.rb b/site-cookbooks/kosmos_discourse/recipes/default.rb index a313f44..4515f91 100644 --- a/site-cookbooks/kosmos_discourse/recipes/default.rb +++ b/site-cookbooks/kosmos_discourse/recipes/default.rb @@ -3,6 +3,8 @@ # Recipe:: default # +include_recipe "kosmos-dirsrv::hostsfile" + package "docker-compose" deploy_path = "/opt/discourse" From e766a96d3b8b9066db2818ed1dd6b594630c9538 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 11 May 2022 16:22:31 +0200 Subject: [PATCH 19/25] Update the discourse-2 node after Chef run --- nodes/discourse-2.json | 1 + 1 file changed, 1 insertion(+) diff --git a/nodes/discourse-2.json b/nodes/discourse-2.json index 4b8a773..2c1f11a 100644 --- a/nodes/discourse-2.json +++ b/nodes/discourse-2.json 
@@ -33,6 +33,7 @@ "postfix::_attributes", "postfix::sasl_auth", "hostname::default", + "kosmos-dirsrv::hostsfile", "firewall::default", "chef-sugar::default" ], From 32f620e95c735697a800898721372e946bfccd93 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 11 May 2022 16:22:49 +0200 Subject: [PATCH 20/25] Update the wiki-1 node after Chef run --- nodes/wiki-1.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nodes/wiki-1.json b/nodes/wiki-1.json index d4ef9fb..20ffbb0 100644 --- a/nodes/wiki-1.json +++ b/nodes/wiki-1.json @@ -8,7 +8,7 @@ "automatic": { "fqdn": "wiki-1", "os": "linux", - "os_version": "5.4.0-54-generic", + "os_version": "5.4.0-91-generic", "hostname": "wiki-1", "ipaddress": "192.168.122.26", "roles": [ @@ -40,6 +40,7 @@ "php::package", "php::ini", "composer::global_configs", + "kosmos-dirsrv::hostsfile", "mediawiki::default", "mediawiki::database", "kosmos-nginx::default", From b3f1a74cc2eff8830de6eab5a7335f1c464c7f45 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Wed, 11 May 2022 16:25:02 +0200 Subject: [PATCH 21/25] Remove obsolete ejabberd backups --- roles/ejabberd.rb | 1 - .../kosmos-ejabberd/recipes/backup.rb | 45 ------------------- 2 files changed, 46 deletions(-) delete mode 100644 site-cookbooks/kosmos-ejabberd/recipes/backup.rb diff --git a/roles/ejabberd.rb b/roles/ejabberd.rb index 824fd67..2ada5cb 100644 --- a/roles/ejabberd.rb +++ b/roles/ejabberd.rb @@ -9,7 +9,6 @@ production_run_list = %w( role[postgresql_client] kosmos-ejabberd::default kosmos-ejabberd::letsencrypt - kosmos-ejabberd::backup ) env_run_lists( 'development' => default_run_list, diff --git a/site-cookbooks/kosmos-ejabberd/recipes/backup.rb b/site-cookbooks/kosmos-ejabberd/recipes/backup.rb deleted file mode 100644 index 57fb43a..0000000 --- a/site-cookbooks/kosmos-ejabberd/recipes/backup.rb +++ /dev/null 
@@ -1,45 +0,0 @@ -# -# Cookbook:: kosmos-ejabberd -# Recipe:: backup -# -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. - -postgresql_data_bag_item = data_bag_item('credentials', 'postgresql') - -unless node.chef_environment == "development" - # backup the data dir and the config files - node.override["backup"]["archives"]["ejabberd"] = ["/opt/ejabberd", "/var/www/xmpp.kosmos.org", "/var/www/xmpp.5apps.com"] - unless node["backup"]["postgresql"]["databases"].keys.include? "ejabberd" - node.override["backup"]["postgresql"]["databases"]["ejabberd"] = { - username: "ejabberd", - password: postgresql_data_bag_item['ejabberd_user_password'] - } - end - unless node["backup"]["postgresql"]["databases"].keys.include? 
"ejabberd_5apps" - node.override["backup"]["postgresql"]["databases"]["ejabberd_5apps"] = { - username: "ejabberd", - password: postgresql_data_bag_item['ejabberd_user_password'] - } - end - include_recipe "backup" -end From e89e0b312254d1bad055fbe54fe141759896b144 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Wed, 11 May 2022 16:25:32 +0200 Subject: [PATCH 22/25] Fix letsencrypt bootstrap for ejabberd --- roles/ejabberd.rb | 2 +- site-cookbooks/kosmos-base/recipes/letsencrypt.rb | 1 + site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb | 4 ---- 3 files changed, 2 insertions(+), 5 deletions(-) diff --git a/roles/ejabberd.rb b/roles/ejabberd.rb index 2ada5cb..a2d802b 100644 --- a/roles/ejabberd.rb +++ b/roles/ejabberd.rb @@ -7,8 +7,8 @@ default_run_list = %w( production_run_list = %w( role[postgresql_client] - kosmos-ejabberd::default kosmos-ejabberd::letsencrypt + kosmos-ejabberd::default ) env_run_lists( 'development' => default_run_list, diff --git a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb index d047bba..ce65d33 100644 --- a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb +++ b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb @@ -52,6 +52,7 @@ end end end +# TODO check if nginx is installed/running on the node file "/etc/letsencrypt/renewal-hooks/deploy/nginx" do content <<-EOF #!/usr/bin/env bash diff --git a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb index 77fe955..4d57a23 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb 
@@ -1,11 +1,7 @@ # Generated by Chef for <%= @host[:name] %> -# FIXME: The files only exist after the certbot hook created them, meaning -# we need to run Chef a second time -<% if File.exist?("/opt/ejabberd/conf/#{@host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{@host[:name]}.key") -%> certfiles: - "/opt/ejabberd/conf/<%= @host[:name] %>.crt" - "/opt/ejabberd/conf/<%= @host[:name] %>.key" -<% end -%> host_config: "<%= @host[:name] %>": sql_type: pgsql From decd937d43eddced2fcf1b0feff4e7210d01ac71 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Wed, 11 May 2022 16:26:33 +0200 Subject: [PATCH 23/25] Remove superfluous license header --- .../kosmos-ejabberd/recipes/letsencrypt.rb | 21 ------------------- 1 file changed, 21 deletions(-) diff --git a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb index 6b29885..4dddb5d 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb 
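Review bot: Dropping the `File.exist?` guard makes the `certfiles` entries unconditional, so on a node where `/opt/ejabberd/conf/<host>.crt` and `.key` do not exist yet ejabberd is pointed at missing files at first converge; the run-list reorder in roles/ejabberd.rb (letsencrypt before default) presumably covers that, but only if kosmos-ejabberd::letsencrypt produces both files within the same run. A comment in place of the removed FIXME would record the dependency: `# certfiles are created by kosmos-ejabberd::letsencrypt, which roles/ejabberd.rb runs before this recipe`. The rest of the vhost template is outside the hunk.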
@@ -2,27 +2,6 @@ # Cookbook:: kosmos-ejabberd # Recipe:: letsencrypt # -# The MIT License (MIT) -# -# Copyright:: 2019, Kosmos Developers -# -# Permission is hereby granted, free of charge, to any person obtaining a copy -# of this software and associated documentation files (the "Software"), to deal -# in the Software without restriction, including without limitation the rights -# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -# copies of the Software, and to permit persons to whom the Software is -# furnished to do so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in -# all copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -# THE SOFTWARE. include_recipe "kosmos-base::letsencrypt" From 48c3fef1a170c4b76c4a158f70ff9a051a710ecc Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Wed, 11 May 2022 16:26:49 +0200 Subject: [PATCH 24/25] Remove TLS config for ejabberd LDAP --- site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb | 1 - 1 file changed, 1 deletion(-) diff --git a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb index 4d57a23..df9677e 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb 
@@ -15,7 +15,6 @@ host_config: ldap_rootdn: "<%= @ldap_rootdn %>" ldap_password: "<%= @host[:ldap_password] %>" ldap_encrypt: <%= @ldap_encryption_type %> - ldap_tls_verify: hard # when TLS is enabled, don't proceed if a cert is invalid ldap_base: "ou=<%= @host[:name] %>,<%= @ldap_base %>" ldap_filter: "(objectClass=person)" <% end -%> From 2d6cbd22e4c9106a88802907bc3b5c5424d3a920 Mon Sep 17 00:00:00 2001 From: Sebastian Kippe Date: Wed, 11 May 2022 16:27:07 +0200 Subject: [PATCH 25/25] Add ejabberd-8 node config --- clients/ejabberd-8.json | 4 +++ nodes/ejabberd-8.json | 63 +++++++++++++++++++++++++++++++++++++++++ 2 files changed, 67 insertions(+) create mode 100644 clients/ejabberd-8.json create mode 100644 nodes/ejabberd-8.json diff --git a/clients/ejabberd-8.json b/clients/ejabberd-8.json new file mode 100644 index 0000000..b1f791a --- /dev/null +++ b/clients/ejabberd-8.json @@ -0,0 +1,4 @@ +{ + "name": "ejabberd-8", + "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2r+emfhx7bl7MxEeIDGY\nKnj3xEyFvVgXL7GwOsbKszFVgZ17yuPwa6vuiJsZsbcFC/nXgGNH2WF5FEv7XhOi\nwE8KMeNrR4xQ9BEANRlRgUTfrkhZG1NCy7PpVBb7L2r36STBuFSdQJmruJAfvTHm\na4hhmfaSIJ0Wa+Q24gL1GNwkSRdOhXRYxB4OvNIJzzuC3XqgugQVG5xzZh0kULQs\nkZVvkL5dM0FEZzBn8aK2sohTFDivvYJy7PAogC9Z5M1nPatZBowruUZvCym3Wh1J\nRtBwsS9SsTcsUqaT9FpEa7vYUney1/R8G2FAFufTyztjgBQzh78GhU+dek+ycIf1\nVQIDAQAB\n-----END PUBLIC KEY-----\n" +} \ No newline at end of file diff --git a/nodes/ejabberd-8.json b/nodes/ejabberd-8.json new file mode 100644 index 0000000..9ebc158 --- /dev/null +++ b/nodes/ejabberd-8.json 
@@ -0,0 +1,63 @@ +{ + "name": "ejabberd-8", + "normal": { + "knife_zero": { + "host": "10.1.1.123" + } + }, + "automatic": { + "fqdn": "ejabberd-8", + "os": "linux", + "os_version": "5.4.0-1063-kvm", + "hostname": "ejabberd-8", + "ipaddress": "192.168.122.27", + "roles": [ + "ejabberd", + "postgresql_client" + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "kosmos_postgresql::hostsfile", + "kosmos-ejabberd::letsencrypt", + "kosmos-ejabberd", + "kosmos-ejabberd::default", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "ntp::apparmor", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default", + "kosmos-base::letsencrypt", + "kosmos-dirsrv::hostsfile", + "kosmos-ejabberd::firewall", + "tor-full::default" + ], + "platform": "ubuntu", + "platform_version": "20.04", + "cloud": null, + "chef_packages": { + "chef": { + "version": "17.10.3", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/chef-17.10.3/lib", + "chef_effortless": null + }, + "ohai": { + "version": "17.9.0", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/3.0.0/gems/ohai-17.9.0/lib/ohai" + } + } + }, + "run_list": [ + "recipe[kosmos-base]", + "role[ejabberd]" + ] +} \ No newline at end of file