Improve ejabberd HTTP API configs and access

Move the listener to a separate endpoint on port 80, which is only
accessible from the private network. Change accounts.kosmos.org to use
the new endpoint via a `.local` domain instead of faking external
access.

site-cookbooks/kosmos-ejabberd/recipes/default.rb

@@ -186,6 +186,7 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
             stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
             turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
             turn_max_port: node["kosmos-ejabberd"]["turn_max_port"],
+            private_ip_address: node["knife_zero"]["host"],
             akkounts_ip_addresses: akkounts_ip_addresses
   notifies :reload, "service[ejabberd]", :delayed
 end
@@ -198,6 +199,13 @@ unless node.chef_environment == "development"
   include_recipe "kosmos-ejabberd::firewall"
 end
 
+firewall_rule 'ejabberd_http' do
+  port     [80]
+  source   "10.1.1.0/24"
+  protocol :tcp
+  command  :allow
+end
+
 #
 # Tor hidden service
 #