From 6534086df2b55a215d9e6958190ce6bfd434008a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Tue, 16 Sep 2025 16:05:57 +0200 Subject: [PATCH 1/7] Update logger configuration MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Remove unused/deprecated options * Hide user IPs * Set level to "info" Co-authored-by: Greg Karékinian --- site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb index 5d3860e..93f081f 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb @@ -1,10 +1,8 @@ -loglevel: 4 - log_rotate_size: 10485760 -log_rotate_date: "" log_rotate_count: 1 -log_rate_limit: 100 +loglevel: info +hide_sensitive_log_data: true hosts: <% @hosts.each do |host| -%> From 03f1d16998b9c4ea3152d42506c3937cac07d294 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Tue, 16 Sep 2025 16:07:10 +0200 Subject: [PATCH 2/7] Update SQL Schema automatically on ejabberd upgrades MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Greg Karékinian --- site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb index 93f081f..5cfe81f 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb @@ -93,6 +93,8 @@ auth_method: sql default_db: sql +update_sql_schema: true + shaper: normal: rate: 3000 From dde29c4a6c1cdea110b89ecfd8ac195816d61ffa Mon Sep 17 00:00:00 2001 
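Review bot: `hide_sensitive_log_data: true` in the first hunk of ejabberd.yml.erb masks client IP addresses in the log, which also removes the source attribution that abuse handling and incident response normally take from these files. If login throttling on these hosts is meant to happen inside the server rather than through log scraping, state that next to the option, for example `# IPs are masked in logs; brute-force limiting must not depend on log parsing`. The context lines keep `log_rotate_count: 1` with a 10 MB rotate size, so retained history is short and it is worth confirming that logs are shipped elsewhere before rotation.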
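Review bot: `update_sql_schema: true` lets ejabberd alter its own tables at startup, so the database role it connects with must permanently hold schema-changing rights rather than plain data access. The role's grants are not visible in this hunk, so this is a point to confirm, and it deserves a comment such as `# requires DDL rights for the ejabberd DB role; take a backup before upgrading`. Later patches in this series bump the ejabberd version, so the migration would presumably run unattended on the first converge after each bump.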
From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Tue, 16 Sep 2025 17:01:43 +0200 Subject: [PATCH 3/7] Upgrade ejabberd to 24.02 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Greg Karékinian --- site-cookbooks/kosmos-ejabberd/attributes/default.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site-cookbooks/kosmos-ejabberd/attributes/default.rb b/site-cookbooks/kosmos-ejabberd/attributes/default.rb index 42960c5..0b97a59 100644 --- a/site-cookbooks/kosmos-ejabberd/attributes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/attributes/default.rb @@ -1,6 +1,6 @@ -node.default["ejabberd"]["version"] = "23.10" +node.default["ejabberd"]["version"] = "24.02" node.default["ejabberd"]["package_version"] = "1" -node.default["ejabberd"]["checksum"] = "1b02108c81e22ab28be84630d54061f0584b76d5c2702e598352269736b05e77" +node.default["ejabberd"]["checksum"] = "476c187b42074b88472fd1c8042418072e47962facd47dab4e5883f6f61b2173" node.default["ejabberd"]["turn_domain"] = "turn.kosmos.org" node.default["ejabberd"]["stun_auth_realm"] = "kosmos.org" node.default["ejabberd"]["stun_turn_port"] = 3478 From ea4713c654ea6c98f027ef4dda4a03809126fe7e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Tue, 16 Sep 2025 17:47:41 +0200 Subject: [PATCH 4/7] Move firewall config MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Greg Karékinian --- site-cookbooks/kosmos-ejabberd/recipes/default.rb | 7 ------- site-cookbooks/kosmos-ejabberd/recipes/firewall.rb | 7 +++++++ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index aad241f..f6f2040 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb 
@@ -225,10 +225,3 @@ end unless node.chef_environment == "development" include_recipe "kosmos-ejabberd::firewall" end - -firewall_rule 'ejabberd_http' do - port [80] - source "10.1.1.0/24" - protocol :tcp - command :allow -end diff --git a/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb b/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb index b29ce6a..fcf7ca2 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb @@ -35,3 +35,10 @@ firewall_rule 'ejabberd_turn' do protocol :udp command :allow end + +firewall_rule 'ejabberd_http' do + port [80] + source "10.1.1.0/24" + protocol :tcp + command :allow +end From 73e8a2c41360c3142e52a9dfd7bc4f021e610781 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Tue, 16 Sep 2025 17:48:09 +0200 Subject: [PATCH 5/7] Fix random port being used for EPMD node MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes not being able to join a cluster from other nodes, because the ports are not within the firewall range of allowed ports. Co-authored-by: Greg Karékinian --- .../kosmos-ejabberd/recipes/default.rb | 16 +- .../templates/ejabberdctl.cfg.erb | 175 ++++++++++++++++++ 2 files changed, 182 insertions(+), 9 deletions(-) create mode 100644 site-cookbooks/kosmos-ejabberd/templates/ejabberdctl.cfg.erb diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index f6f2040..548b588 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb 
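Review bot: The `ejabberd_http` rule is not a pure move: in default.rb it sat after the `unless node.chef_environment == "development"` block and therefore applied in every environment, while firewall.rb is only included outside development. If that narrowing is intended, say so in a comment above the rule or in the commit message; if not, development nodes lose the port 80 allowance. The rule also carries the literal `"10.1.1.0/24"` with no hint of what is served over plain HTTP, so a comment such as `# plain HTTP, private network only: <what connects here>` would help. The hunk starts inside the preceding `ejabberd_turn` rule, so the rest of firewall.rb is not visible here.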
@@ -65,15 +65,13 @@ file "/opt/ejabberd/.hosts.erlang" do content ejabberd_hostnames.map{|h| "#{h}."}.join("\n") end -ruby_block "configure ERLANG_NODE" do - block do - file = Chef::Util::FileEdit.new("/opt/ejabberd/conf/ejabberdctl.cfg") - file.search_file_replace_line( - %r{#ERLANG_NODE=ejabberd@localhost}, - "ERLANG_NODE=ejabberd@#{node['name']}" - ) - file.write_file - end +template "/opt/ejabberd/conf/ejabberdctl.cfg" do + source "ejabberdctl.cfg.erb" + mode 0644 + owner 'ejabberd' + group 'ejabberd' + variables epmd_node_name: "ejabberd@#{node['name']}" + notifies :reload, "service[ejabberd]", :delayed end postgresql_data_bag_item = data_bag_item('credentials', 'postgresql') diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberdctl.cfg.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberdctl.cfg.erb new file mode 100644 index 0000000..b87f90c --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberdctl.cfg.erb 
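Review bot: `notifies :reload, "service[ejabberd]", :delayed` on the new ejabberdctl.cfg template probably does not apply the change, because the values in that file (ERLANG_NODE, FIREWALL_WINDOW) are passed to the Erlang runtime when ejabberd starts. A configuration reload would then leave the node on its old distribution ports until the next full restart. How the service resource implements reload is not visible in this hunk, so this is inferred. If a restart on config change is acceptable, use `notifies :restart, "service[ejabberd]", :delayed`; otherwise add a comment that a manual rolling restart is needed for the port range to take effect. `mode 0644` would also read better as the string `'0644'`, the usual Chef form.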
@@ -0,0 +1,175 @@
+#
+# In this file you can configure options that are passed by ejabberdctl
+# to the erlang runtime system when starting ejabberd
+#
+
+#' POLL: Kernel polling ([true|false])
+#
+# The kernel polling option requires support in the kernel.
+# Additionally, you need to enable this feature while compiling Erlang.
+#
+# Default: true
+#
+#POLL=true
+
+#.
+#' SMP: SMP support ([enable|auto|disable])
+#
+# Explanation in Erlang/OTP documentation:
+# enable: starts the Erlang runtime system with SMP support enabled.
+# This may fail if no runtime system with SMP support is available.
+# auto: starts the Erlang runtime system with SMP support enabled if it
+# is available and more than one logical processor are detected.
+# disable: starts a runtime system without SMP support.
+#
+# Default: enable
+#
+#SMP=enable
+
+#.
+#' ERL_MAX_PORTS: Maximum number of simultaneously open Erlang ports
+#
+# ejabberd consumes two or three ports for every connection, either
+# from a client or from another Jabber server. So take this into
+# account when setting this limit.
+#
+# Default: 32000
+# Maximum: 268435456
+#
+#ERL_MAX_PORTS=32000
+
+#.
+#' FIREWALL_WINDOW: Range of allowed ports to pass through a firewall
+#
+# If Ejabberd is configured to run in cluster, and a firewall is blocking ports,
+# it's possible to make Erlang use a defined range of port (instead of dynamic
+# ports) for node communication.
+#
+# Default: not defined
+# Example: 4200-4210
+#
+FIREWALL_WINDOW=4200-4210
+
+#.
+#' INET_DIST_INTERFACE: IP address where this Erlang node listens other nodes
+#
+# This communication is used by ejabberdctl command line tool,
+# and in a cluster of several ejabberd nodes.
+#
+# Default: 0.0.0.0
+#
+#INET_DIST_INTERFACE=127.0.0.1
+
+#.
+#' ERL_EPMD_ADDRESS: IP addresses where epmd listens for connections
+#
+# IMPORTANT: This option works only in Erlang/OTP R14B03 and newer.
+#
+# This environment variable may be set to a comma-separated
+# list of IP addresses, in which case the epmd daemon
+# will listen only on the specified address(es) and on the
+# loopback address (which is implicitly added to the list if it
+# has not been specified). The default behaviour is to listen on
+# all available IP addresses.
+#
+# Default: 0.0.0.0
+#
+#ERL_EPMD_ADDRESS=127.0.0.1
+
+#.
+#' ERL_PROCESSES: Maximum number of Erlang processes
+#
+# Erlang consumes a lot of lightweight processes. If there is a lot of activity
+# on ejabberd so that the maximum number of processes is reached, people will
+# experience greater latency times. As these processes are implemented in
+# Erlang, and therefore not related to the operating system processes, you do
+# not have to worry about allowing a huge number of them.
+#
+# Default: 250000
+# Maximum: 268435456
+#
+#ERL_PROCESSES=250000
+
+#.
+#' ERL_MAX_ETS_TABLES: Maximum number of ETS and Mnesia tables
+#
+# The number of concurrent ETS and Mnesia tables is limited. When the limit is
+# reached, errors will appear in the logs:
+# ** Too many db tables **
+# You can safely increase this limit when starting ejabberd. It impacts memory
+# consumption but the difference will be quite small.
+#
+# Default: 1400
+#
+#ERL_MAX_ETS_TABLES=1400
+
+#.
+#' ERL_OPTIONS: Additional Erlang options
+#
+# The next variable allows to specify additional options passed to erlang while
+# starting ejabberd. Some useful options are -noshell, -detached, -heart. When
+# ejabberd is started from an init.d script options -noshell and -detached are
+# added implicitly. See erl(1) for more info.
+#
+# It might be useful to add "-pa /usr/local/lib/ejabberd/ebin" if you
+# want to add local modules in this path.
+#
+# Default: ""
+#
+#ERL_OPTIONS=""
+
+#.
+#' ERLANG_NODE: Erlang node name
+#
+# The next variable allows to explicitly specify erlang node for ejabberd
+# It can be given in different formats:
+# ERLANG_NODE=ejabberd
+# Lets erlang add hostname to the node (ejabberd uses short name in this case)
+# ERLANG_NODE=ejabberd@hostname
+# Erlang uses node name as is (so make sure that hostname is a real
+# machine hostname or you'll not be able to control ejabberd)
+# ERLANG_NODE=ejabberd@hostname.domainname
+# The same as previous, but erlang will use long hostname
+# (see erl (1) manual for details)
+#
+# Default: ejabberd@localhost
+#
+ERLANG_NODE=<%= @epmd_node_name %>
+
+#.
+#' EJABBERD_PID_PATH: ejabberd PID file
+#
+# Indicate the full path to the ejabberd Process identifier (PID) file.
+# If this variable is defined, ejabberd writes the PID file when starts,
+# and deletes it when stops.
+# Remember to create the directory and grant write permission to ejabberd.
+#
+# Default: don't write PID file
+#
+#EJABBERD_PID_PATH=/var/run/ejabberd/ejabberd.pid
+
+#.
+#' CONTRIB_MODULES_PATH: contributed ejabberd modules path
+#
+# Specify the full path to the contributed ejabberd modules. If the path is not
+# defined, ejabberd will use ~/.ejabberd-modules in home of user running ejabberd.
+#
+# Default: $HOME/.ejabberd-modules
+#
+#CONTRIB_MODULES_PATH=/opt/ejabberd-modules
+
+#.
+#' CONTRIB_MODULES_CONF_DIR: configuration directory for contributed modules
+#
+# Specify the full path to the configuration directory for contributed ejabberd
+# modules. In order to configure a module named mod_foo, a mod_foo.yml file can
+# be created in this directory. This file will then be used instead of the
+# default configuration file provided with the module.
+#
+# Default: $CONTRIB_MODULES_PATH/conf
+#
+#CONTRIB_MODULES_CONF_DIR=/etc/ejabberd/modules
+
+#.
+#'
+# vim: foldmarker=#',#. foldmethod=marker:
From 2ea5b30224033fc75ff5d9e8a3aec267afd458f2 Mon Sep 17 00:00:00 2001
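Review bot: `FIREWALL_WINDOW=4200-4210` pins the distribution ports, but `#INET_DIST_INTERFACE=127.0.0.1` and `#ERL_EPMD_ADDRESS=127.0.0.1` stay commented out, so by the defaults documented in this same file both the distribution listener and epmd bind to 0.0.0.0. Erlang distribution is protected only by the shared cookie, and an authenticated peer has full control of the node, so the listeners should be reachable from the cluster network only. Consider rendering `INET_DIST_INTERFACE=<private address of this node>` from a template variable. Also check that the firewall rules for 4200-4210 and the epmd port accept only the other cluster members; those rules are outside this hunk.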
From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Sun, 21 Sep 2025 12:42:29 +0200 Subject: [PATCH 6/7] Upgrade ejabberd to 25.08 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Greg Karékinian --- site-cookbooks/kosmos-ejabberd/attributes/default.rb | 4 ++-- .../kosmos-ejabberd/templates/ejabberd.yml.erb | 12 ++++++++++++ 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/site-cookbooks/kosmos-ejabberd/attributes/default.rb b/site-cookbooks/kosmos-ejabberd/attributes/default.rb index 0b97a59..658d2c3 100644 --- a/site-cookbooks/kosmos-ejabberd/attributes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/attributes/default.rb @@ -1,6 +1,6 @@ -node.default["ejabberd"]["version"] = "24.02" +node.default["ejabberd"]["version"] = "25.08" node.default["ejabberd"]["package_version"] = "1" -node.default["ejabberd"]["checksum"] = "476c187b42074b88472fd1c8042418072e47962facd47dab4e5883f6f61b2173" +node.default["ejabberd"]["checksum"] = "e4703bc41b5843fc4b76e8b54a9380d5895f9b3dcd4795e05ad0c260ed9b9a23" node.default["ejabberd"]["turn_domain"] = "turn.kosmos.org" node.default["ejabberd"]["stun_auth_realm"] = "kosmos.org" node.default["ejabberd"]["stun_turn_port"] = 3478 diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb index 5cfe81f..f1b9fd9 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb @@ -4,6 +4,9 @@ log_rotate_count: 1 loglevel: info hide_sensitive_log_data: true +log_modules_fully: + - mod_s3_upload + hosts: <% @hosts.each do |host| -%> - "<%= host[:name] %>" @@ -119,6 +122,15 @@ acl: - "::1/128" - "::FFFF:127.0.0.1/128" +api_permissions: + "webadmin commands": + who: + - admin + from: + - ejabberd_web_admin + what: + - "*" + shaper_rules: max_user_sessions: 10 max_user_offline_messages: 
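Review bot: `log_modules_fully: - mod_s3_upload` makes that module log everything regardless of `loglevel: info`, and it is not evident that `hide_sensitive_log_data: true` covers what an upload module writes at debug level. Depending on the module, this can include object URLs or request signatures, which should not end up in retained logs. If this is a temporary debugging aid, mark it with a comment like `# TEMP: full logging while debugging uploads, remove afterwards`; otherwise confirm what the module emits before rolling it out.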
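Review bot: The new `api_permissions` entry grants `what: "*"`, i.e. every API command, to anyone matching the `admin` ACL when the request comes through `ejabberd_web_admin`. The members of that ACL and the listener serving the web admin are not visible in this hunk, so the effective exposure depends on both. Confirm that the admin listener is reachable only from the private network and that `admin` holds as few accounts as possible. If the web admin is used for only a few tasks, `what` can list those commands instead of the wildcard; otherwise a comment above the block stating why the wildcard is needed would make the intent reviewable.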
From ae3df992e49bb8b7b4dceb391a24e3a2e24451c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A2u=20Cao?= Date: Sun, 21 Sep 2025 12:45:54 +0200 Subject: [PATCH 7/7] Update node info --- nodes/ejabberd-4.json | 1 + nodes/ejabberd-8.json | 1 + 2 files changed, 2 insertions(+) diff --git a/nodes/ejabberd-4.json b/nodes/ejabberd-4.json index eccf3bc..8f88713 100644 --- a/nodes/ejabberd-4.json +++ b/nodes/ejabberd-4.json @@ -37,6 +37,7 @@ "timezone_iii::debian", "ntp::default", "ntp::apparmor", + "kosmos-base::journald_conf", "kosmos-base::systemd_emails", "apt::unattended-upgrades", "kosmos-base::firewall", diff --git a/nodes/ejabberd-8.json b/nodes/ejabberd-8.json index 987dd1d..4aab853 100644 --- a/nodes/ejabberd-8.json +++ b/nodes/ejabberd-8.json @@ -37,6 +37,7 @@ "timezone_iii::debian", "ntp::default", "ntp::apparmor", + "kosmos-base::journald_conf", "kosmos-base::systemd_emails", "apt::unattended-upgrades", "kosmos-base::firewall",