Configure/deploy HTTP upload service on uploads.kosmos.chat

https://xmpp.org/extensions/xep-0363.html

(Does not contain the config for ejabberd itself yet.)

site-cookbooks/kosmos-ejabberd/attributes/default.rb

@@ -10,3 +10,12 @@ node.override["tor"]["HiddenServices"]["ejabberd"] = {
     "5269 127.0.0.1:5269"
   ]
 }
+
+node.default["kosmos-ejabberd"]["uploads"] = {
+  "domain" => "uploads.kosmos.chat",
+  "max_upload_size_mb" => "100",
+  "upload.pm" => {
+    "repo" => "https://gitea.kosmos.org/kosmos/ngx_http_upload.git",
+    "revision" => "0.2"
+  }
+}

site-cookbooks/kosmos-ejabberd/metadata.rb

@@ -19,8 +19,9 @@ chef_version '>= 12.14' if respond_to?(:chef_version)
 #
 # source_url 'https://github.com/<insert_org_here>/kosmos-ejabberd'
 
-depends "kosmos-postgresql"
 depends "kosmos-base"
+depends "kosmos-postgresql"
+depends "kosmos-nginx"
 depends "backup"
 depends "firewall"
 depends "tor-full"

site-cookbooks/kosmos-ejabberd/recipes/upload_service.rb

@@ -0,0 +1,60 @@
+#
+# Cookbook:: kosmos-ejabberd
+# Recipe:: upload_service
+#
+
+include_recipe "kosmos-nginx::with_perl"
+
+ejabberd_credentials = data_bag_item("credentials", "ejabberd")
+uploads_secret = ejabberd_credentials["uploads_secret"]
+
+upload_config = node["kosmos-ejabberd"]["uploads"]
+domain = upload_config["domain"]
+
+git "/opt/upload.pm" do
+  repository upload_config["upload.pm"]["repo"]
+  revision upload_config["upload.pm"]["revision"]
+  action :sync
+end
+
+directory "/var/www/upload" do
+  user node["nginx"]["user"]
+  group node["nginx"]["group"]
+  mode "0640"
+end
+
+ruby_block "configure uploads secret" do
+  block do
+    file = Chef::Util::FileEdit.new("/opt/upload.pm/upload.pm")
+    file.search_file_replace(%r{it-is-secret}, uploads_secret)
+    file.write_file
+  end
+end
+
+ruby_block "configure perl module in nginx" do
+  block do
+    file = Chef::Util::FileEdit.new("/etc/nginx/nginx.conf")
+    file.insert_line_after_match(
+      %r{types_hash_bucket_size},
+      "\n\n  perl_modules /opt/upload.pm;\n  perl_require upload.pm;"
+    )
+    file.write_file
+  end
+end
+
+template "#{node["nginx"]["dir"]}/sites-available/#{domain}" do
+  source "nginx_conf_upload_service.erb"
+  owner node["nginx"]["user"]
+  mode 0640
+  variables server_name: domain,
+            ssl_cert:    "/etc/letsencrypt/live/#{domain}/fullchain.pem",
+            ssl_key:     "/etc/letsencrypt/live/#{domain}/privkey.pem",
+            max_upload_size_mb: upload_config["max_upload_size_mb"]
+  notifies :reload, "service[nginx]", :delayed
+end
+
+nginx_site domain do
+  action :enable
+end
+
+nginx_certbot_site domain

site-cookbooks/kosmos-ejabberd/templates/nginx_conf_upload_service.erb

@@ -0,0 +1,19 @@
+<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+# Generated by Chef
+
+server {
+  listen 443 ssl http2;
+  server_name <%= @server_name %>;
+
+  ssl_certificate     <%= @ssl_cert %>;
+  ssl_certificate_key <%= @ssl_key %>;
+
+  root /var/www/upload;
+
+  client_max_body_size <%= @max_upload_size_mb %>m;
+
+  location / {
+    perl upload::handle;
+  }
+}
+<% end -%>

site-cookbooks/kosmos-nginx/recipes/with_perl.rb

@@ -0,0 +1,33 @@
+node.override['nginx']['default_site_enabled'] = false
+node.override['nginx']['server_tokens']        = 'off'
+
+node.override['nginx']['package_name'] = 'nginx-core'
+include_recipe 'nginx'
+
+package 'libnginx-mod-http-perl'
+
+# Generate Strong Diffie-Hellman Group (increases security)
+# https://weakdh.org/sysadmin.html
+openssl_dhparam "/etc/ssl/private/dhparams.pem" do
+  key_length 2048
+  mode 0600
+  owner 'www-data'
+end
+
+cookbook_file "#{node['nginx']['dir']}/conf.d/tls_config.conf" do
+  source 'nginx_tls_config.conf'
+  owner  'root'
+  group  'root'
+  mode   '0644'
+  notifies :restart, 'service[nginx]'
+end
+
+unless node.chef_environment == "development"
+  include_recipe 'kosmos-base::firewall'
+
+  firewall_rule 'http/https' do
+    port     [80, 443]
+    protocol :tcp
+    command  :allow
+  end
+end