From 797dd241e0fec20ec304ac4e661580435a038955 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Mon, 3 Apr 2023 15:23:46 +0200
Subject: [PATCH] Improve ejabberd HTTP API configs and access
Move the listener to a separate endpoint on port 80, which is only accessible from the private network. Change accounts.kosmos.org to use the new endpoint via a `.local` domain instead of faking external access.
---
site-cookbooks/kosmos-akkounts/recipes/default.rb | 4 ++--
site-cookbooks/kosmos-ejabberd/recipes/default.rb | 8 ++++++++
.../kosmos-ejabberd/templates/ejabberd.yml.erb | 9 ++++++++-
3 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/site-cookbooks/kosmos-akkounts/recipes/default.rb b/site-cookbooks/kosmos-akkounts/recipes/default.rb
index 10290cc..cc5eada 100644
--- a/site-cookbooks/kosmos-akkounts/recipes/default.rb
+++ b/site-cookbooks/kosmos-akkounts/recipes/default.rb
@@ -84,7 +84,7 @@ end
 ejabberd_private_ip_addresses.each do |ip_address|
 IPAddr.new ip_address
 hostsfile_entry ip_address do
- hostname 'xmpp.kosmos.org'
+ hostname 'xmpp.kosmos.local'
 action :create
 end
 rescue IPAddr::InvalidAddressError
@@ -93,7 +93,7 @@ rescue IPAddr::InvalidAddressError
 end
 if ejabberd_private_ip_addresses.size > 0
- env[:ejabberd_api_url] = 'https://xmpp.kosmos.org:5443/api'
+ env[:ejabberd_api_url] = "http://xmpp.kosmos.local/api"
 end
 systemd_unit "akkounts.service" do
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
index 927e563..d4a4ab7 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
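Review bot: The `+` line switches `ejabberd_api_url` from HTTPS on 5443 to plain `http://`, so whatever credential akkounts presents to mod_http_api (its auth scheme is not visible here) now crosses the wire unencrypted, and nothing in this recipe records that this is only acceptable on the private network. A comment on that line would keep the next maintainer from pointing it at a routable address: `# Plaintext on purpose: the listener is bound to the private interface and firewalled to the private subnet; never set this to a public host.` Separately, `.local` is the mDNS domain reserved by RFC 6762, so this name only resolves through the hosts entry while `files` precedes `mdns` in nsswitch.conf; a name under a domain you control (e.g. `xmpp.internal.kosmos.org`) avoids that dependency. The enclosing `if` is complete within the hunk.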
@@ -186,6 +186,7 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
 stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
 turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
 turn_max_port: node["kosmos-ejabberd"]["turn_max_port"],
+ private_ip_address: node["knife_zero"]["host"],
 akkounts_ip_addresses: akkounts_ip_addresses
 notifies :reload, "service[ejabberd]", :delayed
 end
@@ -198,6 +199,13 @@ unless node.chef_environment == "development"
 include_recipe "kosmos-ejabberd::firewall"
 end
+firewall_rule 'ejabberd_http' do
+ port [80]
+ source "10.1.1.0/24"
+ protocol :tcp
+ command :allow
+end
+
 #
 # Tor hidden service
 #
diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
index 4d8cb70..9e2a662 100644
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
@@ -61,6 +61,14 @@ listen:
 use_proxy_protocol: true
 max_stanza_size: 131072
 shaper: s2s_shaper
+ -
+ port: 80
+ ip: "<%= @private_ip_address %>"
+ module: ejabberd_http
+ request_handlers:
+ "/api": mod_http_api
+ tls: false
+ captcha: false
 -
 port: 5443
 ip: "::"
@@ -69,7 +77,6 @@ listen:
 request_handlers:
 "/ws": ejabberd_http_ws
 "/bosh": mod_bosh
- "/api": mod_http_api
 "/upload": mod_http_upload
 "/admin": ejabberd_web_admin
 custom_headers:
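Review bot: `node["knife_zero"]["host"]` on the added line is the address knife-zero used to reach the node, and nothing here guarantees that is the private-network interface; if it is the public address, the plaintext API listener in the template binds there and only the firewall stands between mod_http_api and the internet. The akkounts side resolves the peer from `ejabberd_private_ip_addresses`, so the matching private address of this node (however the cookbook derives it) would be the consistent source. Short of that, a comment at the call site should pin the assumption: `private_ip_address: node["knife_zero"]["host"], # must be the private 10.1.1.0/24 address: the plaintext HTTP API listener binds to it`. The `template` resource starts before this hunk.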
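Review bot: `source "10.1.1.0/24"` admits every host on the private subnet to the plaintext API, while the recipe already knows the exact callers — `akkounts_ip_addresses` is passed to the template a few lines up — so the rule should allow just those addresses. The rule is also placed after, not inside, the `unless node.chef_environment == "development"` guard, so it is applied in development where the firewall recipe itself is skipped; if that is unintended, move it into the block. Proposed replacement for the added lines, assuming `akkounts_ip_addresses` is an array of IP strings as its use in the template suggests:
```ruby
# … unchanged: chef_environment-guarded firewall include …

# Only the akkounts hosts talk to the plaintext HTTP API; do not open it to the whole /24.
akkounts_ip_addresses.each do |ip_address|
  firewall_rule "ejabberd_http_#{ip_address}" do
    port [80]
    source ip_address
    protocol :tcp
    command :allow
  end
end
```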
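Review bot: The new listener takes port 80, a privileged port; if the ejabberd service runs as an unprivileged user (the unit is not in this diff) the bind fails unless the process holds CAP_NET_BIND_SERVICE, and 80 also invites confusion with a web server on the same host. A port above 1024 such as ejabberd's conventional `port: 5280` sidesteps both, with the firewall rule and `ejabberd_api_url` adjusted to match. Transport aside, mod_http_api authorization is still governed by the `api_permissions` section of this config (not in the hunk); limiting its `who:` to the akkounts addresses gives a second layer should the firewall ever be misapplied. A header comment above the new entry would also help operators: `# Internal-only HTTP API, plaintext: bound to the private interface and reachable only from the private subnet via the firewall rule in the ejabberd recipe.`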