diff --git a/data_bags/credentials/ejabberd.json b/data_bags/credentials/ejabberd.json
index ef6155a..bda5a71 100644
--- a/data_bags/credentials/ejabberd.json
+++ b/data_bags/credentials/ejabberd.json
@@ -1,16 +1,23 @@
 {
 "id": "ejabberd",
 "5apps_ldap_password": {
- "encrypted_data": "LRafA47WMyuQe5KA4oOc6i/pTflwpG8Gq8v7cvsTr51XwJD62i9L\n",
- "iv": "CSvV2mbofDQP4T42\n",
- "auth_tag": "PERdYnrFKGs+HaPBD6Um+A==\n",
+ "encrypted_data": "mfV9TyC4OM055JnyV73mq4qY840pH1tZC9LnIaA3A80CY2kVteC4\n",
+ "iv": "gpEC3IK9BN9RkaYz\n",
+ "auth_tag": "WXYWOjUCgEw5OR5VMh+Enw==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "kosmos_ldap_password": {
+ "encrypted_data": "Q9znUOIIXU+XsPWet4rDCjHsPPxlA3EfNTkEER/EdfoCajd1Txuh\n",
+ "iv": "7SAOAwSU8rZGopB1\n",
+ "auth_tag": "X8yIyw2BFbQMAVTMYLA67g==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "admins": {
- "encrypted_data": "D1fEa5S7ADU4tornw/FdcDifE6CzqM6TrLliWYxQ1AxwAuewdh0G2OfgjKOt\nvvibgIEMkr83FkX4La2wOjW8X6/DpBiyeys9RznVD4s0jmSaCG7qGHask3+R\nFLRl0gcYFCPkQopIAYihjnwvm9t1MwPXPF9c7B7rN5W2VvctQ9OEN3MgboHl\n",
- "iv": "IgodYNr3muNTfkhX\n",
- "auth_tag": "OJ42GSFtEp/KCxSIGhdbVg==\n",
+ "encrypted_data": "xKtiBOgn4ysJt4byry31cVJUHEsatWDwHEzEve/N5NxTOh1f4QBD+Q68IYzv\nV0ulBjtW91yFcQqKNx/prAVcK3khbnsEzg8uoub9o6hSMwp16LL5x/u6T6u2\n5DwWBEy08yuaujkko57ir0Yv7mfRedT1i5SaH9pgg5VLm56G/PXrlPFfjwaU\n",
+ "iv": "fpL3EA1VbXxxi+yq\n",
+ "auth_tag": "iJMJAmw5gHWLFJM5kdzR9A==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 }
diff --git a/data_bags/credentials/mediawiki.json b/data_bags/credentials/mediawiki.json
index 87ef8a9..94fafcf 100644
--- a/data_bags/credentials/mediawiki.json
+++ b/data_bags/credentials/mediawiki.json
@@ -1,15 +1,31 @@
 {
 "id": "mediawiki",
 "antispam_key": {
- "encrypted_data": "0geoVeZ/umKaBCbhDfxkacWt4sWQBHrRxYGTSsaC5gw=\n",
- "iv": "YxwNvI3HXeMZRHFpv+QLcQ==\n",
- "version": 1,
- "cipher": "aes-256-cbc"
+ "encrypted_data": "OD5RrVaQoUFbGV1Xs6i3hqZ024IJsbOC4CAWzrw5jQ==\n",
+ "iv": "8sfvTg7uGe1ofS2C\n",
+ "auth_tag": "hquilck+xxOQqHjE+szPgA==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
 },
 "db_pass": {
- "encrypted_data": "aQ1soJeRPq9TQuDglkXrl10rIx5RpBNd5HltKVsYgLHedS5zXy8ylBhNdgBW\nb6slPhsbAB9d45aZAac7LUSbMIDIg8P+Zdx/0+IaEuwcpuQ=\n",
- "iv": "RDS39dqjBPO0CyyANsa+2g==\n",
- "version": 1,
- "cipher": "aes-256-cbc"
+ "encrypted_data": "2IntmJdBmfGyHghAXDJnaew58u9dvjKCz/q1Uivs8Q+nH3wVqARkf52BIHhZ\nbIHY3cy50EwcKTxDcr1arQFmb88cKBxt\n",
+ "iv": "pkCrp07s4LJfaPmq\n",
+ "auth_tag": "yBsriBc/X2bP6v25NY3cSg==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "ldap_user": {
+ "encrypted_data": "l/Q63Mvm/tANfvZ+1ijjTB1lpirOhAjWDz4k+R1OkzYIXQNwo6VM2saTH2eu\nBNHFLTyUSMqzlAcq6OvH++En05wk\n",
+ "iv": "y+n/Lo8t6O3Ab4/+\n",
+ "auth_tag": "7eHYjF8A0T611Y+JT1GeJg==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "ldap_password": {
+ "encrypted_data": "+qYb9F/f9QRRCTsMoRIyWWVQyCSLcQRHSPWD2Nf7z7Kauywh1zIg\n",
+ "iv": "sivNzq6G+mScbRnn\n",
+ "auth_tag": "ybUpDlIOJm0bsqlY5qt1xA==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
 }
 }
\ No newline at end of file
diff --git a/site-cookbooks/kosmos-ejabberd/metadata.rb b/site-cookbooks/kosmos-ejabberd/metadata.rb
index 7085d35..5e56bce 100644
--- a/site-cookbooks/kosmos-ejabberd/metadata.rb
+++ b/site-cookbooks/kosmos-ejabberd/metadata.rb
@@ -4,7 +4,7 @@ maintainer_email 'ops@kosmos.org'
 license 'MIT'
 description 'Installs/Configures kosmos-ejabberd'
 long_description 'Installs/Configures kosmos-ejabberd'
-version '0.1.2'
+version '0.2.0'
 chef_version '>= 12.14' if respond_to?(:chef_version)
 # The `issues_url` points to the location where issues for this cookbook are
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
index a120062..25e30c5 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@@ -61,7 +61,8 @@ hosts = [
 {
 name: "kosmos.org",
 sql_database: "ejabberd",
- ldap_enabled: false,
+ ldap_enabled: true,
+ ldap_password: ejabberd_credentials['kosmos_ldap_password'],
 append_host_config: <<-EOF
 modules:
 mod_muc:
@@ -134,6 +135,7 @@ hosts.each do |host|
 ldap_base: ldap_base,
 ldap_server: ldap_domain,
 ldap_encryption_type: ldap_encryption_type
+ notifies :run, "execute[ejabberdctl reload_config]", :delayed
 end
 end
diff --git a/site-cookbooks/kosmos-mediawiki/metadata.rb b/site-cookbooks/kosmos-mediawiki/metadata.rb
index 1f903bc..13c3cae 100644
--- a/site-cookbooks/kosmos-mediawiki/metadata.rb
+++ b/site-cookbooks/kosmos-mediawiki/metadata.rb
@@ -4,7 +4,7 @@ maintainer_email 'mail@kosmos.org'
 license 'MIT'
 description 'Installs/Configures kosmos-mediawiki'
 long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
-version '0.2.1'
+version '0.3.0'
 depends "mediawiki"
 depends "ark"
diff --git a/site-cookbooks/kosmos-mediawiki/recipes/default.rb b/site-cookbooks/kosmos-mediawiki/recipes/default.rb
index 950c7b7..59c1df5 100644
--- a/site-cookbooks/kosmos-mediawiki/recipes/default.rb
+++ b/site-cookbooks/kosmos-mediawiki/recipes/default.rb
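Review bot: `ldap_password: ejabberd_credentials['kosmos_ldap_password']` on the kosmos.org host entry silently evaluates to nil if the key is missing from the data bag item or the item did not decrypt as expected, and nothing downstream in this hunk would turn that into an error, so the host config would most likely be rendered with an empty bind password. Since a missing key is always a deployment mistake, fail fast at the lookup: `ldap_password: ejabberd_credentials['kosmos_ldap_password'] || raise('credentials/ejabberd is missing kosmos_ldap_password'),`. `ejabberd_credentials` is assigned above the hunk, so how it is loaded is not visible here, and the `hosts` literal continues past the hunk.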
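Review bot: The new `notifies :run, "execute[ejabberdctl reload_config]", :delayed` line names a resource that is not declared anywhere in this hunk; if `execute[ejabberdctl reload_config]` does not exist elsewhere in the recipe the run fails when the notification target is resolved, and if it exists without `action :nothing` the reload runs on every converge and then again at the end of it. Both are worth confirming, and the intent deserves a one-line comment above it, e.g. `# pick up the changed LDAP bind settings without a full restart`. The resource receiving the notification starts before the hunk, so its type and name are not visible here.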
@@ -39,8 +39,8 @@ node.override['mediawiki']['server_name'] = server_name
 node.override['mediawiki']['site_name'] = 'Kosmos Wiki'
 protocol = node.chef_environment == "development" ? "http" : "https"
 node.override['mediawiki']['server'] = "#{protocol}://#{server_name}"
-mysql_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mysql')
-mediawiki_credentials = Chef::EncryptedDataBagItem.load('credentials', 'mediawiki')
+mysql_credentials = data_bag_item('credentials', 'mysql')
+mediawiki_credentials = data_bag_item('credentials', 'mediawiki')
 node.override['mediawiki']['db']['root_password'] = mysql_credentials["root_password"]
 node.override['mediawiki']['db']['pass'] = mediawiki_credentials["db_pass"]
@@ -167,15 +167,6 @@ if node["mediawiki"]["ldap_enabled"]
 action :dump
 end
- ark "LDAPAuthorization" do
- url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthorization-REL1_31-118f0eb.tar.gz"
- path "#{node['mediawiki']['webdir']}/extensions"
- owner node["nginx"]["user"]
- group node["nginx"]["group"]
- mode 0750
- action :dump
- end
-
 ark "LDAPAuthentication2" do
 url "https://extdist.wmflabs.org/dist/extensions/LDAPAuthentication2-REL1_31-8bd6bc8.tar.gz"
 path "#{node['mediawiki']['webdir']}/extensions"
@@ -187,10 +178,9 @@ if node["mediawiki"]["ldap_enabled"]
 package "php-ldap"
- ldap_credentials = data_bag_item("credentials", "dirsrv")
 ldap_domain = node['kosmos-dirsrv']['master_hostname']
 ldap_encryption_type = node.chef_environment == "development" ? "clear" : "tls"
- ldap_base = "ou=users,dc=kosmos,dc=org"
+ ldap_base = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
 end
 ruby_block "configuration" do
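Review bot: The new `ldap_base = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"` is now the only thing that decides who can log in to the wiki: it feeds `basedn`, `groupbasedn` and `userbasedn` alike in the generated config, and with the LDAPAuthorization extension and its `wiki => enabled` rule removed in the later hunks, any account under that subtree that can bind becomes a wiki user. If that widening is intended it deserves a comment on the line, e.g. `# Everything under this subtree can log in; the per-user "wiki" attribute gate is gone.`, and if not, an equivalent authorization rule should be reinstated. Dropping `ldap_credentials` and with it the directory manager password from this recipe is the right move. The enclosing `if node["mediawiki"]["ldap_enabled"]` block starts before the hunk.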
@@ -260,8 +250,8 @@ $LDAPProviderDomainConfigProvider = function()
 "connection" => [
 "server" => "#{ldap_domain}",
 "enctype" => "#{ldap_encryption_type}",
- "user" => "cn=Directory Manager",
- "pass" => "#{ldap_credentials['admin_password']}",
+ "user" => "#{mediawiki_credentials['ldap_user']}",
+ "pass" => "#{mediawiki_credentials['ldap_password']}",
 "basedn" => "#{ldap_base}",
 "groupbasedn" => "#{ldap_base}",
 "userbasedn" => "#{ldap_base}",
@@ -270,13 +260,6 @@ $LDAPProviderDomainConfigProvider = function()
 "usernameattribute" => "uid",
 "realnameattribute" => "cn",
 "emailattribute" => "mail"
- ],
- "authorization" => [
- "rules" => [
- "attributes" => [
- "wiki" => "enabled"
- ]
- ]
 ]
 ]
 ];
@@ -288,7 +271,6 @@ $LDAPProviderDomainConfigProvider = function()
 $wgPluggableAuth_ButtonLabel = 'Log in';
 wfLoadExtension( 'LDAPProvider' );
 wfLoadExtension( 'PluggableAuth' );
-wfLoadExtension( 'LDAPAuthorization' );
 wfLoadExtension( 'LDAPAuthentication2' );
 # Disable account creation page, since this is not possible to create an account
 # when only LDAP login is enabled
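Review bot: `"pass" => "#{mediawiki_credentials['ldap_password']}"` and the `"user"` line above it interpolate the data-bag values straight into a PHP double-quoted string, so a bind password containing `$`, `"` or a backslash sequence such as `\n` is interpreted by PHP when the settings file loads (a `$` starts variable interpolation, a `"` breaks the file), and the bind then fails with a misleading credential error. Emit both as PHP single-quoted literals with only `\` and `'` escaped, e.g. `"user" => '#{mediawiki_credentials['ldap_user'].gsub(/[\\']/) { |c| "\\#{c}" }}',` and the same for `"pass"`. The old Directory Manager line had the same weakness, but these values are new and come from a data bag whose content is not constrained anywhere here; the surrounding heredoc and the `$LDAPProviderDomainConfigProvider` closure start and end outside the hunk.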