From d1301dad3ed824e3eb7e1037c2fdd759a1c0d1d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Tue, 11 Jun 2024 23:12:22 +0200
Subject: [PATCH] Add, configure, deploy strfry policies
---
data_bags/credentials/dirsrv.json | 27 +++++++-
environments/production.json | 1 +
roles/strfry.rb | 2 +
.../kosmos_kvm/attributes/default.rb | 9 +--
.../kosmos_strfry/attributes/default.rb | 1 +
site-cookbooks/kosmos_strfry/metadata.rb | 1 +
.../kosmos_strfry/recipes/policies.rb | 62 +++++++++++++++++++
.../kosmos_strfry/templates/env.erb | 11 ++++
site-cookbooks/strfry | 2 +-
9 files changed, 108 insertions(+), 8 deletions(-)
create mode 100644 site-cookbooks/kosmos_strfry/attributes/default.rb
create mode 100644 site-cookbooks/kosmos_strfry/recipes/policies.rb
create mode 100644 site-cookbooks/kosmos_strfry/templates/env.erb
diff --git a/data_bags/credentials/dirsrv.json b/data_bags/credentials/dirsrv.json
index cf4ce41..8ab60bd 100644
--- a/data_bags/credentials/dirsrv.json
+++ b/data_bags/credentials/dirsrv.json
@@ -1,9 +1,30 @@
 {
 "id": "dirsrv",
+ "admin_dn": {
+ "encrypted_data": "zRtz6Scb9WtUXGyjc0xyvsre0YvqupuaFz+RPApj7DEQTmYyZPVb\n",
+ "iv": "xfIXMhEBHBWqa4Dz\n",
+ "auth_tag": "BcA32u1njcnCZ+yrBGSceQ==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
 "admin_password": {
- "encrypted_data": "i71l5E129mXCcDAyME8sNMUkYUlQMgt7Eh6noyFcLNgbaMo=\n",
- "iv": "KNW2B8tpX7ywZwbg\n",
- "auth_tag": "GawQ+FSlA5v5YVyryeUxng==\n",
+ "encrypted_data": "7JpXl3JZDqKWDfYt/wuNbkbob+oRuONhkuAlpqUCCEIn+tY=\n",
+ "iv": "Lcwc4NDzrfcBaIKQ\n",
+ "auth_tag": "rrePS3Bhdnwbr2d/o8vMhg==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "service_dn": {
+ "encrypted_data": "sqRFiZreLeTPQljSfhAuV3DmsPxSC8tzWjCdu+WSSbO67sBQA+xhmGtzBhBD\nDZPGJw+jtAxzuVvPdAjxgAVgxXO6C6WEo87L1tdJewE=\n",
+ "iv": "GUEGtyRJXrPhWcUs\n",
+ "auth_tag": "2USsrx//3V7RCyumGCbMkg==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "service_password": {
+ "encrypted_data": "f2wi8B8SEt6p5G0TF3dZ72j0vMFlvwcP1suxYnshBA==\n",
+ "iv": "rOnUoxbnkaJtodM+\n",
+ "auth_tag": "dVLCtBVMjxLfW2D8XjJBdQ==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 }
diff --git a/environments/production.json b/environments/production.json
index ab93492..623c265 100644
--- a/environments/production.json
+++ b/environments/production.json
@@ -105,6 +105,7 @@
 "strfry": {
 "domain": "nostr.kosmos.org",
 "real_ip_header": "x-real-ip",
+ "policy_path": "/opt/strfry-policy.ts",
 "info": {
 "name": "Kosmos Relay",
 "description": "Members-only nostr relay for kosmos.org users",
diff --git a/roles/strfry.rb b/roles/strfry.rb
index 65472d2..256dac9 100644
--- a/roles/strfry.rb
+++ b/roles/strfry.rb
@@ -1,6 +1,8 @@
 name "strfry"
 run_list %w(
+ role[ldap_client]
 strfry::default
+ kosmos_strfry::policies
 kosmos_strfry::firewall
 )
diff --git a/site-cookbooks/kosmos_kvm/attributes/default.rb b/site-cookbooks/kosmos_kvm/attributes/default.rb
index 4783c7e..25863d2 100644
--- a/site-cookbooks/kosmos_kvm/attributes/default.rb
+++ b/site-cookbooks/kosmos_kvm/attributes/default.rb
@@ -1,9 +1,10 @@
-ubuntu_server_cloud_image_release = "20230506"
+release = "20240514"
+img_filename = "ubuntu-22.04-server-cloudimg-amd64-disk-kvm"
 node.default["kosmos_kvm"]["host"]["qemu_base_image"] = {
- "url" => "https://cloud-images.ubuntu.com/releases/focal/release-#{ubuntu_server_cloud_image_release}/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img",
- "checksum" => "27d2b91fd2b715729d739e2a3155dce70d1aaae4f05c177f338b9d4b60be638c",
- "path" => "/var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm-#{ubuntu_server_cloud_image_release}.qcow2"
+ "url" => "https://cloud-images.ubuntu.com/releases/jammy/release-#{release}/#{img_filename}.img",
+ "checksum" => "2e7698b3ebd7caead06b08bd3ece241e6ce294a6db01f92ea12bcb56d6972c3f",
+ "path" => "/var/lib/libvirt/images/base/#{img_filename}-#{release}.qcow2"
 }
 # A systemd.timer OnCalendar config value
diff --git a/site-cookbooks/kosmos_strfry/attributes/default.rb b/site-cookbooks/kosmos_strfry/attributes/default.rb
new file mode 100644
index 0000000..e794f13
--- /dev/null
+++ b/site-cookbooks/kosmos_strfry/attributes/default.rb
@@ -0,0 +1 @@
+node.default["strfry"]["ldap_search_dn"] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
diff --git a/site-cookbooks/kosmos_strfry/metadata.rb b/site-cookbooks/kosmos_strfry/metadata.rb
index 8498c01..c1be761 100644
--- a/site-cookbooks/kosmos_strfry/metadata.rb
+++ b/site-cookbooks/kosmos_strfry/metadata.rb
@@ -7,3 +7,4 @@ long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version '0.1.0'
 depends 'kosmos_openresty'
+depends 'deno'
diff --git a/site-cookbooks/kosmos_strfry/recipes/policies.rb b/site-cookbooks/kosmos_strfry/recipes/policies.rb
new file mode 100644
index 0000000..cb4d9ec
--- /dev/null
+++ b/site-cookbooks/kosmos_strfry/recipes/policies.rb
@@ -0,0 +1,62 @@
+#
+# Cookbook Name:: kosmos_strfry
+# Recipe:: policies
+#
+
+include_recipe "deno"
+
+#
+# config
+#
+
+ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv')
+
+env = {
+ ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role
+ ldap_bind_dn: ldap_credentials["service_dn"],
+ ldap_password: ldap_credentials["service_password"],
+ ldap_search_dn: node["strfry"]["ldap_search_dn"]
+}
+
+template "/opt/.env" do
+ source 'env.erb'
+ owner node["strfry"]["user"]
+ group node["strfry"]["group"]
+ mode 0600
+ sensitive true
+ variables config: env
+ notifies :restart, "service[strfry]", :delayed
+end
+
+#
+# strfry deno scripts
+#
+
+base_url = "https://gitea.kosmos.org/kosmos/akkounts/raw/branch/master/extras/strfry"
+
+remote_file "/opt/strfry-policy.ts" do
+ source "#{base_url}/strfry-policy.ts"
+ owner node["strfry"]["user"]
+ group node["strfry"]["group"]
+ mode "0755"
+ notifies :restart, "service[strfry]", :delayed
+end
+
+remote_file "/opt/ldap-policy.ts" do
+ source "#{base_url}/ldap-policy.ts"
+ owner node["strfry"]["user"]
+ group node["strfry"]["group"]
+ mode "0644"
+ notifies :restart, "service[strfry]", :delayed
+end
+
+remote_file "/opt/strfry-sync.ts" do
+ source "#{base_url}/strfry-sync.ts"
+ owner node["strfry"]["user"]
+ group node["strfry"]["group"]
+ mode "0644"
+end
+
+# service "strfry" do
+# action :nothing
+# end
diff --git a/site-cookbooks/kosmos_strfry/templates/env.erb b/site-cookbooks/kosmos_strfry/templates/env.erb
new file mode 100644
index 0000000..4b1faa5
--- /dev/null
+++ b/site-cookbooks/kosmos_strfry/templates/env.erb
@@ -0,0 +1,11 @@
+<% @config.each do |key, value| %>
+<% if value.is_a?(Hash) %>
+<% value.each do |k, v| %>
+<%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
+<% end %>
+<% else %>
+<% if value %>
+<%= key.upcase %>=<%= value.to_s %>
+<% end %>
+<% end %>
+<% end %>
diff --git a/site-cookbooks/strfry b/site-cookbooks/strfry
index 65b6d65..a475637 160000
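Review bot: The three `remote_file` resources fetch the policy scripts from `raw/branch/master` with no `checksum`, so whatever is on that branch at converge time becomes the code the relay runs as its policy plugin (`/opt/strfry-policy.ts` is installed `0755` and is the `policy_path` set in production.json), and a change on that branch or a tampered response would be deployed on the next Chef run without verification. Pin `base_url` to an immutable ref (a commit or tag instead of `master`) and give each resource a `checksum`, e.g. `checksum "<sha256 of the pinned strfry-policy.ts>"`, so the download fails closed when the content differs and is skipped when the local file already matches. Separately, `ldap_url` is `ldap://ldap.kosmos.local:389`, so the service bind password written to `/opt/.env` travels to the directory in cleartext unless the Deno client negotiates STARTTLS or the link is otherwise protected; that depends on the policy script, which is not in this diff, so worth confirming and switching to `ldaps://` if it is not. The `mode` style is also mixed (`mode 0600` on the template, `mode "0755"` on the remote_files), and the commented-out `service "strfry"` block at the end should either be removed or replaced by a comment stating where the notified `service[strfry]` is defined (presumably `strfry::default`).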
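Review bot: `<%= key.upcase %>=<%= value.to_s %>` writes every value unquoted and unescaped, and the values here include the LDAP service password from the encrypted data bag, so a password containing a space, `#`, `"` or `$` may be truncated or altered depending on how the consumer parses the `.env` file. Either quote the value, e.g. `<%= key.upcase %>="<%= value.to_s.gsub('"', '\"') %>"` (matching whatever quoting the Deno side supports), or add a comment at the top of the template stating that values are written verbatim and must not contain such characters. The `<% if value %>` branch also silently omits keys whose value is `nil` or `false`, which is fine for optional settings but means a missing credential produces no line rather than an error; a comment such as `# nil/false values are omitted; required keys must be checked by the recipe` would make that intent explicit.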
--- a/site-cookbooks/strfry
+++ b/site-cookbooks/strfry
@@ -1 +1 @@
-Subproject commit 65b6d65527f6869fa5492b80de878fe29b50a386
+Subproject commit a4756377b480c9bcceba4867969a0c15880913dc