Add, configure, deploy strfry policies

2024-06-11 23:12:22 +02:00 · 2024-06-11 23:12:22 +02:00 · d1301dad3e
commit d1301dad3e
parent 42c46a5645
9 changed files with 108 additions and 8 deletions
--- a/data_bags/credentials/dirsrv.json
+++ b/data_bags/credentials/dirsrv.json
@ -1,9 +1,30 @@
 {
  "id": "dirsrv",
  "admin_dn": {
    "encrypted_data": "zRtz6Scb9WtUXGyjc0xyvsre0YvqupuaFz+RPApj7DEQTmYyZPVb\n",
    "iv": "xfIXMhEBHBWqa4Dz\n",
    "auth_tag": "BcA32u1njcnCZ+yrBGSceQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "admin_password": {
-    "encrypted_data": "i71l5E129mXCcDAyME8sNMUkYUlQMgt7Eh6noyFcLNgbaMo=\n",
+    "encrypted_data": "7JpXl3JZDqKWDfYt/wuNbkbob+oRuONhkuAlpqUCCEIn+tY=\n",
-    "iv": "KNW2B8tpX7ywZwbg\n",
+    "iv": "Lcwc4NDzrfcBaIKQ\n",
-    "auth_tag": "GawQ+FSlA5v5YVyryeUxng==\n",
+    "auth_tag": "rrePS3Bhdnwbr2d/o8vMhg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "service_dn": {
    "encrypted_data": "sqRFiZreLeTPQljSfhAuV3DmsPxSC8tzWjCdu+WSSbO67sBQA+xhmGtzBhBD\nDZPGJw+jtAxzuVvPdAjxgAVgxXO6C6WEo87L1tdJewE=\n",
    "iv": "GUEGtyRJXrPhWcUs\n",
    "auth_tag": "2USsrx//3V7RCyumGCbMkg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "service_password": {
    "encrypted_data": "f2wi8B8SEt6p5G0TF3dZ72j0vMFlvwcP1suxYnshBA==\n",
    "iv": "rOnUoxbnkaJtodM+\n",
    "auth_tag": "dVLCtBVMjxLfW2D8XjJBdQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/environments/production.json
+++ b/environments/production.json
@ -105,6 +105,7 @@
    "strfry": {
      "domain": "nostr.kosmos.org",
      "real_ip_header": "x-real-ip",
      "policy_path": "/opt/strfry-policy.ts",
      "info": {
        "name": "Kosmos Relay",
        "description": "Members-only nostr relay for kosmos.org users",
--- a/roles/strfry.rb
+++ b/roles/strfry.rb
@ -1,6 +1,8 @@
 name "strfry"
 run_list %w(
  role[ldap_client]
  strfry::default
  kosmos_strfry::policies
  kosmos_strfry::firewall
 )
--- a/site-cookbooks/kosmos_kvm/attributes/default.rb
+++ b/site-cookbooks/kosmos_kvm/attributes/default.rb
@ -1,9 +1,10 @@
-ubuntu_server_cloud_image_release = "20230506"
+release = "20240514"
 img_filename = "ubuntu-22.04-server-cloudimg-amd64-disk-kvm"
 node.default["kosmos_kvm"]["host"]["qemu_base_image"] = {
-  "url" => "https://cloud-images.ubuntu.com/releases/focal/release-#{ubuntu_server_cloud_image_release}/ubuntu-20.04-server-cloudimg-amd64-disk-kvm.img",
+  "url" => "https://cloud-images.ubuntu.com/releases/jammy/release-#{release}/#{img_filename}.img",
-  "checksum" => "27d2b91fd2b715729d739e2a3155dce70d1aaae4f05c177f338b9d4b60be638c",
+  "checksum" => "2e7698b3ebd7caead06b08bd3ece241e6ce294a6db01f92ea12bcb56d6972c3f",
-  "path" => "/var/lib/libvirt/images/base/ubuntu-20.04-server-cloudimg-amd64-disk-kvm-#{ubuntu_server_cloud_image_release}.qcow2"
+  "path" => "/var/lib/libvirt/images/base/#{img_filename}-#{release}.qcow2"
 }
 # A systemd.timer OnCalendar config value
--- a/site-cookbooks/kosmos_strfry/attributes/default.rb
+++ b/site-cookbooks/kosmos_strfry/attributes/default.rb
@ -0,0 +1 @@
 node.default["strfry"]["ldap_search_dn"] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"
--- a/site-cookbooks/kosmos_strfry/metadata.rb
+++ b/site-cookbooks/kosmos_strfry/metadata.rb
@ -7,3 +7,4 @@ long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version          '0.1.0'
 depends 'kosmos_openresty'
 depends 'deno'
--- a/site-cookbooks/kosmos_strfry/recipes/policies.rb
+++ b/site-cookbooks/kosmos_strfry/recipes/policies.rb
@ -0,0 +1,62 @@
 #
 # Cookbook Name:: kosmos_strfry
 # Recipe:: policies
 #
 include_recipe "deno"
 #
 # config
 #
 ldap_credentials = Chef::EncryptedDataBagItem.load('credentials', 'dirsrv')
 env = {
  ldap_url: 'ldap://ldap.kosmos.local:389', # requires "ldap_client" role
  ldap_bind_dn: ldap_credentials["service_dn"],
  ldap_password: ldap_credentials["service_password"],
  ldap_search_dn: node["strfry"]["ldap_search_dn"]
 }
 template "/opt/.env" do
  source 'env.erb'
  owner node["strfry"]["user"]
  group node["strfry"]["group"]
  mode 0600
  sensitive true
  variables config: env
  notifies :restart, "service[strfry]", :delayed
 end
 #
 # strfry deno scripts
 #
 base_url = "https://gitea.kosmos.org/kosmos/akkounts/raw/branch/master/extras/strfry"
 remote_file "/opt/strfry-policy.ts" do
  source "#{base_url}/strfry-policy.ts"
  owner node["strfry"]["user"]
  group node["strfry"]["group"]
  mode "0755"
  notifies :restart, "service[strfry]", :delayed
 end
 remote_file "/opt/ldap-policy.ts" do
  source "#{base_url}/ldap-policy.ts"
  owner node["strfry"]["user"]
  group node["strfry"]["group"]
  mode "0644"
  notifies :restart, "service[strfry]", :delayed
 end
 remote_file "/opt/strfry-sync.ts" do
  source "#{base_url}/strfry-sync.ts"
  owner node["strfry"]["user"]
  group node["strfry"]["group"]
  mode "0644"
 end
 # service "strfry" do
 #   action :nothing
 # end
--- a/site-cookbooks/kosmos_strfry/templates/env.erb
+++ b/site-cookbooks/kosmos_strfry/templates/env.erb
@ -0,0 +1,11 @@
 <% @config.each do |key, value| %>
 <% if value.is_a?(Hash) %>
 <% value.each do |k, v| %>
 <%= "#{key.upcase}_#{k.upcase}" %>=<%= v.to_s %>
 <% end %>
 <% else %>
 <% if value %>
 <%= key.upcase %>=<%= value.to_s %>
 <% end %>
 <% end %>
 <% end %>
--- a/site-cookbooks/strfry
+++ b/site-cookbooks/strfry
@ -1 +1 @@
-Subproject commit 65b6d65527f6869fa5492b80de878fe29b50a386
+Subproject commit a4756377b480c9bcceba4867969a0c15880913dc
		`@ -0,0 +1 @@`
							`node.default["strfry"]["ldap_search_dn"] = "ou=kosmos.org,cn=users,dc=kosmos,dc=org"`
		`@ -1 +1 @@`
			`Subproject commit 65b6d65527f6869fa5492b80de878fe29b50a386`				`Subproject commit a4756377b480c9bcceba4867969a0c15880913dc`