From 49d01991fd1e1e6ddd8803ed5f15db5488755626 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Wed, 12 Feb 2020 17:40:38 +0100 Subject: [PATCH 1/6] Enable LDAP on the XMPP 5apps.com vhost Refactor the ejabberd config file to remove hardcoded values about the vhosts Refs #123 --- data_bags/credentials/ejabberd.json | 10 ++ .../kosmos-ejabberd/recipes/default.rb | 99 +++++++++++++++---- .../templates/ejabberd.yml.erb | 95 ++++++------------ 3 files changed, 119 insertions(+), 85 deletions(-) create mode 100644 data_bags/credentials/ejabberd.json diff --git a/data_bags/credentials/ejabberd.json b/data_bags/credentials/ejabberd.json new file mode 100644 index 0000000..447c397 --- /dev/null +++ b/data_bags/credentials/ejabberd.json @@ -0,0 +1,10 @@ +{ + "id": "ejabberd", + "5apps_ldap_password": { + "encrypted_data": "NjlYL0mMpXmLP2pk1ZSo5mWt+qosx7eh7+duoPc57avQGwPJ6Vxb\n", + "iv": "q/py5XYCEXARUEA9\n", + "auth_tag": "4xoSjTjLYNzuLvoksf3Thw==\n", + "version": 3, + "cipher": "aes-256-gcm" + } +} \ No newline at end of file diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index 5d4e282..2b2f47e 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb @@ -26,6 +26,8 @@ include_recipe "kosmos-postgresql" +ejabberd_credentials = data_bag_item("credentials", "ejabberd") + cookbook_file "#{Chef::Config[:file_cache_path]}/pg.sql" do source "pg.sql" mode "0664" 
@@ -55,35 +57,90 @@ postgresql_user 'ejabberd' do password postgresql_data_bag_item['ejabberd_user_password'] end -postgresql_database 'ejabberd' do - owner 'ejabberd' - action :create - notifies :run, "execute[create db schema ejabberd]", :delayed +hosts = [ + { + name: "kosmos.org", + sql_database: "ejabberd", + ldap_enabled: false, + append_host_config: <<-EOF +modules: + mod_muc: + host: "kosmos.chat" + access: + - allow + access_admin: + - allow: admin + access_create: muc_create + access_persistent: muc_create + max_user_conferences: 1000 + default_room_options: + mam: true + EOF + }, + { + name: "5apps.com", + sql_database: "ejabberd_5apps", + ldap_enabled: true, + ldap_password: ejabberd_credentials['5apps_ldap_password'], + append_host_config: <<-EOF +modules: + mod_muc: + host: "muc.@HOST@" + access: + - allow: local + access_admin: + - allow: admin + access_create: muc_create + access_persistent: muc_create + max_user_conferences: 1000 + default_room_options: + anonymous: false + public: true + members_only: true + public_list: false + persistent: true + mam: true + EOF + } +] + +hosts.each do |host| + postgresql_database host[:sql_database] do + owner 'ejabberd' + action :create + notifies :run, "execute[create db schema #{host[:sql_database]}]", :delayed + end + + execute "create db schema #{host[:sql_database]}" do + user "ejabberd" + command "psql #{host[:sql_database]}} < #{Chef::Config[:file_cache_path]}/pg.sql" + action :nothing + end end -postgresql_database 'ejabberd_5apps' do - owner 'ejabberd' - action :create - notifies :run, "execute[create db schema ejabberd_5apps]", :delayed -end +ldap_domain = node['kosmos-dirsrv']['master_hostname'] +ldap_encryption_type = node.chef_environment == "development" ? 
"none" : "tls" +ldap_base = "cn=users,dc=kosmos,dc=org" -execute "create db schema ejabberd" do - user "ejabberd" - command "psql ejabberd < #{Chef::Config[:file_cache_path]}/pg.sql" - action :nothing -end - -execute "create db schema ejabberd_5apps" do - user "ejabberd" - command "psql ejabberd_5apps < #{Chef::Config[:file_cache_path]}/pg.sql" - action :nothing -end +admin_users = [ + "greg@5apps.com", + "sebastian@5apps.com", + "garret@5apps.com", + "raucao@kosmos.org", + "greg@kosmos.org", + "galfert@kosmos.org" +] template "/opt/ejabberd/conf/ejabberd.yml" do source "ejabberd.yml.erb" mode 0640 sensitive true - variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password'] + variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password'], + hosts: hosts, + ldap_base: ldap_base, + ldap_server: ldap_domain, + ldap_encryption_type: ldap_encryption_type, + admin_users: admin_users notifies :run, "execute[ejabberdctl reload_config]", :delayed end diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb index 7f66eaf..5b069d5 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb 
@@ -7,36 +7,38 @@ log_rotate_count: 1 log_rate_limit: 100 hosts: - - "kosmos.org" - - "5apps.com" +<% @hosts.each do |host| -%> + - "<%= host[:name] %>" +<% end -%> host_config: - "kosmos.org": +<% @hosts.each do |host| -%> + "<%= host[:name] %>": sql_type: pgsql sql_server: "localhost" - sql_database: "ejabberd" - sql_username: "ejabberd" - sql_password: "<%= @pgsql_password %>" - "5apps.com": - sql_type: pgsql - sql_server: "localhost" - sql_database: "ejabberd_5apps" + sql_database: "<%= host[:sql_database] %>" sql_username: "ejabberd" sql_password: "<%= @pgsql_password %>" + <% if host[:ldap_enabled] -%> + auth_method: ldap + ldap_servers: ["<%= @ldap_server %>"] + ldap_rootdn: "cn=xmpp,ou=<%= host[:name] %>,<%= @ldap_base %>" + ldap_password: "<%= host[:ldap_password] %>" + ldap_encrypt: <%= @ldap_encryption_type %> + ldap_base: "ou=<%= host[:name] %>,<%= @ldap_base %>" + ldap_filter: "(nsRole=cn=xmpp_role,ou=<%= host[:name] %>,<%= @ldap_base %>)" + <% end -%> +<% end -%> -<% if (File.exist?("/opt/ejabberd/conf/kosmos.org.crt") && File.exist?("/opt/ejabberd/conf/kosmos.org.key")) || - (File.exist?("/opt/ejabberd/conf/5apps.com.crt") && File.exist?("/opt/ejabberd/conf/5apps.com.key")) -%> +<% if @hosts.any? 
{ |host| File.exist?("/opt/ejabberd/conf/#{host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{host[:name]}.key") } -%> certfiles: -<% if File.exist?("/opt/ejabberd/conf/kosmos.org.crt") && File.exist?("/opt/ejabberd/conf/kosmos.org.key") -%> - - "/opt/ejabberd/conf/kosmos.org.crt" - - "/opt/ejabberd/conf/kosmos.org.key" -<% end -%> -<% if File.exist?("/opt/ejabberd/conf/5apps.com.crt") && File.exist?("/opt/ejabberd/conf/5apps.com.key") -%> - - "/opt/ejabberd/conf/5apps.com.crt" - - "/opt/ejabberd/conf/5apps.com.key" +<% @hosts.each do |host| -%> + <% if File.exist?("/opt/ejabberd/conf/#{host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{host[:name]}.key") -%> + - "/opt/ejabberd/conf/<%= host[:name] %>.crt" + - "/opt/ejabberd/conf/<%= host[:name] %>.key" + <% end -%> <% end -%> <% end -%> - ca_file: "/opt/ejabberd/conf/cacert.pem" define_macro: @@ -113,12 +115,9 @@ max_fsm_queue: 10000 acl: admin: user: - - "greg@5apps.com" - - "sebastian@5apps.com" - - "garret@5apps.com" - - "raucao@kosmos.org" - - "greg@kosmos.org" - - "galfert@kosmos.org" + <% @admin_users.each do |admin| -%> + - "<%= admin %>" + <% end -%> local: user_regexp: "" @@ -232,14 +231,9 @@ modules: - "pep" # pep requires mod_caps mod_push: {} mod_push_keepalive: {} + # Allow existing accounts to change their password mod_register: - welcome_message: - subject: "Welcome!" - body: |- - Hi. - Welcome to this XMPP server. - ip_access: trusted_network - access: register + access: none mod_roster: versioning: true store_current_id: true 
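Review bot: The comment added above `mod_register`, `# Allow existing accounts to change their password`, does not describe what the setting below it does: `access: none` disables in-band registration for everyone, including the `trusted_network` clients the removed `ip_access` line used to admit, and the module is kept loaded only so that XEP-0077 password changes keep working. The comment should say so, e.g. `# In-band registration is disabled (access: none); mod_register stays loaded only so existing accounts can change their password via XEP-0077.` As far as I know ejabberd's LDAP auth backend cannot write passwords, so on the 5apps.com vhost (which this series switches to `auth_method: ldap`) that password-change path would still fail; if that is the case, the comment should scope the claim to the SQL-backed vhost.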
@@ -254,37 +248,10 @@ modules: mod_http_api: {} append_host_config: - "5apps.com": - modules: - mod_muc: - host: "muc.@HOST@" - access: - - allow: local - access_admin: - - allow: admin - access_create: muc_create - access_persistent: muc_create - max_user_conferences: 1000 - default_room_options: - anonymous: false - public: true - members_only: true - public_list: false - persistent: true - mam: true - "kosmos.org": - modules: - mod_muc: - host: "kosmos.chat" - access: - - allow - access_admin: - - allow: admin - access_create: muc_create - access_persistent: muc_create - max_user_conferences: 1000 - default_room_options: - mam: true +<% @hosts.each do |host| -%> + "<%= host[:name] %>": + <%= host[:append_host_config].chomp %> +<% end -%> allow_contrib_modules: true From dc1226073c47cdb0bd1b3275e588f562f100349c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Fri, 14 Feb 2020 13:56:17 +0100 Subject: [PATCH 2/6] Move the admin users to the ejabberd encrypted data bag --- data_bags/credentials/ejabberd.json | 13 ++++++++++--- site-cookbooks/kosmos-ejabberd/recipes/default.rb | 9 +-------- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/data_bags/credentials/ejabberd.json b/data_bags/credentials/ejabberd.json index 447c397..ef6155a 100644 --- a/data_bags/credentials/ejabberd.json +++ b/data_bags/credentials/ejabberd.json 
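Review bot: The new `append_host_config` loop indents only the first line of each fragment: `<%= host[:append_host_config].chomp %>` is placed after four spaces, but every following line of the `<<-EOF` string keeps the indentation it has in default.rb (`<<-` neither strips nor adds leading whitespace), so unless the heredoc bodies are already indented by four extra spaces the rendered YAML puts `mod_muc:` and its children at the wrong depth, most likely as keys outside the vhost's mapping. Indent the whole fragment in the template instead, with the ERB tag at column 0: `<%= host[:append_host_config].chomp.gsub(/^/, "    ") %>`. The same pattern is copied into vhost.yml.erb later in this series, so the fix is needed there as well.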
@@ -1,9 +1,16 @@ { "id": "ejabberd", "5apps_ldap_password": { - "encrypted_data": "NjlYL0mMpXmLP2pk1ZSo5mWt+qosx7eh7+duoPc57avQGwPJ6Vxb\n", - "iv": "q/py5XYCEXARUEA9\n", - "auth_tag": "4xoSjTjLYNzuLvoksf3Thw==\n", + "encrypted_data": "LRafA47WMyuQe5KA4oOc6i/pTflwpG8Gq8v7cvsTr51XwJD62i9L\n", + "iv": "CSvV2mbofDQP4T42\n", + "auth_tag": "PERdYnrFKGs+HaPBD6Um+A==\n", + "version": 3, + "cipher": "aes-256-gcm" + }, + "admins": { + "encrypted_data": "D1fEa5S7ADU4tornw/FdcDifE6CzqM6TrLliWYxQ1AxwAuewdh0G2OfgjKOt\nvvibgIEMkr83FkX4La2wOjW8X6/DpBiyeys9RznVD4s0jmSaCG7qGHask3+R\nFLRl0gcYFCPkQopIAYihjnwvm9t1MwPXPF9c7B7rN5W2VvctQ9OEN3MgboHl\n", + "iv": "IgodYNr3muNTfkhX\n", + "auth_tag": "OJ42GSFtEp/KCxSIGhdbVg==\n", "version": 3, "cipher": "aes-256-gcm" } diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index 2b2f47e..86e80f4 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb @@ -122,14 +122,7 @@ ldap_domain = node['kosmos-dirsrv']['master_hostname'] ldap_encryption_type = node.chef_environment == "development" ? "none" : "tls" ldap_base = "cn=users,dc=kosmos,dc=org" -admin_users = [ - "greg@5apps.com", - "sebastian@5apps.com", - "garret@5apps.com", - "raucao@kosmos.org", - "greg@kosmos.org", - "galfert@kosmos.org" -] +admin_users = ejabberd_credentials['admins'] template "/opt/ejabberd/conf/ejabberd.yml" do source "ejabberd.yml.erb" From 55eb95ae73820acd7ca57aa15e4fa629f5e1e993 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Fri, 14 Feb 2020 13:56:52 +0100 Subject: [PATCH 3/6] Verify the TLS server's certificate Do not proceed if a certificate is invalid --- site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb | 1 + 1 file changed, 1 insertion(+) diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb index 5b069d5..a8c37e9 100644 
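Review bot: `admin_users = ejabberd_credentials['admins']` has no guard for a missing or mistyped key: as far as I recall the encrypted data bag item's `[]` returns nil for an absent key, so the template's `@admin_users.each` raises a NoMethodError at render time with no hint of what is missing, and a value that decrypts to a string would be iterated character by character. Fail explicitly where the value is read, e.g. `admin_users = Array(ejabberd_credentials['admins'])` followed by `raise "credentials/ejabberd: 'admins' must be a non-empty list" if admin_users.empty?`, so that an empty admin ACL (which locks everyone out of admin commands) is never rendered silently.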
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb @@ -25,6 +25,7 @@ host_config: ldap_rootdn: "cn=xmpp,ou=<%= host[:name] %>,<%= @ldap_base %>" ldap_password: "<%= host[:ldap_password] %>" ldap_encrypt: <%= @ldap_encryption_type %> + ldap_tls_verify: hard # when TLS is enabled, don't proceed if a cert is invalid ldap_base: "ou=<%= host[:name] %>,<%= @ldap_base %>" ldap_filter: "(nsRole=cn=xmpp_role,ou=<%= host[:name] %>,<%= @ldap_base %>)" <% end -%> From 38f39af2a4c80cf18fc3d71709947d275cc71d97 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Mon, 17 Feb 2020 13:20:54 +0100 Subject: [PATCH 4/6] Move each vhost to its own config file --- .../kosmos-ejabberd/recipes/default.rb | 25 +++++++++--- .../templates/ejabberd.yml.erb | 38 +------------------ .../kosmos-ejabberd/templates/vhost.yml.erb | 31 +++++++++++++++ 3 files changed, 51 insertions(+), 43 deletions(-) create mode 100644 site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index 86e80f4..1c07c3c 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb @@ -104,6 +104,12 @@ modules: } ] +ldap_domain = node['kosmos-dirsrv']['master_hostname'] +ldap_encryption_type = node.chef_environment == "development" ? "none" : "tls" +ldap_base = "cn=users,dc=kosmos,dc=org" + +admin_users = ejabberd_credentials['admins'] + hosts.each do |host| postgresql_database host[:sql_database] do owner 'ejabberd' 
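Review bot: `ldap_tls_verify: hard` is added without an `ldap_tls_cacertfile`, and ejabberd's documentation describes the CA file as required when TLS verification is enabled; as far as I can tell from eldap's option handling, verification with no trust anchor configured means no directory certificate can validate and the bind fails outright, or on older releases the option is silently ineffective, so either way the stated intent is not met. Add `ldap_tls_cacertfile: "/opt/ejabberd/conf/cacert.pem"` next to the verify option (the main config already references that bundle for `ca_file`; use it only if it actually contains the dirsrv issuer), and `ldap_tls_depth` if the chain has more than one intermediate. The inline comment should also note that in the development environment `ldap_encrypt` is rendered as `none`, where this option is a no-op and the bind password crosses the wire in cleartext.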
@@ -116,14 +122,21 @@ hosts.each do |host| command "psql #{host[:sql_database]}} < #{Chef::Config[:file_cache_path]}/pg.sql" action :nothing end + + template "/opt/ejabberd/conf/#{host[:name]}.yml" do + source "vhost.yml.erb" + mode 0640 + owner 'ejabberd' + group 'ejabberd' + sensitive true + variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password'], + host: host, + ldap_base: ldap_base, + ldap_server: ldap_domain, + ldap_encryption_type: ldap_encryption_type + end end -ldap_domain = node['kosmos-dirsrv']['master_hostname'] -ldap_encryption_type = node.chef_environment == "development" ? "none" : "tls" -ldap_base = "cn=users,dc=kosmos,dc=org" - -admin_users = ejabberd_credentials['admins'] - template "/opt/ejabberd/conf/ejabberd.yml" do source "ejabberd.yml.erb" mode 0640 diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb index a8c37e9..a78f3a1 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb 
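Review bot: The per-vhost `template "/opt/ejabberd/conf/#{host[:name]}.yml"` resource has no `notifies`, unlike the main `ejabberd.yml` template that triggers `execute[ejabberdctl reload_config]`, so a change that only touches a vhost file — a rotated LDAP bind password, a new MUC option — is written to disk but not applied until something else reloads ejabberd. Add `notifies :run, "execute[ejabberdctl reload_config]", :delayed` to the resource. The context line `command "psql #{host[:sql_database]}} < …"` also still carries the stray `}` introduced by the first patch of this series, so the schema bootstrap remains broken here.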
@@ -6,40 +6,10 @@ log_rotate_count: 1 log_rate_limit: 100 -hosts: <% @hosts.each do |host| -%> - - "<%= host[:name] %>" +include_config_file: "/opt/ejabberd/conf/<%= host[:name] %>.yml" <% end -%> -host_config: -<% @hosts.each do |host| -%> - "<%= host[:name] %>": - sql_type: pgsql - sql_server: "localhost" - sql_database: "<%= host[:sql_database] %>" - sql_username: "ejabberd" - sql_password: "<%= @pgsql_password %>" - <% if host[:ldap_enabled] -%> - auth_method: ldap - ldap_servers: ["<%= @ldap_server %>"] - ldap_rootdn: "cn=xmpp,ou=<%= host[:name] %>,<%= @ldap_base %>" - ldap_password: "<%= host[:ldap_password] %>" - ldap_encrypt: <%= @ldap_encryption_type %> - ldap_tls_verify: hard # when TLS is enabled, don't proceed if a cert is invalid - ldap_base: "ou=<%= host[:name] %>,<%= @ldap_base %>" - ldap_filter: "(nsRole=cn=xmpp_role,ou=<%= host[:name] %>,<%= @ldap_base %>)" - <% end -%> -<% end -%> - -<% if @hosts.any? { |host| File.exist?("/opt/ejabberd/conf/#{host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{host[:name]}.key") } -%> -certfiles: -<% @hosts.each do |host| -%> - <% if File.exist?("/opt/ejabberd/conf/#{host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{host[:name]}.key") -%> - - "/opt/ejabberd/conf/<%= host[:name] %>.crt" - - "/opt/ejabberd/conf/<%= host[:name] %>.key" - <% end -%> -<% end -%> -<% end -%> ca_file: "/opt/ejabberd/conf/cacert.pem" define_macro: @@ -248,12 +218,6 @@ modules: mod_s2s_dialback: {} mod_http_api: {} -append_host_config: -<% @hosts.each do |host| -%> - "<%= host[:name] %>": - <%= host[:append_host_config].chomp %> -<% end -%> - allow_contrib_modules: true ### Local Variables: diff --git a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb new file mode 100644 index 0000000..616d71e --- /dev/null +++ b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb 
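Review bot: The loop that replaces `hosts:` emits one top-level `include_config_file:` key per vhost, which yields a YAML mapping with duplicate keys; depending on how ejabberd's loader treats duplicates only the last one may survive, so with two vhosts the first vhost's SQL and LDAP settings would be dropped silently. ejabberd documents the option as taking a list (or a map of file to options), so render it once as a list: `include_config_file:` followed by `<% @hosts.each do |host| -%>` / `  - "/opt/ejabberd/conf/<%= host[:name] %>.yml"` / `<% end -%>`. Dropping the top-level `hosts:` entirely is also a problem, since ejabberd needs it in the main file, but that part is restored by the last patch in this series.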
@@ -0,0 +1,31 @@ +# Generated by Chef for <%= @host[:name] %> +hosts: + - "<%= @host[:name] %>" + +<% if File.exist?("/opt/ejabberd/conf/#{@host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{@host[:name]}.key") -%> +certfiles: + - "/opt/ejabberd/conf/<%= @host[:name] %>.crt" + - "/opt/ejabberd/conf/<%= @host[:name] %>.key" +<% end -%> +host_config: + "<%= @host[:name] %>": + sql_type: pgsql + sql_server: "localhost" + sql_database: "<%= @host[:sql_database] %>" + sql_username: "ejabberd" + sql_password: "<%= @pgsql_password %>" + <% if @host[:ldap_enabled] -%> + auth_method: ldap + ldap_servers: ["<%= @ldap_server %>"] + ldap_rootdn: "cn=xmpp,ou=<%= @host[:name] %>,<%= @ldap_base %>" + ldap_password: "<%= @host[:ldap_password] %>" + ldap_encrypt: <%= @ldap_encryption_type %> + ldap_tls_verify: hard # when TLS is enabled, don't proceed if a cert is invalid + ldap_base: "ou=<%= @host[:name] %>,<%= @ldap_base %>" + ldap_filter: "(nsRole=cn=xmpp_role,ou=<%= @host[:name] %>,<%= @ldap_base %>)" + <% end -%> + +append_host_config: + "<%= @host[:name] %>": + <%= @host[:append_host_config].chomp %> + From 72cc6342f15687636e2357e8ab84ad37f718a00e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Mon, 17 Feb 2020 13:27:14 +0100 Subject: [PATCH 5/6] Remove the unused LDAP variables from the main config file --- site-cookbooks/kosmos-ejabberd/recipes/default.rb | 3 --- 1 file changed, 3 deletions(-) diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index 1c07c3c..a120062 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb 
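Review bot: The new vhost template carries over the indentation hazard from the main template: `<%= @host[:append_host_config].chomp %>` sits after four spaces, but only the heredoc's first line (`modules:`) receives that indentation, while the remaining lines keep whatever indentation the `<<-EOF` body has in default.rb, so the rendered `append_host_config` block is very likely mis-nested. Use `<%= @host[:append_host_config].chomp.gsub(/^/, "    ") %>` at column 0 so every line is indented uniformly. The header comment should also state what this file is and why it is protected, e.g. `# Generated by Chef for <%= @host[:name] %> — included from ejabberd.yml; holds the SQL and LDAP bind credentials, hence mode 0640 owned by ejabberd.`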
@@ -143,9 +143,6 @@ template "/opt/ejabberd/conf/ejabberd.yml" do sensitive true variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password'], hosts: hosts, - ldap_base: ldap_base, - ldap_server: ldap_domain, - ldap_encryption_type: ldap_encryption_type, admin_users: admin_users notifies :run, "execute[ejabberdctl reload_config]", :delayed end From c2b2b6f08b8854b4ceb495df070c12c5c0ebc8d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?= Date: Mon, 17 Feb 2020 15:04:08 +0100 Subject: [PATCH 6/6] Fix the vhost template hosts must be defined in the main config file --- site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb | 5 +++++ site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb | 3 --- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb index a78f3a1..fc4cbe5 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb @@ -6,6 +6,11 @@ log_rotate_count: 1 log_rate_limit: 100 +hosts: +<% @hosts.each do |host| -%> + - "<%= host[:name] %>" +<% end -%> + <% @hosts.each do |host| -%> include_config_file: "/opt/ejabberd/conf/<%= host[:name] %>.yml" <% end -%> diff --git a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb index 616d71e..875af76 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb @@ -1,7 +1,4 @@ # Generated by Chef for <%= @host[:name] %> -hosts: - - "<%= @host[:name] %>" - <% if File.exist?("/opt/ejabberd/conf/#{@host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{@host[:name]}.key") -%> certfiles: - "/opt/ejabberd/conf/<%= @host[:name] %>.crt"
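Review bot: Restoring `hosts:` fixes the missing top-level host list, but the context lines right below still render `include_config_file:` once per vhost, i.e. a duplicate top-level YAML key, and which file ejabberd ends up including depends on how its loader resolves the duplicate. Render the option once in the documented list form: `include_config_file:` on its own line, then `  - "/opt/ejabberd/conf/<%= host[:name] %>.yml"` inside the existing `<% @hosts.each … %>` loop. The vhost.yml.erb hunk that follows is cut off at the end of the page, so it is not covered by this note.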