From ec58597320b371df9bc64e2898653d95e33ac16b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Tue, 19 Mar 2019 16:27:46 +0100
Subject: [PATCH] Set up Let's Encrypt for the kosmos.org ejabberd server
---
 site-cookbooks/kosmos-ejabberd/metadata.rb | 1 +
 .../kosmos-ejabberd/recipes/letsencrypt.rb | 50 +++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
diff --git a/site-cookbooks/kosmos-ejabberd/metadata.rb b/site-cookbooks/kosmos-ejabberd/metadata.rb
index 1e7a7fc..d9ed33f 100644
--- a/site-cookbooks/kosmos-ejabberd/metadata.rb
+++ b/site-cookbooks/kosmos-ejabberd/metadata.rb
@@ -20,4 +20,5 @@ chef_version '>= 12.14' if respond_to?(:chef_version)
 # source_url 'https://github.com//kosmos-ejabberd'
 depends "kosmos-postgresql"
+depends "kosmos-base"
 depends "backup"
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
new file mode 100644
index 0000000..825445c
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
@@ -0,0 +1,50 @@
+#
+# Cookbook:: kosmos-ejabberd
+# Recipe:: letsencrypt
+#
+# Copyright:: 2019, Kosmos, All Rights Reserved.
+#
+
+include_recipe "kosmos-base::letsencrypt"
+
+domain = "kosmos.org"
+domain_and_subdomains = [domain, "chat.#{domain}" "xmpp.#{domain}"]
+
+ejabberd_post_hook = <<-EOF
+#!/usr/bin/env bash
+
+set -e
+
+# Copy the ejabberd certificate and restart the server if it has been renewed
+# This is necessary because the ejabberd user doesn't have access to the
+# letsencrypt live folder
+for domain in $RENEWED_DOMAINS; do
+ case $domain in
+ # Do not copy over when renewing other kosmos.org domains
+ #{domain})
+ cat "${RENEWED_LINEAGE}/privkey.pem" "${RENEWED_LINEAGE}/fullchain.pem" > /opt/ejabberd/conf/#{domain}.pem
+ chown ejabberd:ejabberd /opt/ejabberd/conf/#{domain}.pem
+ chmod 600 /opt/ejabberd/conf/#{domain}.pem
+ /opt/ejabberd-#{node["kosmos-ejabberd"]["version"]}/bin/ejabberdctl reload_config
+ ;;
+ esac
+done
+EOF
+
+file "/etc/letsencrypt/renewal-hooks/post/ejabberd" do
+ content ejabberd_post_hook
+ mode 0755
+ owner "root"
+ group "root"
+end
+
+domain_and_subdomains_switch = domain_and_subdomains.map { |d| "-d #{d}" }.join(" ")
+
+# Generate a Let's Encrypt cert (only if no cert has been generated before).
+# The systemd timer will take care of renewing
+execute "letsencrypt cert for kosmos xmpp" do
+ command "/usr/bin/certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@#{domain} #{domain_and_subdomains_switch} -n"
+ not_if do
+ File.exist?("/opt/ejabberd/conf/#{domain}.pem")
+ end
+end
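Review bot: `domain_and_subdomains = [domain, "chat.#{domain}" "xmpp.#{domain}"]` is missing a comma, so Ruby concatenates the two adjacent literals and certbot is asked for `-d kosmos.org -d chat.kosmos.orgxmpp.kosmos.org` rather than the three intended names; it should read `domain_and_subdomains = [domain, "chat.#{domain}", "xmpp.#{domain}"]`. In the hook script the combined key+chain file is created by `cat >` under the inherited umask and only afterwards `chmod 600`, so there is a window in which the private key can be readable by other local users; adding `umask 077` right after `set -e` (or writing to a temp file and `install -m 600 -o ejabberd -g ejabberd` over the target) closes it and also makes the replacement atomic for a running ejabberd. The script is installed under `renewal-hooks/post/` but keys off `$RENEWED_DOMAINS`/`$RENEWED_LINEAGE`, which as far as I know certbot exports only to deploy hooks; as a post hook it would see an empty list and silently do nothing, so `renewal-hooks/deploy/` looks like the intended directory (the same path is also passed as `--deploy-hook` on first issuance, which is presumably what makes the initial copy work).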