121 Commits

Author SHA1 Message Date
74dd59ad07 Write hostname-related configs for new ejabberd cluster 2022-01-18 12:50:10 -06:00
5b351036ba Remove superfluous license header 2022-01-18 11:19:20 -06:00
024b4bf164 Fix typo 2022-01-18 11:19:19 -06:00
a184f27c96 Update kosmos postgres cookbook name in other cookbooks 2021-11-30 08:47:15 -06:00
ad271e55d4 Merge pull request 'Move PostgreSQL to VMs and access via Zerotier' (#282) from feature/postgres_vms into master
Reviewed-on: #282
2021-01-25 10:56:42 +00:00
Greg Karékinian
90ce664f2e Update ejabberd to 20.12
It fixes a bug that prevented the config from being reloaded for LDAP options
(https://github.com/processone/ejabberd/issues/3181) and more:
https://www.process-one.net/blog/ejabberd-20-12/
2021-01-24 10:14:29 +01:00
Greg Karékinian
bb0e73d1b9 Switch ejabberd, mastodon and gitea to a hostname for Postgres 2021-01-23 17:11:45 +01:00
fd4844a012 Fix ejabberd API permission for akkounts VMs
It should have been using a /32, not a /8 subnet, in order to only allow
the akkounts VM(s) to use the API endpoints without further
authorization.
2021-01-22 18:41:45 +01:00
74cf26846e Fix ejabberd API permission for akkounts VMs
It should have been using a /32, not a /8 subnet, in order to only allow
the akkounts VM(s) to use the API endpoints without further
authorization.
2021-01-12 18:06:16 +01:00
f1c8faff85 Merge branch 'master' into feature/api_permissions 2020-12-10 13:26:48 +00:00
239b6aed51 Add API permissions for akkounts VMs
Using the zerotier IP, which is the same as the knife-zero host.
2020-12-08 20:00:31 +01:00
56d9144ad6 Disable ACME
Throws a warning when reloading the config, because it is enabled by
default, but not configured entirely. Disabling it explicitly removes
the warning.
2020-12-08 14:30:29 +01:00
Greg Karékinian
e6b7794e20 Extract firewall definitions to their own recipe
This allows us to use them for KVM hosts as well. Until now we had set
up ufw rules manually on the two KVM hosts (draco and centaurus).

Refs #244
2020-12-04 16:27:42 +01:00
8c60279fe1 Add cluster configs to ejabberd recipe 2020-11-25 21:02:46 +01:00
Greg Karékinian
613b316588 Add comment about needing to run Chef a second time...
... after the TLS certs are generated
2020-11-25 16:36:07 +01:00
Greg Karékinian
3a8af26b5f Remove firewall rule for an unused port 2020-11-25 16:36:07 +01:00
Greg Karékinian
ddb706b61c Add a missing dependency on kosmos-dirsrv 2020-11-25 16:36:07 +01:00
Greg Karékinian
085bd8abd5 Move TURN port to a different range
It landed on a port used by PostgreSQL. Also switch STUN/TURN to TCP
because HAProxy does not support UDP.

Closes #240
2020-11-25 16:36:07 +01:00
Greg Karékinian
7636f6ed19 Move the Gandi DNS certbot hook to kosmos-ejabberd 2020-11-25 16:36:07 +01:00
Greg Karékinian
8b1f90c568 Use the same Erlang cookie to enable clustering
Refs #243
2020-11-25 16:35:37 +01:00
f39f953b8a Configure ejabberd nodes for HTTP upload service 2020-11-24 15:44:59 +01:00
0e29c930ed Configure subdirectory level for upload.pm
This allows posting to per-domain subdirectories from XMPP clients.
2020-11-24 15:33:34 +01:00
0aef830aa3 Fix upload folder permissions
Uploads are failing with the current mode.
2020-11-23 20:50:01 +01:00
9efb9cd78c Configure/deploy HTTP upload service on uploads.kosmos.chat
https://xmpp.org/extensions/xep-0363.html

(Does not contain the config for ejabberd itself yet.)
2020-11-23 17:37:14 +01:00
Greg Karékinian
2119c11243 Do not include kosmos-postgresql in kosmos-ejabberd default recipe
It will install PostgreSQL, and we do not want that on the ejabberd
server.
2020-09-25 16:29:01 +02:00
Greg Karékinian
6f696d7634 Define access rules in the PostgreSQL primary recipe
Access is done for the IP of a server for all users and all databases
for ejabberd and gitea.
2020-06-11 18:20:04 +02:00
Greg Karékinian
26097a7584 Use the correct database name for the access rights 2020-06-11 09:00:50 +02:00
Greg Karékinian
2c21d6255b Add PostgreSQL primary support to the kosmos-ejabberd cookbook
* Move the PostgreSQL user and database creation to a pg_db recipe
* Generate access rights for the ejabberd servers in the pg_db recipe
* Connect to the PostgreSQL primary instead of localhost

Refs #180
2020-06-10 18:38:40 +02:00
Greg Karékinian
091a46e972 Do not pass the pgsql_password variable to ejabberd.yml
The password is only used in the config files for the vhosts.
2020-06-10 18:37:36 +02:00
4448ec2173 Configure TURN properly
Was missing a couple of necessary properties, and is now using an
explicit port range for TURN, and opening those ports in UFW.
2020-05-02 14:07:14 +02:00
ef2fa2da72 Configure STUN/TURN
Configures built-in STUN/TURN support, and adds the new service discovery
module for it.
2020-05-01 16:25:38 +02:00
35a56aa221 Update version to 20.04 2020-05-01 14:55:13 +02:00
Greg Karékinian
db8bb44c8b Update ejabberd to 20.03
The download URL has changed, they removed a prefix.

Closes #153
2020-04-20 14:53:08 +02:00
Greg Karékinian
f5dd2c7de9 Fix the command importing the schema on db creation
It had an extra }, but this only fails when creating the databases.
2020-04-20 14:52:11 +02:00
7fa11089b1 Merge branch 'bugfix/ejabberd_restart_config_vhost_change' of kosmos/chef into master 2020-03-04 13:45:10 +00:00
Greg Karékinian
a68ae78689 Update ejabberd to 20.02
It includes a fix to the reload_config command that prevented us from
running a version newer than 19.05

Closes #136
2020-03-04 13:28:13 +01:00
Greg Karékinian
6cd0fa039e Restart ejabberd service when changing a vhost config
I have run into an issue: changes to the LDAP config for a host are
currently only loaded on startup, not on reload.

https://github.com/processone/ejabberd/issues/3181

This should be fixed once b39a1e2d74 is part of the next release.
2020-03-04 13:23:54 +01:00
Greg Karékinian
6fa89b3c25 Switch the ejabberd LDAP setup to a new application account
Needs the new directory structure:

```
# The RDN attribute (cn) must match the value in the entry's DN
dn: cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalRole
cn: applications

dn: ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
ou: kosmos.org

dn: ou=5apps.com,cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
description: 5apps
ou: 5apps.com

dn: uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: wiki
userPassword: [snip]

dn: uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: xmpp
userPassword: [snip]

dn: uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: xmpp
userPassword: [snip]
```

And the new ACIs:

```
dn: ou=5apps.com,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)

dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=wiki,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
```

Refs #140
2020-02-21 18:03:58 +01:00
Greg Karékinian
90a0e6be9f Enable LDAP on the kosmos.org vhost 2020-02-19 12:30:55 +01:00
Greg Karékinian
56adfa37fb Fix a warning in the config
Migrate the web admin to a request handler
2020-02-17 17:26:55 +01:00
Greg Karékinian
0f9b2777a3 Update ejabberd to 19.05
Versions from 19.08 to 20.01 contain a blocking bug in the
reload_config command
(https://github.com/processone/ejabberd/issues/3170)

Closes #134
2020-02-17 17:26:45 +01:00
Greg Karékinian
c2b2b6f08b Fix the vhost template
hosts must be defined in the main config file
2020-02-17 15:04:08 +01:00
Greg Karékinian
72cc6342f1 Remove the unused LDAP variables from the main config file 2020-02-17 13:27:14 +01:00
Greg Karékinian
38f39af2a4 Move each vhost to its own config file 2020-02-17 13:20:54 +01:00
Greg Karékinian
55eb95ae73 Verify the TLS server's certificate
Do not proceed if a certificate is invalid
2020-02-14 13:56:52 +01:00
Greg Karékinian
dc1226073c Move the admin users to the ejabberd encrypted data bag 2020-02-14 13:56:17 +01:00
Greg Karékinian
49d01991fd Enable LDAP on the XMPP 5apps.com vhost
Refactor the ejabberd config file to remove hardcoded values about the
vhosts

Refs #123
2020-02-12 17:40:38 +01:00
Greg Karékinian
544f4b78f4 Change the MUC domain for the kosmos.org XMPP server to kosmos.chat 2019-09-19 15:57:54 +02:00
Greg Karékinian
4685b16573 Add kosmos.chat to the list of Kosmos XMPP domains with a TLS cert 2019-09-19 15:56:49 +02:00
Greg Karékinian
2ecc128abd Move the hidden service attributes to the attributes file
When it is set in the recipe, the hidden service dir doesn't get set
correctly (nil), resulting in a broken torrc file.
2019-09-11 13:47:42 +02:00