Basti
3a37cade0e
Explicitly configure STUN/TURN service discovery
...
It didn't return any services without the explicit config.
2020-05-02 14:30:36 +02:00
Basti
4448ec2173
Configure TURN properly
...
Was missing a couple of necessary properties, and is now using an
explicit port range for TURN, and opening those ports in UFW.
2020-05-02 14:07:14 +02:00
Basti
0bcb2597e8
Update node info
2020-05-02 12:41:30 +02:00
Râu Cao
136fc84c4f
Merge branch 'feature/159-ejabberd_stun_turn' of kosmos/chef into master
2020-05-02 10:01:15 +00:00
Basti
ef2fa2da72
Configure STUN/TURN
...
Configures built-in STUN/TURN support, and adds the new service discovery
module for it.
2020-05-01 16:25:38 +02:00
Basti
35a56aa221
Update version to 20.04
2020-05-01 14:55:13 +02:00
Greg
53d53f2375
Merge branch 'bugfix/152-remove_encryption_keys_tls' of kosmos/chef into master
2020-04-30 15:50:26 +00:00
Greg
ee13c3cbe9
Merge branch 'bugfix/153-update_ejabberd_20.03' of kosmos/chef into master
2020-04-21 13:38:53 +00:00
Greg
4c1879b84e
Merge branch 'bugfix/ldap_invalid_aci' of kosmos/chef into master
2020-04-21 11:22:50 +00:00
Greg
1c920a8cb2
Remove the encryption keys after TLS cert renewal
...
This is done with awk, this was the best way I found to perform the
multi-line deletion. It deletes both the AES AND 3DES sections
The keys will be recreated on service restart
https://access.redhat.com/documentation/en-us/red_hat_directory_server/9.0/html/administration_guide/ssl-and-attr-encryption
Closes #152
2020-04-20 19:11:34 +02:00
Greg
5e3c8066f9
Add the missing certbot command to generate the LDAP TLS cert
...
This had been done manually on barnard. This will not be executed on
barnard again since the cert exists
2020-04-20 19:10:15 +02:00
Greg
d01c9a4d0a
Fix the name of the deploy certbot hook
2020-04-20 19:09:43 +02:00
Greg
3ca8ab45da
Fix the invalid ACIs on initial creation
...
This is only executed on initial creation of the instance, the
production one is using these fixed ACIs, this was only an issue with
the setup
The issue was the ACI was set at the wrong level
2020-04-20 19:00:28 +02:00
Greg
db8bb44c8b
Update ejabberd to 20.03
...
The download URL has changed, they removed a prefix
Closes #153
2020-04-20 14:53:08 +02:00
Greg
f5dd2c7de9
Fix the command importing the schema on db creation
...
It had an extra }, but this only fails when creating the databases
2020-04-20 14:52:11 +02:00
Greg
f5bdc3e892
Merge branch 'doc/ldap' of kosmos/chef into master
2020-04-20 09:29:34 +00:00
Basti
73e87f8f45
Improve LDAP example command
...
We should not log passwords in bash history files. This change will
prompt the user for the password instead.
2020-04-19 13:01:39 +02:00
Râu Cao
4f1bf768ee
Merge branch 'feature/hal8000_zoom' of kosmos/chef into master
2020-04-16 20:19:30 +00:00
Basti
cc4c8fb903
Add hubot-kredits Zoom config
2020-04-16 17:52:28 +02:00
Greg
a3b95463fa
Merge branch 'bugfix/mediawiki_extensions_deleted_releases' of kosmos/chef into master
2020-03-04 15:07:22 +00:00
Greg
d7363d662b
Switch the Mediawiki extensions to GitHub zips
...
This fixes the annoying issue of Mediawiki only keeping one revision of
each branch
2020-03-04 16:03:12 +01:00
Greg
7fa11089b1
Merge branch 'bugfix/ejabberd_restart_config_vhost_change' of kosmos/chef into master
2020-03-04 13:45:10 +00:00
Greg
970a1b6a3a
Merge branch 'feature/136-ejabberd_20.02' of kosmos/chef into master
2020-03-04 13:33:52 +00:00
Greg
a68ae78689
Update ejabberd to 20.02
...
It includes a fix to the reload_config command that prevented us from
running a version newer than 19.05
Closes #136
2020-03-04 13:28:13 +01:00
Greg
6cd0fa039e
Restart ejabberd service when changing a vhost config
...
I have ran into an issue, changes to the LDAP config for a host are
currently only loaded on startup, not on reload
https://github.com/processone/ejabberd/issues/3181
This should be fixed once
b39a1e2d74
is part of the next release
2020-03-04 13:23:54 +01:00
gregkare
081222b75c
Merge branch 'feature/140-ldap_application_accounts' of kosmos/chef into master
2020-02-27 10:45:46 +00:00
Greg
d7ad95fb3f
Switch the mediawiki LDAP setup to a new application account
...
Needs the new directory structure:
```
dn: cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalRole
cn: users
dn: ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
ou: kosmos.org
dn: ou=5apps.com,cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
description: 5apps
ou: 5apps.com
dn: uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: wiki
userPassword: [snip]
dn: uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: xmpp
userPassword: [snip]
dn: uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: xmpp
userPassword: [snip]
```
And the new ACIs:
```
dn: ou=5apps.com,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)
dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=wiki,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
```
Refs #140
2020-02-21 18:04:48 +01:00
Greg
6fa89b3c25
Switch the ejabberd LDAP setup to a new application account
...
Needs the new directory structure:
```
dn: cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalRole
cn: users
dn: ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
ou: kosmos.org
dn: ou=5apps.com,cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
description: 5apps
ou: 5apps.com
dn: uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: wiki
userPassword: [snip]
dn: uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: xmpp
userPassword: [snip]
dn: uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: xmpp
userPassword: [snip]
```
And the new ACIs:
```
dn: ou=5apps.com,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)
dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=wiki,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
```
Refs #140
2020-02-21 18:03:58 +01:00
gregkare
f34513220e
Merge branch 'feature/130-remove_antispam' of kosmos/chef into master
2020-02-20 13:34:15 +00:00
Greg
c4fdf1779f
Remove the CleanTalk Antispam extension
...
It is not needed anymore now that registration is closed and only LDAP
accounts can edit or create pages
Closes #130
2020-02-20 14:31:39 +01:00
Greg
6f7474b4d1
Update the Mediawiki extensions
2020-02-20 14:30:25 +01:00
gregkare
c01f5c1038
Merge branch 'feature/127-new_ldap_dir_structure' of kosmos/chef into master
2020-02-20 13:29:05 +00:00
Greg
90a0e6be9f
Enable LDAP on the kosmos.org vhost
2020-02-19 12:30:55 +01:00
Greg
276daf0ed7
Switch the Mediawiki config to the new LDAP dir structure
...
* Use a new read-only account instead of the admin LDAP account
* Disable the LDAPAuthorization plugin. The LDAPAuthentication2 plugin
is still used to authenticate users, but every kosmos.org user has
access to the wiki. See
https://www.mediawiki.org/wiki/Extension:PluggableAuth for the
distinction between authentication and authorization
Refs #127
2020-02-19 12:29:14 +01:00
Râu Cao
afaff86551
Merge branch 'feature/134-ejabberd_19.05' of kosmos/chef into master
2020-02-17 16:37:13 +00:00
Greg
56adfa37fb
Fix a warning in the config
...
Migrate the web admin to a request handler
2020-02-17 17:26:55 +01:00
Greg
0f9b2777a3
Update ejabberd to 19.05
...
Versions from 19.08 to 20.01 contains a blocking bug in the
reload_config command
(https://github.com/processone/ejabberd/issues/3170 )
Closes #134
2020-02-17 17:26:45 +01:00
Râu Cao
e694996ebd
Merge branch 'feature/123-ejabberd_5apps' of kosmos/chef into master
2020-02-17 14:41:03 +00:00
Greg
c2b2b6f08b
Fix the vhost template
...
hosts must be defined in the main config file
2020-02-17 15:04:08 +01:00
Greg
72cc6342f1
Remove the unused LDAP variables from the main config file
2020-02-17 13:27:14 +01:00
Greg
38f39af2a4
Move each vhost to its own config file
2020-02-17 13:20:54 +01:00
Greg
463664448c
Merge branch 'master' into feature/123-ejabberd_5apps
2020-02-17 12:21:16 +01:00
Basti
5b86aca5e8
Update andromeda node info
2020-02-15 13:52:00 -05:00
gregkare
585041e36c
Merge branch 'bugfix/128-set_acis_on_users' of kosmos/chef into master
2020-02-14 15:47:16 +00:00
Greg
55eb95ae73
Verify the TLS server's certificate
...
Do not proceed if a certificate is invalid
2020-02-14 13:56:52 +01:00
Greg
dc1226073c
Move the admin users to the ejabberd encrypted data bag
2020-02-14 13:56:17 +01:00
Greg
49d01991fd
Enable LDAP on the XMPP 5apps.com vhost
...
Refactor the ejabberd config file to remove hardcoded values about the
vhosts
Refs #123
2020-02-12 17:40:38 +01:00
Greg
e56faab5b1
Set the ACIs on the base DN
...
Allow users to change their own password, but nothing else (no search,
no read, no write)
This will only run when setting up the 389-dirsrv instance for the first
time, this has been applied on barnard by editing the dn (see
#128 (comment) )
Closes #128
2020-02-12 16:13:45 +01:00
Greg
396cc344fb
Switch the ipfs cookbook from GitHub to Gitlab
2020-02-04 16:26:31 +01:00
Râu Cao
628b8c6ef8
Merge branch 'feature/124-enable_cite_extension' of kosmos/chef into master
2020-01-29 14:36:31 +00:00