Commit Graph

716 Commits

Author SHA1 Message Date
Basti 3a37cade0e
Explicitly configure STUN/TURN service discovery
It didn't return any services without the explicit config.
2020-05-02 14:30:36 +02:00
Basti 4448ec2173
Configure TURN properly
Was missing a couple of necessary properties, and is now using an
explicit port range for TURN, and opening those ports in UFW.
2020-05-02 14:07:14 +02:00
Basti 0bcb2597e8
Update node info 2020-05-02 12:41:30 +02:00
Râu Cao 136fc84c4f Merge branch 'feature/159-ejabberd_stun_turn' of kosmos/chef into master 2020-05-02 10:01:15 +00:00
Basti ef2fa2da72
Configure STUN/TURN
Configures built-in STUN/TURN support, and adds the new service discovery
module for it.
2020-05-01 16:25:38 +02:00
Basti 35a56aa221
Update version to 20.04 2020-05-01 14:55:13 +02:00
Greg 53d53f2375 Merge branch 'bugfix/152-remove_encryption_keys_tls' of kosmos/chef into master 2020-04-30 15:50:26 +00:00
Greg ee13c3cbe9 Merge branch 'bugfix/153-update_ejabberd_20.03' of kosmos/chef into master 2020-04-21 13:38:53 +00:00
Greg 4c1879b84e Merge branch 'bugfix/ldap_invalid_aci' of kosmos/chef into master 2020-04-21 11:22:50 +00:00
Greg 1c920a8cb2 Remove the encryption keys after TLS cert renewal
This is done with awk, which was the best way I found to perform the
multi-line deletion. It deletes both the AES AND 3DES sections.

The keys will be recreated on service restart

https://access.redhat.com/documentation/en-us/red_hat_directory_server/9.0/html/administration_guide/ssl-and-attr-encryption

Closes #152
2020-04-20 19:11:34 +02:00
Greg 5e3c8066f9 Add the missing certbot command to generate the LDAP TLS cert
This had been done manually on barnard. This will not be executed on
barnard again since the cert exists.
2020-04-20 19:10:15 +02:00
Greg d01c9a4d0a Fix the name of the deploy certbot hook 2020-04-20 19:09:43 +02:00
Greg 3ca8ab45da Fix the invalid ACIs on initial creation
This is only executed on initial creation of the instance. The
production one is using these fixed ACIs; this was only an issue with
the setup.

The issue was the ACI was set at the wrong level
2020-04-20 19:00:28 +02:00
Greg db8bb44c8b Update ejabberd to 20.03
The download URL has changed, they removed a prefix

Closes #153
2020-04-20 14:53:08 +02:00
Greg f5dd2c7de9 Fix the command importing the schema on db creation
It had an extra }, but this only fails when creating the databases
2020-04-20 14:52:11 +02:00
Greg f5bdc3e892 Merge branch 'doc/ldap' of kosmos/chef into master 2020-04-20 09:29:34 +00:00
Basti 73e87f8f45
Improve LDAP example command
We should not log passwords in bash history files. This change will
prompt the user for the password instead.
2020-04-19 13:01:39 +02:00
Râu Cao 4f1bf768ee Merge branch 'feature/hal8000_zoom' of kosmos/chef into master 2020-04-16 20:19:30 +00:00
Basti cc4c8fb903
Add hubot-kredits Zoom config 2020-04-16 17:52:28 +02:00
Greg a3b95463fa Merge branch 'bugfix/mediawiki_extensions_deleted_releases' of kosmos/chef into master 2020-03-04 15:07:22 +00:00
Greg d7363d662b Switch the Mediawiki extensions to GitHub zips
This fixes the annoying issue of Mediawiki only keeping one revision of
each branch
2020-03-04 16:03:12 +01:00
Greg 7fa11089b1 Merge branch 'bugfix/ejabberd_restart_config_vhost_change' of kosmos/chef into master 2020-03-04 13:45:10 +00:00
Greg 970a1b6a3a Merge branch 'feature/136-ejabberd_20.02' of kosmos/chef into master 2020-03-04 13:33:52 +00:00
Greg a68ae78689 Update ejabberd to 20.02
It includes a fix to the reload_config command that prevented us from
running a version newer than 19.05

Closes #136
2020-03-04 13:28:13 +01:00
Greg 6cd0fa039e Restart ejabberd service when changing a vhost config
I have run into an issue: changes to the LDAP config for a host are
currently only loaded on startup, not on reload.

https://github.com/processone/ejabberd/issues/3181

This should be fixed once b39a1e2d74 is part of the next release.
2020-03-04 13:23:54 +01:00
gregkare 081222b75c Merge branch 'feature/140-ldap_application_accounts' of kosmos/chef into master 2020-02-27 10:45:46 +00:00
Greg d7ad95fb3f Switch the mediawiki LDAP setup to a new application account
Needs the new directory structure:

```
dn: cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalRole
cn: users

dn: ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
ou: kosmos.org

dn: ou=5apps.com,cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
description: 5apps
ou: 5apps.com

dn: uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: wiki
userPassword: [snip]

dn: uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: xmpp
userPassword: [snip]

dn: uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: xmpp
userPassword: [snip]
```

And the new ACIs:

```
dn: ou=5apps.com,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)

dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=wiki,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
```

Refs #140
2020-02-21 18:04:48 +01:00
Greg 6fa89b3c25 Switch the ejabberd LDAP setup to a new application account
Needs the new directory structure:

```
dn: cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalRole
cn: users

dn: ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
ou: kosmos.org

dn: ou=5apps.com,cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
description: 5apps
ou: 5apps.com

dn: uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: wiki
userPassword: [snip]

dn: uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: xmpp
userPassword: [snip]

dn: uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: xmpp
userPassword: [snip]
```

And the new ACIs:

```
dn: ou=5apps.com,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)

dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=wiki,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
```

Refs #140
2020-02-21 18:03:58 +01:00
gregkare f34513220e Merge branch 'feature/130-remove_antispam' of kosmos/chef into master 2020-02-20 13:34:15 +00:00
Greg c4fdf1779f Remove the CleanTalk Antispam extension
It is not needed anymore now that registration is closed and only LDAP
accounts can edit or create pages

Closes #130
2020-02-20 14:31:39 +01:00
Greg 6f7474b4d1 Update the Mediawiki extensions 2020-02-20 14:30:25 +01:00
gregkare c01f5c1038 Merge branch 'feature/127-new_ldap_dir_structure' of kosmos/chef into master 2020-02-20 13:29:05 +00:00
Greg 90a0e6be9f Enable LDAP on the kosmos.org vhost 2020-02-19 12:30:55 +01:00
Greg 276daf0ed7 Switch the Mediawiki config to the new LDAP dir structure
* Use a new read-only account instead of the admin LDAP account
* Disable the LDAPAuthorization plugin. The LDAPAuthentication2 plugin
is still used to authenticate users, but every kosmos.org user has
access to the wiki. See
https://www.mediawiki.org/wiki/Extension:PluggableAuth for the
distinction between authentication and authorization

Refs #127
2020-02-19 12:29:14 +01:00
Râu Cao afaff86551 Merge branch 'feature/134-ejabberd_19.05' of kosmos/chef into master 2020-02-17 16:37:13 +00:00
Greg 56adfa37fb Fix a warning in the config
Migrate the web admin to a request handler
2020-02-17 17:26:55 +01:00
Greg 0f9b2777a3 Update ejabberd to 19.05
Versions from 19.08 to 20.01 contain a blocking bug in the
reload_config command
(https://github.com/processone/ejabberd/issues/3170)

Closes #134
2020-02-17 17:26:45 +01:00
Râu Cao e694996ebd Merge branch 'feature/123-ejabberd_5apps' of kosmos/chef into master 2020-02-17 14:41:03 +00:00
Greg c2b2b6f08b Fix the vhost template
hosts must be defined in the main config file
2020-02-17 15:04:08 +01:00
Greg 72cc6342f1 Remove the unused LDAP variables from the main config file 2020-02-17 13:27:14 +01:00
Greg 38f39af2a4 Move each vhost to its own config file 2020-02-17 13:20:54 +01:00
Greg 463664448c Merge branch 'master' into feature/123-ejabberd_5apps 2020-02-17 12:21:16 +01:00
Basti 5b86aca5e8
Update andromeda node info 2020-02-15 13:52:00 -05:00
gregkare 585041e36c Merge branch 'bugfix/128-set_acis_on_users' of kosmos/chef into master 2020-02-14 15:47:16 +00:00
Greg 55eb95ae73 Verify the TLS server's certificate
Do not proceed if a certificate is invalid
2020-02-14 13:56:52 +01:00
Greg dc1226073c Move the admin users to the ejabberd encrypted data bag 2020-02-14 13:56:17 +01:00
Greg 49d01991fd Enable LDAP on the XMPP 5apps.com vhost
Refactor the ejabberd config file to remove hardcoded values about the
vhosts

Refs #123
2020-02-12 17:40:38 +01:00
Greg e56faab5b1 Set the ACIs on the base DN
Allow users to change their own password, but nothing else (no search,
no read, no write)

This will only run when setting up the 389-dirsrv instance for the first
time, this has been applied on barnard by editing the dn (see
#128 (comment))

Closes #128
2020-02-12 16:13:45 +01:00
Greg 396cc344fb Switch the ipfs cookbook from GitHub to Gitlab 2020-02-04 16:26:31 +01:00
Râu Cao 628b8c6ef8 Merge branch 'feature/124-enable_cite_extension' of kosmos/chef into master 2020-01-29 14:36:31 +00:00