1041 Commits

Author SHA1 Message Date
Greg Karékinian
1f0e2ccbdd Move the binary URL to an attribute 2020-05-21 11:51:06 +02:00
Greg Karékinian
51d4d88568 Initial kosmos_gitea cookbook
The default recipe deploys the gitea binary, generates a config file and
our custom Kosmos label set. The service runs as a Systemd unit.

The pg_db recipe needs to run on the primary PostgreSQL (currently
andromeda).

The backup recipe is empty for now

Refs #147
2020-05-18 19:39:43 +02:00
Greg Karékinian
20cbc678bc Add a method that returns the PostgreSQL service 2020-05-18 19:38:37 +02:00
Greg Karékinian
d79cdf087b Move the PGPASS environment variable to the execute resource
That way it does not appear in the list of running processes while the
command is running
2020-05-15 18:45:12 +02:00
Greg Karékinian
31dc14e88c Fix the firewall rules for PostgreSQL
I got the source and destination mixed up.
2020-05-15 18:44:42 +02:00
Greg Karékinian
55b1cbc1d7 Encrypt the Postgresql data dir on the replica (centaurus)
encfs always runs a configuration assistant when creating a new
volume, so this needs to be done manually:

   systemctl stop postgresql@12-main
   mv /var/lib/postgresql /var/lib/postgresql.old
   encfs /var/lib/postgresql_encrypted /var/lib/postgresql --public
Pick p (paranoia mode) and enter the password from the data bag twice

   mv /var/lib/postgresql/* /var/lib/postgresql/
   systemctl start postgresql@12-main

This is running on centaurus and is mounted automatically on boot by a
system unit

Refs #129
2020-05-15 18:41:31 +02:00
Greg Karékinian
57f46c6c61 Merge branch 'master' into bugfix/enable_dirsrv 2020-05-15 17:24:04 +02:00
Greg Karékinian
b4209fa294 Fix the invalid ACIs on initial creation (for real)
Follow-up to #156

I found another issue with the initial ACI creation, while creating a
fresh VM. I thought I had fixed it in #156 but I was wrong. This time
the ACIs are really set and the code runs successfully.

The ACIs are set on the suffix, so modifying it is needed

This won't be executed on a server that is already running, this is only
done on the initial setup
2020-05-15 14:05:35 +02:00
Greg Karékinian
10f0460fd5 Fix startup of the dirsrv@master Systemd unit on boot
The symlink created by Chef's service resource was wrong. Creating the
correct symlink fixes the automatic startup on boot
2020-05-15 13:54:34 +02:00
Greg Karékinian
18973fe4f6 Remove the deleted tls property from the resources 2020-05-14 15:09:15 +02:00
Greg Karékinian
fbf610a643 Merge branch 'master' into feature/160-postgres_replication 2020-05-14 15:06:00 +02:00
Greg Karékinian
069090bf44 Remove TODOs
Access rules will not be part of this cookbook, they need to be added to
the cookbooks that use a PostgreSQL database
2020-05-14 13:15:47 +02:00
Greg Karékinian
dd92d6cdb7 Remove deploying the root cert to clients from the README
We do not want to verify the root cert so this is not needed
2020-05-14 13:14:42 +02:00
Greg Karékinian
124ee5e6f3 Update the README 2020-05-14 12:36:20 +02:00
Greg Karékinian
0063776297 Remove unused dependencies 2020-05-13 19:11:00 +02:00
Greg Karékinian
8d2ab785fc Use a self-signed TLS certificate for PostgreSQL 2020-05-13 19:10:14 +02:00
Greg Karékinian
84cb3de4a0 Remove outdated comment
This was the case when the code lived inside of the custom resource
2020-05-13 19:04:12 +02:00
Greg Karékinian
eb98aa1bac Clarify the firewall and client authentication rules 2020-05-12 16:04:58 +02:00
Greg Karékinian
0180da1aa6 Fix a typo in the README 2020-05-12 15:59:55 +02:00
Greg Karékinian
254f9020ae Enable firewall rules to allow primary/replica to connect 2020-05-12 12:10:10 +02:00
Greg Karékinian
80c7263a72 Upgrade PostgreSQL from 10 to 12
Refs #160
2020-05-11 18:26:57 +02:00
Greg Karékinian
21119fff08 Add a custom resource to set up PostgreSQL 12
Supports both primary and replica. The access rules and firewall have to
be set up outside of the custom resource, so they are part of the
recipes instead

Refs #160
2020-05-11 18:23:11 +02:00
4448ec2173
Configure TURN properly
Was missing a couple of necessary properties, and is now using an
explicit port range for TURN, and opening those ports in UFW.
2020-05-02 14:07:14 +02:00
ef2fa2da72
Configure STUN/TURN
Configures built-in STUN/TURN support, and adds the new service discovery
module for it.
2020-05-01 16:25:38 +02:00
35a56aa221
Update version to 20.04 2020-05-01 14:55:13 +02:00
53d53f2375 Merge branch 'bugfix/152-remove_encryption_keys_tls' of kosmos/chef into master 2020-04-30 15:50:26 +00:00
ee13c3cbe9 Merge branch 'bugfix/153-update_ejabberd_20.03' of kosmos/chef into master 2020-04-21 13:38:53 +00:00
4c1879b84e Merge branch 'bugfix/ldap_invalid_aci' of kosmos/chef into master 2020-04-21 11:22:50 +00:00
Greg Karékinian
1c920a8cb2 Remove the encryption keys after TLS cert renewal
This is done with awk, this was the best way I found to perform the
multi-line deletion. It deletes both the AES AND 3DES sections

The keys will be recreated on service restart

https://access.redhat.com/documentation/en-us/red_hat_directory_server/9.0/html/administration_guide/ssl-and-attr-encryption

Closes #152
2020-04-20 19:11:34 +02:00
Greg Karékinian
5e3c8066f9 Add the missing certbot command to generate the LDAP TLS cert
This had been done manually on barnard. This will not be executed on
barnard again since the cert exists
2020-04-20 19:10:15 +02:00
Greg Karékinian
d01c9a4d0a Fix the name of the deploy certbot hook 2020-04-20 19:09:43 +02:00
Greg Karékinian
3ca8ab45da Fix the invalid ACIs on initial creation
This is only executed on initial creation of the instance, the
production one is using these fixed ACIs, this was only an issue with
the setup

The issue was the ACI was set at the wrong level
2020-04-20 19:00:28 +02:00
Greg Karékinian
db8bb44c8b Update ejabberd to 20.03
The download URL has changed, they removed a prefix

Closes #153
2020-04-20 14:53:08 +02:00
Greg Karékinian
f5dd2c7de9 Fix the command importing the schema on db creation
It had an extra }, but this only fails when creating the databases
2020-04-20 14:52:11 +02:00
4f1bf768ee Merge branch 'feature/hal8000_zoom' of kosmos/chef into master 2020-04-16 20:19:30 +00:00
cc4c8fb903
Add hubot-kredits Zoom config 2020-04-16 17:52:28 +02:00
Greg Karékinian
43736cd8e9 Move the debug logs env variable to an attribute
Set it to 'sockethub*' for now as Nick advised, see
#91
2020-03-25 17:51:28 +01:00
Greg Karékinian
29a5947d18 Deploy Sockethub from the npm package
This is currently 3.1.4 and is set as an attribute. The recipe is very
simple now, it installs the npm package, and the systemd service runs
/usr/bin/sockethub and sets the environment variables

Closes #145
2020-03-25 12:43:39 +01:00
Greg Karékinian
d7363d662b Switch the Mediawiki extensions to GitHub zips
This fixes the annoying issue of Mediawiki only keeping one revision of
each branch
2020-03-04 16:03:12 +01:00
7fa11089b1 Merge branch 'bugfix/ejabberd_restart_config_vhost_change' of kosmos/chef into master 2020-03-04 13:45:10 +00:00
Greg Karékinian
a68ae78689 Update ejabberd to 20.02
It includes a fix to the reload_config command that prevented us from
running a version newer than 19.05

Closes #136
2020-03-04 13:28:13 +01:00
Greg Karékinian
6cd0fa039e Restart ejabberd service when changing a vhost config
I have ran into an issue, changes to the LDAP config for a host are
currently only loaded on startup, not on reload

https://github.com/processone/ejabberd/issues/3181

This should be fixed once
b39a1e2d74
is part of the next release
2020-03-04 13:23:54 +01:00
Greg Karékinian
6fa89b3c25 Switch the ejabberd LDAP setup to a new application account
Needs the new directory structure:

```
dn: cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalRole
cn: users

dn: ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
ou: kosmos.org

dn: ou=5apps.com,cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
description: 5apps
ou: 5apps.com

dn: uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: wiki
userPassword: [snip]

dn: uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: xmpp
userPassword: [snip]

dn: uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: xmpp
userPassword: [snip]

```

And the new ACIs:

```
dn: ou=5apps.com,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)

dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=wiki,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
```

Refs #140
2020-02-21 18:03:58 +01:00
Greg Karékinian
c4fdf1779f Remove the CleanTalk Antispam extension
It is not needed anymore now that registration is closed and only LDAP
accounts can edit or create pages

Closes #130
2020-02-20 14:31:39 +01:00
Greg Karékinian
6f7474b4d1 Update the Mediawiki extensions 2020-02-20 14:30:25 +01:00
Greg Karékinian
90a0e6be9f Enable LDAP on the kosmos.org vhost 2020-02-19 12:30:55 +01:00
Greg Karékinian
276daf0ed7 Switch the Mediawiki config to the new LDAP dir structure
* Use a new read-only account instead of the admin LDAP account
* Disable the LDAPAuthorization plugin. The LDAPAuthentication2 plugin
is still used to authenticate users, but every kosmos.org user has
access to the wiki. See
https://www.mediawiki.org/wiki/Extension:PluggableAuth for the
distinction between authentication and authorization

Refs #127
2020-02-19 12:29:14 +01:00
Greg Karékinian
56adfa37fb Fix a warning in the config
Migrate the web admin to a request handler
2020-02-17 17:26:55 +01:00
Greg Karékinian
0f9b2777a3 Update ejabberd to 19.05
Versions from 19.08 to 20.01 contains a blocking bug in the
reload_config command
(https://github.com/processone/ejabberd/issues/3170)

Closes #134
2020-02-17 17:26:45 +01:00
Greg Karékinian
c2b2b6f08b Fix the vhost template
hosts must be defined in the main config file
2020-02-17 15:04:08 +01:00