kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 30 Pull Requests 3 Projects 2 Activity
1,811 Commits 7 Branches 0 Tags
Commit Graph

112 Commits

Author SHA1 Message Date
Greg Karékinian
eded62a3ec Merge branch 'master' into feature/pg_encfs 2020-06-04 15:13:53 +02:00
Greg Karékinian
27845525da Use the same JWT_SECRET as on our previous Gitea 
A different one breaks 2FA
 2020-06-02 12:12:59 +02:00
Greg Karékinian
51d4d88568 Initial kosmos_gitea cookbook 
The default recipe deploys the gitea binary, generates a config file and
our custom Kosmos label set. The service runs as a Systemd unit.

The pg_db recipe needs to run on the primary PostgreSQL (currently
andromeda).

The backup recipe is empty for now

Refs #147
 2020-05-18 19:39:43 +02:00
Greg Karékinian
d0daa9cee7 Add the encryption password for encfs to the data bag 2020-05-15 18:46:24 +02:00
Greg Karékinian
8d2ab785fc Use a self-signed TLS certificate for PostgreSQL 2020-05-13 19:10:14 +02:00
Greg Karékinian
f3f8e47cce Add replication_password to the postgresql credentials 2020-05-13 15:35:34 +02:00
Sebastian Kippe
cc4c8fb903
Add hubot-kredits Zoom config 2020-04-16 17:52:28 +02:00
Greg Karékinian
d7ad95fb3f Switch the mediawiki LDAP setup to a new application account 
Needs the new directory structure:

```
dn: cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalRole
cn: users

dn: ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
ou: kosmos.org

dn: ou=5apps.com,cn=applications,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
description: 5apps
ou: 5apps.com

dn: uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: wiki
userPassword: [snip]

dn: uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: xmpp
userPassword: [snip]

dn: uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org
objectClass: simpleSecurityObject
objectClass: account
uid: xmpp
userPassword: [snip]
```

And the new ACIs:

```
dn: ou=5apps.com,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=5apps.com,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-5apps-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=5apps.com,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-5apps-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=5apps.com,cn=applications,dc=kosmos,dc=org";)

dn: ou=kosmos.org,cn=users,dc=kosmos,dc=org
changetype: modify
replace: aci
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///cn=wiki,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///cn=xmpp,ou=kosmos.org,cn=users,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || nsRole || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="cn || sn || uid || mail || userPassword || objectClass") (version 3.0; acl "xmpp-kosmos-read-search"; allow (read,search) userdn="ldap:///uid=wiki,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
aci: (target="ldap:///cn=*,ou=kosmos.org,cn=users,dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "xmpp-kosmos-change-password"; allow (write) userdn="ldap:///uid=xmpp,ou=kosmos.org,cn=applications,dc=kosmos,dc=org";)
```

Refs #140
 2020-02-21 18:04:48 +01:00
Greg Karékinian
c4fdf1779f Remove the CleanTalk Antispam extension 
It is not needed anymore now that registration is closed and only LDAP
accounts can edit or create pages

Closes #130
 2020-02-20 14:31:39 +01:00
Greg Karékinian
90a0e6be9f Enable LDAP on the kosmos.org vhost 2020-02-19 12:30:55 +01:00
Greg Karékinian
276daf0ed7 Switch the Mediawiki config to the new LDAP dir structure 
* Use a new read-only account instead of the admin LDAP account
* Disable the LDAPAuthorization plugin. The LDAPAuthentication2 plugin
is still used to authenticate users, but every kosmos.org user has
access to the wiki. See
https://www.mediawiki.org/wiki/Extension:PluggableAuth for the
distinction between authentication and authorization

Refs #127
 2020-02-19 12:29:14 +01:00
Greg Karékinian
dc1226073c Move the admin users to the ejabberd encrypted data bag 2020-02-14 13:56:17 +01:00
Greg Karékinian
49d01991fd Enable LDAP on the XMPP 5apps.com vhost 
Refactor the ejabberd config file to remove hardcoded values about the
vhosts

Refs #123
 2020-02-12 17:40:38 +01:00
Greg Karékinian
dc91128eca Use a custom resource to create a 389 Directory Server instance 
This replaces the default recipe and will make it much easier to create
other types of instances, for example for replication
 2019-11-29 14:34:52 +01:00
Greg Karékinian
9e4685a743 Initial version of the kosmos-dirsrv cookbook 
It sets up 389 Directory Server, including a TLS cert acquired using
Let's Encrypt in production (that requires ldap.kosmos.org pointing to
the server's IP)
 2019-11-15 15:41:30 +01:00
Sebastian Kippe
f8af66a532
Add/fix akkounts credentials 2019-10-18 13:10:43 +02:00
Greg Karékinian
9ecf40e72a Add dummy encrypted data bag secret 
TODO: replace them with the actual secrets
 2019-10-17 14:58:07 +02:00
Sebastian Kippe
070a1d1889
Configure Kredits signup for hal8000_xmpp 2019-09-01 17:15:56 +02:00
Sebastian Kippe
c50c68b50c
Configure hubot/wormhole deployment 
Adding another node.js hubot app. Wormhole is our new IRC/XMPP bridge.
 2019-07-30 09:09:19 +02:00
Greg Karékinian
aa79297387 Remove unused data bags and cookbooks 2019-05-21 14:58:01 +02:00
Greg Karékinian
44faa1a8df Change the PostgreSQL password for the ejabberd user 2019-05-14 11:40:21 +02:00
Sebastian Kippe
36cfeab15d
Remove obsolete credential item 
rs-logger is run by botka, not hal8000.
 2019-05-09 23:44:28 +02:00
Sebastian Kippe
584aab76a7
Add hal8000_xmpp recipe 
Also, configure express ports in attributes, so they are both easy to
see at once, as well as override per node/env.
 2019-05-09 23:44:18 +02:00
Sebastian Kippe
1d98bf14fe
Configure kosmos-github 
closes #35
 2019-04-19 18:45:13 +01:00
Greg Karékinian
126b5f8dd5 Update the kosmos-mastodon cookbook to use the new postgresql cookbook 
Don't depend on the deprecated database cookbook to create the database
 2019-04-10 11:49:26 +02:00
Greg Karékinian
6b9ce81212 Set postgresql password from an encrypted data bag 2019-04-03 11:34:59 +02:00
Greg Karékinian
81c68a9609 Merge branch 'master' into feature/5apps_xmpp_certs 2018-11-08 14:13:09 +01:00
Greg Karékinian
4a42fc4ae3 Merge branch 'master' into feature/25-ipfs_cluster 2018-10-26 16:46:44 +02:00
Greg Karékinian
d236d138dc Set the S3 credentials to write the new oncall file 2018-10-26 13:38:12 +02:00
Greg Karékinian
185649a5f9 Automatically generate a Let's Encrypt cert for all 5apps xmpp domains 
Uses the Gandi LiveDNS API
 2018-09-04 17:38:17 +02:00
Greg Karékinian
7a8042e356 Add initial IPFS Cluster support 
It uses an encrypted data bag to store the cluster secret that has to be
the same on all members of a cluster. It installs ipfs-cluster-service
and ipfs-cluster-ctl and starts the cluster

Refs #25
 2018-08-06 18:05:44 +02:00
Sebastian Kippe
0e974182de Configure botka for web push notifications 2018-05-07 19:34:56 +02:00
Sebastian Kippe
de082101eb Remove UID from all users 
We don't need preconfigure it. This way it won't change the UID of
existing accounts, having to recreate them in the process.
 2018-04-22 12:21:56 +02:00
Sebastian Kippe
69b38552c6 Add vapid keys 2017-07-31 13:00:20 +02:00
Sebastian Kippe
025eb77441 Update some kredits data 2017-05-12 13:46:06 +02:00
Sebastian Kippe
75b2df5c73 Set up Hubot for Kredits 2017-05-12 00:03:45 +02:00
Sebastian Kippe
4f7ee6fd3b Merge branch 'feature/15-parity' into 'master' 
Set up Parity nodes

See merge request !4
 2017-05-11 15:48:24 +00:00
Greg Karékinian
c334c05e6d Add silverbucket user 
Fixes #14
 2017-05-08 17:08:59 +02:00
Greg Karékinian
37ab52902b Use a password attribute in the parity_node resource 
The mainnet and testnet nodes use data from an encrypted data bag

Also fix a bug with the resource (hardcoded "dev" name instead of the
name attribute)
 2017-05-03 19:06:55 +02:00
Greg Karékinian
34653dc7d6 Add GitHub token and deploy a feature branch for now 2017-04-28 10:23:04 +02:00
Greg Karékinian
de11c0d691 Set up an instance of Mastodon for Kosmos 
Refs #19

Use new application cookbook, update our cookbooks
 2017-04-06 21:20:51 +02:00
Greg Karékinian
3ef2b8e5d5 Add our users to the systemd-journal group 
This allows us to autocomplete and see system logs

Fixes #17
 2017-03-19 16:37:54 +00:00
Greg Karékinian
ccaab2f42d Add an Airtable API key 2017-02-14 11:38:53 +01:00
Greg Karékinian
7378908d93 Deploy botka from its own public repo 2016-11-22 16:10:16 +01:00
Greg Karékinian
6b4cb17064 Change basti's key 2016-11-22 11:14:55 +01:00
Greg Karékinian
58fd0f4e71 Add new credentials for xmpp schlupp and update credentials 2016-10-25 15:44:21 +02:00
Greg Karékinian
cb2922b1c9 Add a cookbook to set up an instance of botka on our XMPP server 2016-10-13 15:48:16 +02:00
Greg Karékinian
691a0e5533 Deploy schlupp from new private repo 2016-08-08 13:24:23 +02:00
Greg Karékinian
a4f9dd9c2f Update backup credentials data bag 2016-07-08 13:56:42 +02:00
Greg Karékinian
e1425272c1 Add galfert user 2016-07-01 17:17:13 +02:00