Use the new postgresql_primary role on andromeda

Was missing a couple of necessary properties, and is now using an
explicit port range for TURN, and opening those ports in UFW.

nodes/andromeda.kosmos.org.json

@@ -19,11 +19,12 @@
   "automatic": {
     "fqdn": "andromeda.kosmos.org",
     "os": "linux",
-    "os_version": "4.15.0-74-generic",
+    "os_version": "4.15.0-96-generic",
     "hostname": "andromeda",
     "ipaddress": "46.4.18.160",
     "roles": [
       "base",
+      "postgresql_primary",
       "mastodon",
       "ejabberd"
     ],
@@ -73,7 +74,6 @@
       "nginx::commons_dir",
       "nginx::commons_script",
       "nginx::commons_conf",
-      "build-essential::default",
       "ark::default",
       "composer::default",
       "composer::install",
@@ -107,7 +107,8 @@
       "tor-full::default",
       "kosmos-base::letsencrypt",
       "git::default",
-      "git::package"
+      "git::package",
+      "build-essential::default"
     ],
     "platform": "ubuntu",
     "platform_version": "18.04",
@@ -128,7 +129,7 @@
     "recipe[kosmos-base::andromeda_firewall]",
     "recipe[kosmos-ipfs]",
     "recipe[kosmos-ipfs::public_gateway]",
-    "recipe[kosmos-postgresql]",
+    "role[postgresql_primary]",
     "recipe[kosmos-mediawiki]",
     "recipe[kosmos-btcpayserver::proxy]",
     "role[mastodon]",

site-cookbooks/kosmos-ejabberd/attributes/default.rb

@@ -1,5 +1,7 @@
 node.default["kosmos-ejabberd"]["version"] = "20.04"
 node.default["kosmos-ejabberd"]["checksum"] = "5377ff18960a399e661fa23f4a1d9f57c78d4579ed108c52b8f68e7cd9268868"
+node.default["kosmos-ejabberd"]["turn_min_port"] = 49152
+node.default["kosmos-ejabberd"]["turn_max_port"] = 59152
 
 node.override["tor"]["HiddenServices"]["ejabberd"] = {
   "HiddenServicePorts" => [

site-cookbooks/kosmos-ejabberd/recipes/default.rb

@@ -154,7 +154,11 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
   sensitive true
   variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password'],
             hosts: hosts,
-            admin_users: admin_users
+            admin_users: admin_users,
+            stun_auth_realm: "kosmos.org",
+            turn_ip_address: node['ipaddress'],
+            turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
+            turn_max_port: node["kosmos-ejabberd"]["turn_max_port"]
   notifies :run, "execute[ejabberdctl reload_config]", :delayed
 end
 
@@ -206,6 +210,12 @@ unless node.chef_environment == "development"
     protocol :udp
     command  :allow
   end
+
+  firewall_rule 'ejabberd_turn' do
+    port     node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
+    protocol :udp
+    command  :allow
+  end
 end
 
 #

site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb

@@ -78,9 +78,11 @@ listen:
     port: 3478
     transport: udp
     module: ejabberd_stun
+    auth_realm: <%= @stun_auth_realm %>
     use_turn: true
-    ## The server's public IPv4 address:
+    turn_ip: <%= @turn_ip_address %>
-    # turn_ip: 203.0.113.3
+    turn_min_port: <%= @turn_min_port %>
+    turn_max_port: <%= @turn_max_port %>
 
 s2s_use_starttls: optional
 

site-cookbooks/kosmos-postgresql/recipes/default.rb

@@ -29,7 +29,6 @@ postgresql_service = "postgresql@#{postgresql_version}-main"
 
 postgresql_custom_server postgresql_version do
   role "primary"
-  tls true unless node.chef_environment == "development"
 end
 
 service postgresql_service do

site-cookbooks/kosmos-postgresql/recipes/replica.rb

@@ -29,7 +29,6 @@ postgresql_service = "postgresql@#{postgresql_version}-main"
 
 postgresql_custom_server postgresql_version do
   role "replica"
-  tls true unless node.chef_environment == "development"
 end
 
 service postgresql_service do