Compare commits
2 Commits
438ee4ace0
...
0f12a54eab
| Author | SHA1 | Date | |
|---|---|---|---|
|
0f12a54eab
|
||
|
|
68b56789c5
|
@ -1,9 +1,9 @@
|
||||
{
|
||||
"id": "tor",
|
||||
"services": {
|
||||
"encrypted_data": "GjdhL4Hgm7mrwU47e2GfotqgRSuiN+0Q19X45EWkdwbIojDfeWXwzOYFFJQK\nAWidVWKM0rdjBXkamZwbJJm8wzDi+1YFBSfE/q4NXY3Zg4JnBulMaBr4xrRn\nYbmSiRIPe0XMpwT3WbuBatZTe6EMGJJEZPgkfIcg7WjhjEnFY9xRSjrOSJGp\nBzcL1cKc+y2JyQZlpKtFK947g15EEytHWg3BdwkIvm4H+J8faM2y56lsfX8E\nG1dw9i3CKqjF2hDKe2V9yIOBji1P2Nh0Z7e3kLGhF5Nx4xfEdCHXAOQ/+vyt\nJf3pka0VQ9TsnWlkR+9CwtD9iLTnNOvO9wfHx0GuVRaR6QhMYDF2gd/9G8Zp\nQDlfJSEioETnwLwcPV7eBZ+Vso+N56J+fHHlGK3vEZSxegqNU2siLl26yZe+\nTrhKbiynLoM1290RgTNjsvMSaVLQobB5Fwpn+B01vvbIGGZ9XZWAvuCi8GmR\n",
|
||||
"iv": "rj5lIBWPovDtMtnh\n",
|
||||
"auth_tag": "2K55wQOY6FAWpKgskMx7xw==\n",
|
||||
"encrypted_data": "CvvJlXfs1KhAveBJ/IdTGa19F/bREnr7DCCuw3CiZ8D04gdn4Yw6WbGwvqhR\nahv5hUvvHTQS/YUxdXE3joTp9MyZ3DK5PbR8sOCWVfylG9YYOJD8nUhxQLA9\nMKU75j5v1K2pAZ4qLkG9HNUPWV4SYWgGY5ok9GzlhCd/g0NGaqZBFyARDxLu\n+diFg9bz2FfELfcgz0m9abbCZDKJkEozVyU+VgXMge0hU52GUrlQnYZe/c43\ngBavOScolmwv7ej7mKmpJMRvNXNSx1avjS/8tQP68KZGBTEbUYisRHKVKWpA\ngBZR/5oGlcn3gLt25xTWRv/GaH+pUfqwKCpjd1vhpEqhK7poDXQUm9mDB3bG\nzLQUwPhJ8gmD9nl+8t3fmKiPPFdaKapOtSpsCTutkzlmGwwo3bhQsYjcD+5U\nqDoHR5UjDwADszjUiRV3/iNHojXCEic0u1RFCNsojYNwP718grVnUcx+U/50\n5A2vgahLG89tmY7DN2padd0xgHM8SkZVGga8DGQNWAPzo12DEJWbtcIwR6gd\nbyOwdPDVvUibBhyGMbBwyfzoFMsS//fulq4xJpoQH1yd9Hd/05YlMJSuP2TW\nLpVBTq5rEA4EAVIVgTMfkkP2nHAeEeCfLkaV8fURKTonaX0g8b5vcPzkpv0F\nVPNeGEBs3tRaIe0dm5eN21HD2lpHyiSKOZwidQH/NAZWB/IK73LGExjd+GnP\ndnqGBQ1wWsYGaM/UQTxbCn+p0QDlJVUWKGgfimjn5ru7le3dZmkCyAB28gLz\nJgXoAAZz3+E+nhdnLeBKkVTLFGzZyNxMlSt33T1QlpCSgCMvzF9kVmzmoexm\nvEtsZrWHvIHN9EVVCC8KgkGyTkmFnTM48BGyGM2ovjLYsOeeef5tqUd6noBi\nJxfYbUIySXtuSXr7pIAE1+Qzp8duRdjaJ0CYbYWf\n",
|
||||
"iv": "qtzvl79A/PZc5JjE\n",
|
||||
"auth_tag": "QXY8QZigLC4nVMIELoZRUA==\n",
|
||||
"version": 3,
|
||||
"cipher": "aes-256-gcm"
|
||||
}
|
||||
|
||||
@ -45,6 +45,7 @@
|
||||
"kosmos_assets::nginx_site",
|
||||
"kosmos_discourse::nginx",
|
||||
"kosmos_drone::nginx",
|
||||
"kosmos-ejabberd::nginx",
|
||||
"kosmos_garage::nginx_web",
|
||||
"kosmos_gitea::nginx",
|
||||
"kosmos_gitea::nginx_ssh",
|
||||
|
||||
@ -4,13 +4,6 @@ override_attributes(
|
||||
'openresty' => {
|
||||
'server_names_hash_bucket_size' => 128
|
||||
},
|
||||
'tor' => {
|
||||
'HiddenServices' => {
|
||||
'web' => {
|
||||
'HiddenServicePorts' => ['80 127.0.0.1:80', '443 127.0.0.1:443']
|
||||
}
|
||||
}
|
||||
}
|
||||
)
|
||||
|
||||
development_run_list = %w(
|
||||
@ -20,7 +13,6 @@ development_run_list = %w(
|
||||
|
||||
default_run_list = %w(
|
||||
role[openresty]
|
||||
kosmos-ejabberd::nginx
|
||||
)
|
||||
|
||||
production_run_list = %w(
|
||||
@ -29,6 +21,7 @@ production_run_list = %w(
|
||||
kosmos_assets::nginx_site
|
||||
kosmos_discourse::nginx
|
||||
kosmos_drone::nginx
|
||||
kosmos-ejabberd::nginx
|
||||
kosmos_garage::nginx_web
|
||||
kosmos_gitea::nginx
|
||||
kosmos_gitea::nginx_ssh
|
||||
|
||||
@ -5,6 +5,17 @@
|
||||
|
||||
tor_services = data_bag_item('credentials', 'tor')['services']
|
||||
|
||||
tor_service "ejabberd" do
|
||||
hostname tor_services['ejabberd']['hostname']
|
||||
public_key tor_services['ejabberd']['public_key']
|
||||
secret_key tor_services['ejabberd']['secret_key']
|
||||
# TODO configure IP from node attribute
|
||||
# (This is hardcoded for draco atm)
|
||||
ports [ "5222 148.251.237.73:5222",
|
||||
"5223 148.251.237.73:5223",
|
||||
"5269 148.251.237.73:5269" ]
|
||||
end
|
||||
|
||||
tor_service "web" do
|
||||
hostname tor_services['web']['hostname']
|
||||
public_key tor_services['web']['public_key']
|
||||
|
||||
@ -5,8 +5,8 @@ provides :tor_service
|
||||
|
||||
property :name, [String], name_property: true
|
||||
property :hostname, [String], required: true
|
||||
property :public_key, [String], required: true
|
||||
property :secret_key, [String], required: true
|
||||
property :public_key, [String], required: true # base64 encoded content of generated key file
|
||||
property :secret_key, [String], required: true # base64 encoded content of generated key file
|
||||
property :ports, [Array], required: true
|
||||
|
||||
default_action :create
|
||||
|
||||
@ -6,14 +6,6 @@ node.default["kosmos-ejabberd"]["stun_turn_port"] = 3478
|
||||
node.default["kosmos-ejabberd"]["turn_min_port"] = 50000
|
||||
node.default["kosmos-ejabberd"]["turn_max_port"] = 50050
|
||||
|
||||
node.override["tor"]["HiddenServices"]["ejabberd"] = {
|
||||
"HiddenServicePorts" => [
|
||||
"5222 127.0.0.1:5222",
|
||||
"5223 127.0.0.1:5223",
|
||||
"5269 127.0.0.1:5269"
|
||||
]
|
||||
}
|
||||
|
||||
node.default["kosmos-ejabberd"]["uploads"] = {
|
||||
"domain" => "uploads.kosmos.chat",
|
||||
"max_upload_size_mb" => "100",
|
||||
|
||||
@ -205,10 +205,3 @@ firewall_rule 'ejabberd_http' do
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
|
||||
#
|
||||
# Tor hidden service
|
||||
#
|
||||
# The attributes for the hidden service are set in attributes/default.rb, due
|
||||
# to the way the tor-full cookbook builds the path to the hidden service dir
|
||||
include_recipe "tor-full"
|
||||
|
||||
@ -17,28 +17,15 @@ rescue IPAddr::InvalidAddressError
|
||||
next
|
||||
end
|
||||
|
||||
template "#{node['nginx']['dir']}/streams-available/ejabberd" do
|
||||
source "nginx_conf_streams.erb"
|
||||
owner 'www-data'
|
||||
mode 0640
|
||||
# variables ejabberd_hosts: ejabberd_hosts
|
||||
openresty_stream "ejabberd" do
|
||||
template "nginx_conf_streams.erb"
|
||||
variables ejabberd_hosts: ["10.1.1.113"],
|
||||
stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
|
||||
turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
|
||||
turn_max_port: node["kosmos-ejabberd"]["turn_max_port"]
|
||||
notifies :reload, 'service[nginx]', :delayed
|
||||
end
|
||||
|
||||
nginx_stream "ejabberd" do
|
||||
action :enable
|
||||
end
|
||||
|
||||
firewall_rule "ejabberd" do
|
||||
port [5222, 5223, 5269, 5443]
|
||||
protocol :tcp
|
||||
command :allow
|
||||
end
|
||||
|
||||
firewall_rule 'ejabberd_stun_turn' do
|
||||
port node["kosmos-ejabberd"]["stun_turn_port"]
|
||||
protocol :udp
|
||||
|
||||
@ -5,34 +5,6 @@ log_format proxy '$remote_addr [$time_local] '
|
||||
|
||||
access_log /var/log/nginx/streams.log proxy buffer=32k flush=1m;
|
||||
|
||||
upstream ejabberd_c2s {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
server <%= ip_address %>:5222;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
upstream ejabberd_c2s_tls {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
server <%= ip_address %>:5223;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
upstream ejabberd_s2s {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
server <%= ip_address %>:5269;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
upstream ejabberd_https {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
server <%= ip_address %>:5443;
|
||||
<% end %>
|
||||
}
|
||||
|
||||
upstream ejabberd_stun_turn {
|
||||
hash $remote_addr consistent;
|
||||
<% @ejabberd_hosts.each do |ip_address| %>
|
||||
@ -50,36 +22,12 @@ upstream ejabberd_turn {
|
||||
}
|
||||
|
||||
server {
|
||||
listen 5222;
|
||||
proxy_protocol on;
|
||||
proxy_pass ejabberd_c2s;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 5223;
|
||||
proxy_protocol on;
|
||||
proxy_pass ejabberd_c2s;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 5269;
|
||||
proxy_protocol on;
|
||||
proxy_pass ejabberd_s2s;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 5443;
|
||||
proxy_protocol on;
|
||||
proxy_pass ejabberd_https;
|
||||
}
|
||||
|
||||
server {
|
||||
listen <%= @stun_turn_port %> udp;
|
||||
listen <%= @stun_turn_port %> udp;
|
||||
proxy_pass ejabberd_stun_turn;
|
||||
}
|
||||
|
||||
server {
|
||||
listen <%= "#{@turn_min_port}-#{@turn_max_port}" %> udp;
|
||||
listen <%= "#{@turn_min_port}-#{@turn_max_port}" %> udp;
|
||||
proxy_pass 10.1.1.113:$server_port;
|
||||
#proxy_pass ejabberd_turn;
|
||||
}
|
||||
|
||||
@ -85,7 +85,7 @@ ruby_block "read-hostnames" do
|
||||
block do
|
||||
# Set generated hostname for hidden services
|
||||
node['tor']['HiddenServices'].each do |name, service|
|
||||
path = File.join(service['HiddenServiceDir'], "/hostname")
|
||||
path = "/var/lib/tor/#{name}/hostname"
|
||||
node.normal['tor']['HiddenServices'][name]['hostname'] = File.read(path).strip()
|
||||
end
|
||||
end
|
||||
@ -96,10 +96,6 @@ template '/etc/tor/torrc' do
|
||||
source 'torrc.erb'
|
||||
notifies :restart, 'service[tor]', :immediately
|
||||
notifies :run, "ruby_block[read-hostnames]"
|
||||
# Set default HiddenServiceDir
|
||||
node['tor']['HiddenServices'].each do |name, service|
|
||||
node.default['tor']['HiddenServices'][name]['HiddenServiceDir'] = File.join("/var/lib/tor/", name, "/")
|
||||
end
|
||||
end
|
||||
|
||||
# Install exit policy notice
|
||||
|
||||
@ -88,7 +88,7 @@ DataDirectory <%= node['tor']['DataDirectory'] %>
|
||||
#HiddenServicePort 22 127.0.0.1:22
|
||||
<% node['tor']['HiddenServices'].each do |name, service| -%>
|
||||
|
||||
HiddenServiceDir <%= service['HiddenServiceDir'] %>
|
||||
HiddenServiceDir /var/lib/tor/<%= name %>/
|
||||
<% service['HiddenServicePorts'].each do |port| -%>
|
||||
HiddenServicePort <%= port %>
|
||||
<% end -%>
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user