Add API permissions for akkounts VMs

Using the zerotier IP, which is the same as the knife-zero host.

nodes/akkounts-1.json

@@ -68,7 +68,6 @@
   },
   "run_list": [
     "recipe[kosmos-base]",
-    "recipe[kosmos-akkounts::default]",
-    "recipe[kosmos-akkounts::nginx]"
+    "role[akkounts]"
   ]
-}
+}

roles/akkounts.rb

@@ -0,0 +1,12 @@
+name "akkounts"
+
+default_run_list = %w(
+  kosmos-akkounts::default
+  kosmos-akkounts::nginx
+)
+
+env_run_lists(
+  '_default' => default_run_list,
+  'development' => default_run_list,
+  'production' => default_run_list
+)

site-cookbooks/kosmos-ejabberd/recipes/default.rb

@@ -169,6 +169,11 @@ hosts.each do |host|
   end
 end
 
+akkounts_ip_addresses = []
+search(:node, "role:akkounts").each do |node|
+  akkounts_ip_addresses << node["knife_zero"]["host"]
+end
+
 template "/opt/ejabberd/conf/ejabberd.yml" do
   source    "ejabberd.yml.erb"
   mode      0640
@@ -178,7 +183,8 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
             stun_auth_realm: "kosmos.org",
             turn_ip_address: node['ipaddress'],
             turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
-            turn_max_port: node["kosmos-ejabberd"]["turn_max_port"]
+            turn_max_port: node["kosmos-ejabberd"]["turn_max_port"],
+            akkounts_ip_addresses: akkounts_ip_addresses
   notifies :run, "execute[ejabberdctl reload_config]", :delayed
 end
 

site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb

@@ -174,6 +174,14 @@ api_permissions:
     what:
       - "status"
       - "connected_users_number"
+  "akkounts":
+    who:
+<% @akkounts_ip_addresses.each do |ip| -%>
+      - ip: "<%= ip %>/8"
+<% end -%>
+    what:
+      - "add_rosteritem"
+      - "delete_rosteritem"
 
 language: "en"