diff --git a/clients/ejabberd-1.json b/clients/ejabberd-1.json
new file mode 100644
index 0000000..1d6a89b
--- /dev/null
+++ b/clients/ejabberd-1.json
@@ -0,0 +1,4 @@
+{
+ "name": "ejabberd-1",
+ "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtoVmQAEmmAWjjzi5X8Ia\n9sl2aH8Lh0AsckM0aE3hvw9lGfbNCPpYWrr0uh7R6/+13Z0OghrT3yDAZ+XfH39Y\nuGomazTzSMMOEofjepo+nXSgq4meFfX5vobYG7rpBdz1EsIT1bElHduItA2zsw9J\nFpXtGd4BjumMq1VykSTA+QaEE8byes/+groQTtXPqXf5gJMxyGlh4SU0MzmkGHaW\n8c9BPCQrV0CMiuGOGJ5mZ28HajbvSg3+bpgwThh3M5uQaQ6on1N2pvJuBypUySS6\nyc4TauocUcUsULYXq9wM8/rqDYsUah0PR0WSiOi90m5thGeBchFAmhdCvrS34FlR\nVQIDAQAB\n-----END PUBLIC KEY-----\n"
+}
\ No newline at end of file
diff --git a/data_bags/credentials/ejabberd.json b/data_bags/credentials/ejabberd.json
index 5c0c89c..cb2d066 100644
--- a/data_bags/credentials/ejabberd.json
+++ b/data_bags/credentials/ejabberd.json
@@ -27,5 +27,12 @@
 "auth_tag": "yWRLb22JwJjjoK6Wdr1ujg==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
+ },
+ "erlang_cookie": {
+ "encrypted_data": "UDCzEWgVLH0z33Exx5G+OjUXw1odz4xO8qRLXODo5jBzMQdyYQCd\n",
+ "iv": "mm+fYYceD1nPsuo1\n",
+ "auth_tag": "77un6mkgrHAmnBQhrhpPfQ==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
 }
-}
\ No newline at end of file
+}
diff --git a/nodes/ejabberd-1.json b/nodes/ejabberd-1.json
new file mode 100644
index 0000000..c7d54b7
--- /dev/null
+++ b/nodes/ejabberd-1.json
@@ -0,0 +1,62 @@ +{ + "name": "ejabberd-1", + "normal": { + "knife_zero": { + "host": "10.147.20.166" + } + }, + "automatic": { + "fqdn": "ejabberd-1", + "os": "linux", + "os_version": "5.4.0-54-generic", + "hostname": "ejabberd-1", + "ipaddress": "192.168.122.62", + "roles": [ + "ejabberd", + "postgresql_client" + ], + "recipes": [ + "kosmos-base", + "kosmos-base::default", + "kosmos-ejabberd", + "kosmos-ejabberd::default", + "kosmos-ejabberd::letsencrypt", + "kosmos-ejabberd::backup", + "apt::default", + "timezone_iii::default", + "timezone_iii::debian", + "ntp::default", + "ntp::apparmor", + "kosmos-base::systemd_emails", + "apt::unattended-upgrades", + "kosmos-base::firewall", + "kosmos-postfix::default", + "postfix::default", + "postfix::_common", + "postfix::_attributes", + "postfix::sasl_auth", + "hostname::default", + "tor-full::default", + "kosmos-base::letsencrypt", + "backup::default", + "logrotate::default" + ], + "platform": "ubuntu", + "platform_version": "20.04", + "cloud": null, + "chef_packages": { + "chef": { + "version": "15.14.0", + "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.14.0/lib" + }, + "ohai": { + "version": "15.12.0", + "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai" + } + } + }, + "run_list": [ + "recipe[kosmos-base]", + "role[ejabberd]" + ] +} \ No newline at end of file diff --git a/roles/ejabberd.rb b/roles/ejabberd.rb index 561ca33..824fd67 100644 --- a/roles/ejabberd.rb +++ b/roles/ejabberd.rb @@ -12,7 +12,7 @@ production_run_list = %w( kosmos-ejabberd::backup ) env_run_lists( - 'production' => production_run_list, 'development' => default_run_list, - '_default' => default_run_list + 'production' => production_run_list, + '_default' => production_run_list ) diff --git a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb index ac5016e..d047bba 100644 --- a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb 
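Review bot: Removing the `'development'` key from `env_run_lists` makes development nodes fall through to `_default`, which this hunk now points at `production_run_list`, so the role no longer distinguishes that environment at all; `default_run_list` (presumably defined above the hunk) is left unreferenced unless something else uses it. If every environment is meant to run the production list, the `default_run_list` definition can go too; otherwise restore `'development' => default_run_list`. Note that kosmos-ejabberd/recipes/default.rb still keys on `node.chef_environment == "development"` to skip its firewall rules, so a development node would now get the full production run list minus those rules.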
+++ b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb @@ -63,14 +63,6 @@ systemctl reload nginx group "root" end -# gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps') - -# TODO only write to machines that actually need it (e.g. via role) -# template "/root/gandi_dns_certbot_hook.sh" do -# variables gandi_api_key: gandi_api_data_bag_item["key"] -# mode 0770 -# end - # include_recipe 'kosmos-base::systemd_emails' # TODO Check the deployed certs expiration dates instead of overwriting supplied systemd services diff --git a/site-cookbooks/kosmos-dirsrv/resources/instance.rb b/site-cookbooks/kosmos-dirsrv/resources/instance.rb index 7b99f9e..55aafc4 100644 --- a/site-cookbooks/kosmos-dirsrv/resources/instance.rb +++ b/site-cookbooks/kosmos-dirsrv/resources/instance.rb @@ -164,7 +164,7 @@ done # Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert # has been generated before. The renew cron will take care of renewing execute "letsencrypt cert for #{new_resource.hostname}" do - command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path /var/www/#{new_resource.hostname} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{new_resource.hostname} -n" + command "certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{new_resource.hostname} -n" only_if do ::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{new_resource.hostname}_certbot") && !::File.exist?("/etc/letsencrypt/live/#{new_resource.hostname}/fullchain.pem") diff --git a/site-cookbooks/kosmos-ejabberd/attributes/default.rb b/site-cookbooks/kosmos-ejabberd/attributes/default.rb index 9a91622..fa4e89f 100644 --- a/site-cookbooks/kosmos-ejabberd/attributes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/attributes/default.rb 
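Review bot: `command "certbot certonly ..."` now resolves the binary through the PATH of the chef-client process instead of a fixed path, and chef-client does not sanitize PATH by default, so a run started from cron or a systemd unit may see a different PATH than the shell the change was tested in; if `/usr/bin/certbot` was dropped because the binary now lives elsewhere, pin that location or set `environment "PATH" => "<path-containing-certbot>"` on the `execute` resource so the resolution is explicit. The same `/usr/bin/certbot` → `certbot` change is made in both `execute` resources of kosmos-ejabberd/recipes/letsencrypt.rb. `root_directory` is not defined in this hunk, and the `execute` block's closing `end` lies outside it.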
@@ -1,7 +1,7 @@ node.default["kosmos-ejabberd"]["version"] = "20.04" node.default["kosmos-ejabberd"]["checksum"] = "5377ff18960a399e661fa23f4a1d9f57c78d4579ed108c52b8f68e7cd9268868" -node.default["kosmos-ejabberd"]["turn_min_port"] = 49152 -node.default["kosmos-ejabberd"]["turn_max_port"] = 59152 +node.default["kosmos-ejabberd"]["turn_min_port"] = 50000 +node.default["kosmos-ejabberd"]["turn_max_port"] = 55000 node.override["tor"]["HiddenServices"]["ejabberd"] = { "HiddenServicePorts" => [ diff --git a/site-cookbooks/kosmos-ejabberd/metadata.rb b/site-cookbooks/kosmos-ejabberd/metadata.rb index 4cf04db..6e90702 100644 --- a/site-cookbooks/kosmos-ejabberd/metadata.rb +++ b/site-cookbooks/kosmos-ejabberd/metadata.rb @@ -22,6 +22,7 @@ chef_version '>= 12.14' if respond_to?(:chef_version) depends "kosmos-base" depends "kosmos-postgresql" depends "kosmos-nginx" +depends "kosmos-dirsrv" depends "backup" depends "firewall" depends "tor-full" diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb index bc3a132..aabb097 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb @@ -43,6 +43,13 @@ dpkg_package "ejabberd" do notifies :create, "file[/lib/systemd/system/ejabberd.service]", :immediately end +file "/opt/ejabberd/.erlang.cookie" do + mode "0400" + owner "ejabberd" + group "ejabberd" + content ejabberd_credentials['erlang_cookie'] +end + postgresql_data_bag_item = data_bag_item('credentials', 'postgresql') hosts = [ 
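Review bot: The new `file "/opt/ejabberd/.erlang.cookie"` resource writes a secret but is not marked sensitive, so whenever its content changes chef-client prints the old/new content diff in its output and logs; add `sensitive true` next to `mode "0400"`. Nothing in the hunk restarts ejabberd when the cookie changes, so a rotated cookie would only take effect on the next unrelated restart; if that matters, add a `notifies :restart` to the ejabberd service resource (not in view here). `ejabberd_credentials` is defined outside the hunk, presumably the decrypted data bag item that the data_bags change in this commit extends with `erlang_cookie`.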
@@ -191,20 +198,20 @@ end unless node.chef_environment == "development" firewall_rule 'ejabberd' do - port [5222, 5223, 5269, 5280, 5443] + port [5222, 5223, 5269, 5443] protocol :tcp command :allow end firewall_rule 'ejabberd_stun_turn' do port 3478 - protocol :udp + protocol :tcp command :allow end firewall_rule 'ejabberd_turn' do port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"] - protocol :udp + protocol :tcp command :allow end end diff --git a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb index bfff01b..6b29885 100644 --- a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb +++ b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb 
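Review bot: `firewall_rule 'ejabberd_turn'` switches the `turn_min_port..turn_max_port` range to `protocol :tcp`, but as far as I know ejabberd allocates that range for UDP relay ports regardless of the listener transport, so this rule would stop admitting relayed media; keep `protocol :udp` for that rule (adding a second rule if TCP is also wanted). The `transport: tcp` listener change in templates/ejabberd.yml.erb and the 3478 rule are consistent with each other, but a TCP-only STUN/TURN listener gives no answer to clients that only attempt UDP STUN, which is worth confirming against the intended client set. Dropping 5280 from the TCP list is fine only if no HTTP listener remains bound to it; that listener configuration is not in view.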
@@ -54,10 +54,17 @@ file "/etc/letsencrypt/renewal-hooks/post/ejabberd" do group "root" end +gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps') + +template "/root/gandi_dns_certbot_hook.sh" do + variables gandi_api_key: gandi_api_data_bag_item["key"] + mode 0770 +end + # Generate a Let's Encrypt cert (only if no cert has been generated before). # The systemd timer will take care of renewing execute "letsencrypt cert for kosmos xmpp" do - command "/usr/bin/certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d kosmos.chat -n" + command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d kosmos.chat -d uploads.xmpp.kosmos.org -n" not_if do File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem") end 
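Review bot: `template "/root/gandi_dns_certbot_hook.sh"` renders the Gandi API key into a script with `mode 0770` and no `owner`/`group`, and without `sensitive true` the rendered content, key included, is printed in chef-client diffs whenever it changes; tighten it to `mode "0700"`, `owner "root"`, `group "root"` and add `sensitive true`. Separately, adding `-d uploads.xmpp.kosmos.org` to the `certbot certonly` command does not re-issue the certificate on a node that already has `/etc/letsencrypt/live/kosmos.org/fullchain.pem`, because the `not_if` guard only tests for that file; either extend the guard to check that the existing certificate's SANs cover every requested name (certbot's `--expand` then lets the command add names), or document that the cert must be re-issued by hand after the name list changes. The same guard gap applies to the `-d uploads.xmpp.5apps.com` hunk below, and both commands now resolve `certbot` via PATH rather than `/usr/bin/certbot`.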
@@ -66,7 +73,7 @@ end # Generate a Let's Encrypt cert (only if no cert has been generated before). # The systemd timer will take care of renewing execute "letsencrypt cert for 5apps xmpp" do - command "/usr/bin/certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -n" + command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n" not_if do File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem") end diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb index 7889b20..0c82cc1 100644 --- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb +++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb @@ -76,7 +76,7 @@ listen: captcha: false - port: 3478 - transport: udp + transport: tcp module: ejabberd_stun auth_realm: <%= @stun_auth_realm %> use_turn: true diff --git a/site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb b/site-cookbooks/kosmos-ejabberd/templates/gandi_dns_certbot_hook.sh.erb similarity index 100% rename from site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb rename to site-cookbooks/kosmos-ejabberd/templates/gandi_dns_certbot_hook.sh.erb diff --git a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb index eb6c943..77fe955 100644 
--- a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
@@ -1,4 +1,6 @@
 # Generated by Chef for <%= @host[:name] %>
+# FIXME: The files only exist after the certbot hook created them, meaning
+# we need to run Chef a second time
 <% if File.exist?("/opt/ejabberd/conf/#{@host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{@host[:name]}.key") -%>
 certfiles:
 - "/opt/ejabberd/conf/<%= @host[:name] %>.crt"