2020-11-25 16:10:14 +00:00
13 changed files with 102 additions and 20 deletions
--- a/clients/ejabberd-1.json
+++ b/clients/ejabberd-1.json
@ -0,0 +1,4 @@
+{
+  "name": "ejabberd-1",
+  "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtoVmQAEmmAWjjzi5X8Ia\n9sl2aH8Lh0AsckM0aE3hvw9lGfbNCPpYWrr0uh7R6/+13Z0OghrT3yDAZ+XfH39Y\nuGomazTzSMMOEofjepo+nXSgq4meFfX5vobYG7rpBdz1EsIT1bElHduItA2zsw9J\nFpXtGd4BjumMq1VykSTA+QaEE8byes/+groQTtXPqXf5gJMxyGlh4SU0MzmkGHaW\n8c9BPCQrV0CMiuGOGJ5mZ28HajbvSg3+bpgwThh3M5uQaQ6on1N2pvJuBypUySS6\nyc4TauocUcUsULYXq9wM8/rqDYsUah0PR0WSiOi90m5thGeBchFAmhdCvrS34FlR\nVQIDAQAB\n-----END PUBLIC KEY-----\n"
+}
--- a/data_bags/credentials/ejabberd.json
+++ b/data_bags/credentials/ejabberd.json
@ -27,5 +27,12 @@
    "auth_tag": "yWRLb22JwJjjoK6Wdr1ujg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
+  },
+  "erlang_cookie": {
+    "encrypted_data": "UDCzEWgVLH0z33Exx5G+OjUXw1odz4xO8qRLXODo5jBzMQdyYQCd\n",
+    "iv": "mm+fYYceD1nPsuo1\n",
+    "auth_tag": "77un6mkgrHAmnBQhrhpPfQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
  }
-}
+}
--- a/nodes/ejabberd-1.json
+++ b/nodes/ejabberd-1.json
@ -0,0 +1,62 @@
+{
+  "name": "ejabberd-1",
+  "normal": {
+    "knife_zero": {
+      "host": "10.147.20.166"
+    }
+  },
+  "automatic": {
+    "fqdn": "ejabberd-1",
+    "os": "linux",
+    "os_version": "5.4.0-54-generic",
+    "hostname": "ejabberd-1",
+    "ipaddress": "192.168.122.62",
+    "roles": [
+      "ejabberd",
+      "postgresql_client"
+    ],
+    "recipes": [
+      "kosmos-base",
+      "kosmos-base::default",
+      "kosmos-ejabberd",
+      "kosmos-ejabberd::default",
+      "kosmos-ejabberd::letsencrypt",
+      "kosmos-ejabberd::backup",
+      "apt::default",
+      "timezone_iii::default",
+      "timezone_iii::debian",
+      "ntp::default",
+      "ntp::apparmor",
+      "kosmos-base::systemd_emails",
+      "apt::unattended-upgrades",
+      "kosmos-base::firewall",
+      "kosmos-postfix::default",
+      "postfix::default",
+      "postfix::_common",
+      "postfix::_attributes",
+      "postfix::sasl_auth",
+      "hostname::default",
+      "tor-full::default",
+      "kosmos-base::letsencrypt",
+      "backup::default",
+      "logrotate::default"
+    ],
+    "platform": "ubuntu",
+    "platform_version": "20.04",
+    "cloud": null,
+    "chef_packages": {
+      "chef": {
+        "version": "15.14.0",
+        "chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.14.0/lib"
+      },
+      "ohai": {
+        "version": "15.12.0",
+        "ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai"
+      }
+    }
+  },
+  "run_list": [
+    "recipe[kosmos-base]",
+    "role[ejabberd]"
+  ]
+}
--- a/roles/ejabberd.rb
+++ b/roles/ejabberd.rb
@ -12,7 +12,7 @@ production_run_list = %w(
  kosmos-ejabberd::backup
 )
 env_run_lists(
-  'production' => production_run_list,
  'development' => default_run_list,
-  '_default' => default_run_list
+  'production' => production_run_list,
+  '_default' => production_run_list
 )
--- a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
@ -63,14 +63,6 @@ systemctl reload nginx
  group "root"
 end

-# gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
-
-# TODO only write to machines that actually need it (e.g. via role)
-# template "/root/gandi_dns_certbot_hook.sh" do
-#   variables gandi_api_key: gandi_api_data_bag_item["key"]
-#   mode 0770
-# end
-
 # include_recipe 'kosmos-base::systemd_emails'

 # TODO Check the deployed certs expiration dates instead of overwriting supplied systemd services
--- a/site-cookbooks/kosmos-dirsrv/resources/instance.rb
+++ b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
@ -164,7 +164,7 @@ done
    # Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
    # has been generated before. The renew cron will take care of renewing
    execute "letsencrypt cert for #{new_resource.hostname}" do
-      command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path /var/www/#{new_resource.hostname} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{new_resource.hostname} -n"
+      command "certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{new_resource.hostname} -n"
      only_if do
        ::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{new_resource.hostname}_certbot") &&
          !::File.exist?("/etc/letsencrypt/live/#{new_resource.hostname}/fullchain.pem")
--- a/site-cookbooks/kosmos-ejabberd/attributes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/attributes/default.rb
@ -1,7 +1,7 @@
 node.default["kosmos-ejabberd"]["version"] = "20.04"
 node.default["kosmos-ejabberd"]["checksum"] = "5377ff18960a399e661fa23f4a1d9f57c78d4579ed108c52b8f68e7cd9268868"
-node.default["kosmos-ejabberd"]["turn_min_port"] = 49152
-node.default["kosmos-ejabberd"]["turn_max_port"] = 59152
+node.default["kosmos-ejabberd"]["turn_min_port"] = 50000
+node.default["kosmos-ejabberd"]["turn_max_port"] = 55000

 node.override["tor"]["HiddenServices"]["ejabberd"] = {
  "HiddenServicePorts" => [
--- a/site-cookbooks/kosmos-ejabberd/metadata.rb
+++ b/site-cookbooks/kosmos-ejabberd/metadata.rb
@ -22,6 +22,7 @@ chef_version '>= 12.14' if respond_to?(:chef_version)
 depends "kosmos-base"
 depends "kosmos-postgresql"
 depends "kosmos-nginx"
+depends "kosmos-dirsrv"
 depends "backup"
 depends "firewall"
 depends "tor-full"
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@ -43,6 +43,13 @@ dpkg_package "ejabberd" do
  notifies :create, "file[/lib/systemd/system/ejabberd.service]", :immediately
 end

+file "/opt/ejabberd/.erlang.cookie" do
+  mode "0400"
+  owner "ejabberd"
+  group "ejabberd"
+  content ejabberd_credentials['erlang_cookie']
+end
+
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')

 hosts = [
@ -191,20 +198,20 @@ end

 unless node.chef_environment == "development"
  firewall_rule 'ejabberd' do
-    port     [5222, 5223, 5269, 5280, 5443]
+    port     [5222, 5223, 5269, 5443]
    protocol :tcp
    command  :allow
  end

  firewall_rule 'ejabberd_stun_turn' do
    port     3478
-    protocol :udp
+    protocol :tcp
    command  :allow
  end

  firewall_rule 'ejabberd_turn' do
    port     node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
-    protocol :udp
+    protocol :tcp
    command  :allow
  end
 end
--- a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
@ -54,10 +54,17 @@ file "/etc/letsencrypt/renewal-hooks/post/ejabberd" do
  group "root"
 end

+gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
+
+template "/root/gandi_dns_certbot_hook.sh" do
+  variables gandi_api_key: gandi_api_data_bag_item["key"]
+  mode 0770
+end
+
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
 execute "letsencrypt cert for kosmos xmpp" do
-  command "/usr/bin/certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d kosmos.chat -n"
+  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d kosmos.chat -d uploads.xmpp.kosmos.org -n"
  not_if do
    File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem")
  end
@ -66,7 +73,7 @@ end
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
 execute "letsencrypt cert for 5apps xmpp" do
-  command "/usr/bin/certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -n"
+  command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
  not_if do
    File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem")
  end
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
@ -76,7 +76,7 @@ listen:
    captcha: false
  -
    port: 3478
-    transport: udp
+    transport: tcp
    module: ejabberd_stun
    auth_realm: <%= @stun_auth_realm %>
    use_turn: true
--- a/site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb
+++ b/site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb
--- a/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
@ -1,4 +1,6 @@
 # Generated by Chef for <%= @host[:name] %>
+# FIXME: The files only exist after the certbot hook created them, meaning
+# we need to run Chef a second time
 <% if File.exist?("/opt/ejabberd/conf/#{@host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{@host[:name]}.key") -%>
 certfiles:
  - "/opt/ejabberd/conf/<%= @host[:name] %>.crt"