kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 30 Pull Requests 3 Projects 2 Activity

Enable ejabberd clustering #246

Merged
raucao merged 9 commits from feature/243-ejabberd_cluster into master 2020-11-25 16:10:14 +00:00
Conversation 1 Commits 9 Files Changed 13 +102 -20
13 changed files with 102 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
clients/ejabberd-1.json Normal file
View File

@ -0,0 +1,4 @@
{
"name": "ejabberd-1",
"public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtoVmQAEmmAWjjzi5X8Ia\n9sl2aH8Lh0AsckM0aE3hvw9lGfbNCPpYWrr0uh7R6/+13Z0OghrT3yDAZ+XfH39Y\nuGomazTzSMMOEofjepo+nXSgq4meFfX5vobYG7rpBdz1EsIT1bElHduItA2zsw9J\nFpXtGd4BjumMq1VykSTA+QaEE8byes/+groQTtXPqXf5gJMxyGlh4SU0MzmkGHaW\n8c9BPCQrV0CMiuGOGJ5mZ28HajbvSg3+bpgwThh3M5uQaQ6on1N2pvJuBypUySS6\nyc4TauocUcUsULYXq9wM8/rqDYsUah0PR0WSiOi90m5thGeBchFAmhdCvrS34FlR\nVQIDAQAB\n-----END PUBLIC KEY-----\n"
}

9
data_bags/credentials/ejabberd.json
View File

@ -27,5 +27,12 @@
"auth_tag": "yWRLb22JwJjjoK6Wdr1ujg==\n", "auth_tag": "yWRLb22JwJjjoK6Wdr1ujg==\n",
"version": 3, "version": 3,
"cipher": "aes-256-gcm" "cipher": "aes-256-gcm"
},
"erlang_cookie": {
"encrypted_data": "UDCzEWgVLH0z33Exx5G+OjUXw1odz4xO8qRLXODo5jBzMQdyYQCd\n",
"iv": "mm+fYYceD1nPsuo1\n",
"auth_tag": "77un6mkgrHAmnBQhrhpPfQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
} }
} }

62
nodes/ejabberd-1.json Normal file
View File

@ -0,0 +1,62 @@
{
"name": "ejabberd-1",
"normal": {
"knife_zero": {
"host": "10.147.20.166"
}
},
"automatic": {
"fqdn": "ejabberd-1",
"os": "linux",
"os_version": "5.4.0-54-generic",
"hostname": "ejabberd-1",
"ipaddress": "192.168.122.62",
"roles": [
"ejabberd",
"postgresql_client"
],
"recipes": [
"kosmos-base",
"kosmos-base::default",
"kosmos-ejabberd",
"kosmos-ejabberd::default",
"kosmos-ejabberd::letsencrypt",
"kosmos-ejabberd::backup",
"apt::default",
"timezone_iii::default",
"timezone_iii::debian",
"ntp::default",
"ntp::apparmor",
"kosmos-base::systemd_emails",
"apt::unattended-upgrades",
"kosmos-base::firewall",
"kosmos-postfix::default",
"postfix::default",
"postfix::_common",
"postfix::_attributes",
"postfix::sasl_auth",
"hostname::default",
"tor-full::default",
"kosmos-base::letsencrypt",
"backup::default",
"logrotate::default"
],
"platform": "ubuntu",
"platform_version": "20.04",
"cloud": null,
"chef_packages": {
"chef": {
"version": "15.14.0",
"chef_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/chef-15.14.0/lib"
},
"ohai": {
"version": "15.12.0",
"ohai_root": "/opt/chef/embedded/lib/ruby/gems/2.6.0/gems/ohai-15.12.0/lib/ohai"
}
}
},
"run_list": [
"recipe[kosmos-base]",
"role[ejabberd]"
]
}

4
roles/ejabberd.rb
View File

@ -12,7 +12,7 @@ production_run_list = %w(
kosmos-ejabberd::backup kosmos-ejabberd::backup
) )
env_run_lists( env_run_lists(
'production' => production_run_list,
'development' => default_run_list, 'development' => default_run_list,
'_default' => default_run_list 'production' => production_run_list,
'_default' => production_run_list
) )

8
site-cookbooks/kosmos-base/recipes/letsencrypt.rb
View File

@ -63,14 +63,6 @@ systemctl reload nginx
group "root" group "root"
end end
# gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
# TODO only write to machines that actually need it (e.g. via role)
# template "/root/gandi_dns_certbot_hook.sh" do
# variables gandi_api_key: gandi_api_data_bag_item["key"]
# mode 0770
# end
# include_recipe 'kosmos-base::systemd_emails' # include_recipe 'kosmos-base::systemd_emails'
# TODO Check the deployed certs expiration dates instead of overwriting supplied systemd services # TODO Check the deployed certs expiration dates instead of overwriting supplied systemd services

2
site-cookbooks/kosmos-dirsrv/resources/instance.rb
View File

@ -164,7 +164,7 @@ done
# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert # Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
# has been generated before. The renew cron will take care of renewing # has been generated before. The renew cron will take care of renewing
execute "letsencrypt cert for #{new_resource.hostname}" do execute "letsencrypt cert for #{new_resource.hostname}" do
command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path /var/www/#{new_resource.hostname} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{new_resource.hostname} -n" command "certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{new_resource.hostname} -n"
only_if do only_if do
::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{new_resource.hostname}_certbot") && ::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{new_resource.hostname}_certbot") &&
!::File.exist?("/etc/letsencrypt/live/#{new_resource.hostname}/fullchain.pem") !::File.exist?("/etc/letsencrypt/live/#{new_resource.hostname}/fullchain.pem")

4
site-cookbooks/kosmos-ejabberd/attributes/default.rb
View File

@ -1,7 +1,7 @@
node.default["kosmos-ejabberd"]["version"] = "20.04" node.default["kosmos-ejabberd"]["version"] = "20.04"
node.default["kosmos-ejabberd"]["checksum"] = "5377ff18960a399e661fa23f4a1d9f57c78d4579ed108c52b8f68e7cd9268868" node.default["kosmos-ejabberd"]["checksum"] = "5377ff18960a399e661fa23f4a1d9f57c78d4579ed108c52b8f68e7cd9268868"
node.default["kosmos-ejabberd"]["turn_min_port"] = 49152 node.default["kosmos-ejabberd"]["turn_min_port"] = 50000
node.default["kosmos-ejabberd"]["turn_max_port"] = 59152 node.default["kosmos-ejabberd"]["turn_max_port"] = 55000
node.override["tor"]["HiddenServices"]["ejabberd"] = { node.override["tor"]["HiddenServices"]["ejabberd"] = {
"HiddenServicePorts" => [ "HiddenServicePorts" => [

1
site-cookbooks/kosmos-ejabberd/metadata.rb
View File

@ -22,6 +22,7 @@ chef_version '>= 12.14' if respond_to?(:chef_version)
depends "kosmos-base" depends "kosmos-base"
depends "kosmos-postgresql" depends "kosmos-postgresql"
depends "kosmos-nginx" depends "kosmos-nginx"
depends "kosmos-dirsrv"
depends "backup" depends "backup"
depends "firewall" depends "firewall"
depends "tor-full" depends "tor-full"

13
site-cookbooks/kosmos-ejabberd/recipes/default.rb
View File

@ -43,6 +43,13 @@ dpkg_package "ejabberd" do
notifies :create, "file[/lib/systemd/system/ejabberd.service]", :immediately notifies :create, "file[/lib/systemd/system/ejabberd.service]", :immediately
end end
file "/opt/ejabberd/.erlang.cookie" do
mode "0400"
owner "ejabberd"
group "ejabberd"
content ejabberd_credentials['erlang_cookie']
end
postgresql_data_bag_item = data_bag_item('credentials', 'postgresql') postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
hosts = [ hosts = [
@ -191,20 +198,20 @@ end
unless node.chef_environment == "development" unless node.chef_environment == "development"
firewall_rule 'ejabberd' do firewall_rule 'ejabberd' do
port [5222, 5223, 5269, 5280, 5443] port [5222, 5223, 5269, 5443]
protocol :tcp protocol :tcp
command :allow command :allow
end end
firewall_rule 'ejabberd_stun_turn' do firewall_rule 'ejabberd_stun_turn' do
port 3478 port 3478
protocol :udp protocol :tcp
command :allow command :allow
end end
firewall_rule 'ejabberd_turn' do firewall_rule 'ejabberd_turn' do
port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"] port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
protocol :udp protocol :tcp
command :allow command :allow
end end
end end

11
site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
View File

@ -54,10 +54,17 @@ file "/etc/letsencrypt/renewal-hooks/post/ejabberd" do
group "root" group "root"
end end
gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
template "/root/gandi_dns_certbot_hook.sh" do
variables gandi_api_key: gandi_api_data_bag_item["key"]
mode 0770
end
# Generate a Let's Encrypt cert (only if no cert has been generated before). # Generate a Let's Encrypt cert (only if no cert has been generated before).
# The systemd timer will take care of renewing # The systemd timer will take care of renewing
execute "letsencrypt cert for kosmos xmpp" do execute "letsencrypt cert for kosmos xmpp" do
command "/usr/bin/certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d kosmos.chat -n" command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d kosmos.chat -d uploads.xmpp.kosmos.org -n"
not_if do not_if do
File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem") File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem")
end end
@ -66,7 +73,7 @@ end
# Generate a Let's Encrypt cert (only if no cert has been generated before). # Generate a Let's Encrypt cert (only if no cert has been generated before).
# The systemd timer will take care of renewing # The systemd timer will take care of renewing
execute "letsencrypt cert for 5apps xmpp" do execute "letsencrypt cert for 5apps xmpp" do
command "/usr/bin/certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -n" command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
not_if do not_if do
File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem") File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem")
end end

2
site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
View File

@ -76,7 +76,7 @@ listen:
captcha: false captcha: false
- -
port: 3478 port: 3478
transport: udp transport: tcp
module: ejabberd_stun module: ejabberd_stun
auth_realm: <%= @stun_auth_realm %> auth_realm: <%= @stun_auth_realm %>
use_turn: true use_turn: true

0
site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb → site-cookbooks/kosmos-ejabberd/templates/gandi_dns_certbot_hook.sh.erb
View File

2
site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
View File

@ -1,4 +1,6 @@
# Generated by Chef for <%= @host[:name] %> # Generated by Chef for <%= @host[:name] %>
# FIXME: The files only exist after the certbot hook created them, meaning
# we need to run Chef a second time
<% if File.exist?("/opt/ejabberd/conf/#{@host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{@host[:name]}.key") -%> <% if File.exist?("/opt/ejabberd/conf/#{@host[:name]}.crt") && File.exist?("/opt/ejabberd/conf/#{@host[:name]}.key") -%>
certfiles: certfiles:
- "/opt/ejabberd/conf/<%= @host[:name] %>.crt" - "/opt/ejabberd/conf/<%= @host[:name] %>.crt"