kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 26 Pull Requests 2 Projects 2 Activity

Chef recipes for Kosmos XMPP server #32

Merged
raucao merged 23 commits from feature/7-ejabberd_rebased_2 into master 2019-05-15 08:46:19 +00:00
Conversation 8 Commits 23 Files Changed 23 +1269 -30
23 changed files with 1269 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
data_bags/credentials/postgresql.json
View File

@ -1,23 +1,23 @@
{
"id": "postgresql",
"ejabberd_user_password": {
"encrypted_data": "OTwgFCOLHgoFLsdcHs1U04sJf7ZzVepeDwlNmPMtO8FtyzpfySY9\n",
"iv": "k9wX2WEsJyJn+OYs\n",
"auth_tag": "fL/HNcno/MuWE+yQOFCC3g==\n",
"encrypted_data": "s31aNIv9ZTlU8cVXMDUB79Iv+EozZS1NSZVU5ey9xpBf2WYohpSqni/5Wg==\n",
"iv": "a3LWKNYmUZfSMc1Y\n",
"auth_tag": "3P+WFcDw/R1d983g7YoFUw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"server_password": {
"encrypted_data": "4Y87daXYAxzfYxRIkR8b+DLOp4+dYJnc91hN22iWmOfO3umv8wZU\n",
"iv": "LDeMAKUEIq9oe2Zu\n",
"auth_tag": "uVaRO+t/KSFebrEB6wp+yQ==\n",
"encrypted_data": "w7zghEF+DjUhS59cze+qviqDcy8mQpIgW6olHabas1IH4t0z+IQ7\n",
"iv": "ppqOzJGczWtwGRnX\n",
"auth_tag": "2Lhqw7Rhm35HcltsDtaJIw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"mastodon_user_password": {
"encrypted_data": "s/XxLUwjZsJ/XidEVi50oePBR4OQ0z/3czs9uOcw1fA1c6qqEzb98iHXpw==\n",
"iv": "pKvwLeC05f7P+cke\n",
"auth_tag": "/yHUD+RSCMhLhrnQJAZqrw==\n",
"encrypted_data": "84UPPmtNh/5MH6u4svMPhRHBGK1GFnP4G2tk/a+wQLNxSB8FlDsTuqSC2A==\n",
"iv": "UBl2ILWCc2WKcN6d\n",
"auth_tag": "NF/xcK0tmvbBo1dDFhOf7w==\n",
"version": 3,
"cipher": "aes-256-gcm"
}

4
nodes/andromeda.kosmos.org.json
View File

@ -3,11 +3,13 @@
"role[base]",
"kosmos-base::andromeda_firewall",
"role[ipfs_cluster_with_tls]",
"kosmos-postgresql",
"kosmos-mediawiki",
"sockethub",
"sockethub::proxy",
"kosmos-btcpayserver::proxy",
"role[mastodon]"
"role[mastodon]",
"role[ejabberd]"
],
"automatic": {
"ipaddress": "andromeda.kosmos.org"

7
roles/ejabberd.rb Normal file
View File

@ -0,0 +1,7 @@
name "ejabberd"
run_list %w(
kosmos-ejabberd::default
kosmos-ejabberd::letsencrypt
kosmos-ejabberd::backup
)

3
site-cookbooks/backup/attributes/default.rb
View File

@ -27,7 +27,8 @@ default["backup"]["mysql"]["username"] = "root"
default["backup"]["mysql"]["host"] = "localhost"
# PostgreSQL default settings
default["backup"]["postgresql"]["databases"] = []
default["backup"]["postgresql"]["databases"] = {}
default["backup"]["postgresql"]["username"] = "postgres"
default["backup"]["postgresql"]["host"] = "localhost"
default["backup"]["postgresql"]["port"] = 5432

9
site-cookbooks/backup/templates/default/backup.rb.erb
View File

@ -17,9 +17,14 @@ KosmosBackup.new(:default, 'default backup') do
<%- end -%>
<%- if node["backup"]["postgresql"] -%>
<%- node["backup"]["postgresql"]["databases"].each do |db_name| -%>
database PostgreSQL, :"<%= db_name.to_sym %>" do |db|
<%- node["backup"]["postgresql"]["databases"].each do |db_name, h| -%>
database PostgreSQL, :"<%= db_name %>" do |db|
db.name = "<%= db_name %>"
<%- unless h.nil? -%>
<%- h.each do |k, v| -%>
db.<%= k %> = "<%= v %>"
<%- end -%>
<%- end -%>
end
<%- end -%>
<%- end -%>

6
site-cookbooks/kosmos-base/recipes/andromeda_firewall.rb
View File

@ -26,12 +26,6 @@
# Temporary extra rules for Andromeda
firewall_rule 'ejabberd' do
port [5222, 5269, 5280, 5443]
protocol :tcp
command :allow
end
firewall_rule 'bitcoind' do
port [8333, 8334, 8335]
protocol :tcp

1
site-cookbooks/kosmos-ejabberd/.delivery/project.toml Normal file
View File

@ -0,0 +1 @@
remote_file = "https://raw.githubusercontent.com/chef-cookbooks/community_cookbook_tools/master/delivery/project.toml"

22
site-cookbooks/kosmos-ejabberd/.gitignore vendored Normal file
View File

@ -0,0 +1,22 @@
.vagrant
*~
*#
.#*
\#*#
.*.sw[a-z]
*.un~
# Bundler
Gemfile.lock
gems.locked
bin/*
.bundle/*
# test kitchen
.kitchen/
.kitchen.local.yml
# Chef
Berksfile.lock
.zero-knife.rb
Policyfile.lock.json

23
site-cookbooks/kosmos-ejabberd/.kitchen.yml Normal file
View File

@ -0,0 +1,23 @@
---
driver:
name: vagrant
provisioner:
name: chef_zero
# You may wish to disable always updating cookbooks in CI or other testing environments.
# For example:
# always_update_cookbooks: <%= !ENV['CI'] %>
always_update_cookbooks: true
verifier:
name: inspec
platforms:
- name: ubuntu-16.04
- name: ubuntu-18.04
suites:
- name: default
run_list:
- recipe[kosmos-ejabberd::default]
attributes:

6
site-cookbooks/kosmos-ejabberd/Berksfile Normal file
View File

@ -0,0 +1,6 @@
# frozen_string_literal: true
source 'https://supermarket.chef.io'
source chef_repo: ".."
cookbook "kosmos-postgresql", path: "../kosmos-postgresql"
metadata

11
site-cookbooks/kosmos-ejabberd/CHANGELOG.md Normal file
View File

@ -0,0 +1,11 @@
# kosmos-ejabberd CHANGELOG
This file is used to list changes made in each version of the kosmos-ejabberd cookbook.
# 0.1.0
Initial release.
- change 0
- change 1

20
site-cookbooks/kosmos-ejabberd/LICENSE Normal file
View File

@ -0,0 +1,20 @@
Copyright (c) 2019 Kosmos Developers
Permission is hereby granted, free of charge, to any person obtaining
a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including
without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to
permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

4
site-cookbooks/kosmos-ejabberd/README.md Normal file
View File

@ -0,0 +1,4 @@
# kosmos-ejabberd
Sets up ejabberd with vhosts for kosmos.org (public server) and 5apps.com
(private server).

2
site-cookbooks/kosmos-ejabberd/attributes/default.rb Normal file
View File

@ -0,0 +1,2 @@
node.default["kosmos-ejabberd"]["version"] = "19.02"
node.default["kosmos-ejabberd"]["checksum"] = "aea550c58e61eab04ca9beb8896d8b04f4a79321c21dee160a67ad6787236f51"

104
site-cookbooks/kosmos-ejabberd/chefignore Normal file
View File

@ -0,0 +1,104 @@
# Put files/directories that should be ignored in this file when uploading
# to a chef-server or supermarket.
# Lines that start with '# ' are comments.
# OS generated files #
######################
.DS_Store
Icon?
nohup.out
ehthumbs.db
Thumbs.db
# SASS #
########
.sass-cache
# EDITORS #
###########
\#*
.#*
*~
*.sw[a-z]
*.bak
REVISION
TAGS*
tmtags
*_flymake.*
*_flymake
*.tmproj
.project
.settings
mkmf.log
## COMPILED ##
##############
a.out
*.o
*.pyc
*.so
*.com
*.class
*.dll
*.exe
*/rdoc/
# Testing #
###########
.watchr
.rspec
spec/*
spec/fixtures/*
test/*
features/*
examples/*
Guardfile
Procfile
.kitchen*
kitchen.yml*
.rubocop.yml
spec/*
Rakefile
.travis.yml
.foodcritic
.codeclimate.yml
# SCM #
#######
.git
*/.git
.gitignore
.gitmodules
.gitconfig
.gitattributes
.svn
*/.bzr/*
*/.hg/*
*/.svn/*
# Berkshelf #
#############
Berksfile
Berksfile.lock
cookbooks/*
tmp
# Bundler #
###########
vendor/*
# Policyfile #
##############
Policyfile.rb
Policyfile.lock.json
# Cookbooks #
#############
CONTRIBUTING*
CHANGELOG*
TESTING*
# Vagrant #
###########
.vagrant
Vagrantfile

454
site-cookbooks/kosmos-ejabberd/files/pg.sql Normal file
View File

@ -0,0 +1,454 @@
--
-- ejabberd, Copyright (C) 2002-2019 ProcessOne
--
-- This program is free software; you can redistribute it and/or
-- modify it under the terms of the GNU General Public License as
-- published by the Free Software Foundation; either version 2 of the
-- License, or (at your option) any later version.
--
-- This program is distributed in the hope that it will be useful,
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-- General Public License for more details.
--
-- You should have received a copy of the GNU General Public License along
-- with this program; if not, write to the Free Software Foundation, Inc.,
-- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
--
CREATE TABLE users (
username text PRIMARY KEY,
"password" text NOT NULL,
serverkey text NOT NULL DEFAULT '',
salt text NOT NULL DEFAULT '',
iterationcount integer NOT NULL DEFAULT 0,
created_at TIMESTAMP NOT NULL DEFAULT now()
);
-- Add support for SCRAM auth to a database created before ejabberd 16.03:
-- ALTER TABLE users ADD COLUMN serverkey text NOT NULL DEFAULT '';
-- ALTER TABLE users ADD COLUMN salt text NOT NULL DEFAULT '';
-- ALTER TABLE users ADD COLUMN iterationcount integer NOT NULL DEFAULT 0;
CREATE TABLE last (
username text PRIMARY KEY,
seconds text NOT NULL,
state text NOT NULL
);
CREATE TABLE rosterusers (
username text NOT NULL,
jid text NOT NULL,
nick text NOT NULL,
subscription character(1) NOT NULL,
ask character(1) NOT NULL,
askmessage text NOT NULL,
server character(1) NOT NULL,
subscribe text NOT NULL,
"type" text,
created_at TIMESTAMP NOT NULL DEFAULT now()
);
CREATE UNIQUE INDEX i_rosteru_user_jid ON rosterusers USING btree (username, jid);
CREATE INDEX i_rosteru_username ON rosterusers USING btree (username);
CREATE INDEX i_rosteru_jid ON rosterusers USING btree (jid);
CREATE TABLE rostergroups (
username text NOT NULL,
jid text NOT NULL,
grp text NOT NULL
);
CREATE INDEX pk_rosterg_user_jid ON rostergroups USING btree (username, jid);
CREATE TABLE sr_group (
name text NOT NULL,
opts text NOT NULL,
created_at TIMESTAMP NOT NULL DEFAULT now()
);
CREATE TABLE sr_user (
jid text NOT NULL,
grp text NOT NULL,
created_at TIMESTAMP NOT NULL DEFAULT now()
);
CREATE UNIQUE INDEX i_sr_user_jid_grp ON sr_user USING btree (jid, grp);
CREATE INDEX i_sr_user_jid ON sr_user USING btree (jid);
CREATE INDEX i_sr_user_grp ON sr_user USING btree (grp);
CREATE TABLE spool (
username text NOT NULL,
xml text NOT NULL,
seq SERIAL,
created_at TIMESTAMP NOT NULL DEFAULT now()
);
CREATE INDEX i_despool ON spool USING btree (username);
CREATE TABLE archive (
username text NOT NULL,
timestamp BIGINT NOT NULL,
peer text NOT NULL,
bare_peer text NOT NULL,
xml text NOT NULL,
txt text,
id SERIAL,
kind text,
nick text,
created_at TIMESTAMP NOT NULL DEFAULT now()
);
CREATE INDEX i_username_timestamp ON archive USING btree (username, timestamp);
CREATE INDEX i_username_peer ON archive USING btree (username, peer);
CREATE INDEX i_username_bare_peer ON archive USING btree (username, bare_peer);
CREATE INDEX i_timestamp ON archive USING btree (timestamp);
CREATE TABLE archive_prefs (
username text NOT NULL PRIMARY KEY,
def text NOT NULL,
always text NOT NULL,
never text NOT NULL,
created_at TIMESTAMP NOT NULL DEFAULT now()
);
CREATE TABLE vcard (
username text PRIMARY KEY,
vcard text NOT NULL,
created_at TIMESTAMP NOT NULL DEFAULT now()
);
CREATE TABLE vcard_search (
username text NOT NULL,
lusername text PRIMARY KEY,
fn text NOT NULL,
lfn text NOT NULL,
family text NOT NULL,
lfamily text NOT NULL,
given text NOT NULL,
lgiven text NOT NULL,
middle text NOT NULL,
lmiddle text NOT NULL,
nickname text NOT NULL,
lnickname text NOT NULL,
bday text NOT NULL,
lbday text NOT NULL,
ctry text NOT NULL,
lctry text NOT NULL,
locality text NOT NULL,
llocality text NOT NULL,
email text NOT NULL,
lemail text NOT NULL,
orgname text NOT NULL,
lorgname text NOT NULL,
orgunit text NOT NULL,
lorgunit text NOT NULL
);
CREATE INDEX i_vcard_search_lfn ON vcard_search(lfn);
CREATE INDEX i_vcard_search_lfamily ON vcard_search(lfamily);
CREATE INDEX i_vcard_search_lgiven ON vcard_search(lgiven);
CREATE INDEX i_vcard_search_lmiddle ON vcard_search(lmiddle);
CREATE INDEX i_vcard_search_lnickname ON vcard_search(lnickname);
CREATE INDEX i_vcard_search_lbday ON vcard_search(lbday);
CREATE INDEX i_vcard_search_lctry ON vcard_search(lctry);
CREATE INDEX i_vcard_search_llocality ON vcard_search(llocality);
CREATE INDEX i_vcard_search_lemail ON vcard_search(lemail);
CREATE INDEX i_vcard_search_lorgname ON vcard_search(lorgname);
CREATE INDEX i_vcard_search_lorgunit ON vcard_search(lorgunit);
CREATE TABLE privacy_default_list (
username text PRIMARY KEY,
name text NOT NULL
);
CREATE TABLE privacy_list (
username text NOT NULL,
name text NOT NULL,
id SERIAL UNIQUE,
created_at TIMESTAMP NOT NULL DEFAULT now()
);
CREATE INDEX i_privacy_list_username ON privacy_list USING btree (username);
CREATE UNIQUE INDEX i_privacy_list_username_name ON privacy_list USING btree (username, name);
CREATE TABLE privacy_list_data (
id bigint REFERENCES privacy_list(id) ON DELETE CASCADE,
t character(1) NOT NULL,
value text NOT NULL,
action character(1) NOT NULL,
ord NUMERIC NOT NULL,
match_all boolean NOT NULL,
match_iq boolean NOT NULL,
match_message boolean NOT NULL,
match_presence_in boolean NOT NULL,
match_presence_out boolean NOT NULL
);
CREATE INDEX i_privacy_list_data_id ON privacy_list_data USING btree (id);
CREATE TABLE private_storage (
username text NOT NULL,
namespace text NOT NULL,
data text NOT NULL,
created_at TIMESTAMP NOT NULL DEFAULT now()
);
CREATE INDEX i_private_storage_username ON private_storage USING btree (username);
CREATE UNIQUE INDEX i_private_storage_username_namespace ON private_storage USING btree (username, namespace);
CREATE TABLE roster_version (
username text PRIMARY KEY,
version text NOT NULL
);
-- To update from 0.9.8:
-- CREATE SEQUENCE spool_seq_seq;
-- ALTER TABLE spool ADD COLUMN seq integer;
-- ALTER TABLE spool ALTER COLUMN seq SET DEFAULT nextval('spool_seq_seq');
-- UPDATE spool SET seq = DEFAULT;
-- ALTER TABLE spool ALTER COLUMN seq SET NOT NULL;
-- To update from 1.x:
-- ALTER TABLE rosterusers ADD COLUMN askmessage text;
-- UPDATE rosterusers SET askmessage = '';
-- ALTER TABLE rosterusers ALTER COLUMN askmessage SET NOT NULL;
CREATE TABLE pubsub_node (
host text NOT NULL,
node text NOT NULL,
parent text NOT NULL DEFAULT '',
plugin text NOT NULL,
nodeid SERIAL UNIQUE
);
CREATE INDEX i_pubsub_node_parent ON pubsub_node USING btree (parent);
CREATE UNIQUE INDEX i_pubsub_node_tuple ON pubsub_node USING btree (host, node);
CREATE TABLE pubsub_node_option (
nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE,
name text NOT NULL,
val text NOT NULL
);
CREATE INDEX i_pubsub_node_option_nodeid ON pubsub_node_option USING btree (nodeid);
CREATE TABLE pubsub_node_owner (
nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE,
owner text NOT NULL
);
CREATE INDEX i_pubsub_node_owner_nodeid ON pubsub_node_owner USING btree (nodeid);
CREATE TABLE pubsub_state (
nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE,
jid text NOT NULL,
affiliation character(1),
subscriptions text NOT NULL DEFAULT '',
stateid SERIAL UNIQUE
);
CREATE INDEX i_pubsub_state_jid ON pubsub_state USING btree (jid);
CREATE UNIQUE INDEX i_pubsub_state_tuple ON pubsub_state USING btree (nodeid, jid);
CREATE TABLE pubsub_item (
nodeid bigint REFERENCES pubsub_node(nodeid) ON DELETE CASCADE,
itemid text NOT NULL,
publisher text NOT NULL,
creation varchar(32) NOT NULL,
modification varchar(32) NOT NULL,
payload text NOT NULL DEFAULT ''
);
CREATE INDEX i_pubsub_item_itemid ON pubsub_item USING btree (itemid);
CREATE UNIQUE INDEX i_pubsub_item_tuple ON pubsub_item USING btree (nodeid, itemid);
CREATE TABLE pubsub_subscription_opt (
subid text NOT NULL,
opt_name varchar(32),
opt_value text NOT NULL
);
CREATE UNIQUE INDEX i_pubsub_subscription_opt ON pubsub_subscription_opt USING btree (subid, opt_name);
CREATE TABLE muc_room (
name text NOT NULL,
host text NOT NULL,
opts text NOT NULL,
created_at TIMESTAMP NOT NULL DEFAULT now()
);
CREATE UNIQUE INDEX i_muc_room_name_host ON muc_room USING btree (name, host);
CREATE TABLE muc_registered (
jid text NOT NULL,
host text NOT NULL,
nick text NOT NULL,
created_at TIMESTAMP NOT NULL DEFAULT now()
);
CREATE INDEX i_muc_registered_nick ON muc_registered USING btree (nick);
CREATE UNIQUE INDEX i_muc_registered_jid_host ON muc_registered USING btree (jid, host);
CREATE TABLE muc_online_room (
name text NOT NULL,
host text NOT NULL,
node text NOT NULL,
pid text NOT NULL
);
CREATE UNIQUE INDEX i_muc_online_room_name_host ON muc_online_room USING btree (name, host);
CREATE TABLE muc_online_users (
username text NOT NULL,
server text NOT NULL,
resource text NOT NULL,
name text NOT NULL,
host text NOT NULL,
node text NOT NULL
);
CREATE UNIQUE INDEX i_muc_online_users ON muc_online_users USING btree (username, server, resource, name, host);
CREATE INDEX i_muc_online_users_us ON muc_online_users USING btree (username, server);
CREATE TABLE muc_room_subscribers (
room text NOT NULL,
host text NOT NULL,
jid text NOT NULL,
nick text NOT NULL,
nodes text NOT NULL,
created_at TIMESTAMP NOT NULL DEFAULT now()
);
CREATE INDEX i_muc_room_subscribers_host_jid ON muc_room_subscribers USING btree (host, jid);
CREATE UNIQUE INDEX i_muc_room_subscribers_host_room_jid ON muc_room_subscribers USING btree (host, room, jid);
CREATE TABLE motd (
username text PRIMARY KEY,
xml text,
created_at TIMESTAMP NOT NULL DEFAULT now()
);
CREATE TABLE caps_features (
node text NOT NULL,
subnode text NOT NULL,
feature text,
created_at TIMESTAMP NOT NULL DEFAULT now()
);
CREATE INDEX i_caps_features_node_subnode ON caps_features USING btree (node, subnode);
CREATE TABLE sm (
usec bigint NOT NULL,
pid text NOT NULL,
node text NOT NULL,
username text NOT NULL,
resource text NOT NULL,
priority text NOT NULL,
info text NOT NULL
);
CREATE UNIQUE INDEX i_sm_sid ON sm USING btree (usec, pid);
CREATE INDEX i_sm_node ON sm USING btree (node);
CREATE INDEX i_sm_username ON sm USING btree (username);
CREATE TABLE oauth_token (
token text NOT NULL,
jid text NOT NULL,
scope text NOT NULL,
expire bigint NOT NULL
);
CREATE UNIQUE INDEX i_oauth_token_token ON oauth_token USING btree (token);
CREATE TABLE route (
domain text NOT NULL,
server_host text NOT NULL,
node text NOT NULL,
pid text NOT NULL,
local_hint text NOT NULL
);
CREATE UNIQUE INDEX i_route ON route USING btree (domain, server_host, node, pid);
CREATE INDEX i_route_domain ON route USING btree (domain);
CREATE TABLE bosh (
sid text NOT NULL,
node text NOT NULL,
pid text NOT NULL
);
CREATE UNIQUE INDEX i_bosh_sid ON bosh USING btree (sid);
CREATE TABLE proxy65 (
sid text NOT NULL,
pid_t text NOT NULL,
pid_i text NOT NULL,
node_t text NOT NULL,
node_i text NOT NULL,
jid_i text NOT NULL
);
CREATE UNIQUE INDEX i_proxy65_sid ON proxy65 USING btree (sid);
CREATE INDEX i_proxy65_jid ON proxy65 USING btree (jid_i);
CREATE TABLE push_session (
username text NOT NULL,
timestamp bigint NOT NULL,
service text NOT NULL,
node text NOT NULL,
xml text NOT NULL
);
CREATE UNIQUE INDEX i_push_usn ON push_session USING btree (username, service, node);
CREATE UNIQUE INDEX i_push_ut ON push_session USING btree (username, timestamp);
CREATE TABLE mix_channel (
channel text NOT NULL,
service text NOT NULL,
username text NOT NULL,
domain text NOT NULL,
jid text NOT NULL,
hidden boolean NOT NULL,
hmac_key text NOT NULL,
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
);
CREATE UNIQUE INDEX i_mix_channel ON mix_channel (channel, service);
CREATE INDEX i_mix_channel_serv ON mix_channel (service);
CREATE TABLE mix_participant (
channel text NOT NULL,
service text NOT NULL,
username text NOT NULL,
domain text NOT NULL,
jid text NOT NULL,
id text NOT NULL,
nick text NOT NULL,
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
);
CREATE UNIQUE INDEX i_mix_participant ON mix_participant (channel, service, username, domain);
CREATE INDEX i_mix_participant_chan_serv ON mix_participant (channel, service);
CREATE TABLE mix_subscription (
channel text NOT NULL,
service text NOT NULL,
username text NOT NULL,
domain text NOT NULL,
node text NOT NULL,
jid text NOT NULL
);
CREATE UNIQUE INDEX i_mix_subscription ON mix_subscription (channel, service, username, domain, node);
CREATE INDEX i_mix_subscription_chan_serv_ud ON mix_subscription (channel, service, username, domain);
CREATE INDEX i_mix_subscription_chan_serv_node ON mix_subscription (channel, service, node);
CREATE INDEX i_mix_subscription_chan_serv ON mix_subscription (channel, service);
CREATE TABLE mix_pam (
username text NOT NULL,
channel text NOT NULL,
service text NOT NULL,
id text NOT NULL,
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
);
CREATE UNIQUE INDEX i_mix_pam ON mix_pam (username, channel, service);
CREATE INDEX i_mix_pam_us ON mix_pam (username);

25
site-cookbooks/kosmos-ejabberd/metadata.rb Normal file
View File

@ -0,0 +1,25 @@
name 'kosmos-ejabberd'
maintainer 'Kosmos'
maintainer_email 'ops@kosmos.org'
license 'MIT'
description 'Installs/Configures kosmos-ejabberd'
long_description 'Installs/Configures kosmos-ejabberd'
version '0.1.0'
chef_version '>= 12.14' if respond_to?(:chef_version)
# The `issues_url` points to the location where issues for this cookbook are
# tracked. A `View Issues` link will be displayed on this cookbook's page when
# uploaded to a Supermarket.
#
# issues_url 'https://github.com/<insert_org_here>/kosmos-ejabberd/issues'
# The `source_url` points to the development repository for this cookbook. A
# `View Source` link will be displayed on this cookbook's page when uploaded to
# a Supermarket.
#
# source_url 'https://github.com/<insert_org_here>/kosmos-ejabberd'
depends "kosmos-postgresql"
depends "kosmos-base"
depends "backup"
depends "firewall"

45
site-cookbooks/kosmos-ejabberd/recipes/backup.rb Normal file
View File

@ -0,0 +1,45 @@
#
# Cookbook:: kosmos-ejabberd
# Recipe:: backup
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
unless node.chef_environment == "development"
# backup the data dir and the config files
node.override["backup"]["archives"]["ejabberd"] = ["/opt/ejabberd", "/var/www/xmpp.kosmos.org", "/var/www/xmpp.5apps.com"]
unless node["backup"]["postgresql"]["databases"].keys.include? "ejabberd"
node.override["backup"]["postgresql"]["databases"]["ejabberd"] = {
username: "ejabberd",
password: postgresql_data_bag_item['ejabberd_user_password']
}
end
unless node["backup"]["postgresql"]["databases"].keys.include? "ejabberd_5apps"
node.override["backup"]["postgresql"]["databases"]["ejabberd_5apps"] = {
username: "ejabberd",
password: postgresql_data_bag_item['ejabberd_user_password']
}
end
include_recipe "backup"
end

129
site-cookbooks/kosmos-ejabberd/recipes/default.rb Normal file
View File

@ -0,0 +1,129 @@
#
# Cookbook:: kosmos-ejabberd
# Recipe:: default
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
include_recipe "kosmos-postgresql"
cookbook_file "#{Chef::Config[:file_cache_path]}/pg.sql" do
source "pg.sql"
mode "0664"
end
ejabberd_version = node["kosmos-ejabberd"]["version"]
package_checksum = node["kosmos-ejabberd"]["checksum"]
package_path = "#{Chef::Config['file_cache_path']}/ejabberd_#{ejabberd_version}-0_amd64.deb"
remote_file package_path do
source "https://www.process-one.net/downloads/downloads-action.php?file=/ejabberd/#{ejabberd_version}/ejabberd_#{ejabberd_version}-0_amd64.deb"
checksum package_checksum
notifies :install, "dpkg_package[ejabberd]", :immediately
end
dpkg_package "ejabberd" do
source package_path
version "#{ejabberd_version}-0"
action :nothing
notifies :create, "file[/lib/systemd/system/ejabberd.service]", :immediately
end
postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
postgresql_user 'ejabberd' do
action :create
password postgresql_data_bag_item['ejabberd_user_password']
end
postgresql_database 'ejabberd' do
owner 'ejabberd'
action :create
notifies :run, "execute[create db schema ejabberd]", :delayed
end
postgresql_database 'ejabberd_5apps' do
owner 'ejabberd'
action :create
notifies :run, "execute[create db schema ejabberd_5apps]", :delayed
end
execute "create db schema ejabberd" do
user "ejabberd"
command "psql ejabberd < #{Chef::Config[:file_cache_path]}/pg.sql"
action :nothing
end
execute "create db schema ejabberd_5apps" do
user "ejabberd"
command "psql ejabberd_5apps < #{Chef::Config[:file_cache_path]}/pg.sql"
action :nothing
end
template "/opt/ejabberd/conf/ejabberd.yml" do
source "ejabberd.yml.erb"
mode 0640
sensitive true
variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password']
notifies :run, "execute[ejabberdctl reload_config]", :delayed
end
execute "ejabberdctl reload_config" do
command "/opt/ejabberd-#{ejabberd_version}/bin/ejabberdctl reload_config"
action :nothing
end
file "/etc/init.d/ejabberd" do
action :delete
end
# Copy the systemd service file
file "/lib/systemd/system/ejabberd.service" do
content lazy { IO.read("/opt/ejabberd-#{ejabberd_version}/bin/ejabberd.service") }
action :nothing
notifies :run, "execute[systemctl daemon-reload]", :immediately
notifies :restart, "service[ejabberd]", :delayed
end
execute "systemctl daemon-reload" do
command "systemctl daemon-reload"
action :nothing
end
directory "/var/www/xmpp.kosmos.org/uploads" do
owner "ejabberd"
group "ejabberd"
mode 0750
recursive true
end
service "ejabberd" do
action [:enable, :start]
end
unless node.chef_environment == "development"
firewall_rule 'ejabberd' do
port [5222, 5223, 5269, 5280, 5443]
protocol :tcp
command :allow
end
end

73
site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb Normal file
View File

@ -0,0 +1,73 @@
#
# Cookbook:: kosmos-ejabberd
# Recipe:: letsencrypt
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.
include_recipe "kosmos-base::letsencrypt"
ejabberd_post_hook = <<-EOF
#!/usr/bin/env bash
set -e
# Copy the ejabberd certificate and restart the server if it has been renewed
# This is necessary because the ejabberd user doesn't have access to the
# letsencrypt live folder
for domain in $RENEWED_DOMAINS; do
case $domain in
kosmos.org|5apps.com)
cp "${RENEWED_LINEAGE}/privkey.pem" /opt/ejabberd/conf/$domain.key
cp "${RENEWED_LINEAGE}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
chown ejabberd:ejabberd /opt/ejabberd/conf/$domain.*
chmod 600 /opt/ejabberd/conf/$domain.*
/opt/ejabberd-#{node["kosmos-ejabberd"]["version"]}/bin/ejabberdctl reload_config
;;
esac
done
EOF
file "/etc/letsencrypt/renewal-hooks/post/ejabberd" do
content ejabberd_post_hook
mode 0755
owner "root"
group "root"
end
# Generate a Let's Encrypt cert (only if no cert has been generated before).
# The systemd timer will take care of renewing
execute "letsencrypt cert for kosmos xmpp" do
command "/usr/bin/certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d chat.kosmos.org -d xmpp.kosmos.org -n"
not_if do
File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem")
end
end
# Generate a Let's Encrypt cert (only if no cert has been generated before).
# The systemd timer will take care of renewing
execute "letsencrypt cert for 5apps xmpp" do
command "/usr/bin/certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -n"
not_if do
File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem")
end
end

294
site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb Normal file
View File

@ -0,0 +1,294 @@
loglevel: 4
log_rotate_size: 10485760
log_rotate_date: ""
log_rotate_count: 1
log_rate_limit: 100
hosts:
- "kosmos.org"
- "5apps.com"
host_config:
"kosmos.org":
sql_type: pgsql
sql_server: "localhost"
sql_database: "ejabberd"
sql_username: "ejabberd"
sql_password: "<%= @pgsql_password %>"
"5apps.com":
sql_type: pgsql
sql_server: "localhost"
sql_database: "ejabberd_5apps"
sql_username: "ejabberd"
sql_password: "<%= @pgsql_password %>"
<% if (File.exist?("/opt/ejabberd/conf/kosmos.org.crt") && File.exist?("/opt/ejabberd/conf/kosmos.org.key")) ||
(File.exist?("/opt/ejabberd/conf/5apps.com.crt") && File.exist?("/opt/ejabberd/conf/5apps.com.key")) -%>
certfiles:
<% if File.exist?("/opt/ejabberd/conf/kosmos.org.crt") && File.exist?("/opt/ejabberd/conf/kosmos.org.key") -%>
- "/opt/ejabberd/conf/kosmos.org.crt"
- "/opt/ejabberd/conf/kosmos.org.key"
<% end -%>
<% if File.exist?("/opt/ejabberd/conf/5apps.com.crt") && File.exist?("/opt/ejabberd/conf/5apps.com.key") -%>
- "/opt/ejabberd/conf/5apps.com.crt"
- "/opt/ejabberd/conf/5apps.com.key"
<% end -%>
<% end -%>
ca_file: "/opt/ejabberd/conf/cacert.pem"
define_macro:
'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
'TLS_OPTIONS':
- "no_sslv3"
- "cipher_server_preference"
- "no_compression"
'DH_FILE': "/opt/ejabberd/conf/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 2048
c2s_dhfile: 'DH_FILE'
s2s_dhfile: 'DH_FILE'
c2s_ciphers: 'TLS_CIPHERS'
s2s_ciphers: 'TLS_CIPHERS'
c2s_protocol_options: 'TLS_OPTIONS'
s2s_protocol_options: 'TLS_OPTIONS'
listen:
-
port: 5222
ip: "::"
module: ejabberd_c2s
starttls: true
max_stanza_size: 65536
shaper: c2s_shaper
access: c2s
-
port: 5223
ip: "::"
module: ejabberd_c2s
tls: true
max_stanza_size: 65536
shaper: c2s_shaper
access: c2s
-
port: 5269
ip: "::"
module: ejabberd_s2s_in
max_stanza_size: 131072
shaper: s2s_shaper
-
port: 5443
ip: "::"
module: ejabberd_http
request_handlers:
"/ws": ejabberd_http_ws
"/bosh": mod_bosh
"/api": mod_http_api
"/upload": mod_http_upload
custom_headers:
"Access-Control-Allow-Origin": "*"
"Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT"
"Access-Control-Allow-Headers": "Authorization"
"Access-Control-Allow-Credentials": "true"
tls: true
## "/pub/archive": mod_http_fileserver
web_admin: true
## register: true
captcha: false
s2s_use_starttls: optional
auth_password_format: scram
auth_method: sql
default_db: sql
shaper:
normal: 1000
fast: 50000
max_fsm_queue: 10000
acl:
admin:
user:
- "greg@5apps.com"
- "sebastian@5apps.com"
- "garret@5apps.com"
- "raucao@kosmos.org"
- "greg@kosmos.org"
- "galfert@kosmos.org"
local:
user_regexp: ""
loopback:
ip:
- "127.0.0.0/8"
- "::1/128"
- "::FFFF:127.0.0.1/128"
shaper_rules:
max_user_sessions: 10
max_user_offline_messages:
- 5000: admin
- 100
c2s_shaper:
- none: admin
- normal
s2s_shaper: fast
access_rules:
local:
- allow: local
c2s:
- deny: blocked
- allow
announce:
- allow: admin
configure:
- allow: admin
muc_create:
- allow: admin
- allow: local
pubsub_createnode:
- allow: local
register:
- allow
trusted_network:
- allow: loopback
api_permissions:
"console commands":
from:
- ejabberd_ctl
who: all
what: "*"
"admin access":
who:
- access:
- allow:
- acl: loopback
- acl: admin
- oauth:
- scope: "ejabberd:admin"
- access:
- allow:
- acl: loopback
- acl: admin
what:
- "*"
- "!stop"
- "!start"
"public commands":
who:
- ip: "127.0.0.1/8"
what:
- "status"
- "connected_users_number"
language: "en"
modules:
mod_adhoc: {}
mod_admin_extra: {}
mod_announce: # recommends mod_adhoc
access: announce
mod_blocking: {} # requires mod_privacy
mod_caps: {}
mod_carboncopy: {}
mod_client_state: {}
mod_configure: {} # requires mod_adhoc
mod_disco:
server_info:
-
modules: all
name: "abuse-addresses"
urls: ["mailto:abuse@@HOST@"]
mod_bosh: {}
mod_http_upload:
docroot: "/var/www/xmpp.@HOST@/uploads/"
put_url: "https://xmpp.@HOST@:5443/upload"
thumbnail: false # otherwise needs the identify command from ImageMagick installed
mod_last: {}
mod_mam:
default: always
request_activates_archiving: true
mod_muc_admin: {}
mod_offline:
access_max_user_messages: max_user_offline_messages
mod_ping: {}
mod_privacy: {}
mod_private: {}
mod_proxy65: {}
mod_pubsub:
access_createnode: pubsub_createnode
ignore_pep_from_offline: false
last_item_cache: false
max_items_node: 10
plugins:
- "flat"
- "pep" # pep requires mod_caps
mod_push: {}
mod_push_keepalive: {}
mod_register:
welcome_message:
subject: "Welcome!"
body: |-
Hi.
Welcome to this XMPP server.
ip_access: trusted_network
access: register
mod_roster:
versioning: true
store_current_id: true
mod_shared_roster: {}
mod_vcard:
search: false
mod_vcard_xupdate: {}
mod_avatar: {}
mod_version: {}
mod_stream_mgmt: {}
mod_s2s_dialback: {}
mod_http_api: {}
append_host_config:
"5apps.com":
modules:
mod_muc:
host: "muc.@HOST@"
access:
- allow: local
access_admin:
- allow: admin
access_create: muc_create
access_persistent: muc_create
max_user_conferences: 1000
default_room_options:
anonymous: false
public: true
members_only: true
public_list: false
persistent: true
mam: true
"kosmos.org":
modules:
mod_muc:
host: "chat.@HOST@"
access:
- allow
access_admin:
- allow: admin
access_create: muc_create
access_persistent: muc_create
max_user_conferences: 1000
default_room_options:
mam: true
allow_contrib_modules: true
### Local Variables:
### mode: yaml
### End:
### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker:

23
site-cookbooks/kosmos-ejabberd/test/integration/default/serverspec/default_spec.rb Normal file
View File

@ -0,0 +1,23 @@
require 'serverspec'
# Required by serverspec
set :backend, :exec
describe 'ejabberd' do
describe package('ejabberd') do
it { should be_installed }
end
it 'is listening on port 5222 (client-to-server)' do
expect(port(5222)).to be_listening
end
it 'is listening on port 5269 (server-to-server)' do
expect(port(5269)).to be_listening
end
it 'runs the ejabberd service' do
expect(service('ejabberd')).to be_running
expect(service('ejabberd')).to be_enabled
end
end

16
site-cookbooks/kosmos-mastodon/recipes/default.rb
View File

@ -209,17 +209,11 @@ end
#
unless node.chef_environment == "development"
node.override["backup"]["postgresql"]["host"] = "localhost"
unless platform?('ubuntu') && node[:platform_version].to_f < 18.04
node.override["backup"]["postgresql"]["username"] = "mastodon"
node.override["backup"]["postgresql"]["password"] = postgresql_data_bag_item['mastodon_user_password']
else
node.override["backup"]["postgresql"]["username"] = "postgres"
node.override["backup"]["postgresql"]["password"] = node['postgresql']['password']['postgres']
end
unless node["backup"]["postgresql"]["databases"].include? 'mastodon'
node.override["backup"]["postgresql"]["databases"] =
node["backup"]["postgresql"]["databases"].to_a << "mastodon"
unless node["backup"]["postgresql"]["databases"].keys.include? 'mastodon'
node.override["backup"]["postgresql"]["databases"]["mastodon"] = {
username: "mastodon",
password: postgresql_data_bag_item['mastodon_user_password']
}
end
include_recipe "backup"