diff --git a/data_bags/credentials/ejabberd.json b/data_bags/credentials/ejabberd.json
index 3ef7052..f27ed88 100644
--- a/data_bags/credentials/ejabberd.json
+++ b/data_bags/credentials/ejabberd.json
@@ -1,37 +1,44 @@
 {
 "id": "ejabberd",
 "5apps_ldap_password": {
- "encrypted_data": "+sg4xj4nVTepvCOQ+Nupln+Ni2zkpxEHyJxj8IQqug==\n",
- "iv": "38KjEZZbI9rNfsA1\n",
- "auth_tag": "O3onB3RmxU09fBsQO9h5OA==\n",
+ "encrypted_data": "3o0jv/jKAIVR/FcyLH5JfDlbqsEYC1LnN2qK25b47Q==\n",
+ "iv": "6YTMw9vMiDANQDVP\n",
+ "auth_tag": "hIfhn4fHcuV34TLt0o4BLg==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "kosmos_ldap_password": {
- "encrypted_data": "GFTIbthhsiVnkRk8C8cqvyBTCnSQ7JgqM1djR63BYg==\n",
- "iv": "07hmbipcLzslZT81\n",
- "auth_tag": "yCSwv9oI/eDY5ATXn5oFmQ==\n",
+ "encrypted_data": "3DuaEKmfnBycnPHtOPX59i1Iu2MiDsUv2NhHMLVRVA==\n",
+ "iv": "XC2igt4I4qNNgCYD\n",
+ "auth_tag": "cRKNVa+dgIeKtMJbV26fMQ==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "uploads_secret": {
- "encrypted_data": "QMY6QnL/hxGAxG4hQBFSsM7sRR3izZO62EjZAIV2F165\n",
- "iv": "Swez2eH4b11G/exT\n",
- "auth_tag": "zKsX7IYoMKPOmdGxZcfMPQ==\n",
+ "encrypted_data": "Hsa0CNxtxgSeqcConNMINdNHnq8Nb4FTokRg3yZB2Fw5\n",
+ "iv": "fWjiwhJ7NZIvUHyt\n",
+ "auth_tag": "BS7TfOFSLeozLtuD6pRr6g==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "admins": {
- "encrypted_data": "NMmjCdV3H/cg3G2/gToqxj0iq1UpOBwjaK8eya46doNOC77AlOdV5uPTJvqI\nJYmy31RUFPtjQUfCsidPpsbdx3k6sQjiPSRZDEA9u6S35w9hNBXHz1PLCDKb\nCfEtwM30xhmcDSFEllpXFE+0Bh1lUF/cHFt9/z5ZjSPYKSQg5cM2h89nMScJ\n",
- "iv": "9TlJYq79eQy6T1l/\n",
- "auth_tag": "E8KMY1uIVWtnAFmdiP1R5g==\n",
+ "encrypted_data": "5Nr8AHUFlFCjjG/OtLXcJIfvAF0MLbiGYgmG3ck8Da+duGMLz35Kh/BT4ZCd\nOK/7ID35whjRm0CbaanzfffDiTaa8Bo/DI+2rZDdaFyiaOeGvOXv21YwC7IT\nIZkH6pphbxzR86kfxtPB9bqhkA7rq9toCU1TU3TCXlNG6flR0c02j6t3Nwu7\n",
+ "iv": "vFjSjzaEiZJB4lAo\n",
+ "auth_tag": "3DEcFQSC1H7q/o9EiAwS3A==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 },
 "erlang_cookie": {
- "encrypted_data": "YKCUrV/vEH2zWXlZJWIQkYhK+uwBaHvSpYmdVQwQgQTxege7HtTs\n",
- "iv": "c7SINIqy8p+yMlQ+\n",
- "auth_tag": "b7OyWy3QFaQLENmiNqaFPg==\n",
+ "encrypted_data": "+W8iX2Ye1QL6Tqy4J5DyBIQ8oPEaIWONV1tsoTEZT+YjqqTfFgqo\n",
+ "iv": "2fYgOBtGmqFTFddy\n",
+ "auth_tag": "6tfWx9FA/oD7c4THW7cQlQ==\n",
+ "version": 3,
+ "cipher": "aes-256-gcm"
+ },
+ "stun_secret": {
+ "encrypted_data": "bgLeWgPdI3LQTlxZI2Wcn2/NY+zyumxUPJUFqUrZn7MEEXQOl1Dd2W0Vzks=\n",
+ "iv": "xevLfSR+wqEk5jVw\n",
+ "auth_tag": "7Jvcaq2UlLJVIX7TqSX2OQ==\n",
 "version": 3,
 "cipher": "aes-256-gcm"
 }
diff --git a/nodes/fornax.kosmos.org.json b/nodes/fornax.kosmos.org.json
index e4965b7..f8bb746 100644
--- a/nodes/fornax.kosmos.org.json
+++ b/nodes/fornax.kosmos.org.json
@@ -24,6 +24,7 @@
 "kosmos_gitea::nginx",
 "kosmos_website",
 "kosmos_website::default",
+ "kosmos-ejabberd::nginx",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
diff --git a/roles/nginx_proxy.rb b/roles/nginx_proxy.rb
index 8b428e2..0bed71a 100644
--- a/roles/nginx_proxy.rb
+++ b/roles/nginx_proxy.rb
@@ -6,6 +6,7 @@ default_run_list = %w(
 kosmos_drone::nginx
 kosmos_gitea::nginx
 kosmos_website::default
+ kosmos-ejabberd::nginx
 )
 
 env_run_lists(
diff --git a/site-cookbooks/kosmos-ejabberd/attributes/default.rb b/site-cookbooks/kosmos-ejabberd/attributes/default.rb
index e4e6bf9..8efada3 100644
--- a/site-cookbooks/kosmos-ejabberd/attributes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/attributes/default.rb
@@ -1,7 +1,9 @@
 node.default["kosmos-ejabberd"]["version"] = "20.12"
 node.default["kosmos-ejabberd"]["checksum"] = "3d2a4e9d1aa2d189017f4f310eff4d0b6c6d7cd911209cfbcca7b0ec5b577b65"
+node.default["kosmos-ejabberd"]["turn_ip_address"] = "148.251.83.201"
+node.default["kosmos-ejabberd"]["stun_turn_port"] = 3478
 node.default["kosmos-ejabberd"]["turn_min_port"] = 50000
-node.default["kosmos-ejabberd"]["turn_max_port"] = 55000
+node.default["kosmos-ejabberd"]["turn_max_port"] = 50050
 
 node.override["tor"]["HiddenServices"]["ejabberd"] = {
 "HiddenServicePorts" => [
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
index 68c0776..8afce5c 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
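Review bot: `turn_max_port` shrinks from 55000 to 50050, which leaves 51 relay ports (50000–50050) for every TURN allocation on the node; an allocation holds its relay port for its whole lifetime, so this bounds concurrent relays at about 51, and the reason for the new ceiling deserves a comment next to the attribute, e.g. `# deliberately small: every relay port is opened and proxied individually on the nginx host`. `turn_ip_address` is now a fixed public address instead of `node["knife_zero"]["host"]`; it is what the ejabberd.yml template advertises to clients as the STUN/TURN host, so it has to be the address the stream proxy in front of ejabberd answers on rather than the ejabberd node itself, and a comment naming which host it belongs to would keep the next reader from "correcting" it back. Hard-coding it in cookbook attributes also means a proxy move needs a cookbook change; a role or environment attribute may fit better.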
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@@ -161,7 +161,9 @@ template "/opt/ejabberd/conf/ejabberd.yml" do
 variables hosts: hosts,
 admin_users: admin_users,
 stun_auth_realm: "kosmos.org",
- turn_ip_address: node["knife_zero"]["host"],
+ stun_secret: ejabberd_credentials['stun_secret'],
+ turn_ip_address: node["kosmos-ejabberd"]["turn_ip_address"],
+ stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
 turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
 turn_max_port: node["kosmos-ejabberd"]["turn_max_port"],
 akkounts_ip_addresses: akkounts_ip_addresses
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb b/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb
index 968da9b..ca1f393 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb
@@ -25,13 +25,13 @@ firewall_rule 'erlang_cluster' do
 end
 
 firewall_rule 'ejabberd_stun_turn' do
- port 3478
- protocol :tcp
+ port node["kosmos-ejabberd"]["stun_turn_port"]
+ protocol :udp
 command :allow
 end
 
 firewall_rule 'ejabberd_turn' do
 port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
- protocol :tcp
+ protocol :udp
 command :allow
 end
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb b/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb
new file mode 100644
index 0000000..328985c
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/recipes/nginx.rb
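Review bot: `stun_secret: ejabberd_credentials['stun_secret']` puts a shared secret into the rendered `/opt/ejabberd/conf/ejabberd.yml`, so the `template` resource needs `sensitive true` unless it is already set on the lines before this hunk (the resource opens outside it); without it, chef-client prints the rendered diff, secret included, to its output and to any log collector behind it on every change. One line inside the block does it: `sensitive true`. The same resource presumably renders the other values from `ejabberd_credentials` too, so the flag pays for itself beyond this key.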
@@ -0,0 +1,52 @@
+#
+# Cookbook:: kosmos-ejabberd
+# Recipe:: nginx
+#
+
+include_recipe "kosmos-base::firewall"
+
+ejabberd_hosts = []
+search(:node, "role:ejabberd").each do |node|
+ ejabberd_hosts << node["knife_zero"]["host"]
+end
+
+ejabberd_hosts.each do |ip_address|
+ IPAddr.new ip_address
+rescue IPAddr::InvalidAddressError
+ ejabberd_hosts.delete ip_address
+ next
+end
+
+template "#{node['nginx']['dir']}/streams-available/ejabberd" do
+ source "nginx_conf_streams.erb"
+ owner 'www-data'
+ mode 0640
+ # variables ejabberd_hosts: ejabberd_hosts
+ variables ejabberd_hosts: ["10.1.1.113"],
+ stun_turn_port: node["kosmos-ejabberd"]["stun_turn_port"],
+ turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
+ turn_max_port: node["kosmos-ejabberd"]["turn_max_port"]
+ notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_stream "ejabberd" do
+ action :enable
+end
+
+firewall_rule "ejabberd" do
+ port [5222, 5223, 5269, 5443]
+ protocol :tcp
+ command :allow
+end
+
+firewall_rule 'ejabberd_stun_turn' do
+ port node["kosmos-ejabberd"]["stun_turn_port"]
+ protocol :udp
+ command :allow
+end
+
+firewall_rule 'ejabberd_turn' do
+ port node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
+ protocol :udp
+ command :allow
+end
diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
index a46759d..d8f8a48 100644
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
@@ -78,12 +78,13 @@ listen:
 ## register: true
 captcha: false
 -
- port: 3478
- transport: tcp
+ port: <%= @stun_turn_port %>
+ transport: udp
 module: ejabberd_stun
 auth_realm: <%= @stun_auth_realm %>
 use_turn: true
- turn_ip: <%= @turn_ip_address %>
+ tls: false
+ turn_ipv4_address: <%= @turn_ip_address %>
 turn_min_port: <%= @turn_min_port %>
 turn_max_port: <%= @turn_max_port %>
 
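Review bot: The template is rendered with `variables ejabberd_hosts: ["10.1.1.113"]` while the `search(:node, "role:ejabberd")` result is computed, validated and then discarded (the `variables ejabberd_hosts: ejabberd_hosts` line is commented out), so the proxied backends do not follow role membership; if the pin is a deliberate interim state it needs a comment saying why and until when, otherwise the commented line should be the live one. The validation loop also calls `ejabberd_hosts.delete` on the array it is iterating, which skips the element after every removal, and it rescues only `IPAddr::InvalidAddressError` — a node without `knife_zero.host` yields `nil`, which I believe makes `IPAddr.new` raise `IPAddr::AddressFamilyError` instead, so rescuing the common parent `IPAddr::Error` is safer. The block parameter `|node|` in the search loop shadows the recipe's `node` object, which is easy to misread. The two STUN/TURN `firewall_rule` resources duplicate those in `recipes/firewall.rb` verbatim; a comment that the proxy host intentionally opens the same UDP ports would explain the repetition. Rewritten host collection and the template variable below.
```ruby
ejabberd_hosts = search(:node, "role:ejabberd").map { |ejabberd_node| ejabberd_node["knife_zero"]["host"] }
ejabberd_hosts.select! do |ip_address|
  IPAddr.new(ip_address)
  true
rescue IPAddr::Error
  false
end

template "#{node['nginx']['dir']}/streams-available/ejabberd" do
  # … unchanged: source, owner, mode …
  variables ejabberd_hosts: ejabberd_hosts,
            # … unchanged: stun_turn_port, turn_min_port, turn_max_port …
  # … unchanged: notifies …
end
```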
@@ -230,7 +231,21 @@ modules:
 versioning: true
 store_current_id: true
 mod_shared_roster: {}
- mod_stun_disco: {}
+ mod_stun_disco:
+ secret: <%= @stun_secret %>
+ services:
+ -
+ host: <%= @turn_ip_address %>
+ port: <%= @stun_turn_port %>
+ type: stun
+ transport: udp
+ restricted: false
+ -
+ host: <%= @turn_ip_address %>
+ port: <%= @stun_turn_port %>
+ type: turn
+ transport: udp
+ restricted: true
 mod_vcard:
 search: false
 mod_vcard_xupdate: {}
diff --git a/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_streams.erb b/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_streams.erb
new file mode 100644
index 0000000..6c2fba1
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/templates/nginx_conf_streams.erb
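Review bot: `secret: <%= @stun_secret %>` is written as a bare YAML scalar, so a secret containing `: ` or ` #`, starting with one of `*&!{[|>%@`, or made only of digits is mis-parsed or typed as a number rather than a string. Emit it as a quoted scalar with escaping handled for you: JSON string syntax is valid YAML, so `secret: <%= @stun_secret.to_json %>` works provided `json` is loaded in the template context, as it is under Chef. If you prefer not to rely on that, `secret: "<%= @stun_secret %>"` covers every case except a secret containing `"` or `\`.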
@@ -0,0 +1,81 @@
+log_format proxy '$remote_addr [$time_local] '
+ '$protocol $status $bytes_sent $bytes_received '
+ '$session_time "$upstream_addr" '
+ '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
+
+access_log /var/log/nginx/streams.log proxy buffer=32k flush=1m;
+
+upstream ejabberd_c2s {
+ hash $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+ server <%= ip_address %>:5222;
+<% end %>
+}
+
+upstream ejabberd_c2s_tls {
+ hash $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+ server <%= ip_address %>:5223;
+<% end %>
+}
+
+upstream ejabberd_s2s {
+ hash $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+ server <%= ip_address %>:5269;
+<% end %>
+}
+
+upstream ejabberd_https {
+ hash $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+ server <%= ip_address %>:5443;
+<% end %>
+}
+
+upstream ejabberd_stun_turn {
+ hash $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+ server <%= ip_address %>:<%= @stun_turn_port %>;
+<% end %>
+}
+
+upstream ejabberd_turn {
+ hash $remote_addr consistent;
+<% @ejabberd_hosts.each do |ip_address| %>
+<% (@turn_min_port..@turn_max_port).each do |port| %>
+ server <%= "#{ip_address}:#{port.to_s}" %>;
+<% end %>
+<% end %>
+}
+
+server {
+ listen 5222;
+ proxy_pass ejabberd_c2s;
+}
+
+server {
+ listen 5223;
+ proxy_pass ejabberd_c2s;
+}
+
+server {
+ listen 5269;
+ proxy_pass ejabberd_s2s;
+}
+
+server {
+ listen 5443;
+ proxy_pass ejabberd_https;
+}
+
+server {
+ listen <%= @stun_turn_port %> udp;
+ proxy_pass ejabberd_stun_turn;
+}
+
+server {
+ listen <%= "#{@turn_min_port}-#{@turn_max_port}" %> udp;
+ proxy_pass 10.1.1.113:$server_port;
+ #proxy_pass ejabberd_turn;
+}
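Review bot: The `listen 5223` server block passes to `ejabberd_c2s`, the 5222 backend, so direct-TLS client connections on 5223 are handed to the plain-c2s port while the `ejabberd_c2s_tls` upstream defined above is never used; it should read `proxy_pass ejabberd_c2s_tls;`. The final block hard-codes `proxy_pass 10.1.1.113:$server_port;` instead of deriving the address from `@ejabberd_hosts`, and the `ejabberd_turn` upstream generated for it (one `server` line per host and relay port) is left unreferenced; if a single relay backend is intended, render it from the variable, e.g. `proxy_pass <%= @ejabberd_hosts.first %>:$server_port;`, and drop the unused upstream so the template has one source of truth. As far as I can tell, forwarding relay traffic by `$server_port` only works while there is exactly one backend, because a TURN allocation lives on the node that accepted it — a comment stating that constraint belongs above the block. Note also that unless `proxy_bind … transparent` is configured, ejabberd sees the proxy's address as the source of all proxied traffic, so any per-IP limits and `$remote_addr`-based logging on the backend lose their meaning.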