diff --git a/nodes/ejabberd-4.json b/nodes/ejabberd-4.json
index eccf3bc..8f88713 100644
--- a/nodes/ejabberd-4.json
+++ b/nodes/ejabberd-4.json
@@ -37,6 +37,7 @@
 "timezone_iii::debian",
 "ntp::default",
 "ntp::apparmor",
+ "kosmos-base::journald_conf",
 "kosmos-base::systemd_emails",
 "apt::unattended-upgrades",
 "kosmos-base::firewall",
diff --git a/nodes/ejabberd-8.json b/nodes/ejabberd-8.json
index 987dd1d..4aab853 100644
--- a/nodes/ejabberd-8.json
+++ b/nodes/ejabberd-8.json
@@ -37,6 +37,7 @@
 "timezone_iii::debian",
 "ntp::default",
 "ntp::apparmor",
+ "kosmos-base::journald_conf",
 "kosmos-base::systemd_emails",
 "apt::unattended-upgrades",
 "kosmos-base::firewall",
diff --git a/site-cookbooks/kosmos-ejabberd/attributes/default.rb b/site-cookbooks/kosmos-ejabberd/attributes/default.rb
index 42960c5..658d2c3 100644
--- a/site-cookbooks/kosmos-ejabberd/attributes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/attributes/default.rb
@@ -1,6 +1,6 @@
-node.default["ejabberd"]["version"] = "23.10"
+node.default["ejabberd"]["version"] = "25.08"
 node.default["ejabberd"]["package_version"] = "1"
-node.default["ejabberd"]["checksum"] = "1b02108c81e22ab28be84630d54061f0584b76d5c2702e598352269736b05e77"
+node.default["ejabberd"]["checksum"] = "e4703bc41b5843fc4b76e8b54a9380d5895f9b3dcd4795e05ad0c260ed9b9a23"
 node.default["ejabberd"]["turn_domain"] = "turn.kosmos.org"
 node.default["ejabberd"]["stun_auth_realm"] = "kosmos.org"
 node.default["ejabberd"]["stun_turn_port"] = 3478
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/default.rb b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
index aad241f..548b588 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/default.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/default.rb
@@ -65,15 +65,13 @@ file "/opt/ejabberd/.hosts.erlang" do
 content ejabberd_hostnames.map{|h| "#{h}."}.join("\n")
 end
 
-ruby_block "configure ERLANG_NODE" do
- block do
- file = Chef::Util::FileEdit.new("/opt/ejabberd/conf/ejabberdctl.cfg")
- file.search_file_replace_line(
- %r{#ERLANG_NODE=ejabberd@localhost},
- "ERLANG_NODE=ejabberd@#{node['name']}"
- )
- file.write_file
- end
+template "/opt/ejabberd/conf/ejabberdctl.cfg" do
+ source "ejabberdctl.cfg.erb"
+ mode 0644
+ owner 'ejabberd'
+ group 'ejabberd'
+ variables epmd_node_name: "ejabberd@#{node['name']}"
+ notifies :reload, "service[ejabberd]", :delayed
 end
 
 postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
@@ -225,10 +223,3 @@ end
 unless node.chef_environment == "development"
 include_recipe "kosmos-ejabberd::firewall"
 end
-
-firewall_rule 'ejabberd_http' do
- port [80]
- source "10.1.1.0/24"
- protocol :tcp
- command :allow
-end
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb b/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb
index b29ce6a..fcf7ca2 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/firewall.rb
@@ -35,3 +35,10 @@ firewall_rule 'ejabberd_turn' do
 protocol :udp
 command :allow
 end
+
+firewall_rule 'ejabberd_http' do
+ port [80]
+ source "10.1.1.0/24"
+ protocol :tcp
+ command :allow
+end
diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
index 5d3860e..f1b9fd9 100644
--- a/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberd.yml.erb
@@ -1,10 +1,11 @@
-loglevel: 4
-
 log_rotate_size: 10485760
-log_rotate_date: ""
 log_rotate_count: 1
-log_rate_limit: 100
+loglevel: info
+hide_sensitive_log_data: true
+
+log_modules_fully:
+ - mod_s3_upload
 
 hosts:
 <% @hosts.each do |host| -%>
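Review bot: The `notifies :reload, "service[ejabberd]", :delayed` on the new `template "/opt/ejabberd/conf/ejabberdctl.cfg"` resource is unlikely to apply what the template renders: ejabberdctl.cfg (`ERLANG_NODE`, `FIREWALL_WINDOW`) is sourced by ejabberdctl when it launches the Erlang VM, whereas a reload only re-reads ejabberd.yml, as far as I can tell. A changed node name would therefore stay unapplied until something else restarts the service, which is confusing to debug because the file on disk already shows the new value. Consider `notifies :restart, "service[ejabberd]", :delayed` together with a why-comment such as `# ejabberdctl.cfg is only read when the VM starts, so a reload is not enough`. The `service[ejabberd]` resource and the `file "/opt/ejabberd/.hosts.erlang"` resource this hunk starts inside are defined outside the hunk.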
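Review bot: The relocated `firewall_rule 'ejabberd_http'` opens TCP 80 to 10.1.1.0/24 with no comment saying what listens on that port or why that subnet is trusted, and since the rule now lives in `kosmos-ejabberd::firewall` it is only applied when that recipe is included, which the default recipe skips in the development environment. A one-line comment above the resource, e.g. `# plain-HTTP listener reachable only from the internal 10.1.1.0/24 network (presumably a reverse proxy or ACME relay; confirm before widening)`, would let the next reader judge whether the source range is still right. If the same subnet is used by other cookbooks, a node attribute would keep the literal from drifting between them.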
@@ -95,6 +96,8 @@
 auth_method: sql
 default_db: sql
 
+update_sql_schema: true
+
 shaper:
 normal:
 rate: 3000
@@ -119,6 +122,15 @@ acl:
 - "::1/128"
 - "::FFFF:127.0.0.1/128"
 
+api_permissions:
+ "webadmin commands":
+ who:
+ - admin
+ from:
+ - ejabberd_web_admin
+ what:
+ - "*"
+
 shaper_rules:
 max_user_sessions: 10
 max_user_offline_messages:
diff --git a/site-cookbooks/kosmos-ejabberd/templates/ejabberdctl.cfg.erb b/site-cookbooks/kosmos-ejabberd/templates/ejabberdctl.cfg.erb
new file mode 100644
index 0000000..b87f90c
--- /dev/null
+++ b/site-cookbooks/kosmos-ejabberd/templates/ejabberdctl.cfg.erb
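Review bot: `update_sql_schema: true` lets ejabberd run its own schema migrations against PostgreSQL at startup, which, as far as I can tell, only works if the database role ejabberd connects with permanently holds DDL rights (CREATE/ALTER on its schema) rather than the DML-only grant a least-privilege setup would give it. If that grant is being widened as part of the 25.08 upgrade it deserves to be written down next to this line, since the credentials come from the `postgresql` data bag outside this file and nothing here records the assumption. Suggested comment above the option: `# ejabberd applies its own schema migrations on upgrade; the DB role needs DDL rights on the ejabberd schema for this to succeed`.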
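Review bot: The new `api_permissions` block grants every command (`what: "*"`) to the `admin` ACL through the web admin and is the only entry, and from memory setting `api_permissions` replaces ejabberd's built-in permission list rather than extending it, so it is worth confirming on the upgraded node that `ejabberdctl` (the `ejabberd_ctl` source) and any REST or OAuth callers still pass their permission checks. Either way a wildcard grant reachable from a web UI should carry a why-comment, e.g. `# web admin in 25.x is backed by API commands; narrow 'what' to the commands actually used once known`. The `admin` ACL this relies on is defined outside the hunk.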
@@ -0,0 +1,175 @@
+#
+# In this file you can configure options that are passed by ejabberdctl
+# to the erlang runtime system when starting ejabberd
+#
+
+#' POLL: Kernel polling ([true|false])
+#
+# The kernel polling option requires support in the kernel.
+# Additionally, you need to enable this feature while compiling Erlang.
+#
+# Default: true
+#
+#POLL=true
+
+#.
+#' SMP: SMP support ([enable|auto|disable])
+#
+# Explanation in Erlang/OTP documentation:
+# enable: starts the Erlang runtime system with SMP support enabled.
+# This may fail if no runtime system with SMP support is available.
+# auto: starts the Erlang runtime system with SMP support enabled if it
+# is available and more than one logical processor are detected.
+# disable: starts a runtime system without SMP support.
+#
+# Default: enable
+#
+#SMP=enable
+
+#.
+#' ERL_MAX_PORTS: Maximum number of simultaneously open Erlang ports
+#
+# ejabberd consumes two or three ports for every connection, either
+# from a client or from another Jabber server. So take this into
+# account when setting this limit.
+#
+# Default: 32000
+# Maximum: 268435456
+#
+#ERL_MAX_PORTS=32000
+
+#.
+#' FIREWALL_WINDOW: Range of allowed ports to pass through a firewall
+#
+# If Ejabberd is configured to run in cluster, and a firewall is blocking ports,
+# it's possible to make Erlang use a defined range of port (instead of dynamic
+# ports) for node communication.
+#
+# Default: not defined
+# Example: 4200-4210
+#
+FIREWALL_WINDOW=4200-4210
+
+#.
+#' INET_DIST_INTERFACE: IP address where this Erlang node listens other nodes
+#
+# This communication is used by ejabberdctl command line tool,
+# and in a cluster of several ejabberd nodes.
+#
+# Default: 0.0.0.0
+#
+#INET_DIST_INTERFACE=127.0.0.1
+
+#.
+#' ERL_EPMD_ADDRESS: IP addresses where epmd listens for connections
+#
+# IMPORTANT: This option works only in Erlang/OTP R14B03 and newer.
+#
+# This environment variable may be set to a comma-separated
+# list of IP addresses, in which case the epmd daemon
+# will listen only on the specified address(es) and on the
+# loopback address (which is implicitly added to the list if it
+# has not been specified). The default behaviour is to listen on
+# all available IP addresses.
+#
+# Default: 0.0.0.0
+#
+#ERL_EPMD_ADDRESS=127.0.0.1
+
+#.
+#' ERL_PROCESSES: Maximum number of Erlang processes
+#
+# Erlang consumes a lot of lightweight processes. If there is a lot of activity
+# on ejabberd so that the maximum number of processes is reached, people will
+# experience greater latency times. As these processes are implemented in
+# Erlang, and therefore not related to the operating system processes, you do
+# not have to worry about allowing a huge number of them.
+#
+# Default: 250000
+# Maximum: 268435456
+#
+#ERL_PROCESSES=250000
+
+#.
+#' ERL_MAX_ETS_TABLES: Maximum number of ETS and Mnesia tables
+#
+# The number of concurrent ETS and Mnesia tables is limited. When the limit is
+# reached, errors will appear in the logs:
+# ** Too many db tables **
+# You can safely increase this limit when starting ejabberd. It impacts memory
+# consumption but the difference will be quite small.
+#
+# Default: 1400
+#
+#ERL_MAX_ETS_TABLES=1400
+
+#.
+#' ERL_OPTIONS: Additional Erlang options
+#
+# The next variable allows to specify additional options passed to erlang while
+# starting ejabberd. Some useful options are -noshell, -detached, -heart. When
+# ejabberd is started from an init.d script options -noshell and -detached are
+# added implicitly. See erl(1) for more info.
+#
+# It might be useful to add "-pa /usr/local/lib/ejabberd/ebin" if you
+# want to add local modules in this path.
+#
+# Default: ""
+#
+#ERL_OPTIONS=""
+
+#.
+#' ERLANG_NODE: Erlang node name
+#
+# The next variable allows to explicitly specify erlang node for ejabberd
+# It can be given in different formats:
+# ERLANG_NODE=ejabberd
+# Lets erlang add hostname to the node (ejabberd uses short name in this case)
+# ERLANG_NODE=ejabberd@hostname
+# Erlang uses node name as is (so make sure that hostname is a real
+# machine hostname or you'll not be able to control ejabberd)
+# ERLANG_NODE=ejabberd@hostname.domainname
+# The same as previous, but erlang will use long hostname
+# (see erl (1) manual for details)
+#
+# Default: ejabberd@localhost
+#
+ERLANG_NODE=<%= @epmd_node_name %>
+
+#.
+#' EJABBERD_PID_PATH: ejabberd PID file
+#
+# Indicate the full path to the ejabberd Process identifier (PID) file.
+# If this variable is defined, ejabberd writes the PID file when starts,
+# and deletes it when stops.
+# Remember to create the directory and grant write permission to ejabberd.
+#
+# Default: don't write PID file
+#
+#EJABBERD_PID_PATH=/var/run/ejabberd/ejabberd.pid
+
+#.
+#' CONTRIB_MODULES_PATH: contributed ejabberd modules path
+#
+# Specify the full path to the contributed ejabberd modules. If the path is not
+# defined, ejabberd will use ~/.ejabberd-modules in home of user running ejabberd.
+#
+# Default: $HOME/.ejabberd-modules
+#
+#CONTRIB_MODULES_PATH=/opt/ejabberd-modules
+
+#.
+#' CONTRIB_MODULES_CONF_DIR: configuration directory for contributed modules
+#
+# Specify the full path to the configuration directory for contributed ejabberd
+# modules. In order to configure a module named mod_foo, a mod_foo.yml file can
+# be created in this directory. This file will then be used instead of the
+# default configuration file provided with the module.
+#
+# Default: $CONTRIB_MODULES_PATH/conf
+#
+#CONTRIB_MODULES_CONF_DIR=/etc/ejabberd/modules
+
+#.
+#'
+# vim: foldmarker=#',#. foldmethod=marker:
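Review bot: The template leaves `INET_DIST_INTERFACE` and `ERL_EPMD_ADDRESS` commented out while pinning `FIREWALL_WINDOW=4200-4210`, so epmd (4369) and the distribution port the node binds in that range listen on every interface by the upstream default documented right above them; the only things then standing between the network and the Erlang VM are the cookie and whatever `kosmos-ejabberd::firewall` allows, neither of which is visible here. Since this template now owns the whole file, it is the natural place to bind those listeners to the cluster-facing address rather than inheriting the 0.0.0.0 default, e.g. pass it in from the recipe and emit `INET_DIST_INTERFACE=<%= @dist_interface %>` and `ERL_EPMD_ADDRESS=<%= @dist_interface %>`. If the firewall recipe already restricts 4369 and 4200-4210 to the peer nodes, a comment next to `FIREWALL_WINDOW` saying so would make that dependency explicit.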