* Move the PostgreSQL user and database creation to a pg_db recipe * Generate access rights for the ejabberd servers in the pg_db recipe * Connect to the PostgreSQL primary instead of localhost Refs #180
		
			
				
	
	
		
			210 lines
		
	
	
		
			6.5 KiB
		
	
	
	
		
			Ruby
		
	
	
	
	
	
			
		
		
	
	
			210 lines
		
	
	
		
			6.5 KiB
		
	
	
	
		
			Ruby
		
	
	
	
	
	
| #
 | |
| # Cookbook:: kosmos-ejabberd
 | |
| # Recipe:: default
 | |
| #
 | |
| # The MIT License (MIT)
 | |
| #
 | |
| # Copyright:: 2019, Kosmos Developers
 | |
| #
 | |
| # Permission is hereby granted, free of charge, to any person obtaining a copy
 | |
| # of this software and associated documentation files (the "Software"), to deal
 | |
| # in the Software without restriction, including without limitation the rights
 | |
| # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 | |
| # copies of the Software, and to permit persons to whom the Software is
 | |
| # furnished to do so, subject to the following conditions:
 | |
| #
 | |
| # The above copyright notice and this permission notice shall be included in
 | |
| # all copies or substantial portions of the Software.
 | |
| #
 | |
| # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 | |
| # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 | |
| # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 | |
| # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 | |
| # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 | |
| # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 | |
| # THE SOFTWARE.
 | |
| 
 | |
| include_recipe "kosmos-postgresql"
 | |
| 
 | |
| ejabberd_credentials = data_bag_item("credentials", "ejabberd")
 | |
| 
 | |
| ejabberd_version = node["kosmos-ejabberd"]["version"]
 | |
| package_checksum = node["kosmos-ejabberd"]["checksum"]
 | |
| package_path = "#{Chef::Config['file_cache_path']}/ejabberd_#{ejabberd_version}-0_amd64.deb"
 | |
| 
 | |
| remote_file package_path do
 | |
|   source "https://www.process-one.net/downloads/downloads-action.php?file=/#{ejabberd_version}/ejabberd_#{ejabberd_version}-0_amd64.deb"
 | |
|   checksum package_checksum
 | |
|   notifies :install, "dpkg_package[ejabberd]", :immediately
 | |
| end
 | |
| 
 | |
| dpkg_package "ejabberd" do
 | |
|   source package_path
 | |
|   version "#{ejabberd_version}-0"
 | |
|   action :nothing
 | |
|   notifies :create, "file[/lib/systemd/system/ejabberd.service]", :immediately
 | |
| end
 | |
| 
 | |
| postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
 | |
| 
 | |
| hosts = [
 | |
|   {
 | |
|     name: "kosmos.org",
 | |
|     sql_database: "ejabberd",
 | |
|     ldap_enabled: true,
 | |
|     ldap_password: ejabberd_credentials['kosmos_ldap_password'],
 | |
|     append_host_config: <<-EOF
 | |
| modules:
 | |
|       mod_muc:
 | |
|         host: "kosmos.chat"
 | |
|         access:
 | |
|           - allow
 | |
|         access_admin:
 | |
|           - allow: admin
 | |
|         access_create: muc_create
 | |
|         access_persistent: muc_create
 | |
|         max_user_conferences: 1000
 | |
|         default_room_options:
 | |
|           mam: true
 | |
|                 EOF
 | |
|   },
 | |
|   {
 | |
|     name: "5apps.com",
 | |
|     sql_database: "ejabberd_5apps",
 | |
|     ldap_enabled: true,
 | |
|     ldap_password: ejabberd_credentials['5apps_ldap_password'],
 | |
|     append_host_config: <<-EOF
 | |
| modules:
 | |
|       mod_muc:
 | |
|         host: "muc.@HOST@"
 | |
|         access:
 | |
|           - allow: local
 | |
|         access_admin:
 | |
|           - allow: admin
 | |
|         access_create: muc_create
 | |
|         access_persistent: muc_create
 | |
|         max_user_conferences: 1000
 | |
|         default_room_options:
 | |
|           anonymous: false
 | |
|           public: true
 | |
|           members_only: true
 | |
|           public_list: false
 | |
|           persistent: true
 | |
|           mam: true
 | |
|                 EOF
 | |
|   }
 | |
| ]
 | |
| 
 | |
| ldap_domain = node['kosmos-dirsrv']['master_hostname']
 | |
| ldap_encryption_type = node.chef_environment == "development" ? "none" : "tls"
 | |
| ldap_base = "cn=users,dc=kosmos,dc=org"
 | |
| 
 | |
| admin_users = ejabberd_credentials['admins']
 | |
| 
 | |
| postgresql_primary_node = postgresql_primary
 | |
| postgresql_server = postgresql_primary_node[:ipaddress]
 | |
| # PostgreSQL is on the same server, connect through localhost
 | |
| postgresql_server = "localhost" if postgresql_primary_node[:hostname] == node[:hostname]
 | |
| 
 | |
| hosts.each do |host|
 | |
|   ldap_rootdn = "uid=xmpp,ou=#{host[:name]},cn=applications,dc=kosmos,dc=org"
 | |
| 
 | |
|   template "/opt/ejabberd/conf/#{host[:name]}.yml" do
 | |
|     source    "vhost.yml.erb"
 | |
|     mode      0640
 | |
|     owner     'ejabberd'
 | |
|     group     'ejabberd'
 | |
|     sensitive true
 | |
|     variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password'],
 | |
|               sql_server: postgresql_server,
 | |
|               host: host,
 | |
|               ldap_base: ldap_base,
 | |
|               ldap_server: ldap_domain,
 | |
|               ldap_rootdn: ldap_rootdn,
 | |
|               ldap_encryption_type: ldap_encryption_type
 | |
|     # Restarting the service is needed because the LDAP options are only parsed
 | |
|     # on start (https://github.com/processone/ejabberd/issues/3181#issuecomment-594482546)
 | |
|     # This can be changed back to reloading when this is part of a release:
 | |
|     # https://github.com/processone/ejabberd/commit/b39a1e2d74cd4d400a7f062e31056057573298e8
 | |
|     #
 | |
|     # notifies :run, "execute[ejabberdctl reload_config]", :delayed
 | |
|     notifies :restart, "service[ejabberd]", :delayed
 | |
|   end
 | |
| end
 | |
| 
 | |
| template "/opt/ejabberd/conf/ejabberd.yml" do
 | |
|   source    "ejabberd.yml.erb"
 | |
|   mode      0640
 | |
|   sensitive true
 | |
|   variables hosts: hosts,
 | |
|             admin_users: admin_users,
 | |
|             stun_auth_realm: "kosmos.org",
 | |
|             turn_ip_address: node['ipaddress'],
 | |
|             turn_min_port: node["kosmos-ejabberd"]["turn_min_port"],
 | |
|             turn_max_port: node["kosmos-ejabberd"]["turn_max_port"]
 | |
|   notifies :run, "execute[ejabberdctl reload_config]", :delayed
 | |
| end
 | |
| 
 | |
| execute "ejabberdctl reload_config" do
 | |
|   command "/opt/ejabberd-#{ejabberd_version}/bin/ejabberdctl reload_config"
 | |
|   action :nothing
 | |
| end
 | |
| 
 | |
| file "/etc/init.d/ejabberd" do
 | |
|   action :delete
 | |
| end
 | |
| 
 | |
| # Copy the systemd service file
 | |
| file "/lib/systemd/system/ejabberd.service" do
 | |
|   content lazy { IO.read("/opt/ejabberd-#{ejabberd_version}/bin/ejabberd.service") }
 | |
|   action :nothing
 | |
|   notifies :run, "execute[systemctl daemon-reload]", :immediately
 | |
|   notifies :restart, "service[ejabberd]", :delayed
 | |
| end
 | |
| 
 | |
| execute "systemctl daemon-reload" do
 | |
|   command "systemctl daemon-reload"
 | |
|   action :nothing
 | |
| end
 | |
| 
 | |
| # Set permissions for the upload folders
 | |
| %w(xmpp.kosmos.org xmpp.5apps.com).each do |domain|
 | |
|   directory "/opt/ejabberd/uploads/#{domain}" do
 | |
|     owner "ejabberd"
 | |
|     group "ejabberd"
 | |
|     mode 0750
 | |
|     recursive true
 | |
|   end
 | |
| end
 | |
| 
 | |
| service "ejabberd" do
 | |
|   action [:enable, :start]
 | |
| end
 | |
| 
 | |
| unless node.chef_environment == "development"
 | |
|   firewall_rule 'ejabberd' do
 | |
|     port     [5222, 5223, 5269, 5280, 5443]
 | |
|     protocol :tcp
 | |
|     command  :allow
 | |
|   end
 | |
| 
 | |
|   firewall_rule 'ejabberd_stun_turn' do
 | |
|     port     3478
 | |
|     protocol :udp
 | |
|     command  :allow
 | |
|   end
 | |
| 
 | |
|   firewall_rule 'ejabberd_turn' do
 | |
|     port     node["kosmos-ejabberd"]["turn_min_port"]..node["kosmos-ejabberd"]["turn_max_port"]
 | |
|     protocol :udp
 | |
|     command  :allow
 | |
|   end
 | |
| end
 | |
| 
 | |
| #
 | |
| # Tor hidden service
 | |
| #
 | |
| # The attributes for the hidden service are set in attributes/default.rb, due
 | |
| # to the way the tor-full cookbook builds the path to the hidden service dir
 | |
| include_recipe "tor-full"
 |