Râu Cao e4112a3626
Fix TLS cert updates for kosmos.chat
Some recipes weren't updated for the proxy validation yet. Needed to
split the ejabberd cert in two, so it can do normal validation on
`.org` and proxy validation on `.chat`.
2024-12-09 18:17:10 +04:00


#
# Cookbook:: kosmos-ejabberd
# Recipe:: default
#
# Fetch the pinned ejabberd .deb from the GitHub release and install it.
#
# The archive lands in Chef's file cache; the dpkg_package resource stays
# :nothing and is only triggered when the download changes. `checksum` pins
# the artifact to node["ejabberd"]["checksum"], so a changed or tampered
# release asset fails the converge instead of being installed.
ejabberd_credentials = data_bag_item("credentials", "ejabberd")
ejabberd_version = node["ejabberd"]["version"]
package_checksum = node["ejabberd"]["checksum"]
package_version = node["ejabberd"]["package_version"]

package_filename = "ejabberd_#{ejabberd_version}_amd64.deb"
package_path = "#{Chef::Config['file_cache_path']}/#{package_filename}"
release_asset = "ejabberd_#{ejabberd_version}-#{package_version}_amd64.deb"
package_url = "https://github.com/processone/ejabberd/releases/download/#{ejabberd_version}/#{release_asset}"

remote_file package_path do
  source package_url
  checksum package_checksum
  # Install in the same run so a version bump takes effect immediately.
  notifies :install, "dpkg_package[ejabberd]", :immediately
end

dpkg_package "ejabberd" do
  source package_path
  version ejabberd_version
  # dpkg conffile handling: keep the locally managed config files on upgrade.
  options "--force-confdef --force-confold"
  action :nothing
end
# Contrib modules: refresh the module specs, install each listed module once,
# and delete the module's own default config file (presumably so the settings
# rendered into ejabberd.yml below are the only ones in effect — verify).
#
# NOTE(review): modules_update_specs / module_install are ejabberdctl
# commands that appear to fetch module sources at converge time; nothing in
# this recipe pins a revision of what gets installed — confirm that is
# acceptable for this host.
execute "update contrib modules" do
  command "ejabberdctl modules_update_specs"
end

contrib_modules = %w[mod_s3_upload]

contrib_modules.each do |mod_name|
  module_dir = "/opt/ejabberd/.ejabberd-modules/#{mod_name}"

  execute "install #{mod_name}" do
    command "ejabberdctl module_install #{mod_name}"
    # The ebin directory marks a finished install; skip on later converges.
    not_if { ::File.exist?("#{module_dir}/ebin") }
  end

  file "#{module_dir}/conf/#{mod_name}.yml" do
    action :delete
  end
end
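# Erlang distribution cookie: the shared secret Erlang nodes use to
# authenticate to each other, so it is the cluster's admission credential.
#
# It is written read-only for the ejabberd user. `sensitive true` keeps the
# content out of Chef's diff/log output, matching the other secret-bearing
# resources in this recipe (the vhost and ejabberd.yml templates).
file "/opt/ejabberd/.erlang.cookie" do
  mode "0400"
  owner "ejabberd"
  group "ejabberd"
  sensitive true
  content ejabberd_credentials['erlang_cookie']
end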
# Cluster peers: every node carrying the ejabberd role gets a /etc/hosts
# entry and a line in /opt/ejabberd/.hosts.erlang.
ejabberd_nodes = search(:node, "role:ejabberd")

ejabberd_nodes.each do |peer|
  peer_ip = peer["knife_zero"]["host"]
  # Parse first so only a syntactically valid address reaches /etc/hosts.
  IPAddr.new(peer_ip)

  hostsfile_entry peer_ip do
    hostname peer["hostname"]
    action :create
  end
rescue IPAddr::InvalidAddressError
  # A peer with an unparseable address is skipped rather than failing the run.
  next
end

# NOTE(review): this list is built from all search results, including peers
# whose address was rejected above — confirm that is intended.
ejabberd_hostnames = ejabberd_nodes.map { |peer| peer["hostname"] }

file "/opt/ejabberd/.hosts.erlang" do
  mode "0644"
  owner "ejabberd"
  group "ejabberd"
  # One name per line, with a trailing dot.
  content ejabberd_hostnames.map { |name| "#{name}." }.join("\n")
end
# Replace the packaged, commented-out `#ERLANG_NODE=ejabberd@localhost`
# default with this node's name (presumably so the peers listed in
# .hosts.erlang can address it — verify).
#
# The pattern only matches the still-commented default line, so the edit is
# one-shot: once replaced, the pattern no longer matches and later runs make
# no change to the file content (the ruby_block itself still runs each
# converge).
ruby_block "configure ERLANG_NODE" do
  block do
    ctl_cfg = Chef::Util::FileEdit.new("/opt/ejabberd/conf/ejabberdctl.cfg")
    ctl_cfg.search_file_replace_line(/#ERLANG_NODE=ejabberd@localhost/,
                                     "ERLANG_NODE=ejabberd@#{node['name']}")
    ctl_cfg.write_file
  end
end
# PostgreSQL credentials: the ejabberd SQL password comes from the shared
# "postgresql" data bag item, not from the ejabberd one.
postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
# Virtual hosts served by this instance. Each entry is rendered into its own
# /opt/ejabberd/conf/<name>.yml (see the `hosts.each` loop below) and the
# whole list is also passed to the ejabberd.yml template.
#
# Keys:
#   name                 - XMPP domain, also the vhost file name
#   sql_database         - per-host database on the shared PostgreSQL server
#   ldap_enabled / ldap_password
#                        - LDAP auth bind for this host's service user
#   certfiles            - cert/key paths passed to the template for this host;
#                          kosmos.org lists both the kosmos.org and the
#                          kosmos.chat pair because the MUC service runs on
#                          kosmos.chat (see `mod_muc.host` below). The commit
#                          splits the cert so each domain is validated
#                          separately.
#   append_host_config   - raw YAML appended to the host's config. This is a
#                          `<<-` heredoc, so its leading whitespace is emitted
#                          as-is; the indentation shown on this page is
#                          flattened — verify against vhost.yml.erb before
#                          editing.
hosts = [
{
name: "kosmos.org",
sql_database: "ejabberd",
ldap_enabled: true,
ldap_password: ejabberd_credentials['kosmos_ldap_password'],
certfiles: [
"/opt/ejabberd/conf/kosmos.org.crt",
"/opt/ejabberd/conf/kosmos.org.key",
"/opt/ejabberd/conf/kosmos.chat.crt",
"/opt/ejabberd/conf/kosmos.chat.key"
],
# Heredoc body below is a runtime string: do not add comments inside it.
append_host_config: <<-EOF
modules:
mod_disco:
extra_domains:
- kosmos.chat
server_info:
-
modules: all
name: "abuse-addresses"
urls: ["mailto:abuse@kosmos.org"]
mod_muc:
host: kosmos.chat
access:
- allow
access_admin:
- allow: admin
access_create: muc_create
access_persistent: muc_create
access_register: muc_create
max_user_conferences: 1000
default_room_options:
mam: true
preload_rooms: true
EOF
},
{
name: "5apps.com",
sql_database: "ejabberd_5apps",
ldap_enabled: true,
ldap_password: ejabberd_credentials['5apps_ldap_password'],
certfiles: [
"/opt/ejabberd/conf/5apps.com.crt",
"/opt/ejabberd/conf/5apps.com.key"
],
# Heredoc body below is a runtime string: do not add comments inside it.
append_host_config: <<-EOF
modules:
mod_disco:
extra_domains:
- muc.5apps.com
server_info:
-
modules: all
name: "abuse-addresses"
urls: ["mailto:mail@5apps.com"]
mod_muc:
host: "muc.@HOST@"
access:
- allow: local
access_admin:
- allow: admin
access_create: muc_create
access_persistent: muc_create
access_register: muc_create
max_user_conferences: 1000
default_room_options:
anonymous: false
public: true
members_only: true
public_list: false
persistent: true
mam: true
preload_rooms: true
EOF
}
]
# LDAP authentication settings shared by every vhost.
#
# NOTE(review): `ldap_encryption_type` is "none", so the bind — including
# each host's service password — goes to the directory master unencrypted;
# this relies on the path to that host being a trusted network. Confirm.
ldap_domain = node['kosmos-dirsrv']['master_hostname']
ldap_encryption_type = "none"
ldap_base = "cn=users,dc=kosmos,dc=org"
admin_users = ejabberd_credentials['admins']

# kosmos.org only admits accounts explicitly enabled for ejabberd; any other
# host accepts every person entry.
ldap_filter_for = lambda do |vhost_name|
  if vhost_name == "kosmos.org"
    "(&(objectClass=person)(serviceEnabled=ejabberd))"
  else
    "(objectClass=person)"
  end
end

# One config file per vhost; a change reloads (not restarts) ejabberd at the
# end of the run.
hosts.each do |host|
  vhost_name = host[:name]
  ldap_rootdn = "uid=service,ou=#{vhost_name},cn=applications,dc=kosmos,dc=org"
  ldap_filter = ldap_filter_for.call(vhost_name)

  template "/opt/ejabberd/conf/#{vhost_name}.yml" do
    source "vhost.yml.erb"
    mode 0640
    owner 'ejabberd'
    group 'ejabberd'
    # Receives the SQL and LDAP passwords: keep the rendered diff out of logs.
    sensitive true
    variables(
      pgsql_password: postgresql_data_bag_item['ejabberd_user_password'],
      sql_server: "pg.kosmos.local",
      host: host,
      ldap_base: ldap_base,
      ldap_server: ldap_domain,
      ldap_rootdn: ldap_rootdn,
      ldap_encryption_type: ldap_encryption_type,
      ldap_filter: ldap_filter
    )
    notifies :reload, "service[ejabberd]", :delayed
  end
end
# Addresses of the nodes carrying the akkounts role, passed to ejabberd.yml
# (presumably for an address-based access rule — verify in the template).
#
# NOTE(review): unlike the ejabberd peers above, these values are not parsed
# with IPAddr before being written into the config.
akkounts_ip_addresses = search(:node, "role:akkounts").map { |n| n["knife_zero"]["host"] }
# Main ejabberd configuration, rendered from ejabberd.yml.erb.
#
# NOTE(review): mode is 0640 but no owner/group is set, unlike the vhost
# templates and the other files in this recipe. Ownership of an existing
# file is left untouched by Chef, so this works as long as the package-created
# file is already readable by the ejabberd user — confirm and consider
# setting owner/group explicitly.
s3_upload_settings = {
  region: "garage",
  bucket_url: "https://#{node["garage"]["xmpp_upload_bucket"]}.#{node["garage"]["s3_api_root_domain"]}",
  download_url: "https://media.kosmos.chat",
  key_id: ejabberd_credentials['s3_key_id'],
  secret_key: ejabberd_credentials['s3_secret_key']
}

template "/opt/ejabberd/conf/ejabberd.yml" do
  source "ejabberd.yml.erb"
  mode 0640
  # Receives the STUN and S3 secrets: keep the rendered diff out of logs.
  sensitive true
  variables(
    hosts: hosts,
    admin_users: admin_users,
    turn_domain: node["ejabberd"]["turn_domain"],
    stun_secret: ejabberd_credentials['stun_secret'],
    stun_turn_port: node["ejabberd"]["stun_turn_port"],
    stun_turn_port_tls: node["ejabberd"]["stun_turn_port_tls"],
    turn_min_port: node["ejabberd"]["turn_min_port"],
    turn_max_port: node["ejabberd"]["turn_max_port"],
    private_ip_address: node["knife_zero"]["host"],
    akkounts_ip_addresses: akkounts_ip_addresses,
    mod_s3_upload: s3_upload_settings
  )
  notifies :reload, "service[ejabberd]", :delayed
end
# Enable and start the service; config changes reload it via the :delayed
# notifications on the templates above.
service "ejabberd" do
  action %i[enable start]
end
# Host firewall: kosmos-ejabberd::firewall (presumably the main rule set) is
# skipped on development nodes; the HTTP rule below has no environment guard.
#
# NOTE(review): port 80 is opened only to 10.1.1.0/24, which looks like the
# internal proxy path for the certificate validation described in the commit
# message — verify, and confirm the missing environment guard is intended.
include_recipe "kosmos-ejabberd::firewall" unless node.chef_environment == "development"

firewall_rule "ejabberd_http" do
  port [80]
  source "10.1.1.0/24"
  protocol :tcp
  command :allow
end