chef/site-cookbooks/kosmos-ejabberd/recipes/default.rb

#
# Cookbook:: kosmos-ejabberd
# Recipe:: default
#
# The MIT License (MIT)
#
# Copyright:: 2019, Kosmos Developers
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
# THE SOFTWARE.

include_recipe "kosmos-postgresql"

ejabberd_credentials = data_bag_item("credentials", "ejabberd")

cookbook_file "#{Chef::Config[:file_cache_path]}/pg.sql" do
  source "pg.sql"
  mode "0664"
end

ejabberd_version = node["kosmos-ejabberd"]["version"]
package_checksum = node["kosmos-ejabberd"]["checksum"]
package_path = "#{Chef::Config['file_cache_path']}/ejabberd_#{ejabberd_version}-0_amd64.deb"

remote_file package_path do
  source "https://www.process-one.net/downloads/downloads-action.php?file=/ejabberd/#{ejabberd_version}/ejabberd_#{ejabberd_version}-0_amd64.deb"
  checksum package_checksum
  notifies :install, "dpkg_package[ejabberd]", :immediately
end

dpkg_package "ejabberd" do
  source package_path
  version "#{ejabberd_version}-0"
  action :nothing
  notifies :create, "file[/lib/systemd/system/ejabberd.service]", :immediately
end

postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')

postgresql_user 'ejabberd' do
  action :create
  password postgresql_data_bag_item['ejabberd_user_password']
end

hosts = [
  {
    name: "kosmos.org",
    sql_database: "ejabberd",
    ldap_enabled: false,
    append_host_config: <<-EOF
modules:
      mod_muc:
        host: "kosmos.chat"
        access:
          - allow
        access_admin:
          - allow: admin
        access_create: muc_create
        access_persistent: muc_create
        max_user_conferences: 1000
        default_room_options:
          mam: true
                EOF
  },
  {
    name: "5apps.com",
    sql_database: "ejabberd_5apps",
    ldap_enabled: true,
    ldap_password: ejabberd_credentials['5apps_ldap_password'],
    append_host_config: <<-EOF
modules:
      mod_muc:
        host: "muc.@HOST@"
        access:
          - allow: local
        access_admin:
          - allow: admin
        access_create: muc_create
        access_persistent: muc_create
        max_user_conferences: 1000
        default_room_options:
          anonymous: false
          public: true
          members_only: true
          public_list: false
          persistent: true
          mam: true
                EOF
  }
]

ldap_domain = node['kosmos-dirsrv']['master_hostname']
ldap_encryption_type = node.chef_environment == "development" ? "none" : "tls"
ldap_base = "cn=users,dc=kosmos,dc=org"

admin_users = ejabberd_credentials['admins']

hosts.each do |host|
  postgresql_database host[:sql_database] do
    owner 'ejabberd'
    action :create
    notifies :run, "execute[create db schema #{host[:sql_database]}]", :delayed
  end

  execute "create db schema #{host[:sql_database]}" do
    user "ejabberd"
    command "psql #{host[:sql_database]}} < #{Chef::Config[:file_cache_path]}/pg.sql"
    action :nothing
  end

  template "/opt/ejabberd/conf/#{host[:name]}.yml" do
    source    "vhost.yml.erb"
    mode      0640
    owner     'ejabberd'
    group     'ejabberd'
    sensitive true
    variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password'],
              host: host,
              ldap_base: ldap_base,
              ldap_server: ldap_domain,
              ldap_encryption_type: ldap_encryption_type
  end
end

template "/opt/ejabberd/conf/ejabberd.yml" do
  source    "ejabberd.yml.erb"
  mode      0640
  sensitive true
  variables pgsql_password: postgresql_data_bag_item['ejabberd_user_password'],
            hosts: hosts,
            admin_users: admin_users
  notifies :run, "execute[ejabberdctl reload_config]", :delayed
end

execute "ejabberdctl reload_config" do
  command "/opt/ejabberd-#{ejabberd_version}/bin/ejabberdctl reload_config"
  action :nothing
end

file "/etc/init.d/ejabberd" do
  action :delete
end

# Copy the systemd service file
file "/lib/systemd/system/ejabberd.service" do
  content lazy { IO.read("/opt/ejabberd-#{ejabberd_version}/bin/ejabberd.service") }
  action :nothing
  notifies :run, "execute[systemctl daemon-reload]", :immediately
  notifies :restart, "service[ejabberd]", :delayed
end

execute "systemctl daemon-reload" do
  command "systemctl daemon-reload"
  action :nothing
end

# Set permissions for the upload folders
%w(xmpp.kosmos.org xmpp.5apps.com).each do |domain|
  directory "/opt/ejabberd/uploads/#{domain}" do
    owner "ejabberd"
    group "ejabberd"
    mode 0750
    recursive true
  end
end

service "ejabberd" do
  action [:enable, :start]
end

unless node.chef_environment == "development"
  firewall_rule 'ejabberd' do
    port     [5222, 5223, 5269, 5280, 5443]
    protocol :tcp
    command  :allow
  end
end

#
# Tor hidden service
#
# The attributes for the hidden service are set in attributes/default.rb, due
# to the way the tor-full cookbook builds the path to the hidden service dir
include_recipe "tor-full"