331 lines
9.6 KiB
YAML
331 lines
9.6 KiB
YAML
|
---
|
|||
|
# The home-server project produces a multi-purpose setup using Ansible.
|
|||
|
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
|||
|
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
|||
|
|
|||
|
### UPSTREAM BEGIN ⇒ ###
|
|||
|
- name: pull prerequisites from upstream
|
|||
|
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml
|
|||
|
vars:
|
|||
|
msg: Prosody
|
|||
|
### ⇐ UPSTREAM BEGIN ###
|
|||
|
|
|||
|
- name: install software
|
|||
|
package:
|
|||
|
name: "{{item}}"
|
|||
|
state: present
|
|||
|
with_items:
|
|||
|
- prosody
|
|||
|
- postgresql-libs
|
|||
|
- lua51-sec
|
|||
|
- lua51-bitop
|
|||
|
- lua51-dbi
|
|||
|
|
|||
|
- name: install AUR software
|
|||
|
include_role:
|
|||
|
name: aur.inc
|
|||
|
allow_duplicates: true
|
|||
|
vars:
|
|||
|
pkg_names: |
|
|||
|
[
|
|||
|
"lua51-event",
|
|||
|
"lua51-lpty",
|
|||
|
"prosody-mod-auth-external-hg",
|
|||
|
"prosody-mod-auto-accept-subscriptions-hg",
|
|||
|
"prosody-mod-csi-hg",
|
|||
|
"prosody-mod-filter-chatstates-hg",
|
|||
|
"prosody-mod-http-upload-external-hg",
|
|||
|
"prosody-mod-offline-email-hg",
|
|||
|
"prosody-mod-smacks",
|
|||
|
"prosody-mod-throttle_presence"
|
|||
|
]
|
|||
|
aur_user: git
|
|||
|
# "prosody-mod-log-auth",
|
|||
|
# "prosody-mod-mam-archive",
|
|||
|
# "prosody-mod-mam-muc",
|
|||
|
|
|||
|
### UPSTREAM END ⇒ ###
|
|||
|
- name: merge upstream
|
|||
|
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
|
|||
|
vars:
|
|||
|
msg: Prosody
|
|||
|
### ⇐ UPSTREAM END ###
|
|||
|
|
|||
|
- name: set ownership of prosody’s working directory
|
|||
|
file:
|
|||
|
path: /var/lib/prosody
|
|||
|
state: directory
|
|||
|
owner: prosody
|
|||
|
group: jabber
|
|||
|
mode: 0751
|
|||
|
|
|||
|
- name: create a directory for HTTP files
|
|||
|
file:
|
|||
|
path: /var/lib/prosody/httpd
|
|||
|
state: directory
|
|||
|
owner: prosody
|
|||
|
group: jabber
|
|||
|
mode: 0750
|
|||
|
|
|||
|
- name: create a directory for HTTP uploads
|
|||
|
file:
|
|||
|
path: /var/lib/prosody/http_upload
|
|||
|
state: directory
|
|||
|
owner: http
|
|||
|
group: jabber
|
|||
|
mode: 06770
|
|||
|
|
|||
|
- name: prepare overriding prosody settings
|
|||
|
file:
|
|||
|
name: /etc/systemd/system/prosody.service.d
|
|||
|
state: directory
|
|||
|
mode: 0755
|
|||
|
|
|||
|
- name: secure prosody systemd settings
|
|||
|
copy:
|
|||
|
content: |
|
|||
|
[Service]
|
|||
|
User=prosody
|
|||
|
Group=jabber
|
|||
|
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
|
|||
|
PrivateTmp=true
|
|||
|
PrivateDevices=true
|
|||
|
ProtectSystem=full
|
|||
|
ProtectHome=true
|
|||
|
NoNewPrivileges=true
|
|||
|
dest: /etc/systemd/system/prosody.service.d/secure-{{nickname}}.conf
|
|||
|
mode: 0644
|
|||
|
notify:
|
|||
|
- restart prosody.service
|
|||
|
|
|||
|
- name: set XMPP admins
|
|||
|
lineinfile:
|
|||
|
path: /etc/prosody/prosody.cfg.lua
|
|||
|
regexp: '^admins\s*='
|
|||
|
line: 'admins = { ''{{xmpp_admins | replace(" ", "'', ''")}}'' }'
|
|||
|
notify:
|
|||
|
- restart prosody.service
|
|||
|
|
|||
|
- name: enable libevent
|
|||
|
lineinfile:
|
|||
|
path: /etc/prosody/prosody.cfg.lua
|
|||
|
regexp: '^-*use_libevent\s*='
|
|||
|
line: 'use_libevent = true;'
|
|||
|
notify:
|
|||
|
- restart prosody.service
|
|||
|
|
|||
|
- name: enable some modules
|
|||
|
replace:
|
|||
|
path: /etc/prosody/prosody.cfg.lua
|
|||
|
regexp: '^(\s*)-+("{{item}}";.*)$'
|
|||
|
replace: '\1\2'
|
|||
|
with_items:
|
|||
|
- blocklist
|
|||
|
- bosh
|
|||
|
- carbons
|
|||
|
- groups
|
|||
|
- http_files
|
|||
|
- mam
|
|||
|
- saslauth
|
|||
|
- websocket
|
|||
|
notify:
|
|||
|
- restart prosody.service
|
|||
|
|
|||
|
- name: enable additional modules
|
|||
|
blockinfile:
|
|||
|
path: /etc/prosody/prosody.cfg.lua
|
|||
|
marker: ' -- {mark} Additional modules'
|
|||
|
block: |
|
|||
|
"auto_accept_subscriptions"; -- friends automatically accepted
|
|||
|
"csi"; -- filter activity depending on mobile state
|
|||
|
"filter_chatstates"; -- csi: filter chat states when inactive
|
|||
|
"http_upload_external"; -- share files in MUCs
|
|||
|
"lastactivity"; -- query users’ idle time
|
|||
|
--"log_auth"; -- log authentication failures for fail2ban
|
|||
|
"mam_adhoc"; -- manage mam from the client
|
|||
|
--"mam_archive"; -- allow mam-enabled clients to read MUC logs
|
|||
|
--"mam_muc"; -- record MUC messages using mam
|
|||
|
"offline_email"; -- get missed messages by email
|
|||
|
"pubsub"; -- publish-suscribe / lien social
|
|||
|
"smacks"; -- ignore temporary disconnects
|
|||
|
"throttle_presence"; -- csi: limit presence updates when inactive
|
|||
|
insertafter: '^\s*modules_enabled\s*=\s*{'
|
|||
|
notify:
|
|||
|
- restart prosody.service
|
|||
|
|
|||
|
- name: set BASH authentication
|
|||
|
lineinfile:
|
|||
|
path: /etc/prosody/prosody.cfg.lua
|
|||
|
regexp: '^\s*authentication\s*='
|
|||
|
line: 'authentication = "external"'
|
|||
|
notify:
|
|||
|
- restart prosody.service
|
|||
|
|
|||
|
- name: send authentication script
|
|||
|
copy:
|
|||
|
content: |
|
|||
|
#!/bin/bash
|
|||
|
function ldap_esc() {
|
|||
|
printf %s "$1" | (LANG=C
|
|||
|
grep -o . | while IFS='' read -r c; do
|
|||
|
[[ "$c" =~ [-.A-Za-z0-9] ]] && printf %s "$c" || printf \\%02x "'$c"
|
|||
|
done)
|
|||
|
}
|
|||
|
function do_auth() {
|
|||
|
local u d p
|
|||
|
IFS=: read u d p <<<"$1"
|
|||
|
ldapwhoami -H 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/' \
|
|||
|
-D "uid=$(ldap_esc "$u"),ou=Users,{{ldap_root}}" -w "$p"
|
|||
|
}
|
|||
|
function do_isuser() {
|
|||
|
local u d
|
|||
|
IFS=: read u d <<<"$1"
|
|||
|
ldapsearch -H 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/' -A -s sub -x \
|
|||
|
-b 'ou=Users,{{ldap_root}}' "(uid=$(ldap_esc "$u"))" | grep ^uid:
|
|||
|
}
|
|||
|
function do_setpass() {
|
|||
|
false
|
|||
|
}
|
|||
|
while true; do
|
|||
|
IFS=: read fct params || { sleep 1s; continue; }
|
|||
|
case "$fct" in
|
|||
|
auth) do_auth "$params" ;;
|
|||
|
isuser) do_isuser "$params" ;;
|
|||
|
setpass) do_setpass "$params" ;;
|
|||
|
*) false ;;
|
|||
|
esac >/dev/null
|
|||
|
if [ $? -eq 0 ]; then
|
|||
|
echo "$fct:${params%%:*} YES" | systemd-cat -t "prosody_auth" -p notice
|
|||
|
echo 1
|
|||
|
else
|
|||
|
echo "$fct:${params%%:*} NO" | systemd-cat -t "prosody_auth" -p notice
|
|||
|
echo 0
|
|||
|
fi
|
|||
|
done
|
|||
|
dest: /etc/prosody/external_auth.sh
|
|||
|
owner: prosody
|
|||
|
mode: 0500
|
|||
|
|
|||
|
- name: set SQL storage
|
|||
|
lineinfile:
|
|||
|
path: /etc/prosody/prosody.cfg.lua
|
|||
|
regexp: '^\s*(?:--)?storage\s*='
|
|||
|
line: 'storage = "sql" -- Default is "internal"'
|
|||
|
notify:
|
|||
|
- restart prosody.service
|
|||
|
|
|||
|
- name: enable PostgreSQL access
|
|||
|
lineinfile:
|
|||
|
path: /etc/prosody/prosody.cfg.lua
|
|||
|
regexp: '^\s*(?:--)?sql\s*=.*PostgreSQL'
|
|||
|
line: >
|
|||
|
sql = {
|
|||
|
driver = "PostgreSQL",
|
|||
|
database = "{{prosody_db}}",
|
|||
|
username = "{{prosody_db_user}}",
|
|||
|
password = "{{prosody_db_password}}",
|
|||
|
host = "/run/shared_sockets"}
|
|||
|
|
|||
|
- name: custom extra configuration
|
|||
|
blockinfile:
|
|||
|
path: /etc/prosody/prosody.cfg.lua
|
|||
|
marker: '-- {mark} Additional configuration'
|
|||
|
block: |
|
|||
|
-- configure bash authentication
|
|||
|
external_auth_command = "/etc/prosody/external_auth.sh"
|
|||
|
-- hide OS type from mod_version output
|
|||
|
hide_os_type = true
|
|||
|
-- limit registration
|
|||
|
allow_registration = true
|
|||
|
whitelist_registration_only = true
|
|||
|
registration_whitelist = { '{{xmpp_registration_hosts | replace(" ", "', '")}}' }
|
|||
|
-- configure HTTP
|
|||
|
http_files_dir = "/var/lib/prosody/httpd"
|
|||
|
http_paths = {
|
|||
|
websocket = "{{http_pfx_prosody}}websocket";
|
|||
|
bosh = "{{http_pfx_prosody}}bind";
|
|||
|
files = "{{http_pfx_prosody}}shared";
|
|||
|
upload = "{{http_pfx_prosody}}upload";
|
|||
|
}
|
|||
|
http_default_host = "{{net_soa}}"
|
|||
|
http_external_url = "https://{{net_soa}}"
|
|||
|
-- configure uploads
|
|||
|
http_upload_external_base_url = "https://{{net_soa}}/xmpp-upload/"
|
|||
|
http_upload_external_secret = "{{xmpp_upload_secret}}"
|
|||
|
http_upload_file_size_limit = 5 * 1024 * 1024 -- 5MB in bytes
|
|||
|
--http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds
|
|||
|
-- configure websockets (ws:localhost:5280/websocket)
|
|||
|
cross_domain_websocket = true
|
|||
|
consider_websocket_secure = true
|
|||
|
-- configure BOSH (http://localhost:5280/bind)
|
|||
|
cross_domain_bosh = true
|
|||
|
consider_bosh_secure = true
|
|||
|
-- configure MAM
|
|||
|
default_archive_policy = "roster"
|
|||
|
archive_expires_after = "1m"
|
|||
|
archive_cleanup_interval = 24 * 60 * 60 -- once a day
|
|||
|
muc_log_by_default = true
|
|||
|
max_history_messages = 500
|
|||
|
-- configure email sending
|
|||
|
smtp_from = "xmpp-offline-do-not-reply@{{net_soa}}"
|
|||
|
-- setup the virtual host
|
|||
|
VirtualHost "{{net_soa}}"
|
|||
|
-- declare publish-suscribe
|
|||
|
Component "{{net_subdom_pubsub}}.{{net_soa}}" "pubsub"
|
|||
|
-- declare Multi-User Chat
|
|||
|
Component "{{net_subdom_muc}}.{{net_soa}}" "muc"
|
|||
|
insertbefore: '^--+ Virtual hosts'
|
|||
|
notify:
|
|||
|
- restart prosody.service
|
|||
|
|
|||
|
- name: use http_upload_external’s PHP handler
|
|||
|
template:
|
|||
|
src: templates/xep0363_http_upload.php.j2
|
|||
|
dest: /srv/webapps/xep0363_http_upload.php
|
|||
|
group: http
|
|||
|
mode: 0755
|
|||
|
|
|||
|
- name: configure nginx for prosody
|
|||
|
copy:
|
|||
|
content: |
|
|||
|
location {{http_pfx_prosody}} {
|
|||
|
proxy_pass http://localhost:5280;
|
|||
|
proxy_http_version 1.1;
|
|||
|
proxy_set_header Host $host;
|
|||
|
proxy_buffering off;
|
|||
|
tcp_nodelay on;
|
|||
|
}
|
|||
|
location {{http_pfx_prosody}}websocket {
|
|||
|
proxy_pass http://localhost:5280;
|
|||
|
proxy_http_version 1.1;
|
|||
|
proxy_set_header Host $host;
|
|||
|
proxy_set_header Upgrade $http_upgrade;
|
|||
|
proxy_set_header Connection "upgrade";
|
|||
|
proxy_read_timeout 30m;
|
|||
|
proxy_buffering off;
|
|||
|
tcp_nodelay on;
|
|||
|
}
|
|||
|
location {{http_pfx_prosody}}upload {
|
|||
|
rewrite ^({{http_pfx_prosody}}upload)(/.*)?$ /php.../srv/webapps/xep0363_http_upload.php/...$1/.../...$2 last;
|
|||
|
}
|
|||
|
dest: /etc/nginx/inc.d/prosody.https.inc
|
|||
|
mode: 0440
|
|||
|
owner: http
|
|||
|
group: http
|
|||
|
notify:
|
|||
|
- restart nginx.service
|
|||
|
|
|||
|
- name: enable prosody
|
|||
|
systemd:
|
|||
|
daemon_reload: true
|
|||
|
name: prosody.service
|
|||
|
enabled: true
|
|||
|
|
|||
|
### LOCAL COMMIT ⇒ ###
|
|||
|
- name: commit local changes
|
|||
|
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
|
|||
|
vars:
|
|||
|
msg: Prosody
|
|||
|
### ⇐ LOCAL COMMIT ###
|
|||
|
- meta: flush_handlers
|