home-server/roles/dmz_prosody_front/tasks/main.yml

---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.

### UPSTREAM BEGIN ⇒ ###
- name: pull prerequisites from upstream
  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml
  vars:
    msg: Prosody
### ⇐ UPSTREAM BEGIN ###

- name: install software
  package:
    name: "{{item}}"
    state: present
  with_items:
    - prosody
    - postgresql-libs
    - lua51-sec
    - lua51-bitop
    - lua51-dbi

- name: install AUR software
  include_role:
    name: aur.inc
    allow_duplicates: true
  vars:
    pkg_names: |
      [
        "lua51-event",
        "lua51-lpty",
        "prosody-mod-auth-external-hg",
        "prosody-mod-auto-accept-subscriptions-hg",
        "prosody-mod-csi-hg",
        "prosody-mod-filter-chatstates-hg",
        "prosody-mod-http-upload-external-hg",
        "prosody-mod-offline-email-hg",
        "prosody-mod-smacks",
        "prosody-mod-throttle_presence"
      ]
    aur_user: git
    #    "prosody-mod-log-auth",
    #    "prosody-mod-mam-archive",
    #    "prosody-mod-mam-muc",

### UPSTREAM END ⇒ ###
- name: merge upstream
  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
  vars:
    msg: Prosody
### ⇐ UPSTREAM END ###

- name: set ownership of prosody’s working directory
  file:
    path: /var/lib/prosody
    state: directory
    owner: prosody
    group: jabber
    mode: 0751

- name: create a directory for HTTP files
  file:
    path: /var/lib/prosody/httpd
    state: directory
    owner: prosody
    group: jabber
    mode: 0750

- name: create a directory for HTTP uploads
  file:
    path: /var/lib/prosody/http_upload
    state: directory
    owner: http
    group: jabber
    mode: 06770

- name: prepare overriding prosody settings
  file:
    name: /etc/systemd/system/prosody.service.d
    state: directory
    mode: 0755

- name: secure prosody systemd settings
  copy:
    content: |
      [Service]
      User=prosody
      Group=jabber
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
      PrivateTmp=true
      PrivateDevices=true
      ProtectSystem=full
      ProtectHome=true
      NoNewPrivileges=true
    dest: /etc/systemd/system/prosody.service.d/secure-{{nickname}}.conf
    mode: 0644
  notify:
    - restart prosody.service

- name: set XMPP admins
  lineinfile:
    path: /etc/prosody/prosody.cfg.lua
    regexp: '^admins\s*='
    line: 'admins = { ''{{xmpp_admins | replace(" ", "'', ''")}}'' }'
  notify:
    - restart prosody.service

- name: enable libevent
  lineinfile:
    path: /etc/prosody/prosody.cfg.lua
    regexp: '^-*use_libevent\s*='
    line: 'use_libevent = true;'
  notify:
    - restart prosody.service

- name: enable some modules
  replace:
    path: /etc/prosody/prosody.cfg.lua
    regexp: '^(\s*)-+("{{item}}";.*)$'
    replace: '\1\2'
  with_items:
    - blocklist
    - bosh
    - carbons
    - groups
    - http_files
    - mam
    - saslauth
    - websocket
  notify:
    - restart prosody.service

- name: enable additional modules
  blockinfile:
    path: /etc/prosody/prosody.cfg.lua
    marker: '  -- {mark} Additional modules'
    block: |
      "auto_accept_subscriptions"; -- friends automatically accepted
      "csi"; -- filter activity depending on mobile state
      "filter_chatstates"; -- csi: filter chat states when inactive
      "http_upload_external"; -- share files in MUCs
      "lastactivity"; -- query users’ idle time
      --"log_auth"; -- log authentication failures for fail2ban
      "mam_adhoc"; -- manage mam from the client
      --"mam_archive"; -- allow mam-enabled clients to read MUC logs
      --"mam_muc"; -- record MUC messages using mam
      "offline_email"; -- get missed messages by email
      "pubsub"; -- publish-suscribe / lien social
      "smacks"; -- ignore temporary disconnects
      "throttle_presence"; -- csi: limit presence updates when inactive
    insertafter: '^\s*modules_enabled\s*=\s*{'
  notify:
    - restart prosody.service

- name: set BASH authentication
  lineinfile:
    path: /etc/prosody/prosody.cfg.lua
    regexp: '^\s*authentication\s*='
    line: 'authentication = "external"'
  notify:
    - restart prosody.service

- name: send authentication script
  copy:
    content: |
      #!/bin/bash
      function ldap_esc() {
        printf %s "$1" | (LANG=C
          grep -o . | while IFS='' read -r c; do
            [[ "$c" =~ [-.A-Za-z0-9] ]] && printf %s "$c" || printf \\%02x "'$c"
          done)
      }
      function do_auth() {
        local u d p
        IFS=: read u d p <<<"$1"
        ldapwhoami -H 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/' \
          -D "uid=$(ldap_esc "$u"),ou=Users,{{ldap_root}}" -w "$p"
      }
      function do_isuser() {
        local u d
        IFS=: read u d <<<"$1"
        ldapsearch -H 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/' -A -s sub -x \
          -b 'ou=Users,{{ldap_root}}' "(uid=$(ldap_esc "$u"))" | grep ^uid:
      }
      function do_setpass() {
        false
      }
      while true; do
        IFS=: read fct params || { sleep 1s; continue; }
        case "$fct" in
        auth) do_auth "$params" ;;
        isuser) do_isuser "$params" ;;
        setpass) do_setpass "$params" ;;
        *) false ;;
        esac >/dev/null
        if [ $? -eq 0 ]; then
          echo "$fct:${params%%:*} YES" | systemd-cat -t "prosody_auth" -p notice
          echo 1
        else
          echo "$fct:${params%%:*} NO" | systemd-cat -t "prosody_auth" -p notice
          echo 0
        fi
      done
    dest: /etc/prosody/external_auth.sh
    owner: prosody
    mode: 0500

- name: set SQL storage
  lineinfile:
    path: /etc/prosody/prosody.cfg.lua
    regexp: '^\s*(?:--)?storage\s*='
    line: 'storage = "sql" -- Default is "internal"'
  notify:
    - restart prosody.service

- name: enable PostgreSQL access
  lineinfile:
    path: /etc/prosody/prosody.cfg.lua
    regexp: '^\s*(?:--)?sql\s*=.*PostgreSQL'
    line: >
      sql = {
      driver = "PostgreSQL",
      database = "{{prosody_db}}",
      username = "{{prosody_db_user}}",
      password = "{{prosody_db_password}}",
      host = "/run/shared_sockets"}

- name: custom extra configuration
  blockinfile:
    path: /etc/prosody/prosody.cfg.lua
    marker: '-- {mark} Additional configuration'
    block: |
      -- configure bash authentication
      external_auth_command = "/etc/prosody/external_auth.sh"
      -- hide OS type from mod_version output
      hide_os_type = true
      -- limit registration
      allow_registration = true
      whitelist_registration_only = true
      registration_whitelist = { '{{xmpp_registration_hosts | replace(" ", "', '")}}' }
      -- configure HTTP
      http_files_dir = "/var/lib/prosody/httpd"
      http_paths = {
        websocket = "{{http_pfx_prosody}}websocket";
        bosh = "{{http_pfx_prosody}}bind";
        files = "{{http_pfx_prosody}}shared";
        upload = "{{http_pfx_prosody}}upload";
      }
      http_default_host = "{{net_soa}}"
      http_external_url = "https://{{net_soa}}"
      -- configure uploads
      http_upload_external_base_url = "https://{{net_soa}}/xmpp-upload/"
      http_upload_external_secret = "{{xmpp_upload_secret}}"
      http_upload_file_size_limit = 5 * 1024 * 1024 -- 5MB in bytes
      --http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds
      -- configure websockets (ws:localhost:5280/websocket)
      cross_domain_websocket = true
      consider_websocket_secure = true
      -- configure BOSH (http://localhost:5280/bind)
      cross_domain_bosh = true
      consider_bosh_secure = true
      -- configure MAM
      default_archive_policy = "roster"
      archive_expires_after = "1m"
      archive_cleanup_interval = 24 * 60 * 60 -- once a day
      muc_log_by_default = true
      max_history_messages = 500
      -- configure email sending
      smtp_from = "xmpp-offline-do-not-reply@{{net_soa}}"
      -- setup the virtual host
      VirtualHost "{{net_soa}}"
      -- declare publish-suscribe
      Component "{{net_subdom_pubsub}}.{{net_soa}}" "pubsub"
      -- declare Multi-User Chat
      Component "{{net_subdom_muc}}.{{net_soa}}" "muc"
    insertbefore: '^--+ Virtual hosts'
  notify:
    - restart prosody.service

- name: use http_upload_external’s PHP handler
  template:
    src: templates/xep0363_http_upload.php.j2
    dest: /srv/webapps/xep0363_http_upload.php
    group: http
    mode: 0755

- name: configure nginx for prosody
  copy:
    content: |
      location {{http_pfx_prosody}} {
        proxy_pass http://localhost:5280;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_buffering off;
        tcp_nodelay on;
      }
      location {{http_pfx_prosody}}websocket {
        proxy_pass http://localhost:5280;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 30m;
        proxy_buffering off;
        tcp_nodelay on;
      }
      location {{http_pfx_prosody}}upload {
        rewrite ^({{http_pfx_prosody}}upload)(/.*)?$ /php.../srv/webapps/xep0363_http_upload.php/...$1/.../...$2 last;
      }
    dest: /etc/nginx/inc.d/prosody.https.inc
    mode: 0440
    owner: http
    group: http
  notify:
    - restart nginx.service

- name: enable prosody
  systemd:
    daemon_reload: true
    name: prosody.service
    enabled: true

### LOCAL COMMIT ⇒ ###
- name: commit local changes
  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
  vars:
    msg: Prosody
### ⇐ LOCAL COMMIT ###
- meta: flush_handlers