---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
### UPSTREAM BEGIN ⇒ ###
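# etckeeper.inc with tasks_from upstream.yml is expected to record the state of
# /etc before the package manager touches it, so that "merge upstream" below can
# reconcile package-shipped files with local edits — see that role for details.
# Native YAML arguments instead of a key=value string: allow_duplicates becomes a
# real boolean and the call reads like the other include_role tasks in this file.
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true  # the same role is included several times per play
    tasks_from: upstream.yml
  vars:
    msg: Prosody  # presumably the label the role puts in its commit message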
### ⇐ UPSTREAM BEGIN ###
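# Distribution packages, installed in a single package transaction (one module
# call with the whole list) instead of looping the package module per item.
- name: install software
  package:
    name:
      - prosody
      - postgresql-libs  # client library for the PostgreSQL storage enabled below
      - lua52-sec  # LuaSec: TLS for the Lua 5.2 runtime prosody runs on
      - lua52-bitop
      - lua52-dbi  # LuaDBI: SQL driver behind `storage = "sql"` below
    state: present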
# Packages that only exist in the Arch User Repository are built and installed
# through the aur.inc role: Prosody community modules and two Lua libraries.
# The matching module names are switched on in later tasks.
- name: install AUR software
  include_role:
    name: aur.inc
    allow_duplicates: true
  vars:
    # Build as an unprivileged account rather than root; the role is presumed to
    # run the build as this user — confirm in aur.inc.
    aur_user: git
    # NOTE(review): the "-hg" suffix usually marks a VCS package built from the
    # upstream repository head rather than a pinned release, so two runs may
    # install different code — check the PKGBUILDs if reproducibility matters.
    packages:
      - lua52-event  # libevent bindings, see "enable libevent"
      - lua52-lpty
      - prosody-mod-auth-imap-hg
      - prosody-mod-auto-accept-subscriptions-hg
      - prosody-mod-filter-chatstates-hg
      - prosody-mod-http-upload-external-hg
      - prosody-mod-offline-email-hg
      - prosody-mod-smacks
      - prosody-mod-throttle_presence
      # Kept disabled here and in "enable additional modules":
      # - prosody-mod-log-auth
      # - prosody-mod-mam-archive
      # - prosody-mod-mam-muc
### UPSTREAM END ⇒ ###
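# Counterpart of "pull prerequisites from upstream": etckeeper.inc with
# tasks_from merge.yml is expected to reconcile the files the packages just
# installed with the locally maintained versions — see that role for details.
# Native YAML arguments instead of a key=value string (see the first task).
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: Prosody  # presumably the label the role puts in its commit message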
### ⇐ UPSTREAM END ###
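# Prosody's data directory. The mode is quoted: an unquoted 0751 is an octal
# integer only under YAML 1.1 parsers, the string form is unambiguous.
- name: set ownership of prosody’s working directory
  file:
    path: /var/lib/prosody
    state: directory
    owner: prosody
    group: jabber  # the group the service runs as (see the systemd drop-in below)
    # o+x without o+r: other accounts (e.g. http, which owns http_upload below)
    # can traverse into subdirectories but cannot list this directory.
    mode: "0751"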
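# Static files served by mod_http_files (http_files_dir in the custom
# configuration block). Quoted mode, see "set ownership" above.
- name: create a directory for HTTP files
  file:
    path: /var/lib/prosody/httpd
    state: directory
    owner: prosody
    group: jabber
    mode: "0750"  # no access for accounts outside the jabber group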
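# Upload storage shared between the web server (presumably the PHP handler
# installed below, hence owner http) and prosody (group jabber).
- name: create a directory for HTTP uploads
  file:
    path: /var/lib/prosody/http_upload
    state: directory
    owner: http
    group: jabber
    # setgid (the 2) makes new files inherit the jabber group; group-writable so
    # both sides can manage the tree; no access for others. The leading 4
    # (setuid) has no effect on directories on Linux and is kept only to leave
    # the on-disk mode unchanged. Quoted for YAML 1.2 parsers.
    mode: "06770"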
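# Drop-in directory for the packaged prosody.service unit.
- name: prepare overriding prosody settings
  file:
    path: /etc/systemd/system/prosody.service.d  # canonical key; `name` is its alias
    state: directory
    mode: "0755"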
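# Hardening drop-in for the packaged unit, kept as a separate file so package
# updates of prosody.service do not overwrite it.
# - User/Group: run unprivileged as prosody:jabber
# - CapabilityBoundingSet: caps the capabilities the service can ever hold
# - PrivateTmp / PrivateDevices: private /tmp, no access to physical devices
# - ProtectSystem=full: /usr, /boot and /etc read-only for the service
# - ProtectHome: home directories are inaccessible
# - NoNewPrivileges: setuid/setgid binaries cannot raise privileges
- name: secure prosody systemd settings
  copy:
    content: |
      [Service]
      User=prosody
      Group=jabber
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
      PrivateTmp=true
      PrivateDevices=true
      ProtectSystem=full
      ProtectHome=true
      NoNewPrivileges=true
    # nickname is presumably a host-specific label; confirm where it is defined.
    dest: /etc/systemd/system/prosody.service.d/secure-{{nickname}}.conf
    mode: "0644"
  # The restart runs at flush_handlers at the end of the file, after "enable
  # prosody" has done its daemon_reload, so the drop-in is in effect by then.
  notify:
    - restart prosody.service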
# Make the JIDs in xmpp_admins (space-separated) prosody admins by rewriting the
# `admins = { ... }` line of the stock configuration.
- name: set XMPP admins
  lineinfile:
    path: /etc/prosody/prosody.cfg.lua
    # Anchored at column 0, so an indented or commented variant is not touched.
    regexp: '^admins\s*='
    # Each space in xmpp_admins becomes `', '`, turning the list into single-
    # quoted Lua strings. Nothing is escaped: a value containing a quote would
    # break the table, so the variable must remain operator-controlled.
    line: "admins = { '{{xmpp_admins | replace(\" \", \"', '\")}}' }"
  notify:
    - restart prosody.service
# Switch prosody's network backend to libevent (lua52-event from the AUR task).
- name: enable libevent
  lineinfile:
    path: /etc/prosody/prosody.cfg.lua
    # `-*` also matches the commented-out default (`--use_libevent = ...`).
    regexp: '^-*use_libevent\s*='
    line: "use_libevent = true;"
  notify:
    - restart prosody.service
# Uncomment stock modules that ship commented out inside modules_enabled: the
# regexp strips the run of leading `-` in front of `"<module>";` and keeps the
# indentation (group 1) and the rest of the line (group 2).
- name: enable some modules
  replace:
    path: /etc/prosody/prosody.cfg.lua
    # item is interpolated into the regexp unescaped; every value below is a
    # plain identifier, keep it that way.
    regexp: '^(\s*)-+("{{item}}";.*)$'
    replace: '\1\2'
  notify:
    - restart prosody.service
  with_items:
    - blocklist
    - bosh  # HTTP long-polling transport, proxied by nginx below
    - carbons
    - groups
    - http_files  # serves /var/lib/prosody/httpd (http_files_dir below)
    - mam
    - saslauth
    - websocket  # proxied by nginx below with the Upgrade headers
# Community modules (the AUR packages above) appended inside the modules_enabled
# table between blockinfile markers; the marker keeps a leading space so it
# sits inside the table like the entries.
# NOTE(review): auto_accept_subscriptions lets any contact subscribe to a
# user's presence without consent and lastactivity exposes idle times to
# whoever may query them — deliberate here, but privacy-relevant.
- name: enable additional modules
  blockinfile:
    path: /etc/prosody/prosody.cfg.lua
    insertafter: '^\s*modules_enabled\s*=\s*{'
    marker: ' -- {mark} Additional modules'
    block: |
      "auto_accept_subscriptions"; -- friends automatically accepted
      "csi"; -- filter activity depending on mobile state
      "filter_chatstates"; -- csi: filter chat states when inactive
      "http_upload_external"; -- share files in MUCs
      "lastactivity"; -- query users’ idle time
      --"log_auth"; -- log authentication failures for fail2ban
      "mam_adhoc"; -- manage mam from the client
      --"mam_archive"; -- allow mam-enabled clients to read MUC logs
      --"mam_muc"; -- record MUC messages using mam
      "offline_email"; -- get missed messages by email
      "pubsub"; -- publish-suscribe / lien social
      "smacks"; -- ignore temporary disconnects
      "throttle_presence"; -- csi: limit presence updates when inactive
  notify:
    - restart prosody.service
# Authenticate XMPP users against the IMAP server through mod_auth_imap (the
# prosody-mod-auth-imap-hg package above); its settings live in the "custom
# extra configuration" block further down.
- name: set IMAP authentication
  lineinfile:
    path: /etc/prosody/prosody.cfg.lua
    regexp: '^\s*authentication\s*='
    line: "authentication = \"imap\""
  notify:
    - restart prosody.service
# Presumably a leftover from an earlier external-auth setup that the IMAP
# module replaces; nothing in this file references the script any more.
- name: remove authentication script
  file:
    path: /etc/prosody/external_auth.sh  # canonical key; `dest` is its alias
    state: absent
# Switch storage from the built-in flat files to SQL; driver and credentials
# are written by the next task.
- name: set SQL storage
  lineinfile:
    path: /etc/prosody/prosody.cfg.lua
    # matches both the live and the commented (`--storage =`) spelling
    regexp: '^\s*(?:--)?storage\s*='
    line: "storage = \"sql\" -- Default is \"internal\""
  notify:
    - restart prosody.service
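# Point the SQL storage at PostgreSQL. The rendered line carries
# prosody_db_password, so the task is no_log to keep the secret out of play
# output and diffs, and it notifies the restart handler like every other
# configuration task here (previously a credential change was not applied
# until something else restarted prosody). prosody.cfg.lua now holds the
# password: it must not be world-readable — assumed to be guaranteed by the
# package's default permissions, verify.
- name: enable PostgreSQL access
  no_log: true
  lineinfile:
    path: /etc/prosody/prosody.cfg.lua
    # matches the stock commented example (`--sql = { driver = "PostgreSQL", ...`)
    regexp: '^\s*(?:--)?sql\s*=.*PostgreSQL'
    # `>-` folds the table onto one line and drops the trailing newline that
    # `>` keeps; lineinfile adds its own line ending either way.
    line: >-
      sql = {
      driver = "PostgreSQL",
      database = "{{prosody_db}}",
      username = "{{prosody_db_user}}",
      password = "{{prosody_db_password}}",
      host = "/run/shared_sockets"}
  notify:
    - restart prosody.service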
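# Cap the syslog sink at level "info": prosody's debug output can echo
# credentials. Only an already-enabled sink is rewritten — group 1 keeps any
# `--` prefix, so a commented-out sink stays commented. Like the other
# configuration tasks, a change now notifies the restart handler.
- name: restrict syslog (“debug” may contain passwords!)
  lineinfile:
    path: /etc/prosody/prosody.cfg.lua
    # Prosody's distributed example config spells the sink `"*syslog"` (verify
    # against the installed file); `"\*?syslog"` accepts that form and the
    # plain `"syslog"`, whereas the previous `"*syslog"` (zero or more quotes,
    # then syslog) could never match a literal `*`.
    regexp: '^(\s*(?:--\s*)?)"\*?syslog"'
    backrefs: true
    line: '\1{ to = "syslog", levels = { min = "info" } };'
  notify:
    - restart prosody.service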
# Site-specific settings inserted before the "Virtual hosts" section of the
# stock file. Points a reviewer should know about this block:
# - auth_imap_verify_certificate = false disables TLS certificate checking
#   towards the IMAP backend; only acceptable if that connection stays on a
#   trusted path (e.g. localhost) — confirm where mod_auth_imap connects.
# - cross_domain_websocket / cross_domain_bosh allow browser clients from any
#   origin; consider_*_secure trusts that nginx terminates TLS in front.
# - registration is limited to the addresses in xmpp_registration_hosts.
# - http_upload_external_base_url and the nginx `{{http_pfx_prosody}}upload`
#   location are spelled differently; confirm http_pfx_prosody expands so that
#   the two agree.
# - NOTE(review): the rendered block carries xmpp_upload_secret; add
#   no_log: true if play output is collected centrally.
- name: custom extra configuration
  blockinfile:
    path: /etc/prosody/prosody.cfg.lua
    insertbefore: '^--+ Virtual hosts'
    marker: '-- {mark} Additional configuration'
    block: |
      -- configure IMAP authentication
      auth_imap_verify_certificate = false
      -- hide OS type from mod_version output
      hide_os_type = true
      -- limit registration
      allow_registration = true
      whitelist_registration_only = true
      registration_whitelist = { '{{xmpp_registration_hosts | replace(" ", "', '")}}' }
      -- configure HTTP
      http_files_dir = "/var/lib/prosody/httpd"
      http_paths = {
        websocket = "{{http_pfx_prosody}}websocket";
        bosh = "{{http_pfx_prosody}}bind";
        files = "{{http_pfx_prosody}}shared";
        upload = "{{http_pfx_prosody}}upload";
      }
      http_default_host = "{{net_soa}}"
      http_external_url = "https://{{net_soa}}"
      -- configure uploads
      http_upload_external_base_url = "https://{{net_soa}}/xmpp-upload/"
      http_upload_external_secret = "{{xmpp_upload_secret}}"
      http_upload_file_size_limit = 5 * 1024 * 1024 -- 5MB in bytes
      --http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds
      -- configure websockets (ws:localhost:5280/websocket)
      cross_domain_websocket = true
      consider_websocket_secure = true
      -- configure BOSH (http://localhost:5280/bind)
      cross_domain_bosh = true
      consider_bosh_secure = true
      -- configure MAM
      default_archive_policy = "roster"
      archive_expires_after = "1m"
      archive_cleanup_interval = 24 * 60 * 60 -- once a day
      muc_log_by_default = true
      max_history_messages = 500
      -- configure email sending
      smtp_from = "xmpp-offline-do-not-reply@{{net_soa}}"
      -- setup the virtual host
      VirtualHost "{{net_soa}}"
      -- declare publish-suscribe
      Component "{{net_subdom_pubsub}}.{{net_soa}}" "pubsub"
      -- declare Multi-User Chat
      Component "{{net_subdom_muc}}.{{net_soa}}" "muc"
  notify:
    - restart prosody.service
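# External upload handler for mod_http_upload_external; the nginx fragment
# below rewrites {{http_pfx_prosody}}upload to this script.
- name: use http_upload_external’s PHP handler
  template:
    src: templates/xep0363_http_upload.php.j2
    dest: /srv/webapps/xep0363_http_upload.php
    group: http
    # NOTE(review): the template presumably embeds xmpp_upload_secret, so the
    # file is readable by group http only (no owner is set, it stays with the
    # account running the play). A PHP file usually does not need the execute
    # bits — confirm how it is executed before tightening to "0644".
    mode: "0755"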
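# nginx fragment exposing prosody's HTTP services under http_pfx_prosody:
# a plain proxy for BOSH and shared files, an Upgrade-aware proxy for
# websockets (long proxy_read_timeout so idle connections survive), and a
# rewrite handing uploads to the PHP handler installed above. proxy_pass
# targets localhost:5280, prosody's default HTTP port, so TLS terminates at
# nginx — which is what consider_*_secure in the prosody config relies on.
- name: configure nginx for prosody
  copy:
    content: |
      location {{http_pfx_prosody}} {
        proxy_pass http://localhost:5280;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_buffering off;
        tcp_nodelay on;
      }
      location {{http_pfx_prosody}}websocket {
        proxy_pass http://localhost:5280;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 30m;
        proxy_buffering off;
        tcp_nodelay on;
      }
      location {{http_pfx_prosody}}upload {
        rewrite ^({{http_pfx_prosody}}upload)(/.*)?$ /php.../srv/webapps/xep0363_http_upload.php/...$1/.../...$2 last;
      }
    # presumably included from the site's HTTPS server block — confirm
    dest: /etc/nginx/inc.d/prosody.https.inc
    owner: http
    group: http
    mode: "0440"  # readable by the web server account only; quoted for YAML 1.2
  notify:
    - restart nginx.service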
# Reload unit files so the hardening drop-in written above is seen, then
# enable the service; the actual (re)start happens through the handler.
- name: enable prosody
  systemd:
    name: prosody.service
    enabled: true
    daemon_reload: true
### LOCAL COMMIT ⇒ ###
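# etckeeper.inc with tasks_from local.yml is expected to commit the edits the
# tasks above made to /etc — see that role for details. Native YAML arguments
# instead of a key=value string (see the first task).
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: Prosody  # presumably the label the role puts in its commit message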
### ⇐ LOCAL COMMIT ###
# Run the queued restart handlers (prosody, nginx) now rather than at the end
# of the play, after the etckeeper commit above has recorded the new state.
- meta: flush_handlers