home-server/roles/dmz_prosody_front/tasks/main.yml

---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.

### UPSTREAM BEGIN ⇒ ###
- name: pull prerequisites from upstream
  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml
  vars:
    msg: Prosody
### ⇐ UPSTREAM BEGIN ###

- name: install software
  package:
    name: "{{item}}"
    state: present
  with_items:
    - prosody
    - postgresql-libs
    - lua52-sec
    - lua52-bitop
    - lua52-dbi

- name: install AUR software
  include_role:
    name: aur.inc
    allow_duplicates: true
  vars:
    packages:
      - lua52-event
      - lua52-lpty
      - prosody-mod-auth-imap-hg
      - prosody-mod-auto-accept-subscriptions-hg
      - prosody-mod-filter-chatstates-hg
      - prosody-mod-http-upload-external-hg
      - prosody-mod-offline-email-hg
      - prosody-mod-smacks
      - prosody-mod-throttle_presence
    aur_user: git
    #  - prosody-mod-log-auth
    #  - prosody-mod-mam-archive
    #  - prosody-mod-mam-muc

### UPSTREAM END ⇒ ###
- name: merge upstream
  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
  vars:
    msg: Prosody
### ⇐ UPSTREAM END ###

- name: set ownership of prosody’s working directory
  file:
    path: /var/lib/prosody
    state: directory
    owner: prosody
    group: jabber
    mode: 0751

- name: create a directory for HTTP files
  file:
    path: /var/lib/prosody/httpd
    state: directory
    owner: prosody
    group: jabber
    mode: 0750

- name: create a directory for HTTP uploads
  file:
    path: /var/lib/prosody/http_upload
    state: directory
    owner: http
    group: jabber
    mode: 06770

- name: prepare overriding prosody settings
  file:
    name: /etc/systemd/system/prosody.service.d
    state: directory
    mode: 0755

- name: secure prosody systemd settings
  copy:
    content: |
      [Service]
      User=prosody
      Group=jabber
      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
      PrivateTmp=true
      PrivateDevices=true
      ProtectSystem=full
      ProtectHome=true
      NoNewPrivileges=true
    dest: /etc/systemd/system/prosody.service.d/secure-{{nickname}}.conf
    mode: 0644
  notify:
    - restart prosody.service

- name: set XMPP admins
  lineinfile:
    path: /etc/prosody/prosody.cfg.lua
    regexp: '^admins\s*='
    line: 'admins = { ''{{xmpp_admins | replace(" ", "'', ''")}}'' }'
  notify:
    - restart prosody.service

- name: enable libevent
  lineinfile:
    path: /etc/prosody/prosody.cfg.lua
    regexp: '^-*use_libevent\s*='
    line: 'use_libevent = true;'
  notify:
    - restart prosody.service

- name: enable some modules
  replace:
    path: /etc/prosody/prosody.cfg.lua
    regexp: '^(\s*)-+("{{item}}";.*)$'
    replace: '\1\2'
  with_items:
    - blocklist
    - bosh
    - carbons
    - groups
    - http_files
    - mam
    - saslauth
    - websocket
  notify:
    - restart prosody.service

- name: enable additional modules
  blockinfile:
    path: /etc/prosody/prosody.cfg.lua
    marker: '  -- {mark} Additional modules'
    block: |
      "auto_accept_subscriptions"; -- friends automatically accepted
      "csi"; -- filter activity depending on mobile state
      "filter_chatstates"; -- csi: filter chat states when inactive
      "http_upload_external"; -- share files in MUCs
      "lastactivity"; -- query users’ idle time
      --"log_auth"; -- log authentication failures for fail2ban
      "mam_adhoc"; -- manage mam from the client
      --"mam_archive"; -- allow mam-enabled clients to read MUC logs
      --"mam_muc"; -- record MUC messages using mam
      "offline_email"; -- get missed messages by email
      "pubsub"; -- publish-suscribe / lien social
      "smacks"; -- ignore temporary disconnects
      "throttle_presence"; -- csi: limit presence updates when inactive
    insertafter: '^\s*modules_enabled\s*=\s*{'
  notify:
    - restart prosody.service

- name: set IMAP authentication
  lineinfile:
    path: /etc/prosody/prosody.cfg.lua
    regexp: '^\s*authentication\s*='
    line: 'authentication = "imap"'
  notify:
    - restart prosody.service

- name: remove authentication script
  file:
    state: absent
    dest: /etc/prosody/external_auth.sh

- name: set SQL storage
  lineinfile:
    path: /etc/prosody/prosody.cfg.lua
    regexp: '^\s*(?:--)?storage\s*='
    line: 'storage = "sql" -- Default is "internal"'
  notify:
    - restart prosody.service

- name: enable PostgreSQL access
  lineinfile:
    path: /etc/prosody/prosody.cfg.lua
    regexp: '^\s*(?:--)?sql\s*=.*PostgreSQL'
    line: >
      sql = {
      driver = "PostgreSQL",
      database = "{{prosody_db}}",
      username = "{{prosody_db_user}}",
      password = "{{prosody_db_password}}",
      host = "/run/shared_sockets"}

- name: restrict syslog (“debug” may contain passwords!)
  lineinfile:
    path: /etc/prosody/prosody.cfg.lua
    regexp: '^(\s*(?:--\s*)?)"*syslog"'
    backrefs: true
    line: '\1{ to = "syslog", levels = { min = "info" } };'

- name: custom extra configuration
  blockinfile:
    path: /etc/prosody/prosody.cfg.lua
    marker: '-- {mark} Additional configuration'
    block: |
      -- configure IMAP authentication
      auth_imap_verify_certificate = false
      -- hide OS type from mod_version output
      hide_os_type = true
      -- limit registration
      allow_registration = true
      whitelist_registration_only = true
      registration_whitelist = { '{{xmpp_registration_hosts | replace(" ", "', '")}}' }
      -- configure HTTP
      http_files_dir = "/var/lib/prosody/httpd"
      http_paths = {
        websocket = "{{http_pfx_prosody}}websocket";
        bosh = "{{http_pfx_prosody}}bind";
        files = "{{http_pfx_prosody}}shared";
        upload = "{{http_pfx_prosody}}upload";
      }
      http_default_host = "{{net_soa}}"
      http_external_url = "https://{{net_soa}}"
      -- configure uploads
      http_upload_external_base_url = "https://{{net_soa}}/xmpp-upload/"
      http_upload_external_secret = "{{xmpp_upload_secret}}"
      http_upload_file_size_limit = 5 * 1024 * 1024 -- 5MB in bytes
      --http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds
      -- configure websockets (ws:localhost:5280/websocket)
      cross_domain_websocket = true
      consider_websocket_secure = true
      -- configure BOSH (http://localhost:5280/bind)
      cross_domain_bosh = true
      consider_bosh_secure = true
      -- configure MAM
      default_archive_policy = "roster"
      archive_expires_after = "1m"
      archive_cleanup_interval = 24 * 60 * 60 -- once a day
      muc_log_by_default = true
      max_history_messages = 500
      -- configure email sending
      smtp_from = "xmpp-offline-do-not-reply@{{net_soa}}"
      -- setup the virtual host
      VirtualHost "{{net_soa}}"
      -- declare publish-suscribe
      Component "{{net_subdom_pubsub}}.{{net_soa}}" "pubsub"
      -- declare Multi-User Chat
      Component "{{net_subdom_muc}}.{{net_soa}}" "muc"
    insertbefore: '^--+ Virtual hosts'
  notify:
    - restart prosody.service

- name: use http_upload_external’s PHP handler
  template:
    src: templates/xep0363_http_upload.php.j2
    dest: /srv/webapps/xep0363_http_upload.php
    group: http
    mode: 0755

- name: configure nginx for prosody
  copy:
    content: |
      location {{http_pfx_prosody}} {
        proxy_pass http://localhost:5280;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_buffering off;
        tcp_nodelay on;
      }
      location {{http_pfx_prosody}}websocket {
        proxy_pass http://localhost:5280;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 30m;
        proxy_buffering off;
        tcp_nodelay on;
      }
      location {{http_pfx_prosody}}upload {
        rewrite ^({{http_pfx_prosody}}upload)(/.*)?$ /php.../srv/webapps/xep0363_http_upload.php/...$1/.../...$2 last;
      }
    dest: /etc/nginx/inc.d/prosody.https.inc
    mode: 0440
    owner: http
    group: http
  notify:
    - restart nginx.service

- name: enable prosody
  systemd:
    daemon_reload: true
    name: prosody.service
    enabled: true

### LOCAL COMMIT ⇒ ###
- name: commit local changes
  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
  vars:
    msg: Prosody
### ⇐ LOCAL COMMIT ###
- meta: flush_handlers
-yr-old; first commit

											
										
										
											2018-09-03 20:06:05 +02:00
+								---
 								# The home-server project produces a multi-purpose setup using Ansible.
 								# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
 								# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
 								### UPSTREAM BEGIN ⇒ ###
 								- name: pull prerequisites from upstream
 								  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml
 								  vars:
 								    msg: Prosody
 								### ⇐ UPSTREAM BEGIN ###
 								- name: install software
 								  package:
 								    name: "{{item}}"
 								    state: present
 								  with_items:
 								    - prosody
 								    - postgresql-libs
-												prosody switched to lua5.2 and natively includes csi

											
										
										
											2018-12-15 20:56:35 +01:00
+								    - lua52-sec
 								    - lua52-bitop
 								    - lua52-dbi
-yr-old; first commit

											
										
										
											2018-09-03 20:06:05 +02:00
 								- name: install AUR software
 								  include_role:
 								    name: aur.inc
 								    allow_duplicates: true
 								  vars:
-												aur: allow pre-build commands

											
										
										
											2021-05-08 17:08:22 +02:00
+								    packages:
 								      - lua52-event
 								      - lua52-lpty
 								      - prosody-mod-auth-imap-hg
 								      - prosody-mod-auto-accept-subscriptions-hg
 								      - prosody-mod-filter-chatstates-hg
 								      - prosody-mod-http-upload-external-hg
 								      - prosody-mod-offline-email-hg
 								      - prosody-mod-smacks
 								      - prosody-mod-throttle_presence
-yr-old; first commit

											
										
										
											2018-09-03 20:06:05 +02:00
+								    aur_user: git
-												aur: allow pre-build commands

											
										
										
											2021-05-08 17:08:22 +02:00
+								    #  - prosody-mod-log-auth
 								    #  - prosody-mod-mam-archive
 								    #  - prosody-mod-mam-muc
-yr-old; first commit

											
										
										
											2018-09-03 20:06:05 +02:00
 								### UPSTREAM END ⇒ ###
 								- name: merge upstream
 								  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
 								  vars:
 								    msg: Prosody
 								### ⇐ UPSTREAM END ###
 								- name: set ownership of prosody’s working directory
 								  file:
 								    path: /var/lib/prosody
 								    state: directory
 								    owner: prosody
 								    group: jabber
 								    mode: 0751
 								- name: create a directory for HTTP files
 								  file:
 								    path: /var/lib/prosody/httpd
 								    state: directory
 								    owner: prosody
 								    group: jabber
 								    mode: 0750
 								- name: create a directory for HTTP uploads
 								  file:
 								    path: /var/lib/prosody/http_upload
 								    state: directory
 								    owner: http
 								    group: jabber
 								    mode: 06770
 								- name: prepare overriding prosody settings
 								  file:
 								    name: /etc/systemd/system/prosody.service.d
 								    state: directory
 								    mode: 0755
 								- name: secure prosody systemd settings
 								  copy:
 								    content: |
 								      [Service]
 								      User=prosody
 								      Group=jabber
 								      CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
 								      PrivateTmp=true
 								      PrivateDevices=true
 								      ProtectSystem=full
 								      ProtectHome=true
 								      NoNewPrivileges=true
 								    dest: /etc/systemd/system/prosody.service.d/secure-{{nickname}}.conf
 								    mode: 0644
 								  notify:
 								    - restart prosody.service
 								- name: set XMPP admins
 								  lineinfile:
 								    path: /etc/prosody/prosody.cfg.lua
 								    regexp: '^admins\s*='
 								    line: 'admins = { ''{{xmpp_admins | replace(" ", "'', ''")}}'' }'
 								  notify:
 								    - restart prosody.service
 								- name: enable libevent
 								  lineinfile:
 								    path: /etc/prosody/prosody.cfg.lua
 								    regexp: '^-*use_libevent\s*='
 								    line: 'use_libevent = true;'
 								  notify:
 								    - restart prosody.service
 								- name: enable some modules
 								  replace:
 								    path: /etc/prosody/prosody.cfg.lua
 								    regexp: '^(\s*)-+("{{item}}";.*)$'
 								    replace: '\1\2'
 								  with_items:
 								    - blocklist
 								    - bosh
 								    - carbons
 								    - groups
 								    - http_files
 								    - mam
 								    - saslauth
 								    - websocket
 								  notify:
 								    - restart prosody.service
 								- name: enable additional modules
 								  blockinfile:
 								    path: /etc/prosody/prosody.cfg.lua
 								    marker: '  -- {mark} Additional modules'
 								    block: |
 								      "auto_accept_subscriptions"; -- friends automatically accepted
 								      "csi"; -- filter activity depending on mobile state
 								      "filter_chatstates"; -- csi: filter chat states when inactive
 								      "http_upload_external"; -- share files in MUCs
 								      "lastactivity"; -- query users’ idle time
 								      --"log_auth"; -- log authentication failures for fail2ban
 								      "mam_adhoc"; -- manage mam from the client
 								      --"mam_archive"; -- allow mam-enabled clients to read MUC logs
 								      --"mam_muc"; -- record MUC messages using mam
 								      "offline_email"; -- get missed messages by email
 								      "pubsub"; -- publish-suscribe / lien social
 								      "smacks"; -- ignore temporary disconnects
 								      "throttle_presence"; -- csi: limit presence updates when inactive
 								    insertafter: '^\s*modules_enabled\s*=\s*{'
 								  notify:
 								    - restart prosody.service
-												prosody: IMAP authentication

											
										
										
											2020-04-16 17:27:36 +02:00
+								- name: set IMAP authentication
-yr-old; first commit

											
										
										
											2018-09-03 20:06:05 +02:00
+								  lineinfile:
 								    path: /etc/prosody/prosody.cfg.lua
 								    regexp: '^\s*authentication\s*='
-												prosody: IMAP authentication

											
										
										
											2020-04-16 17:27:36 +02:00
+								    line: 'authentication = "imap"'
-yr-old; first commit

											
										
										
											2018-09-03 20:06:05 +02:00
+								  notify:
 								    - restart prosody.service
-												prosody: IMAP authentication

											
										
										
											2020-04-16 17:27:36 +02:00
+								- name: remove authentication script
 								  file:
 								    state: absent
-yr-old; first commit

											
										
										
											2018-09-03 20:06:05 +02:00
+								    dest: /etc/prosody/external_auth.sh
 								- name: set SQL storage
 								  lineinfile:
 								    path: /etc/prosody/prosody.cfg.lua
 								    regexp: '^\s*(?:--)?storage\s*='
 								    line: 'storage = "sql" -- Default is "internal"'
 								  notify:
 								    - restart prosody.service
 								- name: enable PostgreSQL access
 								  lineinfile:
 								    path: /etc/prosody/prosody.cfg.lua
 								    regexp: '^\s*(?:--)?sql\s*=.*PostgreSQL'
 								    line: >
 								      sql = {
 								      driver = "PostgreSQL",
 								      database = "{{prosody_db}}",
 								      username = "{{prosody_db_user}}",
 								      password = "{{prosody_db_password}}",
 								      host = "/run/shared_sockets"}
-												prosody: IMAP authentication

											
										
										
											2020-04-16 17:27:36 +02:00
+								- name: restrict syslog (“debug” may contain passwords!)
 								  lineinfile:
 								    path: /etc/prosody/prosody.cfg.lua
 								    regexp: '^(\s*(?:--\s*)?)"*syslog"'
 								    backrefs: true
 								    line: '\1{ to = "syslog", levels = { min = "info" } };'
-yr-old; first commit

											
										
										
											2018-09-03 20:06:05 +02:00
+								- name: custom extra configuration
 								  blockinfile:
 								    path: /etc/prosody/prosody.cfg.lua
 								    marker: '-- {mark} Additional configuration'
 								    block: |
-												prosody: IMAP authentication

											
										
										
											2020-04-16 17:27:36 +02:00
+								      -- configure IMAP authentication
 								      auth_imap_verify_certificate = false
-yr-old; first commit

											
										
										
											2018-09-03 20:06:05 +02:00
+								      -- hide OS type from mod_version output
 								      hide_os_type = true
 								      -- limit registration
 								      allow_registration = true
 								      whitelist_registration_only = true
 								      registration_whitelist = { '{{xmpp_registration_hosts | replace(" ", "', '")}}' }
 								      -- configure HTTP
 								      http_files_dir = "/var/lib/prosody/httpd"
 								      http_paths = {
 								        websocket = "{{http_pfx_prosody}}websocket";
 								        bosh = "{{http_pfx_prosody}}bind";
 								        files = "{{http_pfx_prosody}}shared";
 								        upload = "{{http_pfx_prosody}}upload";
 								      }
 								      http_default_host = "{{net_soa}}"
 								      http_external_url = "https://{{net_soa}}"
 								      -- configure uploads
 								      http_upload_external_base_url = "https://{{net_soa}}/xmpp-upload/"
 								      http_upload_external_secret = "{{xmpp_upload_secret}}"
 								      http_upload_file_size_limit = 5 * 1024 * 1024 -- 5MB in bytes
 								      --http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds
 								      -- configure websockets (ws:localhost:5280/websocket)
 								      cross_domain_websocket = true
 								      consider_websocket_secure = true
 								      -- configure BOSH (http://localhost:5280/bind)
 								      cross_domain_bosh = true
 								      consider_bosh_secure = true
 								      -- configure MAM
 								      default_archive_policy = "roster"
 								      archive_expires_after = "1m"
 								      archive_cleanup_interval = 24 * 60 * 60 -- once a day
 								      muc_log_by_default = true
 								      max_history_messages = 500
 								      -- configure email sending
 								      smtp_from = "xmpp-offline-do-not-reply@{{net_soa}}"
 								      -- setup the virtual host
 								      VirtualHost "{{net_soa}}"
 								      -- declare publish-suscribe
 								      Component "{{net_subdom_pubsub}}.{{net_soa}}" "pubsub"
 								      -- declare Multi-User Chat
 								      Component "{{net_subdom_muc}}.{{net_soa}}" "muc"
 								    insertbefore: '^--+ Virtual hosts'
 								  notify:
 								    - restart prosody.service
 								- name: use http_upload_external’s PHP handler
 								  template:
 								    src: templates/xep0363_http_upload.php.j2
 								    dest: /srv/webapps/xep0363_http_upload.php
 								    group: http
 								    mode: 0755
 								- name: configure nginx for prosody
 								  copy:
 								    content: |
 								      location {{http_pfx_prosody}} {
 								        proxy_pass http://localhost:5280;
 								        proxy_http_version 1.1;
 								        proxy_set_header Host $host;
 								        proxy_buffering off;
 								        tcp_nodelay on;
 								      }
 								      location {{http_pfx_prosody}}websocket {
 								        proxy_pass http://localhost:5280;
 								        proxy_http_version 1.1;
 								        proxy_set_header Host $host;
 								        proxy_set_header Upgrade $http_upgrade;
 								        proxy_set_header Connection "upgrade";
 								        proxy_read_timeout 30m;
 								        proxy_buffering off;
 								        tcp_nodelay on;
 								      }
 								      location {{http_pfx_prosody}}upload {
 								        rewrite ^({{http_pfx_prosody}}upload)(/.*)?$ /php.../srv/webapps/xep0363_http_upload.php/...$1/.../...$2 last;
 								      }
 								    dest: /etc/nginx/inc.d/prosody.https.inc
 								    mode: 0440
 								    owner: http
 								    group: http
 								  notify:
 								    - restart nginx.service
 								- name: enable prosody
 								  systemd:
 								    daemon_reload: true
 								    name: prosody.service
 								    enabled: true
 								### LOCAL COMMIT ⇒ ###
 								- name: commit local changes
 								  include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
 								  vars:
 								    msg: Prosody
 								### ⇐ LOCAL COMMIT ###
 								- meta: flush_handlers