--- # The home-server project produces a multi-purpose setup using Ansible. # Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license. # Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing. ### UPSTREAM BEGIN ⇒ ### - name: pull prerequisites from upstream include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml vars: msg: Prosody ### ⇐ UPSTREAM BEGIN ### - name: install software package: name: "{{item}}" state: present with_items: - prosody - postgresql-libs - lua52-sec - lua52-bitop - lua52-dbi - name: install AUR software include_role: name: aur.inc allow_duplicates: true vars: packages: - lua52-event - lua52-lpty - prosody-mod-auth-imap-hg - prosody-mod-auto-accept-subscriptions-hg - prosody-mod-filter-chatstates-hg - prosody-mod-http-upload-external-hg - prosody-mod-offline-email-hg - prosody-mod-smacks - prosody-mod-throttle_presence aur_user: git # - prosody-mod-log-auth # - prosody-mod-mam-archive # - prosody-mod-mam-muc ### UPSTREAM END ⇒ ### - name: merge upstream include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml vars: msg: Prosody ### ⇐ UPSTREAM END ### - name: set ownership of prosody’s working directory file: path: /var/lib/prosody state: directory owner: prosody group: jabber mode: 0751 - name: create a directory for HTTP files file: path: /var/lib/prosody/httpd state: directory owner: prosody group: jabber mode: 0750 - name: create a directory for HTTP uploads file: path: /var/lib/prosody/http_upload state: directory owner: http group: jabber mode: 06770 - name: prepare overriding prosody settings file: name: /etc/systemd/system/prosody.service.d state: directory mode: 0755 - name: secure prosody systemd settings copy: content: | [Service] User=prosody Group=jabber CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT PrivateTmp=true PrivateDevices=true ProtectSystem=full ProtectHome=true NoNewPrivileges=true dest: /etc/systemd/system/prosody.service.d/secure-{{nickname}}.conf mode: 0644 notify: - restart prosody.service - name: set XMPP admins lineinfile: path: /etc/prosody/prosody.cfg.lua regexp: '^admins\s*=' line: 'admins = { ''{{xmpp_admins | replace(" ", "'', ''")}}'' }' notify: - restart prosody.service - name: enable libevent lineinfile: path: /etc/prosody/prosody.cfg.lua regexp: '^-*use_libevent\s*=' line: 'use_libevent = true;' notify: - restart prosody.service - name: enable some modules replace: path: /etc/prosody/prosody.cfg.lua regexp: '^(\s*)-+("{{item}}";.*)$' replace: '\1\2' with_items: - blocklist - bosh - carbons - groups - http_files - mam - saslauth - websocket notify: - restart prosody.service - name: enable additional modules blockinfile: path: /etc/prosody/prosody.cfg.lua marker: ' -- {mark} Additional modules' block: | "auto_accept_subscriptions"; -- friends automatically accepted "csi"; -- filter activity depending on mobile state "filter_chatstates"; -- csi: filter chat states when inactive "http_upload_external"; -- share files in MUCs "lastactivity"; -- query users’ idle time --"log_auth"; -- log authentication failures for fail2ban "mam_adhoc"; -- manage mam from the client --"mam_archive"; -- allow mam-enabled clients to read MUC logs --"mam_muc"; -- record MUC messages using mam "offline_email"; -- get missed messages by email "pubsub"; -- publish-suscribe / lien social "smacks"; -- ignore temporary disconnects "throttle_presence"; -- csi: limit presence updates when inactive insertafter: '^\s*modules_enabled\s*=\s*{' notify: - restart prosody.service - name: set IMAP authentication lineinfile: path: /etc/prosody/prosody.cfg.lua regexp: '^\s*authentication\s*=' line: 'authentication = "imap"' notify: - restart prosody.service - name: remove authentication script file: state: absent dest: /etc/prosody/external_auth.sh - name: set SQL storage lineinfile: path: /etc/prosody/prosody.cfg.lua regexp: '^\s*(?:--)?storage\s*=' line: 'storage = "sql" -- Default is "internal"' notify: - restart prosody.service - name: enable PostgreSQL access lineinfile: path: /etc/prosody/prosody.cfg.lua regexp: '^\s*(?:--)?sql\s*=.*PostgreSQL' line: > sql = { driver = "PostgreSQL", database = "{{prosody_db}}", username = "{{prosody_db_user}}", password = "{{prosody_db_password}}", host = "/run/shared_sockets"} - name: restrict syslog (“debug” may contain passwords!) lineinfile: path: /etc/prosody/prosody.cfg.lua regexp: '^(\s*(?:--\s*)?)"*syslog"' backrefs: true line: '\1{ to = "syslog", levels = { min = "info" } };' - name: custom extra configuration blockinfile: path: /etc/prosody/prosody.cfg.lua marker: '-- {mark} Additional configuration' block: | -- configure IMAP authentication auth_imap_verify_certificate = false -- hide OS type from mod_version output hide_os_type = true -- limit registration allow_registration = true whitelist_registration_only = true registration_whitelist = { '{{xmpp_registration_hosts | replace(" ", "', '")}}' } -- configure HTTP http_files_dir = "/var/lib/prosody/httpd" http_paths = { websocket = "{{http_pfx_prosody}}websocket"; bosh = "{{http_pfx_prosody}}bind"; files = "{{http_pfx_prosody}}shared"; upload = "{{http_pfx_prosody}}upload"; } http_default_host = "{{net_soa}}" http_external_url = "https://{{net_soa}}" -- configure uploads http_upload_external_base_url = "https://{{net_soa}}/xmpp-upload/" http_upload_external_secret = "{{xmpp_upload_secret}}" http_upload_file_size_limit = 5 * 1024 * 1024 -- 5MB in bytes --http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds -- configure websockets (ws:localhost:5280/websocket) cross_domain_websocket = true consider_websocket_secure = true -- configure BOSH (http://localhost:5280/bind) cross_domain_bosh = true consider_bosh_secure = true -- configure MAM default_archive_policy = "roster" archive_expires_after = "1m" archive_cleanup_interval = 24 * 60 * 60 -- once a day muc_log_by_default = true max_history_messages = 500 -- configure email sending smtp_from = "xmpp-offline-do-not-reply@{{net_soa}}" -- setup the virtual host VirtualHost "{{net_soa}}" -- declare publish-suscribe Component "{{net_subdom_pubsub}}.{{net_soa}}" "pubsub" -- declare Multi-User Chat Component "{{net_subdom_muc}}.{{net_soa}}" "muc" insertbefore: '^--+ Virtual hosts' notify: - restart prosody.service - name: use http_upload_external’s PHP handler template: src: templates/xep0363_http_upload.php.j2 dest: /srv/webapps/xep0363_http_upload.php group: http mode: 0755 - name: configure nginx for prosody copy: content: | location {{http_pfx_prosody}} { proxy_pass http://localhost:5280; proxy_http_version 1.1; proxy_set_header Host $host; proxy_buffering off; tcp_nodelay on; } location {{http_pfx_prosody}}websocket { proxy_pass http://localhost:5280; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_read_timeout 30m; proxy_buffering off; tcp_nodelay on; } location {{http_pfx_prosody}}upload { rewrite ^({{http_pfx_prosody}}upload)(/.*)?$ /php.../srv/webapps/xep0363_http_upload.php/...$1/.../...$2 last; } dest: /etc/nginx/inc.d/prosody.https.inc mode: 0440 owner: http group: http notify: - restart nginx.service - name: enable prosody systemd: daemon_reload: true name: prosody.service enabled: true ### LOCAL COMMIT ⇒ ### - name: commit local changes include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml vars: msg: Prosody ### ⇐ LOCAL COMMIT ### - meta: flush_handlers