331 lines
9.6 KiB
YAML
331 lines
9.6 KiB
YAML
---
|
||
# The home-server project produces a multi-purpose setup using Ansible.
|
||
# Copyright © 2018 Y. Gablin, under the GPL-3.0-or-later license.
|
||
# Full licensing information in the LICENSE file, or gnu.org/licences/gpl-3.0.txt if the file is missing.
|
||
|
||
### UPSTREAM BEGIN ⇒ ###
|
||
- name: pull prerequisites from upstream
|
||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=upstream.yml
|
||
vars:
|
||
msg: Prosody
|
||
### ⇐ UPSTREAM BEGIN ###
|
||
|
||
- name: install software
|
||
package:
|
||
name: "{{item}}"
|
||
state: present
|
||
with_items:
|
||
- prosody
|
||
- postgresql-libs
|
||
- lua51-sec
|
||
- lua51-bitop
|
||
- lua51-dbi
|
||
|
||
- name: install AUR software
|
||
include_role:
|
||
name: aur.inc
|
||
allow_duplicates: true
|
||
vars:
|
||
pkg_names: |
|
||
[
|
||
"lua51-event",
|
||
"lua51-lpty",
|
||
"prosody-mod-auth-external-hg",
|
||
"prosody-mod-auto-accept-subscriptions-hg",
|
||
"prosody-mod-csi-hg",
|
||
"prosody-mod-filter-chatstates-hg",
|
||
"prosody-mod-http-upload-external-hg",
|
||
"prosody-mod-offline-email-hg",
|
||
"prosody-mod-smacks",
|
||
"prosody-mod-throttle_presence"
|
||
]
|
||
aur_user: git
|
||
# "prosody-mod-log-auth",
|
||
# "prosody-mod-mam-archive",
|
||
# "prosody-mod-mam-muc",
|
||
|
||
### UPSTREAM END ⇒ ###
|
||
- name: merge upstream
|
||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=merge.yml
|
||
vars:
|
||
msg: Prosody
|
||
### ⇐ UPSTREAM END ###
|
||
|
||
- name: set ownership of prosody’s working directory
|
||
file:
|
||
path: /var/lib/prosody
|
||
state: directory
|
||
owner: prosody
|
||
group: jabber
|
||
mode: 0751
|
||
|
||
- name: create a directory for HTTP files
|
||
file:
|
||
path: /var/lib/prosody/httpd
|
||
state: directory
|
||
owner: prosody
|
||
group: jabber
|
||
mode: 0750
|
||
|
||
- name: create a directory for HTTP uploads
|
||
file:
|
||
path: /var/lib/prosody/http_upload
|
||
state: directory
|
||
owner: http
|
||
group: jabber
|
||
mode: 06770
|
||
|
||
- name: prepare overriding prosody settings
|
||
file:
|
||
name: /etc/systemd/system/prosody.service.d
|
||
state: directory
|
||
mode: 0755
|
||
|
||
- name: secure prosody systemd settings
|
||
copy:
|
||
content: |
|
||
[Service]
|
||
User=prosody
|
||
Group=jabber
|
||
CapabilityBoundingSet=CAP_AUDIT_WRITE CAP_LEASE CAP_SYS_CHROOT
|
||
PrivateTmp=true
|
||
PrivateDevices=true
|
||
ProtectSystem=full
|
||
ProtectHome=true
|
||
NoNewPrivileges=true
|
||
dest: /etc/systemd/system/prosody.service.d/secure-{{nickname}}.conf
|
||
mode: 0644
|
||
notify:
|
||
- restart prosody.service
|
||
|
||
- name: set XMPP admins
|
||
lineinfile:
|
||
path: /etc/prosody/prosody.cfg.lua
|
||
regexp: '^admins\s*='
|
||
line: 'admins = { ''{{xmpp_admins | replace(" ", "'', ''")}}'' }'
|
||
notify:
|
||
- restart prosody.service
|
||
|
||
- name: enable libevent
|
||
lineinfile:
|
||
path: /etc/prosody/prosody.cfg.lua
|
||
regexp: '^-*use_libevent\s*='
|
||
line: 'use_libevent = true;'
|
||
notify:
|
||
- restart prosody.service
|
||
|
||
- name: enable some modules
|
||
replace:
|
||
path: /etc/prosody/prosody.cfg.lua
|
||
regexp: '^(\s*)-+("{{item}}";.*)$'
|
||
replace: '\1\2'
|
||
with_items:
|
||
- blocklist
|
||
- bosh
|
||
- carbons
|
||
- groups
|
||
- http_files
|
||
- mam
|
||
- saslauth
|
||
- websocket
|
||
notify:
|
||
- restart prosody.service
|
||
|
||
- name: enable additional modules
|
||
blockinfile:
|
||
path: /etc/prosody/prosody.cfg.lua
|
||
marker: ' -- {mark} Additional modules'
|
||
block: |
|
||
"auto_accept_subscriptions"; -- friends automatically accepted
|
||
"csi"; -- filter activity depending on mobile state
|
||
"filter_chatstates"; -- csi: filter chat states when inactive
|
||
"http_upload_external"; -- share files in MUCs
|
||
"lastactivity"; -- query users’ idle time
|
||
--"log_auth"; -- log authentication failures for fail2ban
|
||
"mam_adhoc"; -- manage mam from the client
|
||
--"mam_archive"; -- allow mam-enabled clients to read MUC logs
|
||
--"mam_muc"; -- record MUC messages using mam
|
||
"offline_email"; -- get missed messages by email
|
||
"pubsub"; -- publish-suscribe / lien social
|
||
"smacks"; -- ignore temporary disconnects
|
||
"throttle_presence"; -- csi: limit presence updates when inactive
|
||
insertafter: '^\s*modules_enabled\s*=\s*{'
|
||
notify:
|
||
- restart prosody.service
|
||
|
||
- name: set BASH authentication
|
||
lineinfile:
|
||
path: /etc/prosody/prosody.cfg.lua
|
||
regexp: '^\s*authentication\s*='
|
||
line: 'authentication = "external"'
|
||
notify:
|
||
- restart prosody.service
|
||
|
||
- name: send authentication script
|
||
copy:
|
||
content: |
|
||
#!/bin/bash
|
||
function ldap_esc() {
|
||
printf %s "$1" | (LANG=C
|
||
grep -o . | while IFS='' read -r c; do
|
||
[[ "$c" =~ [-.A-Za-z0-9] ]] && printf %s "$c" || printf \\%02x "'$c"
|
||
done)
|
||
}
|
||
function do_auth() {
|
||
local u d p
|
||
IFS=: read u d p <<<"$1"
|
||
ldapwhoami -H 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/' \
|
||
-D "uid=$(ldap_esc "$u"),ou=Users,{{ldap_root}}" -w "$p"
|
||
}
|
||
function do_isuser() {
|
||
local u d
|
||
IFS=: read u d <<<"$1"
|
||
ldapsearch -H 'ldapi://%2Frun%2Fshared_sockets%2Fldapi/' -A -s sub -x \
|
||
-b 'ou=Users,{{ldap_root}}' "(uid=$(ldap_esc "$u"))" | grep ^uid:
|
||
}
|
||
function do_setpass() {
|
||
false
|
||
}
|
||
while true; do
|
||
IFS=: read fct params || { sleep 1s; continue; }
|
||
case "$fct" in
|
||
auth) do_auth "$params" ;;
|
||
isuser) do_isuser "$params" ;;
|
||
setpass) do_setpass "$params" ;;
|
||
*) false ;;
|
||
esac >/dev/null
|
||
if [ $? -eq 0 ]; then
|
||
echo "$fct:${params%%:*} YES" | systemd-cat -t "prosody_auth" -p notice
|
||
echo 1
|
||
else
|
||
echo "$fct:${params%%:*} NO" | systemd-cat -t "prosody_auth" -p notice
|
||
echo 0
|
||
fi
|
||
done
|
||
dest: /etc/prosody/external_auth.sh
|
||
owner: prosody
|
||
mode: 0500
|
||
|
||
- name: set SQL storage
|
||
lineinfile:
|
||
path: /etc/prosody/prosody.cfg.lua
|
||
regexp: '^\s*(?:--)?storage\s*='
|
||
line: 'storage = "sql" -- Default is "internal"'
|
||
notify:
|
||
- restart prosody.service
|
||
|
||
- name: enable PostgreSQL access
|
||
lineinfile:
|
||
path: /etc/prosody/prosody.cfg.lua
|
||
regexp: '^\s*(?:--)?sql\s*=.*PostgreSQL'
|
||
line: >
|
||
sql = {
|
||
driver = "PostgreSQL",
|
||
database = "{{prosody_db}}",
|
||
username = "{{prosody_db_user}}",
|
||
password = "{{prosody_db_password}}",
|
||
host = "/run/shared_sockets"}
|
||
|
||
- name: custom extra configuration
|
||
blockinfile:
|
||
path: /etc/prosody/prosody.cfg.lua
|
||
marker: '-- {mark} Additional configuration'
|
||
block: |
|
||
-- configure bash authentication
|
||
external_auth_command = "/etc/prosody/external_auth.sh"
|
||
-- hide OS type from mod_version output
|
||
hide_os_type = true
|
||
-- limit registration
|
||
allow_registration = true
|
||
whitelist_registration_only = true
|
||
registration_whitelist = { '{{xmpp_registration_hosts | replace(" ", "', '")}}' }
|
||
-- configure HTTP
|
||
http_files_dir = "/var/lib/prosody/httpd"
|
||
http_paths = {
|
||
websocket = "{{http_pfx_prosody}}websocket";
|
||
bosh = "{{http_pfx_prosody}}bind";
|
||
files = "{{http_pfx_prosody}}shared";
|
||
upload = "{{http_pfx_prosody}}upload";
|
||
}
|
||
http_default_host = "{{net_soa}}"
|
||
http_external_url = "https://{{net_soa}}"
|
||
-- configure uploads
|
||
http_upload_external_base_url = "https://{{net_soa}}/xmpp-upload/"
|
||
http_upload_external_secret = "{{xmpp_upload_secret}}"
|
||
http_upload_file_size_limit = 5 * 1024 * 1024 -- 5MB in bytes
|
||
--http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds
|
||
-- configure websockets (ws:localhost:5280/websocket)
|
||
cross_domain_websocket = true
|
||
consider_websocket_secure = true
|
||
-- configure BOSH (http://localhost:5280/bind)
|
||
cross_domain_bosh = true
|
||
consider_bosh_secure = true
|
||
-- configure MAM
|
||
default_archive_policy = "roster"
|
||
archive_expires_after = "1m"
|
||
archive_cleanup_interval = 24 * 60 * 60 -- once a day
|
||
muc_log_by_default = true
|
||
max_history_messages = 500
|
||
-- configure email sending
|
||
smtp_from = "xmpp-offline-do-not-reply@{{net_soa}}"
|
||
-- setup the virtual host
|
||
VirtualHost "{{net_soa}}"
|
||
-- declare publish-suscribe
|
||
Component "{{net_subdom_pubsub}}.{{net_soa}}" "pubsub"
|
||
-- declare Multi-User Chat
|
||
Component "{{net_subdom_muc}}.{{net_soa}}" "muc"
|
||
insertbefore: '^--+ Virtual hosts'
|
||
notify:
|
||
- restart prosody.service
|
||
|
||
- name: use http_upload_external’s PHP handler
|
||
template:
|
||
src: templates/xep0363_http_upload.php.j2
|
||
dest: /srv/webapps/xep0363_http_upload.php
|
||
group: http
|
||
mode: 0755
|
||
|
||
- name: configure nginx for prosody
|
||
copy:
|
||
content: |
|
||
location {{http_pfx_prosody}} {
|
||
proxy_pass http://localhost:5280;
|
||
proxy_http_version 1.1;
|
||
proxy_set_header Host $host;
|
||
proxy_buffering off;
|
||
tcp_nodelay on;
|
||
}
|
||
location {{http_pfx_prosody}}websocket {
|
||
proxy_pass http://localhost:5280;
|
||
proxy_http_version 1.1;
|
||
proxy_set_header Host $host;
|
||
proxy_set_header Upgrade $http_upgrade;
|
||
proxy_set_header Connection "upgrade";
|
||
proxy_read_timeout 30m;
|
||
proxy_buffering off;
|
||
tcp_nodelay on;
|
||
}
|
||
location {{http_pfx_prosody}}upload {
|
||
rewrite ^({{http_pfx_prosody}}upload)(/.*)?$ /php.../srv/webapps/xep0363_http_upload.php/...$1/.../...$2 last;
|
||
}
|
||
dest: /etc/nginx/inc.d/prosody.https.inc
|
||
mode: 0440
|
||
owner: http
|
||
group: http
|
||
notify:
|
||
- restart nginx.service
|
||
|
||
- name: enable prosody
|
||
systemd:
|
||
daemon_reload: true
|
||
name: prosody.service
|
||
enabled: true
|
||
|
||
### LOCAL COMMIT ⇒ ###
|
||
- name: commit local changes
|
||
include_role: name=etckeeper.inc allow_duplicates=true tasks_from=local.yml
|
||
vars:
|
||
msg: Prosody
|
||
### ⇐ LOCAL COMMIT ###
|
||
- meta: flush_handlers
|