From ed30097745f052af7b89447c952ad3db26f5bcc9 Mon Sep 17 00:00:00 2001
From: Fritz Grimpen
Date: Wed, 3 Feb 2021 00:04:38 +0000
Subject: [PATCH] First draft for a prosody role
---
roles/prosody/defaults/main.yml | 57 ++++++++
roles/prosody/handlers/main.yml | 5 +
roles/prosody/tasks/main.yml | 21 +++
roles/prosody/templates/nginx.j2 | 18 +++
roles/prosody/templates/prosody.cfg.lua.j2 | 160 +++++++++++++++++++++
5 files changed, 261 insertions(+)
create mode 100644 roles/prosody/defaults/main.yml
create mode 100644 roles/prosody/handlers/main.yml
create mode 100644 roles/prosody/tasks/main.yml
create mode 100644 roles/prosody/templates/nginx.j2
create mode 100644 roles/prosody/templates/prosody.cfg.lua.j2
diff --git a/roles/prosody/defaults/main.yml b/roles/prosody/defaults/main.yml
new file mode 100644
index 0000000..ebd029b
--- /dev/null
+++ b/roles/prosody/defaults/main.yml
@@ -0,0 +1,57 @@
+---
+prosody_domain: "jabber.ccchb.de"
+prosody_ssl_cert: "/etc/letsencrypt/live/{{ prosody_domain }}/fullchain.pem"
+prosody_ssl_key: "/etc/letsencrypt/live/{{ prosody_domain }}/privkey.pem"
+prosody_allow_registration: false
+prosody_modules:
+ - roster
+ - saslauth
+ - tls
+ - dialback
+ - disco
+ - private
+ - bookmarks
+ - vcard
+ - proxy65
+ - legacyauth
+ - version
+ - uptime
+ - time
+ - ping
+ - pep
+ - register
+ - adhoc
+ - admin_adhoc
+ - posix
+ - bosh
+ - websocket
+ - groups
+ - announce
+ - watchregistrations
+ - blocking
+ - smacks
+ - carbons
+ - cloud_notify
+ - csi
+ - mam
+ - filter_chatstates
+ - throttle_presence
+ - http_upload
+ - turncredentials
+ - vcard_legacy
+
+prosody_nginx_install: true
+prosody_nginx_conf: |
+ listen [::]:443 ssl http2;
+ listen 443 ssl http2;
+
+ server_name {{ prosody_domain }};
+
+ root /var/www/html;
+
+ ssl_certificate {{ prosody_ssl_cert }};
+ ssl_certificate_key {{ prosody_ssl_key }};
+ ssl_trusted_certificate /etc/letsencrypt/live/{{ prosody_domain }}/chain.pem;
+
+ include snippets/certbot.conf;
+...
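Review bot: `- legacyauth` in the default `prosody_modules` list turns on XEP-0078 non-SASL authentication, an obsolete mechanism in which the client sends its password inside the stream rather than through SASL; with `authentication = "internal_hashed"` I believe only the plaintext variant can work, so it is acceptable only when client encryption is enforced, and this role does not set `c2s_require_encryption` anywhere. I would drop `- legacyauth` from the defaults unless a specific client is known to need it, and say so in a comment. The defaults also provide no variable for values the config template hard-codes (admin JIDs, TURN host and secret); adding `prosody_admins: []`, `prosody_turncredentials_host: ""` and `prosody_turncredentials_secret: ""` here, with the secret supplied from vault, would let the template stop carrying them.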
diff --git a/roles/prosody/handlers/main.yml b/roles/prosody/handlers/main.yml
new file mode 100644
index 0000000..4e0a6ca
--- /dev/null
+++ b/roles/prosody/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload nginx
+ systemd:
+ name: nginx
+ state: reloaded
diff --git a/roles/prosody/tasks/main.yml b/roles/prosody/tasks/main.yml
new file mode 100644
index 0000000..fffe4b6
--- /dev/null
+++ b/roles/prosody/tasks/main.yml
@@ -0,0 +1,21 @@
+---
+- name: Install prosody http site
+ template:
+ src: nginx.j2
+ dest: "/etc/nginx/sites-available/{{ prosody_domain }}"
+ when: prosody_nginx_install
+
+- name: Enable prosody http site
+ notify: reload nginx
+ file:
+ src: /etc/nginx/sites-available/{{ prosody_domain }}
+ dest: /etc/nginx/sites-enabled/{{ prosody_domain }}
+ state: link
+ when: prosody_nginx_install
+
+- name: Configure prosody
+ template:
+ src: prosody.cfg.lua.j2
+ dest: /etc/prosody/prosody_test.cfg.lua
+
+...
diff --git a/roles/prosody/templates/nginx.j2 b/roles/prosody/templates/nginx.j2
new file mode 100644
index 0000000..bf6f639
--- /dev/null
+++ b/roles/prosody/templates/nginx.j2
@@ -0,0 +1,18 @@
+# {{ ansible_managed }}
+
+server {
+ {{ prosody_nginx_conf }}
+
+ location /http-bind {
+ proxy_pass http://127.0.0.1:5280/http-bind;
+ }
+
+ location /xmpp-websocket {
+ proxy_pass http://127.0.0.1:5280/xmpp-websocket;
+ }
+
+ location /upload {
+ proxy_set_header Host {{ prosody_domain }};
+ proxy_pass http://127.0.0.1:5280/upload;
+ }
+}
diff --git a/roles/prosody/templates/prosody.cfg.lua.j2 b/roles/prosody/templates/prosody.cfg.lua.j2
new file mode 100644
index 0000000..6ac7996
--- /dev/null
+++ b/roles/prosody/templates/prosody.cfg.lua.j2
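Review bot: The `Configure prosody` task renders the config to `/etc/prosody/prosody_test.cfg.lua`, a path prosody does not read by default, and no handler restarts prosody, so applying the role never changes the running server; if the `_test` suffix is a deliberate staging step it deserves a comment saying so. The rendered file will also hold the TURN shared secret and the admin list, so the task should pin owner, group and mode rather than inherit whatever umask the controller has, and validating the file before it replaces the live one avoids leaving the service unable to start. Something like the following, with a `restart prosody` handler added to handlers/main.yml; confirm that the installed prosodyctl accepts `--config` before relying on the `validate` line.
```yaml
- name: Configure prosody
  notify: restart prosody
  template:
    src: prosody.cfg.lua.j2
    dest: /etc/prosody/prosody.cfg.lua
    owner: root
    group: prosody
    mode: "0640"
    validate: "prosodyctl --config %s check config"
```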
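Review bot: The `/xmpp-websocket` location proxies with nginx defaults, which speak HTTP/1.0 to the upstream and do not forward the hop-by-hop `Upgrade` and `Connection` headers, so the WebSocket handshake never reaches prosody; the location needs `proxy_http_version 1.1;` plus those two headers passed through. `/http-bind` and `/xmpp-websocket` also omit the `proxy_set_header Host` that `/upload` sets, so prosody sees `127.0.0.1` as the requested host, and BOSH long-polling will routinely exceed nginx's default 60 s `proxy_read_timeout`. Because nginx terminates TLS, prosody observes plain HTTP on these endpoints; depending on the prosody version you may need `consider_bosh_secure`/`consider_websocket_secure` (or `trusted_proxies` on newer releases) in the prosody config — verify against the installed version.
```nginx
    location /http-bind {
        proxy_set_header Host {{ prosody_domain }};
        proxy_read_timeout 300s;
        proxy_pass http://127.0.0.1:5280/http-bind;
    }

    location /xmpp-websocket {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host {{ prosody_domain }};
        proxy_read_timeout 900s;
        proxy_pass http://127.0.0.1:5280/xmpp-websocket;
    }
    # … unchanged: /upload location …
```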
@@ -0,0 +1,160 @@
+-- Prosody XMPP Server Configuration
+-- {{ ansible_managed }}
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see http://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { "deelkar@jabber.ccchb.de", "freak@jabber.ccchb.de", "jali@jabber.ccchb.de" }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: http://prosody.im/doc/libevent
+use_libevent = false;
+
+plugin_paths = { "/opt/prosody-modules" }
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation on modules can be found at: http://prosody.im/doc/modules
+modules_enabled = {
+ {% for module in prosody_modules %}
+ "{{ module }}";
+ {% endfor %}
+};
+
+-- These modules are auto-loaded, should you
+-- (for some mad reason) want to disable
+-- them then uncomment them below
+modules_disabled = {
+ -- "presence"; -- Route user/contact status information
+ -- "message"; -- Route messages
+ -- "iq"; -- Route info queries
+ -- "offline"; -- Store offline messages
+};
+
+-- Disable account creation by default, for security
+-- For more information see http://prosody.im/doc/creating_accounts
+allow_registration = {{ prosody_allow_registration }};
+
+-- These are the SSL/TLS-related settings. If you don't want
+-- to use SSL/TLS, you may comment or remove this
+-- *** DUMMY CERT *** DO NOT CHANGE *** SET CERT IN HOST SECTION ***
+ssl = {
+ protocol = "sslv23";
+ key = "{{ prosody_ssl_key }}";
+ certificate = "{{ prosody_ssl_cert }}";
+ dhparam = "/etc/prosody/certs/dh-2048.pem";
+ options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
+ ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM";
+}
+legacy_ssl_ports = { 5223 }
+http_external_url = "https://{{ prosody_domain }}/"
+
+-- Only allow encrypted streams? Encryption is already used when
+-- available. These options will cause Prosody to deny connections that
+-- are not encrypted. Note that some servers do not support s2s
+-- encryption or have it disabled, including gmail.com and Google Apps
+-- domains.
+
+--c2s_require_encryption = false
+--s2s_require_encryption = false
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+-- To allow Prosody to offer secure authentication mechanisms to clients, the
+-- default provider stores passwords in plaintext. If you do not trust your
+-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
+-- for information about using the hashed backend.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See http://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- STUN/TURN
+--turncredentials_host = "jabber.emma.ccchb.de"
+turncredentials_host = "einstein.cskreie.de"
+turncredentials_secret = "gabbagabbahey"
+
+
+-- HTTP-UPLOAD
+http_upload_file_size_limit = 10485760 -- 10M
+http_max_content_size = 20971520 -- 20M
+http_upload_quota = 104857600 -- 100M
+http_upload_expire_after = 2592000 -- 30d
+
+-- Logging configuration
+-- For advanced logging see http://prosody.im/doc/logging
+-- Hint: If you create a new log file or rename them, don't forget
+-- to update the logrotate config at /etc/logrotate.d/prosody
+log = {
+ -- Log all error messages to prosody.err
+ error = "/var/log/prosody/prosody.err";
+ -- Log everything of level "info" and higher (that is, all except "debug" messages)
+ -- to prosody.log
+ -- info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging
+ -- debug = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging
+ --"*syslog"; -- Uncomment this for logging to syslog
+}
+
+-- Pidfile, used by prosodyctl and the init.d script
+pidfile = "/var/run/prosody/prosody.pid";
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "localhost"
+
+VirtualHost "{{ prosody_domain }}"
+ enabled = true -- Remove this line to enable this host
+
+ -- Assign this host a certificate for TLS, otherwise it would use the one
+ -- set in the global section (if any).
+ -- Note that old-style SSL on port 5223 only supports one certificate, and will always
+ -- use the global one.
+ ssl = {
+ protocol = "sslv23";
+ key = "{{ prosody_ssl_key }}";
+ certificate = "{{ prosody_ssl_cert }}";
+ dhparam = "/etc/prosody/certs/dh-2048.pem";
+ options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
+ ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM";
+ }
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see http://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+Component "muc.{{ prosody_domain }}" "muc"
+modules_enabled = {
+ "vcard_muc", "muc_mam",
+}
+-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
+--Component "proxy.example.com" "proxy65"
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: http://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"
+
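Review bot: `turncredentials_secret = "gabbagabbahey"` commits the shared TURN secret into the template, so it sits in git history for everyone with repository access and cannot differ per host; make it `turncredentials_secret = "{{ prosody_turncredentials_secret }}"` (and `turncredentials_host = "{{ prosody_turncredentials_host }}"`), source the value from vault, and rotate this secret on the TURN server since it is already exposed. Both `ssl` blocks use `protocol = "sslv23"` with only `no_sslv2`/`no_sslv3` in `options`, which still lets TLS 1.0 and 1.1 be negotiated; `protocol = "tlsv1_2+";` (accepted by prosody 0.10 and later, as far as I recall) is the usual floor. `--c2s_require_encryption = false` and `--s2s_require_encryption = false` are left commented, so whether unencrypted client streams are accepted depends on the installed version's default, and the `legacyauth` module this role loads can carry a raw password over such a stream; set `c2s_require_encryption = true` and `s2s_require_encryption = true` explicitly, and consider `s2s_secure_auth = true` once peer certificates are known to validate. The `"muc"` component sets no `restrict_room_creation`, so any remote user can create rooms on `muc.{{ prosody_domain }}`; `restrict_room_creation = "local"` is the common hardening if open creation is not intended.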