Add user account for humm

README.md

@@ -1,7 +1,3 @@
 # ansible
 
-CCC HB Ansible
-
-## Deployment
-
-    ansible-playbook -i hosts/ [-l HOSTS] [-t TAGS] sites.yml 
+CCC HB Ansible

bhyve.yml

@@ -1,9 +1,19 @@
 ---
+- hosts:
+  - localhost
+
+  become: yes
+
+  tasks:
+    - name: Install passlib
+      package:
+        name: py38-netaddr
+        state: present
+
 - hosts:
     - emma
 
   become: yes
-  tags: bhyve
 
   roles:
     - bhyve

debian.yml

@@ -3,3 +3,4 @@
   become: yes
   roles:
     - debian
+    - { role: user_mgmt, tags: [user_mgmt]}

group_vars/all.yml

@@ -10,16 +10,14 @@ user_mgmt_default:
   genofire:
     ssh_key:
       present:
-        - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIOr9wE3i1+Cl/06WOf0/6OjxsOnN7veV3LZcWgtHkcS  genofire@fireYubi"
-      absent:
-        - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8LdgjUiL/MFmA2wM98QAbUEyY/8ixnpettC6kQxKWu genofire@emma.ccchb.de"
-        - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDZm0TZPBzgXrY1vrLoYviNRb/oGZQDQk9vrppPK84sN55ZPlr9VvP+JYE7Qkx8teRuH9ulxqX40+dxKaiAXMUl4HU57KPLjwCb7SnBNIFTv6ZHGxPS8ZgUzKJr4Agph51oenNEO3RziEqAo3EwK67SGnjeIYQQKcjpfwd08+PYMOjv42zSYQ9umooj5LooOvbxoogZ3VpboXv6DeyA4rev1M9RgnMWaWVF2LxJjQ3jVr7xh1vZktVGKuVk/XXKD6WVAuwmGMVEouQzjtG9kepWd8FUYe+fgj5mtdqfeQP9CypxvOcb7jT20wO1Abpp5udS9iPDQHg+lafklIAeKG3qgxxhBDH3otXtnWcoeXUmDpBI8HU/8d/yrGaLHYRfy3HHiSGFq3lBgoxi83QIOl9ELeKWMJC0fWKBApm0NU0flgwfy2j7GRyXmlM7tVFyuj5RTAZNQfgD9g054di9WbtUs7sm/9r3/rQe2+3neE3Jskt4xvZK0xbc4dZSZGn4E2JDWjENqPBvQ2dU5lsjpUKTZWAnxVGPe//BErsDxNLIHWz8emG71r3Q2yud4KPdAR9CgeC8g1bwlCI6JDFZutKBzIlE3QQ4ryKJEioiUL89xi6G+nNB7W5ABsQN0ZtWvZl8TG4Wh00B+oBXzgRER5Y9SdAYcrwWxlGVxxQyElUNrw== genofire-yubikey"
+      - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDZm0TZPBzgXrY1vrLoYviNRb/oGZQDQk9vrppPK84sN55ZPlr9VvP+JYE7Qkx8teRuH9ulxqX40+dxKaiAXMUl4HU57KPLjwCb7SnBNIFTv6ZHGxPS8ZgUzKJr4Agph51oenNEO3RziEqAo3EwK67SGnjeIYQQKcjpfwd08+PYMOjv42zSYQ9umooj5LooOvbxoogZ3VpboXv6DeyA4rev1M9RgnMWaWVF2LxJjQ3jVr7xh1vZktVGKuVk/XXKD6WVAuwmGMVEouQzjtG9kepWd8FUYe+fgj5mtdqfeQP9CypxvOcb7jT20wO1Abpp5udS9iPDQHg+lafklIAeKG3qgxxhBDH3otXtnWcoeXUmDpBI8HU/8d/yrGaLHYRfy3HHiSGFq3lBgoxi83QIOl9ELeKWMJC0fWKBApm0NU0flgwfy2j7GRyXmlM7tVFyuj5RTAZNQfgD9g054di9WbtUs7sm/9r3/rQe2+3neE3Jskt4xvZK0xbc4dZSZGn4E2JDWjENqPBvQ2dU5lsjpUKTZWAnxVGPe//BErsDxNLIHWz8emG71r3Q2yud4KPdAR9CgeC8g1bwlCI6JDFZutKBzIlE3QQ4ryKJEioiUL89xi6G+nNB7W5ABsQN0ZtWvZl8TG4Wh00B+oBXzgRER5Y9SdAYcrwWxlGVxxQyElUNrw== genofire-yubikey"
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH8LdgjUiL/MFmA2wM98QAbUEyY/8ixnpettC6kQxKWu genofire@emma.ccchb.de"
+      absent: []
   fritz:
     ssh_key:
       present:
       - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEay33koXmcBcrDuCQKkCBlw/gKiPtwLswATPqIR7udl fritz@fluorine.grimpen.net"
       - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEyVVwh0cUPxZ/wwRsB8YRsQE/cxjEX6gomS7EPArXuX fritz@NaOH"
-      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPSZUs/SgJRKK+NgmifBt8xehIbrpdQtpT9MeRkdwdHU fritz@m1air"
       absent: []
   deelkar:
     ssh_key:
@@ -31,8 +29,3 @@ user_mgmt_default:
       present:
       - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDSHkU00aO4U98ikMiiiWiEeRj/597UzFcFctwY8iwLy humm@fluorine"
       absent: []
-  blazr:
-    ssh_key:
-      present:
-      - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDbxgesllBFfJUfwYX58rZln0ZpOq/Jyp361OmKohiQFHUyWK6wlPqDmfhqJuLPkAZQOjmK25gvLQXJ19+y1arjtGgbgf2nrjkCJ1l/2SHIa088DVYvZDLly+cSDMOUwgM1bzlKrHYK5asFihM+XJDV2oKUBIWaVNLHK99hpmiDXQ== jollyjinx@planetexpress.local"
-      absent: []

group_vars/debian

@@ -1,5 +1,5 @@
 ---
-ansible_python_interpreter: /usr/bin/python3
+ansible_python_interpreter: /usr/bin/python3.7
 
 dns: 213.133.98.98 8.8.8.8
 ipv6_subnet: '2a01:4f8:150:926f::'
@@ -8,6 +8,6 @@ ipv4_subnet: 10.0.0.0
 ipv6: '{{ ipv6_subnet | ipmath(2 * (vm_index +2)+1) }}/127'
 ipv6route: '{{ ipv6_subnet | ipmath(2 * (vm_index +2)) }}'
 
-#ansible_ssh_host: '{{ ipv4_subnet | ipmath(2 * vm_index +1) }}'
+ansible_ssh_host: '{{ ipv4_subnet | ipmath(2 * vm_index +1) }}'
 ipv4: '{{ ipv4_subnet | ipmath(2 * vm_index +1) }}/31'
 ipv4route: '{{ ipv4_subnet | ipmath(2 * vm_index) }}'

group_vars/freebsd

@@ -1,5 +1,5 @@
 ---
-ansible_python_interpreter: /usr/local/bin/python3.9
+ansible_python_interpreter: /usr/local/bin/python3.8
 s6_etc_dir: /etc/s6-rc
 s6_live_dir: /run/s6-rc
 s6_scan_dir: /run/service

host_vars/emma.ccchb.de

@@ -32,12 +32,14 @@ haproxy_http:
     addr: '2a01:4f8:150:926f::11'
   - host: 'kasse.z1.ccchb.de'
     addr: '2a01:4f8:150:926f::11'
+  - host: 'kasse.zweigstelle.space'
+    addr: '2a01:4f8:150:926f::11'
   - host: 'jabber.ccchb.de'
     addr: '2a01:4f8:150:926f::13'
   - host: 'matrix.ccchb.de'
     addr: '2a01:4f8:150:926f::13'
-  - host: 'auth.ccchb.de'
-    addr: '2a01:4f8:150:926f::11'
+  - host: 'element.ccchb.de'
+    addr: '2a01:4f8:150:926f::13'
 
 haproxy_sni:
   - host: 'ccchb.de'
@@ -58,10 +60,14 @@ haproxy_sni:
     addr: '2a01:4f8:150:926f::11'
   - host: 'kasse.z1.ccchb.de'
     addr: '2a01:4f8:150:926f::11'
+  - host: 'kasse.zweigstelle.space'
+    addr: '2a01:4f8:150:926f::11'
   - host: 'jabber.ccchb.de'
     addr: '2a01:4f8:150:926f::13'
-  - host: 'auth.ccchb.de'
-    addr: '2a01:4f8:150:926f::11'
+  - host: 'matrix.ccchb.de'
+    addr: '2a01:4f8:150:926f::13'
+  - host: 'element.ccchb.de'
+    addr: '2a01:4f8:150:926f::13'
 
 bhyve_ipv4: 10.0.0.0
 bhyve_ipv6: 2a01:4f8:150:926f::4
@@ -91,7 +97,7 @@ bhyve_guests:
 
   - name: dn42
     index: 1
-    enabled: false
+    enabled: true
     ram: 1G
     cpus: 1
     image: debian-10.5.0-amd64-netinst.iso
@@ -122,7 +128,7 @@ bhyve_guests:
 
   - name: geno-playground
     index: 3
-    enabled: false
+    enabled: true
     ram: 4G
     cpus: 4
     password: foobar
@@ -169,7 +175,7 @@ bhyve_guests:
   - name: wiki
     index: 6
     enabled: true
-    ram: 2G
+    ram: 1G
     cpus: 1
     image: debian-10.5.0-amd64-netinst.iso
     password: foobar
@@ -213,19 +219,3 @@ bhyve_guests:
           volsize: 128g
           volblocksize: 64k
           primarycache: metadata
-
-  - name: frab
-    index: 9
-    enabled: false
-    ram: 1G
-    cpus: 1
-    image: ubuntu-22.04.1-live-server-amd64.iso
-    password: foobar
-    order:
-      - DISKS
-    disks:
-      - name: disk
-        properties:
-          volsize: 128g
-          volblocksize: 64k
-          primarycache: metadata

host_vars/frab.emma.ccchb.de.yml

@@ -1,15 +0,0 @@
-vm_index: 9
-
-user_mgmt:
-  crest:
-    state: present
-    groups: sudo
-  fritz:
-    state: present
-    groups: sudo
-  humm:
-    state: present
-    groups: sudo
-  blazr:
-    state: present
-    groups: sudo

host_vars/gitea.emma.ccchb.de.yml

@@ -1,6 +1,6 @@
 vm_index: 2
 
-gitea_version: "1.21.2"
+gitea_version: "1.13.0"
 gitea_app_name: "dev.ccchb.de"
 
 # technical:
@@ -14,7 +14,7 @@ gitea_systemd_cap_net_bind_service: true
 gitea_http_letsencrypt_mail: "webmaster@ccchb.de"
 
 gitea_ssh_domain: "dev.ccchb.de"
-gitea_ssh_listen: "::"
+gitea_ssh_listen: "[::]" 
 gitea_ssh_port: 2222
 gitea_start_ssh: true
 
@@ -29,9 +29,6 @@ gitea_require_signin: false
 gitea_register_email_confirm: true
 gitea_enable_captcha: true
 
-gitea_disable_registration: false
-gitea_only_allow_external_registration: true
-
 # privacy:
 gitea_offline_mode: true
 gitea_disable_gravatar: true
@@ -48,6 +45,3 @@ user_mgmt:
   humm:
     state: present
     groups: sudo
-  fritz:
-    state: present
-    groups: sudo

hosts/10_frab

@@ -1,2 +0,0 @@
-[frab]
-frab.emma.ccchb.de

jabber.yml

@@ -1,8 +0,0 @@
----
-- hosts:
-    - jabber
-  become: yes
-  tags: [jabber]
-  roles:
-    - certbot
-    - prosody

library/sysrc

@@ -1,4 +1,4 @@
-#!/usr/local/bin/python3
+#!/usr/local/bin/python3.7
 # -*- coding: utf-8 -*-
 #
 # (c) 2014, David Lundgren <dlundgren@syberisle.net>

mail.yml

@@ -7,7 +7,7 @@
   tasks:
     - name: Install passlib
       package:
-        name: py39-passlib
+        name: py38-passlib
         state: present
 
 - hosts:

roles/gitea

@@ -1 +1 @@
-Subproject commit 751d0d724ba63c6251fafad9e80a480d6bc5043f
+Subproject commit 1aa082a2101c69f8cfc13a31604991b0c3dfa8e5

roles/gitea-ccchb/files/templates/base/head.tmpl

@@ -0,0 +1,172 @@
+<!DOCTYPE html>
+<html lang="{{.Language}}" class="theme-{{.SignedUser.Theme}}">
+<head data-suburl="{{AppSubUrl}}">
+	<meta charset="utf-8">
+	<meta name="viewport" content="width=device-width, initial-scale=1">
+	<meta http-equiv="x-ua-compatible" content="ie=edge">
+	<title>{{if .Title}}{{.Title | RenderEmojiPlain}} - {{end}} {{if .Repository.Name}}{{.Repository.Name}} - {{end}}{{AppName}} </title>
+	<link rel="manifest" href="{{AppSubUrl}}/manifest.json" crossorigin="use-credentials">
+	<meta name="theme-color" content="{{ThemeColorMetaTag}}">
+	<meta name="author" content="{{if .Repository}}{{.Owner.Name}}{{else}}{{MetaAuthor}}{{end}}" />
+	<meta name="description" content="{{if .Repository}}{{.Repository.Name}}{{if .Repository.Description}} - {{.Repository.Description}}{{end}}{{else}}{{MetaDescription}}{{end}}" />
+	<meta name="keywords" content="{{MetaKeywords}}">
+	<meta name="referrer" content="no-referrer" />
+	<meta name="_csrf" content="{{.CsrfToken}}" />
+	{{if .IsSigned}}
+		<meta name="_uid" content="{{.SignedUser.ID}}" />
+	{{end}}
+	{{if .ContextUser}}
+		<meta name="_context_uid" content="{{.ContextUser.ID}}" />
+	{{end}}
+	{{if .SearchLimit}}
+		<meta name="_search_limit" content="{{.SearchLimit}}" />
+	{{end}}
+{{if .GoGetImport}}
+	<meta name="go-import" content="{{.GoGetImport}} git {{.CloneLink.HTTPS}}">
+	<meta name="go-source" content="{{.GoGetImport}} _ {{.GoDocDirectory}} {{.GoDocFile}}">
+{{end}}
+	<script>
+	{{SafeJS `/*
+	@licstart  The following is the entire license notice for the
+        JavaScript code in this page.
+
+	Copyright (c) 2016 The Gitea Authors
+	Copyright (c) 2015 The Gogs Authors
+
+	Permission is hereby granted, free of charge, to any person obtaining a copy
+	of this software and associated documentation files (the "Software"), to deal
+	in the Software without restriction, including without limitation the rights
+	to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+	copies of the Software, and to permit persons to whom the Software is
+	furnished to do so, subject to the following conditions:
+
+	The above copyright notice and this permission notice shall be included in
+	all copies or substantial portions of the Software.
+
+	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+	IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+	AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+	LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+	OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+	THE SOFTWARE.
+	---
+	Licensing information for additional javascript libraries can be found at:
+	  {{StaticUrlPrefix}}/vendor/librejs.html
+
+	@licend  The above is the entire license notice
+        for the JavaScript code in this page.
+	*/`}}
+	</script>
+	<script>
+		window.config = {
+			AppVer: '{{AppVer}}',
+			AppSubUrl: '{{AppSubUrl}}',
+			StaticUrlPrefix: '{{StaticUrlPrefix}}',
+			UseServiceWorker: {{UseServiceWorker}},
+			csrf: '{{.CsrfToken}}',
+			HighlightJS: {{if .RequireHighlightJS}}true{{else}}false{{end}},
+			Minicolors: {{if .RequireMinicolors}}true{{else}}false{{end}},
+			SimpleMDE: {{if .RequireSimpleMDE}}true{{else}}false{{end}},
+			Tribute: {{if .RequireTribute}}true{{else}}false{{end}},
+			U2F: {{if .RequireU2F}}true{{else}}false{{end}},
+			Heatmap: {{if .EnableHeatmap}}true{{else}}false{{end}},
+			heatmapUser: {{if .HeatmapUser}}'{{.HeatmapUser}}'{{else}}null{{end}},
+			NotificationSettings: {
+				MinTimeout: {{NotificationSettings.MinTimeout}},
+				TimeoutStep:  {{NotificationSettings.TimeoutStep}},
+				MaxTimeout: {{NotificationSettings.MaxTimeout}},
+				EventSourceUpdateTime: {{NotificationSettings.EventSourceUpdateTime}},
+			},
+      {{if .RequireTribute}}
+			tributeValues: [
+				{{ range .Assignees }}
+				{key: '{{.Name}} {{.FullName}}', value: '{{.Name}}',
+				name: '{{.Name}}', fullname: '{{.FullName}}', avatar: '{{.RelAvatarLink}}'},
+				{{ end }}
+			],
+			{{end}}
+		};
+	</script>
+	<link rel="shortcut icon" href="{{StaticUrlPrefix}}/img/favicon.png">
+	<link rel="mask-icon" href="{{StaticUrlPrefix}}/img/gitea-safari.svg" color="#609926">
+	<link rel="fluid-icon" href="{{StaticUrlPrefix}}/img/gitea-lg.png" title="{{AppName}}">
+	<link rel="stylesheet" href="{{StaticUrlPrefix}}/vendor/assets/font-awesome/css/font-awesome.min.css">
+{{if .RequireSimpleMDE}}
+	<link rel="stylesheet" href="{{StaticUrlPrefix}}/vendor/plugins/simplemde/simplemde.min.css">
+{{end}}
+
+{{if .RequireTribute}}
+	<link rel="stylesheet" href="{{StaticUrlPrefix}}/vendor/plugins/tribute/tribute.css">
+{{end}}
+	<link rel="stylesheet" href="{{StaticUrlPrefix}}/fomantic/semantic.min.css?v={{MD5 AppVer}}">
+	<link rel="stylesheet" href="{{StaticUrlPrefix}}/css/index.css?v={{MD5 AppVer}}">
+	<noscript>
+		<style>
+			.dropdown:hover > .menu { display: block; }
+			.ui.secondary.menu .dropdown.item > .menu { margin-top: 0; }
+		</style>
+	</noscript>
+{{if .RequireMinicolors}}
+	<link rel="stylesheet" href="{{StaticUrlPrefix}}/vendor/plugins/jquery.minicolors/jquery.minicolors.css">
+{{end}}
+	<style class="list-search-style"></style>
+{{if .PageIsUserProfile}}
+	<meta property="og:title" content="{{.Owner.Name}}" />
+	<meta property="og:type" content="profile" />
+	<meta property="og:image" content="{{.Owner.AvatarLink}}" />
+	<meta property="og:url" content="{{.Owner.HTMLURL}}" />
+	{{if .Owner.Description}}
+		<meta property="og:description" content="{{.Owner.Description}}">
+	{{end}}
+{{else if .Repository}}
+	{{if .Issue}}
+		<meta property="og:title" content="{{.Issue.Title}}" />
+		<meta property="og:url" content="{{.Issue.HTMLURL}}" />
+		{{if .Issue.Content}}
+			<meta property="og:description" content="{{.Issue.Content}}" />
+		{{end}}
+	{{else}}
+		<meta property="og:title" content="{{.Repository.Name}}" />
+		<meta property="og:url" content="{{.Repository.HTMLURL}}" />
+		{{if .Repository.Description}}
+			<meta property="og:description" content="{{.Repository.Description}}" />
+		{{end}}
+	{{end}}
+	<meta property="og:type" content="object" />
+	<meta property="og:image" content="{{.Repository.Owner.AvatarLink}}" />
+{{else}}
+	<meta property="og:title" content="{{AppName}}">
+	<meta property="og:type" content="website" />
+	<meta property="og:image" content="{{StaticUrlPrefix}}/img/gitea-lg.png" />
+	<meta property="og:url" content="{{AppUrl}}" />
+	<meta property="og:description" content="{{MetaDescription}}">
+{{end}}
+<meta property="og:site_name" content="{{AppName}}" />
+{{if .IsSigned }}
+	{{ if ne .SignedUser.Theme "gitea" }}
+		<link rel="stylesheet" href="{{StaticUrlPrefix}}/css/theme-{{.SignedUser.Theme}}.css?v={{MD5 AppVer}}">
+	{{end}}
+{{else if ne DefaultTheme "gitea"}}
+	<link rel="stylesheet" href="{{StaticUrlPrefix}}/css/theme-{{DefaultTheme}}.css?v={{MD5 AppVer}}">
+{{end}}
+{{template "custom/header" .}}
+</head>
+<body>
+	{{template "custom/body_outer_pre" .}}
+
+	<div class="full height">
+		<noscript>{{.i18n.Tr "enable_javascript"}}</noscript>
+
+		{{template "custom/body_inner_pre" .}}
+
+		{{if not .PageIsInstall}}
+			<div class="ui top secondary stackable main menu following bar light inverted">
+				{{template "base/head_navbar" .}}
+			</div><!-- end bar -->
+		{{end}}
+{{/*
+	</div>
+</body>
+</html>
+*/}}

roles/prosody/defaults/main.yml

@@ -1,12 +1,44 @@
 ---
 prosody_domain: "jabber.ccchb.de"
-prosody_ssl_cert: "/etc/prosody/certs/fullchain.pem"
-prosody_ssl_key: "/etc/prosody/certs/privkey.pem"
+prosody_ssl_cert: "/etc/letsencrypt/live/{{ prosody_domain }}/fullchain.pem"
+prosody_ssl_key: "/etc/letsencrypt/live/{{ prosody_domain }}/privkey.pem"
 prosody_allow_registration: false
-
-prosody_http_url: "https://jabber.ccchb.de/"
-prosody_turn_server: "einstein.cskreie.de"
-prosody_turn_secret: "gabbagabbahey"
+prosody_modules:
+  - roster
+  - saslauth
+  - tls
+  - dialback
+  - disco
+  - private
+  - bookmarks
+  - vcard
+  - proxy65
+  - legacyauth
+  - version
+  - uptime
+  - time
+  - ping
+  - pep
+  - register
+  - adhoc
+  - admin_adhoc
+  - posix
+  - bosh
+  - websocket
+  - groups
+  - announce
+  - watchregistrations
+  - blocking
+  - smacks
+  - carbons
+  - cloud_notify
+  - csi
+  - mam
+  - filter_chatstates
+  - throttle_presence
+  - http_upload
+  - turncredentials
+  - vcard_legacy
 
 prosody_nginx_install: true
 prosody_nginx_conf: |

roles/prosody/tasks/main.yml

@@ -16,6 +16,6 @@
 - name: Configure prosody
   template:
     src: prosody.cfg.lua.j2
-    dest: /etc/prosody/prosody.cfg.lua
+    dest: /etc/prosody/prosody_test.cfg.lua
 
 ...

roles/prosody/templates/nginx.j2

@@ -15,8 +15,4 @@ server {
 		proxy_set_header Host {{ prosody_domain }};
 		proxy_pass http://127.0.0.1:5280/upload;
 	}
-	
-	location /file_share {
-		proxy_pass http://127.0.0.1:5280/file_share;
-	}
 }

roles/prosody/templates/prosody.cfg.lua.j2

@@ -1,73 +1,126 @@
+-- Prosody XMPP Server Configuration
 -- {{ ansible_managed }}
 
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see http://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
 admins = { "deelkar@jabber.ccchb.de", "freak@jabber.ccchb.de", "jali@jabber.ccchb.de" }
 
-use_libevent = true;
+-- Enable use of libevent for better performance under high load
+-- For more information see: http://prosody.im/doc/libevent
+use_libevent = false;
+
+plugin_paths = { "/opt/prosody-modules" }
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation on modules can be found at: http://prosody.im/doc/modules
 modules_enabled = {
-	-- Generally required
-	"roster";
-	"saslauth";
-	"tls";
-	"dialback";
-	"disco";
-	"posix";
-	"private";
-
-	-- Nice to have
-	"version";
-	"uptime";
-	"time";
-	"ping";
-	"pep";
-	"register";
-
-	-- Admin interfaces
-	"admin_adhoc";
-	"admin_shell";
-
-	-- HTTP modules
-	"bosh";
-	"http_files";
-	"http_file_share";
-
-	-- Other specific functionality
-	"groups";
-	"watchregistrations";
-	"turn_external";
-	"carbons";
-	"blocklist";
-	"mam";
-	"csi_simple";
-	"vcard_legacy";
-	"proxy65";
+	{% for module in prosody_modules %}
+	"{{ module }}";
+	{% endfor %}
 };
 
-allow_registration = {% if prosody_allow_registration then "True" else "False" %};
+-- These modules are auto-loaded, should you
+-- (for some mad reason) want to disable
+-- them then uncomment them below
+modules_disabled = {
+	-- "presence"; -- Route user/contact status information
+	-- "message"; -- Route messages
+	-- "iq"; -- Route info queries
+	-- "offline"; -- Store offline messages
+};
 
-c2s_require_encryption = true
-s2s_secure_auth = false
+-- Disable account creation by default, for security
+-- For more information see http://prosody.im/doc/creating_accounts
+allow_registration = {{ prosody_allow_registration }};
 
--- PID file, necessary for prosodyctl
-pidfile = "/var/run/prosody/prosody.pid"
+-- These are the SSL/TLS-related settings. If you don't want
+-- to use SSL/TLS, you may comment or remove this
+-- *** DUMMY CERT *** DO NOT CHANGE *** SET CERT IN HOST SECTION ***
+ssl = {
+	protocol = "sslv23";
+	key = "{{ prosody_ssl_key }}";
+	certificate = "{{ prosody_ssl_cert }}";
+	dhparam = "/etc/prosody/certs/dh-2048.pem";
+	options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
+        ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM";
+}
+legacy_ssl_ports = { 5223 }
+http_external_url = "https://{{ prosody_domain }}/"
+
+-- Only allow encrypted streams? Encryption is already used when
+-- available. These options will cause Prosody to deny connections that
+-- are not encrypted. Note that some servers do not support s2s
+-- encryption or have it disabled, including gmail.com and Google Apps
+-- domains.
+
+--c2s_require_encryption = false
+--s2s_require_encryption = false
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+-- To allow Prosody to offer secure authentication mechanisms to clients, the
+-- default provider stores passwords in plaintext. If you do not trust your
+-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
+-- for information about using the hashed backend.
 
 authentication = "internal_hashed"
 
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See http://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- STUN/TURN
+--turncredentials_host = "jabber.emma.ccchb.de"
+turncredentials_host = "einstein.cskreie.de"
+turncredentials_secret = "gabbagabbahey"
+
+
+-- HTTP-UPLOAD
+http_upload_file_size_limit = 10485760 -- 10M
+http_max_content_size = 20971520 -- 20M
+http_upload_quota =  104857600 -- 100M
+http_upload_expire_after = 2592000 -- 30d
+
+-- Logging configuration
+-- For advanced logging see http://prosody.im/doc/logging
+-- Hint: If you create a new log file or rename them, don't forget 
+-- to update the logrotate config at /etc/logrotate.d/prosody
 log = {
+        -- Log all error messages to prosody.err
 	error = "/var/log/prosody/prosody.err";
+        -- Log everything of level "info" and higher (that is, all except "debug" messages)
+        -- to prosody.log
+        -- info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging
+        -- debug = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging
+        --"*syslog"; -- Uncomment this for logging to syslog
 }
 
--- TODO: Fix escaping
-http_external_url = "{{ prosody_http_url }}"
-trusted_proxies = { "127.0.0.1", "::1", "192.168.1.1", }
-
--- TURN Server
-turn_external_host = "{{ prosody_turn_server }}"
-turn_external_secret = "{{ prosody_turn_secret }}"
+-- Pidfile, used by prosodyctl and the init.d script
+pidfile = "/var/run/prosody/prosody.pid";
 
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
 
 VirtualHost "localhost"
 
-VirtualHost "jabber.ccchb.de"
+VirtualHost "{{ prosody_domain }}"
 	enabled = true -- Remove this line to enable this host
 
 	-- Assign this host a certificate for TLS, otherwise it would use the one
@@ -75,18 +128,33 @@ VirtualHost "jabber.ccchb.de"
 	-- Note that old-style SSL on port 5223 only supports one certificate, and will always
 	-- use the global one.
 	ssl = {
-		protocol = "tlsv1_2+";
+		protocol = "sslv23";
 		key = "{{ prosody_ssl_key }}";
 		certificate = "{{ prosody_ssl_cert }}";
-		dhparam = "/etc/prosody/certs/dh-2048.pem";
-		-- TODO: Evaluate allowed ciphers
-		ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM";
+	       dhparam = "/etc/prosody/certs/dh-2048.pem";
+	       options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
+        	ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM";
 	}
 
-Component "muc.jabber.ccchb.de" "muc"
-	modules_enabled = {
-		"vcard_muc",
-		"muc_mam"
-	}
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see http://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+Component "muc.{{ prosody_domain }}" "muc"
+modules_enabled = {
+  "vcard_muc", "muc_mam",
+}
+-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
+--Component "proxy.example.com" "proxy65"
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: http://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+--	component_secret = "password"
 
-Component "upload.jabber.ccchb.de" "http_file_share"

site.yml

@@ -7,4 +7,3 @@
 - import_playbook: mail.yml
 - import_playbook: restic.yml
 - import_playbook: wiki.yml
-- import_playbook: users.yml

users.yml

@@ -1,6 +0,0 @@
----
-- hosts: debian frab
-  become: yes
-  tags: [user_mgmt]
-  roles:
-    - user_mgmt