Migration commit; fresh start

muppeth 2021-03-14 11:00:16 +01:00
parent 54b69b6008
commit e432dedde4
Signed by: muppeth
GPG key ID: 0EBC7B9848D04031
39 changed files with 1234 additions and 3 deletions

3
.gitignore vendored Normal file

@ -0,0 +1,3 @@
.vagrant
.vagrant/*
*log
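Review bot: `*log` on the last line ignores any path whose name ends in "log", not just log files (a directory or script called `catalog` would vanish from the repo too); `*.log` is the conventional pattern. `.vagrant/*` is redundant once `.vagrant` itself is listed.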

3
CHANGELOG.md Normal file

@ -0,0 +1,3 @@
# Prosody role - Changelog
- 14.02.2021 - Public release of this role

26
DNS_configuration.md Normal file

@ -0,0 +1,26 @@
# DNS Configuration
It is important that you carefully read [https://prosody.im/doc/dns](https://prosody.im/doc/dns) to set up your server DNS.
Go on your DNS provider, and set your DNS records like this:
_xmpp-client._tcp.server.org. 18000 SRV 0 5 5222 xmpp.server.org.
_xmpp-server._tcp.server.org. 18000 SRV 0 5 5269 xmpp.server.org.
_xmpps-client._tcp.server.org. 18000 SRV 0 5 5223 xmpp.server.org.
server.org. 3600 A YOUR_IP_ADDRESS
www.server.org. 3600 A YOUR_IP_ADDRESS
muc.server.org. 3600 A YOUR_IP_ADDRESS
pub.server.org. 3600 A YOUR_IP_ADDRESS
proxy.server.org. 3600 A YOUR_IP_ADDRESS
Where:
- **YOUR_IP_ADDRESS** is your server IP address, something in this form 51.25.62.125
- **server.org** is your domain
- **xmpp.server.org** is your xmpp target domain
- **3600**, **18000** are the TTL (time-to-live)
- **0** is the priority
- **5** is the weight
- **5222**, **5269**, **5223** are the ports the services are running on, clients will typically connect to 5222, and servers to 5269.
- **muc** is the name you set for your muc server
- **pub** is the name you set for your pubsub server
- **proxy** is the name you set for your proxy server
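Review bot: the three SRV records target `xmpp.server.org.` but the A records listed below cover only `server.org`, `www`, `muc`, `pub` and `proxy`; without an A/AAAA record for `xmpp.server.org` (an address record, not a CNAME, which SRV targets may not point at) neither clients nor peer servers can connect. The `_xmpps-client` record on 5223 advertises direct TLS, yet nothing in this commit's defaults opens a 5223 listener; add that port to the main config or drop the record so clients do not burn a connection attempt on it. The example hostnames also disagree with the role's own defaults (`chat.example.org` in defaults/muc.yml, `pubsub.example.org` in defaults/pubsub.yml, `proxy.example.com` in defaults/proxy.yml, and no record at all for the http_upload component), and the page should state that the TLS certificate must cover every component hostname, since each conf.d template loads `privkey.pem`/`fullchain.pem` from a directory named after the component.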


@ -1,4 +1,4 @@
MIT License Copyright (c) <year> <copyright holders>
MIT License Copyright (c) 2021 "Stichting Disroot.org"
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal

17
Playbooks/prosody.yml Normal file

@ -0,0 +1,17 @@
---
- hosts: prosody
roles:
- prosody
vars_files:
- ../defaults/main.yml
- ../defaults/bosh.yml
- ../defaults/custom_components.yml
- ../defaults/saslauth.yml
- ../defaults/mod.yml
- ../defaults/muc.yml
- ../defaults/proxy.yml
- ../defaults/pubsub.yml
- ../defaults/http_upload.yml
- ../defaults/vhost.yml
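Review bot: loading the role's own `defaults/*.yml` through `vars_files` promotes those values to play-level precedence, which outranks inventory `host_vars`/`group_vars`; an operator who sets `prosody_sql_passwd` or `ldap_password` per host will silently keep the `changeme` defaults. Role defaults are already picked up automatically as the lowest-precedence layer, so drop the `vars_files` list (or document that overrides must come through `-e`). The `../defaults/` paths also only resolve when the playbook is invoked from this checkout, and `roles: - prosody` relies on the checkout root being on `roles_path`, which nothing in the commit configures.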

25
README.MD Normal file

@ -0,0 +1,25 @@
# Prosody - Ansible Role
This role deploys [prosody](https://prosody.im) XMPP server with all needed dependencies and prosody community modules.
You can deploy a test instance using `Vagrantfile` attached to the role. This role is released under MIT Licence. We do not give no warranty for this software.
# Run in production
To run this role in production, do not forget to set your DNS as explained [here](./DNS_configuration.md) and to change all vars from files in `default/` to what you need.
The role's defaults should be already dpeloying fully funcitonal and modern XMPP Server. It allows to add/remove any additional module (whether core or community).
# Run test in Vagrant
To have it work using vagrant:
- `cd prosody` where `prosody`is the name of this repo.
- `vagrant up` to build up the Virtual Environment.
- and `ansible-playbook -b Playbooks/prosody.yml` to deploy Prosody on the Virtual Environment.
# Setup turnserver for viop
If you want to use viop, you need to set `turncredentials` to `true` in `default/mod.yml`. This feature depends on a third party service that needs to be installed seperatelly: coturn. To see how to set it, check [Prosody's documentation](https://prosody.im/doc/coturn)
# Add LDAP authentication and vhosts
To add LDAP authentication, edit `defaults/vhost.yml`, change `auth_method` from `internal_hashed` to `ldap` and change the LDAP vars in `prosody_ldap_config`.
This role supports multiple vhosts.
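Review bot: the paths and switches named here do not match the tree: the directory is `defaults/`, not `default/`, and VoIP is enabled by setting `module_enabled: 'true'` on the `turncredentials` entry in `defaults/mod.yml`, not by a top-level `turncredentials` key. Spelling: "dpeloying" for "deploying", "funcitonal" for "functional", "viop" for "VoIP" (three times), "seperatelly" for "separately", "Licence" for "License", and "We do not give no warranty" is a double negative. The production section should also tell operators to replace every placeholder secret before deploying (`changeme` in defaults/main.yml, defaults/custom_components.yml and defaults/vhost.yml, `mysecret` in defaults/mod.yml) and to point `prosody_ssl_key`/`prosody_ssl_cert` at real files, and the Vagrant steps need to say where the inventory defining the `prosody` host comes from, since `ansible-playbook -b Playbooks/prosody.yml` is given without `-i`.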


@ -1,2 +0,0 @@
# prosody

20
Vagrantfile vendored Normal file

@ -0,0 +1,20 @@
# -*- mode: ruby -*-
# vi: set ft=ruby :
# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure("2") do |config|
#config.ssh.insert_key = false
config.vm.define "prosody" do |prosody|
prosody.vm.box = "generic/debian10"
prosody.vm.provider :libvirt do |libvirt|
libvirt.memory = 256
end
prosody.vm.network "forwarded_port", guest: 80, host: 8884, host_ip: "192.168.33.5"
prosody.vm.network "forwarded_port", guest: 443, host: 4444, host_ip: "192.168.33.5"
prosody.vm.network "forwarded_port", guest: 8080, host: 8081, host_ip: "192.168.33.5"
prosody.vm.network "private_network", ip: "192.168.33.5"
end
end
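Review bot: the forwarded ports (80, 443, 8080) correspond to nothing the role listens on; XMPP c2s/s2s are 5222/5269 and BOSH/HTTP are 5280/5281 per defaults/bosh.yml, and because the guest already has a `private_network` address, `host_ip: "192.168.33.5"` forwards to the same IP the guest answers on directly. Either forward 5222/5269/5280/5281 or delete the `forwarded_port` lines. `libvirt.memory = 256` is tight for a box that also runs apt, luarocks and a full `hg clone` of prosody-modules during provisioning; 512 MB is a safer test default.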

8
defaults/bosh.yml Normal file

@ -0,0 +1,8 @@
## BOSH
prosody_bosh_enabled: 'true' # used in configure.yml
prosody_bosh_ports: '5281, 5280 '
prosody_bosh_max_inactivity: '60'
prosody_bosh_secure: 'true'
prosody_bosh_cross_domain: 'true'
prosody_ssl_key: '/path/to/key'
prosody_ssl_cert: '/path/to/cert'
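Review bot: `prosody_bosh_secure: 'true'` renders as `consider_bosh_secure = true`, which makes Prosody treat plaintext BOSH on port 5280 as encrypted; that is only correct behind a TLS-terminating reverse proxy, and the Vagrant setup has none, so clients would send credentials in clear while the encryption requirement is considered satisfied. Default it to 'false' and document when to enable it. `prosody_ssl_key: '/path/to/key'` and `prosody_ssl_cert: '/path/to/cert'` are placeholders that the BOSH template writes into a global `ssl = {}` table, so a deploy with untouched defaults points TLS at files that do not exist; derive them from `prosody_certificates` like the component templates do, or make the block conditional. `'5281, 5280 '` also carries a stray trailing space.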


@ -0,0 +1,7 @@
# prosody_custom_components
prosody_custom_components_enabled: 'false'
prosody_custom_components:
- name: "component.example.org"
secret: "changeme"
ssl: false
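Review bot: the default entry ships `secret: "changeme"` for `component.example.org`; a component secret is a shared password that lets anything reaching the component port bind as that JID, so the example should carry no usable secret (empty, with the template failing when it is empty) and the README should direct real secrets to Ansible Vault. `ssl: false` is a YAML boolean while every other flag in these defaults is the string `'false'` and tasks/configure.yml compares `prosody_custom_components_enabled == 'true'`; pick one convention.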

8
defaults/http_upload.yml Normal file

@ -0,0 +1,8 @@
## http_upload
prosody_http_upload_enabled: 'false'
# prosody_http_upload_component: upload.example.org
# prosody_http_upload_file_size_limit = 10485760 -- 10MB
# prosody_http_upload_expire_after = 15780000 -- 6 month in seconds
# prosody_http_upload_path = "/srv/prosody/files"
# prosody_http_upload_quota = 1234 --bytes, maximum size of all uploaded files per user
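Review bot: the commented examples are written in Lua (`= 10485760 -- 10MB`), so uncommenting them yields invalid YAML, and every variable the http_upload template references (`prosody_http_upload_component`, `_file_size_limit`, `_expire_after`, `_path`, `_quota`) is undefined by default, so `prosody_http_upload_enabled: 'true'` fails on an undefined variable. Define them as real YAML keys with sane defaults. Note also that `http_upload` is already enabled as a host module in defaults/mod.yml with its own limits (1 MiB, one week), so enabling this component loads the same module a second time with different settings; keep one of the two.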

56
defaults/main.yml Normal file

@ -0,0 +1,56 @@
---
container_distribution: 'stretch'
backports_uri: http://ftp.nl.debian.org/debian/
backports_components: "{{ container_distribution }}-backports main contrib non-free"
prosody_admins: "'admin@example.org'"
prosody_contact_info: "'support@example.org'"
prosody_abuse_info: "'abuse@example.org'"
prosody_core_modules_path: "/usr/lib/prosody/modules/"
prosody_community_modules_path: "/usr/lib/prosody-modules"
prosody_custom_script_path: '/etc/prosody/custom_scripts'
prosody_statistics: ''
firewall_module_enabled: 'true'
## Firewall: list here what you want to block
firewall_servers_blocked:
- server1.org
- server2.org
firewall_users_blocked:
- user@server.org
- user2@server.org
#PROSODY CONFIG
prosody_allow_registration: 'false'
prosody_certificates: 'certs'
server_name: 'example.org'
prosody_c2s_encryption: 'true'
prosody_s2s_auth: 'false'
prosody_s2s_encryption: 'true'
prosody_insecure_domains: 'server_insecure_address.com'
prosody_secure_domains: 'server_secure_address.com'
prosody_stanza_size_limit: '10000000'
prosody_storage: 'internal'
prosody_network_backend: "epoll"
prosody_http_host: "example.org"
prosody_http_external_url: "https://example.org"
#If using sql storage
prosody_sql_driver: 'SQLite3'
prosody_sql_databasename: 'prosody'
prosody_sql_username: 'admin'
prosody_sql_passwd: 'changeme'
prosody_sql_host: 'localhost'
prosody_loglevel: 'info'
prosody_log_path: '/var/log/prosody/prosody.log'
prosody_err_log: '/var/log/prosody/prosody.err'
#PROSODY EXTERNAL COMPONENT
## uncomment if you want component to listen on external interface
#prosody_external_interface:
# - component_ports: '5347'
# component_interface: 'example.org'
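Review bot: `prosody_s2s_auth: 'false'` (presumably the value of `s2s_secure_auth`) lets any remote server federate without presenting a valid certificate, falling back to dialback; the safer default is 'true' with known exceptions listed in `prosody_insecure_domains`. `prosody_stanza_size_limit: '10000000'` raises the stanza limit to 10 MB, roughly forty times Prosody's 256 KiB c2s default, so a single unauthenticated connection can make the server buffer 10 MB; drop it unless a concrete use case needs it. `prosody_admins: "'admin@example.org'"` embeds single quotes, and defaults/mod.yml interpolates it into `"mailto:{{ prosody_admins }}"`, producing `mailto:'admin@example.org'`; store bare JIDs and add the Lua quoting in the template. `prosody_sql_passwd: 'changeme'` is a plaintext default credential that belongs in Vault. `container_distribution: 'stretch'` and the backports lines are stale for the Debian 10 box in the Vagrantfile and unused by tasks/install.yml (which uses `ansible_distribution_release`), and the commented `component_interface: 'example.org'` gives a hostname where Prosody expects an interface address.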

276
defaults/mod.yml Normal file

@ -0,0 +1,276 @@
prosody_modules:
- name: 'roster'
description: 'Allow users to have a roster.'
module_enabled: 'true'
- name: 'saslauth'
description: 'Authentication for clients and servers. Recommended if you want to log in.'
module_enabled: 'true'
- name: 'tls'
description: 'Add support for secure TLS on c2s/s2s connections'
module_enabled: 'true'
- name: 'dialback'
description: 's2s dialback support'
module_enabled: 'true'
- name: 'compat_dialback'
description: 'This module provides a workaround for servers that do not set the to attribute on stream headers, which is required per RFC6120'
module_enabled: 'true'
- name: 'disco'
description: 'Service discovery'
module_enabled: 'true'
- name: 'private'
description: 'Private XML storage'
module_enabled: 'true'
- name: 'vcard4'
description: 'User profiles (stored in PEP)'
module_enabled: 'true'
- name: 'vcard_legacy'
description: 'Conversion between legacy vCard and PEP Avatar'
module_enabled: 'true'
- name: 'version'
description: 'Replies to server version requests'
module_enabled: 'true'
- name: 'uptime'
description: 'Report how long server has been running'
module_enabled: 'true'
- name: 'time'
description: 'Let others know the time here on this server'
module_enabled: 'true'
- name: 'ping'
description: 'Replies to XMPP pings with pongs'
module_enabled: 'true'
- name: 'pep'
description: 'Enables users to publish their mood, activity, playing music and more'
module_enabled: 'true'
- name: 'carbons'
description: 'Keep multiple clients in sync'
module_enabled: 'true'
- name: 'register'
description: 'Allow users to register on this server using a client and change passwords'
module_enabled: 'false'
- name: 'carbons_adhoc' # not sure it is needed Zash says if you dont knwo what it is probably you dont need it
description: 'carbons for legacy clients'
module_enabled: 'false'
- name: 'carbons_copies' # not sure it is needed Zash says if you dont knwo what it is probably you dont need it
description: 'carbons for legacy clients'
module_enabled: 'false'
- name: 'smacks'
description: 'Allows to resume a disconnected session and prevents message loss'
module_enabled: 'true'
- name: 'default_bookmarks'
description: 'Add a default bookmarks to new users'
module_enabled: 'true'
extra_options:
- 'default_bookmarks = { jid = "room@muc.server.com", name = "Shared room" };'
- name: 'cloud_notify'
description: 'Allows clients to register an “app server”.'
module_enabled: 'true'
extra_options:
- 'push_notification_important_body = "Important message";'
- 'push_notification_with_body = false -- Whether or not to send the message body to remote pubsub node'
- 'push_notification_with_sender = false -- Whether or not to send the message sender to remote pubsub node'
- 'push_max_errors = 5 -- persistent push errors are tolerated before notifications for the identifier in question are disabled'
- 'push_max_devices = 3 -- number of allowed devices per user'
- name: 'csi'
description: 'Implements Client State Indication'
module_enabled: 'true'
- name: 'csi_simple'
description: 'Buffer unimportant traffic to inactive devices'
module_enabled: 'true'
- name: 'throttle_presence'
description: 'Cuts down on presence traffic when clients indicate they are inactive'
module_enabled: 'false'
- name: 'filter_chatstates'
description: 'https://modules.prosody.im/mod_filter_chatstates.html'
module_enabled: 'true'
- name: 'admin_adhoc'
description: 'Allows administration via an XMPP client that supports ad-hoc commands'
module_enabled: 'true'
- name: 'bosh'
description: 'Enable BOSH clients'
module_enabled: 'true'
- name: 'websocket'
description: 'Supports for XMPP connections over Websockets'
module_enabled: 'true'
extra_options:
- 'consider_websocket_secure = true'
- 'cross_domain_websocket = true'
- name: 'posix'
description: 'POSIX functionality, sends server to background, enables syslog, etc.'
module_enabled: 'true'
extra_options:
- 'daemonize = true'
- name: 'limits'
description: 'Enable bandwidth limiting for XMPP connections.'
module_enabled: 'false'
- name: 'groups'
description: 'Shared roster support.'
module_enabled: 'false'
- name: 'announce'
description: 'Send announcement to all online users'
module_enabled: 'true'
- name: 'welcome'
description: 'Welcome users who register accounts'
module_enabled: 'true'
- name: 'watchregistrations'
description: 'Alert admins of registrations'
module_enabled: 'false'
- name: 'motd'
description: 'Send a message to users when they log in'
module_enabled: 'true'
- name: 'legacyauth'
description: 'Legacy authentication. Only used by some old clients and bots.'
module_enabled: 'true'
- name: 'log_auth'
description: 'Log failed authentication attempts with their IP address'
module_enabled: 'true'
- name: 'register_redirect'
description: 'Registration Redirect.'
module_enabled: 'true'
extra_options:
- 'registrarion_url = "https://registration.example.com"'
- 'registration_text = "Your custom instructions banner here"'
- name: 'mam'
description: 'Implementation of XEP-0313: Message Archive Management https://modules.prosody.im/mod_mam.html'
module_enabled: 'true'
extra_options:
- 'max_archive_query_results = 50;'
- 'archive_expires_after = "6m"; -- six months'
- 'default_archive_policy = true; -- default'
- 'archive_cleanup_interval = 3600*24 -- how often it checks if there are messages older than archive_expires_after. In seconds.'
- name: 'blocklist'
description: 'ability to block users'
module_enabled: 'true'
- name: 'uptime_presence'
description: 'responds to a presence probe with timestamp from when the server was started'
module_enabled: 'true'
- name: 'bookmarks'
description: 'This module fetches users bookmarks from Private XML and pushes them to PEP on login'
module_enabled: 'true'
- name: 'admin_blocklist'
description: 'Uses the blocklists set by admins for blocking s2s connections'
module_enabled: 'true'
- name: 'presence_cache'
description: 'This module stores a timestamp of the latest presence received from users contacts'
module_enabled: 'true'
extra_options:
- 'presence_cache_size = 99'
- name: 'nodeinfo2'
description: 'This module exposes a nodeinfo2 .well-known URL for use e.g. from the-federation.info.'
module_enabled: 'true'
extra_options:
- 'nodeinfo2_expose_users = false -- if you dont want to expose statistics about the amount of users you host'
- 'nodeinfo2_expose_posts = false -- if you dont want to expose statistics about the amount of messages being exchanged by your users'
- name: 'lastlog'
description: 'Simple module that stores the timestamp of when a user logs in.'
module_enabled: 'true'
extra_options:
- 'lastlog_ip_address = false'
- 'lastlog_stamp_offline = false'
- name: 'http'
description: 'Prosody contains a mini built-in HTTP server, which is used for BOSH and other modules.'
module_enabled: 'true'
- name: 'watch_spam_reports'
description: 'This module sends a message to the server admins for incoming spam reports.'
module_enabled: 'true'
- name: 'spam_reporting'
description: 'When someone reports spam or abuse, a line about this is logged and an event is fired so that other modules can act on the report.'
module_enabled: 'true'
- name: 'server_contact_info'
description: 'Provides contact addresses.'
module_enabled: 'true'
extra_options:
- 'contact_info = {'
- 'admin = { "mailto:{{ prosody_admins }}", "xmpp:{{ prosody_admins }}" };'
- 'abuse = { "mailto:{{ prosody_abuse_info }}", "xmpp:{{ prosody_abuse_info }}" };'
- 'support = { "mailto:{{ prosody_contact_info }}", "xmpp:{{ prosody_contact_info }}" };'
- '};'
- name: 'turncredentials'
description: 'Setup turnserver for viop'
module_enabled: 'false'
extra_options:
- 'turncredentials_secret = mysecret'
- 'turncredentials_host = turn.example.com'
- 'turncredentials_port = 3478'
- 'turncredentials_ttl = 86400;'
- name: 'firewall'
description: 'Can efficiently block, bounce, drop, forward, copy, redirect stanzas and more.'
module_enabled: '{{ firewall_module_enabled }}'
extra_options:
- 'firewall_scripts = { "{{ prosody_community_modules_path }}/mod_firewall/scripts/spam-blocking.pfw", "{{ prosody_custom_script_path }}/servers_blocklist.pfw", "{{ prosody_custom_script_path }}/users_blocklist.pfw" }'
# spam-blocking.pfw is the default Prosody one, needed by the two following
- name: 'http_altconnect'
description: 'This module helps make BOSH and WebSocket connection endpoints discoverable via the HTTP'
module_enabled: 'true'
- name: 'http_upload'
description: 'Upload files via http'
module_enabled: 'true'
extra_options:
- 'http_upload_file_size_limit = 1024*1024 --bytes'
- 'http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds'
- 'http_upload_path = "/srv/prosody/files"'
- 'http_upload_quota = 1234 -- bytes, maximum size of all uploaded files per user'
- name: 'admin_blocklist'
description: 'This module uses the blocklists set by admins for blocking s2s connections'
module_enabled: 'true'
- name: 'statistics'
description: 'Provide statistic feed for monitoring'
module_enabled: 'true'
- name: 'checkcerts'
description: 'Checks your certificate to see if it is about to expire soon'
module_enabled: 'false'
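Review bot: the `turncredentials` extra_options are not valid Lua once the module is enabled: `turncredentials_secret = mysecret` assigns the undefined global `mysecret` (nil), and `turncredentials_host = turn.example.com` indexes the nil global `turn` and aborts config loading; both values need to be quoted strings. `registrarion_url` under `register_redirect` is misspelled, so the module never sees the redirect URL. `admin_blocklist` appears twice in the list. `legacyauth` defaults to 'true': XEP-0078 non-SASL auth exists only for ancient clients and sends the password in the stream as plaintext or a weak digest, so it should default to 'false'. `consider_websocket_secure = true` has the same caveat as `consider_bosh_secure`: it declares plaintext WebSocket connections encrypted and is only correct behind a TLS-terminating proxy, which the test setup does not have.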

54
defaults/muc.yml Normal file

@ -0,0 +1,54 @@
## MUC
prosody_muc_enabled: 'true'
prosody_muc:
- url: 'chat.example.org'
name: 'Example.org chatroom server'
restrict: 'false'
prosody_muc_modules:
- name: 'swedishchef'
description: 'This module does some conversions on message bodys passed through it causing them to look like our beloved swedish chef had typed them.'
module_enabled: 'false'
extra_options:
- 'swedishchef_trigger = "!chef"; -- optional, converts only when the message starts with "!chef"'
- name: 'muc_badge'
description: 'Add badges to muc room.'
module_enabled: 'true'
- name: 'bob'
description: 'This module extracts cid: URIs and replies with its content.'
module_enabled: 'true'
- name: 'muc_limits'
description: 'This module allows you to control the maximum rate of events in a MUC room.'
module_enabled: 'true'
extra_options:
- 'muc_event_rate = 0.5 -- The maximum number of events per second.'
- 'muc_burst_factor = 6 -- Allow temporary bursts of this multiple.'
- 'muc_max_nick_length = 64 -- The maximum allowed length of user nicknames'
- name: 'muc_mam'
description: 'Message Archive Management for MUC'
module_enabled: 'true'
extra_options:
- 'muc_log_by_default = true; -- Enable logging by default (can be disabled in room config)'
- 'muc_log_all_rooms = false; -- set to true to force logging of all rooms'
- 'max_history_messages = 20; -- This is the largest number of messages that are allowed to be retrieved when joining a room.'
- 'muc_log_presences = false; -- Archiving of joins and parts.'
- 'muc_log_expires_after = "6m" -- 6 months'
- 'muc_log_cleanup_interval = 3600*24 -- how often it checks if there are messages older than archive_expires_after. In seconds.'
- name: 'vcard_muc'
description: 'This module adds the ability to set vCard for MUC rooms.'
module_enabled: 'true'
- name: 'muc_moderation'
description: 'This module adds the ability to moderate a muc.'
module_enabled: 'true'
- name: 'muc_webchat_url'
description: 'Allows to make the webchat url discoverable via the XMPP service discovery protocol.'
module_enabled: 'true'
extra_options:
- 'muc_webchat_baseurl = "https://webchat.example.org/#converse/room?jid={jid}"'
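Review bot: `restrict: 'false'` renders as `restrict_room_creation = false`, so any user on any federated server can create rooms on this MUC, which is the usual spam and abuse vector for public XMPP services. Prosody accepts `restrict_room_creation = "local"` to limit creation to users of this server's own virtual hosts; make that the default (the MUC template will then need to quote the value). `muc_log_by_default = true` archives every room unless its owner turns logging off; that is a privacy policy choice worth stating in the README.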

5
defaults/proxy.yml Normal file

@ -0,0 +1,5 @@
## proxy
prosody_proxy65_enabled: 'true'
prosody_proxy65_url: 'proxy.example.com' # used in proxy65.cfg.lua.j2
prosody_proxy65_address: 'example.com'
prosody_proxy65_acl: 'example.com'
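Review bot: `prosody_proxy65_acl: 'example.com'` and `prosody_proxy65_address: 'example.com'` duplicate `server_name` from defaults/main.yml; if an operator changes `server_name` alone, the ACL still names example.com and no local user may use the proxy. Default both to `"{{ server_name }}"`. mod_proxy65 also listens on TCP 5000 by default, which neither DNS_configuration.md nor these defaults mention; add `proxy65_ports`/interface settings or document that the port must be reachable from clients.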

21
defaults/pubsub.yml Normal file

@ -0,0 +1,21 @@
## PUBSUB
prosody_pubsub_enabled: 'true'
prosody_pubsub:
prosody_pubsub_url: 'pubsub.example.org'
prosody_pubsub_modules:
- name: 'pubsub_feeds'
description: 'This module allows Prosody to fetch Atom and RSS feeds for you'
module_enabled: 'true'
extra_options: ''
feeds:
- 'planet_jabber = "http://planet.jabber.org/atom.xml";'
- 'prosody_blog = "http://blog.prosody.im/feed/atom.xml";'
- name: 'pubsub_text_interface'
description: 'This module lets you manage subscriptions to pubsub nodes via simple chat messages.'
module_enabled: 'true'
- name: 'pubsub_hub'
description: 'This module implements a PubSubHubbub (PuSH) hub'
module_enabled: 'true'
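Review bot: `prosody_pubsub:` is an empty (null) key that nothing reads, while the pubsub template guards on `prosody_pubsub is defined`, which a null value satisfies, so the guard is always true; remove the key or guard on `prosody_pubsub_enabled` instead. Both default feeds are fetched over plain `http://`, so their content can be altered in transit before being republished to subscribers; use `https://`. `pubsub_hub` enabled by default turns the server into a PubSubHubbub hub that makes outbound HTTP requests to subscriber-supplied callback URLs, an abuse and SSRF surface a chat deployment rarely needs; default it to 'false'.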

8
defaults/saslauth.yml Normal file

@ -0,0 +1,8 @@
## SASLAUTH
prosody_saslauth: 'false'
ldap_host: ''
readonly_ldap_dn: ''
readonly_ldap_pw: ''
readonly_ldap_search_base: ''
saslauth_ldap_auth: ''
saslauth_ldap_filter: ''
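Review bot: this file holds a second, independent LDAP credential set (`readonly_ldap_dn`/`readonly_ldap_pw`, consumed by saslauthd) next to the `prosody_ldap_config` block in defaults/vhost.yml (consumed by mod_auth_ldap), and nothing says that `prosody_saslauth: 'true'` is only meaningful together with `auth_method: 'cyrus'`. A comment per file naming the backend it serves would prevent filters and passwords being set in the wrong place, and `readonly_ldap_pw` should be a Vault reference rather than a literal.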

20
defaults/vhost.yml Normal file

@ -0,0 +1,20 @@
## VHOSTS
prosody_vhost:
- name: 'example.org'
enabled: 'true'
carbon_defaults: 'true'
auth_method: 'internal_hashed'
prosody_ldap_config: # Change the folowing only if you chose auth_method: 'ldap'
- ldap_server: "ldap.example.org"
ldap_rootdn: "uid=postfix,ou=services,dc=example,dc=org"
ldap_password: "changeme"
ldap_basedn: "ou=users,dc=example,dc=org"
ldap_filter: ''
ldap_tls: "false"
ldap_mode: "bind"
prosody_cyrus_config: # Change the folowing only if you chose auth_method: 'cyrus'
- cyrus_service_name: "xmpp"
cyrus_server_fqdn: "your_hostname"
cyrus_service_realm: "(auto)"
cyrus_require_provisioning: "false"
cyrus_application_name: "prosody"
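Review bot: `ldap_rootdn: "uid=postfix,..."` reuses the mail server's service account for Prosody; give the XMPP server its own read-only bind DN so a compromise of either service does not expose the other's credential. `ldap_tls: "false"` together with `ldap_mode: "bind"` sends every user's password to the directory in cleartext on each login; default TLS to true or use an `ldaps://` server. `ldap_filter: ''` is not "unset": the vhost template checks `is defined`, so it emits `ldap_filter = ""` and replaces mod_auth_ldap's default `(uid=$user)` with an empty filter; either put the real default here or omit the key. `ldap_password: "changeme"` is another plaintext default credential.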

11
handlers/main.yml Normal file

@ -0,0 +1,11 @@
---
- name: restart prosody
systemd:
name: prosody
state: restarted
- name: restart saslauth
systemd:
name: saslauthd
state: restarted

73
tasks/configure.yml Normal file

@ -0,0 +1,73 @@
---
- name: '[Configure] - Create conf.d dir'
file:
path: /etc/prosody/conf.d
state: directory
- name: '[Configure] - Deploy main Prosody config'
template:
src: etc/prosody/prosody.cfg.lua.j2
dest: /etc/prosody/prosody.cfg.lua
owner: root
group: root
mode: 0644
notify:
restart prosody
- name: '[Configure] - Deploy vhost etc'
template:
src: etc/prosody/conf.d/vhosts.cfg.lua.j2
dest: /etc/prosody/conf.d/{{ item.name }}.cfg.lua
with_items: "{{ prosody_vhost }}"
notify:
restart prosody
- name: '[Configure] - Deploy MUC configuration'
template:
src: etc/prosody/conf.d/muc.cfg.lua.j2
dest: /etc/prosody/conf.d/muc.cfg.lua
when: prosody_muc_enabled == 'true'
notify:
restart prosody
- name: '[Configure] - Deploy BOSH configuration'
template:
src: etc/prosody/conf.d/bosh.cfg.lua.j2
dest: /etc/prosody/conf.d/bosh.cfg.lua
when: prosody_bosh_enabled == 'true'
notify:
restart prosody
- name: '[Configure] - Deploy proxy65'
template:
src: etc/prosody/conf.d/proxy65.cfg.lua.j2
dest: /etc/prosody/conf.d/proxy65.cfg.lua
when: prosody_proxy65_enabled == 'true'
notify:
restart prosody
- name: '[Configure] - Deploy pubsub'
template:
src: etc/prosody/conf.d/pubsub.cfg.lua.j2
dest: /etc/prosody/conf.d/pubsub.cfg.lua
when: prosody_pubsub_enabled == 'true'
notify:
restart prosody
- name: '[Configure] - Deploy http_upload'
template:
src: etc/prosody/conf.d/http_upload.cfg.lua.j2
dest: /etc/prosody/conf.d/http_upload.cfg.lua
when: prosody_http_upload_enabled == 'true'
notify:
restart prosody
- name: '[Configure] - Deploy additional component_ports'
template:
src: etc/prosody/conf.d/custom_component.cfg.lua.j2
dest: '/etc/prosody/conf.d/{{ item.name }}.cfg.lua'
when: prosody_custom_components_enabled == 'true'
with_items: '{{ prosody_custom_components }}'
notify:
restart prosody
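Review bot: every template task after the first is written with no owner/group/mode, so the vhost files (which contain `ldap_password`), the custom component files (`component_secret`) and the rest land as root:root with the default umask, typically world-readable, and the main config is explicitly 0644 although it carries `prosody_sql_passwd`. Prosody only needs group read: deploy them all as `owner: root`, `group: prosody`, `mode: 0640`, and give the conf.d directory an explicit mode too. There is also no removal path: flipping `prosody_muc_enabled`, `prosody_bosh_enabled` and the others back to 'false' skips the template but leaves the previously deployed `muc.cfg.lua` in place, so the component keeps running; add a matching `file: state: absent` task for the disabled case.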

35
tasks/firewall.yml Normal file

@ -0,0 +1,35 @@
---
- name: '[Firewall] - Make sure that script directory exists'
file:
path: "{{ prosody_custom_script_path }}"
state: directory
owner: root
group: prosody
mode: 0755
- name: '[Firewall] - Deploy Firewall scripts'
template:
src: "etc/prosody/custom_scripts/{{ item }}.j2"
dest: "{{ prosody_custom_script_path }}/{{ item }}"
owner: root
group: prosody
mode: 0644
with_items:
- 'servers_blocklist.pfw'
- 'users_blocklist.pfw'
notify:
restart prosody
- name: '[Firewall] - Deploy Firewall lists'
template:
src: "etc/prosody/custom_scripts/{{ item }}.j2"
dest: "{{ prosody_custom_script_path }}/{{ item }}"
owner: root
group: prosody
mode: 0644
with_items:
- 'servers_blocklist.txt'
- 'users_blocklist.txt'
notify:
restart prosody
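Review bot: the two template tasks are identical apart from the item list; fold them into one `with_items` over the four files. Both `.pfw` scripts depend on `spam-blocking.pfw` from the community modules checkout made in tasks/install.yml; a failed or stale clone leaves mod_firewall pointing at a missing file when the handler restarts Prosody, so a `stat` on `{{ prosody_community_modules_path }}/mod_firewall/scripts/spam-blocking.pfw` before notifying the handler would give a clear failure instead of a dead server.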

41
tasks/install.yml Normal file

@ -0,0 +1,41 @@
---
- name: '[APT] - Add repository key'
apt_key:
url: 'https://prosody.im/files/prosody-debian-packages.key'
state: 'present'
- name: '[APT] - Add prosody repository'
apt_repository:
repo: 'deb http://packages.prosody.im/debian {{ ansible_distribution_release }} main'
filename: 'prosody'
state: present
update_cache: 'yes'
- name: '[APT] - Install prosody'
apt:
name:
- 'lua-cyrussasl'
- 'lua-dbi-common'
- 'lua-dbi-mysql'
- 'lua-event'
- 'lua-ldap'
- 'lua-sec'
- 'lua-socket'
- 'lua-zlib'
- 'luarocks'
- 'lua5.2'
- 'mercurial'
- 'prosody-trunk'
- 'prosody-migrator-trunk'
update_cache: yes
cache_valid_time: 3600
state: 'latest'
- name: '[HG] - Clone prosody modules'
hg:
repo: https://hg.prosody.im/prosody-modules/
dest: "{{ prosody_community_modules_path }}"
update: yes
notify:
restart prosody
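Review bot: this pulls two unpinned, moving targets on every run: `prosody-trunk` with `state: 'latest'` upgrades to whatever nightly build the repository currently serves, and the `hg` task with `update: yes` and no `revision:` moves the community modules to tip, so each playbook run can change the server's code without anyone having reviewed it. Pin both (`revision:` on the hg task, `state: present` or an explicit version for the package) and bump them deliberately. The apt key is added to the global trusted keyring with no `keyring:`/`signed-by` scoping, so it may sign packages for any repository on the host, and the repo line uses plain `http://` although the key itself is fetched over HTTPS. `lua-dbi-mysql` is installed but `prosody_sql_driver` defaults to `SQLite3`, which needs `lua-dbi-sqlite3`; install the driver that matches the default, or both.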

15
tasks/main.yml Normal file

@ -0,0 +1,15 @@
---
- name: Include install
include: install.yml
- name: Include config
include: configure.yml
- name: Include Firewall
include: firewall.yml
when: firewall_module_enabled == 'true'
- name: include saslauth
include: saslauthd.yml
when: prosody_saslauth == 'true'
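Review bot: bare `include:` has been deprecated since Ansible 2.4 in favour of `import_tasks`/`include_tasks`; use `include_tasks` here so the `when:` conditions on the firewall and saslauth includes keep their dynamic, evaluated-once semantics. The ordering also deserves a comment: configure.yml writes a config that references the firewall scripts before firewall.yml creates them, which only works because the `restart prosody` handler runs at the end of the play.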

48
tasks/saslauthd.yml Normal file

@ -0,0 +1,48 @@
---
- name: '[Saslauth] - Install pkg'
apt:
name:
- 'sasl2-bin'
- 'libsasl2-modules-ldap'
- 'libsasl2-modules-db'
- 'libsasl2-modules'
- 'libsasl2-2'
- 'libauthen-sasl-perl'
update_cache: yes
cache_valid_time: 3600
- name: '[Saslauth] - Create dir'
file:
path: /etc/sasl
state: directory
- name: '[Saslauth] - Deploy configs'
template:
src: etc/saslauthd.conf.j2
dest: /etc/saslauthd.conf
owner: root
group: sasl
mode: 0644
notify:
restart saslauth
- name: '[Saslauth] - Deploy configs'
template:
src: etc/sasl/prosody.conf.j2
dest: /etc/sasl/prosody.conf
owner: root
group: sasl
mode: 0644
notify:
restart saslauth
- name: '[Saslauth] - Deploy saslauthd'
template:
src: etc/default/saslauthd.j2
dest: /etc/default/saslauthd
owner: root
group: root
mode: 0644
notify:
restart saslauth
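Review bot: `/etc/saslauthd.conf` is deployed as root:sasl mode 0644 and carries the LDAP bind password (`readonly_ldap_pw`), so every local account can read it; saslauthd runs as root, so `owner: root`, `group: root`, `mode: 0600` is sufficient. Two tasks share the name '[Saslauth] - Deploy configs', which makes play output and `--start-at-task` ambiguous. Two things are still missing for the cyrus path to work: the `prosody` user must be added to the `sasl` group to open the saslauthd mux socket, and `/etc/sasl/prosody.conf` is outside the Cyrus SASL config search path on Debian (`/etc/sasl2/`); verify where lua-cyrussasl actually looks before relying on that location.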


@ -0,0 +1,63 @@
#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#
# Should saslauthd run automatically on startup? (default: no)
START=yes
# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"
# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"
# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam -- use PAM
# rimap -- use a remote IMAP server
# shadow -- use the local shadow password file
# sasldb -- use the local sasldb database file
# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="ldap"
# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS="/etc/saslauthd.conf"
# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5
# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
#
# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
# then your Postfix is running in a chroot.
# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
# running in a chroot.
OPTIONS="-c -m /var/run/saslauthd"
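Review bot: this is Debian's stock `/etc/default/saslauthd` with only `START=yes` and `MECHANISMS="ldap"` changed; it uses no variables and, unlike the other templates, has no `{{ ansible_managed }}` header, so an operator editing it by hand has no hint that Ansible owns it. `OPTIONS="-c -m /var/run/saslauthd"` keeps `-c` (credential cache) on, meaning a password changed or revoked in LDAP keeps working until the cached entry expires; either drop `-c` or document the lag where account lockout is expected to be immediate.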


@ -0,0 +1,12 @@
-- {{ ansible_managed }}
--BOSH setting
bosh_ports = { {{ prosody_bosh_ports }} }
bosh_max_inactivity = {{ prosody_bosh_max_inactivity }}
consider_bosh_secure = {{ prosody_bosh_secure }} -- Use if proxying HTTPS->HTTP on the server side
cross_domain_bosh = {{ prosody_bosh_cross_domain }} -- Allow access from scripts on any site with no proxy (requires a modern browser)
ssl = {
key = "{{ prosody_ssl_key }}";
certificate = "{{ prosody_ssl_cert }}";
}
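Review bot: `bosh_ports` has had no effect since Prosody 0.9; BOSH is served by mod_http on `http_ports`/`https_ports` (5280/5281 by default), so this line should set those or go. The `ssl = {}` table at the bottom is written at global scope with the placeholder paths from defaults/bosh.yml, which overrides certificate lookup for every host and HTTPS listener with `/path/to/key`; tie it to `prosody_certificates` like the component templates or drop it. `consider_bosh_secure = true` and `cross_domain_bosh = true` as defaults declare plaintext BOSH secure and open it to every origin, which is only appropriate behind a TLS-terminating proxy that also owns the CORS policy.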


@ -0,0 +1,12 @@
-- {{ ansible_managed }}
Component "{{ item.name }}"
component_secret = "{{ item.secret }}"
{% if item.ssl %}
-- SSL Settings
ssl = {
key = "/etc/prosody/{{ prosody_certificates }}/{{ item.name }}/privkey.pem";
certificate = "/etc/prosody/{{ prosody_certificates }}/{{ item.name }}/fullchain.pem";
}
{% endif %}


@ -0,0 +1,10 @@
-- {{ ansible_managed }}
-- Component config for http_upload
Component "{{ prosody_http_upload_component }}" "http_upload"
http_host = "{{ prosody_http_host }}"
http_upload_file_size_limit = {{ prosody_http_upload_file_size_limit }} -- 10MB
http_upload_expire_after = {{ prosody_http_upload_expire_after }} -- 6 month in seconds
http_upload_path = {{ prosody_http_upload_path }}
http_upload_quota = {{ prosody_http_upload_quota }}
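Review bot: `http_upload_path = {{ prosody_http_upload_path }}` is unquoted, so a plain path value produces `http_upload_path = /srv/prosody/files`, a Lua syntax error that stops Prosody loading its config; quote it like the `Component` line. The trailing comments `-- 10MB` and `-- 6 month in seconds` are hard-coded beside values that are variables and become wrong the moment someone changes them. `http_host = "{{ prosody_http_host }}"` inside the component serves uploads under the main domain's HTTP host rather than the component name; that is a legitimate choice but should be stated in defaults/http_upload.yml.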


@ -0,0 +1,36 @@
-- {{ ansible_managed }}
-----Set up a MUC (multi-user chat) room server on conference.example.com:
{% if prosody_muc is defined %}
{% for item in prosody_muc %}
Component "{{ item.url }}" "muc"
name = "{{ item.name }}"
restrict_room_creation = {{ item.restrict }}
modules_enabled = {
{% for item in prosody_muc_modules %}
{% if item.module_enabled == 'true' %}
"{{ item.name }}"; -- {{ item.description }}
{% endif %}
{% endfor %}
};
-- Additional module Settings
{% for module in prosody_muc_modules %}
{% if module.extra_options is defined and module.module_enabled == 'true' %}
-- {{ module.name }}
{% for item in module.extra_options %}
{{ item }}
{% endfor %}
{% endif %}
{% endfor %}
-- SSL Settings
ssl = {
key = "/etc/prosody/{{ prosody_certificates }}/{{ item.url }}/privkey.pem";
certificate = "/etc/prosody/{{ prosody_certificates }}/{{ item.url }}/fullchain.pem";
}
{% endfor %}
{% endif %}
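Review bot: the inner `{% for item in prosody_muc_modules %}` reuses the outer loop variable `item`; Jinja restores the outer `item` after the inner loop, so `{{ item.url }}` in the ssl block still works, but the shadowing is a trap for the next edit. Rename the inner variable to `module`, as the second loop already does. `restrict_room_creation = {{ item.restrict }}` is unquoted, which is right for `true`/`false` but breaks as soon as an operator sets Prosody's documented `"local"` value; add a quoting branch for the string case. The header comment still says `conference.example.com` while the default is `chat.example.org`.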


@ -0,0 +1,12 @@
-- {{ ansible_managed }}
-- Component config for SOCKS proxy
Component "{{ prosody_proxy65_url }}" "proxy65"
proxy65_address = "{{ prosody_proxy65_address }}"
proxy65_acl = { "{{ prosody_proxy65_acl }}" }
-- SSL Settings
ssl = {
key = "/etc/prosody/{{ prosody_certificates }}/{{ prosody_proxy65_url }}/privkey.pem";
certificate = "/etc/prosody/{{ prosody_certificates }}/{{ prosody_proxy65_url }}/fullchain.pem";
}
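Review bot: `proxy65_acl = { "{{ prosody_proxy65_acl }}" }` hard-wires a single entry, so a deployment with several vhosts (which defaults/vhost.yml supports) cannot allow them all; make `prosody_proxy65_acl` a list and loop over it. The ssl block uses `prosody_proxy65_url` as the certificate directory, so the proxy hostname needs its own `/etc/prosody/certs/<name>/` pair; that belongs in the DNS and certificate docs.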


@ -0,0 +1,38 @@
-- {{ ansible_managed }}
-- Set up PubSub
{% if prosody_pubsub is defined %}
Component "{{ prosody_pubsub_url }}" "pubsub"
modules_enabled = {
{% for item in prosody_pubsub_modules %}
{% if item.module_enabled == 'true' %}
"{{ item.name }}"; -- {{ item.description }}
{% endif %}
{% endfor %}
}
-- Additional module Settings
{% for module in prosody_pubsub_modules %}
{% if module.extra_options is defined and module.module_enabled == 'true' %}
-- {{ module.name }}
{% if module.name == 'pubsub_feeds' %}
feed = {
{% for item in module.feeds %}
{{ item }}
{% endfor %}
}
{% endif %}
{% for item in module.extra_options %}
{{ item }}
{% endfor %}
{% endif %}
{% endfor %}
{% endif %}
-- SSL Settings
ssl = {
key = "/etc/prosody/{{ prosody_certificates }}/{{ prosody_pubsub_url }}/privkey.pem";
certificate = "/etc/prosody/{{ prosody_certificates }}/{{ prosody_pubsub_url }}/fullchain.pem";
}
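Review bot: the feed table is emitted as `feed = {`, but mod_pubsub_feeds reads the option `feeds`, so the configured feeds are ignored and the module falls back to its built-in defaults; rename the key. The `ssl = {}` block sits after the closing `{% endif %}`, outside the `prosody_pubsub is defined` guard, so when pubsub is not configured the file still references `prosody_pubsub_url` and either fails to render or writes a dangling ssl table; move it inside the guard. Minor: `modules_enabled = { ... }` lacks the trailing `;` the MUC template uses, harmless in Lua but inconsistent.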


@ -0,0 +1,34 @@
----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
-- Settings under each VirtualHost entry apply *only* to that host.
VirtualHost "{{ item.name }}"
enabled = {{ item.enabled }}
carbon_copies_default = {{ item.carbon_defaults }}
authentication = "{{ item.auth_method }}"
{% if item.auth_method == 'cyrus' %}
--Cyrus config
{% for option in item.prosody_cyrus_config %}
cyrus_service_name = "{{ option.cyrus_service_name }}"
cyrus_server_fqdn = "{{ option.cyrus_server_fqdn }}"
cyrus_service_realm = "{{ option.cyrus_service_realm }}"
cyrus_require_provisioning = "{{ option.cyrus_require_provisioning }}"
cyrus_application_name = "{{ option.cyrus_application_name }}"
{% endfor %}
{% endif %}
{% if item.auth_method == 'ldap' %}
--LDAP config
{% for option in item.prosody_ldap_config %}
ldap_server = "{{ option.ldap_server }}"
ldap_rootdn = "{{ option.ldap_rootdn }}"
ldap_password = "{{ option.ldap_password }}"
ldap_base = "{{ option.ldap_basedn }}"
{% if option.ldap_filter is defined %}
ldap_filter = "{{ option.ldap_filter }}"
{% endif %}
ldap_tls = "{{ option.ldap_tls }}"
ldap_mode = "{{ option.ldap_mode }}"
{% endfor %}
{% endif %}
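Review bot: `ldap_password = "{{ option.ldap_password }}"` writes the LDAP bind secret into the rendered VirtualHost file in clear text, so the task that renders this template should set a restrictive mode (for example `0640`, owned by root with the prosody group) and the variable should come from a vaulted vars file; the template cannot enforce that, but a comment here pointing at it would help the next maintainer. Also, both the cyrus and ldap blocks are `{% for option in ... %}` loops that emit the same option names on every pass, so a list with more than one entry would silently let the last entry win; if exactly one entry is intended, a dict instead of a list would make that explicit.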


@ -0,0 +1,13 @@
# This script depends on spam-blocking.pfw also being loaded
# Any traffic that is not explicitly blocked or allowed by other
# rules will be checked against the blocklist.txt file
# Check mod_firewall/scripts/spam-blocking.pfw
%LIST blocklist: file:{{ prosody_custom_script_path }}/servers_blocklist.txt
::user/spam_handle_unknown_custom
# replace the above line by ::deliver if not using spam-blocking.
CHECK LIST: blocklist contains $<@from|host>
BOUNCE=policy-violation (Your server is blocked due to spam)
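Review bot: the comment on lines 2-3 refers to `blocklist.txt`, but the list actually loaded here is `servers_blocklist.txt`; keeping the comment in sync avoids confusion once both the servers and users scripts are loaded. Also note that `BOUNCE=policy-violation` tells the blocked sender it has been blocked; if that feedback is not wanted, mod_firewall's `DROP.` action discards the stanza silently.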


@ -0,0 +1,4 @@
# Just list the servers you want to block, one server per line.
{% for item in firewall_servers_blocked %}
{{ item }}
{% endfor %}


@ -0,0 +1,13 @@
# This script depends on spam-blocking.pfw also being loaded
# Any traffic that is not explicitly blocked or allowed by other
# rules will be checked against the blocklist.txt file
# Check mod_firewall/scripts/spam-blocking.pfw
%LIST blocklist: file:{{ prosody_custom_script_path }}/users_blocklist.txt
::user/spam_handle_unknown_custom
# replace the above line by ::deliver if not using spam-blocking.
CHECK LIST: blocklist contains $<@from|bare>
BOUNCE=policy-violation (Your server is blocked due to spam)
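Review bot: the bounce text `Your server is blocked due to spam` is copied from the servers script, but this rule matches `$<@from|bare>`, that is an individual account, so the message should say the sender rather than their server is blocked; likewise the comment on lines 2-3 should name `users_blocklist.txt`, the file this script loads.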


@ -0,0 +1,4 @@
# Just list the users you want to block, one user per line.
{% for item in firewall_servers_blocked %}
{{ item }}
{% endfor %}
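Review bot: this template iterates `firewall_servers_blocked`, the same variable as the servers blocklist, so the users list is filled with server names and the bare-JID check in the users firewall script can never match an account; it needs its own variable (for example a `firewall_users_blocked` list, a name suggested here, not one the role defines) so the two lists are populated independently.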


@ -0,0 +1,191 @@
-- {{ ansible_managed }}
-- Prosody Example Configuration File
--
-- Information on configuring Prosody can be found on our
-- website at http://prosody.im/doc/configure
--
-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running this command:
-- prosodyctl check config
-- If there are any errors, it will let you know what and where
-- they are, otherwise it will keep quiet.
--
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
-- blanks. Good luck, and happy Jabbering!
---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts
-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see http://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { {{ prosody_admins }} }
{% for item in prosody_modules %}
{% if item.name == 'server_contact_info' %}
{% if item.module_enabled == 'false' %}
contact_info = { {{ prosody_contact_info }} }
{% endif %}
{% endif %}
{% endfor %}
http_host = "{{ prosody_http_host }}"
http_external_url = "{{ prosody_http_external_url }}"
-- Enable use of libevent for better performance under high load
-- For more information see: http://prosody.im/doc/libevent
network_backend = "{{ prosody_network_backend }}"
-- Prosody will always look in its source directory for modules, but
-- this option allows you to specify additional locations where Prosody
-- will look for modules first. For community modules, see https://modules.prosody.im/
plugin_paths = { "{{ prosody_core_modules_path }}","{{ prosody_community_modules_path }}" }
-- Single directory for custom prosody plugins and/or Lua libraries installation
-- This path takes priority over plugin_paths, when prosody is searching for modules
installer_plugin_path = "{{ prosody_custom_script_path }}"
-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
modules_enabled = {
{% for item in prosody_modules %}
{% if item.module_enabled == 'true' %}
"{{ item.name }}"; -- {{ item.description }}
{% endif %}
{% endfor %}
};
-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
modules_disabled = {
{% for item in prosody_modules %}
{% if item.module_enabled == 'false' %}
"{{ item.name }}"; -- {{ item.description }}
{% endif %}
{% endfor %}
};
-- Disable account creation by default, for security
-- For more information see http://prosody.im/doc/creating_accounts
allow_registration = {{ prosody_allow_registration }};
-- Debian:
-- Please, don't change this option since /var/run/prosody/
-- is one of the few directories Prosody is allowed to write to
-- Required for init scripts and prosodyctl
pidfile = "/var/run/prosody/prosody.pid";
-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
c2s_require_encryption = {{ prosody_c2s_encryption }}
-- Force servers to use encrypted connections? This option will
-- prevent servers from authenticating unless they are using encryption.
s2s_require_encryption = {{ prosody_s2s_encryption }}
-- Force certificate authentication for server-to-server connections?
s2s_secure_auth = {{ prosody_s2s_auth }}
-- Some servers have invalid or self-signed certificates. You can list
-- remote domains here that will not be required to authenticate using
-- certificates. They will be authenticated using DNS instead, even
-- when s2s_secure_auth is enabled.
{% if prosody_insecure_domains is defined %}
s2s_insecure_domains = { "{{ prosody_insecure_domains }}" }
{% endif %}
-- Even if you leave s2s_secure_auth disabled, you can still require valid
-- certificates for some domains by specifying a list here.
--s2s_secure_domains = { "{{ prosody_secure_domains }}" }
s2s_stanza_size_limit = {{ prosody_stanza_size_limit }} -- 512 * 1000 -- 512kb
-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See http://prosody.im/doc/storage for more info.
--storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the
-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work)
storage = "{{ prosody_storage }}"
{% if prosody_storage == 'sql' %}
-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
{% if prosody_sql_driver == 'SQLite3' %}
sql = { driver = "{{ prosody_sql_driver }}", database = "{{ prosody_sql_databasename }}" }
{% else %}
sql = { driver = "{{ prosody_sql_driver }}", database = "{{ prosody_sql_databasename }}", username = "{{ prosody_sql_username }}", password = "{{ prosody_sql_passwd }}", host = "{{ prosody_sql_host }}" }
{% endif %}
{% endif %}
-- You can also configure messages to be stored in-memory only. For more
-- archiving options, see https://prosody.im/doc/modules/mod_mam
-- Logging configuration
-- For advanced logging see http://prosody.im/doc/logging
log = {
-- Log files (change 'info' to 'debug' for debug logs):
{{ prosody_loglevel }} = "{{ prosody_log_path }}"; -- Change 'info' to 'debug' for verbose logging
error = "{{ prosody_err_log }}";
-- "*syslog"; -- Uncomment this for logging to syslog
-- "*console"; -- Log to the console, useful for debugging with daemonize=false
}
-- Uncomment to enable statistics
-- For more info see https://prosody.im/doc/statistics
{% if prosody_statistics|length %}
statistics = "{{ prosody_statistics }}"
{% else %}
-- statistics = "internal"
{% endif %}
-- Certificates
-- Every virtual host and component needs a certificate so that clients and
-- servers can securely verify its identity. Prosody will automatically load
-- certificates/keys from the directory specified here.
-- For more information, including how to use 'prosodyctl' to auto-import certificates
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
-- Location of directory to find certificates in (relative to main config file):
certificates = "{{ prosody_certificates }}"
-- HTTPS currently only supports a single certificate, specify it here:
--https_certificate = "certs/localhost.crt"
{% if prosody_component_interface is defined %}
{% for item in prosody_component_interface %}
-- Prosody external component ports
component_ports = { {{ item.component_ports }} }
component_interface = "{{ item.component_interface }}"
{% endfor %}
{% endif %}
-- Additional module Settings
{% for module in prosody_modules %}
{% if module.extra_options is defined and module.module_enabled == 'true' %}
-- {{ module.name }}
{% for item in module.extra_options %}
{{ item }}
{% endfor %}
{% endif %}
{% endfor %}
--
Include "conf.d/*.cfg.lua"
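Review bot: the `contact_info` block (the `{% for item in prosody_modules %}` loop near the top) only emits `contact_info` when `server_contact_info` has `module_enabled == 'false'`, which is inverted: that option is read by mod_server_contact_info, so it should be written when the module is enabled (`'true'`), otherwise the configured contact addresses are silently absent. Two smaller points: `s2s_insecure_domains = { "{{ prosody_insecure_domains }}" }` quotes the whole variable as one string, so only a single domain can be exempted from certificate authentication and a list would render as one invalid entry; and the `sql = { ... password = "{{ prosody_sql_passwd }}" ... }` line puts the database password into the rendered config, so the file mode set by the task that deploys prosody.cfg.lua matters here too.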


@ -0,0 +1,3 @@
pwcheck_method: saslauthd
mech_list: PLAIN
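Review bot: `mech_list: PLAIN` means the client's password reaches saslauthd in clear text inside the XMPP stream, which is only acceptable when Prosody refuses unencrypted client sessions; since `c2s_require_encryption` is templated from `prosody_c2s_encryption` in prosody.cfg.lua rather than fixed to true, a comment here (or a default of `true` for that variable) should record that this SASL setup depends on it.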


@ -0,0 +1,8 @@
ldap_servers: {{ ldap_host }}
ldap_bind_dn: {{ readonly_ldap_dn }}
ldap_bind_pw: {{ readonly_ldap_pw }}
ldap_search_base: {{ readonly_ldap_search_base }}
ldap_auth_method: {{ saslauth_ldap_auth }}
ldap_use_sasl: no
ldap_start_tls: no
ldap_filter: {{ saslauth_ldap_filter }}
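Review bot: `ldap_use_sasl: no` and `ldap_start_tls: no` are hardcoded, so unless `ldap_host` is an `ldaps://` URI every authenticating user's password and the `ldap_bind_pw` travel to the LDAP server unencrypted; either template `ldap_start_tls` from a variable that defaults to `yes`, or document that `ldap_host` must be an `ldaps://` URI. Because the file also carries `ldap_bind_pw`, it should be rendered with a restrictive mode.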