Migration commit; fresh start
This commit is contained in:
parent
54b69b6008
commit
e432dedde4
39 changed files with 1234 additions and 3 deletions
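--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+.vagrant
+.vagrant/*
+*log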
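--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -0,0 +1,3 @@
+# Prosody role - Changelog
+
+- 14.02.2021 - Public release of this role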
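--- a/DNS_configuration.md
+++ b/DNS_configuration.md
@@ -0,0 +1,26 @@
+# DNS Configuration
+
+It is important that you carefully read [https://prosody.im/doc/dns](https://prosody.im/doc/dns) to set up your server DNS.
+
+Go on your DNS provider, and set your DNS records like this:
+
+_xmpp-client._tcp.server.org. 18000 SRV 0 5 5222 xmpp.server.org.
+_xmpp-server._tcp.server.org. 18000 SRV 0 5 5269 xmpp.server.org.
+_xmpps-client._tcp.server.org. 18000 SRV 0 5 5223 xmpp.server.org.
+server.org. 3600 A YOUR_IP_ADDRESS
+www.server.org. 3600 A YOUR_IP_ADDRESS
+muc.server.org. 3600 A YOUR_IP_ADDRESS
+pub.server.org. 3600 A YOUR_IP_ADDRESS
+proxy.server.org. 3600 A YOUR_IP_ADDRESS
+
+Where:
+- **YOUR_IP_ADDRESS** is your server IP address, something in this form 51.25.62.125
+- **server.org** is your domain
+- **xmpp.server.org** is your xmpp target domain
+- **3600**, **18000** are the TTL (time-to-live)
+- **0** is the priority
+- **5** is the weight
+- **5222**, **5269**, **5223** are the ports the services are running on, clients will typically connect to 5222, and servers to 5269.
+- **muc** is the name you set for your muc server
+- **pub** is the name you set for your pubsub server
+- **proxy** is the name you set for your proxy server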
2
LICENSE
2
LICENSE
|
@ -1,4 +1,4 @@
|
|||
MIT License Copyright (c) <year> <copyright holders>
|
||||
MIT License Copyright (c) 2021 "Stichting Disroot.org"
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
|
|
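--- a/Playbooks/prosody.yml
+++ b/Playbooks/prosody.yml
@@ -0,0 +1,17 @@
+---
+
+- hosts: prosody
+roles:
+- prosody
+
+vars_files:
+- ../defaults/main.yml
+- ../defaults/bosh.yml
+- ../defaults/custom_components.yml
+- ../defaults/saslauth.yml
+- ../defaults/mod.yml
+- ../defaults/muc.yml
+- ../defaults/proxy.yml
+- ../defaults/pubsub.yml
+- ../defaults/http_upload.yml
+- ../defaults/vhost.yml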
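Review bot: Loading the role's `defaults/*.yml` through `vars_files` lifts them from role-default precedence to play-variable precedence, so inventory `group_vars`/`host_vars` can no longer override any of these values — including `prosody_sql_passwd` and `ldap_password`, which are exactly the ones a deployment must change. The list exists presumably because a role only auto-loads `defaults/main.yml`; recent Ansible also loads every file in a `defaults/main/` directory, which would let the ten files stay split while keeping default precedence, leaving `vars_files` for a site-specific override file. A short comment on the `vars_files:` line recording this precedence trade-off would help whoever adopts the playbook.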
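--- a/README.MD
+++ b/README.MD
@@ -0,0 +1,25 @@
+# Prosody - Ansible Role
+This role deploys [prosody](https://prosody.im) XMPP server with all needed dependencies and prosody community modules.
+
+You can deploy a test instance using `Vagrantfile` attached to the role. This role is released under MIT Licence. We do not give no warranty for this software.
+
+# Run in production
+To run this role in production, do not forget to set your DNS as explained [here](./DNS_configuration.md) and to change all vars from files in `default/` to what you need.
+
+The role's defaults should be already dpeloying fully funcitonal and modern XMPP Server. It allows to add/remove any additional module (whether core or community).
+
+# Run test in Vagrant
+To have it work using vagrant:
+- `cd prosody` where `prosody`is the name of this repo.
+- `vagrant up` to build up the Virtual Environment.
+- and `ansible-playbook -b Playbooks/prosody.yml` to deploy Prosody on the Virtual Environment.
+
+# Setup turnserver for viop
+If you want to use viop, you need to set `turncredentials` to `true` in `default/mod.yml`. This feature depends on a third party service that needs to be installed seperatelly: coturn. To see how to set it, check [Prosody's documentation](https://prosody.im/doc/coturn)
+
+# Add LDAP authentication and vhosts
+To add LDAP authentication, edit `defaults/vhost.yml`, change `auth_method` from `internal_hashed` to `ldap` and change the LDAP vars in `prosody_ldap_config`.
+
+This role supports multiple vhosts.
+
+
@@ -1,2 +0,0 @@
-# prosody
-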
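--- a/Vagrantfile
+++ b/Vagrantfile
@@ -0,0 +1,20 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+#config.ssh.insert_key = false
+config.vm.define "prosody" do |prosody|
+prosody.vm.box = "generic/debian10"
+prosody.vm.provider :libvirt do |libvirt|
+libvirt.memory = 256
+end
+prosody.vm.network "forwarded_port", guest: 80, host: 8884, host_ip: "192.168.33.5"
+prosody.vm.network "forwarded_port", guest: 443, host: 4444, host_ip: "192.168.33.5"
+prosody.vm.network "forwarded_port", guest: 8080, host: 8081, host_ip: "192.168.33.5"
+prosody.vm.network "private_network", ip: "192.168.33.5"
+end
+end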
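--- a/defaults/bosh.yml
+++ b/defaults/bosh.yml
@@ -0,0 +1,8 @@
+## BOSH
+prosody_bosh_enabled: 'true' # used in configure.yml
+prosody_bosh_ports: '5281, 5280 '
+prosody_bosh_max_inactivity: '60'
+prosody_bosh_secure: 'true'
+prosody_bosh_cross_domain: 'true'
+prosody_ssl_key: '/path/to/key'
+prosody_ssl_cert: '/path/to/cert'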
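Review bot: `prosody_bosh_cross_domain: 'true'` makes the BOSH endpoint answer cross-origin requests from any web origin by default, a permissive choice next to the otherwise conservative defaults (`prosody_allow_registration: 'false'` in `defaults/main.yml`); a comment such as `# 'true' allows any web origin to use BOSH; restrict to your webchat origin in production` would make the trade-off visible to operators. `prosody_bosh_ports: '5281, 5280 '` carries a trailing space inside the quoted value — `'5281, 5280'` (or a YAML list, if the template iterates) avoids surprising whatever renders it.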
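--- a/defaults/custom_components.yml
+++ b/defaults/custom_components.yml
@@ -0,0 +1,7 @@
+# prosody_custom_components
+prosody_custom_components_enabled: 'false'
+
+prosody_custom_components:
+- name: "component.example.org"
+secret: "changeme"
+ssl: false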
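Review bot: `secret: "changeme"` ships a placeholder component secret in the defaults, and the same pattern recurs in `defaults/main.yml` (`prosody_sql_passwd: 'changeme'`) and `defaults/vhost.yml` (`ldap_password: "changeme"`). Because `Playbooks/prosody.yml` loads these files via `vars_files`, a forgotten placeholder is rendered into the server config without any warning. A comment beside each value, e.g. `# placeholder, must be replaced (ideally from an ansible-vault variable)`, or an `assert` in `tasks/configure.yml` such as `that: item.secret != 'changeme'` over `prosody_custom_components` when the feature is enabled, would keep a default secret from reaching a host.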
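--- a/defaults/http_upload.yml
+++ b/defaults/http_upload.yml
@@ -0,0 +1,8 @@
+## http_upload
+prosody_http_upload_enabled: 'false'
+
+# prosody_http_upload_component: upload.example.org
+# prosody_http_upload_file_size_limit = 10485760 -- 10MB
+# prosody_http_upload_expire_after = 15780000 -- 6 month in seconds
+# prosody_http_upload_path = "/srv/prosody/files"
+# prosody_http_upload_quota = 1234 --bytes, maximum size of all uploaded files per user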
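Review bot: The commented-out settings are written in Lua syntax (`prosody_http_upload_file_size_limit = 10485760 -- 10MB`) inside a YAML file, so uncommenting them as they stand would not parse; `# prosody_http_upload_file_size_limit: 10485760  # 10MB` matches the form of the first line (`# prosody_http_upload_component: upload.example.org`). Separately, `prosody_http_upload_enabled: 'false'` here while `defaults/mod.yml` lists `http_upload` with `module_enabled: 'true'` looks inconsistent — the module is loaded globally but `tasks/configure.yml` skips `http_upload.cfg.lua`; confirm which is intended and note it here.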
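--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,56 @@
+---
+container_distribution: 'stretch'
+backports_uri: http://ftp.nl.debian.org/debian/
+backports_components: "{{ container_distribution }}-backports main contrib non-free"
+
+prosody_admins: "'admin@example.org'"
+prosody_contact_info: "'support@example.org'"
+prosody_abuse_info: "'abuse@example.org'"
+prosody_core_modules_path: "/usr/lib/prosody/modules/"
+prosody_community_modules_path: "/usr/lib/prosody-modules"
+prosody_custom_script_path: '/etc/prosody/custom_scripts'
+prosody_statistics: ''
+
+firewall_module_enabled: 'true'
+
+## Firewall: list here what you want to block
+firewall_servers_blocked:
+- server1.org
+- server2.org
+
+firewall_users_blocked:
+- user@server.org
+- user2@server.org
+
+
+#PROSODY CONFIG
+prosody_allow_registration: 'false'
+prosody_certificates: 'certs'
+server_name: 'example.org'
+prosody_c2s_encryption: 'true'
+prosody_s2s_auth: 'false'
+prosody_s2s_encryption: 'true'
+prosody_insecure_domains: 'server_insecure_address.com'
+prosody_secure_domains: 'server_secure_address.com'
+prosody_stanza_size_limit: '10000000'
+prosody_storage: 'internal'
+prosody_network_backend: "epoll"
+prosody_http_host: "example.org"
+prosody_http_external_url: "https://example.org"
+
+#If using sql storage
+prosody_sql_driver: 'SQLite3'
+prosody_sql_databasename: 'prosody'
+prosody_sql_username: 'admin'
+prosody_sql_passwd: 'changeme'
+prosody_sql_host: 'localhost'
+
+prosody_loglevel: 'info'
+prosody_log_path: '/var/log/prosody/prosody.log'
+prosody_err_log: '/var/log/prosody/prosody.err'
+
+#PROSODY EXTERNAL COMPONENT
+## uncomment if you want component to listen on external interface
+#prosody_external_interface:
+# - component_ports: '5347'
+# component_interface: 'example.org'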
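Review bot: `container_distribution: 'stretch'` hardcodes Debian 9 for the backports source, while `tasks/install.yml` derives the Prosody repository from `ansible_distribution_release` and the Vagrantfile boots `generic/debian10`, so wherever `backports_components` is rendered it would name the wrong release on the role's own test box; `container_distribution: "{{ ansible_distribution_release }}"` keeps the two in step. The address defaults embed Lua quoting (`prosody_admins: "'admin@example.org'"`), which is fragile: `defaults/mod.yml` interpolates the same variable inside an already double-quoted Lua string (`"mailto:{{ prosody_admins }}"`), yielding `"mailto:'admin@example.org'"`. Keeping bare addresses here and quoting at the template site avoids that, and a comment on `prosody_sql_passwd` marking it as a placeholder to be replaced (e.g. from an ansible-vault variable) would stop the default credential being deployed unnoticed.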
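--- a/defaults/mod.yml
+++ b/defaults/mod.yml
@@ -0,0 +1,276 @@
+prosody_modules:
+- name: 'roster'
+description: 'Allow users to have a roster.'
+module_enabled: 'true'
+
+- name: 'saslauth'
+description: 'Authentication for clients and servers. Recommended if you want to log in.'
+module_enabled: 'true'
+
+- name: 'tls'
+description: 'Add support for secure TLS on c2s/s2s connections'
+module_enabled: 'true'
+
+- name: 'dialback'
+description: 's2s dialback support'
+module_enabled: 'true'
+
+- name: 'compat_dialback'
+description: 'This module provides a workaround for servers that do not set the to attribute on stream headers, which is required per RFC6120'
+module_enabled: 'true'
+
+- name: 'disco'
+description: 'Service discovery'
+module_enabled: 'true'
+
+- name: 'private'
+description: 'Private XML storage'
+module_enabled: 'true'
+
+- name: 'vcard4'
+description: 'User profiles (stored in PEP)'
+module_enabled: 'true'
+
+- name: 'vcard_legacy'
+description: 'Conversion between legacy vCard and PEP Avatar'
+module_enabled: 'true'
+
+- name: 'version'
+description: 'Replies to server version requests'
+module_enabled: 'true'
+
+- name: 'uptime'
+description: 'Report how long server has been running'
+module_enabled: 'true'
+
+- name: 'time'
+description: 'Let others know the time here on this server'
+module_enabled: 'true'
+
+- name: 'ping'
+description: 'Replies to XMPP pings with pongs'
+module_enabled: 'true'
+
+- name: 'pep'
+description: 'Enables users to publish their mood, activity, playing music and more'
+module_enabled: 'true'
+
+- name: 'carbons'
+description: 'Keep multiple clients in sync'
+module_enabled: 'true'
+
+- name: 'register'
+description: 'Allow users to register on this server using a client and change passwords'
+module_enabled: 'false'
+
+- name: 'carbons_adhoc' # not sure it is needed Zash says if you dont knwo what it is probably you dont need it
+description: 'carbons for legacy clients'
+module_enabled: 'false'
+
+- name: 'carbons_copies' # not sure it is needed Zash says if you dont knwo what it is probably you dont need it
+description: 'carbons for legacy clients'
+module_enabled: 'false'
+
+- name: 'smacks'
+description: 'Allows to resume a disconnected session and prevents message loss'
+module_enabled: 'true'
+
+- name: 'default_bookmarks'
+description: 'Add a default bookmarks to new users'
+module_enabled: 'true'
+extra_options:
+- 'default_bookmarks = { jid = "room@muc.server.com", name = "Shared room" };'
+
+- name: 'cloud_notify'
+description: 'Allows clients to register an “app server”.'
+module_enabled: 'true'
+extra_options:
+- 'push_notification_important_body = "Important message";'
+- 'push_notification_with_body = false -- Whether or not to send the message body to remote pubsub node'
+- 'push_notification_with_sender = false -- Whether or not to send the message sender to remote pubsub node'
+- 'push_max_errors = 5 -- persistent push errors are tolerated before notifications for the identifier in question are disabled'
+- 'push_max_devices = 3 -- number of allowed devices per user'
+
+- name: 'csi'
+description: 'Implements Client State Indication'
+module_enabled: 'true'
+
+- name: 'csi_simple'
+description: 'Buffer unimportant traffic to inactive devices'
+module_enabled: 'true'
+
+- name: 'throttle_presence'
+description: 'Cuts down on presence traffic when clients indicate they are inactive'
+module_enabled: 'false'
+
+- name: 'filter_chatstates'
+description: 'https://modules.prosody.im/mod_filter_chatstates.html'
+module_enabled: 'true'
+
+- name: 'admin_adhoc'
+description: 'Allows administration via an XMPP client that supports ad-hoc commands'
+module_enabled: 'true'
+
+- name: 'bosh'
+description: 'Enable BOSH clients'
+module_enabled: 'true'
+
+- name: 'websocket'
+description: 'Supports for XMPP connections over Websockets'
+module_enabled: 'true'
+extra_options:
+- 'consider_websocket_secure = true'
+- 'cross_domain_websocket = true'
+
+- name: 'posix'
+description: 'POSIX functionality, sends server to background, enables syslog, etc.'
+module_enabled: 'true'
+extra_options:
+- 'daemonize = true'
+
+- name: 'limits'
+description: 'Enable bandwidth limiting for XMPP connections.'
+module_enabled: 'false'
+
+- name: 'groups'
+description: 'Shared roster support.'
+module_enabled: 'false'
+
+- name: 'announce'
+description: 'Send announcement to all online users'
+module_enabled: 'true'
+
+- name: 'welcome'
+description: 'Welcome users who register accounts'
+module_enabled: 'true'
+
+- name: 'watchregistrations'
+description: 'Alert admins of registrations'
+module_enabled: 'false'
+
+- name: 'motd'
+description: 'Send a message to users when they log in'
+module_enabled: 'true'
+
+- name: 'legacyauth'
+description: 'Legacy authentication. Only used by some old clients and bots.'
+module_enabled: 'true'
+
+- name: 'log_auth'
+description: 'Log failed authentication attempts with their IP address'
+module_enabled: 'true'
+
+- name: 'register_redirect'
+description: 'Registration Redirect.'
+module_enabled: 'true'
+extra_options:
+- 'registrarion_url = "https://registration.example.com"'
+- 'registration_text = "Your custom instructions banner here"'
+
+- name: 'mam'
+description: 'Implementation of XEP-0313: Message Archive Management https://modules.prosody.im/mod_mam.html'
+module_enabled: 'true'
+extra_options:
+- 'max_archive_query_results = 50;'
+- 'archive_expires_after = "6m"; -- six months'
+- 'default_archive_policy = true; -- default'
+- 'archive_cleanup_interval = 3600*24 -- how often it checks if there are messages older than archive_expires_after. In seconds.'
+
+- name: 'blocklist'
+description: 'ability to block users'
+module_enabled: 'true'
+
+- name: 'uptime_presence'
+description: 'responds to a presence probe with timestamp from when the server was started'
+module_enabled: 'true'
+
+- name: 'bookmarks'
+description: 'This module fetches users’ bookmarks from Private XML and pushes them to PEP on login'
+module_enabled: 'true'
+
+- name: 'admin_blocklist'
+description: 'Uses the blocklists set by admins for blocking s2s connections'
+module_enabled: 'true'
+
+- name: 'presence_cache'
+description: 'This module stores a timestamp of the latest presence received from users contacts'
+module_enabled: 'true'
+extra_options:
+- 'presence_cache_size = 99'
+
+- name: 'nodeinfo2'
+description: 'This module exposes a nodeinfo2 .well-known URL for use e.g. from the-federation.info.'
+module_enabled: 'true'
+extra_options:
+- 'nodeinfo2_expose_users = false -- if you don’t want to expose statistics about the amount of users you host'
+- 'nodeinfo2_expose_posts = false -- if you don’t want to expose statistics about the amount of messages being exchanged by your users'
+
+- name: 'lastlog'
+description: 'Simple module that stores the timestamp of when a user logs in.'
+module_enabled: 'true'
+extra_options:
+- 'lastlog_ip_address = false'
+- 'lastlog_stamp_offline = false'
+
+- name: 'http'
+description: 'Prosody contains a mini built-in HTTP server, which is used for BOSH and other modules.'
+module_enabled: 'true'
+
+- name: 'watch_spam_reports'
+description: 'This module sends a message to the server admins for incoming spam reports.'
+module_enabled: 'true'
+
+- name: 'spam_reporting'
+description: 'When someone reports spam or abuse, a line about this is logged and an event is fired so that other modules can act on the report.'
+module_enabled: 'true'
+
+- name: 'server_contact_info'
+description: 'Provides contact addresses.'
+module_enabled: 'true'
+extra_options:
+- 'contact_info = {'
+- 'admin = { "mailto:{{ prosody_admins }}", "xmpp:{{ prosody_admins }}" };'
+- 'abuse = { "mailto:{{ prosody_abuse_info }}", "xmpp:{{ prosody_abuse_info }}" };'
+- 'support = { "mailto:{{ prosody_contact_info }}", "xmpp:{{ prosody_contact_info }}" };'
+- '};'
+
+- name: 'turncredentials'
+description: 'Setup turnserver for viop'
+module_enabled: 'false'
+extra_options:
+- 'turncredentials_secret = mysecret'
+- 'turncredentials_host = turn.example.com'
+- 'turncredentials_port = 3478'
+- 'turncredentials_ttl = 86400;'
+
+- name: 'firewall'
+description: 'Can efficiently block, bounce, drop, forward, copy, redirect stanzas and more.'
+module_enabled: '{{ firewall_module_enabled }}'
+extra_options:
+- 'firewall_scripts = { "{{ prosody_community_modules_path }}/mod_firewall/scripts/spam-blocking.pfw", "{{ prosody_custom_script_path }}/servers_blocklist.pfw", "{{ prosody_custom_script_path }}/users_blocklist.pfw" }'
+# spam-blocking.pfw is the default Prosody one, needed by the two following
+
+- name: 'http_altconnect'
+description: 'This module helps make BOSH and WebSocket connection endpoints discoverable via the HTTP'
+module_enabled: 'true'
+
+- name: 'http_upload'
+description: 'Upload files via http'
+module_enabled: 'true'
+extra_options:
+- 'http_upload_file_size_limit = 1024*1024 --bytes'
+- 'http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds'
+- 'http_upload_path = "/srv/prosody/files"'
+- 'http_upload_quota = 1234 -- bytes, maximum size of all uploaded files per user'
+
+- name: 'admin_blocklist'
+description: 'This module uses the blocklists set by admins for blocking s2s connections'
+module_enabled: 'true'
+
+- name: 'statistics'
+description: 'Provide statistic feed for monitoring'
+module_enabled: 'true'
+
+- name: 'checkcerts'
+description: 'Checks your certificate to see if it is about to expire soon'
+module_enabled: 'false'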
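Review bot: `registrarion_url` in the `register_redirect` extra options is misspelled, so Prosody will ignore the option and the redirect carries no URL; `- 'registration_url = "https://registration.example.com"'`. The `turncredentials` values are unquoted Lua (`turncredentials_secret = mysecret`, `turncredentials_host = turn.example.com`): once the module is switched on, the first evaluates to nil and the second indexes an undefined global, so the config fails to load — they need string quotes as the `mam` and `http_upload` options have, and the secret belongs in a variable rather than a literal. `admin_blocklist` appears twice with differing descriptions, and the `contact_info` entries wrap `{{ prosody_admins }}` in double quotes although `defaults/main.yml` already embeds single quotes in that value, producing `"mailto:'admin@example.org'"`. `legacyauth` enabled by default deserves a comment stating why pre-SASL authentication is kept on, since the description itself says only old clients and bots use it.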
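--- a/defaults/muc.yml
+++ b/defaults/muc.yml
@@ -0,0 +1,54 @@
+## MUC
+prosody_muc_enabled: 'true'
+prosody_muc:
+- url: 'chat.example.org'
+name: 'Example.org chatroom server'
+restrict: 'false'
+
+prosody_muc_modules:
+- name: 'swedishchef'
+description: 'This module does some conversions on message bodys passed through it causing them to look like our beloved swedish chef had typed them.'
+module_enabled: 'false'
+extra_options:
+- 'swedishchef_trigger = "!chef"; -- optional, converts only when the message starts with "!chef"'
+
+- name: 'muc_badge'
+description: 'Add badges to muc room.'
+module_enabled: 'true'
+
+- name: 'bob'
+description: 'This module extracts cid: URIs and replies with its content.'
+module_enabled: 'true'
+
+- name: 'muc_limits'
+description: 'This module allows you to control the maximum rate of ‘events’ in a MUC room.'
+module_enabled: 'true'
+extra_options:
+- 'muc_event_rate = 0.5 -- The maximum number of events per second.'
+- 'muc_burst_factor = 6 -- Allow temporary bursts of this multiple.'
+- 'muc_max_nick_length = 64 -- The maximum allowed length of user nicknames'
+
+- name: 'muc_mam'
+description: 'Message Archive Management for MUC'
+module_enabled: 'true'
+extra_options:
+- 'muc_log_by_default = true; -- Enable logging by default (can be disabled in room config)'
+- 'muc_log_all_rooms = false; -- set to true to force logging of all rooms'
+- 'max_history_messages = 20; -- This is the largest number of messages that are allowed to be retrieved when joining a room.'
+- 'muc_log_presences = false; -- Archiving of joins and parts.'
+- 'muc_log_expires_after = "6m" -- 6 months'
+- 'muc_log_cleanup_interval = 3600*24 -- how often it checks if there are messages older than archive_expires_after. In seconds.'
+
+- name: 'vcard_muc'
+description: 'This module adds the ability to set vCard for MUC rooms.'
+module_enabled: 'true'
+
+- name: 'muc_moderation'
+description: 'This module adds the ability to moderate a muc.'
+module_enabled: 'true'
+
+- name: 'muc_webchat_url'
+description: 'Allows to make the webchat url discoverable via the XMPP service discovery protocol.'
+module_enabled: 'true'
+extra_options:
+- 'muc_webchat_baseurl = "https://webchat.example.org/#converse/room?jid={jid}"'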
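Review bot: The comment on `muc_log_cleanup_interval` says it looks for messages `older than archive_expires_after`, but the option governing MUC archives is `muc_log_expires_after`, set two lines above; `-- how often it checks if there are messages older than muc_log_expires_after. In seconds.` keeps the two MUC options pointing at each other instead of at the `mam` option in `defaults/mod.yml`, from which the line appears to have been copied.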
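--- a/defaults/proxy.yml
+++ b/defaults/proxy.yml
@@ -0,0 +1,5 @@
+## proxy
+prosody_proxy65_enabled: 'true'
+prosody_proxy65_url: 'proxy.example.com' # used in proxy65.cfg.lua.j2
+prosody_proxy65_address: 'example.com'
+prosody_proxy65_acl: 'example.com'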
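--- a/defaults/pubsub.yml
+++ b/defaults/pubsub.yml
@@ -0,0 +1,21 @@
+## PUBSUB
+prosody_pubsub_enabled: 'true'
+prosody_pubsub:
+prosody_pubsub_url: 'pubsub.example.org'
+
+prosody_pubsub_modules:
+- name: 'pubsub_feeds'
+description: 'This module allows Prosody to fetch Atom and RSS feeds for you'
+module_enabled: 'true'
+extra_options: ''
+feeds:
+- 'planet_jabber = "http://planet.jabber.org/atom.xml";'
+- 'prosody_blog = "http://blog.prosody.im/feed/atom.xml";'
+
+- name: 'pubsub_text_interface'
+description: 'This module lets you manage subscriptions to pubsub nodes via simple chat messages.'
+module_enabled: 'true'
+
+- name: 'pubsub_hub'
+description: 'This module implements a PubSubHubbub (PuSH) hub'
+module_enabled: 'true'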
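Review bot: `prosody_pubsub:` has no value, so it defines a null variable, and `prosody_pubsub_url` on the next line ends up as a separate top-level key; compared with `prosody_muc:` in `defaults/muc.yml`, whose settings are nested beneath it, this looks like a lost nesting or a leftover line. Either drop the empty `prosody_pubsub:` or nest the URL under it, and check that `pubsub.cfg.lua.j2` reads the name that remains. The two feed URLs are plain `http://`; if the publishers serve HTTPS, `https://` keeps fetched feed content from being altered in transit before it is republished to subscribers.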
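--- a/defaults/saslauth.yml
+++ b/defaults/saslauth.yml
@@ -0,0 +1,8 @@
+## SASLAUTH
+prosody_saslauth: 'false'
+ldap_host: ''
+readonly_ldap_dn: ''
+readonly_ldap_pw: ''
+readonly_ldap_search_base: ''
+saslauth_ldap_auth: ''
+saslauth_ldap_filter: ''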
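--- a/defaults/vhost.yml
+++ b/defaults/vhost.yml
@@ -0,0 +1,20 @@
+## VHOSTS
+prosody_vhost:
+- name: 'example.org'
+enabled: 'true'
+carbon_defaults: 'true'
+auth_method: 'internal_hashed'
+prosody_ldap_config: # Change the folowing only if you chose auth_method: 'ldap'
+- ldap_server: "ldap.example.org"
+ldap_rootdn: "uid=postfix,ou=services,dc=example,dc=org"
+ldap_password: "changeme"
+ldap_basedn: "ou=users,dc=example,dc=org"
+ldap_filter: ''
+ldap_tls: "false"
+ldap_mode: "bind"
+prosody_cyrus_config: # Change the folowing only if you chose auth_method: 'cyrus'
+- cyrus_service_name: "xmpp"
+cyrus_server_fqdn: "your_hostname"
+cyrus_service_realm: "(auto)"
+cyrus_require_provisioning: "false"
+cyrus_application_name: "prosody"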
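Review bot: The LDAP defaults pair a bind DN and `ldap_password` with `ldap_tls: "false"` and `ldap_mode: "bind"`, so an operator who follows the README and only switches `auth_method` to `ldap` sends the service bind password and every user's password check to `ldap_server` in cleartext. Defaulting to `ldap_tls: "true"`, or at least a comment beside it such as `# keep "true" unless the directory is reached over a trusted network; bind mode sends user passwords to the LDAP server`, matches the role's otherwise encryption-first defaults (`prosody_c2s_encryption: 'true'`). The comments on `prosody_ldap_config` and `prosody_cyrus_config` misspell "following".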
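--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+
+- name: restart prosody
+systemd:
+name: prosody
+state: restarted
+
+- name: restart saslauth
+systemd:
+name: saslauthd
+state: restarted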
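--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -0,0 +1,73 @@
+---
+
+- name: '[Configure] - Create conf.d dir'
+file:
+path: /etc/prosody/conf.d
+state: directory
+
+- name: '[Configure] - Deploy main Prosody config'
+template:
+src: etc/prosody/prosody.cfg.lua.j2
+dest: /etc/prosody/prosody.cfg.lua
+owner: root
+group: root
+mode: 0644
+notify:
+restart prosody
+
+- name: '[Configure] - Deploy vhost etc'
+template:
+src: etc/prosody/conf.d/vhosts.cfg.lua.j2
+dest: /etc/prosody/conf.d/{{ item.name }}.cfg.lua
+with_items: "{{ prosody_vhost }}"
+notify:
+restart prosody
+
+- name: '[Configure] - Deploy MUC configuration'
+template:
+src: etc/prosody/conf.d/muc.cfg.lua.j2
+dest: /etc/prosody/conf.d/muc.cfg.lua
+when: prosody_muc_enabled == 'true'
+notify:
+restart prosody
+
+- name: '[Configure] - Deploy BOSH configuration'
+template:
+src: etc/prosody/conf.d/bosh.cfg.lua.j2
+dest: /etc/prosody/conf.d/bosh.cfg.lua
+when: prosody_bosh_enabled == 'true'
+notify:
+restart prosody
+
+- name: '[Configure] - Deploy proxy65'
+template:
+src: etc/prosody/conf.d/proxy65.cfg.lua.j2
+dest: /etc/prosody/conf.d/proxy65.cfg.lua
+when: prosody_proxy65_enabled == 'true'
+notify:
+restart prosody
+
+- name: '[Configure] - Deploy pubsub'
+template:
+src: etc/prosody/conf.d/pubsub.cfg.lua.j2
+dest: /etc/prosody/conf.d/pubsub.cfg.lua
+when: prosody_pubsub_enabled == 'true'
+notify:
+restart prosody
+
+- name: '[Configure] - Deploy http_upload'
+template:
+src: etc/prosody/conf.d/http_upload.cfg.lua.j2
+dest: /etc/prosody/conf.d/http_upload.cfg.lua
+when: prosody_http_upload_enabled == 'true'
+notify:
+restart prosody
+
+- name: '[Configure] - Deploy additional component_ports'
+template:
+src: etc/prosody/conf.d/custom_component.cfg.lua.j2
+dest: '/etc/prosody/conf.d/{{ item.name }}.cfg.lua'
+when: prosody_custom_components_enabled == 'true'
+with_items: '{{ prosody_custom_components }}'
+notify:
+restart prosody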
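Review bot: The main config is written `mode: 0644` (world-readable) and the `conf.d` templates set no `owner`/`group`/`mode` at all, yet the rendered files presumably carry `prosody_sql_passwd`, the vhost `ldap_password` and component `secret` values from the defaults. The role already treats `prosody` as the service group in `tasks/firewall.yml`, so `owner: root`, `group: prosody`, `mode: 0640` on every `template` task here keeps the secrets readable by the daemon but not by every local account, and the `file` task for `/etc/prosody/conf.d` can take the same ownership with `mode: 0750`. The vhost task and the custom-component task both write `/etc/prosody/conf.d/{{ item.name }}.cfg.lua`, so a component whose `name` equals a vhost name silently overwrites that vhost's config; a distinct suffix for one of them (e.g. `{{ item.name }}.component.cfg.lua`) removes the collision.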
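--- a/tasks/firewall.yml
+++ b/tasks/firewall.yml
@@ -0,0 +1,35 @@
+---
+
+- name: '[Firewall] - Make sure that script directory exists'
+file:
+path: "{{ prosody_custom_script_path }}"
+state: directory
+owner: root
+group: prosody
+mode: 0755
+
+- name: '[Firewall] - Deploy Firewall scripts'
+template:
+src: "etc/prosody/custom_scripts/{{ item }}.j2"
+dest: "{{ prosody_custom_script_path }}/{{ item }}"
+owner: root
+group: prosody
+mode: 0644
+with_items:
+- 'servers_blocklist.pfw'
+- 'users_blocklist.pfw'
+notify:
+restart prosody
+
+- name: '[Firewall] - Deploy Firewall lists'
+template:
+src: "etc/prosody/custom_scripts/{{ item }}.j2"
+dest: "{{ prosody_custom_script_path }}/{{ item }}"
+owner: root
+group: prosody
+mode: 0644
+with_items:
+- 'servers_blocklist.txt'
+- 'users_blocklist.txt'
+notify:
+restart prosody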
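Review bot: The two `template` tasks are identical except for their file lists, so one task with a four-entry `with_items` (and a comment distinguishing the `.pfw` scripts from the `.txt` lists they read) would say the same thing in half the lines. Worth noting as well: these lists are presumably rendered from `firewall_servers_blocked`/`firewall_users_blocked`, whose defaults are placeholders (`server1.org`, `user@server.org`) and are enforced as real blocks because `firewall_module_enabled: 'true'` is on by default; empty lists as defaults would avoid shipping a blocklist nobody chose.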
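--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -0,0 +1,41 @@
+---
+
+- name: '[APT] - Add repository key'
+apt_key:
+url: 'https://prosody.im/files/prosody-debian-packages.key'
+state: 'present'
+
+- name: '[APT] - Add prosody repository'
+apt_repository:
+repo: 'deb http://packages.prosody.im/debian {{ ansible_distribution_release }} main'
+filename: 'prosody'
+state: present
+update_cache: 'yes'
+
+- name: '[APT] - Install prosody'
+apt:
+name:
+- 'lua-cyrussasl'
+- 'lua-dbi-common'
+- 'lua-dbi-mysql'
+- 'lua-event'
+- 'lua-ldap'
+- 'lua-sec'
+- 'lua-socket'
+- 'lua-zlib'
+- 'luarocks'
+- 'lua5.2'
+- 'mercurial'
+- 'prosody-trunk'
+- 'prosody-migrator-trunk'
+update_cache: yes
+cache_valid_time: 3600
+state: 'latest'
+
+- name: '[HG] - Clone prosody modules'
+hg:
+repo: https://hg.prosody.im/prosody-modules/
+dest: "{{ prosody_community_modules_path }}"
+update: yes
+notify:
+restart prosody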
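Review bot: The community modules are cloned with `update: yes` and no `revision`, and the server itself comes from `prosody-trunk` with `state: 'latest'`, so every run pulls whatever the upstream tip currently is and restarts the service; the deployed code is not reproducible and a broken or compromised upstream changeset reaches production unreviewed. Pinning the `hg` task (`revision: "<known-good changeset>"`, a placeholder to be filled from upstream) and using `state: present` — or the stable `prosody` package — makes installs repeatable, with the unpinned behaviour kept behind an explicit opt-in variable. The repository line uses `http://packages.prosody.im/debian`; apt's signature check against the key fetched over HTTPS preserves integrity, but the `update_cache: 'yes'` string here versus the bare `yes` two tasks below is an inconsistency worth aligning while touching the file.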
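--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+
+- name: Include install
+include: install.yml
+
+- name: Include config
+include: configure.yml
+
+- name: Include Firewall
+include: firewall.yml
+when: firewall_module_enabled == 'true'
+
+- name: include saslauth
+include: saslauthd.yml
+when: prosody_saslauth == 'true'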
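Review bot: `include:` for task files has been deprecated since Ansible 2.4 in favour of `import_tasks`/`include_tasks`; `import_tasks: install.yml` is the direct static replacement for the first two, and `include_tasks: firewall.yml` for the conditional ones evaluates `when:` once instead of copying it onto every imported task. The flags are compared as strings (`firewall_module_enabled == 'true'`), which matches the quoted defaults but means an inventory entry `firewall_module_enabled: true` (a YAML boolean) silently skips the include; `when: firewall_module_enabled | bool` accepts both spellings.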
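--- a/tasks/saslauthd.yml
+++ b/tasks/saslauthd.yml
@@ -0,0 +1,48 @@
+---
+
+- name: '[Saslauth] - Install pkg'
+apt:
+name:
+- 'sasl2-bin'
+- 'libsasl2-modules-ldap'
+- 'libsasl2-modules-db'
+- 'libsasl2-modules'
+- 'libsasl2-2'
+- 'libauthen-sasl-perl'
+update_cache: yes
+cache_valid_time: 3600
+
+- name: '[Saslauth] - Create dir'
+file:
+path: /etc/sasl
+state: directory
+
+- name: '[Saslauth] - Deploy configs'
+template:
+src: etc/saslauthd.conf.j2
+dest: /etc/saslauthd.conf
+owner: root
+group: sasl
+mode: 0644
+notify:
+restart saslauth
+
+- name: '[Saslauth] - Deploy configs'
+template:
+src: etc/sasl/prosody.conf.j2
+dest: /etc/sasl/prosody.conf
+owner: root
+group: sasl
+mode: 0644
+notify:
+restart saslauth
+
+- name: '[Saslauth] - Deploy saslauthd'
+template:
+src: etc/default/saslauthd.j2
+dest: /etc/default/saslauthd
+owner: root
+group: root
+mode: 0644
+notify:
+restart saslauth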
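Review bot: `/etc/saslauthd.conf` is deployed `mode: 0644`, and it is presumably where `readonly_ldap_pw` from `defaults/saslauth.yml` is rendered, so the LDAP bind password becomes readable by every local account; `mode: 0640` with the existing `owner: root` / `group: sasl` is sufficient for saslauthd and hides it from other users. Two tasks carry the same name `'[Saslauth] - Deploy configs'`, which makes run output and `--start-at-task` ambiguous; `'[Saslauth] - Deploy sasl/prosody.conf'` for the second distinguishes them.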
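--- a/templates/etc/default/saslauthd.j2
+++ b/templates/etc/default/saslauthd.j2
@@ -0,0 +1,63 @@
+#
+# Settings for saslauthd daemon
+# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
+#
+
+# Should saslauthd run automatically on startup? (default: no)
+START=yes
+
+# Description of this saslauthd instance. Recommended.
+# (suggestion: SASL Authentication Daemon)
+DESC="SASL Authentication Daemon"
+
+# Short name of this saslauthd instance. Strongly recommended.
+# (suggestion: saslauthd)
+NAME="saslauthd"
+
+# Which authentication mechanisms should saslauthd use? (default: pam)
+#
+# Available options in this Debian package:
+# getpwent -- use the getpwent() library function
+# kerberos5 -- use Kerberos 5
+# pam -- use PAM
+# rimap -- use a remote IMAP server
+# shadow -- use the local shadow password file
+# sasldb -- use the local sasldb database file
+# ldap -- use LDAP (configuration is in /etc/saslauthd.conf)
+#
+# Only one option may be used at a time. See the saslauthd man page
+# for more information.
+#
+# Example: MECHANISMS="pam"
+MECHANISMS="ldap"
+
+# Additional options for this mechanism. (default: none)
+# See the saslauthd man page for information about mech-specific options.
+MECH_OPTIONS="/etc/saslauthd.conf"
+
+# How many saslauthd processes should we run? (default: 5)
+# A value of 0 will fork a new process for each connection.
+THREADS=5
+
+# Other options (default: -c -m /var/run/saslauthd)
+# Note: You MUST specify the -m option or saslauthd won't run!
+#
+# WARNING: DO NOT SPECIFY THE -d OPTION.
+# The -d option will cause saslauthd to run in the foreground instead of as
+# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
+# to run saslauthd in debug mode, please run it by hand to be safe.
+#
+# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
+# See the saslauthd man page and the output of 'saslauthd -h' for general
+# information about these options.
+#
+# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
+# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
+#
+# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
+# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
+# then your Postfix is running in a chroot.
+# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
+# running in a chroot.
+OPTIONS="-c -m /var/run/saslauthd"
+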
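Review bot: This template lacks the `# {{ ansible_managed }}` header that the other templates in this commit start with, so an operator who edits /etc/default/saslauthd by hand gets no hint that the role will overwrite it. Every value is hard-coded (`MECHANISMS="ldap"`, `THREADS=5`, `OPTIONS="-c -m /var/run/saslauthd"`) even though the file is a Jinja template; if nothing is meant to be tunable, a plain file under `files/` deployed with `copy:` states that more clearly, otherwise at least `MECHANISMS` deserves a variable since the rest of the role assumes LDAP.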
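--- a/templates/etc/prosody/conf.d/bosh.cfg.lua.j2
+++ b/templates/etc/prosody/conf.d/bosh.cfg.lua.j2
@@ -0,0 +1,12 @@
+-- {{ ansible_managed }}
+
+--BOSH setting
+bosh_ports = { {{ prosody_bosh_ports }} }
+bosh_max_inactivity = {{ prosody_bosh_max_inactivity }}
+consider_bosh_secure = {{ prosody_bosh_secure }} -- Use if proxying HTTPS->HTTP on the server side
+cross_domain_bosh = {{ prosody_bosh_cross_domain }} -- Allow access from scripts on any site with no proxy (requires a modern browser)
+
+ssl = {
+key = "{{ prosody_ssl_key }}";
+certificate = "{{ prosody_ssl_cert }}";
+}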
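Review bot: `consider_bosh_secure` and `cross_domain_bosh` are passed straight through from variables with no guard, and both relax the defaults when true: per the inline comment the first marks plain-HTTP BOSH sessions as secure (so `c2s_require_encryption` no longer protects them) and is only correct behind a TLS-terminating reverse proxy, while the second lets any web origin open sessions. A comment such as `-- consider_bosh_secure must stay false unless a TLS-terminating proxy sits in front of Prosody` above those lines, and a safe default where the two variables are declared (outside this view), would make the intent explicit. The `ssl` table here reads `prosody_ssl_key`/`prosody_ssl_cert`, whereas every other conf.d template in this commit builds its paths from `prosody_certificates`; presumably deliberate, but worth a note so the two schemes are not confused.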
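--- a/templates/etc/prosody/conf.d/custom_component.cfg.lua.j2
+++ b/templates/etc/prosody/conf.d/custom_component.cfg.lua.j2
@@ -0,0 +1,12 @@
+-- {{ ansible_managed }}
+
+Component "{{ item.name }}"
+component_secret = "{{ item.secret }}"
+
+{% if item.ssl %}
+-- SSL Settings
+ssl = {
+key = "/etc/prosody/{{ prosody_certificates }}/{{ item.name }}/privkey.pem";
+certificate = "/etc/prosody/{{ prosody_certificates }}/{{ item.name }}/fullchain.pem";
+}
+{% endif %}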
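Review bot: `component_secret = "{{ item.secret }}"` interpolates the shared secret into a Lua double-quoted string with no escaping, so a secret containing `"` or `\` produces a config that fails to parse and keeps Prosody from starting after the next restart. Because this value is a credential, the usual treatment is an Ansible Vault-encrypted variable plus a tightly-moded destination file; the task that deploys this template is outside this view, so that is a point to confirm. `{% if item.ssl %}` has no `is defined` check, so an item without an `ssl` key will most likely fail at render time under Ansible's strict undefined handling; `{% if item.ssl | default(false) %}` tolerates it.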
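--- a/templates/etc/prosody/conf.d/http_upload.cfg.lua.j2
+++ b/templates/etc/prosody/conf.d/http_upload.cfg.lua.j2
@@ -0,0 +1,10 @@
+-- {{ ansible_managed }}
+
+-- Component config for http_upload
+Component "{{ prosody_http_upload_component }}" "http_upload"
+http_host = "{{ prosody_http_host }}"
+
+http_upload_file_size_limit = {{ prosody_http_upload_file_size_limit }} -- 10MB
+http_upload_expire_after = {{ prosody_http_upload_expire_after }} -- 6 month in seconds
+http_upload_path = {{ prosody_http_upload_path }}
+http_upload_quota = {{ prosody_http_upload_quota }}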
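Review bot: `http_upload_path = {{ prosody_http_upload_path }}` is the only string-valued setting in this file rendered without surrounding quotes (compare `http_host = "{{ prosody_http_host }}"`), so unless the variable itself carries quotes the generated Lua is either a syntax error or assigns an undefined global, i.e. nil; `http_upload_path = "{{ prosody_http_upload_path }}"` matches the other lines. The trailing comments `-- 10MB` and `-- 6 month in seconds` describe fixed values next to settings that are now variables and will be wrong as soon as the defaults change; rewording them to the unit (`-- bytes`, `-- seconds`) keeps them true.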
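--- a/templates/etc/prosody/conf.d/muc.cfg.lua.j2
+++ b/templates/etc/prosody/conf.d/muc.cfg.lua.j2
@@ -0,0 +1,36 @@
+-- {{ ansible_managed }}
+
+-----Set up a MUC (multi-user chat) room server on conference.example.com:
+{% if prosody_muc is defined %}
+{% for item in prosody_muc %}
+Component "{{ item.url }}" "muc"
+name = "{{ item.name }}"
+restrict_room_creation = {{ item.restrict }}
+
+modules_enabled = {
+
+{% for item in prosody_muc_modules %}
+{% if item.module_enabled == 'true' %}
+"{{ item.name }}"; -- {{ item.description }}
+{% endif %}
+{% endfor %}
+};
+
+-- Additional module Settings
+{% for module in prosody_muc_modules %}
+{% if module.extra_options is defined and module.module_enabled == 'true' %}
+
+-- {{ module.name }}
+{% for item in module.extra_options %}
+{{ item }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+
+-- SSL Settings
+ssl = {
+key = "/etc/prosody/{{ prosody_certificates }}/{{ item.url }}/privkey.pem";
+certificate = "/etc/prosody/{{ prosody_certificates }}/{{ item.url }}/fullchain.pem";
+}
+{% endfor %}
+{% endif %}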
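Review bot: The inner loop `{% for item in prosody_muc_modules %}` reuses the outer loop variable `item` from `{% for item in prosody_muc %}`; Jinja restores the outer binding after `endfor`, so `item.url` in the `ssl` block still names the MUC, but the shadowing makes the template hard to read and easy to break when someone adds a line between the loops. The "Additional module Settings" loop in the same file already uses `module`, so renaming the first loop to match — `{% for module in prosody_muc_modules %}`, `{% if module.module_enabled == 'true' %}`, `"{{ module.name }}"; -- {{ module.description }}` — removes the ambiguity without changing output.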
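--- a/templates/etc/prosody/conf.d/proxy65.cfg.lua.j2
+++ b/templates/etc/prosody/conf.d/proxy65.cfg.lua.j2
@@ -0,0 +1,12 @@
+-- {{ ansible_managed }}
+
+-- Component config for SOCKS proxy
+Component "{{ prosody_proxy65_url }}" "proxy65"
+proxy65_address = "{{ prosody_proxy65_address }}"
+proxy65_acl = { "{{ prosody_proxy65_acl }}" }
+
+-- SSL Settings
+ssl = {
+key = "/etc/prosody/{{ prosody_certificates }}/{{ prosody_proxy65_url }}/privkey.pem";
+certificate = "/etc/prosody/{{ prosody_certificates }}/{{ prosody_proxy65_url }}/fullchain.pem";
+}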
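Review bot: `proxy65_acl = { "{{ prosody_proxy65_acl }}" }` wraps the variable in a single Lua string, so the ACL can only ever hold one entry, and a list-valued variable would be rendered as one literal `['...']` string that matches nothing. Since this ACL is what restricts who may relay through the SOCKS5 bytestream proxy, rendering it from a list (`{% for entry in prosody_proxy65_acl %}"{{ entry }}";{% endfor %}`) or documenting that the variable must already hold the quoted, comma-separated Lua literal — the convention `admins = { {{ prosody_admins }} }` appears to use in prosody.cfg.lua.j2 — avoids an accidentally empty or over-broad ACL.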
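--- a/templates/etc/prosody/conf.d/pubsub.cfg.lua.j2
+++ b/templates/etc/prosody/conf.d/pubsub.cfg.lua.j2
@@ -0,0 +1,38 @@
+-- {{ ansible_managed }}
+
+-- Set up PubSub
+{% if prosody_pubsub is defined %}
+Component "{{ prosody_pubsub_url }}" "pubsub"
+
+modules_enabled = {
+{% for item in prosody_pubsub_modules %}
+{% if item.module_enabled == 'true' %}
+"{{ item.name }}"; -- {{ item.description }}
+{% endif %}
+{% endfor %}
+}
+
+-- Additional module Settings
+{% for module in prosody_pubsub_modules %}
+{% if module.extra_options is defined and module.module_enabled == 'true' %}
+
+-- {{ module.name }}
+{% if module.name == 'pubsub_feeds' %}
+feed = {
+{% for item in module.feeds %}
+{{ item }}
+{% endfor %}
+}
+{% endif %}
+{% for item in module.extra_options %}
+{{ item }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endif %}
+
+-- SSL Settings
+ssl = {
+key = "/etc/prosody/{{ prosody_certificates }}/{{ prosody_pubsub_url }}/privkey.pem";
+certificate = "/etc/prosody/{{ prosody_certificates }}/{{ prosody_pubsub_url }}/fullchain.pem";
+}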
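Review bot: The closing `ssl = { ... }` block sits outside the `{% if prosody_pubsub is defined %}` guard, so when pubsub is not configured the file still emits an `ssl` table built from `{{ prosody_pubsub_url }}` — an undefined-variable error at render time, or, if that URL variable happens to be set, an `ssl` setting that presumably lands on whatever host or component section Prosody last opened rather than on pubsub. Moving the five SSL lines above the final `{% endif %}` scopes them to the component the way muc.cfg.lua.j2 does. `modules_enabled = { ... }` also closes with `}` here while the sibling templates write `};`; harmless in Lua, but inconsistent.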
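--- a/templates/etc/prosody/conf.d/vhosts.cfg.lua.j2
+++ b/templates/etc/prosody/conf.d/vhosts.cfg.lua.j2
@@ -0,0 +1,34 @@
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+VirtualHost "{{ item.name }}"
+enabled = {{ item.enabled }}
+carbon_copies_default = {{ item.carbon_defaults }}
+authentication = "{{ item.auth_method }}"
+
+{% if item.auth_method == 'cyrus' %}
+--Cyrus config
+{% for option in item.prosody_cyrus_config %}
+cyrus_service_name = "{{ option.cyrus_service_name }}"
+cyrus_server_fqdn = "{{ option.cyrus_server_fqdn }}"
+cyrus_service_realm = "{{ option.cyrus_service_realm }}"
+cyrus_require_provisioning = "{{ option.cyrus_require_provisioning }}"
+cyrus_application_name = "{{ option.cyrus_application_name }}"
+{% endfor %}
+{% endif %}
+
+{% if item.auth_method == 'ldap' %}
+--LDAP config
+{% for option in item.prosody_ldap_config %}
+ldap_server = "{{ option.ldap_server }}"
+ldap_rootdn = "{{ option.ldap_rootdn }}"
+ldap_password = "{{ option.ldap_password }}"
+ldap_base = "{{ option.ldap_basedn }}"
+{% if option.ldap_filter is defined %}
+ldap_filter = "{{ option.ldap_filter }}"
+{% endif %}
+ldap_tls = "{{ option.ldap_tls }}"
+ldap_mode = "{{ option.ldap_mode }}"
+{% endfor %}
+{% endif %}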
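Review bot: `ldap_password = "{{ option.ldap_password }}"` writes the LDAP bind password into the rendered vhost file, so the task that deploys this template (outside this view) needs a restrictive mode with no world-read bit and the variable should come from Ansible Vault; worth confirming, since `0644` is the mode this commit uses for the sasl templates. The `{% for option in item.prosody_ldap_config %}` loop emits `ldap_server` and the other keys once per entry, and a Lua config keeps only the last assignment, so the list form suggests a multi-server setup the rendered output cannot express. Unlike the other conf.d templates, this one has no `-- {{ ansible_managed }}` header.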
|
@ -0,0 +1,13 @@
|
|||
# This script depends on spam-blocking.pfw also being loaded
|
||||
# Any traffic that is not explicitly blocked or allowed by other
|
||||
# rules will be checked against the blocklist.txt file
|
||||
# Check mod_firewall/scripts/spam-blocking.pfw
|
||||
|
||||
%LIST blocklist: file:{{ prosody_custom_script_path }}/servers_blocklist.txt
|
||||
|
||||
::user/spam_handle_unknown_custom
|
||||
|
||||
# replace the above line by ::deliver if not using spam-blocking.
|
||||
|
||||
CHECK LIST: blocklist contains $<@from|host>
|
||||
BOUNCE=policy-violation (Your server is blocked due to spam)
|
|
@ -0,0 +1,4 @@
|
|||
# Just list the servers you want to block, one server per line.
|
||||
{% for item in firewall_servers_blocked %}
|
||||
{{ item }}
|
||||
{% endfor %}
|
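--- a/templates/etc/prosody/custom_scripts/users_blocklist.pfw.j2
+++ b/templates/etc/prosody/custom_scripts/users_blocklist.pfw.j2
@@ -0,0 +1,13 @@
+# This script depends on spam-blocking.pfw also being loaded
+# Any traffic that is not explicitly blocked or allowed by other
+# rules will be checked against the blocklist.txt file
+# Check mod_firewall/scripts/spam-blocking.pfw
+
+%LIST blocklist: file:{{ prosody_custom_script_path }}/users_blocklist.txt
+
+::user/spam_handle_unknown_custom
+
+# replace the above line by ::deliver if not using spam-blocking.
+
+CHECK LIST: blocklist contains $<@from|bare>
+BOUNCE=policy-violation (Your server is blocked due to spam)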
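Review bot: `BOUNCE=policy-violation (Your server is blocked due to spam)` is carried over from the server blocklist script, but this rule matches `$<@from|bare>`, an individual JID, so a blocked user is told that their whole server is blocked; `BOUNCE=policy-violation (Your account is blocked due to spam)` fits the check. The header comment still says the traffic is checked against `blocklist.txt` while the `%LIST` line reads `users_blocklist.txt`; aligning the comment avoids confusion. The companion users_blocklist.txt template that follows (its file header was lost in this rendering) iterates `firewall_servers_blocked`, so both lists would be rendered from the same variable; presumably a separate users variable was intended.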
|
@ -0,0 +1,4 @@
|
|||
# Just list the users you want to block, one user per line.
|
||||
{% for item in firewall_servers_blocked %}
|
||||
{{ item }}
|
||||
{% endfor %}
|
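--- a/templates/etc/prosody/prosody.cfg.lua.j2
+++ b/templates/etc/prosody/prosody.cfg.lua.j2
@@ -0,0 +1,191 @@
+-- {{ ansible_managed }}
+
+-- Prosody Example Configuration File
+--
+-- Information on configuring Prosody can be found on our
+-- website at http://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
+-- blanks. Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see http://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { {{ prosody_admins }} }
+
+{% for item in prosody_modules %}
+{% if item.name == 'server_contact_info' %}
+{% if item.module_enabled == 'false' %}
+contact_info = { {{ prosody_contact_info }} }
+{% endif %}
+{% endif %}
+{% endfor %}
+
+http_host = "{{ prosody_http_host }}"
+http_external_url = "{{ prosody_http_external_url }}"
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: http://prosody.im/doc/libevent
+network_backend = "{{ prosody_network_backend }}"
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+plugin_paths = { "{{ prosody_core_modules_path }}","{{ prosody_community_modules_path }}" }
+
+-- Single directory for custom prosody plugins and/or Lua libraries installation
+-- This path takes priority over plugin_paths, when prosody is searching for modules
+installer_plugin_path = "{{ prosody_custom_script_path }}"
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+{% for item in prosody_modules %}
+{% if item.module_enabled == 'true' %}
+"{{ item.name }}"; -- {{ item.description }}
+{% endif %}
+{% endfor %}
+};
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+
+{% for item in prosody_modules %}
+{% if item.module_enabled == 'false' %}
+"{{ item.name }}"; -- {{ item.description }}
+{% endif %}
+{% endfor %}
+};
+
+-- Disable account creation by default, for security
+-- For more information see http://prosody.im/doc/creating_accounts
+allow_registration = {{ prosody_allow_registration }};
+
+-- Debian:
+-- Please, don't change this option since /var/run/prosody/
+-- is one of the few directories Prosody is allowed to write to
+-- Required for init scripts and prosodyctl
+pidfile = "/var/run/prosody/prosody.pid";
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = {{ prosody_c2s_encryption }}
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+
+s2s_require_encryption = {{ prosody_s2s_encryption }}
+
+-- Force certificate authentication for server-to-server connections?
+
+s2s_secure_auth = {{ prosody_s2s_auth }}
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+{% if prosody_insecure_domains is defined %}
+s2s_insecure_domains = { "{{ prosody_insecure_domains }}" }
+{% endif %}
+
+-- Even if you leave s2s_secure_auth disabled, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "{{ prosody_secure_domains }}" }
+
+s2s_stanza_size_limit = {{ prosody_stanza_size_limit }} -- 512 * 1000 -- 512kb
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See http://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the
+-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work)
+
+storage = "{{ prosody_storage }}"
+{% if prosody_storage == 'sql' %}
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+{% if prosody_sql_driver == 'SQLite3' %}
+sql = { driver = "{{ prosody_sql_driver }}", database = "{{ prosody_sql_databasename }}" }
+{% else %}
+sql = { driver = "{{ prosody_sql_driver }}", database = "{{ prosody_sql_databasename }}", username = "{{ prosody_sql_username }}", password = "{{ prosody_sql_passwd }}", host = "{{ prosody_sql_host }}" }
+{% endif %}
+{% endif %}
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see http://prosody.im/doc/logging
+log = {
+-- Log files (change 'info' to 'debug' for debug logs):
+{{ prosody_loglevel }} = "{{ prosody_log_path }}"; -- Change 'info' to 'debug' for verbose logging
+error = "{{ prosody_err_log }}";
+-- "*syslog"; -- Uncomment this for logging to syslog
+-- "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+{% if prosody_statistics|length %}
+statistics = "{{ prosody_statistics }}"
+{% else %}
+-- statistics = "internal"
+{% endif %}
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "{{ prosody_certificates }}"
+
+-- HTTPS currently only supports a single certificate, specify it here:
+--https_certificate = "certs/localhost.crt"
+
+{% if prosody_component_interface is defined %}
+{% for item in prosody_component_interface %}
+-- Prosody external component ports
+component_ports = { {{ item.component_ports }} }
+component_interface = "{{ item.component_interface }}"
+{% endfor %}
+{% endif %}
+
+-- Additional module Settings
+{% for module in prosody_modules %}
+{% if module.extra_options is defined and module.module_enabled == 'true' %}
+
+-- {{ module.name }}
+{% for item in module.extra_options %}
+{{ item }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+
+--
+
+Include "conf.d/*.cfg.lua"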
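Review bot: The `contact_info` block is rendered only when the `server_contact_info` entry has `module_enabled == 'false'`, yet `contact_info` is the setting that module reads, so the value is written exactly when nothing consumes it and omitted when the module is loaded; presumably the test should be `== 'true'`. `s2s_insecure_domains = { "{{ prosody_insecure_domains }}" }` wraps the variable in one Lua string (compare `admins = { {{ prosody_admins }} }` a few lines up), so only a single domain can be exempted from certificate checks and a list value would match nothing — because this setting turns off s2s certificate authentication for the listed peers, rendering it the same way as `admins` and leaving the variable undefined by default deserves a second look. The `sql = { ... password = "{{ prosody_sql_passwd }}" ... }` line embeds the database password in the rendered config; the task that deploys this template and its file mode are outside this view, so that is a point to check rather than a defect visible here.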
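--- a/templates/etc/sasl/prosody.conf.j2
+++ b/templates/etc/sasl/prosody.conf.j2
@@ -0,0 +1,3 @@
+pwcheck_method: saslauthd
+mech_list: PLAIN
+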
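Review bot: `mech_list: PLAIN` is the only mechanism that works with `pwcheck_method: saslauthd`, but it means the client's password crosses the XMPP stream in clear and is acceptable solely when `c2s_require_encryption` (rendered from `prosody_c2s_encryption` in prosody.cfg.lua.j2) is true; nothing ties the two settings together. A comment here, `# PLAIN is only acceptable over TLS; keep c2s_require_encryption = true in prosody.cfg.lua`, records the dependency, and an `assert` in the role on `prosody_c2s_encryption` when `prosody_saslauth` is enabled would enforce it. The file also lacks the `{{ ansible_managed }}` header used by the other templates.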
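--- a/templates/etc/saslauthd.conf.j2
+++ b/templates/etc/saslauthd.conf.j2
@@ -0,0 +1,8 @@
+ldap_servers: {{ ldap_host }}
+ldap_bind_dn: {{ readonly_ldap_dn }}
+ldap_bind_pw: {{ readonly_ldap_pw }}
+ldap_search_base: {{ readonly_ldap_search_base }}
+ldap_auth_method: {{ saslauth_ldap_auth }}
+ldap_use_sasl: no
+ldap_start_tls: no
+ldap_filter: {{ saslauth_ldap_filter }}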
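Review bot: With `ldap_use_sasl: no` and `ldap_start_tls: no` hard-coded, saslauthd sends `ldap_bind_pw` and every user password it checks to the directory in clear unless `{{ ldap_host }}` happens to be an `ldaps://` URI, and nothing in the template or role enforces that. Making the transport choice explicit — for example rendering the line from a variable (constructed example: `ldap_start_tls: {{ saslauth_ldap_start_tls }}`) with a secure default, or asserting in the role that the host starts with `ldaps://` — closes the gap; the file-mode concern for the bind password in this file is raised on tasks/saslauthd.yml.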