diff --git a/Vagrantfile b/Vagrantfile index 1c44734..15689ae 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -8,7 +8,7 @@ Vagrant.configure("2") do |config| #config.ssh.insert_key = false config.vm.define "prosody" do |prosody| - prosody.vm.box = "generic/debian10" + prosody.vm.box = "generic/debian11" prosody.vm.provider :libvirt do |libvirt| libvirt.memory = 256 end diff --git a/defaults/bosh.yml b/defaults/bosh.yml index eff3f7f..ebf5225 100644 --- a/defaults/bosh.yml +++ b/defaults/bosh.yml @@ -1,8 +1,6 @@ ## BOSH prosody_bosh_enabled: 'true' # used in configure.yml -prosody_bosh_ports: '5281, 5280 ' prosody_bosh_max_inactivity: '60' prosody_bosh_secure: 'true' -prosody_bosh_cross_domain: 'true' prosody_ssl_key: '/path/to/key' prosody_ssl_cert: '/path/to/cert' diff --git a/defaults/http_file_share.yml b/defaults/http_file_share.yml index c370794..fbc090d 100644 --- a/defaults/http_file_share.yml +++ b/defaults/http_file_share.yml @@ -2,10 +2,25 @@ prosody_http_file_share_enabled: 'true' prosody_http_file_share_component: 'upload.example.org' -prosody_http_file_share_size_limit: "10*1024*1024" -prosody_http_file_share_daily_quota: "100*1024*1024 -- 100 MiB per day per user" -prosody_http_file_share_global_quota: "1024*1024*1024 -- 1 GiB total" -prosody_http_file_share_expires_after: "7 * 86400 -- 1 week" -prosody_http_file_share_allowed_file_types: "{} -- Access control" -prosody_http_file_share_safe_file_types: '{"image/*","video/*","audio/*","text/plain"} -- Safe to show in-line in e.g. browsers' -prosody_http_file_share_access: "{} -- Access control" +prosody_http_file_share_options: + - name: 'http_file_share_size_limit' + value: '10*1024*1024' + description: '10MB file upload limit' + - name: 'http_file_share_daily_quota' + value: '100*1024*1024' + description: '100 MiB per day per user' + - name: 'http_file_share_global_quota' + value: '1024*1024*1024' + description: '1 GiB total' + - name: 'http_file_share_expires_after' + value: '7 * 86400' + description: '1 week' + - name: 'http_file_share_allowed_file_types' + value: '{}' + description: 'Access control' + - name: 'http_file_share_safe_file_types' + value: '{"image/*","video/*","audio/*","text/plain"}' + description: 'Safe to show in-line in e.g. browsers' + - name: 'http_file_share_access' + value: '{}' + description: 'Access control' diff --git a/defaults/main.yml b/defaults/main.yml index e8b82bd..dc8a1da 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -8,13 +8,12 @@ prosody_contact_info: "'support@example.org'" prosody_abuse_info: "'abuse@example.org'" prosody_core_modules_path: "/usr/lib/prosody/modules/" prosody_community_modules_path: "/usr/lib/prosody-modules" -prosody_custom_script_path: '/etc/prosody/custom_scripts' +prosody_installer_plugin_path: '/etc/prosody/custom_scripts' prosody_statistics: '' prosody_direct_tls_ports: 5223 prosody_c2s_direct_tls_ports: 5223 prosody_s2s_direct_tls_ports: 5269 - firewall_module_enabled: 'true' ## Firewall: list here what you want to block @@ -42,6 +41,16 @@ prosody_storage: 'internal' prosody_network_backend: "epoll" prosody_http_host: "example.org" prosody_http_external_url: "https://example.org" +prosody_http_interfaces: '*' +prosody_http_ports: '5281, 5280 ' +prosody_http_paths: + - name: 'files' + path: '/files/' + - name: 'bosh' + path: '/http-bind' + - name: 'file_share' + path: '/upload' +prosody_archive_expires_after: '1w' #If using sql storage prosody_sql_driver: 'SQLite3' # postgresql sqlite3 or mysql diff --git a/defaults/mod.yml b/defaults/mod.yml index 8a65ad3..afa901b 100644 --- a/defaults/mod.yml +++ b/defaults/mod.yml @@ -110,6 +110,10 @@ prosody_modules: - name: 'admin_adhoc' description: 'Allows administration via an XMPP client that supports ad-hoc commands' module_enabled: 'true' + + - name: 'admin_shell' + description: 'Allows administration via command shell' + module_enabled: 'true' - name: 'bosh' description: 'Enable BOSH clients' @@ -120,7 +124,6 @@ prosody_modules: module_enabled: 'true' extra_options: - 'consider_websocket_secure = true' - - 'cross_domain_websocket = true' - name: 'posix' description: 'POSIX functionality, sends server to background, enables syslog, etc.' @@ -128,18 +131,7 @@ prosody_modules: - name: 'limits' description: 'Enable bandwidth limiting for XMPP connections.' - module_enabled: 'false' - extra_options: - - 'limits = {' - - 'c2s = {' - - 'rate = "10kb/s";' - - 'burst = "2s";' - - '};' - - 's2sin = {' - - 'rate = "30kb/s";' - - 'burst = "2s";' - - '};' - - '}' + module_enabled: 'true' - name: 'groups' description: 'Shared roster support.' @@ -181,7 +173,6 @@ prosody_modules: module_enabled: 'true' extra_options: - 'max_archive_query_results = 50;' - - 'archive_expires_after = "6m"; -- six months' - 'default_archive_policy = true; -- default' - 'archive_cleanup_interval = 3600*24 -- how often it checks if there are messages older than archive_expires_after. In seconds.' @@ -239,20 +230,19 @@ prosody_modules: - 'support = { "mailto:{{ prosody_contact_info }}", "xmpp:{{ prosody_contact_info }}" };' - '};' - - name: 'turncredentials' - description: 'Setup turnserver for viop' + - name: 'turn_external' + description: 'Audio/video call relay (STUN/TURN)' module_enabled: 'false' extra_options: - - 'turncredentials_secret = mysecret' - - 'turncredentials_host = turn.example.com' - - 'turncredentials_port = 3478' - - 'turncredentials_ttl = 86400;' + - 'turn_external_host = mysecret' + - 'turn_external_host = turn.example.com' + - 'turn_external_port = 3478' - name: 'firewall' description: 'Can efficiently block, bounce, drop, forward, copy, redirect stanzas and more.' module_enabled: '{{ firewall_module_enabled }}' extra_options: - - 'firewall_scripts = { "{{ prosody_community_modules_path }}/mod_firewall/scripts/spam-blocking.pfw", "{{ prosody_custom_script_path }}/servers_blocklist.pfw", "{{ prosody_custom_script_path }}/users_blocklist.pfw", "{{ prosody_custom_script_path }}/invite_from_muc.pfw" }' + - 'firewall_scripts = { "{{ prosody_community_modules_path }}/mod_firewall/scripts/spam-blocking.pfw", "{{ prosody_installer_plugin_path }}/servers_blocklist.pfw", "{{ prosody_installer_plugin_path }}/users_blocklist.pfw", "{{ prosody_installer_plugin_path }}/invite_from_muc.pfw" }' # spam-blocking.pfw is the default Prosody one, needed by the two following - name: 'http_altconnect' diff --git a/tasks/firewall.yml b/tasks/firewall.yml index fea7f6e..7862a0c 100644 --- a/tasks/firewall.yml +++ b/tasks/firewall.yml @@ -2,7 +2,7 @@ - name: '[Firewall] - Make sure that script directory exists' file: - path: "{{ prosody_custom_script_path }}" + path: "{{ prosody_installer_plugin_path }}" state: directory owner: root group: prosody @@ -11,7 +11,7 @@ - name: '[Firewall] - Deploy Firewall scripts' template: src: "etc/prosody/custom_scripts/{{ item }}.j2" - dest: "{{ prosody_custom_script_path }}/{{ item }}" + dest: "{{ prosody_installer_plugin_path }}/{{ item }}" owner: root group: prosody mode: 0644 @@ -24,7 +24,7 @@ - name: '[Firewall] - Deploy Firewall lists' template: src: "etc/prosody/custom_scripts/{{ item }}.j2" - dest: "{{ prosody_custom_script_path }}/{{ item }}" + dest: "{{ prosody_installer_plugin_path }}/{{ item }}" owner: root group: prosody mode: 0644 diff --git a/templates/etc/prosody/conf.d/bosh.cfg.lua.j2 b/templates/etc/prosody/conf.d/bosh.cfg.lua.j2 index 93baba3..28c7a41 100644 --- a/templates/etc/prosody/conf.d/bosh.cfg.lua.j2 +++ b/templates/etc/prosody/conf.d/bosh.cfg.lua.j2 @@ -1,10 +1,8 @@ -- {{ ansible_managed }} --BOSH setting -bosh_ports = { {{ prosody_bosh_ports }} } bosh_max_inactivity = {{ prosody_bosh_max_inactivity }} consider_bosh_secure = {{ prosody_bosh_secure }} -- Use if proxying HTTPS->HTTP on the server side -cross_domain_bosh = {{ prosody_bosh_cross_domain }} -- Allow access from scripts on any site with no proxy (requires a modern browser) ssl = { key = "{{ prosody_ssl_key }}"; diff --git a/templates/etc/prosody/conf.d/custom_component.cfg.lua.j2 b/templates/etc/prosody/conf.d/custom_component.cfg.lua.j2 index 30250e7..7d78079 100644 --- a/templates/etc/prosody/conf.d/custom_component.cfg.lua.j2 +++ b/templates/etc/prosody/conf.d/custom_component.cfg.lua.j2 @@ -1,5 +1,10 @@ -- {{ ansible_managed }} +------ Components ------ +-- You can specify components to add hosts that provide special services, +-- like multi-user conferences, and transports. +-- For more information on components, see https://prosody.im/doc/components + Component "{{ item.name }}" component_secret = "{{ item.secret }}" diff --git a/templates/etc/prosody/conf.d/http_file_share.cfg.lua.j2 b/templates/etc/prosody/conf.d/http_file_share.cfg.lua.j2 index d160d17..aa59607 100644 --- a/templates/etc/prosody/conf.d/http_file_share.cfg.lua.j2 +++ b/templates/etc/prosody/conf.d/http_file_share.cfg.lua.j2 @@ -3,10 +3,6 @@ -- Component config for http_file_share Component "{{ prosody_http_file_share_component }}" "http_file_share" -http_file_share_size_limit = {{ prosody_http_file_share_size_limit }} -http_file_share_daily_quota = {{ prosody_http_file_share_daily_quota }} -http_file_share_global_quota = {{ prosody_http_file_share_global_quota }} -http_file_share_expires_after = {{ prosody_http_file_share_expires_after }} -http_file_share_allowed_file_types = {{ prosody_http_file_share_allowed_file_types }} -http_file_share_safe_file_types = {{ prosody_http_file_share_safe_file_types }} -http_file_share_access = {{ prosody_http_file_share_access }} +{% for item in prosody_http_file_share_options %} +{{ item.name }} = {{ item.value }} -- {{ item.description }} +{% endfor %} diff --git a/templates/etc/prosody/custom_scripts/servers_blocklist.pfw.j2 b/templates/etc/prosody/custom_scripts/servers_blocklist.pfw.j2 index a752363..4418f94 100644 --- a/templates/etc/prosody/custom_scripts/servers_blocklist.pfw.j2 +++ b/templates/etc/prosody/custom_scripts/servers_blocklist.pfw.j2 @@ -3,7 +3,7 @@ # rules will be checked against the blocklist.txt file # Check mod_firewall/scripts/spam-blocking.pfw -%LIST blocklist: file:{{ prosody_custom_script_path }}/servers_blocklist.txt +%LIST blocklist: file:{{ prosody_installer_plugin_path }}/servers_blocklist.txt ::user/spam_handle_unknown_custom diff --git a/templates/etc/prosody/custom_scripts/users_blocklist.pfw.j2 b/templates/etc/prosody/custom_scripts/users_blocklist.pfw.j2 index 49f5219..babffda 100644 --- a/templates/etc/prosody/custom_scripts/users_blocklist.pfw.j2 +++ b/templates/etc/prosody/custom_scripts/users_blocklist.pfw.j2 @@ -3,7 +3,7 @@ # rules will be checked against the blocklist.txt file # Check mod_firewall/scripts/spam-blocking.pfw -%LIST blocklist: file:{{ prosody_custom_script_path }}/users_blocklist.txt +%LIST blocklist: file:{{ prosody_installer_plugin_path }}/users_blocklist.txt ::user/spam_handle_unknown_custom diff --git a/templates/etc/prosody/prosody.cfg.lua.j2 b/templates/etc/prosody/prosody.cfg.lua.j2 index 38d0fd0..dd187b1 100644 --- a/templates/etc/prosody/prosody.cfg.lua.j2 +++ b/templates/etc/prosody/prosody.cfg.lua.j2 @@ -3,7 +3,7 @@ -- Prosody Example Configuration File -- -- Information on configuring Prosody can be found on our --- website at http://prosody.im/doc/configure +-- website at https://prosody.im/doc/configure -- -- Tip: You can check that the syntax of this file is correct -- when you have finished by running this command: @@ -21,7 +21,7 @@ -- This is a (by default, empty) list of accounts that are admins -- for the server. Note that you must create the accounts separately --- (see http://prosody.im/doc/creating_accounts for info) +-- (see https://prosody.im/doc/creating_accounts for info) -- Example: admins = { "user1@example.com", "user2@example.net" } admins = { {{ prosody_admins }} } @@ -35,24 +35,34 @@ contact_info = { {{ prosody_contact_info }} } http_host = "{{ prosody_http_host }}" http_external_url = "{{ prosody_http_external_url }}" +http_ports = "{{ prosody_http_ports }}" +http_interfaces = { "{{ prosody_http_interfaces }}" } +http_paths = { +{% for item in prosody_http_paths %} + {{ item.name }} = "{{ item.path }}"; +{% endfor %} + } + +-- See https://prosody.im/doc/configure c2s_direct_tls_ports = { {{ prosody_c2s_direct_tls_ports }} } s2s_direct_tls_ports = { {{ prosody_s2s_direct_tls_ports }} } -- Enable use of libevent for better performance under high load --- For more information see: http://prosody.im/doc/libevent +-- For more information see: https://prosody.im/doc/libevent network_backend = "{{ prosody_network_backend }}" --- Prosody will always look in its source directory for modules, but --- this option allows you to specify additional locations where Prosody --- will look for modules first. For community modules, see https://modules.prosody.im/ +-- These paths are searched in the order specified, and before the default path plugin_paths = { "{{ prosody_core_modules_path }}","{{ prosody_community_modules_path }}" } --- Single directory for custom prosody plugins and/or Lua libraries installation --- This path takes priority over plugin_paths, when prosody is searching for modules -installer_plugin_path = "{{ prosody_custom_script_path }}" +-- Prosody Plugin Installer +-- CHeck https://prosody.im/doc/plugin_installer +-- By default plugins are installed into a directory custom_plugins under the data path. It can be customized by setting +plugin_server = "https://modules.prosody.im/rocks/" +installer_plugin_path = "{{ prosody_installer_plugin_path }}" +-- This path MUST be readable by the user Prosody runs as, and should be writable for prosodyctl install to work. +-- The installer path does not need to be added to plugin_paths. -- This is the list of modules Prosody will load on startup. --- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too. -- Documentation for bundled modules can be found at: https://prosody.im/doc/modules modules_enabled = { @@ -61,7 +71,7 @@ modules_enabled = { "{{ item.name }}"; -- {{ item.description }} {% endif %} {% endfor %} -}; +} -- These modules are auto-loaded, but should you want -- to disable them then uncomment them here: @@ -75,9 +85,22 @@ modules_disabled = { }; -- Disable account creation by default, for security --- For more information see http://prosody.im/doc/creating_accounts +-- For more information see https://prosody.im/doc/creating_accounts allow_registration = {{ prosody_allow_registration }}; +-- Rate limits +-- Enable rate limits for incoming client and server connections. These help +-- protect from excessive resource consumption and denial-of-service attacks. + +limits = { + c2s = { + rate = "10kb/s"; + }; + s2sin = { + rate = "30kb/s"; + }; +} + -- Debian: -- Please, don't change this option since /var/run/prosody/ -- is one of the few directories Prosody is allowed to write to @@ -89,6 +112,7 @@ pidfile = "/var/run/prosody/prosody.pid"; c2s_require_encryption = {{ prosody_c2s_encryption }} +-- See https://prosody.im/doc/modules/mod_c2s c2s_stanza_size_limit = {{ prosody_c2s_stanza_size_limit }} -- 256 * 1024 -- 256kb -- Force servers to use encrypted connections? This option will @@ -96,33 +120,35 @@ c2s_stanza_size_limit = {{ prosody_c2s_stanza_size_limit }} -- 256 * 1024 -- 256 s2s_require_encryption = {{ prosody_s2s_encryption }} --- Force certificate authentication for server-to-server connections? +-- Server-to-server authentication +-- Require valid certificates for server-to-server connections? +-- If false, other methods such as dialback (DNS) may be used instead. s2s_secure_auth = {{ prosody_s2s_auth }} -- Some servers have invalid or self-signed certificates. You can list -- remote domains here that will not be required to authenticate using --- certificates. They will be authenticated using DNS instead, even --- when s2s_secure_auth is enabled. +-- certificates. They will be authenticated using other methods instead, +-- even when s2s_secure_auth is enabled. {% if prosody_insecure_domains is defined %} s2s_insecure_domains = { "{{ prosody_insecure_domains }}" } {% endif %} --- Even if you leave s2s_secure_auth disabled, you can still require valid +-- Even if you disable s2s_secure_auth, you can still require valid -- certificates for some domains by specifying a list here. --s2s_secure_domains = { "{{ prosody_secure_domains }}" } +-- See https://prosody.im/doc/s2s s2s_stanza_size_limit = {{ prosody_s2s_stanza_size_limit }} -- 512 * 1000 -- 512kb - +-- Storage -- Select the storage backend to use. By default Prosody uses flat files -- in its configured data directory, but it also supports more backends -- through modules. An "sql" backend is included by default, but requires --- additional dependencies. See http://prosody.im/doc/storage for more info. +-- additional dependencies. See https://prosody.im/doc/storage for more info. ---storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the --- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work) +--storage = "sql" -- Default is "internal" storage = "{{ prosody_storage }}" {% if prosody_storage == 'sql' %} @@ -138,13 +164,21 @@ sql = { driver = "{{ prosody_sql_driver }}", database = "{{ prosody_sql_database {% endif %} {% endif %} +-- Archiving configuration +-- If mod_mam is enabled, Prosody will store a copy of every message. This +-- is used to synchronize conversations between multiple clients, even if +-- they are offline. This setting controls how long Prosody will keep +-- messages in the archive before removing them. + +archive_expires_after = "{{ prosody_archive_expires_after }}" -- Remove archived messages after X weeks or months + -- You can also configure messages to be stored in-memory only. For more -- archiving options, see https://prosody.im/doc/modules/mod_mam -- Logging configuration --- For advanced logging see http://prosody.im/doc/logging +-- For advanced logging see https://prosody.im/doc/logging log = { - -- Log files (change 'info' to 'debug' for debug logs): + -- Log files: {{ prosody_loglevel }} = "{{ prosody_log_path }}"; -- Change 'info' to 'debug' for verbose logging error = "{{ prosody_err_log }}"; -- "*syslog"; -- Uncomment this for logging to syslog @@ -169,9 +203,6 @@ statistics = "{{ prosody_statistics }}" -- Location of directory to find certificates in (relative to main config file): certificates = "{{ prosody_certificates }}" --- HTTPS currently only supports a single certificate, specify it here: ---https_certificate = "certs/localhost.crt" - {% if prosody_component_interface is defined %} {% for item in prosody_component_interface %} -- Prosody external component ports