2022-09-06 21:37:22 +02:00
12 changed files with 114 additions and 72 deletions
--- a/2
+++ b/2
@ -8,7 +8,7 @@
 Vagrant.configure("2") do |config|
  #config.ssh.insert_key = false
  config.vm.define "prosody" do |prosody|
-    prosody.vm.box = "generic/debian10"
+    prosody.vm.box = "generic/debian11"
    prosody.vm.provider :libvirt do |libvirt|
      libvirt.memory = 256
    end
--- a/defaults/bosh.yml
+++ b/defaults/bosh.yml
@ -1,8 +1,6 @@
 ## BOSH
 prosody_bosh_enabled: 'true' # used in configure.yml
-prosody_bosh_ports: '5281, 5280 '
 prosody_bosh_max_inactivity: '60'
 prosody_bosh_secure: 'true'
-prosody_bosh_cross_domain: 'true'
 prosody_ssl_key: '/path/to/key'
 prosody_ssl_cert: '/path/to/cert'
--- a/defaults/http_file_share.yml
+++ b/defaults/http_file_share.yml
@ -2,10 +2,25 @@
 prosody_http_file_share_enabled: 'true'

 prosody_http_file_share_component: 'upload.example.org'
-prosody_http_file_share_size_limit: "10*1024*1024"
-prosody_http_file_share_daily_quota: "100*1024*1024 -- 100 MiB per day per user"
-prosody_http_file_share_global_quota: "1024*1024*1024 -- 1 GiB total"
-prosody_http_file_share_expires_after: "7 * 86400 -- 1 week"
-prosody_http_file_share_allowed_file_types: "{} -- Access control"
-prosody_http_file_share_safe_file_types: '{"image/*","video/*","audio/*","text/plain"} -- Safe to show in-line in e.g. browsers'
-prosody_http_file_share_access: "{} -- Access control"
+prosody_http_file_share_options:
+  - name: 'http_file_share_size_limit'
+    value: '10*1024*1024'
+    description: '10MB file upload limit'
+  - name: 'http_file_share_daily_quota'
+    value: '100*1024*1024'
+    description: '100 MiB per day per user'
+  - name: 'http_file_share_global_quota'
+    value: '1024*1024*1024'
+    description: '1 GiB total'
+  - name: 'http_file_share_expires_after'
+    value: '7 * 86400'
+    description: '1 week'
+  - name: 'http_file_share_allowed_file_types'
+    value: '{}'
+    description: 'Access control'
+  - name: 'http_file_share_safe_file_types'
+    value: '{"image/*","video/*","audio/*","text/plain"}'
+    description: 'Safe to show in-line in e.g. browsers'
+  - name: 'http_file_share_access'
+    value: '{}'
+    description: 'Access control'
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -8,13 +8,12 @@ prosody_contact_info: "'support@example.org'"
 prosody_abuse_info: "'abuse@example.org'"
 prosody_core_modules_path: "/usr/lib/prosody/modules/"
 prosody_community_modules_path: "/usr/lib/prosody-modules"
-prosody_custom_script_path: '/etc/prosody/custom_scripts'
+prosody_installer_plugin_path: '/etc/prosody/custom_scripts'
 prosody_statistics: ''
 prosody_direct_tls_ports: 5223
 prosody_c2s_direct_tls_ports: 5223
 prosody_s2s_direct_tls_ports: 5269

-
 firewall_module_enabled: 'true'

 ## Firewall: list here what you want to block
@ -42,6 +41,16 @@ prosody_storage: 'internal'
 prosody_network_backend: "epoll"
 prosody_http_host: "example.org"
 prosody_http_external_url: "https://example.org"
+prosody_http_interfaces: '*'
+prosody_http_ports: '5281, 5280 '
+prosody_http_paths:
+  - name: 'files'
+    path: '/files/'
+  - name: 'bosh'
+    path: '/http-bind'
+  - name: 'file_share'
+    path: '/upload'
+prosody_archive_expires_after: '1w'

 #If using sql storage
 prosody_sql_driver: 'SQLite3' #  postgresql sqlite3 or mysql
--- a/defaults/mod.yml
+++ b/defaults/mod.yml
@ -110,6 +110,10 @@ prosody_modules:
  - name: 'admin_adhoc'
    description: 'Allows administration via an XMPP client that supports ad-hoc commands'
    module_enabled: 'true'
+  
+  - name: 'admin_shell'
+    description: 'Allows administration via command shell'
+    module_enabled: 'true'

  - name: 'bosh'
    description: 'Enable BOSH clients'
@ -120,7 +124,6 @@ prosody_modules:
    module_enabled: 'true'
    extra_options:
      - 'consider_websocket_secure = true'
-      - 'cross_domain_websocket = true'

  - name: 'posix'
    description: 'POSIX functionality, sends server to background, enables syslog, etc.'
@ -128,18 +131,7 @@ prosody_modules:

  - name: 'limits'
    description: 'Enable bandwidth limiting for XMPP connections.'
-    module_enabled: 'false'
-    extra_options:
-      - 'limits = {'
-      -   'c2s = {'
-      -      'rate = "10kb/s";'
-      -      'burst = "2s";'
-      -      '};'
-      -      's2sin = {'
-      -        'rate = "30kb/s";'
-      -      'burst = "2s";'
-      -      '};'
-      -    '}'
+    module_enabled: 'true'

  - name: 'groups'
    description: 'Shared roster support.'
@ -181,7 +173,6 @@ prosody_modules:
    module_enabled: 'true'
    extra_options:
      - 'max_archive_query_results = 50;'
-      - 'archive_expires_after = "6m"; -- six months'
      - 'default_archive_policy = true; -- default'
      - 'archive_cleanup_interval = 3600*24 -- how often it checks if there are messages older than archive_expires_after. In seconds.'

@ -239,20 +230,19 @@ prosody_modules:
      - 'support = { "mailto:{{ prosody_contact_info }}", "xmpp:{{ prosody_contact_info }}" };'
      - '};'

-  - name: 'turncredentials'
-    description: 'Setup turnserver for viop'
+  - name: 'turn_external'
+    description: 'Audio/video call relay (STUN/TURN)'
    module_enabled: 'false'
    extra_options:
-      - 'turncredentials_secret = mysecret'
-      - 'turncredentials_host = turn.example.com'
-      - 'turncredentials_port = 3478'
-      - 'turncredentials_ttl = 86400;'
+      - 'turn_external_host = mysecret'
+      - 'turn_external_host = turn.example.com'
+      - 'turn_external_port = 3478'

  - name: 'firewall'
    description: 'Can efficiently block, bounce, drop, forward, copy, redirect stanzas and more.'
    module_enabled: '{{ firewall_module_enabled }}'
    extra_options:
-      - 'firewall_scripts = { "{{ prosody_community_modules_path }}/mod_firewall/scripts/spam-blocking.pfw", "{{ prosody_custom_script_path }}/servers_blocklist.pfw", "{{ prosody_custom_script_path }}/users_blocklist.pfw", "{{ prosody_custom_script_path }}/invite_from_muc.pfw" }'
+      - 'firewall_scripts = { "{{ prosody_community_modules_path }}/mod_firewall/scripts/spam-blocking.pfw", "{{ prosody_installer_plugin_path }}/servers_blocklist.pfw", "{{ prosody_installer_plugin_path }}/users_blocklist.pfw", "{{ prosody_installer_plugin_path }}/invite_from_muc.pfw" }'
 # spam-blocking.pfw is the default Prosody one, needed by the two following

  - name: 'http_altconnect'
--- a/tasks/firewall.yml
+++ b/tasks/firewall.yml
@ -2,7 +2,7 @@

 - name: '[Firewall] - Make sure that script directory exists'
  file:
-    path: "{{ prosody_custom_script_path }}"
+    path: "{{ prosody_installer_plugin_path }}"
    state: directory
    owner: root
    group: prosody
@ -11,7 +11,7 @@
 - name: '[Firewall] - Deploy Firewall scripts'
  template:
    src: "etc/prosody/custom_scripts/{{ item }}.j2"
-    dest: "{{ prosody_custom_script_path }}/{{ item }}"
+    dest: "{{ prosody_installer_plugin_path }}/{{ item }}"
    owner: root
    group: prosody
    mode: 0644
@ -24,7 +24,7 @@
 - name: '[Firewall] - Deploy Firewall lists'
  template:
    src: "etc/prosody/custom_scripts/{{ item }}.j2"
-    dest: "{{ prosody_custom_script_path }}/{{ item }}"
+    dest: "{{ prosody_installer_plugin_path }}/{{ item }}"
    owner: root
    group: prosody
    mode: 0644
--- a/templates/etc/prosody/conf.d/bosh.cfg.lua.j2
+++ b/templates/etc/prosody/conf.d/bosh.cfg.lua.j2
@ -1,10 +1,8 @@
 -- {{ ansible_managed }}

 --BOSH setting
-bosh_ports = { {{ prosody_bosh_ports }} }
 bosh_max_inactivity = {{ prosody_bosh_max_inactivity }}
 consider_bosh_secure = {{ prosody_bosh_secure }} -- Use if proxying HTTPS->HTTP on the server side
-cross_domain_bosh = {{ prosody_bosh_cross_domain }} -- Allow access from scripts on any site with no proxy (requires a modern browser)

 ssl = {
    key = "{{ prosody_ssl_key }}";
--- a/templates/etc/prosody/conf.d/custom_component.cfg.lua.j2
+++ b/templates/etc/prosody/conf.d/custom_component.cfg.lua.j2
@ -1,5 +1,10 @@
 -- {{ ansible_managed }}

+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
 Component "{{ item.name }}"
  component_secret = "{{ item.secret }}"

--- a/templates/etc/prosody/conf.d/http_file_share.cfg.lua.j2
+++ b/templates/etc/prosody/conf.d/http_file_share.cfg.lua.j2
@ -3,10 +3,6 @@
 -- Component config for http_file_share
 Component "{{ prosody_http_file_share_component }}" "http_file_share"

-http_file_share_size_limit = {{ prosody_http_file_share_size_limit }}
-http_file_share_daily_quota = {{ prosody_http_file_share_daily_quota }}
-http_file_share_global_quota = {{ prosody_http_file_share_global_quota }}
-http_file_share_expires_after = {{ prosody_http_file_share_expires_after }}
-http_file_share_allowed_file_types = {{ prosody_http_file_share_allowed_file_types }}
-http_file_share_safe_file_types = {{ prosody_http_file_share_safe_file_types }}
-http_file_share_access = {{ prosody_http_file_share_access }}
+{% for item in prosody_http_file_share_options %}
+{{ item.name }} = {{ item.value }} -- {{ item.description }}
+{% endfor %}
--- a/templates/etc/prosody/custom_scripts/servers_blocklist.pfw.j2
+++ b/templates/etc/prosody/custom_scripts/servers_blocklist.pfw.j2
@ -3,7 +3,7 @@
 # rules will be checked against the blocklist.txt file
 # Check mod_firewall/scripts/spam-blocking.pfw

-%LIST blocklist: file:{{ prosody_custom_script_path }}/servers_blocklist.txt
+%LIST blocklist: file:{{ prosody_installer_plugin_path }}/servers_blocklist.txt

 ::user/spam_handle_unknown_custom

--- a/templates/etc/prosody/custom_scripts/users_blocklist.pfw.j2
+++ b/templates/etc/prosody/custom_scripts/users_blocklist.pfw.j2
@ -3,7 +3,7 @@
 # rules will be checked against the blocklist.txt file
 # Check mod_firewall/scripts/spam-blocking.pfw

-%LIST blocklist: file:{{ prosody_custom_script_path }}/users_blocklist.txt
+%LIST blocklist: file:{{ prosody_installer_plugin_path }}/users_blocklist.txt

 ::user/spam_handle_unknown_custom

--- a/templates/etc/prosody/prosody.cfg.lua.j2
+++ b/templates/etc/prosody/prosody.cfg.lua.j2
@ -3,7 +3,7 @@
 -- Prosody Example Configuration File
 --
 -- Information on configuring Prosody can be found on our
-- website at http://prosody.im/doc/configure
+-- website at https://prosody.im/doc/configure
 --
 -- Tip: You can check that the syntax of this file is correct
 -- when you have finished by running this command:
@ -21,7 +21,7 @@

 -- This is a (by default, empty) list of accounts that are admins
 -- for the server. Note that you must create the accounts separately
-- (see http://prosody.im/doc/creating_accounts for info)
+-- (see https://prosody.im/doc/creating_accounts for info)
 -- Example: admins = { "user1@example.com", "user2@example.net" }
 admins = { {{ prosody_admins }} }

@ -35,24 +35,34 @@ contact_info = { {{ prosody_contact_info }} }

 http_host = "{{ prosody_http_host }}"
 http_external_url = "{{ prosody_http_external_url }}"
+http_ports = "{{ prosody_http_ports }}"
+http_interfaces = { "{{ prosody_http_interfaces }}" }
+http_paths = {
+{% for item in prosody_http_paths %}
+  {{ item.name }} = "{{ item.path }}";
+{% endfor %}
+  }
+
+-- See https://prosody.im/doc/configure
 c2s_direct_tls_ports = { {{ prosody_c2s_direct_tls_ports }} }
 s2s_direct_tls_ports = { {{ prosody_s2s_direct_tls_ports }} }

 -- Enable use of libevent for better performance under high load
-- For more information see: http://prosody.im/doc/libevent
+-- For more information see: https://prosody.im/doc/libevent
 network_backend = "{{ prosody_network_backend }}"

-- Prosody will always look in its source directory for modules, but
-- this option allows you to specify additional locations where Prosody
-- will look for modules first. For community modules, see https://modules.prosody.im/
+-- These paths are searched in the order specified, and before the default path
 plugin_paths = { "{{ prosody_core_modules_path }}","{{ prosody_community_modules_path }}" }

-- Single directory for custom prosody plugins and/or Lua libraries installation
-- This path takes priority over plugin_paths, when prosody is searching for modules
-installer_plugin_path = "{{ prosody_custom_script_path }}"
+-- Prosody Plugin Installer
+-- CHeck https://prosody.im/doc/plugin_installer
+-- By default plugins are installed into a directory custom_plugins under the data path. It can be customized by setting
+plugin_server = "https://modules.prosody.im/rocks/"
+installer_plugin_path = "{{ prosody_installer_plugin_path }}"
+-- This path MUST be readable by the user Prosody runs as, and should be writable for prosodyctl install to work.
+-- The installer path does not need to be added to plugin_paths.

 -- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
 -- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
 modules_enabled = {

@ -61,7 +71,7 @@ modules_enabled = {
    "{{ item.name }}"; -- {{ item.description }}
 {% endif %}
 {% endfor %}
-};
+}

 -- These modules are auto-loaded, but should you want
 -- to disable them then uncomment them here:
@ -75,9 +85,22 @@ modules_disabled = {
 };

 -- Disable account creation by default, for security
-- For more information see http://prosody.im/doc/creating_accounts
+-- For more information see https://prosody.im/doc/creating_accounts
 allow_registration = {{ prosody_allow_registration }};

+-- Rate limits
+-- Enable rate limits for incoming client and server connections. These help
+-- protect from excessive resource consumption and denial-of-service attacks.
+
+limits = {
+	c2s = {
+		rate = "10kb/s";
+	};
+	s2sin = {
+		rate = "30kb/s";
+	};
+}
+
 -- Debian:
 --   Please, don't change this option since /var/run/prosody/
 --   is one of the few directories Prosody is allowed to write to
@ -89,6 +112,7 @@ pidfile = "/var/run/prosody/prosody.pid";

 c2s_require_encryption = {{ prosody_c2s_encryption }}

+-- See https://prosody.im/doc/modules/mod_c2s
 c2s_stanza_size_limit = {{ prosody_c2s_stanza_size_limit }} -- 256 * 1024 -- 256kb

 -- Force servers to use encrypted connections? This option will
@ -96,33 +120,35 @@ c2s_stanza_size_limit = {{ prosody_c2s_stanza_size_limit }} -- 256 * 1024 -- 256

 s2s_require_encryption = {{ prosody_s2s_encryption }}

-- Force certificate authentication for server-to-server connections?
+-- Server-to-server authentication
+-- Require valid certificates for server-to-server connections?
+-- If false, other methods such as dialback (DNS) may be used instead.

 s2s_secure_auth = {{ prosody_s2s_auth }}

 -- Some servers have invalid or self-signed certificates. You can list
 -- remote domains here that will not be required to authenticate using
-- certificates. They will be authenticated using DNS instead, even
-- when s2s_secure_auth is enabled.
+-- certificates. They will be authenticated using other methods instead,
+-- even when s2s_secure_auth is enabled.
 {% if prosody_insecure_domains is defined %}
 s2s_insecure_domains = { "{{ prosody_insecure_domains }}" }
 {% endif %}

-- Even if you leave s2s_secure_auth disabled, you can still require valid
+-- Even if you disable s2s_secure_auth, you can still require valid
 -- certificates for some domains by specifying a list here.

 --s2s_secure_domains = { "{{ prosody_secure_domains }}" }

+-- See https://prosody.im/doc/s2s
 s2s_stanza_size_limit = {{ prosody_s2s_stanza_size_limit }} -- 512 * 1000 -- 512kb

-
+-- Storage
 -- Select the storage backend to use. By default Prosody uses flat files
 -- in its configured data directory, but it also supports more backends
 -- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See http://prosody.im/doc/storage for more info.
+-- additional dependencies. See https://prosody.im/doc/storage for more info.

--storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the
-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work)
+--storage = "sql" -- Default is "internal"

 storage = "{{ prosody_storage }}"
 {% if prosody_storage == 'sql' %}
@ -138,13 +164,21 @@ sql = { driver = "{{ prosody_sql_driver }}", database = "{{ prosody_sql_database
 {% endif %}
 {% endif %}

+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "{{ prosody_archive_expires_after }}" -- Remove archived messages after X weeks or months
+
 -- You can also configure messages to be stored in-memory only. For more
 -- archiving options, see https://prosody.im/doc/modules/mod_mam

 -- Logging configuration
-- For advanced logging see http://prosody.im/doc/logging
+-- For advanced logging see https://prosody.im/doc/logging
 log = {
-    -- Log files (change 'info' to 'debug' for debug logs):
+    -- Log files:
    {{ prosody_loglevel }} = "{{ prosody_log_path }}"; -- Change 'info' to 'debug' for verbose logging
    error = "{{ prosody_err_log }}";
    -- "*syslog"; -- Uncomment this for logging to syslog
@ -169,9 +203,6 @@ statistics = "{{ prosody_statistics }}"
 -- Location of directory to find certificates in (relative to main config file):
 certificates = "{{ prosody_certificates }}"

-- HTTPS currently only supports a single certificate, specify it here:
--https_certificate = "certs/localhost.crt"
-
 {% if prosody_component_interface is defined %}
 {% for item in prosody_component_interface %}
 -- Prosody external component ports