From: Ralf Jung Date: Sun, 15 Apr 2018 15:32:35 +0000 (+0200) Subject: add prosody config X-Git-Url: https://git.ralfj.de/ansible.git/commitdiff_plain/a7dc7d2358f720bc87db3a9a82738d04cddded89?ds=inline;hp=d472ee9713d21c5d718b320cc65cabe63aab0249 add prosody config --- diff --git a/jabber.yml b/jabber.yml new file mode 100644 index 0000000..665c29d --- /dev/null +++ b/jabber.yml @@ -0,0 +1,3 @@ +- hosts: prosody + roles: + - prosody diff --git a/roles/prosody/defaults/main.yml b/roles/prosody/defaults/main.yml new file mode 100644 index 0000000..9fc3074 --- /dev/null +++ b/roles/prosody/defaults/main.yml @@ -0,0 +1,4 @@ +prosody: + paths: + modules: /var/lib/prosody/modules + dh2048: /etc/ssl/dh2048.pem diff --git a/roles/prosody/handlers/main.yml b/roles/prosody/handlers/main.yml new file mode 100644 index 0000000..9a9db71 --- /dev/null +++ b/roles/prosody/handlers/main.yml @@ -0,0 +1,4 @@ +- name: prosody + service: name=prosody state=restarted enabled=yes +- name: apache + service: name=apache2 state=restarted enabled=yes diff --git a/roles/prosody/tasks/main.yml b/roles/prosody/tasks/main.yml new file mode 100644 index 0000000..96ed980 --- /dev/null +++ b/roles/prosody/tasks/main.yml @@ -0,0 +1,21 @@ +# install +- name: install prosody + apt: name=prosody state=latest default_release={{ansible_distribution_release}}-backports +- name: fetch prosody modules + hg: + dest: "{{ prosody.paths.modules }}" + repo: 'https://hg.prosody.im/prosody-modules/' + version: default + notify: prosody +# configure +- name: configure prosody + template: + dest: /etc/prosody/prosody.cfg.lua + src: templates/prosody.cfg.lua + notify: prosody +- name: configure apache + when: inventory_hostname in groups['apache'] + template: + dest: /etc/apache2/sites-available/{{ prosody.host }}.conf + src: templates/apache-site.conf + notify: apache diff --git a/roles/prosody/templates/apache-site.conf b/roles/prosody/templates/apache-site.conf new file mode 100644 index 0000000..e54d558 --- /dev/null +++ b/roles/prosody/templates/apache-site.conf @@ -0,0 +1,10 @@ +Use HTTP2HTTPS {{ prosody.host }} + + ServerName {{ prosody.host }} + Use SSL letsencrypt/live + + # Reverse proxy configuration + ProxyPass /.well-known/acme-challenge/ ! + ProxyPass / http://127.0.0.1:5280/ + ProxyPassReverse / http://127.0.0.1:5280/ + diff --git a/roles/prosody/templates/prosody.cfg.lua b/roles/prosody/templates/prosody.cfg.lua new file mode 100644 index 0000000..86c4449 --- /dev/null +++ b/roles/prosody/templates/prosody.cfg.lua @@ -0,0 +1,250 @@ +-- Prosody Configuration File +-- +-- Information on configuring Prosody can be found on our +-- website at https://prosody.im/doc/configure +-- +-- Tip: You can check that the syntax of this file is correct +-- when you have finished by running this command: +-- prosodyctl check config +-- If there are any errors, it will let you know what and where +-- they are, otherwise it will keep quiet. +-- +-- The only thing left to do is rename this file to remove the .dist ending, and fill in the +-- blanks. Good luck, and happy Jabbering! + + +---------- Server-wide settings ---------- +-- Settings in this section apply to the whole server and are the default settings +-- for any virtual hosts + +-- This is a (by default, empty) list of accounts that are admins +-- for the server. Note that you must create the accounts separately +-- (see https://prosody.im/doc/creating_accounts for info) +-- Example: admins = { "user1@example.com", "user2@example.net" } +admins = { + {% for item in prosody.admins %} + "{{ item }}", + {% endfor %} +} + +-- Enable use of libevent for better performance under high load +-- For more information see: https://prosody.im/doc/libevent +--use_libevent = true + +-- Prosody will always look in its source directory for modules, but +-- this option allows you to specify additional locations where Prosody +-- will look for modules first. For community modules, see https://modules.prosody.im/ +plugin_paths = { "{{ prosody.paths.modules }}" } + +-- This is the list of modules Prosody will load on startup. +-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too. +-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules +modules_enabled = { + + -- Generally required + "roster"; -- Allow users to have a roster. Recommended ;) + "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in. + "tls"; -- Add support for secure TLS on c2s/s2s connections + "dialback"; -- s2s dialback support + "disco"; -- Service discovery + + -- Not essential, but recommended + "carbons"; -- Keep multiple clients in sync + "pep"; -- Enables users to publish their mood, activity, playing music and more + "private"; -- Private XML storage (for room bookmarks, etc.) + "blocklist"; -- Allow users to block communications with other users + "vcard"; -- Allow users to set vCards + + -- Nice to have + "version"; -- Replies to server version requests + "uptime"; -- Report how long server has been running + "time"; -- Let others know the time here on this server + "ping"; -- Replies to XMPP pings with pongs + "register"; -- Allow users to register on this server using a client and change passwords + "mam"; -- Store messages in an archive and allow users to access it + + -- Admin interfaces + "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands + --"admin_telnet"; -- Opens telnet console interface on localhost port 5582 + + -- HTTP modules + --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP" + --"websocket"; -- XMPP over WebSockets + --"http_files"; -- Serve static files from a directory over HTTP + + -- Other specific functionality + --"limits"; -- Enable bandwidth limiting for XMPP connections + --"groups"; -- Shared roster support + --"server_contact_info"; -- Publish contact information for this service + "announce"; -- Send announcement to all online users + --"welcome"; -- Welcome users who register accounts + "watchregistrations"; -- Alert admins of registrations + --"motd"; -- Send a message to users when they log in + --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots. + --"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use + + -- Community modules + "smacks"; -- XEP-0198: Stream Management + "csi"; "filter_chatstates"; "throttle_presence"; -- XEP-0352: Client State Indication + "http_upload"; -- XEP-0363: HTTP File Upload + "register_web"; -- what it says on the tin +}; + +-- These modules are auto-loaded, but should you want +-- to disable them then uncomment them here: +modules_disabled = { + -- "offline"; -- Store offline messages + -- "c2s"; -- Handle client connections + -- "s2s"; -- Handle server-to-server connections + -- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc. +}; +-- Disable account creation by default, for security +-- For more information see https://prosody.im/doc/creating_accounts +allow_registration = false + +-- Debian: +-- send the server to background. +-- +daemonize = true + +-- Debian: +-- Please, don't change this option since /var/run/prosody/ +-- is one of the few directories Prosody is allowed to write to +-- +pidfile = "/var/run/prosody/prosody.pid" + +-- These are the SSL/TLS-related settings. If you don't want +-- to use SSL/TLS, you may comment or remove this +ssl = { + key = "/etc/ssl/private/letsencrypt/live.key"; + certificate = "/etc/ssl/mycerts/letsencrypt/live.crt+chain"; + ciphers = "ALL:!EXPORT:!LOW:!MEDIUM:!aNULL:!3DES"; + dhparam = "{{ prosody.paths.dh2048 }}"; +} +-- support legacy clients +legacy_ssl_ports = { 5223 } + +-- Force clients to use encrypted connections? This option will +-- prevent clients from authenticating unless they are using encryption. + +c2s_require_encryption = true + +-- Force servers to use encrypted connections? This option will +-- prevent servers from authenticating unless they are using encryption. +-- Note that this is different from authentication + +s2s_require_encryption = true + +-- Force certificate authentication for server-to-server connections? +-- This provides ideal security, but requires servers you communicate +-- with to support encryption AND present valid, trusted certificates. +-- NOTE: Your version of LuaSec must support certificate verification! +-- For more information see https://prosody.im/doc/s2s#security + +s2s_secure_auth = false + +-- Some servers have invalid or self-signed certificates. You can list +-- remote domains here that will not be required to authenticate using +-- certificates. They will be authenticated using DNS instead, even +-- when s2s_secure_auth is enabled. +-- However, if require_encryption is enabled, these hosts will still have +-- to use (unauthenticated) encryption. + +s2s_insecure_domains = { "gmail.com"; "googlemail.com" } + +-- Even if you leave s2s_secure_auth disabled, you can still require valid +-- certificates for some domains by specifying a list here. + +-- s2s_secure_domains = { "jabber.org" } + +-- Select the authentication backend to use. The 'internal' providers +-- use Prosody's configured data storage to store the authentication data. +-- To allow Prosody to offer secure authentication mechanisms to clients, the +-- default provider stores passwords in plaintext. If you do not trust your +-- server please see https://prosody.im/doc/modules/mod_auth_internal_hashed +-- for information about using the hashed backend. + +authentication = "internal_hashed" + +-- Select the storage backend to use. By default Prosody uses flat files +-- in its configured data directory, but it also supports more backends +-- through modules. An "sql" backend is included by default, but requires +-- additional dependencies. See https://prosody.im/doc/storage for more info. + +--storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the +-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work) + +-- For the "sql" backend, you can uncomment *one* of the below to configure: +--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename. +--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" } +--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" } + + +-- Archiving configuration +-- If mod_mam is enabled, Prosody will store a copy of every message. This +-- is used to synchronize conversations between multiple clients, even if +-- they are offline. This setting controls how long Prosody will keep +-- messages in the archive before removing them. + +archive_expires_after = "1w" -- Remove archived messages after 1 week + +-- You can also configure messages to be stored in-memory only. For more +-- archiving options, see https://prosody.im/doc/modules/mod_mam + + +-- Logging configuration +-- For advanced logging see https://prosody.im/doc/logging +-- +-- Debian: +-- Logs info and higher to /var/log +-- Logs errors to syslog also +log = { + -- Log files (change 'info' to 'debug' for debug logs): + warn = "/var/log/prosody/prosody.log"; + error = "/var/log/prosody/prosody.err"; + -- Syslog: + { levels = { "error" }; to = "syslog"; }; +} + +-- Registration notification +registration_watchers = admins + +-- Set up HTTP +http_default_host = "{{ prosody.host }}" + +http_upload_file_size_limit = 5 * 1024 * 1024 +http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds +http_upload_quota = 50 * 1024 * 1024 + +----------- Virtual hosts ----------- +-- You need to add a VirtualHost entry for each domain you wish Prosody to serve. +-- Settings under each VirtualHost entry apply *only* to that host. + +VirtualHost "{{ prosody.host }}" + +------ Components ------ +-- You can specify components to add hosts that provide special services, +-- like multi-user conferences, and transports. +-- For more information on components, see https://prosody.im/doc/components + +---Set up a MUC (multi-user chat) room server on conference.example.com: +Component "conference.{{ prosody.host }}" "muc" + +-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers: +Component "proxy.{{ prosody.host }}" "proxy65" + +---Set up an external component (default component port is 5347) +-- +-- External components allow adding various services, such as gateways/ +-- transports to other networks like ICQ, MSN and Yahoo. For more info +-- see: https://prosody.im/doc/components#adding_an_external_component +-- +--Component "gateway.example.com" +-- component_secret = "password" + +------ Additional config files ------ +-- For organizational purposes you may prefer to add VirtualHost and +-- Component definitions in their own config files. This line includes +-- all config files in /etc/prosody/conf.d/ + +--Include "conf.d/*.cfg.lua" diff --git a/site.yml b/site.yml index 43a2bb2..a9e8916 100644 --- a/site.yml +++ b/site.yml @@ -2,3 +2,4 @@ - import_playbook: upgrade.yml - import_playbook: email.yml - import_playbook: web.yml +- import_playbook: jabber.yml