trans13nrv/infrastructure
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: trans13nrv:1229621854ffa389bb16d278bea01e7973c5534f
Branches Tags
trans13nrv:main
trans13nrv:chat-server
...
compare: trans13nrv:5046eae5f51fdce6ee16683dacd90a6dd9c88007
Branches Tags
trans13nrv:main
trans13nrv:chat-server

7 commits
1229621854 ... 5046eae5f5

Author SHA1 Message Date
Floréal Toumikian
5046eae5f5
Added: ejabberd config (WIP) 2024-05-24 18:19:15 +02:00
Floréal Toumikian
afde58b884
Added: DNS zone entries related to XMPP service 2024-05-23 11:56:05 +02:00
Floréal Toumikian
db7fa4b8f7
Added: Nginx configuration & signed X509 certs installation 2024-05-21 14:30:56 +02:00
Floréal Toumikian
e0314da734
Enhancement: Better task structures 2024-05-21 10:42:33 +02:00
Frédéric CAMPO
ff049868e2
First try for ejabberd configuration 2024-05-20 15:04:05 +02:00
Floréal Toumikian
f632971d1c
Added: Chat Server web fronted app installed 2024-05-19 19:37:17 +02:00
Floréal Toumikian
ab7e5d9a47
Added: Playbook for chat server 2024-05-19 17:24:21 +02:00
12 changed files with 1058 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

2
playbooks/01-primary-ns.yaml
View file

@ -38,4 +38,4 @@
- name: Reload bind9 service
ansible.builtin.service:
name: bind9
state: reloaded
state: restarted

78
playbooks/02-xmpp-server.yaml Normal file
View file

@ -0,0 +1,78 @@
- name: Configuration of jabber server
hosts: chatservers
tasks:
- name: Use variables
ansible.builtin.include_vars: vars.yml
- name: Configure ejabber apt sources
ansible.builtin.blockinfile:
path: /etc/apt/sources.list.d/process-one-stable.sources
create: true
block: |
Enabled: yes
Types: deb
URIs: https://repo.process-one.net/deb
Suites: stable
Components: main
Architectures: amd64
Signed-By: /etc/apt/keyrings/ejabberd.gpg
owner: "{{ root.user }}"
group: "{{ root.group }}"
mode: "755"
- name: Create keyrings folder
ansible.builtin.file:
path: /etc/apt/keyrings
state: directory
owner: "{{ root.user }}"
group: "{{ root.group }}"
mode: "755"
- name: Adding process-one (ejabberd) gpg key to apt keyring
ansible.builtin.get_url:
url: https://repo.process-one.net/ejabberd.gpg
dest: /etc/apt/keyrings/ejabberd.gpg
owner: "{{ root.user }}"
group: "{{ root.group }}"
mode: "755"
- name: Installing required packages
ansible.builtin.package:
name:
- composer
- php-fpm
- php-curl
- php-mbstring
- php-imagick
- php-gd
- php-pgsql
- php-xml
- postgresql
- nginx
- certbot
- ejabberd
- git
- python3-certbot-nginx
- python3-psycopg2
state: present
- name: "Ensure movim database is present and accessible"
ansible.builtin.include_tasks:
file: tasks/chat/database.yml
- name: "Ensure movim version is installed - v{{ movim.version }}"
ansible.builtin.include_tasks:
file: tasks/chat/movim.yml
- name: "Ensure X509 certificates are properly installed"
ansible.builtin.include_tasks:
file: tasks/chat/x509.yml
- name: "Ensure nginx is configured"
ansible.builtin.include_tasks:
file: tasks/chat/nginx.yml
- name: "Ensure ejabberd is configured"
ansible.builtin.include_tasks:
file: tasks/chat/ejabberd.yml

22
playbooks/tasks/chat/database.yml Normal file
View file

@ -0,0 +1,22 @@
---
- name: Ensure databases user exist
community.postgresql.postgresql_user:
user: "{{ item }}"
password: "{{ item }}"
state: present
become_user: "{{ postgres.user }}"
become: true
with_items:
- movim
- ejabberd
- name: Ensure databases exist
community.postgresql.postgresql_db:
name: "{{ item }}"
owner: "{{ item }}"
state: present
become_user: "{{ postgres.user }}"
become: true
with_items:
- movim
- ejabberd

22
playbooks/tasks/chat/ejabberd.yml Normal file
View file

@ -0,0 +1,22 @@
---
- name: Create ejabberd configuration file
ansible.builtin.copy:
src: tasks/chat/files/ejabberd.yml
dest: /opt/ejabberd/conf/ejabberd.yml
owner: "{{ ejabberd.user }}"
group: "{{ ejabberd.group }}"
mode: "644"
- name: Create ejabberd upload directory
ansible.builtin.file:
path: /opt/ejabberd/upload
state: directory
owner: "{{ ejabberd.user }}"
group: "{{ ejabberd.group }}"
mode: "755"
- name: Restart ejabberd service
ansible.builtin.service:
name: ejabberd
state: restarted

303
playbooks/tasks/chat/files/ejabberd.yml Normal file
View file

@ -0,0 +1,303 @@
loglevel: warning
log_rotate_count: 0
hosts:
- trans13nrv.eu.org
fqdn: xmpp.trans13nrv.eu.org
certfiles:
- "/etc/letsencrypt/live/trans13nrv.eu.org/privkey.pem"
- "/etc/letsencrypt/live/trans13nrv.eu.org/fullchain.pem"
update_sql_schema: true
new_sql_schema: true
sql_type: pgsql
sql_server: localhost
sql_database: ejabberd
sql_username: ejabberd
sql_password: ejabberd
auth_method: [sql]
default_db: sql
acme:
auto: false
language: fr
define_macro:
'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
'TLS_OPTIONS':
- "no_sslv3"
- "no_tlsv1"
- "no_tlsv1_1"
- "cipher_server_preference"
- "no_compression"
# 'DH_FILE': "/path/to/dhparams.pem"
# generated with: openssl dhparam -out dhparams.pem 2048
c2s_ciphers: 'TLS_CIPHERS'
s2s_ciphers: 'TLS_CIPHERS'
c2s_protocol_options: 'TLS_OPTIONS'
s2s_protocol_options: 'TLS_OPTIONS'
# c2s_dhfile: 'DH_FILE'
# s2s_dhfile: 'DH_FILE'
listen:
-
port: 5222
ip: "137.74.82.131"
module: ejabberd_c2s
max_stanza_size: 262144
shaper: c2s_shaper
access: c2s
starttls: true
-
port: 5223
ip: "137.74.82.131"
module: ejabberd_c2s
max_stanza_size: 262144
shaper: c2s_shaper
access: c2s
tls: true
-
port: 5269
ip: "137.74.82.131"
module: ejabberd_s2s_in
max_stanza_size: 524288
-
port: 5443
ip: "137.74.82.131"
module: ejabberd_http
tls: true
protocol_options: 'TLS_OPTIONS'
request_handlers:
/api: mod_http_api
/bosh: mod_bosh
## /captcha: ejabberd_captcha
/upload: mod_http_upload
/ws: ejabberd_http_ws
custom_headers:
"Access-Control-Allow-Origin": "*"
"Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT"
"Access-Control-Allow-Headers": "Authorization"
"Access-Control-Allow-Credentials": "true"
# -
# port: 5280
# module: ejabberd_http
# tls: false
# protocol_options: 'TLS_OPTIONS'
# request_handlers: {}
# /.well-known/acme-challenge: ejabberd_acme
# /admin: ejabberd_web_admin
-
port: 3478
ip: "137.74.82.131"
transport: udp
module: ejabberd_stun
use_turn: true
turn_ipv4_address: "137.74.82.131"
-
port: 1883
ip: "137.74.82.131"
module: mod_mqtt
backlog: 1000
## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
## password storage (see auth_password_format option).
disable_sasl_mechanisms:
- "digest-md5"
- "X-OAUTH2"
s2s_use_starttls: required
## Store the plain passwords or hashed for SCRAM:
auth_password_format: scram
## Full path to a script that generates the image.
## captcha_cmd: "/usr/share/ejabberd/captcha.sh"
acl:
admin:
user:
- "stupeflo@trans13nrv.eu.org"
- "llowin@trans13nrv.eu.org"
local:
user_regexp: ""
loopback:
ip:
- 127.0.0.0/8
- ::1/128
access_rules:
local:
allow: local
c2s:
deny: blocked
allow: all
announce:
allow: admin
configure:
allow: admin
muc_create:
allow: local
pubsub_createnode:
allow: local
trusted_network:
allow: loopback
api_permissions:
"console commands":
from:
- ejabberd_ctl
who: all
what: "*"
"admin access":
who:
access:
allow:
- acl: loopback
- acl: admin
oauth:
scope: "ejabberd:admin"
access:
allow:
- acl: loopback
- acl: admin
what:
- "*"
- "!stop"
- "!start"
"public commands":
who:
ip: 127.0.0.1/8
what:
- status
- connected_users_number
shaper:
normal:
rate: 3000
burst_size: 20000
fast: 200000
shaper_rules:
max_user_sessions: 10
max_user_offline_messages:
5000: admin
100: all
c2s_shaper:
none: admin
normal: all
s2s_shaper: fast
modules:
mod_admin_update_sql: {}
mod_adhoc: {}
mod_admin_extra: {}
mod_announce:
access: announce
mod_avatar: {}
mod_blocking: {}
mod_bosh: {}
mod_caps: {}
mod_carboncopy: {}
mod_client_state: {}
mod_configure: {}
## mod_delegation: {} # for xep0356
mod_disco: {}
mod_fail2ban: {}
mod_http_api: {}
mod_http_upload:
name: "HTTP File Upload"
access: local
max_size: 104857600 # 100 MiB.
file_mode: "0640"
dir_mode: "2750"
docroot: "/opt/ejabberd/upload/@HOST@"
put_url: "https://@HOST@:8443/upload"
thumbnail: false
hosts:
- upload.trans13nrv.eu.org
mod_last: {}
mod_mam:
## Mnesia is limited to 2GB, better to use an SQL backend
## For small servers SQLite is a good fit and is very easy
## to configure. Uncomment this when you have SQL configured:
db_type: sql
assume_mam_usage: true
default: always
mod_mqtt: {}
mod_muc:
access:
- allow
access_admin:
- allow: admin
access_create: muc_create
access_persistent: muc_create
access_mam:
- allow
default_room_options:
mam: true
host: muc.trans13nrv.eu.org
mod_muc_admin: {}
mod_offline:
access_max_user_messages: max_user_offline_messages
mod_ping: {}
mod_pres_counter:
count: 5
interval: 60
mod_privacy: {}
mod_private: {}
## mod_proxy65:
## access: local
## max_connections: 5
mod_pubsub:
access_createnode: pubsub_createnode
ignore_pep_from_offline: false
last_item_cache: false
max_items_node: 1000
default_node_config:
max_items: 1000
plugins:
- "flat"
- "pep"
host: pubsub.trans13nrv.eu.org
force_node_config:
"eu.siacs.conversations.axolotl.*":
access_model: open
## Avoid buggy clients to make their bookmarks public
storage:bookmarks:
access_model: whitelist
mod_push: {}
mod_push_keepalive: {}
## mod_register:
## ## Only accept registration requests from the "trusted"
## ## network (see access_rules section above).
## ## Think twice before enabling registration from any
## ## address. See the Jabber SPAM Manifesto for details:
## ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
## ip_access: trusted_network
mod_register:
ip_access: trusted_network
mod_roster:
versioning: true
mod_s2s_dialback: {}
mod_shared_roster: {}
mod_sic: {}
mod_stream_mgmt:
resend_on_timeout: if_offline
mod_stun_disco: {}
mod_vcard:
search: false
mod_vcard_xupdate: {}
mod_version: {}
### Local Variables:
### mode: yaml
### End:
### vim: set filetype=yaml tabstop=8

163
playbooks/tasks/chat/movim.yml Normal file
View file

@ -0,0 +1,163 @@
---
- name: Check Whether movim is present
ansible.builtin.stat:
path: "{{ movim.path }}"
register: "movim_dir"
- name: Check whether movim is installed
ansible.builtin.set_fact:
movim_is_installed: "{{ movim_dir.stat is defined and movim_dir.stat.isdir }}"
- name: Guess current version
block:
- name: Check movim installed tag
when: movim_is_installed
register: "movim_installed_tag"
ansible.builtin.shell:
argv:
- git
- describe
- --tags
chdir: "{{ movim.path }}"
become: true
become_user: "{{ www.user }}"
- name: Register current movim version
ansible.builtin.set_fact:
movim_installed_version: "{{ movim_installed_tag.stdout | regex_replace('^v(\\d+)\\.(\\d+)\\.(\\d+)$', '\\1.\\2.\\3') }}"
- name: Installing
when: not movim_is_installed
block:
- name: Cloning
ansible.builtin.git:
repo: https://github.com/movim/movim.git
dest: "{{ movim.path }}"
version: "v{{ movim.version }}"
- name: Setting Mode and Ownershp
ansible.builtin.file:
path: "{{ movim.path }}"
state: directory
owner: "{{ www.user }}"
group: "{{ www.group }}"
recurse: true
mode: "755"
- name: Updating
when: movim_is_installed and movim.version is version(movim_installed_version, ">", "semver")
block:
- name: Fetching
ansible.builtin.shell:
argv:
- git
- fetch
chdir: "{{ movim.path }}"
become: true
become_user: "{{ www.user }}"
- name: Checking Out
ansible.builtin.shell:
argv:
- git
- checkout
- "v{{ movim.version }}"
chdir: "{{ movim.path }}"
become: true
become_user: "{{ www.user }}"
- name: Installing or updating Movim dependanciens
community.general.composer:
working_dir: "{{ movim.path }}"
command: install
become: true
become_user: "{{ www.user }}"
- name: Setting-Up Movim execution environment
ansible.builtin.blockinfile:
path: "{{ movim.path }}/.env"
block: |
# Database configuration
DB_DRIVER=pgsql
DB_HOST=127.0.0.1
DB_PORT=5432
DB_DATABASE=movim
DB_USERNAME=movim
DB_PASSWORD=movim
# Daemon configuration
DAEMON_URL=https://chat.trans13nrv.eu.org/ # Public URL of your Movim instance
DAEMON_PORT=8080 # Port on which the daemon will listen
DAEMON_INTERFACE=127.0.0.1 # Interface on which the daemon will listen, must be an IP
DAEMON_DEBUG=false
DAEMON_VERBOSE=false
owner: "{{ www.user }}"
group: "{{ www.group }}"
create: true
mode: "600"
- name: Migrating Database
community.general.composer:
command: "movim:migrate"
working_dir: "{{ movim.path }}"
become: true
become_user: "{{ www.user }}"
- name: Setting-Up Movim demon service
ansible.builtin.blockinfile:
path: /etc/systemd/system/movim.service
block: |
[Unit]
Description=Movim daemon
After=nginx.service network.target local-fs.target
[Service]
User=www-data
Type=simple
Environment=PUBLIC_URL=https://chat.trans13nrv.eu.org/
Environment=WS_PORT=8080
EnvironmentFile=-/etc/default/movim
ExecStart=/usr/bin/php daemon.php start
WorkingDirectory={{ movim.path }}
StandardOutput=syslog
SyslogIdentifier=movim
PIDFile=/run/movim.pid
Restart=on-failure
RestartSec=10
[Install]
WantedBy=multi-user.target
owner: "{{ root.user }}"
group: "{{ root.group }}"
mode: "644"
create: true
- name: Ensure demon cache directories exists
ansible.builtin.file:
path: "{{ item }}"
owner: "{{ www.user }}"
group: "{{ www.group }}"
mode: "755"
state: directory
with_items:
- "{{ movim.path }}/cache"
- "{{ movim.path }}/public/cache"
- name: Reload SystemD daemon
ansible.builtin.shell:
argv:
- systemctl
- daemon-reload
- name: Enable and restarted Movim Damon Service
when: not movim_is_installed
ansible.builtin.systemd_service:
service: movim.service
enabled: true
state: restarted
- name: Enable and start Movim Damon Service
ansible.builtin.systemd_service:
service: movim.service
state: restarted
when: movim_is_installed

43
playbooks/tasks/chat/nginx.yml Normal file
View file

@ -0,0 +1,43 @@
---
- name: Create auto redirect to TLS for movim
ansible.builtin.blockinfile:
path: "{{ nginx.paths.sites_available }}/redirect_to_https"
block: |
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
create: true
- name: Create movim website
ansible.builtin.template:
dest: "{{ nginx.paths.sites_available }}/{{ movim.domain }}"
src: tasks/chat/templates/movim.j2
owner: "{{ root.user }}"
group: "{{ root.group }}"
mode: "644"
- name: Enable movim website
ansible.builtin.file:
state: link
dest: "{{ nginx.paths.sites_enabled }}/{{ movim.domain }}"
src: "{{ nginx.paths.sites_available }}/{{ movim.domain }}"
- name: Enable auto redirect to TLS
ansible.builtin.file:
state: link
dest: "{{ nginx.paths.sites_enabled }}/redirect_to_https"
src: "{{ nginx.paths.sites_available }}/redirect_to_https"
- name: Set access logs to off
ansible.builtin.blockinfile:
path: "{{ nginx.paths.conf_d }}/10-access_log-disabled.conf"
block: |
access_log off;
create: true
- name: Reload nginx service
ansible.builtin.systemd_service:
name: nginx
state: restarted

275
playbooks/tasks/chat/templates/ejabberd.yaml.j2 Normal file
View file

@ -0,0 +1,275 @@
loglevel: {{ service.log.level | default("none") }}
log_rotate_count: {{ service.log.rotate | default("0") }}
hosts:
{%- for domain in service.domains %}
- {{ domain }}
{%- endfor %}
certfiles:
- {{ service.certificate.certfile | default("/etc/ejabberd/ejabberd.pem") }}
{%- if service.certificate.keyfile %}
- service.certificate.keyfile | default("/etc/letsencrypt/live/localhost/fullchain.pem")
{%- endif %}
# - /etc/letsencrypt/live/localhost/privkey.pem
# TLS configuration
define_macro:
'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
'TLS_OPTIONS':
- "no_sslv3"
- "no_tlsv1"
- "no_tlsv1_1"
- "cipher_server_preference"
- "no_compression"
# 'DH_FILE': "/path/to/dhparams.pem"
# generated with: openssl dhparam -out dhparams.pem 2048
c2s_ciphers: 'TLS_CIPHERS'
s2s_ciphers: 'TLS_CIPHERS'
c2s_protocol_options: 'TLS_OPTIONS'
s2s_protocol_options: 'TLS_OPTIONS'
# c2s_dhfile: 'DH_FILE'
# s2s_dhfile: 'DH_FILE'
listen:
-
port: 5222
ip: "::"
module: ejabberd_c2s
max_stanza_size: 262144
shaper: c2s_shaper
access: c2s
starttls_required: true
protocol_options: 'TLS_OPTIONS'
-
port: 5223
ip: "::"
module: ejabberd_c2s
max_stanza_size: 262144
shaper: c2s_shaper
access: c2s
tls: true
protocol_options: 'TLS_OPTIONS'
-
port: 5269
ip: "::"
module: ejabberd_s2s_in
max_stanza_size: 524288
-
port: 5443
ip: "::"
module: ejabberd_http
tls: true
protocol_options: 'TLS_OPTIONS'
request_handlers:
/api: mod_http_api
/bosh: mod_bosh
## /captcha: ejabberd_captcha
## /upload: mod_http_upload
/ws: ejabberd_http_ws
-
port: 5280
ip: "::"
module: ejabberd_http
tls: true
protocol_options: 'TLS_OPTIONS'
request_handlers:
/admin: ejabberd_web_admin
/.well-known/acme-challenge: ejabberd_acme
-
port: 3478
ip: "::"
transport: udp
module: ejabberd_stun
use_turn: true
## The server's public IPv4 address:
# turn_ipv4_address: "203.0.113.3"
## The server's public IPv6 address:
# turn_ipv6_address: "2001:db8::3"
-
port: 1883
ip: "::"
module: mod_mqtt
backlog: 1000
## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
## password storage (see auth_password_format option).
disable_sasl_mechanisms:
- "digest-md5"
- "X-OAUTH2"
s2s_use_starttls: required
## Store the plain passwords or hashed for SCRAM:
auth_password_format: scram
## Full path to a script that generates the image.
## captcha_cmd: "/usr/share/ejabberd/captcha.sh"
acl:
admin:
user:
- ""
local:
user_regexp: ""
loopback:
ip:
- 127.0.0.0/8
- ::1/128
access_rules:
local:
allow: local
c2s:
deny: blocked
allow: all
announce:
allow: admin
configure:
allow: admin
muc_create:
allow: local
pubsub_createnode:
allow: local
trusted_network:
allow: loopback
api_permissions:
"console commands":
from:
- ejabberd_ctl
who: all
what: "*"
"admin access":
who:
access:
allow:
- acl: loopback
- acl: admin
oauth:
scope: "ejabberd:admin"
access:
allow:
- acl: loopback
- acl: admin
what:
- "*"
- "!stop"
- "!start"
"public commands":
who:
ip: 127.0.0.1/8
what:
- status
- connected_users_number
shaper:
normal:
rate: 3000
burst_size: 20000
fast: 200000
shaper_rules:
max_user_sessions: 10
max_user_offline_messages:
5000: admin
100: all
c2s_shaper:
none: admin
normal: all
s2s_shaper: fast
modules:
mod_adhoc: {}
mod_admin_extra: {}
mod_announce:
access: announce
mod_avatar: {}
mod_blocking: {}
mod_bosh: {}
mod_caps: {}
mod_carboncopy: {}
mod_client_state: {}
mod_configure: {}
## mod_delegation: {} # for xep0356
mod_disco: {}
mod_fail2ban: {}
mod_http_api: {}
## mod_http_upload:
## put_url: https://@HOST@:5443/upload
## custom_headers:
## "Access-Control-Allow-Origin": "https://@HOST@"
## "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
## "Access-Control-Allow-Headers": "Content-Type"
mod_last: {}
## mod_mam:
## ## Mnesia is limited to 2GB, better to use an SQL backend
## ## For small servers SQLite is a good fit and is very easy
## ## to configure. Uncomment this when you have SQL configured:
## ## db_type: sql
## assume_mam_usage: true
## default: always
mod_mqtt: {}
mod_muc:
access:
- allow
access_admin:
- allow: admin
access_create: muc_create
access_persistent: muc_create
access_mam:
- allow
default_room_options:
mam: true
mod_muc_admin: {}
mod_offline:
access_max_user_messages: max_user_offline_messages
mod_ping: {}
mod_pres_counter:
count: 5
interval: 60
mod_privacy: {}
mod_private: {}
## mod_proxy65:
## access: local
## max_connections: 5
mod_pubsub:
access_createnode: pubsub_createnode
plugins:
- flat
- pep
force_node_config:
"eu.siacs.conversations.axolotl.*":
access_model: open
## Avoid buggy clients to make their bookmarks public
storage:bookmarks:
access_model: whitelist
mod_push: {}
mod_push_keepalive: {}
## mod_register:
## ## Only accept registration requests from the "trusted"
## ## network (see access_rules section above).
## ## Think twice before enabling registration from any
## ## address. See the Jabber SPAM Manifesto for details:
## ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
## ip_access: trusted_network
mod_roster:
versioning: true
mod_s2s_dialback: {}
mod_shared_roster: {}
mod_sic: {}
mod_stream_mgmt:
resend_on_timeout: if_offline
mod_stun_disco: {}
mod_vcard:
search: false
mod_vcard_xupdate: {}
mod_version: {}
### Local Variables:
### mode: yaml
### End:
### vim: set filetype=yaml tabstop=8

53
playbooks/tasks/chat/templates/movim.j2 Normal file
View file

@ -0,0 +1,53 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ movim.domain }};
ssl_certificate /etc/letsencrypt/live/{{ movim.domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ movim.domain }}/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
# Where Movim public directory is setup
root {{ movim.path }}/public;
index index.php;
# Ask nginx to cache every URL starting with "/picture"
location /picture {
set $no_cache 0; # Enable cache only there
try_files $uri $uri/ /index.php$is_args$args;
}
location / {
set $no_cache 1;
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
add_header X-Cache $upstream_cache_status;
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
fastcgi_ignore_headers "Cache-Control" "Expires" "Set-Cookie";
fastcgi_cache_valid any 7d;
fastcgi_cache_bypass $no_cache;
fastcgi_no_cache $no_cache;
# Pass everything to PHP FastCGI, at the discretion of the administrator
include fastcgi.conf;
}
location /ws/ {
proxy_pass http://127.0.0.1:8080/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
proxy_read_timeout 1800s;
proxy_send_timeout 1800s;
}
}

55
playbooks/tasks/chat/x509.yml Normal file
View file

@ -0,0 +1,55 @@
---
- name: Disable movim website
ansible.builtin.file:
path: "{{ nginx.paths.sites_enabled }}/{{ movim.domain }}"
state: absent
- name: Disable auto redirect to TLS
ansible.builtin.file:
path: "{{ nginx.paths.sites_enabled }}/redirect_to_https"
state: absent
- name: Enable default website
ansible.builtin.file:
dest: "{{ nginx.paths.sites_enabled }}/default"
src: "{{ nginx.paths.sites_available }}/default"
state: link
- name: Install X509 certificates for movim
ansible.builtin.command:
argv:
- certbot
- certonly
- --agree-tos
- -m
- psotmaster@trans13nrv.eu.org
- --nginx
- -d
- "{{ movim.domain }}"
creates: "/etc/letsencrypt/live/{{ movim.domain }}*/privkey.pem"
- name: Install X509 certificates for ejabberd hosts
ansible.builtin.command:
argv:
- certbot
- certonly
- --agree-tos
- -m
- psotmaster@trans13nrv.eu.org
- --nginx
- -d
- trans13nrv.eu.org
- -d
- xmpp.trans13nrv.eu.org
- -d
- muc.trans13nrv.eu.org
- -d
- "pubsub.trans13nrv.eu.org"
- -d
- upload.trans13nrv.eu.org
creates: "/etc/letsencrypt/live/trans13nrv.eu.org/privkey.pem"
- name: Disable default website
ansible.builtin.file:
path: "{{ nginx.paths.sites_enabled }}/default"
state: absent

32
playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone
View file

@ -1,7 +1,7 @@
$ORIGIN trans13nrv.eu.org.
$TTL 300s
@ SOA ns1 postmaster (
2024051400 ; Serial
2024052340 ; Serial
8h ; Refresh
30m ; Retry
1w ; Expire
@ -16,16 +16,28 @@ ns1 A 137.74.82.130
@ MX 10 mail.hebergemoi.fr.
;;; XMPP ;;;
; server IP / name
;_jabber A 0.0.0.1
;xmpp CNAME _jabber
; server IP
jabber A 137.74.82.131
@ A 137.74.82.131
; ports
;_xmpp-server._tcp IN SRV 0 0 5269 _jabber
;_xmpp-client._tcp IN SRV 0 0 5222 _jabber
_xmpp-server._tcp IN SRV 5 0 5269 xmpp
_xmpps-server._tcp IN SRV 5 0 5270 xmpp
_xmpp-client._tcp IN SRV 5 0 5222 xmpp
_xmpps-client._tcp IN SRV 5 0 5223 xmpp
; multi-user-chat
;muc CNAME _jabber
_stun._udp IN SRV 5 0 3478 turn
_stun._tcp IN SRV 5 0 3478 turn
_stuns._tcp IN SRV 5 0 5349 turn
_turn._udp IN SRV 5 0 3478 turn
_turn._tcp IN SRV 5 0 3478 turn
_turns._tcp IN SRV 5 0 5349 turn
; web UI
;chat CNAME _jabber
; Aliases
xmpp CNAME jabber ; XMPP Service
turn CNAME jabber ; VOIP service
chat CNAME jabber ; Web Frontend
muc CNAME jabber ; Multi-User chat
upload CNAME jabber ; Upload over XMPP
pubsub CNAME jabber ; Pub-Sub over XMPP
proxy CNAME jabber ; Proxy for file transfer over XMPP

18
playbooks/vars.yml
View file

@ -10,3 +10,21 @@ dns:
domain_name: trans13nrv.eu.org
root:
user: root
group: root
www:
user: www-data
group: www-data
movim:
version: "0.24.1"
path: /var/www/chat.trans13nrv.eu.org
domain: chat.trans13nrv.eu.org
postgres:
user: postgres
nginx:
paths:
sites_enabled: /etc/nginx/sites-enabled
sites_available: /etc/nginx/sites-available
conf_d: /etc/nginx/conf.d
ejabberd:
user: ejabberd
group: ejabberd