diff --git a/playbooks/01-primary-ns.yaml b/playbooks/01-primary-ns.yaml index 117894d..c3fd1ea 100644 --- a/playbooks/01-primary-ns.yaml +++ b/playbooks/01-primary-ns.yaml @@ -38,4 +38,4 @@ - name: Reload bind9 service ansible.builtin.service: name: bind9 - state: reloaded + state: restarted diff --git a/playbooks/02-xmpp-server.yaml b/playbooks/02-xmpp-server.yaml new file mode 100644 index 0000000..8ed79b0 --- /dev/null +++ b/playbooks/02-xmpp-server.yaml 
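Review bot: The task is still named `Reload bind9 service` while its state is now `restarted`, so the name no longer describes what the task does; either rename it to `Restart bind9 service` or keep `state: reloaded`. A restart drops bind's resolver cache and interrupts service briefly, whereas a reload is normally enough to pick up the zone serial bump made elsewhere in this commit; if reload was found not to apply the new records, a one-line comment on the task saying so would stop the next reader from reverting it. The enclosing play starts outside the hunk.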
@@ -0,0 +1,78 @@ +- name: Configuration of jabber server + hosts: chatservers + + tasks: + - name: Use variables + ansible.builtin.include_vars: vars.yml + + - name: Configure ejabber apt sources + ansible.builtin.blockinfile: + path: /etc/apt/sources.list.d/process-one-stable.sources + create: true + block: | + Enabled: yes + Types: deb + URIs: https://repo.process-one.net/deb + Suites: stable + Components: main + Architectures: amd64 + Signed-By: /etc/apt/keyrings/ejabberd.gpg + owner: "{{ root.user }}" + group: "{{ root.group }}" + mode: "755" + + - name: Create keyrings folder + ansible.builtin.file: + path: /etc/apt/keyrings + state: directory + owner: "{{ root.user }}" + group: "{{ root.group }}" + mode: "755" + + - name: Adding process-one (ejabberd) gpg key to apt keyring + ansible.builtin.get_url: + url: https://repo.process-one.net/ejabberd.gpg + dest: /etc/apt/keyrings/ejabberd.gpg + owner: "{{ root.user }}" + group: "{{ root.group }}" + mode: "755" + + - name: Installing required packages + ansible.builtin.package: + name: + - composer + - php-fpm + - php-curl + - php-mbstring + - php-imagick + - php-gd + - php-pgsql + - php-xml + - postgresql + - nginx + - certbot + - ejabberd + - git + - python3-certbot-nginx + - python3-psycopg2 + state: present + + - name: "Ensure movim database is present and accessible" + ansible.builtin.include_tasks: + file: tasks/chat/database.yml + + - name: "Ensure movim version is installed - v{{ movim.version }}" + ansible.builtin.include_tasks: + file: tasks/chat/movim.yml + + - name: "Ensure X509 certificates are properly installed" + ansible.builtin.include_tasks: + file: tasks/chat/x509.yml + + - name: "Ensure nginx is configured" + ansible.builtin.include_tasks: + file: tasks/chat/nginx.yml + + - name: "Ensure ejabberd is configured" + ansible.builtin.include_tasks: + file: tasks/chat/ejabberd.yml 
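Review bot: `Installing required packages` runs `ansible.builtin.package` right after the process-one repository is added, but nothing refreshes the apt package lists, so on a fresh host `ejabberd` is resolved against the old lists and the task presumably fails or pulls the distro package (which does not use the `/opt/ejabberd/conf` path the later tasks write to); use `ansible.builtin.apt:` with `update_cache: true` for that task, since `package` has no such option. `mode: "755"` on the `.sources` file and on `/etc/apt/keyrings/ejabberd.gpg` sets the executable bit on plain data files; `mode: "0644"` is what apt expects for both. The signing key fetched by `get_url` is protected only by TLS to repo.process-one.net; pinning it with `checksum: "sha256:<expected-digest>"` or shipping it under `files/` makes the repository trust explicit and reproducible. The play declares no `become: true`, so writing under `/etc/apt` presumably relies on connecting as root — worth stating at play level.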
diff --git a/playbooks/tasks/chat/database.yml b/playbooks/tasks/chat/database.yml new file mode 100644 index 0000000..bfb8610 --- /dev/null +++ b/playbooks/tasks/chat/database.yml @@ -0,0 +1,22 @@ +--- +- name: Ensure databases user exist + community.postgresql.postgresql_user: + user: "{{ item }}" + password: "{{ item }}" + state: present + become_user: "{{ postgres.user }}" + become: true + with_items: + - movim + - ejabberd + +- name: Ensure databases exist + community.postgresql.postgresql_db: + name: "{{ item }}" + owner: "{{ item }}" + state: present + become_user: "{{ postgres.user }}" + become: true + with_items: + - movim + - ejabberd diff --git a/playbooks/tasks/chat/ejabberd.yml b/playbooks/tasks/chat/ejabberd.yml new file mode 100644 index 0000000..95555cc --- /dev/null +++ b/playbooks/tasks/chat/ejabberd.yml @@ -0,0 +1,22 @@ +--- +- name: Create ejabberd configuration file + ansible.builtin.copy: + src: tasks/chat/files/ejabberd.yml + dest: /opt/ejabberd/conf/ejabberd.yml + owner: "{{ ejabberd.user }}" + group: "{{ ejabberd.group }}" + mode: "644" + +- name: Create ejabberd upload directory + ansible.builtin.file: + path: /opt/ejabberd/upload + state: directory + owner: "{{ ejabberd.user }}" + group: "{{ ejabberd.group }}" + mode: "755" + +- name: Restart ejabberd service + ansible.builtin.service: + name: ejabberd + state: restarted + diff --git a/playbooks/tasks/chat/files/ejabberd.yml b/playbooks/tasks/chat/files/ejabberd.yml new file mode 100644 index 0000000..0085df2 --- /dev/null +++ b/playbooks/tasks/chat/files/ejabberd.yml 
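Review bot: `password: "{{ item }}"` gives each database role a password equal to its username, in clear text, and the same literals are repeated in `files/ejabberd.yml` (`sql_password: ejabberd`) and in the `.env` block of `tasks/chat/movim.yml` (`DB_PASSWORD=movim`); define the passwords once in an ansible-vault-encrypted variable file and reference them from all three places. Add `no_log: true` to both tasks so the loop output does not echo the credentials into the play log. Stylistically, `loop:` is the current form of `with_items:`.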
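Review bot: `Create ejabberd configuration file` writes a config that contains `sql_password` with `mode: "644"`, readable by every local account; `mode: "0640"` with the `ejabberd` owner/group already declared on the task is sufficient for the daemon. `Restart ejabberd service` has no `when` and no handler, so every run of the play restarts ejabberd and drops all client sessions even when the copy changed nothing; register the copy result and restart only `when: ejabberd_conf is changed`, or move the restart into a handler with `notify`. Note also that this commit adds `templates/ejabberd.yaml.j2` while this task copies the static `files/ejabberd.yml`, leaving the template unused.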
@@ -0,0 +1,303 @@ +loglevel: warning + +log_rotate_count: 0 + +hosts: + - trans13nrv.eu.org + +fqdn: xmpp.trans13nrv.eu.org + +certfiles: + - "/etc/letsencrypt/live/trans13nrv.eu.org/privkey.pem" + - "/etc/letsencrypt/live/trans13nrv.eu.org/fullchain.pem" + +update_sql_schema: true +new_sql_schema: true +sql_type: pgsql +sql_server: localhost +sql_database: ejabberd +sql_username: ejabberd +sql_password: ejabberd +auth_method: [sql] + +default_db: sql + +acme: + auto: false + +language: fr + +define_macro: + 'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH" + 'TLS_OPTIONS': + - "no_sslv3" + - "no_tlsv1" + - "no_tlsv1_1" + - "cipher_server_preference" + - "no_compression" + # 'DH_FILE': "/path/to/dhparams.pem" + # generated with: openssl dhparam -out dhparams.pem 2048 + +c2s_ciphers: 'TLS_CIPHERS' +s2s_ciphers: 'TLS_CIPHERS' +c2s_protocol_options: 'TLS_OPTIONS' +s2s_protocol_options: 'TLS_OPTIONS' +# c2s_dhfile: 'DH_FILE' +# s2s_dhfile: 'DH_FILE' + +listen: + - + port: 5222 + ip: "137.74.82.131" + module: ejabberd_c2s + max_stanza_size: 262144 + shaper: c2s_shaper + access: c2s + starttls: true + - + port: 5223 + ip: "137.74.82.131" + module: ejabberd_c2s + max_stanza_size: 262144 + shaper: c2s_shaper + access: c2s + tls: true + - + port: 5269 + ip: "137.74.82.131" + module: ejabberd_s2s_in + max_stanza_size: 524288 + - + port: 5443 + ip: "137.74.82.131" + module: ejabberd_http + tls: true + protocol_options: 'TLS_OPTIONS' + request_handlers: + /api: mod_http_api + /bosh: mod_bosh + ## /captcha: ejabberd_captcha + /upload: mod_http_upload + /ws: ejabberd_http_ws + custom_headers: + "Access-Control-Allow-Origin": "*" + "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT" + "Access-Control-Allow-Headers": "Authorization" + "Access-Control-Allow-Credentials": "true" +# - +# port: 5280 +# module: ejabberd_http +# tls: false +# protocol_options: 'TLS_OPTIONS' +# request_handlers: {} +# /.well-known/acme-challenge: ejabberd_acme +# /admin: ejabberd_web_admin + - + 
port: 3478 + ip: "137.74.82.131" + transport: udp + module: ejabberd_stun + use_turn: true + turn_ipv4_address: "137.74.82.131" + - + port: 1883 + ip: "137.74.82.131" + module: mod_mqtt + backlog: 1000 + + +## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text +## password storage (see auth_password_format option). +disable_sasl_mechanisms: + - "digest-md5" + - "X-OAUTH2" + +s2s_use_starttls: required + +## Store the plain passwords or hashed for SCRAM: +auth_password_format: scram + +## Full path to a script that generates the image. +## captcha_cmd: "/usr/share/ejabberd/captcha.sh" + +acl: + admin: + user: + - "stupeflo@trans13nrv.eu.org" + - "llowin@trans13nrv.eu.org" + + local: + user_regexp: "" + loopback: + ip: + - 127.0.0.0/8 + - ::1/128 + +access_rules: + local: + allow: local + c2s: + deny: blocked + allow: all + announce: + allow: admin + configure: + allow: admin + muc_create: + allow: local + pubsub_createnode: + allow: local + trusted_network: + allow: loopback + +api_permissions: + "console commands": + from: + - ejabberd_ctl + who: all + what: "*" + "admin access": + who: + access: + allow: + - acl: loopback + - acl: admin + oauth: + scope: "ejabberd:admin" + access: + allow: + - acl: loopback + - acl: admin + what: + - "*" + - "!stop" + - "!start" + "public commands": + who: + ip: 127.0.0.1/8 + what: + - status + - connected_users_number + +shaper: + normal: + rate: 3000 + burst_size: 20000 + fast: 200000 + +shaper_rules: + max_user_sessions: 10 + max_user_offline_messages: + 5000: admin + 100: all + c2s_shaper: + none: admin + normal: all + s2s_shaper: fast + +modules: + mod_admin_update_sql: {} + mod_adhoc: {} + mod_admin_extra: {} + mod_announce: + access: announce + mod_avatar: {} + mod_blocking: {} + mod_bosh: {} + mod_caps: {} + mod_carboncopy: {} + mod_client_state: {} + mod_configure: {} + ## mod_delegation: {} # for xep0356 + mod_disco: {} + mod_fail2ban: {} + mod_http_api: {} + mod_http_upload: + name: "HTTP File 
Upload" + access: local + max_size: 104857600 # 100 MiB. + file_mode: "0640" + dir_mode: "2750" + docroot: "/opt/ejabberd/upload/@HOST@" + put_url: "https://@HOST@:8443/upload" + thumbnail: false + hosts: + - upload.trans13nrv.eu.org + mod_last: {} + mod_mam: + ## Mnesia is limited to 2GB, better to use an SQL backend + ## For small servers SQLite is a good fit and is very easy + ## to configure. Uncomment this when you have SQL configured: + db_type: sql + assume_mam_usage: true + default: always + mod_mqtt: {} + mod_muc: + access: + - allow + access_admin: + - allow: admin + access_create: muc_create + access_persistent: muc_create + access_mam: + - allow + default_room_options: + mam: true + host: muc.trans13nrv.eu.org + mod_muc_admin: {} + mod_offline: + access_max_user_messages: max_user_offline_messages + mod_ping: {} + mod_pres_counter: + count: 5 + interval: 60 + mod_privacy: {} + mod_private: {} + ## mod_proxy65: + ## access: local + ## max_connections: 5 + mod_pubsub: + access_createnode: pubsub_createnode + ignore_pep_from_offline: false + last_item_cache: false + max_items_node: 1000 + default_node_config: + max_items: 1000 + plugins: + - "flat" + - "pep" + host: pubsub.trans13nrv.eu.org + force_node_config: + "eu.siacs.conversations.axolotl.*": + access_model: open + ## Avoid buggy clients to make their bookmarks public + storage:bookmarks: + access_model: whitelist + mod_push: {} + mod_push_keepalive: {} + ## mod_register: + ## ## Only accept registration requests from the "trusted" + ## ## network (see access_rules section above). + ## ## Think twice before enabling registration from any + ## ## address. 
See the Jabber SPAM Manifesto for details: + ## ## https://github.com/ge0rg/jabber-spam-fighting-manifesto + ## ip_access: trusted_network + mod_register: + ip_access: trusted_network + mod_roster: + versioning: true + mod_s2s_dialback: {} + mod_shared_roster: {} + mod_sic: {} + mod_stream_mgmt: + resend_on_timeout: if_offline + mod_stun_disco: {} + mod_vcard: + search: false + mod_vcard_xupdate: {} + mod_version: {} + +### Local Variables: +### mode: yaml +### End: +### vim: set filetype=yaml tabstop=8 \ No newline at end of file diff --git a/playbooks/tasks/chat/movim.yml b/playbooks/tasks/chat/movim.yml new file mode 100644 index 0000000..571ce0f --- /dev/null +++ b/playbooks/tasks/chat/movim.yml 
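Review bot: `mod_http_upload` advertises `put_url: "https://@HOST@:8443/upload"`, but the only HTTP listener serving `/upload` in this file is on port 5443 and nothing else in the commit listens on 8443, so upload slots will point clients at a closed port; change it to `put_url: "https://@HOST@:5443/upload"` or add the 8443 listener. The `custom_headers` on the 5443 listener combine `Access-Control-Allow-Origin: "*"` with `Access-Control-Allow-Credentials: "true"`, a pair browsers reject, and they open `/api` and `/upload` to any origin; restrict the origin to `https://@HOST@` (as in the shipped example) and drop the credentials header unless a web client needs it. The 5222 listener sets `starttls: true` but not `starttls_required: true`, so clients may still authenticate in the clear, unlike the template version of this file in the same commit which requires it. `sql_password: ejabberd` is the role's username stored in plain text in a static file; it belongs in a vaulted variable rendered through a template.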
@@ -0,0 +1,163 @@ +--- +- name: Check Whether movim is present + ansible.builtin.stat: + path: "{{ movim.path }}" + register: "movim_dir" + +- name: Check whether movim is installed + ansible.builtin.set_fact: + movim_is_installed: "{{ movim_dir.stat is defined and movim_dir.stat.isdir }}" + +- name: Guess current version + block: + - name: Check movim installed tag + when: movim_is_installed + register: "movim_installed_tag" + ansible.builtin.shell: + argv: + - git + - describe + - --tags + chdir: "{{ movim.path }}" + become: true + become_user: "{{ www.user }}" + + - name: Register current movim version + ansible.builtin.set_fact: + movim_installed_version: "{{ movim_installed_tag.stdout | regex_replace('^v(\\d+)\\.(\\d+)\\.(\\d+)$', '\\1.\\2.\\3') }}" + +- name: Installing + when: not movim_is_installed + block: + - name: Cloning + ansible.builtin.git: + repo: https://github.com/movim/movim.git + dest: "{{ movim.path }}" + version: "v{{ movim.version }}" + + - name: Setting Mode and Ownershp + ansible.builtin.file: + path: "{{ movim.path }}" + state: directory + owner: "{{ www.user }}" + group: "{{ www.group }}" + recurse: true + mode: "755" + +- name: Updating + when: movim_is_installed and movim.version is version(movim_installed_version, ">", "semver") + block: + - name: Fetching + ansible.builtin.shell: + argv: + - git + - fetch + chdir: "{{ movim.path }}" + become: true + become_user: "{{ www.user }}" + - name: Checking Out + ansible.builtin.shell: + argv: + - git + - checkout + - "v{{ movim.version }}" + chdir: "{{ movim.path }}" + become: true + become_user: "{{ www.user }}" + +- name: Installing or updating Movim dependanciens + community.general.composer: + working_dir: "{{ movim.path }}" + command: install + become: true + become_user: "{{ www.user }}" + +- name: Setting-Up Movim execution environment + ansible.builtin.blockinfile: + path: "{{ movim.path }}/.env" + block: | + # Database configuration + DB_DRIVER=pgsql + DB_HOST=127.0.0.1 + DB_PORT=5432 
+ DB_DATABASE=movim + DB_USERNAME=movim + DB_PASSWORD=movim + + # Daemon configuration + DAEMON_URL=https://chat.trans13nrv.eu.org/ # Public URL of your Movim instance + DAEMON_PORT=8080 # Port on which the daemon will listen + DAEMON_INTERFACE=127.0.0.1 # Interface on which the daemon will listen, must be an IP + DAEMON_DEBUG=false + DAEMON_VERBOSE=false + + owner: "{{ www.user }}" + group: "{{ www.group }}" + create: true + mode: "600" + +- name: Migrating Database + community.general.composer: + command: "movim:migrate" + working_dir: "{{ movim.path }}" + become: true + become_user: "{{ www.user }}" + +- name: Setting-Up Movim demon service + ansible.builtin.blockinfile: + path: /etc/systemd/system/movim.service + block: | + [Unit] + Description=Movim daemon + After=nginx.service network.target local-fs.target + + [Service] + User=www-data + Type=simple + Environment=PUBLIC_URL=https://chat.trans13nrv.eu.org/ + Environment=WS_PORT=8080 + EnvironmentFile=-/etc/default/movim + ExecStart=/usr/bin/php daemon.php start + WorkingDirectory={{ movim.path }} + StandardOutput=syslog + SyslogIdentifier=movim + PIDFile=/run/movim.pid + Restart=on-failure + RestartSec=10 + + [Install] + WantedBy=multi-user.target + owner: "{{ root.user }}" + group: "{{ root.group }}" + mode: "644" + create: true + +- name: Ensure demon cache directories exists + ansible.builtin.file: + path: "{{ item }}" + owner: "{{ www.user }}" + group: "{{ www.group }}" + mode: "755" + state: directory + with_items: + - "{{ movim.path }}/cache" + - "{{ movim.path }}/public/cache" + +- name: Reload SystemD daemon + ansible.builtin.shell: + argv: + - systemctl + - daemon-reload + +- name: Enable and restarted Movim Damon Service + when: not movim_is_installed + ansible.builtin.systemd_service: + service: movim.service + enabled: true + state: restarted + +- name: Enable and start Movim Damon Service + ansible.builtin.systemd_service: + service: movim.service + state: restarted + when: movim_is_installed 
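Review bot: `movim_is_installed: "{{ movim_dir.stat is defined and movim_dir.stat.isdir }}"` fails on a fresh host, because `stat` returns `exists: false` without an `isdir` key when the path is absent; use `movim_dir.stat.exists and movim_dir.stat.isdir`. In the `Guess current version` block only the first task is guarded by `when: movim_is_installed`, so on that same fresh host `Register current movim version` reads `movim_installed_tag.stdout` from a skipped result and errors out; move the `when` to the block. The git tasks use `ansible.builtin.shell` with `argv`, which is the interface documented on `ansible.builtin.command`; no shell features are used, so `command` is the safer module, and `Reload SystemD daemon` can be `ansible.builtin.systemd_service: daemon_reload: true` instead of a shell call. The unit file hard-codes `User=www-data` where `{{ www.user }}` is templated a few lines later in the same block, `StandardOutput=syslog` is deprecated by systemd in favour of the journal, and the task names carry typos (`Ownershp`, `dependanciens`, `demon`, `Damon`).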
diff --git a/playbooks/tasks/chat/nginx.yml b/playbooks/tasks/chat/nginx.yml new file mode 100644 index 0000000..4e3e9f6 --- /dev/null +++ b/playbooks/tasks/chat/nginx.yml @@ -0,0 +1,43 @@ +--- +- name: Create auto redirect to TLS for movim + ansible.builtin.blockinfile: + path: "{{ nginx.paths.sites_available }}/redirect_to_https" + block: | + server { + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; + } + create: true + +- name: Create movim website + ansible.builtin.template: + dest: "{{ nginx.paths.sites_available }}/{{ movim.domain }}" + src: tasks/chat/templates/movim.j2 + owner: "{{ root.user }}" + group: "{{ root.group }}" + mode: "644" + +- name: Enable movim website + ansible.builtin.file: + state: link + dest: "{{ nginx.paths.sites_enabled }}/{{ movim.domain }}" + src: "{{ nginx.paths.sites_available }}/{{ movim.domain }}" + +- name: Enable auto redirect to TLS + ansible.builtin.file: + state: link + dest: "{{ nginx.paths.sites_enabled }}/redirect_to_https" + src: "{{ nginx.paths.sites_available }}/redirect_to_https" + +- name: Set access logs to off + ansible.builtin.blockinfile: + path: "{{ nginx.paths.conf_d }}/10-access_log-disabled.conf" + block: | + access_log off; + create: true + +- name: Reload nginx service + ansible.builtin.systemd_service: + name: nginx + state: restarted diff --git a/playbooks/tasks/chat/templates/ejabberd.yaml.j2 b/playbooks/tasks/chat/templates/ejabberd.yaml.j2 new file mode 100644 index 0000000..635d205 --- /dev/null +++ b/playbooks/tasks/chat/templates/ejabberd.yaml.j2 
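Review bot: `Set access logs to off` drops `access_log off;` into `conf.d`, which silences the access log for every vhost on the host and removes the main evidence source for abuse of the Movim front end and the `/ws/` proxy; keep the log (with logrotate) or at most disable it per location. `Reload nginx service` is named reload but uses `state: restarted` unconditionally, so every run restarts nginx even when no file changed; `state: reloaded` in a handler notified by the blockinfile/template/file tasks avoids both the downtime and the needless restart. The `redirect_to_https` and `access_log` blockinfile tasks set no `owner`/`mode` while the template task does; declaring them keeps the three files consistent.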
@@ -0,0 +1,275 @@ +loglevel: {{ service.log.level | default("none") }} +log_rotate_count: {{ service.log.rotate | default("0") }} + +hosts: +{%- for domain in service.domains %} + - {{ domain }} +{%- endfor %} + +certfiles: + - {{ service.certificate.certfile | default("/etc/ejabberd/ejabberd.pem") }} +{%- if service.certificate.keyfile %} + - service.certificate.keyfile | default("/etc/letsencrypt/live/localhost/fullchain.pem") +{%- endif %} +# - /etc/letsencrypt/live/localhost/privkey.pem + +# TLS configuration +define_macro: + 'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH" + 'TLS_OPTIONS': + - "no_sslv3" + - "no_tlsv1" + - "no_tlsv1_1" + - "cipher_server_preference" + - "no_compression" + # 'DH_FILE': "/path/to/dhparams.pem" + # generated with: openssl dhparam -out dhparams.pem 2048 + +c2s_ciphers: 'TLS_CIPHERS' +s2s_ciphers: 'TLS_CIPHERS' +c2s_protocol_options: 'TLS_OPTIONS' +s2s_protocol_options: 'TLS_OPTIONS' +# c2s_dhfile: 'DH_FILE' +# s2s_dhfile: 'DH_FILE' + +listen: + - + port: 5222 + ip: "::" + module: ejabberd_c2s + max_stanza_size: 262144 + shaper: c2s_shaper + access: c2s + starttls_required: true + protocol_options: 'TLS_OPTIONS' + - + port: 5223 + ip: "::" + module: ejabberd_c2s + max_stanza_size: 262144 + shaper: c2s_shaper + access: c2s + tls: true + protocol_options: 'TLS_OPTIONS' + - + port: 5269 + ip: "::" + module: ejabberd_s2s_in + max_stanza_size: 524288 + - + port: 5443 + ip: "::" + module: ejabberd_http + tls: true + protocol_options: 'TLS_OPTIONS' + request_handlers: + /api: mod_http_api + /bosh: mod_bosh + ## /captcha: ejabberd_captcha + ## /upload: mod_http_upload + /ws: ejabberd_http_ws + - + port: 5280 + ip: "::" + module: ejabberd_http + tls: true + protocol_options: 'TLS_OPTIONS' + request_handlers: + /admin: ejabberd_web_admin + /.well-known/acme-challenge: ejabberd_acme + - + port: 3478 + ip: "::" + transport: udp + module: ejabberd_stun + use_turn: true + ## The server's public IPv4 address: + # turn_ipv4_address: 
"203.0.113.3" + ## The server's public IPv6 address: + # turn_ipv6_address: "2001:db8::3" + - + port: 1883 + ip: "::" + module: mod_mqtt + backlog: 1000 + + +## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text +## password storage (see auth_password_format option). +disable_sasl_mechanisms: + - "digest-md5" + - "X-OAUTH2" + +s2s_use_starttls: required + +## Store the plain passwords or hashed for SCRAM: +auth_password_format: scram + +## Full path to a script that generates the image. +## captcha_cmd: "/usr/share/ejabberd/captcha.sh" + +acl: + admin: + user: + - "" + + local: + user_regexp: "" + loopback: + ip: + - 127.0.0.0/8 + - ::1/128 + +access_rules: + local: + allow: local + c2s: + deny: blocked + allow: all + announce: + allow: admin + configure: + allow: admin + muc_create: + allow: local + pubsub_createnode: + allow: local + trusted_network: + allow: loopback + +api_permissions: + "console commands": + from: + - ejabberd_ctl + who: all + what: "*" + "admin access": + who: + access: + allow: + - acl: loopback + - acl: admin + oauth: + scope: "ejabberd:admin" + access: + allow: + - acl: loopback + - acl: admin + what: + - "*" + - "!stop" + - "!start" + "public commands": + who: + ip: 127.0.0.1/8 + what: + - status + - connected_users_number + +shaper: + normal: + rate: 3000 + burst_size: 20000 + fast: 200000 + +shaper_rules: + max_user_sessions: 10 + max_user_offline_messages: + 5000: admin + 100: all + c2s_shaper: + none: admin + normal: all + s2s_shaper: fast + +modules: + mod_adhoc: {} + mod_admin_extra: {} + mod_announce: + access: announce + mod_avatar: {} + mod_blocking: {} + mod_bosh: {} + mod_caps: {} + mod_carboncopy: {} + mod_client_state: {} + mod_configure: {} + ## mod_delegation: {} # for xep0356 + mod_disco: {} + mod_fail2ban: {} + mod_http_api: {} + ## mod_http_upload: + ## put_url: https://@HOST@:5443/upload + ## custom_headers: + ## "Access-Control-Allow-Origin": "https://@HOST@" + ## "Access-Control-Allow-Methods": 
"GET,HEAD,PUT,OPTIONS" + ## "Access-Control-Allow-Headers": "Content-Type" + mod_last: {} + ## mod_mam: + ## ## Mnesia is limited to 2GB, better to use an SQL backend + ## ## For small servers SQLite is a good fit and is very easy + ## ## to configure. Uncomment this when you have SQL configured: + ## ## db_type: sql + ## assume_mam_usage: true + ## default: always + mod_mqtt: {} + mod_muc: + access: + - allow + access_admin: + - allow: admin + access_create: muc_create + access_persistent: muc_create + access_mam: + - allow + default_room_options: + mam: true + mod_muc_admin: {} + mod_offline: + access_max_user_messages: max_user_offline_messages + mod_ping: {} + mod_pres_counter: + count: 5 + interval: 60 + mod_privacy: {} + mod_private: {} + ## mod_proxy65: + ## access: local + ## max_connections: 5 + mod_pubsub: + access_createnode: pubsub_createnode + plugins: + - flat + - pep + force_node_config: + "eu.siacs.conversations.axolotl.*": + access_model: open + ## Avoid buggy clients to make their bookmarks public + storage:bookmarks: + access_model: whitelist + mod_push: {} + mod_push_keepalive: {} + ## mod_register: + ## ## Only accept registration requests from the "trusted" + ## ## network (see access_rules section above). + ## ## Think twice before enabling registration from any + ## ## address. See the Jabber SPAM Manifesto for details: + ## ## https://github.com/ge0rg/jabber-spam-fighting-manifesto + ## ip_access: trusted_network + mod_roster: + versioning: true + mod_s2s_dialback: {} + mod_shared_roster: {} + mod_sic: {} + mod_stream_mgmt: + resend_on_timeout: if_offline + mod_stun_disco: {} + mod_vcard: + search: false + mod_vcard_xupdate: {} + mod_version: {} + +### Local Variables: +### mode: yaml +### End: +### vim: set filetype=yaml tabstop=8 diff --git a/playbooks/tasks/chat/templates/movim.j2 b/playbooks/tasks/chat/templates/movim.j2 new file mode 100644 index 0000000..2c4cd8b --- /dev/null +++ b/playbooks/tasks/chat/templates/movim.j2 
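Review bot: In `certfiles`, the line `- service.certificate.keyfile | default("/etc/letsencrypt/live/localhost/fullchain.pem")` is missing its `{{ }}`, so the rendered config contains that literal text as a certificate path; it should be `  - "{{ service.certificate.keyfile }}"` (the `default` is redundant inside the `{% if service.certificate.keyfile %}` guard, and its value names fullchain.pem for a key). No task in this commit renders this template — `tasks/chat/ejabberd.yml` copies the static `files/ejabberd.yml` instead — so either wire it in with `ansible.builtin.template` or drop it to avoid two diverging configs. `acl.admin.user` is left as `- ""`, which should come from a variable the way `hosts` does. `- {{ domain }}` should be quoted as `- "{{ domain }}"` so a value that happens to look like a number or boolean is not retyped by the YAML parser.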
@@ -0,0 +1,53 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ movim.domain }}; + ssl_certificate /etc/letsencrypt/live/{{ movim.domain }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ movim.domain }}/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + + # Where Movim public directory is setup + root {{ movim.path }}/public; + + index index.php; + + # Ask nginx to cache every URL starting with "/picture" + location /picture { + set $no_cache 0; # Enable cache only there + try_files $uri $uri/ /index.php$is_args$args; + } + + location / { + set $no_cache 1; + try_files $uri $uri/ /index.php$is_args$args; + } + + location ~ \.php$ { + add_header X-Cache $upstream_cache_status; + + fastcgi_pass unix:/run/php/php8.2-fpm.sock; + fastcgi_ignore_headers "Cache-Control" "Expires" "Set-Cookie"; + fastcgi_cache_valid any 7d; + fastcgi_cache_bypass $no_cache; + fastcgi_no_cache $no_cache; + + # Pass everything to PHP FastCGI, at the discretion of the administrator + include fastcgi.conf; + } + + location /ws/ { + proxy_pass http://127.0.0.1:8080/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_redirect off; + proxy_read_timeout 1800s; + proxy_send_timeout 1800s; + } +} \ No newline at end of file diff --git a/playbooks/tasks/chat/x509.yml b/playbooks/tasks/chat/x509.yml new file mode 100644 index 0000000..ff8be84 --- /dev/null +++ b/playbooks/tasks/chat/x509.yml 
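Review bot: `fastcgi_pass unix:/run/php/php8.2-fpm.sock;` hard-codes the PHP version while the play installs the unversioned `php-fpm` package, so the socket path breaks on any release shipping a different PHP; put the socket path in `vars.yml` (e.g. a `www.php_fpm_socket` key) and reference it here. The `fastcgi_cache_valid`/`fastcgi_cache_bypass` directives have no visible `fastcgi_cache`/`fastcgi_cache_path` zone, so presumably caching is inert unless a zone is defined elsewhere. The `location ~ \.php$` block hands any `.php` URI to PHP-FPM without `try_files $uri =404;`, the usual guard against path-info confusion when `cgi.fix_pathinfo` is enabled. An HSTS header such as `add_header Strict-Transport-Security "max-age=63072000" always;` would complete the TLS-only setup the redirect site enforces.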
@@ -0,0 +1,55 @@ +--- +- name: Disable movim website + ansible.builtin.file: + path: "{{ nginx.paths.sites_enabled }}/{{ movim.domain }}" + state: absent + +- name: Disable auto redirect to TLS + ansible.builtin.file: + path: "{{ nginx.paths.sites_enabled }}/redirect_to_https" + state: absent + +- name: Enable default website + ansible.builtin.file: + dest: "{{ nginx.paths.sites_enabled }}/default" + src: "{{ nginx.paths.sites_available }}/default" + state: link + +- name: Install X509 certificates for movim + ansible.builtin.command: + argv: + - certbot + - certonly + - --agree-tos + - -m + - psotmaster@trans13nrv.eu.org + - --nginx + - -d + - "{{ movim.domain }}" + creates: "/etc/letsencrypt/live/{{ movim.domain }}*/privkey.pem" + +- name: Install X509 certificates for ejabberd hosts + ansible.builtin.command: + argv: + - certbot + - certonly + - --agree-tos + - -m + - psotmaster@trans13nrv.eu.org + - --nginx + - -d + - trans13nrv.eu.org + - -d + - xmpp.trans13nrv.eu.org + - -d + - muc.trans13nrv.eu.org + - -d + - "pubsub.trans13nrv.eu.org" + - -d + - upload.trans13nrv.eu.org + creates: "/etc/letsencrypt/live/trans13nrv.eu.org/privkey.pem" + +- name: Disable default website + ansible.builtin.file: + path: "{{ nginx.paths.sites_enabled }}/default" + state: absent diff --git a/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone b/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone index 1f0b904..d7fad54 100644 --- a/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone +++ b/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone 
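Review bot: Both certbot tasks register `-m psotmaster@trans13nrv.eu.org`, which looks like a typo for `postmaster` (the contact used in the zone's SOA); expiry and revocation notices from the CA would go to a non-existent mailbox, so fix it to `- postmaster@trans13nrv.eu.org` or take the address from `vars.yml`. The file disables the movim site and the redirect, enables the default site and disables it again at the end, but never restores the movim site — that only happens because `tasks/chat/nginx.yml` is included afterwards in the play, so running this file alone leaves the front end down; a comment stating that dependency would help. Nothing reloads nginx between the symlink changes and `certbot --nginx`, so the default site presumably relies on certbot's own reload being picked up — worth confirming.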
@@ -1,31 +1,43 @@ $ORIGIN trans13nrv.eu.org. $TTL 300s @ SOA ns1 postmaster ( - 2024051400 ; Serial + 2024052340 ; Serial 8h ; Refresh 30m ; Retry 1w ; Expire 1h ) ; Negative Cache TTL ; name servers - NS ns1 + NS ns1 ns1 A 137.74.82.130 ; mailing -@ MX 10 mail.hebergemoi.fr. +@ MX 10 mail.hebergemoi.fr. ;;; XMPP ;;; -; server IP / name -;_jabber A 0.0.0.1 -;xmpp CNAME _jabber +; server IP +jabber A 137.74.82.131 +@ A 137.74.82.131 ; ports -;_xmpp-server._tcp IN SRV 0 0 5269 _jabber -;_xmpp-client._tcp IN SRV 0 0 5222 _jabber +_xmpp-server._tcp IN SRV 5 0 5269 xmpp +_xmpps-server._tcp IN SRV 5 0 5270 xmpp +_xmpp-client._tcp IN SRV 5 0 5222 xmpp +_xmpps-client._tcp IN SRV 5 0 5223 xmpp -; multi-user-chat -;muc CNAME _jabber +_stun._udp IN SRV 5 0 3478 turn +_stun._tcp IN SRV 5 0 3478 turn +_stuns._tcp IN SRV 5 0 5349 turn +_turn._udp IN SRV 5 0 3478 turn +_turn._tcp IN SRV 5 0 3478 turn +_turns._tcp IN SRV 5 0 5349 turn -; web UI -;chat CNAME _jabber \ No newline at end of file +; Aliases +xmpp CNAME jabber ; XMPP Service +turn CNAME jabber ; VOIP service +chat CNAME jabber ; Web Frontend +muc CNAME jabber ; Multi-User chat +upload CNAME jabber ; Upload over XMPP +pubsub CNAME jabber ; Pub-Sub over XMPP +proxy CNAME jabber ; Proxy for file transfer over XMPP diff --git a/playbooks/vars.yml b/playbooks/vars.yml index 196086c..f8c7687 100644 --- a/playbooks/vars.yml +++ b/playbooks/vars.yml @@ -9,4 +9,22 @@ dns: - zone: domain_name: trans13nrv.eu.org root: - user: root \ No newline at end of file + user: root + group: root +www: + user: www-data + group: www-data +movim: + version: "0.24.1" + path: /var/www/chat.trans13nrv.eu.org + domain: chat.trans13nrv.eu.org +postgres: + user: postgres +nginx: + paths: + sites_enabled: /etc/nginx/sites-enabled + sites_available: /etc/nginx/sites-available + conf_d: /etc/nginx/conf.d +ejabberd: + user: ejabberd + group: ejabberd \ No newline at end of file
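Review bot: The new SRV records target `xmpp` and `turn`, which are CNAMEs in the `Aliases` block; RFC 2782 requires an SRV target to be a name with A/AAAA records, and some clients and validators refuse CNAME targets, so point them at `jabber` (e.g. `_xmpp-client._tcp IN SRV 5 0 5222 jabber`). `_xmpps-server._tcp` (5270), `_stuns._tcp`/`_turns._tcp` (5349) and the `_stun._tcp`/`_turn._tcp` records advertise ports and transports that the ejabberd config added in this commit does not listen on (it has 5269, a UDP-only 3478 and no 5270 or 5349), so either add those listeners or remove the records.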
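Review bot: `movim.path: /var/www/chat.trans13nrv.eu.org` repeats the value of `movim.domain`; deriving both from one top-level variable (e.g. `chat_domain: chat.trans13nrv.eu.org`, then `path: "/var/www/{{ chat_domain }}"`) keeps them from drifting — referencing `movim.domain` from inside the `movim` mapping itself would recurse. This file is also the natural home for the database credentials that `tasks/chat/database.yml`, `files/ejabberd.yml` and `movim.yml` currently hard-code; vault-encrypted `db_password` keys here let those files reference one source.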