From 91ba353d27e9a6aa3dfbaed5a39c9e47ebaeb097 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20CAMPO?= Date: Fri, 17 May 2024 19:50:55 +0200 Subject: [PATCH 01/15] Examples files for instance creation and profile edition --- playbooks/99-test.yml | 127 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 127 insertions(+) create mode 100644 playbooks/99-test.yml diff --git a/playbooks/99-test.yml b/playbooks/99-test.yml new file mode 100644 index 0000000..5c3c17c --- /dev/null +++ b/playbooks/99-test.yml 
@@ -0,0 +1,127 @@ + - name: "LOCALHOST: adding new config to default profile of {{ incus.project.name | default('pxe') }} project" + hebergemoi.incus.incus_profile: + merge_profile: true + name: "{{ incus.profile.name | default('pxe') }}" + project: "{{ incus.project.name | default('pxe') }}" + state: present + config: + boot.autostart: "false" + security.secureboot: "false" + devices: + root: + path: / + size: 10GiB + type: disk + pool: default + eth0: + type: nic + network: "{{ incus.bridge.name | default('pxebr1') }}" + name: eth0 + + - name: "LOCALHOST: create {{ incus.instance.server.name | default('pxeServer') }} container" + hebergemoi.incus.incus_container: + name: "{{ incus.instance.server.name | default('pxeServer') }}" + project: "{{ incus.project.name | default('pxe') }}" + state: started + ephemeral: "true" + wait_for_ipv4_addresses: "true" + devices: + eth0: + type: nic + network: "{{ incus.bridge.name | default('pxebr1') }}" + ipv4.address: "{{ incus.instance.server.addr_v4 | default('10.35.182.2') }}" + source: + type: image + alias: debian/bookworm + protocol: simplestreams + profiles: ["{{ incus.profile.name | default('pxe') }}"] + + - name: "LOCALHOST: refresh ansible_facts" + setup: + - name: "LOCALHOST: refresh inventory" + meta: refresh_inventory + +- hosts: "{{ hostvars.localhost.incus.instance.server.name | default('pxeServer') }}" + tasks: + - name: "{{ hostvars.localhost.incus.instance.server.name | default('pxeServer') }}: include config vars" + ansible.builtin.include_vars: + dir: ../config + extensions: + - "yml" + - "yaml" + ignore_unknown_extensions: true + + - name: "{{ incus.instance.server.name | default('pxeServer') }}: install packages" + ansible.builtin.package: + name: + - make + - gcc + - binutils + - git + - perl + - liblzma-dev + - mtools + - mkisofs + - syslinux + - isolinux + - nginx + - dnsmasq + state: present + + - name: "{{ incus.instance.server.name | default('pxeServer') }}: clone ipxe repository" + 
ansible.builtin.git: + repo: https://github.com/ipxe/ipxe.git + dest: /opt/ipxe + + - name: "{{ incus.instance.server.name | default('pxeServer') }}: make ipxe binary" + community.general.make: + chdir: /opt/ipxe/src + target: bin-x86_64-efi/ipxe.efi + jobs: 4 + + - name: "{{ incus.instance.server.name | default('pxeServer') }}: create {{ incus.instance.server.services.dnsmasq.tftp_root }} directory" + ansible.builtin.file: + path: "{{ incus.instance.server.services.dnsmasq.tftp_root | default('/srv/tftp') }}" + state: directory + + - name: "{{ incus.instance.server.name | default('pxeServer') }}: copy ipxe binary into tftp directory service" + ansible.builtin.copy: + remote_src: true + src: /opt/ipxe/src/bin-x86_64-efi/ipxe.efi + dest: "{{ incus.instance.server.services.dnsmasq.tftp_root | default('/srv/tftp') }}/ipxe.efi" + owner: dnsmasq + + - name: "{{ incus.instance.server.name | default('pxeServer') }}: configure dnsmasq tftp service" + ansible.builtin.template: + src: templates/dnsmasq/tftp.conf.j2 + dest: /etc/dnsmasq.d/tftp.conf + + - name: "{{ incus.instance.server.name | default('pxeServer') }}: configure dnsmasq dhcp service if enabled" + ansible.builtin.template: + src: templates/dnsmasq/dhcp.conf.j2 + dest: /etc/dnsmasq.d/dhcp.conf + when: incus.instance.server.services.dnsmasq.dhcp + + - name: "{{ incus.instance.server.name | default('pxeServer') }}: remove dnsmasq dhcp service file if disabled" + ansible.builtin.file: + state: absent + path: /etc/dnsmasq.d/dhcp.conf + when: not incus.instance.server.services.dnsmasq.dhcp + + - name: "{{ incus.instance.server.name | default('pxeServer') }}: activate dnsmasq systemd service" + ansible.builtin.systemd: + name: dnsmasq + state: started + +- hosts: localhost + tasks: + - name: "LOCALHOST: create empty virtual machine {{ incus.instance.client.name | default('vmTest') }} for pxebooting" + hebergemoi.incus.incus_container: + type: virtual-machine + name: "{{ incus.instance.client.name | default('vmTest') 
}}" + project: "{{ incus.project.name | default('pxe') }}" + ephemeral: "true" + state: started + source: + type: none + profiles: ["{{ incus.profile.name | default('pxe') }}"] From ab7e5d9a4735e5cefee83a0deb275812522037e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Flor=C3=A9al=20Toumikian?= Date: Sun, 19 May 2024 11:02:30 +0200 Subject: [PATCH 02/15] Added: Playbook for chat server --- playbooks/02-xmpp-server.yaml | 82 +++++++++++++++++++ .../tasks/ns/files/db.trans13nrv.eu.org.zone | 15 ++-- playbooks/vars.yml | 9 +- 3 files changed, 96 insertions(+), 10 deletions(-) create mode 100644 playbooks/02-xmpp-server.yaml diff --git a/playbooks/02-xmpp-server.yaml b/playbooks/02-xmpp-server.yaml new file mode 100644 index 0000000..9a6649c --- /dev/null +++ b/playbooks/02-xmpp-server.yaml 
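Review bot: The `clone ipxe repository` task has no `version:` key, so every run builds whatever commit `https://github.com/ipxe/ipxe.git` happens to be at that moment, and that unverified `ipxe.efi` is then copied into the TFTP root that every PXE client in the project boots from; pin it with `version: "{{ incus.ipxe.version }}"` set to a release tag or commit SHA in the config vars so the boot image is reproducible. The profile sets `security.secureboot: "false"`, which is exactly what lets this unsigned iPXE boot in the test VM — a comment such as `# iPXE built by the pxeServer play is unsigned; secure boot stays off for this lab project only` would make that deliberate rather than accidental. `ephemeral: "true"` and `wait_for_ipv4_addresses: "true"` are strings, not booleans; `true` is the Ansible convention. The play header that precedes the first `LOCALHOST:` task is not visible in this rendering, so I cannot tell which host the incus modules run on.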
@@ -0,0 +1,82 @@ +- name: Configuration of jabber server + hosts: chatservers + + tasks: + - name: Use variables + ansible.builtin.include_vars: vars.yml + + - name: Configure ejabber apt sources + ansible.builtin.blockinfile: + path: /etc/apt/sources.list.d/process-one-stable.sources + create: true + block: | + Enabled: yes + Types: deb + URIs: https://repo.process-one.net/deb + Suites: stable + Components: main + Architectures: amd64 + Signed-By: /etc/apt/keyrings/ejabberd.gpg + owner: "{{ root.user }}" + group: "{{ root.group }}" + mode: "755" + + - name: Create keyrings folder + ansible.builtin.file: + path: /etc/apt/keyrings + state: directory + owner: "{{ root.user }}" + group: "{{ root.group }}" + mode: "755" + + - name: Adding process-one (ejabberd) gpg key to apt keyring + ansible.builtin.get_url: + url: https://repo.process-one.net/ejabberd.gpg + dest: /etc/apt/keyrings/ejabberd.gpg + owner: "{{ root.user }}" + group: "{{ root.group }}" + mode: "755" + + - name: Installing required packages + ansible.builtin.package: + name: + - composer + - php-fpm + - php-curl + - php-mbstring + - php-imagick + - php-gd + - php-pgsql + - php-xml + - postgresql + - nginx + - ejabberd + - git + state: present + + - name: Cloning Movim + ansible.builtin.git: + repo: https://github.com/movim/movim.git + dest: "{{ movim.path }}" + version: "{{ movim.version }}" + + - name: Setting Mode and Ownershp + ansible.builtin.file: + path: "{{ movim.path }}" + state: directory + owner: "{{ www.user }}" + group: "{{ www.group }}" + recurse: true + mode: "755" + + - name: Installing Movim dependanciens + community.general.composer: + working_dir: "{{ movim.path }}" + command: install + become: true + become_user: "{{ www.user }}" + + - name: Cleaning up + ansible.builtin.package: + name: git + state: absent diff --git a/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone b/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone index 1f0b904..2507ead 100644 
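Review bot: The apt sources file `process-one-stable.sources` and the keyring `ejabberd.gpg` are both created with `mode: "755"`, which makes plain configuration files executable; `mode: "0644"` is the right mode for both, and `0755` belongs only on the `/etc/apt/keyrings` directory. The `get_url` of the signing key has no `checksum:`, so beyond the TLS connection nothing verifies the key that apt will trust for every package from that repository; pin it with `checksum: sha256:<digest of the published key>` once verified out of band. The movim clone is correctly pinned to `{{ movim.version }}`, but `composer install` runs against whatever `composer.lock` that tag ships, so the supply-chain guarantee is only as good as the upstream lock file.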
--- a/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone +++ b/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone @@ -1,7 +1,7 @@ $ORIGIN trans13nrv.eu.org. $TTL 300s @ SOA ns1 postmaster ( - 2024051400 ; Serial + 2024051700 ; Serial 8h ; Refresh 30m ; Retry 1w ; Expire @@ -17,15 +17,12 @@ ns1 A 137.74.82.130 ;;; XMPP ;;; ; server IP / name -;_jabber A 0.0.0.1 -;xmpp CNAME _jabber +jabber A 137.74.82.131 +xmpp CNAME jabber ; ports -;_xmpp-server._tcp IN SRV 0 0 5269 _jabber -;_xmpp-client._tcp IN SRV 0 0 5222 _jabber - -; multi-user-chat -;muc CNAME _jabber +_xmpp-server._tcp IN SRV 0 0 5269 jabber +_xmpp-client._tcp IN SRV 0 0 5222 jabber ; web UI -;chat CNAME _jabber \ No newline at end of file +chat CNAME jabber diff --git a/playbooks/vars.yml b/playbooks/vars.yml index 196086c..13a6d30 100644 --- a/playbooks/vars.yml +++ b/playbooks/vars.yml @@ -9,4 +9,11 @@ dns: - zone: domain_name: trans13nrv.eu.org root: - user: root \ No newline at end of file + user: root + group: root +www: + user: www-data + group: www-data +movim: + version: v0.24.1 + path: /var/www/chat.trans13nrv.eu.org \ No newline at end of file From f632971d1c6a0909f1fa1e58159372df06400309 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Flor=C3=A9al=20Toumikian?= Date: Sun, 19 May 2024 19:37:17 +0200 Subject: [PATCH 03/15] Added: Chat Server web fronted app installed --- playbooks/02-xmpp-server.yaml | 141 +++++++++++++++++++++++++++++----- playbooks/vars.yml | 4 +- 2 files changed, 126 insertions(+), 19 deletions(-) diff --git a/playbooks/02-xmpp-server.yaml b/playbooks/02-xmpp-server.yaml index 9a6649c..dd94b39 100644 --- a/playbooks/02-xmpp-server.yaml +++ b/playbooks/02-xmpp-server.yaml 
@@ -52,22 +52,44 @@ - nginx - ejabberd - git + - python3-certbot-nginx + - python3-psycopg2 state: present - - name: Cloning Movim - ansible.builtin.git: - repo: https://github.com/movim/movim.git - dest: "{{ movim.path }}" - version: "{{ movim.version }}" - - - name: Setting Mode and Ownershp - ansible.builtin.file: - path: "{{ movim.path }}" - state: directory - owner: "{{ www.user }}" - group: "{{ www.group }}" - recurse: true - mode: "755" + - name: Installing Movim App + block: + - name: Cloning + ansible.builtin.git: + repo: https://github.com/movim/movim.git + dest: "{{ movim.path }}" + version: "{{ movim.version }}" + rescue: + - name: Fetching + ansible.builtin.command: + argv: + - git + - fetch + chdir: "{{ movim.path }}" + become: true + become_user: "{{ www.user }}" + - name: Checking Out + ansible.builtin.command: + argv: + - git + - checkout + - "{{ movim.version }}" + chdir: "{{ movim.path }}" + become: true + become_user: "{{ www.user }}" + always: + - name: Setting Mode and Ownershp + ansible.builtin.file: + path: "{{ movim.path }}" + state: directory + owner: "{{ www.user }}" + group: "{{ www.group }}" + recurse: true + mode: "755" - name: Installing Movim dependanciens community.general.composer: 
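Review bot: The `rescue:` on the clone block runs `git fetch`/`git checkout` after any failure of the clone — a DNS or TLS error on first install would then fail a second time in `Fetching` with a less useful message, and a partially cloned directory is left behind; gating the two paths on whether `{{ movim.path }}` already exists (a `stat` before the block) is the precise condition this is trying to express. The `always:` step applies `mode: "755"` with `recurse: true`, which sets the execute bit on every file in the checkout (PHP sources and `.git/` contents included); `mode: "u=rwX,g=rX,o=rX"` gives only directories the execute bit. The `Cloning` task runs as root while the fetch/checkout run as `{{ www.user }}`, so after a root-owned clone a later fetch as `www-data` depends entirely on the `always:` chown having run — worth a comment saying so.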
@@ -76,7 +98,90 @@ become: true become_user: "{{ www.user }}" - - name: Cleaning up - ansible.builtin.package: - name: git - state: absent + - name: Create Database User + community.postgresql.postgresql_user: + user: movim + password: movim + state: present + become_user: "{{ postgres.user }}" + become: true + + - name: Create Database + community.postgresql.postgresql_db: + name: movim + owner: movim + state: present + become_user: "{{ postgres.user }}" + become: true + + - name: Setting-Up Movim execution environment + ansible.builtin.blockinfile: + path: "{{ movim.path }}/.env" + block: | + # Database configuration + DB_DRIVER=pgsql + DB_HOST=127.0.0.1 + DB_PORT=5432 + DB_DATABASE=movim + DB_USERNAME=movim + DB_PASSWORD=movim + + # Daemon configuration + DAEMON_URL=https://chat.trans13nrv.eu.org/ # Public URL of your Movim instance + DAEMON_PORT=8080 # Port on which the daemon will listen + DAEMON_INTERFACE=127.0.0.1 # Interface on which the daemon will listen, must be an IP + DAEMON_DEBUG=false + DAEMON_VERBOSE=false + + owner: "{{ www.user }}" + group: "{{ www.group }}" + create: true + mode: "600" + + - name: Migrating Database + community.general.composer: + command: "movim:migrate" + working_dir: "{{ movim.path }}" + become: true + become_user: "{{ www.user }}" + + - name: Setting-Up Movim demon service + ansible.builtin.blockinfile: + path: /etc/systemd/system/movim.service + block: | + [Unit] + Description=Movim daemon + After=nginx.service network.target local-fs.target + + [Service] + User=www-data + Type=simple + Environment=PUBLIC_URL=https://chat.trans13nrv.eu.org/ + Environment=WS_PORT=8080 + EnvironmentFile=-/etc/default/movim + ExecStart=/usr/bin/php daemon.php start + WorkingDirectory={{ movim.path }} + StandardOutput=syslog + SyslogIdentifier=movim + PIDFile=/run/movim.pid + Restart=on-failure + RestartSec=10 + + [Install] + WantedBy=multi-user.target + owner: "{{ root.user }}" + group: "{{ root.group }}" + mode: "644" + create: true + + - 
name: Reload SystemD daemon + ansible.builtin.command: + argv: + - systemctl + - daemon-reload + + - name: Enable and start Movim Damon Service + ansible.builtin.systemd_service: + service: movim.service + enabled: true + state: started diff --git a/playbooks/vars.yml b/playbooks/vars.yml index 13a6d30..68d6ad4 100644 --- a/playbooks/vars.yml +++ b/playbooks/vars.yml @@ -16,4 +16,6 @@ www: group: www-data movim: version: v0.24.1 - path: /var/www/chat.trans13nrv.eu.org \ No newline at end of file + path: /var/www/chat.trans13nrv.eu.org +postgres: + user: postgres \ No newline at end of file From ff049868e2661d5012436a42fb6f2be466857ad6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20CAMPO?= Date: Mon, 20 May 2024 15:04:05 +0200 Subject: [PATCH 04/15] First try for ejabberd configuration --- playbooks/tasks/ejabberd/ejabberd.yaml | 3 + .../tasks/ejabberd/templates/ejabberd.yaml.j2 | 275 ++++++++++++++++++ 2 files changed, 278 insertions(+) create mode 100644 playbooks/tasks/ejabberd/ejabberd.yaml create mode 100644 playbooks/tasks/ejabberd/templates/ejabberd.yaml.j2 diff --git a/playbooks/tasks/ejabberd/ejabberd.yaml b/playbooks/tasks/ejabberd/ejabberd.yaml new file mode 100644 index 0000000..eed46eb --- /dev/null +++ b/playbooks/tasks/ejabberd/ejabberd.yaml @@ -0,0 +1,3 @@ +--- +- name: Use variables + ansible.builtin.include_vars: vars.yml diff --git a/playbooks/tasks/ejabberd/templates/ejabberd.yaml.j2 b/playbooks/tasks/ejabberd/templates/ejabberd.yaml.j2 new file mode 100644 index 0000000..6c1e931 --- /dev/null +++ b/playbooks/tasks/ejabberd/templates/ejabberd.yaml.j2 
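Review bot: The database credential is hard-coded as `password: movim` in `Create Database User` and again as `DB_PASSWORD=movim` in the `.env` block, so the secret is committed to the repository and printed in Ansible output; take it from a vault-encrypted variable (`password: "{{ movim.db_password }}"`, `DB_PASSWORD={{ movim.db_password }}`) and add `no_log: true` to the user task and the `.env` task. The `movim.service` unit runs the PHP daemon as `www-data` with no sandboxing; `NoNewPrivileges=true`, `ProtectSystem=strict`, `ProtectHome=true` plus a `ReadWritePaths=` for whatever the daemon actually writes (presumably its cache directories — confirm against the app) would contain a compromise of the daemon. `PIDFile=/run/movim.pid` does nothing with `Type=simple` and `StandardOutput=syslog` is deprecated in current systemd; both lines can be dropped. The `daemon-reload` shelled out through `ansible.builtin.command` can become `daemon_reload: true` on the following `systemd_service` task.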
@@ -0,0 +1,275 @@ +loglevel: {{ service.log.level | default("none") }} +log_rotate_count: {{ service.log.rotate | default("0") }} + +hosts: +{%- for domain in service.domains %} + - {{ domain }} +{%- endfor %} + +certfiles: + - {{ service.certificate.certfile | default("/etc/ejabberd/ejabberd.pem") }} +{%- if service.certificate.keyfile %} + - service.certificate.keyfile | default("/etc/letsencrypt/live/localhost/fullchain.pem") +{%- endif %} +# - /etc/letsencrypt/live/localhost/privkey.pem + +# TLS configuration +define_macro: + 'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH" + 'TLS_OPTIONS': + - "no_sslv3" + - "no_tlsv1" + - "no_tlsv1_1" + - "cipher_server_preference" + - "no_compression" + # 'DH_FILE': "/path/to/dhparams.pem" + # generated with: openssl dhparam -out dhparams.pem 2048 + +c2s_ciphers: 'TLS_CIPHERS' +s2s_ciphers: 'TLS_CIPHERS' +c2s_protocol_options: 'TLS_OPTIONS' +s2s_protocol_options: 'TLS_OPTIONS' +# c2s_dhfile: 'DH_FILE' +# s2s_dhfile: 'DH_FILE' + +listen: + - + port: 5222 + ip: "::" + module: ejabberd_c2s + max_stanza_size: 262144 + shaper: c2s_shaper + access: c2s + starttls_required: true + protocol_options: 'TLS_OPTIONS' + - + port: 5223 + ip: "::" + module: ejabberd_c2s + max_stanza_size: 262144 + shaper: c2s_shaper + access: c2s + tls: true + protocol_options: 'TLS_OPTIONS' + - + port: 5269 + ip: "::" + module: ejabberd_s2s_in + max_stanza_size: 524288 + - + port: 5443 + ip: "::" + module: ejabberd_http + tls: true + protocol_options: 'TLS_OPTIONS' + request_handlers: + /api: mod_http_api + /bosh: mod_bosh + ## /captcha: ejabberd_captcha + ## /upload: mod_http_upload + /ws: ejabberd_http_ws + - + port: 5280 + ip: "::" + module: ejabberd_http + tls: true + protocol_options: 'TLS_OPTIONS' + request_handlers: + /admin: ejabberd_web_admin + /.well-known/acme-challenge: ejabberd_acme + - + port: 3478 + ip: "::" + transport: udp + module: ejabberd_stun + use_turn: true + ## The server's public IPv4 address: + # turn_ipv4_address: 
"203.0.113.3" + ## The server's public IPv6 address: + # turn_ipv6_address: "2001:db8::3" + - + port: 1883 + ip: "::" + module: mod_mqtt + backlog: 1000 + + +## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text +## password storage (see auth_password_format option). +disable_sasl_mechanisms: + - "digest-md5" + - "X-OAUTH2" + +s2s_use_starttls: required + +## Store the plain passwords or hashed for SCRAM: +auth_password_format: scram + +## Full path to a script that generates the image. +## captcha_cmd: "/usr/share/ejabberd/captcha.sh" + +acl: + admin: + user: + - "" + + local: + user_regexp: "" + loopback: + ip: + - 127.0.0.0/8 + - ::1/128 + +access_rules: + local: + allow: local + c2s: + deny: blocked + allow: all + announce: + allow: admin + configure: + allow: admin + muc_create: + allow: local + pubsub_createnode: + allow: local + trusted_network: + allow: loopback + +api_permissions: + "console commands": + from: + - ejabberd_ctl + who: all + what: "*" + "admin access": + who: + access: + allow: + - acl: loopback + - acl: admin + oauth: + scope: "ejabberd:admin" + access: + allow: + - acl: loopback + - acl: admin + what: + - "*" + - "!stop" + - "!start" + "public commands": + who: + ip: 127.0.0.1/8 + what: + - status + - connected_users_number + +shaper: + normal: + rate: 3000 + burst_size: 20000 + fast: 200000 + +shaper_rules: + max_user_sessions: 10 + max_user_offline_messages: + 5000: admin + 100: all + c2s_shaper: + none: admin + normal: all + s2s_shaper: fast + +modules: + mod_adhoc: {} + mod_admin_extra: {} + mod_announce: + access: announce + mod_avatar: {} + mod_blocking: {} + mod_bosh: {} + mod_caps: {} + mod_carboncopy: {} + mod_client_state: {} + mod_configure: {} + ## mod_delegation: {} # for xep0356 + mod_disco: {} + mod_fail2ban: {} + mod_http_api: {} + ## mod_http_upload: + ## put_url: https://@HOST@:5443/upload + ## custom_headers: + ## "Access-Control-Allow-Origin": "https://@HOST@" + ## "Access-Control-Allow-Methods": 
"GET,HEAD,PUT,OPTIONS" + ## "Access-Control-Allow-Headers": "Content-Type" + mod_last: {} + ## mod_mam: + ## ## Mnesia is limited to 2GB, better to use an SQL backend + ## ## For small servers SQLite is a good fit and is very easy + ## ## to configure. Uncomment this when you have SQL configured: + ## ## db_type: sql + ## assume_mam_usage: true + ## default: always + mod_mqtt: {} + mod_muc: + access: + - allow + access_admin: + - allow: admin + access_create: muc_create + access_persistent: muc_create + access_mam: + - allow + default_room_options: + mam: true + mod_muc_admin: {} + mod_offline: + access_max_user_messages: max_user_offline_messages + mod_ping: {} + mod_pres_counter: + count: 5 + interval: 60 + mod_privacy: {} + mod_private: {} + ## mod_proxy65: + ## access: local + ## max_connections: 5 + mod_pubsub: + access_createnode: pubsub_createnode + plugins: + - flat + - pep + force_node_config: + "eu.siacs.conversations.axolotl.*": + access_model: open + ## Avoid buggy clients to make their bookmarks public + storage:bookmarks: + access_model: whitelist + mod_push: {} + mod_push_keepalive: {} + ## mod_register: + ## ## Only accept registration requests from the "trusted" + ## ## network (see access_rules section above). + ## ## Think twice before enabling registration from any + ## ## address. See the Jabber SPAM Manifesto for details: + ## ## https://github.com/ge0rg/jabber-spam-fighting-manifesto + ## ip_access: trusted_network + mod_roster: + versioning: true + mod_s2s_dialback: {} + mod_shared_roster: {} + mod_sic: {} + mod_stream_mgmt: + resend_on_timeout: if_offline + mod_stun_disco: {} + mod_vcard: + search: false + mod_vcard_xupdate: {} + mod_version: {} + +### Local Variables: +### mode: yaml +### End: +### vim: set filetype=yaml tabstop=8 From e0314da734d91e7f8ffa6e1feb1760d4b68cc221 Mon Sep 17 00:00:00 2001 
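Review bot: In `certfiles:` the second entry is written as `- service.certificate.keyfile | default(...)` without `{{ }}`, so ejabberd receives that literal text as a file path and will fail to load its private key; it should read `- {{ service.certificate.keyfile }}` (the `default()` is unreachable inside `{%- if service.certificate.keyfile %}`, and `fullchain.pem` would be the wrong fallback for a key file in any case). `loglevel: {{ service.log.level | default("none") }}` silences ejabberd entirely unless the variable is set, which removes the audit trail for failed authentications and s2s connections that incident response relies on; `default("info")` is the safer baseline. The `/.well-known/acme-challenge` handler is attached to the port 5280 listener with `tls: true`, but HTTP-01 validation arrives over plain HTTP on port 80, so as written it cannot serve a challenge — if certificates come from certbot on the nginx side, the handler and `mod_http_api` on the same port can go. The admin ACL lists an empty user `""`, which reads as a placeholder; confirm the intended admin JIDs before `/admin` and `mod_admin_extra` go live.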
From: =?UTF-8?q?Flor=C3=A9al=20Toumikian?= Date: Mon, 20 May 2024 15:12:19 +0200 Subject: [PATCH 05/15] Enhancement: Better task structures --- playbooks/02-xmpp-server.yaml | 141 ++-------------- playbooks/tasks/chat/database.yml | 16 ++ .../ejabberd.yaml => chat/ejabberd.yml} | 0 playbooks/tasks/chat/movim.yml | 152 ++++++++++++++++++ playbooks/tasks/chat/nginx.yml | 0 .../templates/ejabberd.yaml.j2 | 0 playbooks/tasks/chat/tls.yml | 0 playbooks/vars.yml | 2 +- 8 files changed, 185 insertions(+), 126 deletions(-) create mode 100644 playbooks/tasks/chat/database.yml rename playbooks/tasks/{ejabberd/ejabberd.yaml => chat/ejabberd.yml} (100%) create mode 100644 playbooks/tasks/chat/movim.yml create mode 100644 playbooks/tasks/chat/nginx.yml rename playbooks/tasks/{ejabberd => chat}/templates/ejabberd.yaml.j2 (100%) create mode 100644 playbooks/tasks/chat/tls.yml diff --git a/playbooks/02-xmpp-server.yaml b/playbooks/02-xmpp-server.yaml index dd94b39..4b95d8a 100644 --- a/playbooks/02-xmpp-server.yaml +++ b/playbooks/02-xmpp-server.yaml 
@@ -50,138 +50,29 @@ - php-xml - postgresql - nginx + - certbot - ejabberd - git - python3-certbot-nginx - python3-psycopg2 state: present - - name: Installing Movim App - block: - - name: Cloning - ansible.builtin.git: - repo: https://github.com/movim/movim.git - dest: "{{ movim.path }}" - version: "{{ movim.version }}" - rescue: - - name: Fetching - ansible.builtin.command: - argv: - - git - - fetch - chdir: "{{ movim.path }}" - become: true - become_user: "{{ www.user }}" - - name: Checking Out - ansible.builtin.command: - argv: - - git - - checkout - - "{{ movim.version }}" - chdir: "{{ movim.path }}" - become: true - become_user: "{{ www.user }}" - always: - - name: Setting Mode and Ownershp - ansible.builtin.file: - path: "{{ movim.path }}" - state: directory - owner: "{{ www.user }}" - group: "{{ www.group }}" - recurse: true - mode: "755" + - name: "Ensure movim database is present and accessible" + ansible.builtin.include_tasks: + file: tasks/chat/database.yml - - name: Installing Movim dependanciens - community.general.composer: - working_dir: "{{ movim.path }}" - command: install - become: true - become_user: "{{ www.user }}" + - name: "Ensure movim version is installed - v{{ movim.version }}" + ansible.builtin.include_tasks: + file: tasks/chat/movim.yml - - name: Create Database User - community.postgresql.postgresql_user: - user: movim - password: movim - state: present - become_user: "{{ postgres.user }}" - become: true + - name: "Ensure ejabberd is configured" + ansible.builtin.include_tasks: + file: tasks/chat/ejabberd.yml - - name: Create Database - community.postgresql.postgresql_db: - name: movim - owner: movim - state: present - become_user: "{{ postgres.user }}" - become: true + - name: "Ensure nginx is configured" + ansible.builtin.include_tasks: + file: tasks/chat/nginx.yml - - name: Setting-Up Movim execution environment - ansible.builtin.blockinfile: - path: "{{ movim.path }}/.env" - block: | - # Database configuration - DB_DRIVER=pgsql - 
DB_HOST=127.0.0.1 - DB_PORT=5432 - DB_DATABASE=movim - DB_USERNAME=movim - DB_PASSWORD=movim - - # Daemon configuration - DAEMON_URL=https://chat.trans13nrv.eu.org/ # Public URL of your Movim instance - DAEMON_PORT=8080 # Port on which the daemon will listen - DAEMON_INTERFACE=127.0.0.1 # Interface on which the daemon will listen, must be an IP - DAEMON_DEBUG=false - DAEMON_VERBOSE=false - - owner: "{{ www.user }}" - group: "{{ www.group }}" - create: true - mode: "600" - - - name: Migrating Database - community.general.composer: - command: "movim:migrate" - working_dir: "{{ movim.path }}" - become: true - become_user: "{{ www.user }}" - - - name: Setting-Up Movim demon service - ansible.builtin.blockinfile: - path: /etc/systemd/system/movim.service - block: | - [Unit] - Description=Movim daemon - After=nginx.service network.target local-fs.target - - [Service] - User=www-data - Type=simple - Environment=PUBLIC_URL=https://chat.trans13nrv.eu.org/ - Environment=WS_PORT=8080 - EnvironmentFile=-/etc/default/movim - ExecStart=/usr/bin/php daemon.php start - WorkingDirectory={{ movim.path }} - StandardOutput=syslog - SyslogIdentifier=movim - PIDFile=/run/movim.pid - Restart=on-failure - RestartSec=10 - - [Install] - WantedBy=multi-user.target - owner: "{{ root.user }}" - group: "{{ root.group }}" - mode: "644" - create: true - - - name: Reload SystemD daemon - ansible.builtin.command: - argv: - - systemctl - - daemon-reload - - - name: Enable and start Movim Damon Service - ansible.builtin.systemd_service: - service: movim.service - enabled: true - state: started + - name: "Ensure X512 certs are presents" + ansible.builtin.include_tasks: + file: tasks/chat/tls.yml \ No newline at end of file diff --git a/playbooks/tasks/chat/database.yml b/playbooks/tasks/chat/database.yml new file mode 100644 index 0000000..8ee7471 --- /dev/null +++ b/playbooks/tasks/chat/database.yml 
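Review bot: The includes run `tasks/chat/ejabberd.yml` and `tasks/chat/nginx.yml` before `tasks/chat/tls.yml`, yet the ejabberd template's `certfiles:` and any TLS server block in nginx consume the certificate paths, so on a fresh host the services would be configured against files that do not exist yet; include `tls.yml` ahead of the two service includes, or make the service tasks depend on the certificate tasks. The task name `Ensure X512 certs are presents` should read `Ensure X.509 certificates are present`. Both `tasks/chat/nginx.yml` and `tasks/chat/tls.yml` are created empty in this commit, so the play currently does nothing for either step.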
@@ -0,0 +1,16 @@ +--- +- name: Ensure database user Exists + community.postgresql.postgresql_user: + user: movim + password: movim + state: present + become_user: "{{ postgres.user }}" + become: true + +- name: Ensure database exists + community.postgresql.postgresql_db: + name: movim + owner: movim + state: present + become_user: "{{ postgres.user }}" + become: true diff --git a/playbooks/tasks/ejabberd/ejabberd.yaml b/playbooks/tasks/chat/ejabberd.yml similarity index 100% rename from playbooks/tasks/ejabberd/ejabberd.yaml rename to playbooks/tasks/chat/ejabberd.yml diff --git a/playbooks/tasks/chat/movim.yml b/playbooks/tasks/chat/movim.yml new file mode 100644 index 0000000..5e1a2d3 --- /dev/null +++ b/playbooks/tasks/chat/movim.yml 
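Review bot: `Ensure database user Exists` passes `password: movim` as a plaintext literal that now lives in the repository and, because the task carries no `no_log: true`, in the Ansible output and any log collection of it; take the value from a vault-encrypted variable (`password: "{{ movim.db_password }}"`) and add `no_log: true` to the task. Giving the database `owner: movim` is the right scope for the application account — no broader role attributes are needed, and none are granted here, which is good.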
@@ -0,0 +1,152 @@ +--- +- name: Check Whether movim is present + ansible.builtin.stat: + path: "{{ movim.path }}" + register: "movim_dir" + +- name: Check whether movim is installed + ansible.builtin.set_fact: + movim_is_installed: "{{ movim_dir.stat is defined and movim_dir.stat.isdir }}" + +- name: Guess current version + block: + - name: Check movim installed tag + when: movim_is_installed + register: "movim_installed_tag" + ansible.builtin.shell: + argv: + - git + - describe + - --tags + chdir: "{{ movim.path }}" + become: true + become_user: "{{ www.user }}" + + - name: Register current movim version + ansible.builtin.set_fact: + movim_installed_version: "{{ movim_installed_tag.stdout | regex_replace('^v(\\d+)\\.(\\d+)\\.(\\d+)$', '\\1.\\2.\\3') }}" + +- name: Installing + when: not movim_is_installed + block: + - name: Cloning + ansible.builtin.git: + repo: https://github.com/movim/movim.git + dest: "{{ movim.path }}" + version: "v{{ movim.version }}" + + - name: Setting Mode and Ownershp + ansible.builtin.file: + path: "{{ movim.path }}" + state: directory + owner: "{{ www.user }}" + group: "{{ www.group }}" + recurse: true + mode: "755" + +- name: Updating + when: movim_is_installed and movim.version is version(movim_installed_version, ">", "semver") + block: + - name: Fetching + ansible.builtin.shell: + argv: + - git + - fetch + chdir: "{{ movim.path }}" + become: true + become_user: "{{ www.user }}" + - name: Checking Out + ansible.builtin.shell: + argv: + - git + - checkout + - "v{{ movim.version }}" + chdir: "{{ movim.path }}" + become: true + become_user: "{{ www.user }}" + +- name: Installing or updating Movim dependanciens + community.general.composer: + working_dir: "{{ movim.path }}" + command: install + become: true + become_user: "{{ www.user }}" + +- name: Setting-Up Movim execution environment + ansible.builtin.blockinfile: + path: "{{ movim.path }}/.env" + block: | + # Database configuration + DB_DRIVER=pgsql + DB_HOST=127.0.0.1 + DB_PORT=5432 
+ DB_DATABASE=movim + DB_USERNAME=movim + DB_PASSWORD=movim + + # Daemon configuration + DAEMON_URL=https://chat.trans13nrv.eu.org/ # Public URL of your Movim instance + DAEMON_PORT=8080 # Port on which the daemon will listen + DAEMON_INTERFACE=127.0.0.1 # Interface on which the daemon will listen, must be an IP + DAEMON_DEBUG=false + DAEMON_VERBOSE=false + + owner: "{{ www.user }}" + group: "{{ www.group }}" + create: true + mode: "600" + +- name: Migrating Database + community.general.composer: + command: "movim:migrate" + working_dir: "{{ movim.path }}" + become: true + become_user: "{{ www.user }}" + +- name: Setting-Up Movim demon service + ansible.builtin.blockinfile: + path: /etc/systemd/system/movim.service + block: | + [Unit] + Description=Movim daemon + After=nginx.service network.target local-fs.target + + [Service] + User=www-data + Type=simple + Environment=PUBLIC_URL=https://chat.trans13nrv.eu.org/ + Environment=WS_PORT=8080 + EnvironmentFile=-/etc/default/movim + ExecStart=/usr/bin/php daemon.php start + WorkingDirectory={{ movim.path }} + StandardOutput=syslog + SyslogIdentifier=movim + PIDFile=/run/movim.pid + Restart=on-failure + RestartSec=10 + + [Install] + WantedBy=multi-user.target + owner: "{{ root.user }}" + group: "{{ root.group }}" + mode: "644" + create: true + +- name: Reload SystemD daemon + ansible.builtin.shell: + argv: + - systemctl + - daemon-reload + +- name: Enable and start Movim Damon Service + when: not movim_is_installed + ansible.builtin.systemd_service: + service: movim.service + enabled: true + state: started + +- name: Enable and start Movim Damon Service + ansible.builtin.systemd_service: + service: movim.service + state: restarted + when: movim_is_installed diff --git a/playbooks/tasks/chat/nginx.yml b/playbooks/tasks/chat/nginx.yml new file mode 100644 index 0000000..e69de29 
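Review bot: `Check whether movim is installed` evaluates `movim_dir.stat is defined and movim_dir.stat.isdir`, but on a fresh host `stat` returns only `exists: false` with no `isdir` key, so the expression hits an undefined attribute; use `movim_is_installed: "{{ movim_dir.stat.exists and movim_dir.stat.isdir }}"`. The next task, `Register current movim version`, has no `when:`, so on that same fresh host `movim_installed_tag` is a skipped result with no `stdout` and the play fails before `Installing` ever runs; add `when: movim_is_installed` to it. The `git fetch`, `git checkout` and `systemctl daemon-reload` calls were switched from `ansible.builtin.command` to `ansible.builtin.shell` although they pass a fixed `argv:` — `command` is the right module for a fixed argument vector (no shell involved), and `daemon-reload` is better expressed as `daemon_reload: true` on the `systemd_service` task.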
diff --git a/playbooks/tasks/ejabberd/templates/ejabberd.yaml.j2 b/playbooks/tasks/chat/templates/ejabberd.yaml.j2 similarity index 100% rename from playbooks/tasks/ejabberd/templates/ejabberd.yaml.j2 rename to playbooks/tasks/chat/templates/ejabberd.yaml.j2 diff --git a/playbooks/tasks/chat/tls.yml b/playbooks/tasks/chat/tls.yml new file mode 100644 index 0000000..e69de29 diff --git a/playbooks/vars.yml b/playbooks/vars.yml index 68d6ad4..e47a21a 100644 --- a/playbooks/vars.yml +++ b/playbooks/vars.yml @@ -15,7 +15,7 @@ www: user: www-data group: www-data movim: - version: v0.24.1 + version: "0.24.1" path: /var/www/chat.trans13nrv.eu.org postgres: user: postgres \ No newline at end of file From db7fa4b8f758659f47740b1e6c8f3092708ce147 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Flor=C3=A9al=20Toumikian?= Date: Tue, 21 May 2024 14:30:56 +0200 Subject: [PATCH 06/15] Added: Nginx configuration & signed X509 certs installation --- playbooks/02-xmpp-server.yaml | 6 -- playbooks/tasks/chat/movim.yml | 11 ++++ playbooks/tasks/chat/nginx.yml | 76 +++++++++++++++++++++++++ playbooks/tasks/chat/templates/movim.j2 | 53 +++++++++++++++++ playbooks/tasks/chat/tls.yml | 0 playbooks/vars.yml | 8 ++- 6 files changed, 147 insertions(+), 7 deletions(-) create mode 100644 playbooks/tasks/chat/templates/movim.j2 delete mode 100644 playbooks/tasks/chat/tls.yml diff --git a/playbooks/02-xmpp-server.yaml b/playbooks/02-xmpp-server.yaml index 4b95d8a..ddc45b2 100644 --- a/playbooks/02-xmpp-server.yaml +++ b/playbooks/02-xmpp-server.yaml @@ -60,11 +60,9 @@ - name: "Ensure movim database is present and accessible" ansible.builtin.include_tasks: file: tasks/chat/database.yml - - name: "Ensure movim version is installed - v{{ movim.version }}" ansible.builtin.include_tasks: file: tasks/chat/movim.yml - - name: "Ensure ejabberd is configured" ansible.builtin.include_tasks: file: tasks/chat/ejabberd.yml 
@@ -72,7 +70,3 @@ - name: "Ensure nginx is configured" ansible.builtin.include_tasks: file: tasks/chat/nginx.yml - - - name: "Ensure X512 certs are presents" - ansible.builtin.include_tasks: - file: tasks/chat/tls.yml \ No newline at end of file diff --git a/playbooks/tasks/chat/movim.yml b/playbooks/tasks/chat/movim.yml index 5e1a2d3..e3978a9 100644 --- a/playbooks/tasks/chat/movim.yml +++ b/playbooks/tasks/chat/movim.yml @@ -132,6 +132,17 @@ mode: "644" create: true +- name: Ensure demon caches directory exists + ansible.builtin.file: + path: "{{ item }}" + owner: "{{ www.user }}" + group: "{{ www.group }}" + mode: "755" + state: directory + with_items: + - "{{ movim.path }}/cache" + - "{{ movim.path }}/public/cache" + - name: Reload SystemD daemon ansible.builtin.shell: argv: diff --git a/playbooks/tasks/chat/nginx.yml b/playbooks/tasks/chat/nginx.yml index e69de29..94ca5c2 100644 --- a/playbooks/tasks/chat/nginx.yml +++ b/playbooks/tasks/chat/nginx.yml 
@@ -0,0 +1,76 @@ +--- +- name: disable access logs + ansible.builtin.blockinfile: + path: "{{ nginx.paths.conf_d }}/10-access_log-disabled.conf" + block: | + access_log off; + create: true + +- name: Create auto redirect to TLS + ansible.builtin.blockinfile: + path: "{{ nginx.paths.sites_available }}/redirect_to_https" + block: | + server { + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; + } + create: true + +- name: Disable movim website + ansible.builtin.file: + path: "{{ nginx.paths.sites_enabled }}/{{ movim.domain }}" + state: absent + +- name: Disable auto redirect to TLS + ansible.builtin.file: + path: "{{ nginx.paths.sites_enabled }}/redirect_to_https" + state: absent + +- name: Enable default website + ansible.builtin.file: + dest: "{{ nginx.paths.sites_enabled }}/default" + src: "{{ nginx.paths.sites_available }}/default" + state: link + +- name: Install X509 certificates + ansible.builtin.command: + argv: + - certbot + - certonly + - --agree-tos + - -m psotmaster@trans13nrv.eu.org + - --nginx + - -d + - "{{ movim.domain }}" + creates: "/etc/letsencrypt/live/{{ movim.domain }}/privkey.pem" + +- name: Disable default website + ansible.builtin.file: + path: "{{ nginx.paths.sites_enabled }}/default" + state: absent + +- name: Create movim website + ansible.builtin.template: + dest: "{{ nginx.paths.sites_available }}/{{ movim.domain }}" + src: tasks/chat/templates/movim.j2 + owner: "{{ root.user }}" + group: "{{ root.group }}" + mode: "644" + +- name: Enable movim website + ansible.builtin.file: + state: link + dest: "{{ nginx.paths.sites_enabled }}/{{ movim.domain }}" + src: "{{ nginx.paths.sites_available }}/{{ movim.domain }}" + +- name: Enable auto redirect to TLS + ansible.builtin.file: + state: link + dest: "{{ nginx.paths.sites_enabled }}/redirect_to_https" + src: "{{ nginx.paths.sites_available }}/redirect_to_https" + +- name: Reload nginx service + ansible.builtin.systemd_service: + name: nginx + state: reloaded \ 
No newline at end of file diff --git a/playbooks/tasks/chat/templates/movim.j2 b/playbooks/tasks/chat/templates/movim.j2 new file mode 100644 index 0000000..110a782 --- /dev/null +++ b/playbooks/tasks/chat/templates/movim.j2 @@ -0,0 +1,53 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ movim.domain }}; + ssl_certificate /etc/letsencrypt/live/{{ movim.domain }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ movim.domain }}/privkey.pem; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + + # Where Movim public directory is setup + root {{ movim.path }}/public; + + index index.php; + + # Ask nginx to cache every URL starting with "/picture" + location /picture { + set $no_cache 0; # Enable cache only there + try_files $uri $uri/ /index.php$is_args$args; + } + + location / { + set $no_cache 1; + try_files $uri $uri/ /index.php$is_args$args; + } + + location ~ \.php$ { + add_header X-Cache $upstream_cache_status; + + fastcgi_pass unix:/run/php/php8.2-fpm.sock; + fastcgi_ignore_headers "Cache-Control" "Expires" "Set-Cookie"; + fastcgi_cache_valid any 7d; + fastcgi_cache_bypass $no_cache; + fastcgi_no_cache $no_cache; + + # Pass everything to PHP FastCGI, at the discretion of the administrator + include fastcgi.conf; + } + + location /ws/ { + proxy_pass http://127.0.0.1:8080/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_redirect off; + proxy_read_timeout 1800s; + proxy_send_timeout 1800s; + } +} \ No newline at end of file diff --git a/playbooks/tasks/chat/tls.yml b/playbooks/tasks/chat/tls.yml deleted file mode 100644 index e69de29..0000000 diff --git a/playbooks/vars.yml b/playbooks/vars.yml index e47a21a..cc54b8d 100644 
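Review bot: The certbot task `Install X509 certificates` passes `- -m psotmaster@trans13nrv.eu.org` as one argv element, so certbot receives a single token instead of the option and its value, and the address itself looks like a typo for `postmaster` (the contact the zone's SOA record uses); CA expiry and revocation notices would go to a mailbox that may not exist. Split it into two entries, `- -m` and `- postmaster@trans13nrv.eu.org`. `Reload nginx service` runs unconditionally on every play; making it a handler notified by the template and link tasks avoids reloading when nothing changed and keeps the task list idempotent.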
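Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` enables TLS 1.0 and 1.1, which are deprecated by RFC 8996 and fail most compliance baselines; it should read `ssl_protocols TLSv1.2 TLSv1.3;`. `ssl_ciphers HIGH:!aNULL:!MD5;` still admits static-RSA key exchange (no forward secrecy) and CBC suites, so an ECDHE-only AEAD cipher list is the usual companion change. Because the sibling vhost redirects HTTP to HTTPS, `add_header Strict-Transport-Security "max-age=63072000" always;` in this server block would protect returning browsers against SSL stripping. The `fastcgi_cache_valid` and `fastcgi_cache_bypass` directives reference a cache, but no `fastcgi_cache` zone is declared in this template; if none is defined elsewhere these lines are inert, and if one is, `fastcgi_ignore_headers ... "Set-Cookie"` means responses that set cookies can be cached and served to other users.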
--- a/playbooks/vars.yml +++ b/playbooks/vars.yml @@ -17,5 +17,11 @@ www: movim: version: "0.24.1" path: /var/www/chat.trans13nrv.eu.org + domain: chat.trans13nrv.eu.org postgres: - user: postgres \ No newline at end of file + user: postgres +nginx: + paths: + sites_enabled: /etc/nginx/sites-enabled + sites_available: /etc/nginx/sites-available + conf_d: /etc/nginx/conf.d \ No newline at end of file From afde58b884cb7929c4add36dd0025550065807d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Flor=C3=A9al=20Toumikian?= Date: Thu, 23 May 2024 11:56:05 +0200 Subject: [PATCH 07/15] Added: DNS zone entries related to XMPP service --- playbooks/01-primary-ns.yaml | 2 +- .../tasks/ns/files/db.trans13nrv.eu.org.zone | 34 +++++++++++++------ 2 files changed, 25 insertions(+), 11 deletions(-) diff --git a/playbooks/01-primary-ns.yaml b/playbooks/01-primary-ns.yaml index 117894d..c3fd1ea 100644 --- a/playbooks/01-primary-ns.yaml +++ b/playbooks/01-primary-ns.yaml @@ -38,4 +38,4 @@ - name: Reload bind9 service ansible.builtin.service: name: bind9 - state: reloaded + state: restarted diff --git a/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone b/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone index 2507ead..7e7a350 100644 --- a/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone +++ b/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone 
@@ -1,28 +1,42 @@ $ORIGIN trans13nrv.eu.org. $TTL 300s @ SOA ns1 postmaster ( - 2024051700 ; Serial + 2024052300 ; Serial 8h ; Refresh 30m ; Retry 1w ; Expire 1h ) ; Negative Cache TTL ; name servers - NS ns1 + NS ns1 ns1 A 137.74.82.130 ; mailing -@ MX 10 mail.hebergemoi.fr. +@ MX 10 mail.hebergemoi.fr. ;;; XMPP ;;; -; server IP / name -jabber A 137.74.82.131 -xmpp CNAME jabber +; server IP +jabber A 137.74.82.131 ; ports -_xmpp-server._tcp IN SRV 0 0 5269 jabber -_xmpp-client._tcp IN SRV 0 0 5222 jabber +_xmpp-server._tcp IN SRV 5 0 5269 xmpp +_xmpps-server._tcp IN SRV 5 0 5270 xmpp +_xmpp-client._tcp IN SRV 5 0 5222 xmpp +_xmpps-client._tcp IN SRV 5 0 5223 xmpp -; web UI -chat CNAME jabber +_stun._udp IN SRV 5 0 3478 turn +_stun._tcp IN SRV 5 0 3478 turn +_stuns._tcp IN SRV 5 0 5349 turn +_turn._udp IN SRV 5 0 3478 turn +_turn._tcp IN SRV 5 0 3478 turn +_turns._tcp IN SRV 5 0 5349 turn + +; Aliases +xmpp CNAME jabber ; XMPP Service +turn CNAME jabber ; VOIP service +chat CNAME jabber ; Web Frontend +muc CNAME jabber ; Multi-User chat +upload CNAME jabbbr ; Upload over XMPP +pubsub CNAME jabber ; Pub-Sub over XMPP +proxy CNAME jabber ; Proxy for file transfer over XMPP From 5046eae5f51fdce6ee16683dacd90a6dd9c88007 Mon Sep 17 00:00:00 2001 
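Review bot: The new SRV records (`_xmpp-server._tcp`, `_xmpps-client._tcp`, `_stun._udp`, `_turn._tcp`, and the rest) target `xmpp` and `turn`, which this same hunk defines as CNAMEs to `jabber`; RFC 2782 requires an SRV target to be a name with address records, not an alias, and some resolvers and XMPP servers reject or mishandle CNAME targets. Either point the SRV records at `jabber` or give `xmpp` and `turn` their own `A 137.74.82.131` records. `upload CNAME jabbbr` is a typo for `jabber` that leaves the upload host unresolvable. `_xmpps-server._tcp` (5270), `_stuns._tcp` and `_turns._tcp` (5349) advertise TLS endpoints that nothing in the visible playbooks listens on; provision those listeners or drop the records so clients do not stall on dead ports.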
From: =?UTF-8?q?Flor=C3=A9al=20Toumikian?= Date: Thu, 23 May 2024 19:13:11 +0200 Subject: [PATCH 08/15] Added: ejabberd config (WIP) --- playbooks/02-xmpp-server.yaml | 10 +- playbooks/tasks/chat/database.yml | 18 +- playbooks/tasks/chat/ejabberd.yml | 23 +- playbooks/tasks/chat/files/ejabberd.yml | 303 ++++++++++++++++++ playbooks/tasks/chat/movim.yml | 6 +- playbooks/tasks/chat/nginx.yml | 51 +-- .../tasks/chat/templates/ejabberd.yaml.j2 | 2 +- playbooks/tasks/chat/templates/movim.j2 | 2 +- playbooks/tasks/chat/x509.yml | 55 ++++ .../tasks/ns/files/db.trans13nrv.eu.org.zone | 5 +- playbooks/vars.yml | 5 +- 11 files changed, 420 insertions(+), 60 deletions(-) create mode 100644 playbooks/tasks/chat/files/ejabberd.yml create mode 100644 playbooks/tasks/chat/x509.yml diff --git a/playbooks/02-xmpp-server.yaml b/playbooks/02-xmpp-server.yaml index ddc45b2..8ed79b0 100644 --- a/playbooks/02-xmpp-server.yaml +++ b/playbooks/02-xmpp-server.yaml @@ -60,13 +60,19 @@ - name: "Ensure movim database is present and accessible" ansible.builtin.include_tasks: file: tasks/chat/database.yml + - name: "Ensure movim version is installed - v{{ movim.version }}" ansible.builtin.include_tasks: file: tasks/chat/movim.yml - - name: "Ensure ejabberd is configured" + + - name: "Ensure X509 certificates are properly installed" ansible.builtin.include_tasks: - file: tasks/chat/ejabberd.yml + file: tasks/chat/x509.yml - name: "Ensure nginx is configured" ansible.builtin.include_tasks: file: tasks/chat/nginx.yml + + - name: "Ensure ejabberd is configured" + ansible.builtin.include_tasks: + file: tasks/chat/ejabberd.yml diff --git a/playbooks/tasks/chat/database.yml b/playbooks/tasks/chat/database.yml index 8ee7471..bfb8610 100644 --- a/playbooks/tasks/chat/database.yml +++ b/playbooks/tasks/chat/database.yml 
@@ -1,16 +1,22 @@ --- -- name: Ensure database user Exists +- name: Ensure databases user exist community.postgresql.postgresql_user: - user: movim - password: movim + user: "{{ item }}" + password: "{{ item }}" state: present become_user: "{{ postgres.user }}" become: true + with_items: + - movim + - ejabberd -- name: Ensure database exists +- name: Ensure databases exist community.postgresql.postgresql_db: - name: movim - owner: movim + name: "{{ item }}" + owner: "{{ item }}" state: present become_user: "{{ postgres.user }}" become: true + with_items: + - movim + - ejabberd diff --git a/playbooks/tasks/chat/ejabberd.yml b/playbooks/tasks/chat/ejabberd.yml index eed46eb..95555cc 100644 --- a/playbooks/tasks/chat/ejabberd.yml +++ b/playbooks/tasks/chat/ejabberd.yml @@ -1,3 +1,22 @@ --- -- name: Use variables - ansible.builtin.include_vars: vars.yml +- name: Create ejabberd configuration file + ansible.builtin.copy: + src: tasks/chat/files/ejabberd.yml + dest: /opt/ejabberd/conf/ejabberd.yml + owner: "{{ ejabberd.user }}" + group: "{{ ejabberd.group }}" + mode: "644" + +- name: Create ejabberd upload directory + ansible.builtin.file: + path: /opt/ejabberd/upload + state: directory + owner: "{{ ejabberd.user }}" + group: "{{ ejabberd.group }}" + mode: "755" + +- name: Restart ejabberd service + ansible.builtin.service: + name: ejabberd + state: restarted + diff --git a/playbooks/tasks/chat/files/ejabberd.yml b/playbooks/tasks/chat/files/ejabberd.yml new file mode 100644 index 0000000..0085df2 --- /dev/null +++ b/playbooks/tasks/chat/files/ejabberd.yml 
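Review bot: `password: "{{ item }}"` sets each PostgreSQL role's password equal to its role name (`movim`/`movim`, `ejabberd`/`ejabberd`), so any local process that can reach the socket, and anyone who can read this repository, gets database access with a guessable credential. Generate or vault per-role secrets, for example `password: "{{ db_passwords[item] }}"` with the mapping in an Ansible Vault file, and mark the task `no_log: true` so the value is not echoed in play output. The same secret then has to flow into the consumers (`.env` for Movim, `sql_password` for ejabberd), which are currently hard-coded in separate files.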
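Review bot: `Create ejabberd configuration file` installs `/opt/ejabberd/conf/ejabberd.yml` with `mode: "644"`; the file carries `sql_password` and the admin ACL, so it should not be world-readable, and `mode: "0640"` with owner/group ejabberd is enough for the daemon. `Restart ejabberd service` runs on every play whether or not the config changed, dropping all client and server-to-server sessions each time the playbook is applied; make it a handler notified by the copy task, and use a config reload instead of a restart if the installed ejabberd unit supports one. Because the config is copied as a static file rather than templated, environment-specific secrets cannot be pulled from vaulted variables.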
@@ -0,0 +1,303 @@ +loglevel: warning + +log_rotate_count: 0 + +hosts: + - trans13nrv.eu.org + +fqdn: xmpp.trans13nrv.eu.org + +certfiles: + - "/etc/letsencrypt/live/trans13nrv.eu.org/privkey.pem" + - "/etc/letsencrypt/live/trans13nrv.eu.org/fullchain.pem" + +update_sql_schema: true +new_sql_schema: true +sql_type: pgsql +sql_server: localhost +sql_database: ejabberd +sql_username: ejabberd +sql_password: ejabberd +auth_method: [sql] + +default_db: sql + +acme: + auto: false + +language: fr + +define_macro: + 'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH" + 'TLS_OPTIONS': + - "no_sslv3" + - "no_tlsv1" + - "no_tlsv1_1" + - "cipher_server_preference" + - "no_compression" + # 'DH_FILE': "/path/to/dhparams.pem" + # generated with: openssl dhparam -out dhparams.pem 2048 + +c2s_ciphers: 'TLS_CIPHERS' +s2s_ciphers: 'TLS_CIPHERS' +c2s_protocol_options: 'TLS_OPTIONS' +s2s_protocol_options: 'TLS_OPTIONS' +# c2s_dhfile: 'DH_FILE' +# s2s_dhfile: 'DH_FILE' + +listen: + - + port: 5222 + ip: "137.74.82.131" + module: ejabberd_c2s + max_stanza_size: 262144 + shaper: c2s_shaper + access: c2s + starttls: true + - + port: 5223 + ip: "137.74.82.131" + module: ejabberd_c2s + max_stanza_size: 262144 + shaper: c2s_shaper + access: c2s + tls: true + - + port: 5269 + ip: "137.74.82.131" + module: ejabberd_s2s_in + max_stanza_size: 524288 + - + port: 5443 + ip: "137.74.82.131" + module: ejabberd_http + tls: true + protocol_options: 'TLS_OPTIONS' + request_handlers: + /api: mod_http_api + /bosh: mod_bosh + ## /captcha: ejabberd_captcha + /upload: mod_http_upload + /ws: ejabberd_http_ws + custom_headers: + "Access-Control-Allow-Origin": "*" + "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT" + "Access-Control-Allow-Headers": "Authorization" + "Access-Control-Allow-Credentials": "true" +# - +# port: 5280 +# module: ejabberd_http +# tls: false +# protocol_options: 'TLS_OPTIONS' +# request_handlers: {} +# /.well-known/acme-challenge: ejabberd_acme +# /admin: ejabberd_web_admin + - + 
port: 3478 + ip: "137.74.82.131" + transport: udp + module: ejabberd_stun + use_turn: true + turn_ipv4_address: "137.74.82.131" + - + port: 1883 + ip: "137.74.82.131" + module: mod_mqtt + backlog: 1000 + + +## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text +## password storage (see auth_password_format option). +disable_sasl_mechanisms: + - "digest-md5" + - "X-OAUTH2" + +s2s_use_starttls: required + +## Store the plain passwords or hashed for SCRAM: +auth_password_format: scram + +## Full path to a script that generates the image. +## captcha_cmd: "/usr/share/ejabberd/captcha.sh" + +acl: + admin: + user: + - "stupeflo@trans13nrv.eu.org" + - "llowin@trans13nrv.eu.org" + + local: + user_regexp: "" + loopback: + ip: + - 127.0.0.0/8 + - ::1/128 + +access_rules: + local: + allow: local + c2s: + deny: blocked + allow: all + announce: + allow: admin + configure: + allow: admin + muc_create: + allow: local + pubsub_createnode: + allow: local + trusted_network: + allow: loopback + +api_permissions: + "console commands": + from: + - ejabberd_ctl + who: all + what: "*" + "admin access": + who: + access: + allow: + - acl: loopback + - acl: admin + oauth: + scope: "ejabberd:admin" + access: + allow: + - acl: loopback + - acl: admin + what: + - "*" + - "!stop" + - "!start" + "public commands": + who: + ip: 127.0.0.1/8 + what: + - status + - connected_users_number + +shaper: + normal: + rate: 3000 + burst_size: 20000 + fast: 200000 + +shaper_rules: + max_user_sessions: 10 + max_user_offline_messages: + 5000: admin + 100: all + c2s_shaper: + none: admin + normal: all + s2s_shaper: fast + +modules: + mod_admin_update_sql: {} + mod_adhoc: {} + mod_admin_extra: {} + mod_announce: + access: announce + mod_avatar: {} + mod_blocking: {} + mod_bosh: {} + mod_caps: {} + mod_carboncopy: {} + mod_client_state: {} + mod_configure: {} + ## mod_delegation: {} # for xep0356 + mod_disco: {} + mod_fail2ban: {} + mod_http_api: {} + mod_http_upload: + name: "HTTP File 
Upload" + access: local + max_size: 104857600 # 100 MiB. + file_mode: "0640" + dir_mode: "2750" + docroot: "/opt/ejabberd/upload/@HOST@" + put_url: "https://@HOST@:8443/upload" + thumbnail: false + hosts: + - upload.trans13nrv.eu.org + mod_last: {} + mod_mam: + ## Mnesia is limited to 2GB, better to use an SQL backend + ## For small servers SQLite is a good fit and is very easy + ## to configure. Uncomment this when you have SQL configured: + db_type: sql + assume_mam_usage: true + default: always + mod_mqtt: {} + mod_muc: + access: + - allow + access_admin: + - allow: admin + access_create: muc_create + access_persistent: muc_create + access_mam: + - allow + default_room_options: + mam: true + host: muc.trans13nrv.eu.org + mod_muc_admin: {} + mod_offline: + access_max_user_messages: max_user_offline_messages + mod_ping: {} + mod_pres_counter: + count: 5 + interval: 60 + mod_privacy: {} + mod_private: {} + ## mod_proxy65: + ## access: local + ## max_connections: 5 + mod_pubsub: + access_createnode: pubsub_createnode + ignore_pep_from_offline: false + last_item_cache: false + max_items_node: 1000 + default_node_config: + max_items: 1000 + plugins: + - "flat" + - "pep" + host: pubsub.trans13nrv.eu.org + force_node_config: + "eu.siacs.conversations.axolotl.*": + access_model: open + ## Avoid buggy clients to make their bookmarks public + storage:bookmarks: + access_model: whitelist + mod_push: {} + mod_push_keepalive: {} + ## mod_register: + ## ## Only accept registration requests from the "trusted" + ## ## network (see access_rules section above). + ## ## Think twice before enabling registration from any + ## ## address. 
See the Jabber SPAM Manifesto for details: + ## ## https://github.com/ge0rg/jabber-spam-fighting-manifesto + ## ip_access: trusted_network + mod_register: + ip_access: trusted_network + mod_roster: + versioning: true + mod_s2s_dialback: {} + mod_shared_roster: {} + mod_sic: {} + mod_stream_mgmt: + resend_on_timeout: if_offline + mod_stun_disco: {} + mod_vcard: + search: false + mod_vcard_xupdate: {} + mod_version: {} + +### Local Variables: +### mode: yaml +### End: +### vim: set filetype=yaml tabstop=8 \ No newline at end of file diff --git a/playbooks/tasks/chat/movim.yml b/playbooks/tasks/chat/movim.yml index e3978a9..571ce0f 100644 --- a/playbooks/tasks/chat/movim.yml +++ b/playbooks/tasks/chat/movim.yml @@ -132,7 +132,7 @@ mode: "644" create: true -- name: Ensure demon caches directory exists +- name: Ensure demon cache directories exists ansible.builtin.file: path: "{{ item }}" owner: "{{ www.user }}" @@ -149,12 +149,12 @@ - systemctl - daemon-reload -- name: Enable and start Movim Damon Service +- name: Enable and restarted Movim Damon Service when: not movim_is_installed ansible.builtin.systemd_service: service: movim.service enabled: true - state: started + state: restarted - name: Enable and start Movim Damon Service ansible.builtin.systemd_service: diff --git a/playbooks/tasks/chat/nginx.yml b/playbooks/tasks/chat/nginx.yml index 94ca5c2..4e3e9f6 100644 --- a/playbooks/tasks/chat/nginx.yml +++ b/playbooks/tasks/chat/nginx.yml @@ -1,12 +1,5 @@ --- -- name: disable access logs - ansible.builtin.blockinfile: - path: "{{ nginx.paths.conf_d }}/10-access_log-disabled.conf" - block: | - access_log off; - create: true - -- name: Create auto redirect to TLS +- name: Create auto redirect to TLS for movim ansible.builtin.blockinfile: path: "{{ nginx.paths.sites_available }}/redirect_to_https" block: | 
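Review bot: The 5222 c2s listener is configured with `starttls: true`, which merely offers STARTTLS, so a client may complete SASL and exchange stanzas over plaintext; the earlier Jinja template used `starttls_required: true` and this static file should too. The 5443 HTTP listener sets `"Access-Control-Allow-Origin": "*"` together with `"Access-Control-Allow-Credentials": "true"`, a combination browsers reject for credentialed requests, and a wildcard origin on `/api` (mod_http_api) and `/ws` is broader than needed; restrict it to the web frontend origin `https://chat.trans13nrv.eu.org`. The `mod_mqtt` listener on 1883 has no `tls: true`, so MQTT CONNECT credentials for XMPP accounts cross the public IP in cleartext; add TLS (conventionally port 8883) or bind it to loopback. `put_url: "https://@HOST@:8443/upload"` names port 8443 while the only HTTP listener is 5443, so uploads will fail unless something outside these playbooks proxies 8443. `sql_password: ejabberd` is a cleartext credential committed to the repository; template this file and take the value from a vaulted variable.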
@@ -17,39 +10,6 @@ } create: true -- name: Disable movim website - ansible.builtin.file: - path: "{{ nginx.paths.sites_enabled }}/{{ movim.domain }}" - state: absent - -- name: Disable auto redirect to TLS - ansible.builtin.file: - path: "{{ nginx.paths.sites_enabled }}/redirect_to_https" - state: absent - -- name: Enable default website - ansible.builtin.file: - dest: "{{ nginx.paths.sites_enabled }}/default" - src: "{{ nginx.paths.sites_available }}/default" - state: link - -- name: Install X509 certificates - ansible.builtin.command: - argv: - - certbot - - certonly - - --agree-tos - - -m psotmaster@trans13nrv.eu.org - - --nginx - - -d - - "{{ movim.domain }}" - creates: "/etc/letsencrypt/live/{{ movim.domain }}/privkey.pem" - -- name: Disable default website - ansible.builtin.file: - path: "{{ nginx.paths.sites_enabled }}/default" - state: absent - - name: Create movim website ansible.builtin.template: dest: "{{ nginx.paths.sites_available }}/{{ movim.domain }}" @@ -70,7 +30,14 @@ dest: "{{ nginx.paths.sites_enabled }}/redirect_to_https" src: "{{ nginx.paths.sites_available }}/redirect_to_https" +- name: Set access logs to off + ansible.builtin.blockinfile: + path: "{{ nginx.paths.conf_d }}/10-access_log-disabled.conf" + block: | + access_log off; + create: true + - name: Reload nginx service ansible.builtin.systemd_service: name: nginx - state: reloaded \ No newline at end of file + state: restarted diff --git a/playbooks/tasks/chat/templates/ejabberd.yaml.j2 b/playbooks/tasks/chat/templates/ejabberd.yaml.j2 index 6c1e931..635d205 100644 --- a/playbooks/tasks/chat/templates/ejabberd.yaml.j2 +++ b/playbooks/tasks/chat/templates/ejabberd.yaml.j2 @@ -209,7 +209,7 @@ modules: ## ## Mnesia is limited to 2GB, better to use an SQL backend ## ## For small servers SQLite is a good fit and is very easy ## ## to configure. Uncomment this when you have SQL configured: - ## ## db_type: sql + ## ## db_type: sql ## assume_mam_usage: true ## default: always mod_mqtt: {} 
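Review bot: `Set access logs to off` writes `access_log off;` into conf.d, which disables HTTP access logging for every vhost on the host and removes the primary evidence source for incident response, abuse triage and tools such as fail2ban. If the motivation is privacy, a `log_format` that omits `$remote_addr` keeps the trail without storing client IPs; otherwise keep access logs at least for the TLS vhost, or ship them to a central collector with a retention policy, rather than switching them off globally. `Reload nginx service` now uses `state: restarted`, which drops in-flight connections on every play even when no config changed; `state: reloaded` from a handler is the safer default.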
diff --git a/playbooks/tasks/chat/templates/movim.j2 b/playbooks/tasks/chat/templates/movim.j2 index 110a782..2c4cd8b 100644 --- a/playbooks/tasks/chat/templates/movim.j2 +++ b/playbooks/tasks/chat/templates/movim.j2 @@ -5,7 +5,7 @@ server { server_name {{ movim.domain }}; ssl_certificate /etc/letsencrypt/live/{{ movim.domain }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{{ movim.domain }}/privkey.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; # Where Movim public directory is setup diff --git a/playbooks/tasks/chat/x509.yml b/playbooks/tasks/chat/x509.yml new file mode 100644 index 0000000..ff8be84 --- /dev/null +++ b/playbooks/tasks/chat/x509.yml 
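Review bot: With `ssl_protocols TLSv1.2 TLSv1.3;` in place, `ssl_ciphers HIGH:!aNULL:!MD5;` is now the weak link: under TLS 1.2 it still permits static-RSA key exchange (no forward secrecy) and CBC suites. Replace it with an ECDHE-only AEAD list such as `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;`. Since the redirect vhost already forces HTTPS, add `add_header Strict-Transport-Security "max-age=63072000" always;` so returning browsers refuse a stripped-to-HTTP connection. The server block starts and ends outside this hunk.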
@@ -0,0 +1,55 @@ +--- +- name: Disable movim website + ansible.builtin.file: + path: "{{ nginx.paths.sites_enabled }}/{{ movim.domain }}" + state: absent + +- name: Disable auto redirect to TLS + ansible.builtin.file: + path: "{{ nginx.paths.sites_enabled }}/redirect_to_https" + state: absent + +- name: Enable default website + ansible.builtin.file: + dest: "{{ nginx.paths.sites_enabled }}/default" + src: "{{ nginx.paths.sites_available }}/default" + state: link + +- name: Install X509 certificates for movim + ansible.builtin.command: + argv: + - certbot + - certonly + - --agree-tos + - -m + - psotmaster@trans13nrv.eu.org + - --nginx + - -d + - "{{ movim.domain }}" + creates: "/etc/letsencrypt/live/{{ movim.domain }}*/privkey.pem" + +- name: Install X509 certificates for ejabberd hosts + ansible.builtin.command: + argv: + - certbot + - certonly + - --agree-tos + - -m + - psotmaster@trans13nrv.eu.org + - --nginx + - -d + - trans13nrv.eu.org + - -d + - xmpp.trans13nrv.eu.org + - -d + - muc.trans13nrv.eu.org + - -d + - "pubsub.trans13nrv.eu.org" + - -d + - upload.trans13nrv.eu.org + creates: "/etc/letsencrypt/live/trans13nrv.eu.org/privkey.pem" + +- name: Disable default website + ansible.builtin.file: + path: "{{ nginx.paths.sites_enabled }}/default" + state: absent diff --git a/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone b/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone index 7e7a350..d7fad54 100644 --- a/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone +++ b/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone @@ -1,7 +1,7 @@ $ORIGIN trans13nrv.eu.org. $TTL 300s @ SOA ns1 postmaster ( - 2024052300 ; Serial + 2024052340 ; Serial 8h ; Refresh 30m ; Retry 1w ; Expire @@ -18,6 +18,7 @@ ns1 A 137.74.82.130 ;;; XMPP ;;; ; server IP jabber A 137.74.82.131 +@ A 137.74.82.131 ; ports _xmpp-server._tcp IN SRV 5 0 5269 xmpp 
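Review bot: Both certbot tasks register `psotmaster@trans13nrv.eu.org`, which looks like a typo for `postmaster` (the contact the zone's SOA record uses); CA expiry and incident notices would go to a mailbox that may not exist. Neither invocation sets `--deploy-hook`, so when certbot's renewal timer issues a new certificate nginx and ejabberd keep serving the old one until something restarts them; a hook that reloads nginx and tells ejabberd to reload its certificates closes that gap unless renewal hooks are managed elsewhere. The ejabberd config points `certfiles` at `/etc/letsencrypt/live/trans13nrv.eu.org/`, but `live/` and `archive/` are root-only by default and ejabberd runs as the `ejabberd` user, so the key may be unreadable by the daemon — worth verifying on the host and, if so, copying it with restricted group permissions from the same hook. The `creates:` glob for the movim lineage is fine and also matches a `-0001` lineage, which is presumably intended.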
@@ -37,6 +38,6 @@ xmpp CNAME jabber ; XMPP Service turn CNAME jabber ; VOIP service chat CNAME jabber ; Web Frontend muc CNAME jabber ; Multi-User chat -upload CNAME jabbbr ; Upload over XMPP +upload CNAME jabber ; Upload over XMPP pubsub CNAME jabber ; Pub-Sub over XMPP proxy CNAME jabber ; Proxy for file transfer over XMPP diff --git a/playbooks/vars.yml b/playbooks/vars.yml index cc54b8d..f8c7687 100644 --- a/playbooks/vars.yml +++ b/playbooks/vars.yml @@ -24,4 +24,7 @@ nginx: paths: sites_enabled: /etc/nginx/sites-enabled sites_available: /etc/nginx/sites-available - conf_d: /etc/nginx/conf.d \ No newline at end of file + conf_d: /etc/nginx/conf.d +ejabberd: + user: ejabberd + group: ejabberd \ No newline at end of file From dd1ad2beb783d9407c040a3d53562d81dea5fbf0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Flor=C3=A9al=20Toumikian?= Date: Sun, 19 May 2024 11:02:30 +0200 Subject: [PATCH 09/15] Added: Playbook for chat server --- playbooks/02-xmpp-server.yaml | 82 +++++++++++++++++++ .../tasks/ns/files/db.trans13nrv.eu.org.zone | 15 ++-- playbooks/vars.yml | 9 +- 3 files changed, 96 insertions(+), 10 deletions(-) create mode 100644 playbooks/02-xmpp-server.yaml diff --git a/playbooks/02-xmpp-server.yaml b/playbooks/02-xmpp-server.yaml new file mode 100644 index 0000000..9a6649c --- /dev/null +++ b/playbooks/02-xmpp-server.yaml 
@@ -0,0 +1,82 @@ +- name: Configuration of jabber server + hosts: chatservers + + tasks: + - name: Use variables + ansible.builtin.include_vars: vars.yml + + - name: Configure ejabber apt sources + ansible.builtin.blockinfile: + path: /etc/apt/sources.list.d/process-one-stable.sources + create: true + block: | + Enabled: yes + Types: deb + URIs: https://repo.process-one.net/deb + Suites: stable + Components: main + Architectures: amd64 + Signed-By: /etc/apt/keyrings/ejabberd.gpg + owner: "{{ root.user }}" + group: "{{ root.group }}" + mode: "755" + + - name: Create keyrings folder + ansible.builtin.file: + path: /etc/apt/keyrings + state: directory + owner: "{{ root.user }}" + group: "{{ root.group }}" + mode: "755" + + - name: Adding process-one (ejabberd) gpg key to apt keyring + ansible.builtin.get_url: + url: https://repo.process-one.net/ejabberd.gpg + dest: /etc/apt/keyrings/ejabberd.gpg + owner: "{{ root.user }}" + group: "{{ root.group }}" + mode: "755" + + - name: Installing required packages + ansible.builtin.package: + name: + - composer + - php-fpm + - php-curl + - php-mbstring + - php-imagick + - php-gd + - php-pgsql + - php-xml + - postgresql + - nginx + - ejabberd + - git + state: present + + - name: Cloning Movim + ansible.builtin.git: + repo: https://github.com/movim/movim.git + dest: "{{ movim.path }}" + version: "{{ movim.version }}" + + - name: Setting Mode and Ownershp + ansible.builtin.file: + path: "{{ movim.path }}" + state: directory + owner: "{{ www.user }}" + group: "{{ www.group }}" + recurse: true + mode: "755" + + - name: Installing Movim dependanciens + community.general.composer: + working_dir: "{{ movim.path }}" + command: install + become: true + become_user: "{{ www.user }}" + + - name: Cleaning up + ansible.builtin.package: + name: git + state: absent diff --git a/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone b/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone index 1f0b904..2507ead 100644 
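Review bot: The apt `.sources` file and the `ejabberd.gpg` keyring are created with `mode: "755"`; neither is executable and both only need to be world-readable, so `mode: "0644"` is the correct value (`/etc/apt/keyrings` itself can stay 0755). `Adding process-one (ejabberd) gpg key to apt keyring` fetches the repository's signing key with `get_url` and no `checksum:`; that key is the trust anchor for every later `ejabberd` package install, so pin it with `checksum: sha256:<digest>` so a compromised or intercepted download cannot substitute a key. `Cloning Movim` checks out `version: v0.24.1`, a tag upstream can move; pinning the commit hash (or verifying the tag signature) makes the deployment reproducible. `Cleaning up` removes `git` after the clone, but `ansible.builtin.git` needs the binary on the next run, so the play is not idempotent as written.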
--- a/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone +++ b/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone @@ -1,7 +1,7 @@ $ORIGIN trans13nrv.eu.org. $TTL 300s @ SOA ns1 postmaster ( - 2024051400 ; Serial + 2024051700 ; Serial 8h ; Refresh 30m ; Retry 1w ; Expire @@ -17,15 +17,12 @@ ns1 A 137.74.82.130 ;;; XMPP ;;; ; server IP / name -;_jabber A 0.0.0.1 -;xmpp CNAME _jabber +jabber A 137.74.82.131 +xmpp CNAME jabber ; ports -;_xmpp-server._tcp IN SRV 0 0 5269 _jabber -;_xmpp-client._tcp IN SRV 0 0 5222 _jabber - -; multi-user-chat -;muc CNAME _jabber +_xmpp-server._tcp IN SRV 0 0 5269 jabber +_xmpp-client._tcp IN SRV 0 0 5222 jabber ; web UI -;chat CNAME _jabber \ No newline at end of file +chat CNAME jabber diff --git a/playbooks/vars.yml b/playbooks/vars.yml index 196086c..13a6d30 100644 --- a/playbooks/vars.yml +++ b/playbooks/vars.yml @@ -9,4 +9,11 @@ dns: - zone: domain_name: trans13nrv.eu.org root: - user: root \ No newline at end of file + user: root + group: root +www: + user: www-data + group: www-data +movim: + version: v0.24.1 + path: /var/www/chat.trans13nrv.eu.org \ No newline at end of file From 516bb508deb9fcf1dc09063a1a0494dff6aee909 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Flor=C3=A9al=20Toumikian?= Date: Sun, 19 May 2024 19:37:17 +0200 Subject: [PATCH 10/15] Added: Chat Server web fronted app installed --- playbooks/02-xmpp-server.yaml | 141 +++++++++++++++++++++++++++++----- playbooks/vars.yml | 4 +- 2 files changed, 126 insertions(+), 19 deletions(-) diff --git a/playbooks/02-xmpp-server.yaml b/playbooks/02-xmpp-server.yaml index 9a6649c..dd94b39 100644 --- a/playbooks/02-xmpp-server.yaml +++ b/playbooks/02-xmpp-server.yaml 
@@ -52,22 +52,44 @@ - nginx - ejabberd - git + - python3-certbot-nginx + - python3-psycopg2 state: present - - name: Cloning Movim - ansible.builtin.git: - repo: https://github.com/movim/movim.git - dest: "{{ movim.path }}" - version: "{{ movim.version }}" - - - name: Setting Mode and Ownershp - ansible.builtin.file: - path: "{{ movim.path }}" - state: directory - owner: "{{ www.user }}" - group: "{{ www.group }}" - recurse: true - mode: "755" + - name: Installing Movim App + block: + - name: Cloning + ansible.builtin.git: + repo: https://github.com/movim/movim.git + dest: "{{ movim.path }}" + version: "{{ movim.version }}" + rescue: + - name: Fetching + ansible.builtin.command: + argv: + - git + - fetch + chdir: "{{ movim.path }}" + become: true + become_user: "{{ www.user }}" + - name: Checking Out + ansible.builtin.command: + argv: + - git + - checkout + - "{{ movim.version }}" + chdir: "{{ movim.path }}" + become: true + become_user: "{{ www.user }}" + always: + - name: Setting Mode and Ownershp + ansible.builtin.file: + path: "{{ movim.path }}" + state: directory + owner: "{{ www.user }}" + group: "{{ www.group }}" + recurse: true + mode: "755" - name: Installing Movim dependanciens community.general.composer: 
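Review bot: The `always:` task applies `mode: "755"` with `recurse: true` to the whole checkout, which marks every source file executable and world-readable because a numeric mode gives files and directories the same bits. Use symbolic permissions so only directories (and files already executable) receive the execute bit, `mode: "u=rwX,g=rX,o=rX"`, and keep any file under `{{ movim.path }}` that later holds credentials out of this recursive pass. The `rescue:` path runs `git fetch`/`git checkout` as `{{ www.user }}` against a tree the first run cloned as root, which only works once the `always:` chown has run; the enclosing task list continues past this hunk.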
@@ -76,7 +98,90 @@ become: true become_user: "{{ www.user }}" - - name: Cleaning up - ansible.builtin.package: - name: git - state: absent + - name: Create Database User + community.postgresql.postgresql_user: + user: movim + password: movim + state: present + become_user: "{{ postgres.user }}" + become: true + + - name: Create Database + community.postgresql.postgresql_db: + name: movim + owner: movim + state: present + become_user: "{{ postgres.user }}" + become: true + + - name: Setting-Up Movim execution environment + ansible.builtin.blockinfile: + path: "{{ movim.path }}/.env" + block: | + # Database configuration + DB_DRIVER=pgsql + DB_HOST=127.0.0.1 + DB_PORT=5432 + DB_DATABASE=movim + DB_USERNAME=movim + DB_PASSWORD=movim + + # Daemon configuration + DAEMON_URL=https://chat.trans13nrv.eu.org/ # Public URL of your Movim instance + DAEMON_PORT=8080 # Port on which the daemon will listen + DAEMON_INTERFACE=127.0.0.1 # Interface on which the daemon will listen, must be an IP + DAEMON_DEBUG=false + DAEMON_VERBOSE=false + + owner: "{{ www.user }}" + group: "{{ www.group }}" + create: true + mode: "600" + + - name: Migrating Database + community.general.composer: + command: "movim:migrate" + working_dir: "{{ movim.path }}" + become: true + become_user: "{{ www.user }}" + + - name: Setting-Up Movim demon service + ansible.builtin.blockinfile: + path: /etc/systemd/system/movim.service + block: | + [Unit] + Description=Movim daemon + After=nginx.service network.target local-fs.target + + [Service] + User=www-data + Type=simple + Environment=PUBLIC_URL=https://chat.trans13nrv.eu.org/ + Environment=WS_PORT=8080 + EnvironmentFile=-/etc/default/movim + ExecStart=/usr/bin/php daemon.php start + WorkingDirectory={{ movim.path }} + StandardOutput=syslog + SyslogIdentifier=movim + PIDFile=/run/movim.pid + Restart=on-failure + RestartSec=10 + + [Install] + WantedBy=multi-user.target + owner: "{{ root.user }}" + group: "{{ root.group }}" + mode: "644" + create: true + + - 
name: Reload SystemD daemon + ansible.builtin.command: + argv: + - systemctl + - daemon-reload + + - name: Enable and start Movim Damon Service + ansible.builtin.systemd_service: + service: movim.service + enabled: true + state: started diff --git a/playbooks/vars.yml b/playbooks/vars.yml index 13a6d30..68d6ad4 100644 --- a/playbooks/vars.yml +++ b/playbooks/vars.yml @@ -16,4 +16,6 @@ www: group: www-data movim: version: v0.24.1 - path: /var/www/chat.trans13nrv.eu.org \ No newline at end of file + path: /var/www/chat.trans13nrv.eu.org +postgres: + user: postgres \ No newline at end of file From 3ee2c682b3216c838734c1e57437d710e24f6937 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20CAMPO?= Date: Mon, 20 May 2024 15:04:05 +0200 Subject: [PATCH 11/15] First try for ejabberd configuration --- playbooks/tasks/ejabberd/ejabberd.yaml | 3 + .../tasks/ejabberd/templates/ejabberd.yaml.j2 | 275 ++++++++++++++++++ 2 files changed, 278 insertions(+) create mode 100644 playbooks/tasks/ejabberd/ejabberd.yaml create mode 100644 playbooks/tasks/ejabberd/templates/ejabberd.yaml.j2 diff --git a/playbooks/tasks/ejabberd/ejabberd.yaml b/playbooks/tasks/ejabberd/ejabberd.yaml new file mode 100644 index 0000000..eed46eb --- /dev/null +++ b/playbooks/tasks/ejabberd/ejabberd.yaml @@ -0,0 +1,3 @@ +--- +- name: Use variables + ansible.builtin.include_vars: vars.yml diff --git a/playbooks/tasks/ejabberd/templates/ejabberd.yaml.j2 b/playbooks/tasks/ejabberd/templates/ejabberd.yaml.j2 new file mode 100644 index 0000000..6c1e931 --- /dev/null +++ b/playbooks/tasks/ejabberd/templates/ejabberd.yaml.j2 
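Review bot: `Create Database User` sets `password: movim` and the `.env` block repeats `DB_PASSWORD=movim`, so a production credential equal to the user name is hard-coded in the repository; move it to an Ansible Vault variable, reference it from both places (`password: "{{ movim_db_password }}"` and `DB_PASSWORD={{ movim_db_password }}`), and mark the postgresql_user task `no_log: true` so it is not printed in play output. The `.env` task correctly uses `mode: "600"`, but the earlier task in this play that recurses `mode: "755"` over `{{ movim.path }}` makes the file world-readable on re-runs until this task resets it. The systemd unit runs the daemon as `www-data` with no sandboxing; `NoNewPrivileges=true`, `ProtectSystem=strict` with `ReadWritePaths={{ movim.path }}` and `PrivateTmp=true` are low-risk additions for a PHP daemon, and `StandardOutput=syslog` is deprecated in current systemd in favour of the journal. The `Reload SystemD daemon` shell task can be `ansible.builtin.systemd_service: daemon_reload: true`, which avoids an always-changed command.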
@@ -0,0 +1,275 @@ +loglevel: {{ service.log.level | default("none") }} +log_rotate_count: {{ service.log.rotate | default("0") }} + +hosts: +{%- for domain in service.domains %} + - {{ domain }} +{%- endfor %} + +certfiles: + - {{ service.certificate.certfile | default("/etc/ejabberd/ejabberd.pem") }} +{%- if service.certificate.keyfile %} + - service.certificate.keyfile | default("/etc/letsencrypt/live/localhost/fullchain.pem") +{%- endif %} +# - /etc/letsencrypt/live/localhost/privkey.pem + +# TLS configuration +define_macro: + 'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH" + 'TLS_OPTIONS': + - "no_sslv3" + - "no_tlsv1" + - "no_tlsv1_1" + - "cipher_server_preference" + - "no_compression" + # 'DH_FILE': "/path/to/dhparams.pem" + # generated with: openssl dhparam -out dhparams.pem 2048 + +c2s_ciphers: 'TLS_CIPHERS' +s2s_ciphers: 'TLS_CIPHERS' +c2s_protocol_options: 'TLS_OPTIONS' +s2s_protocol_options: 'TLS_OPTIONS' +# c2s_dhfile: 'DH_FILE' +# s2s_dhfile: 'DH_FILE' + +listen: + - + port: 5222 + ip: "::" + module: ejabberd_c2s + max_stanza_size: 262144 + shaper: c2s_shaper + access: c2s + starttls_required: true + protocol_options: 'TLS_OPTIONS' + - + port: 5223 + ip: "::" + module: ejabberd_c2s + max_stanza_size: 262144 + shaper: c2s_shaper + access: c2s + tls: true + protocol_options: 'TLS_OPTIONS' + - + port: 5269 + ip: "::" + module: ejabberd_s2s_in + max_stanza_size: 524288 + - + port: 5443 + ip: "::" + module: ejabberd_http + tls: true + protocol_options: 'TLS_OPTIONS' + request_handlers: + /api: mod_http_api + /bosh: mod_bosh + ## /captcha: ejabberd_captcha + ## /upload: mod_http_upload + /ws: ejabberd_http_ws + - + port: 5280 + ip: "::" + module: ejabberd_http + tls: true + protocol_options: 'TLS_OPTIONS' + request_handlers: + /admin: ejabberd_web_admin + /.well-known/acme-challenge: ejabberd_acme + - + port: 3478 + ip: "::" + transport: udp + module: ejabberd_stun + use_turn: true + ## The server's public IPv4 address: + # turn_ipv4_address: 
"203.0.113.3" + ## The server's public IPv6 address: + # turn_ipv6_address: "2001:db8::3" + - + port: 1883 + ip: "::" + module: mod_mqtt + backlog: 1000 + + +## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text +## password storage (see auth_password_format option). +disable_sasl_mechanisms: + - "digest-md5" + - "X-OAUTH2" + +s2s_use_starttls: required + +## Store the plain passwords or hashed for SCRAM: +auth_password_format: scram + +## Full path to a script that generates the image. +## captcha_cmd: "/usr/share/ejabberd/captcha.sh" + +acl: + admin: + user: + - "" + + local: + user_regexp: "" + loopback: + ip: + - 127.0.0.0/8 + - ::1/128 + +access_rules: + local: + allow: local + c2s: + deny: blocked + allow: all + announce: + allow: admin + configure: + allow: admin + muc_create: + allow: local + pubsub_createnode: + allow: local + trusted_network: + allow: loopback + +api_permissions: + "console commands": + from: + - ejabberd_ctl + who: all + what: "*" + "admin access": + who: + access: + allow: + - acl: loopback + - acl: admin + oauth: + scope: "ejabberd:admin" + access: + allow: + - acl: loopback + - acl: admin + what: + - "*" + - "!stop" + - "!start" + "public commands": + who: + ip: 127.0.0.1/8 + what: + - status + - connected_users_number + +shaper: + normal: + rate: 3000 + burst_size: 20000 + fast: 200000 + +shaper_rules: + max_user_sessions: 10 + max_user_offline_messages: + 5000: admin + 100: all + c2s_shaper: + none: admin + normal: all + s2s_shaper: fast + +modules: + mod_adhoc: {} + mod_admin_extra: {} + mod_announce: + access: announce + mod_avatar: {} + mod_blocking: {} + mod_bosh: {} + mod_caps: {} + mod_carboncopy: {} + mod_client_state: {} + mod_configure: {} + ## mod_delegation: {} # for xep0356 + mod_disco: {} + mod_fail2ban: {} + mod_http_api: {} + ## mod_http_upload: + ## put_url: https://@HOST@:5443/upload + ## custom_headers: + ## "Access-Control-Allow-Origin": "https://@HOST@" + ## "Access-Control-Allow-Methods": 
"GET,HEAD,PUT,OPTIONS" + ## "Access-Control-Allow-Headers": "Content-Type" + mod_last: {} + ## mod_mam: + ## ## Mnesia is limited to 2GB, better to use an SQL backend + ## ## For small servers SQLite is a good fit and is very easy + ## ## to configure. Uncomment this when you have SQL configured: + ## ## db_type: sql + ## assume_mam_usage: true + ## default: always + mod_mqtt: {} + mod_muc: + access: + - allow + access_admin: + - allow: admin + access_create: muc_create + access_persistent: muc_create + access_mam: + - allow + default_room_options: + mam: true + mod_muc_admin: {} + mod_offline: + access_max_user_messages: max_user_offline_messages + mod_ping: {} + mod_pres_counter: + count: 5 + interval: 60 + mod_privacy: {} + mod_private: {} + ## mod_proxy65: + ## access: local + ## max_connections: 5 + mod_pubsub: + access_createnode: pubsub_createnode + plugins: + - flat + - pep + force_node_config: + "eu.siacs.conversations.axolotl.*": + access_model: open + ## Avoid buggy clients to make their bookmarks public + storage:bookmarks: + access_model: whitelist + mod_push: {} + mod_push_keepalive: {} + ## mod_register: + ## ## Only accept registration requests from the "trusted" + ## ## network (see access_rules section above). + ## ## Think twice before enabling registration from any + ## ## address. See the Jabber SPAM Manifesto for details: + ## ## https://github.com/ge0rg/jabber-spam-fighting-manifesto + ## ip_access: trusted_network + mod_roster: + versioning: true + mod_s2s_dialback: {} + mod_shared_roster: {} + mod_sic: {} + mod_stream_mgmt: + resend_on_timeout: if_offline + mod_stun_disco: {} + mod_vcard: + search: false + mod_vcard_xupdate: {} + mod_version: {} + +### Local Variables: +### mode: yaml +### End: +### vim: set filetype=yaml tabstop=8 From b1b8fc733f9d8d7c1130d01d091e2b6899ced946 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Flor=C3=A9al=20Toumikian?= Date: Mon, 20 May 2024 15:12:19 +0200 Subject: [PATCH 12/15] Enhancement: Better task structures --- playbooks/02-xmpp-server.yaml | 141 ++-------------- playbooks/tasks/chat/database.yml | 16 ++ .../ejabberd.yaml => chat/ejabberd.yml} | 0 playbooks/tasks/chat/movim.yml | 152 ++++++++++++++++++ playbooks/tasks/chat/nginx.yml | 0 .../templates/ejabberd.yaml.j2 | 0 playbooks/tasks/chat/tls.yml | 0 playbooks/vars.yml | 2 +- 8 files changed, 185 insertions(+), 126 deletions(-) create mode 100644 playbooks/tasks/chat/database.yml rename playbooks/tasks/{ejabberd/ejabberd.yaml => chat/ejabberd.yml} (100%) create mode 100644 playbooks/tasks/chat/movim.yml create mode 100644 playbooks/tasks/chat/nginx.yml rename playbooks/tasks/{ejabberd => chat}/templates/ejabberd.yaml.j2 (100%) create mode 100644 playbooks/tasks/chat/tls.yml diff --git a/playbooks/02-xmpp-server.yaml b/playbooks/02-xmpp-server.yaml index dd94b39..4b95d8a 100644 --- a/playbooks/02-xmpp-server.yaml +++ b/playbooks/02-xmpp-server.yaml 
@@ -50,138 +50,29 @@ - php-xml - postgresql - nginx + - certbot - ejabberd - git - python3-certbot-nginx - python3-psycopg2 state: present - - name: Installing Movim App - block: - - name: Cloning - ansible.builtin.git: - repo: https://github.com/movim/movim.git - dest: "{{ movim.path }}" - version: "{{ movim.version }}" - rescue: - - name: Fetching - ansible.builtin.command: - argv: - - git - - fetch - chdir: "{{ movim.path }}" - become: true - become_user: "{{ www.user }}" - - name: Checking Out - ansible.builtin.command: - argv: - - git - - checkout - - "{{ movim.version }}" - chdir: "{{ movim.path }}" - become: true - become_user: "{{ www.user }}" - always: - - name: Setting Mode and Ownershp - ansible.builtin.file: - path: "{{ movim.path }}" - state: directory - owner: "{{ www.user }}" - group: "{{ www.group }}" - recurse: true - mode: "755" + - name: "Ensure movim database is present and accessible" + ansible.builtin.include_tasks: + file: tasks/chat/database.yml - - name: Installing Movim dependanciens - community.general.composer: - working_dir: "{{ movim.path }}" - command: install - become: true - become_user: "{{ www.user }}" + - name: "Ensure movim version is installed - v{{ movim.version }}" + ansible.builtin.include_tasks: + file: tasks/chat/movim.yml - - name: Create Database User - community.postgresql.postgresql_user: - user: movim - password: movim - state: present - become_user: "{{ postgres.user }}" - become: true + - name: "Ensure ejabberd is configured" + ansible.builtin.include_tasks: + file: tasks/chat/ejabberd.yml - - name: Create Database - community.postgresql.postgresql_db: - name: movim - owner: movim - state: present - become_user: "{{ postgres.user }}" - become: true + - name: "Ensure nginx is configured" + ansible.builtin.include_tasks: + file: tasks/chat/nginx.yml - - name: Setting-Up Movim execution environment - ansible.builtin.blockinfile: - path: "{{ movim.path }}/.env" - block: | - # Database configuration - DB_DRIVER=pgsql - 
DB_HOST=127.0.0.1 - DB_PORT=5432 - DB_DATABASE=movim - DB_USERNAME=movim - DB_PASSWORD=movim - - # Daemon configuration - DAEMON_URL=https://chat.trans13nrv.eu.org/ # Public URL of your Movim instance - DAEMON_PORT=8080 # Port on which the daemon will listen - DAEMON_INTERFACE=127.0.0.1 # Interface on which the daemon will listen, must be an IP - DAEMON_DEBUG=false - DAEMON_VERBOSE=false - - owner: "{{ www.user }}" - group: "{{ www.group }}" - create: true - mode: "600" - - - name: Migrating Database - community.general.composer: - command: "movim:migrate" - working_dir: "{{ movim.path }}" - become: true - become_user: "{{ www.user }}" - - - name: Setting-Up Movim demon service - ansible.builtin.blockinfile: - path: /etc/systemd/system/movim.service - block: | - [Unit] - Description=Movim daemon - After=nginx.service network.target local-fs.target - - [Service] - User=www-data - Type=simple - Environment=PUBLIC_URL=https://chat.trans13nrv.eu.org/ - Environment=WS_PORT=8080 - EnvironmentFile=-/etc/default/movim - ExecStart=/usr/bin/php daemon.php start - WorkingDirectory={{ movim.path }} - StandardOutput=syslog - SyslogIdentifier=movim - PIDFile=/run/movim.pid - Restart=on-failure - RestartSec=10 - - [Install] - WantedBy=multi-user.target - owner: "{{ root.user }}" - group: "{{ root.group }}" - mode: "644" - create: true - - - name: Reload SystemD daemon - ansible.builtin.command: - argv: - - systemctl - - daemon-reload - - - name: Enable and start Movim Damon Service - ansible.builtin.systemd_service: - service: movim.service - enabled: true - state: started + - name: "Ensure X512 certs are presents" + ansible.builtin.include_tasks: + file: tasks/chat/tls.yml \ No newline at end of file diff --git a/playbooks/tasks/chat/database.yml b/playbooks/tasks/chat/database.yml new file mode 100644 index 0000000..8ee7471 --- /dev/null +++ b/playbooks/tasks/chat/database.yml 
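Review bot: The last include is named `Ensure X512 certs are presents`; the standard is X.509, so `Ensure X509 certs are present` reads correctly. The files tasks/chat/nginx.yml and tasks/chat/tls.yml are created empty in this same commit, so those two `include_tasks` are placeholders until they are filled in — worth saying so in the task names or a comment. The enclosing package-install task starts before this hunk.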
@@ -0,0 +1,16 @@ +--- +- name: Ensure database user Exists + community.postgresql.postgresql_user: + user: movim + password: movim + state: present + become_user: "{{ postgres.user }}" + become: true + +- name: Ensure database exists + community.postgresql.postgresql_db: + name: movim + owner: movim + state: present + become_user: "{{ postgres.user }}" + become: true diff --git a/playbooks/tasks/ejabberd/ejabberd.yaml b/playbooks/tasks/chat/ejabberd.yml similarity index 100% rename from playbooks/tasks/ejabberd/ejabberd.yaml rename to playbooks/tasks/chat/ejabberd.yml diff --git a/playbooks/tasks/chat/movim.yml b/playbooks/tasks/chat/movim.yml new file mode 100644 index 0000000..5e1a2d3 --- /dev/null +++ b/playbooks/tasks/chat/movim.yml 
@@ -0,0 +1,152 @@ +--- +- name: Check Whether movim is present + ansible.builtin.stat: + path: "{{ movim.path }}" + register: "movim_dir" + +- name: Check whether movim is installed + ansible.builtin.set_fact: + movim_is_installed: "{{ movim_dir.stat is defined and movim_dir.stat.isdir }}" + +- name: Guess current version + block: + - name: Check movim installed tag + when: movim_is_installed + register: "movim_installed_tag" + ansible.builtin.shell: + argv: + - git + - describe + - --tags + chdir: "{{ movim.path }}" + become: true + become_user: "{{ www.user }}" + + - name: Register current movim version + ansible.builtin.set_fact: + movim_installed_version: "{{ movim_installed_tag.stdout | regex_replace('^v(\\d+)\\.(\\d+)\\.(\\d+)$', '\\1.\\2.\\3') }}" + +- name: Installing + when: not movim_is_installed + block: + - name: Cloning + ansible.builtin.git: + repo: https://github.com/movim/movim.git + dest: "{{ movim.path }}" + version: "v{{ movim.version }}" + + - name: Setting Mode and Ownershp + ansible.builtin.file: + path: "{{ movim.path }}" + state: directory + owner: "{{ www.user }}" + group: "{{ www.group }}" + recurse: true + mode: "755" + +- name: Updating + when: movim_is_installed and movim.version is version(movim_installed_version, ">", "semver") + block: + - name: Fetching + ansible.builtin.shell: + argv: + - git + - fetch + chdir: "{{ movim.path }}" + become: true + become_user: "{{ www.user }}" + - name: Checking Out + ansible.builtin.shell: + argv: + - git + - checkout + - "v{{ movim.version }}" + chdir: "{{ movim.path }}" + become: true + become_user: "{{ www.user }}" + +- name: Installing or updating Movim dependanciens + community.general.composer: + working_dir: "{{ movim.path }}" + command: install + become: true + become_user: "{{ www.user }}" + +- name: Setting-Up Movim execution environment + ansible.builtin.blockinfile: + path: "{{ movim.path }}/.env" + block: | + # Database configuration + DB_DRIVER=pgsql + DB_HOST=127.0.0.1 + DB_PORT=5432 
+ DB_DATABASE=movim + DB_USERNAME=movim + DB_PASSWORD=movim + + # Daemon configuration + DAEMON_URL=https://chat.trans13nrv.eu.org/ # Public URL of your Movim instance + DAEMON_PORT=8080 # Port on which the daemon will listen + DAEMON_INTERFACE=127.0.0.1 # Interface on which the daemon will listen, must be an IP + DAEMON_DEBUG=false + DAEMON_VERBOSE=false + + owner: "{{ www.user }}" + group: "{{ www.group }}" + create: true + mode: "600" + +- name: Migrating Database + community.general.composer: + command: "movim:migrate" + working_dir: "{{ movim.path }}" + become: true + become_user: "{{ www.user }}" + +- name: Setting-Up Movim demon service + ansible.builtin.blockinfile: + path: /etc/systemd/system/movim.service + block: | + [Unit] + Description=Movim daemon + After=nginx.service network.target local-fs.target + + [Service] + User=www-data + Type=simple + Environment=PUBLIC_URL=https://chat.trans13nrv.eu.org/ + Environment=WS_PORT=8080 + EnvironmentFile=-/etc/default/movim + ExecStart=/usr/bin/php daemon.php start + WorkingDirectory={{ movim.path }} + StandardOutput=syslog + SyslogIdentifier=movim + PIDFile=/run/movim.pid + Restart=on-failure + RestartSec=10 + + [Install] + WantedBy=multi-user.target + owner: "{{ root.user }}" + group: "{{ root.group }}" + mode: "644" + create: true + +- name: Reload SystemD daemon + ansible.builtin.shell: + argv: + - systemctl + - daemon-reload + +- name: Enable and start Movim Damon Service + when: not movim_is_installed + ansible.builtin.systemd_service: + service: movim.service + enabled: true + state: started + +- name: Enable and start Movim Damon Service + ansible.builtin.systemd_service: + service: movim.service + state: restarted + when: movim_is_installed diff --git a/playbooks/tasks/chat/nginx.yml b/playbooks/tasks/chat/nginx.yml new file mode 100644 index 0000000..e69de29 
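Review bot: `movim_is_installed: "{{ movim_dir.stat is defined and movim_dir.stat.isdir }}"` fails on a fresh host: when the path does not exist `stat` returns only `exists: false`, so `.isdir` is undefined and the template errors; use `movim_dir.stat.exists and movim_dir.stat.isdir`. In the `Guess current version` block the `when: movim_is_installed` guards only the `git describe` task, so on a fresh host `Register current movim version` still reads `movim_installed_tag.stdout` from a skipped result; move the `when` up to the block. The git and systemctl tasks switched from `ansible.builtin.command` to `ansible.builtin.shell` while still passing `argv`; `argv` is documented on `command`, which does not go through a shell, so it is the safer choice for these fixed argument lists. `git describe --tags` also wants `changed_when: false` so a read-only check does not report a change. Two tasks share the name `Enable and start Movim Damon Service`; the second one restarts and should say so.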
diff --git a/playbooks/tasks/ejabberd/templates/ejabberd.yaml.j2 b/playbooks/tasks/chat/templates/ejabberd.yaml.j2 similarity index 100% rename from playbooks/tasks/ejabberd/templates/ejabberd.yaml.j2 rename to playbooks/tasks/chat/templates/ejabberd.yaml.j2 diff --git a/playbooks/tasks/chat/tls.yml b/playbooks/tasks/chat/tls.yml new file mode 100644 index 0000000..e69de29 diff --git a/playbooks/vars.yml b/playbooks/vars.yml index 68d6ad4..e47a21a 100644 --- a/playbooks/vars.yml +++ b/playbooks/vars.yml @@ -15,7 +15,7 @@ www: user: www-data group: www-data movim: - version: v0.24.1 + version: "0.24.1" path: /var/www/chat.trans13nrv.eu.org postgres: user: postgres \ No newline at end of file From a407c386e16537a90ce9cbd5e752e81450b8074d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Flor=C3=A9al=20Toumikian?= Date: Tue, 21 May 2024 14:30:56 +0200 Subject: [PATCH 13/15] Added: Nginx configuration & signed X509 certs installation --- playbooks/02-xmpp-server.yaml | 6 -- playbooks/tasks/chat/movim.yml | 11 ++++ playbooks/tasks/chat/nginx.yml | 76 +++++++++++++++++++++++++ playbooks/tasks/chat/templates/movim.j2 | 53 +++++++++++++++++ playbooks/tasks/chat/tls.yml | 0 playbooks/vars.yml | 8 ++- 6 files changed, 147 insertions(+), 7 deletions(-) create mode 100644 playbooks/tasks/chat/templates/movim.j2 delete mode 100644 playbooks/tasks/chat/tls.yml diff --git a/playbooks/02-xmpp-server.yaml b/playbooks/02-xmpp-server.yaml index 4b95d8a..ddc45b2 100644 --- a/playbooks/02-xmpp-server.yaml +++ b/playbooks/02-xmpp-server.yaml @@ -60,11 +60,9 @@ - name: "Ensure movim database is present and accessible" ansible.builtin.include_tasks: file: tasks/chat/database.yml - - name: "Ensure movim version is installed - v{{ movim.version }}" ansible.builtin.include_tasks: file: tasks/chat/movim.yml - - name: "Ensure ejabberd is configured" ansible.builtin.include_tasks: file: tasks/chat/ejabberd.yml 
@@ -72,7 +70,3 @@ - name: "Ensure nginx is configured" ansible.builtin.include_tasks: file: tasks/chat/nginx.yml - - - name: "Ensure X512 certs are presents" - ansible.builtin.include_tasks: - file: tasks/chat/tls.yml \ No newline at end of file diff --git a/playbooks/tasks/chat/movim.yml b/playbooks/tasks/chat/movim.yml index 5e1a2d3..e3978a9 100644 --- a/playbooks/tasks/chat/movim.yml +++ b/playbooks/tasks/chat/movim.yml @@ -132,6 +132,17 @@ mode: "644" create: true +- name: Ensure demon caches directory exists + ansible.builtin.file: + path: "{{ item }}" + owner: "{{ www.user }}" + group: "{{ www.group }}" + mode: "755" + state: directory + with_items: + - "{{ movim.path }}/cache" + - "{{ movim.path }}/public/cache" + - name: Reload SystemD daemon ansible.builtin.shell: argv: diff --git a/playbooks/tasks/chat/nginx.yml b/playbooks/tasks/chat/nginx.yml index e69de29..94ca5c2 100644 --- a/playbooks/tasks/chat/nginx.yml +++ b/playbooks/tasks/chat/nginx.yml 
@@ -0,0 +1,76 @@ +--- +- name: disable access logs + ansible.builtin.blockinfile: + path: "{{ nginx.paths.conf_d }}/10-access_log-disabled.conf" + block: | + access_log off; + create: true + +- name: Create auto redirect to TLS + ansible.builtin.blockinfile: + path: "{{ nginx.paths.sites_available }}/redirect_to_https" + block: | + server { + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; + } + create: true + +- name: Disable movim website + ansible.builtin.file: + path: "{{ nginx.paths.sites_enabled }}/{{ movim.domain }}" + state: absent + +- name: Disable auto redirect to TLS + ansible.builtin.file: + path: "{{ nginx.paths.sites_enabled }}/redirect_to_https" + state: absent + +- name: Enable default website + ansible.builtin.file: + dest: "{{ nginx.paths.sites_enabled }}/default" + src: "{{ nginx.paths.sites_available }}/default" + state: link + +- name: Install X509 certificates + ansible.builtin.command: + argv: + - certbot + - certonly + - --agree-tos + - -m psotmaster@trans13nrv.eu.org + - --nginx + - -d + - "{{ movim.domain }}" + creates: "/etc/letsencrypt/live/{{ movim.domain }}/privkey.pem" + +- name: Disable default website + ansible.builtin.file: + path: "{{ nginx.paths.sites_enabled }}/default" + state: absent + +- name: Create movim website + ansible.builtin.template: + dest: "{{ nginx.paths.sites_available }}/{{ movim.domain }}" + src: tasks/chat/templates/movim.j2 + owner: "{{ root.user }}" + group: "{{ root.group }}" + mode: "644" + +- name: Enable movim website + ansible.builtin.file: + state: link + dest: "{{ nginx.paths.sites_enabled }}/{{ movim.domain }}" + src: "{{ nginx.paths.sites_available }}/{{ movim.domain }}" + +- name: Enable auto redirect to TLS + ansible.builtin.file: + state: link + dest: "{{ nginx.paths.sites_enabled }}/redirect_to_https" + src: "{{ nginx.paths.sites_available }}/redirect_to_https" + +- name: Reload nginx service + ansible.builtin.systemd_service: + name: nginx + state: reloaded \ 
No newline at end of file diff --git a/playbooks/tasks/chat/templates/movim.j2 b/playbooks/tasks/chat/templates/movim.j2 new file mode 100644 index 0000000..110a782 --- /dev/null +++ b/playbooks/tasks/chat/templates/movim.j2 @@ -0,0 +1,53 @@ +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + + server_name {{ movim.domain }}; + ssl_certificate /etc/letsencrypt/live/{{ movim.domain }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ movim.domain }}/privkey.pem; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_ciphers HIGH:!aNULL:!MD5; + + # Where Movim public directory is setup + root {{ movim.path }}/public; + + index index.php; + + # Ask nginx to cache every URL starting with "/picture" + location /picture { + set $no_cache 0; # Enable cache only there + try_files $uri $uri/ /index.php$is_args$args; + } + + location / { + set $no_cache 1; + try_files $uri $uri/ /index.php$is_args$args; + } + + location ~ \.php$ { + add_header X-Cache $upstream_cache_status; + + fastcgi_pass unix:/run/php/php8.2-fpm.sock; + fastcgi_ignore_headers "Cache-Control" "Expires" "Set-Cookie"; + fastcgi_cache_valid any 7d; + fastcgi_cache_bypass $no_cache; + fastcgi_no_cache $no_cache; + + # Pass everything to PHP FastCGI, at the discretion of the administrator + include fastcgi.conf; + } + + location /ws/ { + proxy_pass http://127.0.0.1:8080/; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "Upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto https; + proxy_redirect off; + proxy_read_timeout 1800s; + proxy_send_timeout 1800s; + } +} \ No newline at end of file diff --git a/playbooks/tasks/chat/tls.yml b/playbooks/tasks/chat/tls.yml deleted file mode 100644 index e69de29..0000000 diff --git a/playbooks/vars.yml b/playbooks/vars.yml index e47a21a..cc54b8d 100644 
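Review bot: In `Install X509 certificates`, `- -m psotmaster@trans13nrv.eu.org` is a single argv element, so certbot receives the flag and its value as one token with an embedded space; split it into `- -m` and `- postmaster@trans13nrv.eu.org` (the address itself looks misspelled — confirm). `access_log off;` in conf.d removes the only per-request record on the front end, which makes abuse of the `/ws/` proxy or the PHP endpoints hard to investigate; if privacy is the goal, a reduced log format is an alternative to no log at all. The symlink tasks remove and recreate the site links on every run and the final reload is unconditional, so the play never converges; `notify` handlers on the template and link tasks would keep it idempotent.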
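Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` re-enables TLS 1.0 and 1.1 on the public vhost, which contradicts the `no_tlsv1`/`no_tlsv1_1` options the ejabberd template sets for the same host; `ssl_protocols TLSv1.2 TLSv1.3;` is the consistent choice, and `ssl_ciphers HIGH:!aNULL:!MD5;` can be tightened alongside it. The `fastcgi_cache_*` directives assume a cache zone declared elsewhere (nginx.conf or a conf.d snippet); nothing in this series declares one, so confirm it exists or the block will fail validation. A short comment above the `location /ws/` block noting that it fronts the Movim daemon on `127.0.0.1:8080` would help the next reader.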
--- a/playbooks/vars.yml +++ b/playbooks/vars.yml @@ -17,5 +17,11 @@ www: movim: version: "0.24.1" path: /var/www/chat.trans13nrv.eu.org + domain: chat.trans13nrv.eu.org postgres: - user: postgres \ No newline at end of file + user: postgres +nginx: + paths: + sites_enabled: /etc/nginx/sites-enabled + sites_available: /etc/nginx/sites-available + conf_d: /etc/nginx/conf.d \ No newline at end of file From 74f64936948bd0a877684ba169501a67bbc817d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Flor=C3=A9al=20Toumikian?= Date: Thu, 23 May 2024 11:56:05 +0200 Subject: [PATCH 14/15] Added: DNS zone entries related to XMPP service --- playbooks/01-primary-ns.yaml | 2 +- .../tasks/ns/files/db.trans13nrv.eu.org.zone | 34 +++++++++++++------ 2 files changed, 25 insertions(+), 11 deletions(-) diff --git a/playbooks/01-primary-ns.yaml b/playbooks/01-primary-ns.yaml index 117894d..c3fd1ea 100644 --- a/playbooks/01-primary-ns.yaml +++ b/playbooks/01-primary-ns.yaml @@ -38,4 +38,4 @@ - name: Reload bind9 service ansible.builtin.service: name: bind9 - state: reloaded + state: restarted diff --git a/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone b/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone index 2507ead..7e7a350 100644 --- a/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone +++ b/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone 
@@ -1,28 +1,42 @@ $ORIGIN trans13nrv.eu.org. $TTL 300s @ SOA ns1 postmaster ( - 2024051700 ; Serial + 2024052300 ; Serial 8h ; Refresh 30m ; Retry 1w ; Expire 1h ) ; Negative Cache TTL ; name servers - NS ns1 + NS ns1 ns1 A 137.74.82.130 ; mailing -@ MX 10 mail.hebergemoi.fr. +@ MX 10 mail.hebergemoi.fr. ;;; XMPP ;;; -; server IP / name -jabber A 137.74.82.131 -xmpp CNAME jabber +; server IP +jabber A 137.74.82.131 ; ports -_xmpp-server._tcp IN SRV 0 0 5269 jabber -_xmpp-client._tcp IN SRV 0 0 5222 jabber +_xmpp-server._tcp IN SRV 5 0 5269 xmpp +_xmpps-server._tcp IN SRV 5 0 5270 xmpp +_xmpp-client._tcp IN SRV 5 0 5222 xmpp +_xmpps-client._tcp IN SRV 5 0 5223 xmpp -; web UI -chat CNAME jabber +_stun._udp IN SRV 5 0 3478 turn +_stun._tcp IN SRV 5 0 3478 turn +_stuns._tcp IN SRV 5 0 5349 turn +_turn._udp IN SRV 5 0 3478 turn +_turn._tcp IN SRV 5 0 3478 turn +_turns._tcp IN SRV 5 0 5349 turn + +; Aliases +xmpp CNAME jabber ; XMPP Service +turn CNAME jabber ; VOIP service +chat CNAME jabber ; Web Frontend +muc CNAME jabber ; Multi-User chat +upload CNAME jabbbr ; Upload over XMPP +pubsub CNAME jabber ; Pub-Sub over XMPP +proxy CNAME jabber ; Proxy for file transfer over XMPP From 1229621854ffa389bb16d278bea01e7973c5534f Mon Sep 17 00:00:00 2001 
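Review bot: `upload CNAME jabbbr` points at a name that does not exist in the zone (typo for `jabber`), so the upload alias will not resolve. The SRV targets `xmpp` and `turn` are themselves CNAMEs, which RFC 2782 forbids for SRV targets and which some resolvers and XMPP clients reject; point the `_xmpp-*`, `_xmpps-*`, `_stun*` and `_turn*` records at `jabber` directly. The zone also advertises 5270 and 5349, which do not appear among the ejabberd listeners visible in this series — confirm those listeners exist or drop the records.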
From: =?UTF-8?q?Flor=C3=A9al=20Toumikian?= Date: Thu, 23 May 2024 19:13:11 +0200 Subject: [PATCH 15/15] Added: ejabberd config (WIP) --- playbooks/02-xmpp-server.yaml | 10 +- playbooks/tasks/chat/database.yml | 18 +- playbooks/tasks/chat/ejabberd.yml | 23 +- playbooks/tasks/chat/files/ejabberd.yml | 303 ++++++++++++++++++ playbooks/tasks/chat/movim.yml | 6 +- playbooks/tasks/chat/nginx.yml | 51 +-- .../tasks/chat/templates/ejabberd.yaml.j2 | 2 +- playbooks/tasks/chat/templates/movim.j2 | 2 +- playbooks/tasks/chat/x509.yml | 55 ++++ .../tasks/ns/files/db.trans13nrv.eu.org.zone | 5 +- playbooks/vars.yml | 5 +- 11 files changed, 420 insertions(+), 60 deletions(-) create mode 100644 playbooks/tasks/chat/files/ejabberd.yml create mode 100644 playbooks/tasks/chat/x509.yml diff --git a/playbooks/02-xmpp-server.yaml b/playbooks/02-xmpp-server.yaml index ddc45b2..8ed79b0 100644 --- a/playbooks/02-xmpp-server.yaml +++ b/playbooks/02-xmpp-server.yaml @@ -60,13 +60,19 @@ - name: "Ensure movim database is present and accessible" ansible.builtin.include_tasks: file: tasks/chat/database.yml + - name: "Ensure movim version is installed - v{{ movim.version }}" ansible.builtin.include_tasks: file: tasks/chat/movim.yml - - name: "Ensure ejabberd is configured" + + - name: "Ensure X509 certificates are properly installed" ansible.builtin.include_tasks: - file: tasks/chat/ejabberd.yml + file: tasks/chat/x509.yml - name: "Ensure nginx is configured" ansible.builtin.include_tasks: file: tasks/chat/nginx.yml + + - name: "Ensure ejabberd is configured" + ansible.builtin.include_tasks: + file: tasks/chat/ejabberd.yml diff --git a/playbooks/tasks/chat/database.yml b/playbooks/tasks/chat/database.yml index 8ee7471..bfb8610 100644 --- a/playbooks/tasks/chat/database.yml +++ b/playbooks/tasks/chat/database.yml 
@@ -1,16 +1,22 @@ --- -- name: Ensure database user Exists +- name: Ensure databases user exist community.postgresql.postgresql_user: - user: movim - password: movim + user: "{{ item }}" + password: "{{ item }}" state: present become_user: "{{ postgres.user }}" become: true + with_items: + - movim + - ejabberd -- name: Ensure database exists +- name: Ensure databases exist community.postgresql.postgresql_db: - name: movim - owner: movim + name: "{{ item }}" + owner: "{{ item }}" state: present become_user: "{{ postgres.user }}" become: true + with_items: + - movim + - ejabberd diff --git a/playbooks/tasks/chat/ejabberd.yml b/playbooks/tasks/chat/ejabberd.yml index eed46eb..95555cc 100644 --- a/playbooks/tasks/chat/ejabberd.yml +++ b/playbooks/tasks/chat/ejabberd.yml @@ -1,3 +1,22 @@ --- -- name: Use variables - ansible.builtin.include_vars: vars.yml +- name: Create ejabberd configuration file + ansible.builtin.copy: + src: tasks/chat/files/ejabberd.yml + dest: /opt/ejabberd/conf/ejabberd.yml + owner: "{{ ejabberd.user }}" + group: "{{ ejabberd.group }}" + mode: "644" + +- name: Create ejabberd upload directory + ansible.builtin.file: + path: /opt/ejabberd/upload + state: directory + owner: "{{ ejabberd.user }}" + group: "{{ ejabberd.group }}" + mode: "755" + +- name: Restart ejabberd service + ansible.builtin.service: + name: ejabberd + state: restarted + diff --git a/playbooks/tasks/chat/files/ejabberd.yml b/playbooks/tasks/chat/files/ejabberd.yml new file mode 100644 index 0000000..0085df2 --- /dev/null +++ b/playbooks/tasks/chat/files/ejabberd.yml 
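Review bot: `Create ejabberd configuration file` installs a file that carries `sql_password` with `mode: "644"`, so every local account can read the database credential; `mode: "640"` with `owner: root` and `group: "{{ ejabberd.group }}"` (or `"600"` owned by the service user) is the usual shape. The destination `/opt/ejabberd/conf/ejabberd.yml` is the layout of the upstream installer, while the playbook installs the distro `ejabberd` package, which reads its config from `/etc/ejabberd/` — confirm which one the running service actually loads. `Restart ejabberd service` runs unconditionally on every play; a handler notified by the copy task would restart only when the configuration changed.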
@@ -0,0 +1,303 @@ +loglevel: warning + +log_rotate_count: 0 + +hosts: + - trans13nrv.eu.org + +fqdn: xmpp.trans13nrv.eu.org + +certfiles: + - "/etc/letsencrypt/live/trans13nrv.eu.org/privkey.pem" + - "/etc/letsencrypt/live/trans13nrv.eu.org/fullchain.pem" + +update_sql_schema: true +new_sql_schema: true +sql_type: pgsql +sql_server: localhost +sql_database: ejabberd +sql_username: ejabberd +sql_password: ejabberd +auth_method: [sql] + +default_db: sql + +acme: + auto: false + +language: fr + +define_macro: + 'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH" + 'TLS_OPTIONS': + - "no_sslv3" + - "no_tlsv1" + - "no_tlsv1_1" + - "cipher_server_preference" + - "no_compression" + # 'DH_FILE': "/path/to/dhparams.pem" + # generated with: openssl dhparam -out dhparams.pem 2048 + +c2s_ciphers: 'TLS_CIPHERS' +s2s_ciphers: 'TLS_CIPHERS' +c2s_protocol_options: 'TLS_OPTIONS' +s2s_protocol_options: 'TLS_OPTIONS' +# c2s_dhfile: 'DH_FILE' +# s2s_dhfile: 'DH_FILE' + +listen: + - + port: 5222 + ip: "137.74.82.131" + module: ejabberd_c2s + max_stanza_size: 262144 + shaper: c2s_shaper + access: c2s + starttls: true + - + port: 5223 + ip: "137.74.82.131" + module: ejabberd_c2s + max_stanza_size: 262144 + shaper: c2s_shaper + access: c2s + tls: true + - + port: 5269 + ip: "137.74.82.131" + module: ejabberd_s2s_in + max_stanza_size: 524288 + - + port: 5443 + ip: "137.74.82.131" + module: ejabberd_http + tls: true + protocol_options: 'TLS_OPTIONS' + request_handlers: + /api: mod_http_api + /bosh: mod_bosh + ## /captcha: ejabberd_captcha + /upload: mod_http_upload + /ws: ejabberd_http_ws + custom_headers: + "Access-Control-Allow-Origin": "*" + "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT" + "Access-Control-Allow-Headers": "Authorization" + "Access-Control-Allow-Credentials": "true" +# - +# port: 5280 +# module: ejabberd_http +# tls: false +# protocol_options: 'TLS_OPTIONS' +# request_handlers: {} +# /.well-known/acme-challenge: ejabberd_acme +# /admin: ejabberd_web_admin + - + 
port: 3478 + ip: "137.74.82.131" + transport: udp + module: ejabberd_stun + use_turn: true + turn_ipv4_address: "137.74.82.131" + - + port: 1883 + ip: "137.74.82.131" + module: mod_mqtt + backlog: 1000 + + +## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text +## password storage (see auth_password_format option). +disable_sasl_mechanisms: + - "digest-md5" + - "X-OAUTH2" + +s2s_use_starttls: required + +## Store the plain passwords or hashed for SCRAM: +auth_password_format: scram + +## Full path to a script that generates the image. +## captcha_cmd: "/usr/share/ejabberd/captcha.sh" + +acl: + admin: + user: + - "stupeflo@trans13nrv.eu.org" + - "llowin@trans13nrv.eu.org" + + local: + user_regexp: "" + loopback: + ip: + - 127.0.0.0/8 + - ::1/128 + +access_rules: + local: + allow: local + c2s: + deny: blocked + allow: all + announce: + allow: admin + configure: + allow: admin + muc_create: + allow: local + pubsub_createnode: + allow: local + trusted_network: + allow: loopback + +api_permissions: + "console commands": + from: + - ejabberd_ctl + who: all + what: "*" + "admin access": + who: + access: + allow: + - acl: loopback + - acl: admin + oauth: + scope: "ejabberd:admin" + access: + allow: + - acl: loopback + - acl: admin + what: + - "*" + - "!stop" + - "!start" + "public commands": + who: + ip: 127.0.0.1/8 + what: + - status + - connected_users_number + +shaper: + normal: + rate: 3000 + burst_size: 20000 + fast: 200000 + +shaper_rules: + max_user_sessions: 10 + max_user_offline_messages: + 5000: admin + 100: all + c2s_shaper: + none: admin + normal: all + s2s_shaper: fast + +modules: + mod_admin_update_sql: {} + mod_adhoc: {} + mod_admin_extra: {} + mod_announce: + access: announce + mod_avatar: {} + mod_blocking: {} + mod_bosh: {} + mod_caps: {} + mod_carboncopy: {} + mod_client_state: {} + mod_configure: {} + ## mod_delegation: {} # for xep0356 + mod_disco: {} + mod_fail2ban: {} + mod_http_api: {} + mod_http_upload: + name: "HTTP File 
Upload" + access: local + max_size: 104857600 # 100 MiB. + file_mode: "0640" + dir_mode: "2750" + docroot: "/opt/ejabberd/upload/@HOST@" + put_url: "https://@HOST@:8443/upload" + thumbnail: false + hosts: + - upload.trans13nrv.eu.org + mod_last: {} + mod_mam: + ## Mnesia is limited to 2GB, better to use an SQL backend + ## For small servers SQLite is a good fit and is very easy + ## to configure. Uncomment this when you have SQL configured: + db_type: sql + assume_mam_usage: true + default: always + mod_mqtt: {} + mod_muc: + access: + - allow + access_admin: + - allow: admin + access_create: muc_create + access_persistent: muc_create + access_mam: + - allow + default_room_options: + mam: true + host: muc.trans13nrv.eu.org + mod_muc_admin: {} + mod_offline: + access_max_user_messages: max_user_offline_messages + mod_ping: {} + mod_pres_counter: + count: 5 + interval: 60 + mod_privacy: {} + mod_private: {} + ## mod_proxy65: + ## access: local + ## max_connections: 5 + mod_pubsub: + access_createnode: pubsub_createnode + ignore_pep_from_offline: false + last_item_cache: false + max_items_node: 1000 + default_node_config: + max_items: 1000 + plugins: + - "flat" + - "pep" + host: pubsub.trans13nrv.eu.org + force_node_config: + "eu.siacs.conversations.axolotl.*": + access_model: open + ## Avoid buggy clients to make their bookmarks public + storage:bookmarks: + access_model: whitelist + mod_push: {} + mod_push_keepalive: {} + ## mod_register: + ## ## Only accept registration requests from the "trusted" + ## ## network (see access_rules section above). + ## ## Think twice before enabling registration from any + ## ## address. 
See the Jabber SPAM Manifesto for details: + ## ## https://github.com/ge0rg/jabber-spam-fighting-manifesto + ## ip_access: trusted_network + mod_register: + ip_access: trusted_network + mod_roster: + versioning: true + mod_s2s_dialback: {} + mod_shared_roster: {} + mod_sic: {} + mod_stream_mgmt: + resend_on_timeout: if_offline + mod_stun_disco: {} + mod_vcard: + search: false + mod_vcard_xupdate: {} + mod_version: {} + +### Local Variables: +### mode: yaml +### End: +### vim: set filetype=yaml tabstop=8 \ No newline at end of file diff --git a/playbooks/tasks/chat/movim.yml b/playbooks/tasks/chat/movim.yml index e3978a9..571ce0f 100644 --- a/playbooks/tasks/chat/movim.yml +++ b/playbooks/tasks/chat/movim.yml @@ -132,7 +132,7 @@ mode: "644" create: true -- name: Ensure demon caches directory exists +- name: Ensure demon cache directories exists ansible.builtin.file: path: "{{ item }}" owner: "{{ www.user }}" @@ -149,12 +149,12 @@ - systemctl - daemon-reload -- name: Enable and start Movim Damon Service +- name: Enable and restarted Movim Damon Service when: not movim_is_installed ansible.builtin.systemd_service: service: movim.service enabled: true - state: started + state: restarted - name: Enable and start Movim Damon Service ansible.builtin.systemd_service: diff --git a/playbooks/tasks/chat/nginx.yml b/playbooks/tasks/chat/nginx.yml index 94ca5c2..4e3e9f6 100644 --- a/playbooks/tasks/chat/nginx.yml +++ b/playbooks/tasks/chat/nginx.yml @@ -1,12 +1,5 @@ --- -- name: disable access logs - ansible.builtin.blockinfile: - path: "{{ nginx.paths.conf_d }}/10-access_log-disabled.conf" - block: | - access_log off; - create: true - -- name: Create auto redirect to TLS +- name: Create auto redirect to TLS for movim ansible.builtin.blockinfile: path: "{{ nginx.paths.sites_available }}/redirect_to_https" block: | 
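Review bot: The `custom_headers` on the 5443 listener send `Access-Control-Allow-Origin: "*"` together with `Access-Control-Allow-Credentials: "true"`, a combination browsers reject for credentialed requests, and a wildcard origin on a listener that also serves `/api` (mod_http_api) is wider than needed; restrict the origin to the web client's domain or drop the credentials header. `mod_http_upload` advertises `put_url: "https://@HOST@:8443/upload"` while the only HTTP listener handling `/upload` is on port 5443, so unless something in front of ejabberd forwards 8443 to 5443, clients will receive an upload URL nobody answers. `sql_password: ejabberd` is a plaintext literal in a committed file, and the listener IP `137.74.82.131` and these credentials are repeated across this file, the zone file and database.yml; rendering them from vars would avoid drift, especially since the commit still edits templates/ejabberd.yaml.j2, which appears to be the template version of this same file. The file also lacks a trailing newline.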
@@ -17,39 +10,6 @@ } create: true -- name: Disable movim website - ansible.builtin.file: - path: "{{ nginx.paths.sites_enabled }}/{{ movim.domain }}" - state: absent - -- name: Disable auto redirect to TLS - ansible.builtin.file: - path: "{{ nginx.paths.sites_enabled }}/redirect_to_https" - state: absent - -- name: Enable default website - ansible.builtin.file: - dest: "{{ nginx.paths.sites_enabled }}/default" - src: "{{ nginx.paths.sites_available }}/default" - state: link - -- name: Install X509 certificates - ansible.builtin.command: - argv: - - certbot - - certonly - - --agree-tos - - -m psotmaster@trans13nrv.eu.org - - --nginx - - -d - - "{{ movim.domain }}" - creates: "/etc/letsencrypt/live/{{ movim.domain }}/privkey.pem" - -- name: Disable default website - ansible.builtin.file: - path: "{{ nginx.paths.sites_enabled }}/default" - state: absent - - name: Create movim website ansible.builtin.template: dest: "{{ nginx.paths.sites_available }}/{{ movim.domain }}" @@ -70,7 +30,14 @@ dest: "{{ nginx.paths.sites_enabled }}/redirect_to_https" src: "{{ nginx.paths.sites_available }}/redirect_to_https" +- name: Set access logs to off + ansible.builtin.blockinfile: + path: "{{ nginx.paths.conf_d }}/10-access_log-disabled.conf" + block: | + access_log off; + create: true + - name: Reload nginx service ansible.builtin.systemd_service: name: nginx - state: reloaded \ No newline at end of file + state: restarted diff --git a/playbooks/tasks/chat/templates/ejabberd.yaml.j2 b/playbooks/tasks/chat/templates/ejabberd.yaml.j2 index 6c1e931..635d205 100644 --- a/playbooks/tasks/chat/templates/ejabberd.yaml.j2 +++ b/playbooks/tasks/chat/templates/ejabberd.yaml.j2 @@ -209,7 +209,7 @@ modules: ## ## Mnesia is limited to 2GB, better to use an SQL backend ## ## For small servers SQLite is a good fit and is very easy ## ## to configure. Uncomment this when you have SQL configured: - ## ## db_type: sql + ## ## db_type: sql ## assume_mam_usage: true ## default: always mod_mqtt: {} 
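Review bot: `state: restarted` on the task still named `Reload nginx service` replaces a reload with a full restart that runs unconditionally on every play, so each run drops in-flight connections even when no site changed; `state: reloaded` is sufficient to pick up configuration changes and matches the task name. Guard it with the results of the template/file tasks (`register:` plus `when: ... changed`) or a handler, as with the ejabberd restart in tasks/chat/ejabberd.yml. The relocated `access_log off;` block in conf.d disables access logging for every site, so be aware it also removes the only server-side request trail for the public movim front end and the proxied XMPP web endpoints if these ever need to be investigated.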
diff --git a/playbooks/tasks/chat/templates/movim.j2 b/playbooks/tasks/chat/templates/movim.j2 index 110a782..2c4cd8b 100644 --- a/playbooks/tasks/chat/templates/movim.j2 +++ b/playbooks/tasks/chat/templates/movim.j2 @@ -5,7 +5,7 @@ server { server_name {{ movim.domain }}; ssl_certificate /etc/letsencrypt/live/{{ movim.domain }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{{ movim.domain }}/privkey.pem; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; + ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; # Where Movim public directory is setup diff --git a/playbooks/tasks/chat/x509.yml b/playbooks/tasks/chat/x509.yml new file mode 100644 index 0000000..ff8be84 --- /dev/null +++ b/playbooks/tasks/chat/x509.yml 
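Review bot: The retained `ssl_ciphers HIGH:!aNULL:!MD5;` line still admits TLS 1.2 suites with static RSA key exchange (no forward secrecy) now that only TLSv1.2 and TLSv1.3 are offered; `ssl_ciphers HIGH:!aNULL:!MD5:!kRSA;` with `ssl_prefer_server_ciphers on;` alongside it would close that gap. The ejabberd `TLS_CIPHERS` macro in files/ejabberd.yml (`HIGH:!aNULL:!eNULL:!3DES:@STRENGTH`) has the same property and could take the same exclusion. The enclosing server block starts outside the hunk.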
@@ -0,0 +1,55 @@ +--- +- name: Disable movim website + ansible.builtin.file: + path: "{{ nginx.paths.sites_enabled }}/{{ movim.domain }}" + state: absent + +- name: Disable auto redirect to TLS + ansible.builtin.file: + path: "{{ nginx.paths.sites_enabled }}/redirect_to_https" + state: absent + +- name: Enable default website + ansible.builtin.file: + dest: "{{ nginx.paths.sites_enabled }}/default" + src: "{{ nginx.paths.sites_available }}/default" + state: link + +- name: Install X509 certificates for movim + ansible.builtin.command: + argv: + - certbot + - certonly + - --agree-tos + - -m + - psotmaster@trans13nrv.eu.org + - --nginx + - -d + - "{{ movim.domain }}" + creates: "/etc/letsencrypt/live/{{ movim.domain }}*/privkey.pem" + +- name: Install X509 certificates for ejabberd hosts + ansible.builtin.command: + argv: + - certbot + - certonly + - --agree-tos + - -m + - psotmaster@trans13nrv.eu.org + - --nginx + - -d + - trans13nrv.eu.org + - -d + - xmpp.trans13nrv.eu.org + - -d + - muc.trans13nrv.eu.org + - -d + - "pubsub.trans13nrv.eu.org" + - -d + - upload.trans13nrv.eu.org + creates: "/etc/letsencrypt/live/trans13nrv.eu.org/privkey.pem" + +- name: Disable default website + ansible.builtin.file: + path: "{{ nginx.paths.sites_enabled }}/default" + state: absent diff --git a/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone b/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone index 7e7a350..d7fad54 100644 --- a/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone +++ b/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone @@ -1,7 +1,7 @@ $ORIGIN trans13nrv.eu.org. $TTL 300s @ SOA ns1 postmaster ( - 2024052300 ; Serial + 2024052340 ; Serial 8h ; Refresh 30m ; Retry 1w ; Expire @@ -18,6 +18,7 @@ ns1 A 137.74.82.130 ;;; XMPP ;;; ; server IP jabber A 137.74.82.131 +@ A 137.74.82.131 ; ports _xmpp-server._tcp IN SRV 5 0 5269 xmpp 
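Review bot: The registration address passed to certbot in both tasks, `psotmaster@trans13nrv.eu.org`, looks like a typo for `postmaster` (the SOA contact in the zone file edited by this same commit), so expiry and revocation notices would go to a mailbox that may not exist; fix both `- psotmaster@trans13nrv.eu.org` argv entries. Nothing in this commit makes `/etc/letsencrypt/live/trans13nrv.eu.org/privkey.pem` readable by the `ejabberd` user, yet files/ejabberd.yml lists it under `certfiles`; certbot creates private keys root-only by default, so either a deploy hook must copy or chgrp the key into an ejabberd-readable location or TLS setup will fail on the host — worth verifying. The movim task's `creates:` uses a glob (`{{ movim.domain }}*/privkey.pem`), which also matches `-0001`-suffixed lineages, whereas the ejabberd task uses an exact path; if that asymmetry is intentional, a short comment would save the next reader a question.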
@@ -37,6 +38,6 @@ xmpp CNAME jabber ; XMPP Service turn CNAME jabber ; VOIP service chat CNAME jabber ; Web Frontend muc CNAME jabber ; Multi-User chat -upload CNAME jabbbr ; Upload over XMPP +upload CNAME jabber ; Upload over XMPP pubsub CNAME jabber ; Pub-Sub over XMPP proxy CNAME jabber ; Proxy for file transfer over XMPP diff --git a/playbooks/vars.yml b/playbooks/vars.yml index cc54b8d..f8c7687 100644 --- a/playbooks/vars.yml +++ b/playbooks/vars.yml @@ -24,4 +24,7 @@ nginx: paths: sites_enabled: /etc/nginx/sites-enabled sites_available: /etc/nginx/sites-available - conf_d: /etc/nginx/conf.d \ No newline at end of file + conf_d: /etc/nginx/conf.d +ejabberd: + user: ejabberd + group: ejabberd \ No newline at end of file