diff --git a/playbooks/01-primary-ns.yaml b/playbooks/01-primary-ns.yaml
index c3fd1ea..117894d 100644
--- a/playbooks/01-primary-ns.yaml
+++ b/playbooks/01-primary-ns.yaml
@@ -38,4 +38,4 @@
 - name: Reload bind9 service
 ansible.builtin.service:
 name: bind9
- state: restarted
+ state: reloaded
diff --git a/playbooks/02-xmpp-server.yaml b/playbooks/02-xmpp-server.yaml
deleted file mode 100644
index 8ed79b0..0000000
--- a/playbooks/02-xmpp-server.yaml
+++ /dev/null
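Review bot: Moving the bind9 task from `state: restarted` to `state: reloaded` removes the only check that the zone data actually loads: on a reload, named typically keeps serving the previously loaded zone when the new file fails to parse and reports the problem only in its log, so a run can finish green while the `db.trans13nrv.eu.org.zone` change in this same commit is not in effect. Add a validation task directly before this one so a broken zone or named.conf fails the play instead (proposed below). It is not visible from the hunk whether this task lives under `tasks:` or `handlers:`; if it is a plain task, it reloads bind9 on every run, and a handler notified by the zone-copy task would limit the reload to runs that changed something. The enclosing play starts outside the hunk.
```yaml
- name: Check bind9 configuration and zone files
  ansible.builtin.command:
    argv:
      - named-checkconf
      - -z
  changed_when: false

- name: Reload bind9 service
  # … unchanged: ansible.builtin.service with state: reloaded …
```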
@@ -1,78 +0,0 @@ -- name: Configuration of jabber server - hosts: chatservers - - tasks: - - name: Use variables - ansible.builtin.include_vars: vars.yml - - - name: Configure ejabber apt sources - ansible.builtin.blockinfile: - path: /etc/apt/sources.list.d/process-one-stable.sources - create: true - block: | - Enabled: yes - Types: deb - URIs: https://repo.process-one.net/deb - Suites: stable - Components: main - Architectures: amd64 - Signed-By: /etc/apt/keyrings/ejabberd.gpg - owner: "{{ root.user }}" - group: "{{ root.group }}" - mode: "755" - - - name: Create keyrings folder - ansible.builtin.file: - path: /etc/apt/keyrings - state: directory - owner: "{{ root.user }}" - group: "{{ root.group }}" - mode: "755" - - - name: Adding process-one (ejabberd) gpg key to apt keyring - ansible.builtin.get_url: - url: https://repo.process-one.net/ejabberd.gpg - dest: /etc/apt/keyrings/ejabberd.gpg - owner: "{{ root.user }}" - group: "{{ root.group }}" - mode: "755" - - - name: Installing required packages - ansible.builtin.package: - name: - - composer - - php-fpm - - php-curl - - php-mbstring - - php-imagick - - php-gd - - php-pgsql - - php-xml - - postgresql - - nginx - - certbot - - ejabberd - - git - - python3-certbot-nginx - - python3-psycopg2 - state: present - - - name: "Ensure movim database is present and accessible" - ansible.builtin.include_tasks: - file: tasks/chat/database.yml - - - name: "Ensure movim version is installed - v{{ movim.version }}" - ansible.builtin.include_tasks: - file: tasks/chat/movim.yml - - - name: "Ensure X509 certificates are properly installed" - ansible.builtin.include_tasks: - file: tasks/chat/x509.yml - - - name: "Ensure nginx is configured" - ansible.builtin.include_tasks: - file: tasks/chat/nginx.yml - - - name: "Ensure ejabberd is configured" - ansible.builtin.include_tasks: - file: tasks/chat/ejabberd.yml 
diff --git a/playbooks/tasks/chat/database.yml b/playbooks/tasks/chat/database.yml deleted file mode 100644 index bfb8610..0000000 --- a/playbooks/tasks/chat/database.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- -- name: Ensure databases user exist - community.postgresql.postgresql_user: - user: "{{ item }}" - password: "{{ item }}" - state: present - become_user: "{{ postgres.user }}" - become: true - with_items: - - movim - - ejabberd - -- name: Ensure databases exist - community.postgresql.postgresql_db: - name: "{{ item }}" - owner: "{{ item }}" - state: present - become_user: "{{ postgres.user }}" - become: true - with_items: - - movim - - ejabberd diff --git a/playbooks/tasks/chat/ejabberd.yml b/playbooks/tasks/chat/ejabberd.yml deleted file mode 100644 index 95555cc..0000000 --- a/playbooks/tasks/chat/ejabberd.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- -- name: Create ejabberd configuration file - ansible.builtin.copy: - src: tasks/chat/files/ejabberd.yml - dest: /opt/ejabberd/conf/ejabberd.yml - owner: "{{ ejabberd.user }}" - group: "{{ ejabberd.group }}" - mode: "644" - -- name: Create ejabberd upload directory - ansible.builtin.file: - path: /opt/ejabberd/upload - state: directory - owner: "{{ ejabberd.user }}" - group: "{{ ejabberd.group }}" - mode: "755" - -- name: Restart ejabberd service - ansible.builtin.service: - name: ejabberd - state: restarted - diff --git a/playbooks/tasks/chat/files/ejabberd.yml b/playbooks/tasks/chat/files/ejabberd.yml deleted file mode 100644 index 8a9e874..0000000 --- a/playbooks/tasks/chat/files/ejabberd.yml +++ /dev/null 
@@ -1,310 +0,0 @@ -loglevel: info - -log_rotate_count: 0 - -hosts: - - trans13nrv.eu.org - -fqdn: xmpp.trans13nrv.eu.org - -certfiles: - - "/etc/letsencrypt/live/trans13nrv.eu.org/privkey.pem" - - "/etc/letsencrypt/live/trans13nrv.eu.org/fullchain.pem" - -update_sql_schema: true -new_sql_schema: true -sql_type: pgsql -sql_server: localhost -sql_database: ejabberd -sql_username: ejabberd -sql_password: ejabberd -auth_method: [sql] - -default_db: sql - -acme: - auto: false - -language: fr - -define_macro: - 'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH" - 'TLS_OPTIONS': - - "no_sslv3" - - "no_tlsv1" - - "no_tlsv1_1" - - "cipher_server_preference" - - "no_compression" - # 'DH_FILE': "/path/to/dhparams.pem" - # generated with: openssl dhparam -out dhparams.pem 2048 - -c2s_ciphers: 'TLS_CIPHERS' -s2s_ciphers: 'TLS_CIPHERS' -c2s_protocol_options: 'TLS_OPTIONS' -s2s_protocol_options: 'TLS_OPTIONS' -# c2s_dhfile: 'DH_FILE' -# s2s_dhfile: 'DH_FILE' - -listen: - - - port: 5222 - ip: "10.246.201.4" - module: ejabberd_c2s - max_stanza_size: 262144 - shaper: c2s_shaper - access: c2s - starttls: true - - - port: 5223 - ip: "10.246.201.4" - module: ejabberd_c2s - max_stanza_size: 262144 - shaper: c2s_shaper - access: c2s - tls: true - - - port: 5269 - ip: "10.246.201.4" - module: ejabberd_s2s_in - max_stanza_size: 524288 - - - port: 5443 - ip: "10.246.201.4" - module: ejabberd_http - tls: true - protocol_options: 'TLS_OPTIONS' - request_handlers: - /api: mod_http_api - /bosh: mod_bosh - ## /captcha: ejabberd_captcha - /upload: mod_http_upload - /ws: ejabberd_http_ws - custom_headers: - "Access-Control-Allow-Origin": "*" - "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT" - "Access-Control-Allow-Headers": "content-type" - "Access-Control-Allow-Credentials": "true" - "Access-Control-Max-Age": "86400" -# - -# port: 5280 -# module: ejabberd_http -# tls: false -# protocol_options: 'TLS_OPTIONS' -# request_handlers: {} -# /.well-known/acme-challenge: ejabberd_acme -# 
/admin: ejabberd_web_admin - - - port: 3478 - ip: "10.246.201.4" - transport: udp - module: ejabberd_stun - use_turn: true - turn_ipv4_address: "137.74.82.131" - - - port: 1883 - ip: "10.246.201.4" - module: mod_mqtt - backlog: 1000 - - -## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text -## password storage (see auth_password_format option). -disable_sasl_mechanisms: - - "digest-md5" - - "X-OAUTH2" - -s2s_use_starttls: required - -## Store the plain passwords or hashed for SCRAM: -auth_password_format: scram - -## Full path to a script that generates the image. -## captcha_cmd: "/usr/share/ejabberd/captcha.sh" - -acl: - admin: - user: - - "stupeflo@trans13nrv.eu.org" - - "llowin@trans13nrv.eu.org" - - "saram@trans13nrv.eu.org" - - "margot@trans13nrv.eu.org" - - local: - user_regexp: "" - server: - - "trans13nrv.eu.org" - loopback: - ip: - - 127.0.0.0/8 - - ::1/128 - -access_rules: - local: - allow: local - c2s: - deny: blocked - allow: all - announce: - allow: admin - configure: - allow: admin - muc_create: - allow: local - pubsub_createnode: - allow: local - trusted_network: - allow: loopback - -api_permissions: - "console commands": - from: - - ejabberd_ctl - who: all - what: "*" - "admin access": - who: - access: - allow: - - acl: loopback - - acl: admin - oauth: - scope: "ejabberd:admin" - access: - allow: - - acl: loopback - - acl: admin - what: - - "*" - - "!stop" - - "!start" - "public commands": - who: - ip: 127.0.0.1/8 - what: - - status - - connected_users_number - -shaper: - normal: - rate: 3000 - burst_size: 20000 - fast: 200000 - -shaper_rules: - max_user_sessions: 10 - max_user_offline_messages: - 5000: admin - 100: all - c2s_shaper: - none: admin - normal: all - s2s_shaper: fast - -modules: - mod_admin_update_sql: {} - mod_adhoc: {} - mod_admin_extra: {} - mod_announce: - access: announce - mod_avatar: {} - mod_blocking: {} - mod_bosh: {} - mod_caps: {} - mod_carboncopy: {} - mod_client_state: {} - mod_configure: {} - ## 
mod_delegation: {} # for xep0356 - mod_disco: {} - mod_fail2ban: {} - mod_http_api: {} - mod_http_upload: - name: "HTTP File Upload" - access: local - max_size: 104857600 # 100 MiB. - file_mode: "0640" - dir_mode: "2750" - docroot: "/opt/ejabberd/upload/@HOST@" - put_url: "https://@HOST@:5443/upload" - thumbnail: false - custom_headers: - "Access-Control-Allow-Origin": "https://domain.tld" - "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS" - "Access-Control-Allow-Headers": "Content-Type" - mod_last: {} - mod_mam: - ## Mnesia is limited to 2GB, better to use an SQL backend - ## For small servers SQLite is a good fit and is very easy - ## to configure. Uncomment this when you have SQL configured: - db_type: sql - assume_mam_usage: true - default: always - mod_mqtt: {} - mod_muc: - access: - - allow - access_admin: - - allow: admin - access_create: muc_create - access_persistent: muc_create - access_mam: - - allow - default_room_options: - mam: true - host: muc.trans13nrv.eu.org - mod_muc_admin: {} - mod_offline: - access_max_user_messages: max_user_offline_messages - mod_ping: {} - mod_pres_counter: - count: 5 - interval: 60 - mod_privacy: {} - mod_private: {} - ## mod_proxy65: - ## access: local - ## max_connections: 5 - mod_pubsub: - access_createnode: pubsub_createnode - ignore_pep_from_offline: false - last_item_cache: false - max_items_node: 1000 - default_node_config: - max_items: 1000 - plugins: - - "flat" - - "pep" - host: pubsub.trans13nrv.eu.org - force_node_config: - "eu.siacs.conversations.axolotl.*": - access_model: open - ## Avoid buggy clients to make their bookmarks public - storage:bookmarks: - access_model: whitelist - mod_push: {} - mod_push_keepalive: {} - ## mod_register: - ## ## Only accept registration requests from the "trusted" - ## ## network (see access_rules section above). - ## ## Think twice before enabling registration from any - ## ## address. 
See the Jabber SPAM Manifesto for details: - ## ## https://github.com/ge0rg/jabber-spam-fighting-manifesto - ## ip_access: trusted_network - mod_register: - ip_access: trusted_network - mod_roster: - versioning: true - mod_s2s_dialback: {} - mod_shared_roster: {} - mod_sic: {} - mod_stream_mgmt: - resend_on_timeout: if_offline - mod_stun_disco: {} - mod_vcard: - search: false - mod_vcard_xupdate: {} - mod_version: {} - -### Local Variables: -### mode: yaml -### End: -### vim: set filetype=yaml tabstop=8 \ No newline at end of file diff --git a/playbooks/tasks/chat/movim.yml b/playbooks/tasks/chat/movim.yml deleted file mode 100644 index eff6d14..0000000 --- a/playbooks/tasks/chat/movim.yml +++ /dev/null 
@@ -1,164 +0,0 @@ ---- -- name: Check Whether movim is present - ansible.builtin.stat: - path: "{{ movim.path }}" - register: "movim_dir" - -- name: Check whether movim is installed - ansible.builtin.set_fact: - movim_is_installed: "{{ movim_dir.stat is defined and movim_dir.stat.isdir }}" - -- name: Guess current version - block: - - name: Check movim installed tag - when: movim_is_installed - register: "movim_installed_tag" - ansible.builtin.shell: - argv: - - git - - describe - - --tags - chdir: "{{ movim.path }}" - become: true - become_user: "{{ www.user }}" - - - name: Register current movim version - ansible.builtin.set_fact: - movim_installed_version: "{{ movim_installed_tag.stdout | regex_replace('^v(\\d+)\\.(\\d+)\\.(\\d+)$', '\\1.\\2.\\3') }}" - -- name: Installing - when: not movim_is_installed - block: - - name: Cloning - ansible.builtin.git: - repo: https://github.com/movim/movim.git - dest: "{{ movim.path }}" - version: "v{{ movim.version }}" - - - name: Setting Mode and Ownershp - ansible.builtin.file: - path: "{{ movim.path }}" - state: directory - owner: "{{ www.user }}" - group: "{{ www.group }}" - recurse: true - mode: "755" - -- name: Updating - when: movim_is_installed and movim.version is version(movim_installed_version, ">", "semver") - block: - - name: Fetching - ansible.builtin.shell: - argv: - - git - - fetch - - --tags - chdir: "{{ movim.path }}" - become: true - become_user: "{{ www.user }}" - - name: Checking Out - ansible.builtin.shell: - argv: - - git - - checkout - - "v{{ movim.version }}" - chdir: "{{ movim.path }}" - become: true - become_user: "{{ www.user }}" - -- name: Installing or updating Movim dependanciens - community.general.composer: - working_dir: "{{ movim.path }}" - command: install - become: true - become_user: "{{ www.user }}" - -- name: Setting-Up Movim execution environment - ansible.builtin.blockinfile: - path: "{{ movim.path }}/.env" - block: | - # Database configuration - DB_DRIVER=pgsql - DB_HOST=127.0.0.1 - 
DB_PORT=5432 - DB_DATABASE=movim - DB_USERNAME=movim - DB_PASSWORD=movim - - # Daemon configuration - DAEMON_URL=https://chat.trans13nrv.eu.org/ # Public URL of your Movim instance - DAEMON_PORT=8080 # Port on which the daemon will listen - DAEMON_INTERFACE=127.0.0.1 # Interface on which the daemon will listen, must be an IP - DAEMON_DEBUG=false - DAEMON_VERBOSE=false - - owner: "{{ www.user }}" - group: "{{ www.group }}" - create: true - mode: "600" - -- name: Migrating Database - community.general.composer: - command: "movim:migrate" - working_dir: "{{ movim.path }}" - become: true - become_user: "{{ www.user }}" - -- name: Setting-Up Movim demon service - ansible.builtin.blockinfile: - path: /etc/systemd/system/movim.service - block: | - [Unit] - Description=Movim daemon - After=nginx.service network.target local-fs.target - - [Service] - User=www-data - Type=simple - Environment=PUBLIC_URL=https://chat.trans13nrv.eu.org/ - Environment=WS_PORT=8080 - EnvironmentFile=-/etc/default/movim - ExecStart=/usr/bin/php daemon.php start - WorkingDirectory={{ movim.path }} - StandardOutput=syslog - SyslogIdentifier=movim - PIDFile=/run/movim.pid - Restart=on-failure - RestartSec=10 - - [Install] - WantedBy=multi-user.target - owner: "{{ root.user }}" - group: "{{ root.group }}" - mode: "644" - create: true - -- name: Ensure demon cache directories exists - ansible.builtin.file: - path: "{{ item }}" - owner: "{{ www.user }}" - group: "{{ www.group }}" - mode: "755" - state: directory - with_items: - - "{{ movim.path }}/cache" - - "{{ movim.path }}/public/cache" - -- name: Reload SystemD daemon - ansible.builtin.shell: - argv: - - systemctl - - daemon-reload - -- name: Enable and restarted Movim Damon Service - when: not movim_is_installed - ansible.builtin.systemd_service: - service: movim.service - enabled: true - state: restarted - -- name: Enable and start Movim Damon Service - ansible.builtin.systemd_service: - service: movim.service - state: restarted - when: 
movim_is_installed diff --git a/playbooks/tasks/chat/nginx.yml b/playbooks/tasks/chat/nginx.yml deleted file mode 100644 index 4e3e9f6..0000000 --- a/playbooks/tasks/chat/nginx.yml +++ /dev/null @@ -1,43 +0,0 @@ ---- -- name: Create auto redirect to TLS for movim - ansible.builtin.blockinfile: - path: "{{ nginx.paths.sites_available }}/redirect_to_https" - block: | - server { - listen 80 default_server; - server_name _; - return 301 https://$host$request_uri; - } - create: true - -- name: Create movim website - ansible.builtin.template: - dest: "{{ nginx.paths.sites_available }}/{{ movim.domain }}" - src: tasks/chat/templates/movim.j2 - owner: "{{ root.user }}" - group: "{{ root.group }}" - mode: "644" - -- name: Enable movim website - ansible.builtin.file: - state: link - dest: "{{ nginx.paths.sites_enabled }}/{{ movim.domain }}" - src: "{{ nginx.paths.sites_available }}/{{ movim.domain }}" - -- name: Enable auto redirect to TLS - ansible.builtin.file: - state: link - dest: "{{ nginx.paths.sites_enabled }}/redirect_to_https" - src: "{{ nginx.paths.sites_available }}/redirect_to_https" - -- name: Set access logs to off - ansible.builtin.blockinfile: - path: "{{ nginx.paths.conf_d }}/10-access_log-disabled.conf" - block: | - access_log off; - create: true - -- name: Reload nginx service - ansible.builtin.systemd_service: - name: nginx - state: restarted diff --git a/playbooks/tasks/chat/templates/ejabberd.yaml.j2 b/playbooks/tasks/chat/templates/ejabberd.yaml.j2 deleted file mode 100644 index 635d205..0000000 --- a/playbooks/tasks/chat/templates/ejabberd.yaml.j2 +++ /dev/null 
@@ -1,275 +0,0 @@ -loglevel: {{ service.log.level | default("none") }} -log_rotate_count: {{ service.log.rotate | default("0") }} - -hosts: -{%- for domain in service.domains %} - - {{ domain }} -{%- endfor %} - -certfiles: - - {{ service.certificate.certfile | default("/etc/ejabberd/ejabberd.pem") }} -{%- if service.certificate.keyfile %} - - service.certificate.keyfile | default("/etc/letsencrypt/live/localhost/fullchain.pem") -{%- endif %} -# - /etc/letsencrypt/live/localhost/privkey.pem - -# TLS configuration -define_macro: - 'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH" - 'TLS_OPTIONS': - - "no_sslv3" - - "no_tlsv1" - - "no_tlsv1_1" - - "cipher_server_preference" - - "no_compression" - # 'DH_FILE': "/path/to/dhparams.pem" - # generated with: openssl dhparam -out dhparams.pem 2048 - -c2s_ciphers: 'TLS_CIPHERS' -s2s_ciphers: 'TLS_CIPHERS' -c2s_protocol_options: 'TLS_OPTIONS' -s2s_protocol_options: 'TLS_OPTIONS' -# c2s_dhfile: 'DH_FILE' -# s2s_dhfile: 'DH_FILE' - -listen: - - - port: 5222 - ip: "::" - module: ejabberd_c2s - max_stanza_size: 262144 - shaper: c2s_shaper - access: c2s - starttls_required: true - protocol_options: 'TLS_OPTIONS' - - - port: 5223 - ip: "::" - module: ejabberd_c2s - max_stanza_size: 262144 - shaper: c2s_shaper - access: c2s - tls: true - protocol_options: 'TLS_OPTIONS' - - - port: 5269 - ip: "::" - module: ejabberd_s2s_in - max_stanza_size: 524288 - - - port: 5443 - ip: "::" - module: ejabberd_http - tls: true - protocol_options: 'TLS_OPTIONS' - request_handlers: - /api: mod_http_api - /bosh: mod_bosh - ## /captcha: ejabberd_captcha - ## /upload: mod_http_upload - /ws: ejabberd_http_ws - - - port: 5280 - ip: "::" - module: ejabberd_http - tls: true - protocol_options: 'TLS_OPTIONS' - request_handlers: - /admin: ejabberd_web_admin - /.well-known/acme-challenge: ejabberd_acme - - - port: 3478 - ip: "::" - transport: udp - module: ejabberd_stun - use_turn: true - ## The server's public IPv4 address: - # turn_ipv4_address: 
"203.0.113.3" - ## The server's public IPv6 address: - # turn_ipv6_address: "2001:db8::3" - - - port: 1883 - ip: "::" - module: mod_mqtt - backlog: 1000 - - -## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text -## password storage (see auth_password_format option). -disable_sasl_mechanisms: - - "digest-md5" - - "X-OAUTH2" - -s2s_use_starttls: required - -## Store the plain passwords or hashed for SCRAM: -auth_password_format: scram - -## Full path to a script that generates the image. -## captcha_cmd: "/usr/share/ejabberd/captcha.sh" - -acl: - admin: - user: - - "" - - local: - user_regexp: "" - loopback: - ip: - - 127.0.0.0/8 - - ::1/128 - -access_rules: - local: - allow: local - c2s: - deny: blocked - allow: all - announce: - allow: admin - configure: - allow: admin - muc_create: - allow: local - pubsub_createnode: - allow: local - trusted_network: - allow: loopback - -api_permissions: - "console commands": - from: - - ejabberd_ctl - who: all - what: "*" - "admin access": - who: - access: - allow: - - acl: loopback - - acl: admin - oauth: - scope: "ejabberd:admin" - access: - allow: - - acl: loopback - - acl: admin - what: - - "*" - - "!stop" - - "!start" - "public commands": - who: - ip: 127.0.0.1/8 - what: - - status - - connected_users_number - -shaper: - normal: - rate: 3000 - burst_size: 20000 - fast: 200000 - -shaper_rules: - max_user_sessions: 10 - max_user_offline_messages: - 5000: admin - 100: all - c2s_shaper: - none: admin - normal: all - s2s_shaper: fast - -modules: - mod_adhoc: {} - mod_admin_extra: {} - mod_announce: - access: announce - mod_avatar: {} - mod_blocking: {} - mod_bosh: {} - mod_caps: {} - mod_carboncopy: {} - mod_client_state: {} - mod_configure: {} - ## mod_delegation: {} # for xep0356 - mod_disco: {} - mod_fail2ban: {} - mod_http_api: {} - ## mod_http_upload: - ## put_url: https://@HOST@:5443/upload - ## custom_headers: - ## "Access-Control-Allow-Origin": "https://@HOST@" - ## "Access-Control-Allow-Methods": 
"GET,HEAD,PUT,OPTIONS" - ## "Access-Control-Allow-Headers": "Content-Type" - mod_last: {} - ## mod_mam: - ## ## Mnesia is limited to 2GB, better to use an SQL backend - ## ## For small servers SQLite is a good fit and is very easy - ## ## to configure. Uncomment this when you have SQL configured: - ## ## db_type: sql - ## assume_mam_usage: true - ## default: always - mod_mqtt: {} - mod_muc: - access: - - allow - access_admin: - - allow: admin - access_create: muc_create - access_persistent: muc_create - access_mam: - - allow - default_room_options: - mam: true - mod_muc_admin: {} - mod_offline: - access_max_user_messages: max_user_offline_messages - mod_ping: {} - mod_pres_counter: - count: 5 - interval: 60 - mod_privacy: {} - mod_private: {} - ## mod_proxy65: - ## access: local - ## max_connections: 5 - mod_pubsub: - access_createnode: pubsub_createnode - plugins: - - flat - - pep - force_node_config: - "eu.siacs.conversations.axolotl.*": - access_model: open - ## Avoid buggy clients to make their bookmarks public - storage:bookmarks: - access_model: whitelist - mod_push: {} - mod_push_keepalive: {} - ## mod_register: - ## ## Only accept registration requests from the "trusted" - ## ## network (see access_rules section above). - ## ## Think twice before enabling registration from any - ## ## address. See the Jabber SPAM Manifesto for details: - ## ## https://github.com/ge0rg/jabber-spam-fighting-manifesto - ## ip_access: trusted_network - mod_roster: - versioning: true - mod_s2s_dialback: {} - mod_shared_roster: {} - mod_sic: {} - mod_stream_mgmt: - resend_on_timeout: if_offline - mod_stun_disco: {} - mod_vcard: - search: false - mod_vcard_xupdate: {} - mod_version: {} - -### Local Variables: -### mode: yaml -### End: -### vim: set filetype=yaml tabstop=8 diff --git a/playbooks/tasks/chat/templates/movim.j2 b/playbooks/tasks/chat/templates/movim.j2 deleted file mode 100644 index 2c4cd8b..0000000 --- a/playbooks/tasks/chat/templates/movim.j2 +++ /dev/null 
@@ -1,53 +0,0 @@ -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - - server_name {{ movim.domain }}; - ssl_certificate /etc/letsencrypt/live/{{ movim.domain }}/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/{{ movim.domain }}/privkey.pem; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers HIGH:!aNULL:!MD5; - - # Where Movim public directory is setup - root {{ movim.path }}/public; - - index index.php; - - # Ask nginx to cache every URL starting with "/picture" - location /picture { - set $no_cache 0; # Enable cache only there - try_files $uri $uri/ /index.php$is_args$args; - } - - location / { - set $no_cache 1; - try_files $uri $uri/ /index.php$is_args$args; - } - - location ~ \.php$ { - add_header X-Cache $upstream_cache_status; - - fastcgi_pass unix:/run/php/php8.2-fpm.sock; - fastcgi_ignore_headers "Cache-Control" "Expires" "Set-Cookie"; - fastcgi_cache_valid any 7d; - fastcgi_cache_bypass $no_cache; - fastcgi_no_cache $no_cache; - - # Pass everything to PHP FastCGI, at the discretion of the administrator - include fastcgi.conf; - } - - location /ws/ { - proxy_pass http://127.0.0.1:8080/; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "Upgrade"; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto https; - proxy_redirect off; - proxy_read_timeout 1800s; - proxy_send_timeout 1800s; - } -} \ No newline at end of file diff --git a/playbooks/tasks/chat/x509.yml b/playbooks/tasks/chat/x509.yml deleted file mode 100644 index ff8be84..0000000 --- a/playbooks/tasks/chat/x509.yml +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -- name: Disable movim website - ansible.builtin.file: - path: "{{ nginx.paths.sites_enabled }}/{{ movim.domain }}" - state: absent - -- name: Disable auto redirect to TLS - ansible.builtin.file: - path: "{{ nginx.paths.sites_enabled }}/redirect_to_https" - state: absent - -- name: Enable default website - ansible.builtin.file: - dest: "{{ nginx.paths.sites_enabled }}/default" - src: "{{ nginx.paths.sites_available }}/default" - state: link - -- name: Install X509 certificates for movim - ansible.builtin.command: - argv: - - certbot - - certonly - - --agree-tos - - -m - - psotmaster@trans13nrv.eu.org - - --nginx - - -d - - "{{ movim.domain }}" - creates: "/etc/letsencrypt/live/{{ movim.domain }}*/privkey.pem" - -- name: Install X509 certificates for ejabberd hosts - ansible.builtin.command: - argv: - - certbot - - certonly - - --agree-tos - - -m - - psotmaster@trans13nrv.eu.org - - --nginx - - -d - - trans13nrv.eu.org - - -d - - xmpp.trans13nrv.eu.org - - -d - - muc.trans13nrv.eu.org - - -d - - "pubsub.trans13nrv.eu.org" - - -d - - upload.trans13nrv.eu.org - creates: "/etc/letsencrypt/live/trans13nrv.eu.org/privkey.pem" - -- name: Disable default website - ansible.builtin.file: - path: "{{ nginx.paths.sites_enabled }}/default" - state: absent diff --git a/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone b/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone index d7fad54..59cd19a 100644 --- a/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone +++ b/playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone 
@@ -1,43 +1,31 @@ $ORIGIN trans13nrv.eu.org. $TTL 300s @ SOA ns1 postmaster ( - 2024052340 ; Serial + 2024121101 ; Serial 8h ; Refresh 30m ; Retry 1w ; Expire 1h ) ; Negative Cache TTL ; name servers - NS ns1 + NS ns1 -ns1 A 137.74.82.130 +ns1 A 91.134.159.68 ; mailing -@ MX 10 mail.hebergemoi.fr. +@ MX 10 mail.hebergemoi.fr. ;;; XMPP ;;; -; server IP -jabber A 137.74.82.131 -@ A 137.74.82.131 +; server IP / name +;_jabber A 0.0.0.1 +;xmpp CNAME _jabber ; ports -_xmpp-server._tcp IN SRV 5 0 5269 xmpp -_xmpps-server._tcp IN SRV 5 0 5270 xmpp -_xmpp-client._tcp IN SRV 5 0 5222 xmpp -_xmpps-client._tcp IN SRV 5 0 5223 xmpp +;_xmpp-server._tcp IN SRV 0 0 5269 _jabber +;_xmpp-client._tcp IN SRV 0 0 5222 _jabber -_stun._udp IN SRV 5 0 3478 turn -_stun._tcp IN SRV 5 0 3478 turn -_stuns._tcp IN SRV 5 0 5349 turn -_turn._udp IN SRV 5 0 3478 turn -_turn._tcp IN SRV 5 0 3478 turn -_turns._tcp IN SRV 5 0 5349 turn +; multi-user-chat +;muc CNAME _jabber -; Aliases -xmpp CNAME jabber ; XMPP Service -turn CNAME jabber ; VOIP service -chat CNAME jabber ; Web Frontend -muc CNAME jabber ; Multi-User chat -upload CNAME jabber ; Upload over XMPP -pubsub CNAME jabber ; Pub-Sub over XMPP -proxy CNAME jabber ; Proxy for file transfer over XMPP +; web UI +;chat CNAME _jabber diff --git a/playbooks/vars.yml b/playbooks/vars.yml index c5f584d..196086c 100644 --- a/playbooks/vars.yml +++ b/playbooks/vars.yml @@ -9,22 +9,4 @@ dns: - zone: domain_name: trans13nrv.eu.org root: - user: root - group: root -www: - user: www-data - group: www-data -movim: - version: "0.26" - path: /var/www/chat.trans13nrv.eu.org - domain: chat.trans13nrv.eu.org -postgres: - user: postgres -nginx: - paths: - sites_enabled: /etc/nginx/sites-enabled - sites_available: /etc/nginx/sites-available - conf_d: /etc/nginx/conf.d -ejabberd: - user: ejabberd - group: ejabberd \ No newline at end of file + user: root \ No newline at end of file
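Review bot: The placeholder records added here use `_jabber` as a host label (`;_jabber A 0.0.0.1`, and as the target of the commented `SRV` and `CNAME` lines); as far as I recall BIND's default `check-names master fail` rejects an underscore in the owner name of an `A` record and in `SRV` target data, so uncommenting these as they stand would stop the zone from loading. If they are meant as a template, use a hostname label such as `jabber` for the address record and the SRV targets, keeping underscore-prefixed names only for the `_xmpp-server._tcp` / `_xmpp-client._tcp` service owners, and check the file with `named-checkzone trans13nrv.eu.org db.trans13nrv.eu.org.zone` before the serial bump goes live. Note also that the apex `@ A` record is dropped along with the XMPP records, so the bare domain no longer has an address; if that is intended it deserves a comment, otherwise it is a silent regression.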
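Review bot: `root.group` is removed from `vars.yml` while `root.user` is kept, and `playbooks/01-primary-ns.yaml` (only partially visible in this diff) is the remaining consumer of these variables; if any of its file or copy tasks still references `{{ root.group }}` it will fail with an undefined-variable error at runtime, so grep that playbook before merging. The file also still ends without a trailing newline on the new side (`\ No newline at end of file`), as the old version did; adding one avoids a spurious diff on the next change. The hunk header shows the `dns:` mapping begins above the hunk.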