Added: mod_http_upload required header for XEP-0363 copmpliance

playbooks/01-primary-ns.yaml

@@ -38,4 +38,4 @@
     - name: Reload bind9 service
       ansible.builtin.service:
         name: bind9
-        state: reloaded
+        state: restarted

playbooks/02-xmpp-server.yaml

@@ -0,0 +1,78 @@
+- name: Configuration of jabber server
+  hosts: chatservers
+
+  tasks:
+    - name: Use variables
+      ansible.builtin.include_vars: vars.yml
+
+    - name: Configure ejabber apt sources
+      ansible.builtin.blockinfile:
+        path: /etc/apt/sources.list.d/process-one-stable.sources
+        create: true
+        block: |
+          Enabled: yes
+          Types: deb
+          URIs: https://repo.process-one.net/deb
+          Suites: stable
+          Components: main
+          Architectures: amd64
+          Signed-By: /etc/apt/keyrings/ejabberd.gpg
+        owner: "{{ root.user }}"
+        group: "{{ root.group }}"
+        mode: "755"
+
+    - name: Create keyrings folder
+      ansible.builtin.file:
+        path: /etc/apt/keyrings
+        state: directory
+        owner: "{{ root.user }}"
+        group: "{{ root.group }}"
+        mode: "755"
+
+    - name: Adding process-one (ejabberd) gpg key to apt keyring
+      ansible.builtin.get_url:
+        url: https://repo.process-one.net/ejabberd.gpg
+        dest: /etc/apt/keyrings/ejabberd.gpg
+        owner: "{{ root.user }}"
+        group: "{{ root.group }}"
+        mode: "755"
+
+    - name: Installing required packages
+      ansible.builtin.package:
+        name:
+          - composer
+          - php-fpm
+          - php-curl
+          - php-mbstring
+          - php-imagick
+          - php-gd
+          - php-pgsql
+          - php-xml
+          - postgresql
+          - nginx
+          - certbot
+          - ejabberd
+          - git
+          - python3-certbot-nginx
+          - python3-psycopg2
+        state: present
+
+    - name: "Ensure movim database is present and accessible"
+      ansible.builtin.include_tasks:
+        file: tasks/chat/database.yml
+
+    - name: "Ensure movim version is installed - v{{ movim.version }}"
+      ansible.builtin.include_tasks:
+        file: tasks/chat/movim.yml
+
+    - name: "Ensure X509 certificates are properly installed"
+      ansible.builtin.include_tasks:
+        file: tasks/chat/x509.yml
+
+    - name: "Ensure nginx is configured"
+      ansible.builtin.include_tasks:
+        file: tasks/chat/nginx.yml
+
+    - name: "Ensure ejabberd is configured"
+      ansible.builtin.include_tasks:
+        file: tasks/chat/ejabberd.yml

playbooks/tasks/chat/database.yml

@@ -0,0 +1,22 @@
+---
+- name: Ensure databases user exist
+  community.postgresql.postgresql_user:
+    user: "{{ item }}"
+    password: "{{ item }}"
+    state: present
+  become_user: "{{ postgres.user }}"
+  become: true
+  with_items:
+    - movim
+    - ejabberd
+
+- name: Ensure databases exist
+  community.postgresql.postgresql_db:
+    name: "{{ item }}"
+    owner: "{{ item }}"
+    state: present
+  become_user: "{{ postgres.user }}"
+  become: true
+  with_items:
+    - movim
+    - ejabberd

playbooks/tasks/chat/ejabberd.yml

@@ -0,0 +1,22 @@
+---
+- name: Create ejabberd configuration file
+  ansible.builtin.copy:
+    src: tasks/chat/files/ejabberd.yml
+    dest: /opt/ejabberd/conf/ejabberd.yml
+    owner: "{{ ejabberd.user }}"
+    group: "{{ ejabberd.group }}"
+    mode: "644"
+
+- name: Create ejabberd upload directory
+  ansible.builtin.file:
+    path: /opt/ejabberd/upload
+    state: directory
+    owner: "{{ ejabberd.user }}"
+    group: "{{ ejabberd.group }}"
+    mode: "755"
+
+- name: Restart ejabberd service
+  ansible.builtin.service:
+    name: ejabberd
+    state: restarted
+

playbooks/tasks/chat/files/ejabberd.yml

@@ -0,0 +1,310 @@
+loglevel: info
+
+log_rotate_count: 0
+
+hosts:
+  - trans13nrv.eu.org
+
+fqdn: xmpp.trans13nrv.eu.org
+
+certfiles:
+  - "/etc/letsencrypt/live/trans13nrv.eu.org/privkey.pem"
+  - "/etc/letsencrypt/live/trans13nrv.eu.org/fullchain.pem"
+
+update_sql_schema: true
+new_sql_schema: true
+sql_type: pgsql
+sql_server: localhost
+sql_database: ejabberd
+sql_username: ejabberd
+sql_password: ejabberd
+auth_method: [sql]
+
+default_db: sql
+
+acme:
+  auto: false
+
+language: fr
+
+define_macro:
+  'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
+  'TLS_OPTIONS':
+    - "no_sslv3"
+    - "no_tlsv1"
+    - "no_tlsv1_1"
+    - "cipher_server_preference"
+    - "no_compression"
+    # 'DH_FILE': "/path/to/dhparams.pem"
+    # generated with: openssl dhparam -out dhparams.pem 2048
+
+c2s_ciphers: 'TLS_CIPHERS'
+s2s_ciphers: 'TLS_CIPHERS'
+c2s_protocol_options: 'TLS_OPTIONS'
+s2s_protocol_options: 'TLS_OPTIONS'
+# c2s_dhfile: 'DH_FILE'
+# s2s_dhfile: 'DH_FILE'
+
+listen:
+  -
+    port: 5222
+    ip: "10.246.201.4"
+    module: ejabberd_c2s
+    max_stanza_size: 262144
+    shaper: c2s_shaper
+    access: c2s
+    starttls: true
+  -
+    port: 5223
+    ip: "10.246.201.4"
+    module: ejabberd_c2s
+    max_stanza_size: 262144
+    shaper: c2s_shaper
+    access: c2s
+    tls: true
+  -
+    port: 5269
+    ip: "10.246.201.4"
+    module: ejabberd_s2s_in
+    max_stanza_size: 524288
+  -
+    port: 5443
+    ip: "10.246.201.4"
+    module: ejabberd_http
+    tls: true
+    protocol_options: 'TLS_OPTIONS'
+    request_handlers:
+      /api: mod_http_api
+      /bosh: mod_bosh
+      ## /captcha: ejabberd_captcha
+      /upload: mod_http_upload
+      /ws: ejabberd_http_ws
+    custom_headers:
+      "Access-Control-Allow-Origin": "*"
+      "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT"
+      "Access-Control-Allow-Headers": "content-type"
+      "Access-Control-Allow-Credentials": "true"
+      "Access-Control-Max-Age": "86400"
+#  -
+#    port: 5280
+#    module: ejabberd_http
+#    tls: false
+#    protocol_options: 'TLS_OPTIONS'
+#    request_handlers: {}
+#      /.well-known/acme-challenge: ejabberd_acme
+#      /admin: ejabberd_web_admin
+  -
+    port: 3478
+    ip: "10.246.201.4"
+    transport: udp
+    module: ejabberd_stun
+    use_turn: true
+    turn_ipv4_address: "137.74.82.131"
+  -
+    port: 1883
+    ip: "10.246.201.4"
+    module: mod_mqtt
+    backlog: 1000
+
+
+## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
+## password storage (see auth_password_format option).
+disable_sasl_mechanisms:
+  - "digest-md5"
+  - "X-OAUTH2"
+
+s2s_use_starttls: required
+
+## Store the plain passwords or hashed for SCRAM:
+auth_password_format: scram
+
+## Full path to a script that generates the image.
+## captcha_cmd: "/usr/share/ejabberd/captcha.sh"
+
+acl:
+  admin:
+    user:
+      - "stupeflo@trans13nrv.eu.org"
+      - "llowin@trans13nrv.eu.org"
+      - "saram@trans13nrv.eu.org"
+      - "margot@trans13nrv.eu.org"
+
+  local:
+    user_regexp: ""
+    server:
+      - "trans13nrv.eu.org"
+  loopback:
+    ip:
+      - 127.0.0.0/8
+      - ::1/128
+
+access_rules:
+  local:
+    allow: local
+  c2s:
+    deny: blocked
+    allow: all
+  announce:
+    allow: admin
+  configure:
+    allow: admin
+  muc_create:
+    allow: local
+  pubsub_createnode:
+    allow: local
+  trusted_network:
+    allow: loopback
+
+api_permissions:
+  "console commands":
+    from:
+      - ejabberd_ctl
+    who: all
+    what: "*"
+  "admin access":
+    who:
+      access:
+        allow:
+          - acl: loopback
+          - acl: admin
+      oauth:
+        scope: "ejabberd:admin"
+        access:
+          allow:
+            - acl: loopback
+            - acl: admin
+    what:
+      - "*"
+      - "!stop"
+      - "!start"
+  "public commands":
+    who:
+      ip: 127.0.0.1/8
+    what:
+      - status
+      - connected_users_number
+
+shaper:
+  normal:
+    rate: 3000
+    burst_size: 20000
+  fast: 200000
+
+shaper_rules:
+  max_user_sessions: 10
+  max_user_offline_messages:
+    5000: admin
+    100: all
+  c2s_shaper:
+    none: admin
+    normal: all
+  s2s_shaper: fast
+
+modules:
+  mod_admin_update_sql: {}
+  mod_adhoc: {}
+  mod_admin_extra: {}
+  mod_announce:
+    access: announce
+  mod_avatar: {}
+  mod_blocking: {}
+  mod_bosh: {}
+  mod_caps: {}
+  mod_carboncopy: {}
+  mod_client_state: {}
+  mod_configure: {}
+  ## mod_delegation: {}   # for xep0356
+  mod_disco: {}
+  mod_fail2ban: {}
+  mod_http_api: {}
+  mod_http_upload:
+    name: "HTTP File Upload"
+    access: local
+    max_size: 104857600 # 100 MiB.
+    file_mode: "0640"
+    dir_mode: "2750"
+    docroot: "/opt/ejabberd/upload/@HOST@"
+    put_url: "https://@HOST@:5443/upload"
+    thumbnail: false
+    custom_headers:
+      "Access-Control-Allow-Origin": "https://domain.tld"
+      "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
+      "Access-Control-Allow-Headers": "Content-Type"
+  mod_last: {}
+  mod_mam:
+    ## Mnesia is limited to 2GB, better to use an SQL backend
+    ## For small servers SQLite is a good fit and is very easy
+    ## to configure. Uncomment this when you have SQL configured:
+    db_type: sql
+    assume_mam_usage: true
+    default: always
+  mod_mqtt: {}
+  mod_muc:
+    access:
+      - allow
+    access_admin:
+      - allow: admin
+    access_create: muc_create
+    access_persistent: muc_create
+    access_mam:
+      - allow
+    default_room_options:
+      mam: true
+    host: muc.trans13nrv.eu.org
+  mod_muc_admin: {}
+  mod_offline:
+    access_max_user_messages: max_user_offline_messages
+  mod_ping: {}
+  mod_pres_counter:
+    count: 5
+    interval: 60
+  mod_privacy: {}
+  mod_private: {}
+  ## mod_proxy65:
+  ##   access: local
+  ##   max_connections: 5
+  mod_pubsub:
+    access_createnode: pubsub_createnode
+    ignore_pep_from_offline: false
+    last_item_cache: false
+    max_items_node: 1000
+    default_node_config:
+      max_items: 1000
+    plugins:
+      - "flat"
+      - "pep"
+    host: pubsub.trans13nrv.eu.org
+    force_node_config:
+      "eu.siacs.conversations.axolotl.*":
+        access_model: open
+      ## Avoid buggy clients to make their bookmarks public
+      storage:bookmarks:
+        access_model: whitelist
+  mod_push: {}
+  mod_push_keepalive: {}
+  ## mod_register:
+  ##   ## Only accept registration requests from the "trusted"
+  ##   ## network (see access_rules section above).
+  ##   ## Think twice before enabling registration from any
+  ##   ## address. See the Jabber SPAM Manifesto for details:
+  ##   ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
+  ##   ip_access: trusted_network
+  mod_register:
+    ip_access: trusted_network
+  mod_roster:
+    versioning: true
+  mod_s2s_dialback: {}
+  mod_shared_roster: {}
+  mod_sic: {}
+  mod_stream_mgmt:
+    resend_on_timeout: if_offline
+  mod_stun_disco: {}
+  mod_vcard:
+    search: false
+  mod_vcard_xupdate: {}
+  mod_version: {}
+
+### Local Variables:
+### mode: yaml
+### End:
+### vim: set filetype=yaml tabstop=8

playbooks/tasks/chat/movim.yml

@@ -0,0 +1,164 @@
+---
+- name: Check Whether movim is present
+  ansible.builtin.stat:
+    path: "{{ movim.path }}"
+  register: "movim_dir"
+
+- name: Check whether movim is installed
+  ansible.builtin.set_fact:
+    movim_is_installed: "{{ movim_dir.stat is defined and movim_dir.stat.isdir }}"
+
+- name: Guess current version
+  block:
+    - name: Check movim installed tag
+      when: movim_is_installed
+      register: "movim_installed_tag"
+      ansible.builtin.shell:
+        argv:
+          - git
+          - describe
+          - --tags
+        chdir: "{{ movim.path }}"
+      become: true
+      become_user: "{{ www.user }}"
+
+    - name: Register current movim version
+      ansible.builtin.set_fact:
+        movim_installed_version: "{{ movim_installed_tag.stdout | regex_replace('^v(\\d+)\\.(\\d+)\\.(\\d+)$', '\\1.\\2.\\3') }}"
+
+- name: Installing
+  when: not movim_is_installed
+  block:
+    - name: Cloning
+      ansible.builtin.git:
+        repo: https://github.com/movim/movim.git
+        dest: "{{ movim.path }}"
+        version: "v{{ movim.version }}"
+
+    - name: Setting Mode and Ownershp
+      ansible.builtin.file:
+        path: "{{ movim.path }}"
+        state: directory
+        owner: "{{ www.user }}"
+        group: "{{ www.group }}"
+        recurse: true
+        mode: "755"
+
+- name: Updating
+  when: movim_is_installed and movim.version is version(movim_installed_version, ">", "semver")
+  block:
+    - name: Fetching
+      ansible.builtin.shell:
+        argv:
+          - git
+          - fetch
+          - --tags
+        chdir: "{{ movim.path }}"
+      become: true
+      become_user: "{{ www.user }}"
+    - name: Checking Out
+      ansible.builtin.shell:
+        argv:
+          - git
+          - checkout
+          - "v{{ movim.version }}"
+        chdir: "{{ movim.path }}"
+      become: true
+      become_user: "{{ www.user }}"
+
+- name: Installing or updating Movim dependanciens
+  community.general.composer:
+    working_dir: "{{ movim.path }}"
+    command: install
+  become: true
+  become_user: "{{ www.user }}"
+
+- name: Setting-Up Movim execution environment
+  ansible.builtin.blockinfile:
+    path: "{{ movim.path }}/.env"
+    block: |
+      # Database configuration
+      DB_DRIVER=pgsql
+      DB_HOST=127.0.0.1
+      DB_PORT=5432
+      DB_DATABASE=movim
+      DB_USERNAME=movim
+      DB_PASSWORD=movim
+
+      # Daemon configuration
+      DAEMON_URL=https://chat.trans13nrv.eu.org/ # Public URL of your Movim instance
+      DAEMON_PORT=8080 # Port on which the daemon will listen
+      DAEMON_INTERFACE=127.0.0.1 # Interface on which the daemon will listen, must be an IP
+      DAEMON_DEBUG=false
+      DAEMON_VERBOSE=false
+
+    owner: "{{ www.user }}"
+    group: "{{ www.group }}"
+    create: true
+    mode: "600"
+
+- name: Migrating Database
+  community.general.composer:
+    command: "movim:migrate"
+    working_dir: "{{ movim.path }}"
+  become: true
+  become_user: "{{ www.user }}"
+
+- name: Setting-Up Movim demon service
+  ansible.builtin.blockinfile:
+    path: /etc/systemd/system/movim.service
+    block: |
+      [Unit]
+      Description=Movim daemon
+      After=nginx.service network.target local-fs.target
+
+      [Service]
+      User=www-data
+      Type=simple
+      Environment=PUBLIC_URL=https://chat.trans13nrv.eu.org/
+      Environment=WS_PORT=8080
+      EnvironmentFile=-/etc/default/movim
+      ExecStart=/usr/bin/php daemon.php start
+      WorkingDirectory={{ movim.path }}
+      StandardOutput=syslog
+      SyslogIdentifier=movim
+      PIDFile=/run/movim.pid
+      Restart=on-failure
+      RestartSec=10
+
+      [Install]
+      WantedBy=multi-user.target
+    owner: "{{ root.user }}"
+    group: "{{ root.group }}"
+    mode: "644"
+    create: true
+
+- name: Ensure demon cache directories exists
+  ansible.builtin.file:
+    path: "{{ item }}"
+    owner: "{{ www.user }}"
+    group: "{{ www.group }}"
+    mode: "755"
+    state: directory
+  with_items:
+    - "{{ movim.path }}/cache"
+    - "{{ movim.path }}/public/cache"
+
+- name: Reload SystemD daemon
+  ansible.builtin.shell:
+    argv:
+      - systemctl
+      - daemon-reload
+
+- name: Enable and restarted Movim Damon Service
+  when: not movim_is_installed
+  ansible.builtin.systemd_service:
+    service: movim.service
+    enabled: true
+    state: restarted
+
+- name: Enable and start Movim Damon Service
+  ansible.builtin.systemd_service:
+    service: movim.service
+    state: restarted
+  when: movim_is_installed

playbooks/tasks/chat/nginx.yml

@@ -0,0 +1,43 @@
+---
+- name: Create auto redirect to TLS for movim
+  ansible.builtin.blockinfile:
+    path: "{{ nginx.paths.sites_available }}/redirect_to_https"
+    block: |
+      server {
+        listen 80 default_server;
+        server_name _;
+        return 301 https://$host$request_uri;
+      }
+    create: true
+
+- name: Create movim website
+  ansible.builtin.template:
+    dest: "{{ nginx.paths.sites_available }}/{{ movim.domain }}"
+    src: tasks/chat/templates/movim.j2
+    owner: "{{ root.user }}"
+    group: "{{ root.group }}"
+    mode: "644"
+
+- name: Enable movim website
+  ansible.builtin.file:
+    state: link
+    dest: "{{ nginx.paths.sites_enabled }}/{{ movim.domain }}"
+    src: "{{ nginx.paths.sites_available }}/{{ movim.domain }}"
+
+- name: Enable auto redirect to TLS
+  ansible.builtin.file:
+    state: link
+    dest: "{{ nginx.paths.sites_enabled }}/redirect_to_https"
+    src: "{{ nginx.paths.sites_available }}/redirect_to_https"
+
+- name: Set access logs to off
+  ansible.builtin.blockinfile:
+    path: "{{ nginx.paths.conf_d }}/10-access_log-disabled.conf"
+    block: |
+      access_log off;
+    create: true
+
+- name: Reload nginx service
+  ansible.builtin.systemd_service:
+    name: nginx
+    state: restarted

playbooks/tasks/chat/templates/ejabberd.yaml.j2

@@ -0,0 +1,275 @@
+loglevel: {{ service.log.level | default("none") }}
+log_rotate_count: {{ service.log.rotate | default("0") }}
+
+hosts:
+{%- for domain in service.domains %}
+  - {{ domain }}
+{%- endfor %}
+
+certfiles:
+  - {{ service.certificate.certfile | default("/etc/ejabberd/ejabberd.pem") }}
+{%- if service.certificate.keyfile %}
+  - service.certificate.keyfile | default("/etc/letsencrypt/live/localhost/fullchain.pem")
+{%- endif %}
+#  - /etc/letsencrypt/live/localhost/privkey.pem
+
+# TLS configuration
+define_macro:
+  'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
+  'TLS_OPTIONS':
+    - "no_sslv3"
+    - "no_tlsv1"
+    - "no_tlsv1_1"
+    - "cipher_server_preference"
+    - "no_compression"
+    # 'DH_FILE': "/path/to/dhparams.pem"
+    # generated with: openssl dhparam -out dhparams.pem 2048
+
+c2s_ciphers: 'TLS_CIPHERS'
+s2s_ciphers: 'TLS_CIPHERS'
+c2s_protocol_options: 'TLS_OPTIONS'
+s2s_protocol_options: 'TLS_OPTIONS'
+# c2s_dhfile: 'DH_FILE'
+# s2s_dhfile: 'DH_FILE'
+
+listen:
+  -
+    port: 5222
+    ip: "::"
+    module: ejabberd_c2s
+    max_stanza_size: 262144
+    shaper: c2s_shaper
+    access: c2s
+    starttls_required: true
+    protocol_options: 'TLS_OPTIONS'
+  -
+    port: 5223
+    ip: "::"
+    module: ejabberd_c2s
+    max_stanza_size: 262144
+    shaper: c2s_shaper
+    access: c2s
+    tls: true
+    protocol_options: 'TLS_OPTIONS'
+  -
+    port: 5269
+    ip: "::"
+    module: ejabberd_s2s_in
+    max_stanza_size: 524288
+  -
+    port: 5443
+    ip: "::"
+    module: ejabberd_http
+    tls: true
+    protocol_options: 'TLS_OPTIONS'
+    request_handlers:
+      /api: mod_http_api
+      /bosh: mod_bosh
+      ## /captcha: ejabberd_captcha
+      ## /upload: mod_http_upload
+      /ws: ejabberd_http_ws
+  -
+    port: 5280
+    ip: "::"
+    module: ejabberd_http
+    tls: true
+    protocol_options: 'TLS_OPTIONS'
+    request_handlers:
+      /admin: ejabberd_web_admin
+      /.well-known/acme-challenge: ejabberd_acme
+  -
+    port: 3478
+    ip: "::"
+    transport: udp
+    module: ejabberd_stun
+    use_turn: true
+    ## The server's public IPv4 address:
+    # turn_ipv4_address: "203.0.113.3"
+    ## The server's public IPv6 address:
+    # turn_ipv6_address: "2001:db8::3"
+  -
+    port: 1883
+    ip: "::"
+    module: mod_mqtt
+    backlog: 1000
+
+
+## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
+## password storage (see auth_password_format option).
+disable_sasl_mechanisms:
+  - "digest-md5"
+  - "X-OAUTH2"
+
+s2s_use_starttls: required
+
+## Store the plain passwords or hashed for SCRAM:
+auth_password_format: scram
+
+## Full path to a script that generates the image.
+## captcha_cmd: "/usr/share/ejabberd/captcha.sh"
+
+acl:
+  admin:
+     user:
+       - ""
+
+  local:
+    user_regexp: ""
+  loopback:
+    ip:
+      - 127.0.0.0/8
+      - ::1/128
+
+access_rules:
+  local:
+    allow: local
+  c2s:
+    deny: blocked
+    allow: all
+  announce:
+    allow: admin
+  configure:
+    allow: admin
+  muc_create:
+    allow: local
+  pubsub_createnode:
+    allow: local
+  trusted_network:
+    allow: loopback
+
+api_permissions:
+  "console commands":
+    from:
+      - ejabberd_ctl
+    who: all
+    what: "*"
+  "admin access":
+    who:
+      access:
+        allow:
+          - acl: loopback
+          - acl: admin
+      oauth:
+        scope: "ejabberd:admin"
+        access:
+          allow:
+            - acl: loopback
+            - acl: admin
+    what:
+      - "*"
+      - "!stop"
+      - "!start"
+  "public commands":
+    who:
+      ip: 127.0.0.1/8
+    what:
+      - status
+      - connected_users_number
+
+shaper:
+  normal:
+    rate: 3000
+    burst_size: 20000
+  fast: 200000
+
+shaper_rules:
+  max_user_sessions: 10
+  max_user_offline_messages:
+    5000: admin
+    100: all
+  c2s_shaper:
+    none: admin
+    normal: all
+  s2s_shaper: fast
+
+modules:
+  mod_adhoc: {}
+  mod_admin_extra: {}
+  mod_announce:
+    access: announce
+  mod_avatar: {}
+  mod_blocking: {}
+  mod_bosh: {}
+  mod_caps: {}
+  mod_carboncopy: {}
+  mod_client_state: {}
+  mod_configure: {}
+  ## mod_delegation: {}   # for xep0356
+  mod_disco: {}
+  mod_fail2ban: {}
+  mod_http_api: {}
+  ## mod_http_upload:
+  ##   put_url: https://@HOST@:5443/upload
+  ##   custom_headers:
+  ##     "Access-Control-Allow-Origin": "https://@HOST@"
+  ##     "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
+  ##     "Access-Control-Allow-Headers": "Content-Type"
+  mod_last: {}
+  ## mod_mam:
+  ##   ## Mnesia is limited to 2GB, better to use an SQL backend
+  ##   ## For small servers SQLite is a good fit and is very easy
+  ##   ## to configure. Uncomment this when you have SQL configured:
+    ##   ## db_type: sql
+  ##   assume_mam_usage: true
+  ##   default: always
+  mod_mqtt: {}
+  mod_muc:
+    access:
+      - allow
+    access_admin:
+      - allow: admin
+    access_create: muc_create
+    access_persistent: muc_create
+    access_mam:
+      - allow
+    default_room_options:
+      mam: true
+  mod_muc_admin: {}
+  mod_offline:
+    access_max_user_messages: max_user_offline_messages
+  mod_ping: {}
+  mod_pres_counter:
+    count: 5
+    interval: 60
+  mod_privacy: {}
+  mod_private: {}
+  ## mod_proxy65:
+  ##   access: local
+  ##   max_connections: 5
+  mod_pubsub:
+    access_createnode: pubsub_createnode
+    plugins:
+      - flat
+      - pep
+    force_node_config:
+      "eu.siacs.conversations.axolotl.*":
+        access_model: open
+      ## Avoid buggy clients to make their bookmarks public
+      storage:bookmarks:
+        access_model: whitelist
+  mod_push: {}
+  mod_push_keepalive: {}
+  ## mod_register:
+  ##   ## Only accept registration requests from the "trusted"
+  ##   ## network (see access_rules section above).
+  ##   ## Think twice before enabling registration from any
+  ##   ## address. See the Jabber SPAM Manifesto for details:
+  ##   ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
+  ##   ip_access: trusted_network
+  mod_roster:
+    versioning: true
+  mod_s2s_dialback: {}
+  mod_shared_roster: {}
+  mod_sic: {}
+  mod_stream_mgmt:
+    resend_on_timeout: if_offline
+  mod_stun_disco: {}
+  mod_vcard:
+    search: false
+  mod_vcard_xupdate: {}
+  mod_version: {}
+
+### Local Variables:
+### mode: yaml
+### End:
+### vim: set filetype=yaml tabstop=8

playbooks/tasks/chat/templates/movim.j2

@@ -0,0 +1,53 @@
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ movim.domain }};
+	ssl_certificate /etc/letsencrypt/live/{{ movim.domain }}/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/{{ movim.domain }}/privkey.pem;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+
+	# Where Movim public directory is setup
+	root {{ movim.path }}/public;
+
+	index index.php;
+
+	# Ask nginx to cache every URL starting with "/picture"
+	location /picture {
+		set $no_cache 0; # Enable cache only there
+		try_files $uri $uri/ /index.php$is_args$args;
+	}
+
+	location / {
+		set $no_cache 1;
+		try_files $uri $uri/ /index.php$is_args$args;
+	}
+
+	location ~ \.php$ {
+		add_header X-Cache $upstream_cache_status;
+
+		fastcgi_pass unix:/run/php/php8.2-fpm.sock;
+		fastcgi_ignore_headers "Cache-Control" "Expires" "Set-Cookie";
+		fastcgi_cache_valid any 7d;
+		fastcgi_cache_bypass $no_cache;
+		fastcgi_no_cache $no_cache;
+
+		# Pass everything to PHP FastCGI, at the discretion of the administrator
+		include fastcgi.conf;
+	}
+
+	location /ws/ {
+		proxy_pass http://127.0.0.1:8080/;
+		proxy_http_version 1.1;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection "Upgrade";
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto https;
+		proxy_redirect off;
+		proxy_read_timeout 1800s;
+		proxy_send_timeout 1800s;
+	}
+}

playbooks/tasks/chat/x509.yml

@@ -0,0 +1,55 @@
+---
+- name: Disable movim website
+  ansible.builtin.file:
+    path: "{{ nginx.paths.sites_enabled }}/{{ movim.domain }}"
+    state: absent
+
+- name: Disable auto redirect to TLS
+  ansible.builtin.file:
+    path: "{{ nginx.paths.sites_enabled }}/redirect_to_https"
+    state: absent
+
+- name: Enable default website
+  ansible.builtin.file:
+    dest: "{{ nginx.paths.sites_enabled }}/default"
+    src: "{{ nginx.paths.sites_available }}/default"
+    state: link
+
+- name: Install X509 certificates for movim
+  ansible.builtin.command:
+    argv:
+      - certbot
+      - certonly
+      - --agree-tos
+      - -m
+      - psotmaster@trans13nrv.eu.org
+      - --nginx
+      - -d
+      - "{{ movim.domain }}"
+    creates: "/etc/letsencrypt/live/{{ movim.domain }}*/privkey.pem"
+
+- name: Install X509 certificates for ejabberd hosts
+  ansible.builtin.command:
+    argv:
+      - certbot
+      - certonly
+      - --agree-tos
+      - -m
+      - psotmaster@trans13nrv.eu.org
+      - --nginx
+      - -d
+      - trans13nrv.eu.org
+      - -d
+      - xmpp.trans13nrv.eu.org
+      - -d
+      - muc.trans13nrv.eu.org
+      - -d
+      - "pubsub.trans13nrv.eu.org"
+      - -d
+      - upload.trans13nrv.eu.org
+    creates: "/etc/letsencrypt/live/trans13nrv.eu.org/privkey.pem"
+
+- name: Disable default website
+  ansible.builtin.file:
+    path: "{{ nginx.paths.sites_enabled }}/default"
+    state: absent

playbooks/tasks/ns/files/db.trans13nrv.eu.org.zone

@@ -1,31 +1,43 @@
 $ORIGIN trans13nrv.eu.org.
 $TTL 300s
 @   SOA ns1 postmaster (
-                    2024121101 ; Serial
+                    2024052340 ; Serial
                     8h         ; Refresh
                     30m        ; Retry
                     1w         ; Expire
                     1h )       ; Negative Cache TTL
 
 ; name servers
-    NS  ns1
+        NS       ns1
 
-ns1     A       91.134.159.68
+ns1     A       137.74.82.130
 
 ; mailing
-@       MX      10      mail.hebergemoi.fr.
+@       MX      10 mail.hebergemoi.fr.
 
 ;;; XMPP ;;;
-; server IP / name
-;_jabber A   0.0.0.1
-;xmpp    CNAME _jabber
+; server IP
+jabber  A       137.74.82.131
+@       A       137.74.82.131
 
 ; ports
-;_xmpp-server._tcp   IN SRV  0 0 5269 _jabber
-;_xmpp-client._tcp   IN SRV  0 0 5222 _jabber
+_xmpp-server._tcp   IN SRV  5 0 5269 xmpp
+_xmpps-server._tcp  IN SRV  5 0 5270 xmpp
+_xmpp-client._tcp   IN SRV  5 0 5222 xmpp
+_xmpps-client._tcp  IN SRV  5 0 5223 xmpp
 
-; multi-user-chat
-;muc CNAME _jabber
+_stun._udp   IN SRV  5 0 3478 turn
+_stun._tcp   IN SRV  5 0 3478 turn
+_stuns._tcp  IN SRV  5 0 5349 turn
+_turn._udp   IN SRV  5 0 3478 turn
+_turn._tcp   IN SRV  5 0 3478 turn
+_turns._tcp  IN SRV  5 0 5349 turn
 
-; web UI
-;chat    CNAME _jabber
+; Aliases
+xmpp    CNAME   jabber ; XMPP Service
+turn    CNAME   jabber ; VOIP service
+chat    CNAME   jabber ; Web Frontend
+muc     CNAME   jabber ; Multi-User chat
+upload  CNAME   jabber ; Upload over XMPP
+pubsub  CNAME   jabber ; Pub-Sub over XMPP
+proxy   CNAME   jabber ; Proxy for file transfer over XMPP

playbooks/vars.yml

@@ -9,4 +9,22 @@ dns:
   - zone:
       domain_name: trans13nrv.eu.org
 root:
-  user: root
+  user: root
+  group: root
+www:
+  user: www-data
+  group: www-data
+movim:
+  version: "0.26"
+  path: /var/www/chat.trans13nrv.eu.org
+  domain: chat.trans13nrv.eu.org
+postgres:
+  user: postgres
+nginx:
+  paths:
+    sites_enabled: /etc/nginx/sites-enabled
+    sites_available: /etc/nginx/sites-available
+    conf_d: /etc/nginx/conf.d
+ejabberd:
+  user: ejabberd
+  group: ejabberd