From 597664f66ec799bd90f7d0fec987da0cc08532e4 Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Tue, 1 Nov 2022 14:42:38 +0000 Subject: [PATCH 01/10] add my ssh key --- group_vars/all.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/group_vars/all.yml b/group_vars/all.yml index 52e5f65..3840072 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -19,6 +19,7 @@ user_mgmt_default: present: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEay33koXmcBcrDuCQKkCBlw/gKiPtwLswATPqIR7udl fritz@fluorine.grimpen.net" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEyVVwh0cUPxZ/wwRsB8YRsQE/cxjEX6gomS7EPArXuX fritz@NaOH" + - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPSZUs/SgJRKK+NgmifBt8xehIbrpdQtpT9MeRkdwdHU fritz@m1air" absent: [] deelkar: ssh_key: From ca45f138f99cc804c5128280edd01887dbdcaaa6 Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Sat, 26 Nov 2022 20:55:44 +0100 Subject: [PATCH 02/10] Define frab vm for blazr --- bhyve.yml | 11 ----------- group_vars/all.yml | 5 +++++ host_vars/emma.ccchb.de | 21 +++++++++++++++++++++ 3 files changed, 26 insertions(+), 11 deletions(-) diff --git a/bhyve.yml b/bhyve.yml index c741552..2eb4fcc 100644 --- a/bhyve.yml +++ b/bhyve.yml @@ -1,15 +1,4 @@ --- -- hosts: - - localhost - - become: yes - - tasks: - - name: Install passlib - package: - name: py39-netaddr - state: present - - hosts: - emma diff --git a/group_vars/all.yml b/group_vars/all.yml index 3840072..1036635 100644 --- a/group_vars/all.yml +++ b/group_vars/all.yml @@ -31,3 +31,8 @@ user_mgmt_default: present: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDSHkU00aO4U98ikMiiiWiEeRj/597UzFcFctwY8iwLy humm@fluorine" absent: [] + blazr: + ssh_key: + present: + - "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDbxgesllBFfJUfwYX58rZln0ZpOq/Jyp361OmKohiQFHUyWK6wlPqDmfhqJuLPkAZQOjmK25gvLQXJ19+y1arjtGgbgf2nrjkCJ1l/2SHIa088DVYvZDLly+cSDMOUwgM1bzlKrHYK5asFihM+XJDV2oKUBIWaVNLHK99hpmiDXQ== jollyjinx@planetexpress.local" + absent: [] 
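Review bot: The `ssh-rsa` key added for `blazr` in `group_vars/all.yml` is a 1024-bit RSA key: the `AAAAgQ` length prefix that follows the exponent decodes to a 129-byte modulus, whereas every other key in this file is ssh-ed25519. 1024 bits is the smallest size current OpenSSH still accepts by default (`RequiredRSASize`) and is well below the usual 2048-bit floor, and PATCH 03 later places this account in `sudo` on the frab VM. Ask for an ed25519 (or at least 3072-bit RSA) key before merging; the `present:`/`absent:` structure itself is fine.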
diff --git a/host_vars/emma.ccchb.de b/host_vars/emma.ccchb.de index 37db5a9..569c898 100644 --- a/host_vars/emma.ccchb.de +++ b/host_vars/emma.ccchb.de @@ -40,6 +40,8 @@ haproxy_http: addr: '2a01:4f8:150:926f::13' - host: 'element.ccchb.de' addr: '2a01:4f8:150:926f::13' + - host: 'frab.ccchb.de' + addr: '2a01:4f8:150:926f::17' haproxy_sni: - host: 'ccchb.de' @@ -68,6 +70,8 @@ haproxy_sni: addr: '2a01:4f8:150:926f::13' - host: 'element.ccchb.de' addr: '2a01:4f8:150:926f::13' + - host: 'frab.ccchb.de' + addr: '2a01:4f8:150:926f::17' bhyve_ipv4: 10.0.0.0 bhyve_ipv6: 2a01:4f8:150:926f::4 @@ -219,3 +223,20 @@ bhyve_guests: volsize: 128g volblocksize: 64k primarycache: metadata + + - name: frab + index: 9 + enabled: true + ram: 1G + cpus: 1 + image: ubuntu-22.04.1-live-server-amd64.iso + password: foobar + order: + - ISO + - DISKS + disks: + - name: disk + properties: + volsize: 128g + volblocksize: 64k + primarycache: metadata From f5a258b9a1c811bbac2322250a362e2f4ebcd073 Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Sat, 26 Nov 2022 22:38:59 +0100 Subject: [PATCH 03/10] Changes --- bhyve.yml | 1 + debian.yml | 1 - group_vars/debian | 4 ++-- host_vars/emma.ccchb.de | 1 - host_vars/frab.emma.ccchb.de.yml | 15 +++++++++++++++ hosts/10_frab | 2 ++ site.yml | 1 + users.yml | 6 ++++++ 8 files changed, 27 insertions(+), 4 deletions(-) create mode 100644 host_vars/frab.emma.ccchb.de.yml create mode 100644 hosts/10_frab create mode 100644 users.yml diff --git a/bhyve.yml b/bhyve.yml index 2eb4fcc..05fc900 100644 --- a/bhyve.yml +++ b/bhyve.yml @@ -3,6 +3,7 @@ - emma become: yes + tags: bhyve roles: - bhyve diff --git a/debian.yml b/debian.yml index 5e48cde..a80ff5f 100644 --- a/debian.yml +++ b/debian.yml @@ -3,4 +3,3 @@ become: yes roles: - debian - - { role: user_mgmt, tags: [user_mgmt]} diff --git a/group_vars/debian b/group_vars/debian index bc7ba4f..b4f76d2 100644 --- a/group_vars/debian +++ b/group_vars/debian 
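Review bot: The new `frab` guest in `host_vars/emma.ccchb.de` sets `password: foobar`, a plaintext credential committed to the repository. If this is the installer or console password for the VM, move it to a vaulted variable (e.g. `password: "{{ vault_frab_password }}"`) or at least rotate it after first boot, and do the same for the other guests' `password:` keys if they follow this pattern — they are outside the hunk. The `bhyve_guests` list begins outside this hunk.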
@@ -1,5 +1,5 @@ --- -ansible_python_interpreter: /usr/bin/python3.7 +ansible_python_interpreter: /usr/bin/python3 dns: 213.133.98.98 8.8.8.8 ipv6_subnet: '2a01:4f8:150:926f::' @@ -8,6 +8,6 @@ ipv4_subnet: 10.0.0.0 ipv6: '{{ ipv6_subnet | ipmath(2 * (vm_index +2)+1) }}/127' ipv6route: '{{ ipv6_subnet | ipmath(2 * (vm_index +2)) }}' -ansible_ssh_host: '{{ ipv4_subnet | ipmath(2 * vm_index +1) }}' +#ansible_ssh_host: '{{ ipv4_subnet | ipmath(2 * vm_index +1) }}' ipv4: '{{ ipv4_subnet | ipmath(2 * vm_index +1) }}/31' ipv4route: '{{ ipv4_subnet | ipmath(2 * vm_index) }}' diff --git a/host_vars/emma.ccchb.de b/host_vars/emma.ccchb.de index 569c898..8caeff6 100644 --- a/host_vars/emma.ccchb.de +++ b/host_vars/emma.ccchb.de @@ -232,7 +232,6 @@ bhyve_guests: image: ubuntu-22.04.1-live-server-amd64.iso password: foobar order: - - ISO - DISKS disks: - name: disk diff --git a/host_vars/frab.emma.ccchb.de.yml b/host_vars/frab.emma.ccchb.de.yml new file mode 100644 index 0000000..3d170bb --- /dev/null +++ b/host_vars/frab.emma.ccchb.de.yml @@ -0,0 +1,15 @@ +vm_index: 9 + +user_mgmt: + crest: + state: present + groups: sudo + fritz: + state: present + groups: sudo + humm: + state: present + groups: sudo + blazr: + state: present + groups: sudo diff --git a/hosts/10_frab b/hosts/10_frab new file mode 100644 index 0000000..b0b1f7b --- /dev/null +++ b/hosts/10_frab @@ -0,0 +1,2 @@ +[frab] +frab.emma.ccchb.de \ No newline at end of file diff --git a/site.yml b/site.yml index 845bad0..7d5f227 100644 --- a/site.yml +++ b/site.yml @@ -7,3 +7,4 @@ - import_playbook: mail.yml - import_playbook: restic.yml - import_playbook: wiki.yml +- import_playbook: users.yml diff --git a/users.yml b/users.yml new file mode 100644 index 0000000..ea6b615 --- /dev/null +++ b/users.yml @@ -0,0 +1,6 @@ +--- +- hosts: debian frab + become: yes + tags: [user_mgmt] + roles: + - user_mgmt From 3ad3372f84300feea909f973146b32baaf5afbc9 Mon Sep 17 00:00:00 2001 
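Review bot: `#ansible_ssh_host: '{{ ipv4_subnet | ipmath(2 * vm_index +1) }}'` in `group_vars/debian` leaves a commented-out variable with no explanation; either delete the line or state the reason, e.g. `# ansible_ssh_host intentionally unset: hosts are reached via their inventory name`. With it unset Ansible connects to the inventory hostname (`frab.emma.ccchb.de` in the new `hosts/10_frab`), so that name must resolve from the controller. Separately, the `ipmath` filter on the surrounding lines needs the netaddr Python library, and PATCH 02 removed the localhost play in `bhyve.yml` that installed `py39-netaddr`; confirm it is still provided on the controller.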
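Review bot: All four accounts in the new `host_vars/frab.emma.ccchb.de.yml` get `groups: sudo`, so each of them (including `blazr`, whose key was added in PATCH 02) becomes an administrator of the VM. If only some of them operate frab, drop `groups: sudo` for the rest, or add a comment stating why everyone needs it, e.g. `# all listed users administer the frab VM`.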
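Review bot: The playbook imported here is `site.yml`, but the README added in PATCH 05 documents the invocation as `ansible-playbook -i hosts/ [-l HOSTS] [-t TAGS] sites.yml`, naming a file that appears nowhere else in this series. The README line should read `site.yml`.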
From: Fritz Grimpen Date: Sat, 26 Nov 2022 23:49:01 +0000 Subject: [PATCH 04/10] Jabber stuff --- jabber.yml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 jabber.yml diff --git a/jabber.yml b/jabber.yml new file mode 100644 index 0000000..7ecba0d --- /dev/null +++ b/jabber.yml @@ -0,0 +1,8 @@ +--- +- hosts: + - jabber + become: yes + tags: [jabber] + roles: + - certbot + - prosody From e53fbcb802abf8261cb913a8a9f26c2e8e64d182 Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Sat, 26 Nov 2022 23:50:39 +0000 Subject: [PATCH 05/10] Add rudimentary README --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 373c6a4..af86f26 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,7 @@ # ansible -CCC HB Ansible \ No newline at end of file +CCC HB Ansible + +## Deployment + + ansible-playbook -i hosts/ [-l HOSTS] [-t TAGS] sites.yml From 6a7110194d148c38d89ce60844272ee28ff91db1 Mon Sep 17 00:00:00 2001 From: Fritz Conrad Grimpen Date: Thu, 29 Dec 2022 19:13:28 +0100 Subject: [PATCH 06/10] Foo --- roles/prosody/defaults/main.yml | 36 ----- roles/prosody/templates/nginx.j2 | 4 + roles/prosody/templates/prosody.cfg.lua.j2 | 159 +++++++++++++-------- 3 files changed, 102 insertions(+), 97 deletions(-) diff --git a/roles/prosody/defaults/main.yml b/roles/prosody/defaults/main.yml index ebd029b..bbadc9c 100644 --- a/roles/prosody/defaults/main.yml +++ b/roles/prosody/defaults/main.yml 
@@ -3,42 +3,6 @@ prosody_domain: "jabber.ccchb.de" prosody_ssl_cert: "/etc/letsencrypt/live/{{ prosody_domain }}/fullchain.pem" prosody_ssl_key: "/etc/letsencrypt/live/{{ prosody_domain }}/privkey.pem" prosody_allow_registration: false -prosody_modules: - - roster - - saslauth - - tls - - dialback - - disco - - private - - bookmarks - - vcard - - proxy65 - - legacyauth - - version - - uptime - - time - - ping - - pep - - register - - adhoc - - admin_adhoc - - posix - - bosh - - websocket - - groups - - announce - - watchregistrations - - blocking - - smacks - - carbons - - cloud_notify - - csi - - mam - - filter_chatstates - - throttle_presence - - http_upload - - turncredentials - - vcard_legacy prosody_nginx_install: true prosody_nginx_conf: | diff --git a/roles/prosody/templates/nginx.j2 b/roles/prosody/templates/nginx.j2 index bf6f639..6609a1d 100644 --- a/roles/prosody/templates/nginx.j2 +++ b/roles/prosody/templates/nginx.j2 @@ -15,4 +15,8 @@ server { proxy_set_header Host {{ prosody_domain }}; proxy_pass http://127.0.0.1:5280/upload; } + + location /file_share { + proxy_pass http://127.0.0.1:5280/file_share; + } } diff --git a/roles/prosody/templates/prosody.cfg.lua.j2 b/roles/prosody/templates/prosody.cfg.lua.j2 index 6ac7996..32dfeae 100644 --- a/roles/prosody/templates/prosody.cfg.lua.j2 +++ b/roles/prosody/templates/prosody.cfg.lua.j2 @@ -1,5 +1,15 @@ -- Prosody XMPP Server Configuration --- {{ ansible_managed }} +-- +-- Information on configuring Prosody can be found on our +-- website at http://prosody.im/doc/configure +-- +-- Tip: You can check that the syntax of this file is correct +-- when you have finished by running: luac -p prosody.cfg.lua +-- If there are any errors, it will let you know what and where +-- they are, otherwise it will keep quiet. +-- +-- Good luck, and happy Jabbering! + ---------- Server-wide settings ---------- -- Settings in this section apply to the whole server and are the default settings 
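Review bot: The new `location /file_share` block omits the `proxy_set_header Host {{ prosody_domain }};` that the `/upload` block directly above passes, so Prosody receives nginx's default `Host` of `$proxy_host` (`127.0.0.1:5280`) instead of the XMPP domain. Add `proxy_set_header Host {{ prosody_domain }};` before the `proxy_pass`. Since the Lua template in this same patch sets `trusted_proxies`, Prosody presumably expects `X-Forwarded-For` and `X-Forwarded-Proto` from nginx as well; neither appears in the hunk, and the `server { ... }` block begins outside it, so confirm they are set.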
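Review bot: The rewritten header of `prosody.cfg.lua.j2` drops the `-- {{ ansible_managed }}` line, so the rendered config no longer tells an operator that it is generated by Ansible and will be overwritten on the next run. Keep `-- {{ ansible_managed }}` directly under the title; the upstream boilerplate about `luac -p` can stay below it.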
@@ -13,27 +23,62 @@ admins = { "deelkar@jabber.ccchb.de", "freak@jabber.ccchb.de", "jali@jabber.ccch -- Enable use of libevent for better performance under high load -- For more information see: http://prosody.im/doc/libevent -use_libevent = false; - -plugin_paths = { "/opt/prosody-modules" } +use_libevent = true; -- This is the list of modules Prosody will load on startup. -- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too. -- Documentation on modules can be found at: http://prosody.im/doc/modules modules_enabled = { - {% for module in prosody_modules %} - "{{ module }}"; - {% endfor %} + + -- Generally required + "roster"; -- Allow users to have a roster. Recommended ;) + "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in. + "tls"; -- Add support for secure TLS on c2s/s2s connections + "dialback"; -- s2s dialback support + "disco"; -- Service discovery + "posix"; -- POSIX functionality, sends server to background, enables syslog, etc. + + -- Not essential, but recommended + "private"; -- Private XML storage (for room bookmarks, etc.) 
+ "vcard"; -- Allow users to set vCards + + -- These are commented by default as they have a performance impact + --"privacy"; -- Support privacy lists + --"compression"; -- Stream compression (requires the lua-zlib package installed) + + -- Nice to have + "version"; -- Replies to server version requests + "uptime"; -- Report how long server has been running + "time"; -- Let others know the time here on this server + "ping"; -- Replies to XMPP pings with pongs + "pep"; -- Enables users to publish their mood, activity, playing music and more + "register"; -- Allow users to register on this server using a client and change passwords + + -- Admin interfaces + "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands + --"admin_telnet"; -- Opens telnet console interface on localhost port 5582 + + -- HTTP modules + "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP" + "http_files"; -- Serve static files from a directory over HTTP + "http_file_share"; + + -- Other specific functionality + "groups"; -- Shared roster support + --"announce"; -- Send announcement to all online users + --"welcome"; -- Welcome users who register accounts + "watchregistrations"; -- Alert admins of registrations + --"motd"; -- Send a message to users when they log in + --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots. + "turn_external"; }; --- These modules are auto-loaded, should you --- (for some mad reason) want to disable --- them then uncomment them below +-- These modules are auto-loaded, but should you want +-- to disable them then uncomment them here: modules_disabled = { - -- "presence"; -- Route user/contact status information - -- "message"; -- Route messages - -- "iq"; -- Route info queries -- "offline"; -- Store offline messages + -- "c2s"; -- Handle client connections + -- "s2s"; -- Handle server-to-server connections }; -- Disable account creation by default, for security 
@@ -42,26 +87,33 @@ allow_registration = {{ prosody_allow_registration }}; -- These are the SSL/TLS-related settings. If you don't want -- to use SSL/TLS, you may comment or remove this --- *** DUMMY CERT *** DO NOT CHANGE *** SET CERT IN HOST SECTION *** -ssl = { - protocol = "sslv23"; - key = "{{ prosody_ssl_key }}"; - certificate = "{{ prosody_ssl_cert }}"; - dhparam = "/etc/prosody/certs/dh-2048.pem"; - options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" }; - ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM"; -} -legacy_ssl_ports = { 5223 } -http_external_url = "https://{{ prosody_domain }}/" --- Only allow encrypted streams? Encryption is already used when --- available. These options will cause Prosody to deny connections that --- are not encrypted. Note that some servers do not support s2s --- encryption or have it disabled, including gmail.com and Google Apps --- domains. +-- Force clients to use encrypted connections? This option will +-- prevent clients from authenticating unless they are using encryption. ---c2s_require_encryption = false ---s2s_require_encryption = false +c2s_require_encryption = true + +-- Force certificate authentication for server-to-server connections? +-- This provides ideal security, but requires servers you communicate +-- with to support encryption AND present valid, trusted certificates. +-- NOTE: Your version of LuaSec must support certificate verification! +-- For more information see http://prosody.im/doc/s2s#security + +s2s_secure_auth = false + +-- Many servers don't support encryption or have invalid or self-signed +-- certificates. You can list domains here that will not be required to +-- authenticate using certificates. They will be authenticated using DNS. 
+ +--s2s_insecure_domains = { "gmail.com" } + +-- Even if you leave s2s_secure_auth disabled, you can still require valid +-- certificates for some domains by specifying a list here. + +--s2s_secure_domains = { "jabber.org" } + +-- Required for init scripts and prosodyctl +pidfile = "/var/run/prosody/prosody.pid" -- Select the authentication backend to use. The 'internal' providers -- use Prosody's configured data storage to store the authentication data. 
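Review bot: `s2s_secure_auth = false` on the new side means remote servers are authenticated by DNS dialback rather than by certificate, as the hunk's own comment explains. Unless specific peers are known to lack valid certificates, prefer `s2s_secure_auth = true` and list those peers in `s2s_insecure_domains`, which the hunk already shows commented out. `s2s_require_encryption` is not set anywhere in the hunk, so whether unencrypted server-to-server connections are accepted depends on the Prosody version's default; make it explicit with `s2s_require_encryption = true` next to `c2s_require_encryption`. Removing the global `ssl = { ... }` table (with its `dhparam`, `options` and `ciphers`) leaves only the VirtualHost-level table further down, so the https listener and the components presumably fall back to LuaSec defaults for those settings — confirm that is intended.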
@@ -84,35 +136,16 @@ authentication = "internal_hashed" --sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" } --sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" } - --- STUN/TURN ---turncredentials_host = "jabber.emma.ccchb.de" -turncredentials_host = "einstein.cskreie.de" -turncredentials_secret = "gabbagabbahey" - - --- HTTP-UPLOAD -http_upload_file_size_limit = 10485760 -- 10M -http_max_content_size = 20971520 -- 20M -http_upload_quota = 104857600 -- 100M -http_upload_expire_after = 2592000 -- 30d - -- Logging configuration -- For advanced logging see http://prosody.im/doc/logging --- Hint: If you create a new log file or rename them, don't forget --- to update the logrotate config at /etc/logrotate.d/prosody log = { - -- Log all error messages to prosody.err error = "/var/log/prosody/prosody.err"; - -- Log everything of level "info" and higher (that is, all except "debug" messages) - -- to prosody.log - -- info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging - -- debug = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging - --"*syslog"; -- Uncomment this for logging to syslog } --- Pidfile, used by prosodyctl and the init.d script -pidfile = "/var/run/prosody/prosody.pid"; +http_external_url = "https://{{ prosody_domain }}/" +trusted_proxies = { "127.0.0.1", "::1", "192.168.1.1", } +turn_external_host = "einstein.cskreie.de" +turn_external_secret = "gabbagabbahey" ----------- Virtual hosts ----------- -- You need to add a VirtualHost entry for each domain you wish Prosody to serve. 
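Review bot: `turn_external_secret = "gabbagabbahey"` hard-codes the TURN shared secret into a template committed to the repository, so anyone with read access to the repo can mint valid TURN credentials for `einstein.cskreie.de`. Move it to a vaulted variable (`turn_external_secret = "{{ prosody_turn_secret }}"` with `prosody_turn_secret` defined in vault, not in `defaults/main.yml`); PATCH 08 does parameterise it but places the same literal in `roles/prosody/defaults/main.yml`, which has the same exposure. The `"192.168.1.1"` entry in `trusted_proxies` matches nothing visible in the role (nginx proxies from 127.0.0.1), and any host reaching Prosody from that address could set arbitrary client addresses via X-Forwarded-For; remove it unless it is a real upstream proxy. The removed `turncredentials_secret` carried the same value, so rotating the secret on the TURN server is advisable regardless of where it ends up being stored.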
@@ -131,9 +164,9 @@ VirtualHost "{{ prosody_domain }}" protocol = "sslv23"; key = "{{ prosody_ssl_key }}"; certificate = "{{ prosody_ssl_cert }}"; - dhparam = "/etc/prosody/certs/dh-2048.pem"; - options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" }; - ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM"; + dhparam = "/etc/prosody/certs/dh-2048.pem"; + options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" }; + ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM"; } ------ Components ------ @@ -142,10 +175,15 @@ VirtualHost "{{ prosody_domain }}" -- For more information on components, see http://prosody.im/doc/components ---Set up a MUC (multi-user chat) room server on conference.example.com: +--Component "conference.example.com" "muc" Component "muc.{{ prosody_domain }}" "muc" -modules_enabled = { - "vcard_muc", "muc_mam", -} + modules_enabled = { + "vcard_muc", + "muc_mam" + } + +Component "upload.{{ prosody_domain }}" "http_file_share" + -- Set up a SOCKS5 bytestream proxy for server-proxied file transfers: --Component "proxy.example.com" "proxy65" @@ -157,4 +195,3 @@ modules_enabled = { -- --Component "gateway.example.com" -- component_secret = "password" - From 01647698b29f62027c8ca6997285a42930a4938d Mon Sep 17 00:00:00 2001 From: Fritz Conrad Grimpen Date: Sat, 31 Dec 2022 04:29:35 +0100 Subject: [PATCH 07/10] roles/prosody: Current configuration --- roles/prosody/defaults/main.yml | 4 ++-- roles/prosody/tasks/main.yml | 2 +- roles/prosody/templates/prosody.cfg.lua.j2 | 7 +++++++ 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/roles/prosody/defaults/main.yml b/roles/prosody/defaults/main.yml index bbadc9c..b642916 100644 --- a/roles/prosody/defaults/main.yml 
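Review bot: The new `Component "upload.{{ prosody_domain }}" "http_file_share"` carries none of the limits the previous hunk removed with the `http_upload_*` options (10M file size, 100M quota, 30d expiry), so uploads fall back to mod_http_file_share's built-in defaults. Carry them over under the component as `http_file_share_size_limit`, `http_file_share_daily_quota` and `http_file_share_expires_after`, ideally as role variables so hosts can tune them. The Components section continues outside the hunk.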
+++ b/roles/prosody/defaults/main.yml @@ -1,7 +1,7 @@ --- prosody_domain: "jabber.ccchb.de" -prosody_ssl_cert: "/etc/letsencrypt/live/{{ prosody_domain }}/fullchain.pem" -prosody_ssl_key: "/etc/letsencrypt/live/{{ prosody_domain }}/privkey.pem" +prosody_ssl_cert: "/etc/prosody/certs/fullchain.pem" +prosody_ssl_key: "/etc/prosody/certs/privkey.pem" prosody_allow_registration: false prosody_nginx_install: true diff --git a/roles/prosody/tasks/main.yml b/roles/prosody/tasks/main.yml index fffe4b6..19464ed 100644 --- a/roles/prosody/tasks/main.yml +++ b/roles/prosody/tasks/main.yml @@ -16,6 +16,6 @@ - name: Configure prosody template: src: prosody.cfg.lua.j2 - dest: /etc/prosody/prosody_test.cfg.lua + dest: /etc/prosody/prosody.cfg.lua ... diff --git a/roles/prosody/templates/prosody.cfg.lua.j2 b/roles/prosody/templates/prosody.cfg.lua.j2 index 32dfeae..20b182d 100644 --- a/roles/prosody/templates/prosody.cfg.lua.j2 +++ b/roles/prosody/templates/prosody.cfg.lua.j2 @@ -56,6 +56,7 @@ modules_enabled = { -- Admin interfaces "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands + "admin_shell"; --"admin_telnet"; -- Opens telnet console interface on localhost port 5582 -- HTTP modules @@ -71,6 +72,12 @@ modules_enabled = { --"motd"; -- Send a message to users when they log in --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots. "turn_external"; + "carbons"; + "blocklist"; + "mam"; + "csi_simple"; + "vcard_legacy"; + "proxy65"; }; -- These modules are auto-loaded, but should you want From 8b43765a279a092d6218961c586f3561b3a614bd Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Wed, 20 Dec 2023 20:26:48 +0000 Subject: [PATCH 08/10] Update Prosody config --- roles/prosody/defaults/main.yml | 4 + roles/prosody/templates/prosody.cfg.lua.j2 | 194 +++++---------------- 2 files changed, 45 insertions(+), 153 deletions(-) 
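Review bot: The `Configure prosody` template task in `roles/prosody/tasks/main.yml` now writes the live `/etc/prosody/prosody.cfg.lua` but has no `validate:` step, so a Lua syntax error in the rendered file only surfaces when Prosody fails to reload. Add `validate: "luac -p %s"` (using whatever Lua compiler binary is installed alongside Prosody) so the rendered file is checked before it replaces the current config. Whether the task notifies a reload handler is not visible here; the task list begins outside the hunk.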
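Review bot: `"proxy65";` is added to the global `modules_enabled`, but mod_proxy65 is a component module — the template's own commented `--Component "proxy.example.com" "proxy65"` line reflects this — so listing it here presumably does not start a SOCKS5 proxy and may log an error at load time. Either remove it from `modules_enabled` or define `Component "proxy.{{ prosody_domain }}" "proxy65"` alongside the muc and upload components. `"mam"` is enabled without an `archive_expires_after` setting anywhere in the hunk, so message retention relies on the module default; consider stating it explicitly.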
diff --git a/roles/prosody/defaults/main.yml b/roles/prosody/defaults/main.yml index b642916..46c0762 100644 --- a/roles/prosody/defaults/main.yml +++ b/roles/prosody/defaults/main.yml @@ -4,6 +4,10 @@ prosody_ssl_cert: "/etc/prosody/certs/fullchain.pem" prosody_ssl_key: "/etc/prosody/certs/privkey.pem" prosody_allow_registration: false +prosody_http_url: "https://jabber.ccchb.de/" +prosody_turn_server: "einstein.cskreie.de" +prosody_turn_secret: "gabbagabbahey" + prosody_nginx_install: true prosody_nginx_conf: | listen [::]:443 ssl http2; diff --git a/roles/prosody/templates/prosody.cfg.lua.j2 b/roles/prosody/templates/prosody.cfg.lua.j2 index 20b182d..5e552da 100644 --- a/roles/prosody/templates/prosody.cfg.lua.j2 +++ b/roles/prosody/templates/prosody.cfg.lua.j2 
@@ -1,166 +1,73 @@ --- Prosody XMPP Server Configuration --- --- Information on configuring Prosody can be found on our --- website at http://prosody.im/doc/configure --- --- Tip: You can check that the syntax of this file is correct --- when you have finished by running: luac -p prosody.cfg.lua --- If there are any errors, it will let you know what and where --- they are, otherwise it will keep quiet. --- --- Good luck, and happy Jabbering! +-- {{ ansible_managed }} - ----------- Server-wide settings ---------- --- Settings in this section apply to the whole server and are the default settings --- for any virtual hosts - --- This is a (by default, empty) list of accounts that are admins --- for the server. Note that you must create the accounts separately --- (see http://prosody.im/doc/creating_accounts for info) --- Example: admins = { "user1@example.com", "user2@example.net" } admins = { "deelkar@jabber.ccchb.de", "freak@jabber.ccchb.de", "jali@jabber.ccchb.de" } --- Enable use of libevent for better performance under high load --- For more information see: http://prosody.im/doc/libevent use_libevent = true; - --- This is the list of modules Prosody will load on startup. --- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too. --- Documentation on modules can be found at: http://prosody.im/doc/modules modules_enabled = { - -- Generally required - "roster"; -- Allow users to have a roster. Recommended ;) - "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in. - "tls"; -- Add support for secure TLS on c2s/s2s connections - "dialback"; -- s2s dialback support - "disco"; -- Service discovery - "posix"; -- POSIX functionality, sends server to background, enables syslog, etc. - - -- Not essential, but recommended - "private"; -- Private XML storage (for room bookmarks, etc.) 
- "vcard"; -- Allow users to set vCards - - -- These are commented by default as they have a performance impact - --"privacy"; -- Support privacy lists - --"compression"; -- Stream compression (requires the lua-zlib package installed) + "roster"; + "saslauth"; + "tls"; + "dialback"; + "disco"; + "posix"; + "private"; -- Nice to have - "version"; -- Replies to server version requests - "uptime"; -- Report how long server has been running - "time"; -- Let others know the time here on this server - "ping"; -- Replies to XMPP pings with pongs - "pep"; -- Enables users to publish their mood, activity, playing music and more - "register"; -- Allow users to register on this server using a client and change passwords + "version"; + "uptime"; + "time"; + "ping"; + "pep"; + "register"; -- Admin interfaces - "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands - "admin_shell"; - --"admin_telnet"; -- Opens telnet console interface on localhost port 5582 + "admin_adhoc"; + "admin_shell"; -- HTTP modules - "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP" - "http_files"; -- Serve static files from a directory over HTTP - "http_file_share"; + "bosh"; + "http_files"; + "http_file_share"; -- Other specific functionality - "groups"; -- Shared roster support - --"announce"; -- Send announcement to all online users - --"welcome"; -- Welcome users who register accounts - "watchregistrations"; -- Alert admins of registrations - --"motd"; -- Send a message to users when they log in - --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots. 
- "turn_external"; - "carbons"; - "blocklist"; - "mam"; - "csi_simple"; - "vcard_legacy"; - "proxy65"; + "groups"; + "watchregistrations"; + "turn_external"; + "carbons"; + "blocklist"; + "mam"; + "csi_simple"; + "vcard_legacy"; + "proxy65"; }; --- These modules are auto-loaded, but should you want --- to disable them then uncomment them here: -modules_disabled = { - -- "offline"; -- Store offline messages - -- "c2s"; -- Handle client connections - -- "s2s"; -- Handle server-to-server connections -}; - --- Disable account creation by default, for security --- For more information see http://prosody.im/doc/creating_accounts -allow_registration = {{ prosody_allow_registration }}; - --- These are the SSL/TLS-related settings. If you don't want --- to use SSL/TLS, you may comment or remove this - --- Force clients to use encrypted connections? This option will --- prevent clients from authenticating unless they are using encryption. +allow_registration = {% if prosody_allow_registration then "True" else "False" %}; c2s_require_encryption = true - --- Force certificate authentication for server-to-server connections? --- This provides ideal security, but requires servers you communicate --- with to support encryption AND present valid, trusted certificates. --- NOTE: Your version of LuaSec must support certificate verification! --- For more information see http://prosody.im/doc/s2s#security - s2s_secure_auth = false --- Many servers don't support encryption or have invalid or self-signed --- certificates. You can list domains here that will not be required to --- authenticate using certificates. They will be authenticated using DNS. - ---s2s_insecure_domains = { "gmail.com" } - --- Even if you leave s2s_secure_auth disabled, you can still require valid --- certificates for some domains by specifying a list here. 
- ---s2s_secure_domains = { "jabber.org" } - --- Required for init scripts and prosodyctl +-- PID file, necessary for prosodyctl pidfile = "/var/run/prosody/prosody.pid" --- Select the authentication backend to use. The 'internal' providers --- use Prosody's configured data storage to store the authentication data. --- To allow Prosody to offer secure authentication mechanisms to clients, the --- default provider stores passwords in plaintext. If you do not trust your --- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed --- for information about using the hashed backend. - authentication = "internal_hashed" --- Select the storage backend to use. By default Prosody uses flat files --- in its configured data directory, but it also supports more backends --- through modules. An "sql" backend is included by default, but requires --- additional dependencies. See http://prosody.im/doc/storage for more info. - ---storage = "sql" -- Default is "internal" - --- For the "sql" backend, you can uncomment *one* of the below to configure: ---sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename. ---sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" } ---sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" } - --- Logging configuration --- For advanced logging see http://prosody.im/doc/logging log = { error = "/var/log/prosody/prosody.err"; } -http_external_url = "https://{{ prosody_domain }}/" +-- TODO: Fix escaping +http_external_url = "{{ prosody_http_url }}" trusted_proxies = { "127.0.0.1", "::1", "192.168.1.1", } -turn_external_host = "einstein.cskreie.de" -turn_external_secret = "gabbagabbahey" ------------ Virtual hosts ----------- --- You need to add a VirtualHost entry for each domain you wish Prosody to serve. --- Settings under each VirtualHost entry apply *only* to that host. 
+-- TURN Server +turn_external_host = "{{ prosody_turn_server }}" +turn_external_secret = "{{ prosody_turn_secret }}" + VirtualHost "localhost" -VirtualHost "{{ prosody_domain }}" +VirtualHost "jabber.ccchb.de" enabled = true -- Remove this line to enable this host -- Assign this host a certificate for TLS, otherwise it would use the one 
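Review bot: `allow_registration = {% if prosody_allow_registration then "True" else "False" %};` is broken in two ways: Jinja2 has no `then` keyword, so rendering the template raises a TemplateSyntaxError, and `True`/`False` are not Lua booleans (Lua uses lowercase `true`/`false`; `True` evaluates to the nil global). Replace the line with `allow_registration = {{ 'true' if prosody_allow_registration else 'false' }};` (or `{{ prosody_allow_registration | lower }}`, which also yields `true`/`false`). The `-- TODO: Fix escaping` above `http_external_url = "{{ prosody_http_url }}"` can be resolved by emitting the value as a quoted literal with `http_external_url = {{ prosody_http_url | to_json }}`, whose backslash escapes are valid Lua for the common cases. `VirtualHost "jabber.ccchb.de"` at the end of this hunk, and the `Component "muc.jabber.ccchb.de"` / `Component "upload.jabber.ccchb.de"` lines in the following hunk, replace `{{ prosody_domain }}` with literals while `prosody_domain` stays defined in `roles/prosody/defaults/main.yml` and is still used by `nginx.j2`; restore the variable in all three places so the role has one source of truth for the domain.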
@@ -168,37 +75,18 @@ VirtualHost "{{ prosody_domain }}" -- Note that old-style SSL on port 5223 only supports one certificate, and will always -- use the global one. ssl = { - protocol = "sslv23"; + protocol = "tlsv1_2+"; key = "{{ prosody_ssl_key }}"; certificate = "{{ prosody_ssl_cert }}"; dhparam = "/etc/prosody/certs/dh-2048.pem"; - options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" }; + -- TODO: Evaluate allowed ciphers ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM"; } ------- Components ------ --- You can specify components to add hosts that provide special services, --- like multi-user conferences, and transports. --- For more information on components, see http://prosody.im/doc/components - ----Set up a MUC (multi-user chat) room server on conference.example.com: ---Component "conference.example.com" "muc" -Component "muc.{{ prosody_domain }}" "muc" +Component "muc.jabber.ccchb.de" "muc" modules_enabled = { "vcard_muc", "muc_mam" } -Component "upload.{{ prosody_domain }}" "http_file_share" - --- Set up a SOCKS5 bytestream proxy for server-proxied file transfers: ---Component "proxy.example.com" "proxy65" - ----Set up an external component (default component port is 5347) --- --- External components allow adding various services, such as gateways/ --- transports to other networks like ICQ, MSN and Yahoo. For more info --- see: http://prosody.im/doc/components#adding_an_external_component --- ---Component "gateway.example.com" --- component_secret = "password" +Component "upload.jabber.ccchb.de" "http_file_share" From 81803de24e9e21fcc3fd52e3988af42d886e6156 Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Tue, 6 Feb 2024 22:21:24 +0100 Subject: [PATCH 09/10] Add reverse proxy for auth.ccchb.de --- host_vars/emma.ccchb.de | 4 ++++ 1 file changed, 4 insertions(+) 
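Review bot: Switching the VirtualHost `ssl` table to `protocol = "tlsv1_2+"` is an improvement, but the deleted `options = { ... }` line also carried `no_ticket`, `no_compression`, `cipher_server_preference`, `single_dh_use` and `single_ecdh_use`, which are unrelated to the protocol floor and now fall back to LuaSec defaults. If they are still wanted, re-add them without the obsolete SSLv2/SSLv3 entries: `options = { "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };`. The `-- TODO: Evaluate allowed ciphers` comment is honest about the cipher string, which is otherwise left unchanged.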
diff --git a/host_vars/emma.ccchb.de b/host_vars/emma.ccchb.de index 8caeff6..973375f 100644 --- a/host_vars/emma.ccchb.de +++ b/host_vars/emma.ccchb.de @@ -42,6 +42,8 @@ haproxy_http: addr: '2a01:4f8:150:926f::13' - host: 'frab.ccchb.de' addr: '2a01:4f8:150:926f::17' + - host: 'auth.ccchb.de' + addr: '2a01:4f8:150:926f::11' haproxy_sni: - host: 'ccchb.de' @@ -72,6 +74,8 @@ haproxy_sni: addr: '2a01:4f8:150:926f::13' - host: 'frab.ccchb.de' addr: '2a01:4f8:150:926f::17' + - host: 'auth.ccchb.de' + addr: '2a01:4f8:150:926f::11' bhyve_ipv4: 10.0.0.0 bhyve_ipv6: 2a01:4f8:150:926f::4 From a3610995f0e68c02cf28af20ec58b6d273b49c42 Mon Sep 17 00:00:00 2001 From: Fritz Grimpen Date: Tue, 6 Feb 2024 22:21:57 +0100 Subject: [PATCH 10/10] gives me acces --- host_vars/gitea.emma.ccchb.de.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/host_vars/gitea.emma.ccchb.de.yml b/host_vars/gitea.emma.ccchb.de.yml index 84d41d7..a72c703 100644 --- a/host_vars/gitea.emma.ccchb.de.yml +++ b/host_vars/gitea.emma.ccchb.de.yml @@ -1,6 +1,6 @@ vm_index: 2 -gitea_version: "1.17.1" +gitea_version: "1.21.2" gitea_app_name: "dev.ccchb.de" # technical: @@ -29,6 +29,9 @@ gitea_require_signin: false gitea_register_email_confirm: true gitea_enable_captcha: true +gitea_disable_registration: false +gitea_only_allow_external_registration: true + # privacy: gitea_offline_mode: true gitea_disable_gravatar: true @@ -45,3 +48,6 @@ user_mgmt: humm: state: present groups: sudo + fritz: + state: present + groups: sudo
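Review bot: The commit title says it grants access, but the first hunk of `host_vars/gitea.emma.ccchb.de.yml` also bumps `gitea_version` from `"1.17.1"` to `"1.21.2"` and the second changes registration policy (`gitea_disable_registration: false`, `gitea_only_allow_external_registration: true`); these are three independent changes, and a four-release Gitea upgrade with its database migrations deserves its own commit and a backup step. If `gitea_only_allow_external_registration` maps to Gitea's `ONLY_ALLOW_EXTERNAL_REGISTRATION`, self-service sign-up now depends entirely on the external provider — presumably the `auth.ccchb.de` reverse proxy added in PATCH 09 — so confirm that provider is live before deploying. The `fritz` entry added under `user_mgmt` with `groups: sudo` matches the shape of the existing `humm` entry and is fine on its own.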