commit 6595945b1322a52f3f7aa829df7b7a88c29d3129 Author: Sébastien Date: Sat Feb 10 23:00:37 2018 +0100 Initial commit
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..5a95b14
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,27 @@
+---
+sudo: required
+language: python
+python: "2.7"
+
+# Install ansible
+
+before_install:
+ - sudo apt-get update -qq
+ - sudo apt-get install -qq python-apt python-pycurl python-pip
+
+install:
+ # Install ansible
+ - pip install ansible
+
+ # Check ansible version
+ - ansible --version
+
+ # Create ansible.cfg with correct roles_path
+ - printf '[defaults]\nroles_path=../' >ansible.cfg
+
+script:
+ # Basic role syntax check
+ - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
+
+notifications:
+ webhooks: https://galaxy.ansible.com/api/v1/notifications/
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..bda6513
--- /dev/null
+++ b/LICENSE
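Review bot: `pip install ansible` under `install:` is unpinned, so every CI run fetches whatever ansible release PyPI serves that day and a green or red build says nothing reproducible about the role; pin it to the version the role is actually tested against, e.g. `- pip install 'ansible==<VERSION_PLACEHOLDER>'`. The `before_install` step also pulls `python-apt python-pycurl python-pip` through apt, which a `--syntax-check` run does not appear to need; if they are only there out of habit, dropping them shortens the job and shrinks what the build trusts.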
@@ -0,0 +1,19 @@
+Copyright 2017 Romain Porte
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..d8cb6ec
--- /dev/null
+++ b/README.md
@@ -0,0 +1,35 @@
+Prosody playbook
+================
+
+[![Build Status](https://travis-ci.org/MicroJoe/ansible-role-prosody.svg?branch=master)](https://travis-ci.org/MicroJoe/ansible-role-prosody)
+
+A playbook for installing Prosody on Debian, with security in mind:
+
+- Force s2s encryption
+- Force c2s encryption
+- Use LetsEncrypt certificate for TLS
+- Use best crypto fine-tuning
+
+Role Variables
+--------------
+
+TBD.
+
+Example Playbook
+----------------
+
+ - hosts: servers
+ roles:
+ - role: MicroJoe.prosody
+ prosody_domain: xmpp.example.com
+ tags: [prosody]
+
+License
+-------
+
+MIT
+
+Author Information
+------------------
+
+Romain Porte
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..9fa87c7
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+# defaults file for MicroJoe.prosody
+
+letsencrypt_domain: "{{ prosody_domain }}"
+prosody_ssl_cert_source: /etc/letsencrypt/live/{{ letsencrypt_domain }}/fullchain.pem
+prosody_ssl_key_source: /etc/letsencrypt/live/{{ letsencrypt_domain }}/privkey.pem
+
+prosody_ssl_cert_dest: /etc/prosody/certs/{{ prosody_domain }}.crt
+prosody_ssl_key_dest: /etc/prosody/certs/{{ prosody_domain }}.key
+
+prosody_proxy_domain: proxy.{{ prosody_domain }}
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..77bd265
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,11 @@
+---
+# handlers file for MicroJoe.prosody
+- name: reload prosody config
+ service:
+ name: prosody
+ state: reloaded
+
+- name: restart prosody
+ service:
+ name: prosody
+ state: restarted
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..3c9084a
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,15 @@
+galaxy_info:
+ author: Romain Porte
+ description: Install Prosody with Letsencrypt compatibility
+ license: MIT
+
+ min_ansible_version: 2.0
+
+ platforms:
+ - name: Debian
+ versions:
+ - stretch
+
+ galaxy_tags: [prosody, debian, letsencrypt]
+
+dependencies: []
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..b5540e3
--- /dev/null
+++ b/tasks/main.yml
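Review bot: Every default in this file is derived from `prosody_domain`, yet that variable has no default and no comment saying the caller must supply it, so a missing value only surfaces as an undefined-variable failure once the first template or copy task runs; add a header line such as `# prosody_domain has no default: it must be set by the playbook (see README example)` above `letsencrypt_domain`. As a point of style, `letsencrypt_domain` quotes its Jinja expression while the four path defaults and `prosody_proxy_domain` leave theirs bare; quoting them uniformly (`prosody_proxy_domain: "proxy.{{ prosody_domain }}"`) keeps them safe if a value is ever reordered so that `{{` starts the scalar.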
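Review bot: `min_ansible_version: 2.0` is an unquoted float, which YAML 1.1 loaders read as the number 2.0 rather than the version string; quote it as `min_ansible_version: "2.0"` so any comparison stays textual and a future `2.10` is not silently read as `2.1`. The file is also the only YAML document in the role without a leading `---`, which the other files use consistently.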
@@ -0,0 +1,65 @@
+---
+# tasks file for MicroJoe.prosody
+
+- name: Install debian dependencies
+ apt:
+ name: apt-transport-https
+ state: present
+
+- name: Install official prosody repository's key
+ apt_key:
+ url: https://prosody.im/files/prosody-debian-packages.key
+ state: present
+
+- name: Install official prosody repository
+ apt_repository:
+ repo: deb https://packages.prosody.im/debian stretch main
+ state: present
+
+- name: Install prosody package
+ apt:
+ name: prosody
+ state: latest
+ update_cache: yes
+
+- name: Configure prosody
+ template:
+ src: prosody.cfg.lua.j2
+ dest: /etc/prosody/prosody.cfg.lua
+ group: root
+ owner: root
+ mode: 0755
+ validate: "luac -p %s"
+ notify: reload prosody config
+
+- name: Copy TLS cert to /etc/prosody/certs/
+ command: /bin/cp "{{ prosody_ssl_cert_source }}" "{{ prosody_ssl_cert_dest }}"
+ notify: reload prosody config
+
+- name: Copy TLS key to /etc/prosody/certs/
+ command: /bin/cp "{{ prosody_ssl_key_source }}" "{{ prosody_ssl_key_dest }}"
+ notify: reload prosody config
+
+- name: Set good access to certs
+ file:
+ path: "{{ item }}"
+ owner: root
+ group: prosody
+ mode: 0640
+ with_items:
+ - "{{ prosody_ssl_key_dest }}"
+ - "{{ prosody_ssl_cert_dest }}"
+
+# Everyday at 4 AM
+
+- name: Install crontab for periodic copy of LetsEncypt certs
+ cron:
+ name: Copy LetsEncrypt certificates and restart
+ hour: 4
+ minute: 0
+ job: "cp {{ prosody_ssl_cert_source }} {{ prosody_ssl_cert_dest }} &&
+ cp {{ prosody_ssl_key_source }} {{ prosody_ssl_key_dest }} &&
+ systemctl restart prosody"
+
+- name: Enable and restart prosody service
+ service: name=prosody enabled=yes state=restarted
diff --git a/templates/prosody.cfg.lua.j2 b/templates/prosody.cfg.lua.j2
new file mode 100644
index 0000000..eea4e8a
--- /dev/null
+++ b/templates/prosody.cfg.lua.j2
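Review bot: The two `command: /bin/cp` tasks create the key and cert with whatever mode `cp` and the umask produce, and only the later `file` task tightens them to root:prosody 0640, so on a first run the private key is written before its permissions are set and on every later run both `command` tasks report changed; the `copy` module with `remote_src: true` does the copy and sets owner/group/mode in one step and is idempotent (it should follow the `/etc/letsencrypt/live/` symlinks, but verify on the target Ansible version). `mode: 0755` and `mode: 0640` are unquoted octals that YAML 1.1 loaders turn into the decimal ints 493 and 416 before Ansible sees them, so write them as strings; `0755` on `prosody.cfg.lua` additionally grants execute and world read on a file that can carry SQL passwords and component secrets, and the Debian package ships it as root:prosody 0640 as far as I recall, which `"0640"` with `group: prosody` matches. `update_cache: yes` should be `true`, and `apt_key` accepts `id:` to pin the key's fingerprint so a key served by a compromised or mistyped URL is rejected (the fingerprint is not in this diff, so use the value from the vendor's published key). The rewritten template and copy tasks are below; the crontab and service tasks are unchanged.
```yaml
- name: Configure prosody
  template:
    src: prosody.cfg.lua.j2
    dest: /etc/prosody/prosody.cfg.lua
    owner: root
    group: prosody
    mode: "0640"
    validate: "luac -p %s"
  notify: reload prosody config

- name: Copy TLS cert and key to /etc/prosody/certs/ with final ownership and mode
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    remote_src: true
    owner: root
    group: prosody
    mode: "0640"
  with_items:
    - src: "{{ prosody_ssl_cert_source }}"
      dest: "{{ prosody_ssl_cert_dest }}"
    - src: "{{ prosody_ssl_key_source }}"
      dest: "{{ prosody_ssl_key_dest }}"
  notify: reload prosody config

# … unchanged: crontab task and service task …
```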
@@ -0,0 +1,220 @@
+-- Prosody XMPP Server Configuration
+--
+-- Information on configuring Prosody can be found on our
+-- website at https://prosody.im/doc/configure
+--
+-- Tip: You can check that the syntax of this file is correct
+-- when you have finished by running this command:
+-- prosodyctl check config
+-- If there are any errors, it will let you know what and where
+-- they are, otherwise it will keep quiet.
+--
+-- Good luck, and happy Jabbering!
+
+
+---------- Server-wide settings ----------
+-- Settings in this section apply to the whole server and are the default settings
+-- for any virtual hosts
+
+-- This is a (by default, empty) list of accounts that are admins
+-- for the server. Note that you must create the accounts separately
+-- (see https://prosody.im/doc/creating_accounts for info)
+-- Example: admins = { "user1@example.com", "user2@example.net" }
+admins = { }
+
+-- Enable use of libevent for better performance under high load
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
+-- This is the list of modules Prosody will load on startup.
+-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
+modules_enabled = {
+
+ -- Generally required
+ "roster"; -- Allow users to have a roster. Recommended ;)
+ "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+ "tls"; -- Add support for secure TLS on c2s/s2s connections
+ "dialback"; -- s2s dialback support
+ "disco"; -- Service discovery
+
+ -- Not essential, but recommended
+ "carbons"; -- Keep multiple clients in sync
+ "pep"; -- Enables users to publish their mood, activity, playing music and more
+ "private"; -- Private XML storage (for room bookmarks, etc.)
+ "blocklist"; -- Allow users to block communications with other users
+ "vcard"; -- Allow users to set vCards
+
+ -- Nice to have
+ "version"; -- Replies to server version requests
+ "uptime"; -- Report how long server has been running
+ "time"; -- Let others know the time here on this server
+ "ping"; -- Replies to XMPP pings with pongs
+ "register"; -- Allow users to register on this server using a client and change passwords
+ --"mam"; -- Store messages in an archive and allow users to access it
+
+ -- Admin interfaces
+ "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+ --"admin_telnet"; -- Opens telnet console interface on localhost port 5582
+
+ -- HTTP modules
+ --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+ --"websocket"; -- XMPP over WebSockets
+ --"http_files"; -- Serve static files from a directory over HTTP
+
+ -- Other specific functionality
+ --"limits"; -- Enable bandwidth limiting for XMPP connections
+ --"groups"; -- Shared roster support
+ --"server_contact_info"; -- Publish contact information for this service
+ --"announce"; -- Send announcement to all online users
+ --"welcome"; -- Welcome users who register accounts
+ --"watchregistrations"; -- Alert admins of registrations
+ --"motd"; -- Send a message to users when they log in
+ --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+ "proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+}
+
+-- These modules are auto-loaded, but should you want
+-- to disable them then uncomment them here:
+modules_disabled = {
+ -- "offline"; -- Store offline messages
+ -- "c2s"; -- Handle client connections
+ -- "s2s"; -- Handle server-to-server connections
+ -- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+}
+
+-- Disable account creation by default, for security
+-- For more information see https://prosody.im/doc/creating_accounts
+allow_registration = false
+
+-- Force clients to use encrypted connections? This option will
+-- prevent clients from authenticating unless they are using encryption.
+
+c2s_require_encryption = true
+
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+-- Note that this is different from authentication
+
+s2s_require_encryption = true
+
+
+-- Force certificate authentication for server-to-server connections?
+-- This provides ideal security, but requires servers you communicate
+-- with to support encryption AND present valid, trusted certificates.
+-- NOTE: Your version of LuaSec must support certificate verification!
+-- For more information see https://prosody.im/doc/s2s#security
+
+s2s_secure_auth = true
+
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
+
+--s2s_insecure_domains = { "insecure.example" }
+
+-- Even if you leave s2s_secure_auth disabled, you can still require valid
+-- certificates for some domains by specifying a list here.
+
+--s2s_secure_domains = { "jabber.org" }
+
+-- Required for init scripts and prosodyctl
+pidfile = "/var/run/prosody/prosody.pid"
+
+-- Select the authentication backend to use. The 'internal' providers
+-- use Prosody's configured data storage to store the authentication data.
+-- To allow Prosody to offer secure authentication mechanisms to clients, the
+-- default provider stores passwords in plaintext. If you do not trust your
+-- server please see https://prosody.im/doc/modules/mod_auth_internal_hashed
+-- for information about using the hashed backend.
+
+authentication = "internal_hashed"
+
+-- Select the storage backend to use. By default Prosody uses flat files
+-- in its configured data directory, but it also supports more backends
+-- through modules. An "sql" backend is included by default, but requires
+-- additional dependencies. See https://prosody.im/doc/storage for more info.
+
+--storage = "sql" -- Default is "internal"
+
+-- For the "sql" backend, you can uncomment *one* of the below to configure:
+--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
+--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
+
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
+-- Logging configuration
+-- For advanced logging see https://prosody.im/doc/logging
+log = {
+ info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
+ error = "/var/log/prosody/prosody.err";
+ -- "*syslog"; -- Uncomment this for logging to syslog
+ -- "*console"; -- Log to the console, useful for debugging with daemonize=false
+}
+
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
+ssl = {
+ ciphers = "AES256+EECDH:AES256+EDH:!aNULL";
+ --dhparam = "/etc/prosody/certs/dhparam4096.pem";
+ options = {"no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use", "no_tlsv1", "no_tlsv1_1"}
+}
+
+----------- Virtual hosts -----------
+-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
+-- Settings under each VirtualHost entry apply *only* to that host.
+
+--VirtualHost "localhost"
+
+VirtualHost "{{ prosody_domain }}"
+
+--VirtualHost "example.com"
+-- certificate = "/path/to/example.crt"
+
+------ Components ------
+-- You can specify components to add hosts that provide special services,
+-- like multi-user conferences, and transports.
+-- For more information on components, see https://prosody.im/doc/components
+
+---Set up a MUC (multi-user chat) room server on conference.example.com:
+--Component "conference.example.com" "muc"
+Component "{{ prosody_proxy_domain }}" "Proxy65"
+ proxy65_address = "{{ prosody_domain }}"
+
+---Set up an external component (default component port is 5347)
+--
+-- External components allow adding various services, such as gateways/
+-- transports to other networks like ICQ, MSN and Yahoo. For more info
+-- see: https://prosody.im/doc/components#adding_an_external_component
+--
+--Component "gateway.example.com"
+-- component_secret = "password"
diff --git a/tests/inventory b/tests/inventory
new file mode 100644
index 0000000..878877b
--- /dev/null
+++ b/tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
diff --git a/tests/test.yml b/tests/test.yml
new file mode 100644
index 0000000..276b84a
--- /dev/null
+++ b/tests/test.yml
@@ -0,0 +1,5 @@
+---
+- hosts: localhost
+ remote_user: root
+ roles:
+ - ansible-role-prosody
diff --git a/vars/main.yml b/vars/main.yml
new file mode 100644
index 0000000..ea2d12e
--- /dev/null
+++ b/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for MicroJoe.prosody
\ No newline at end of file
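Review bot: `"proxy65"` is listed in `modules_enabled`, which loads it on the `VirtualHost "{{ prosody_domain }}"`, while the same service is declared again as `Component "{{ prosody_proxy_domain }}" "Proxy65"`; mod_proxy65 is meant to be loaded once, as a component, so the `modules_enabled` entry should go, and because the file on disk is `mod_proxy65.lua` I would spell the component type in lowercase, `Component "{{ prosody_proxy_domain }}" "proxy65"`, since the lookup appears to be case-sensitive. The `ssl` table keeps `AES256+EDH` in `ciphers` but leaves `--dhparam` commented out; with no DH parameters loaded the OpenSSL that Stretch ships does not offer DHE suites at all as far as I can tell, so either point `dhparam` at a generated file or drop `AES256+EDH` so the effective policy (ECDHE only) is what the file says. `archive_expires_after = "1w"` is set while `--"mam"` stays disabled, which is harmless but deserves a one-line comment such as `-- only takes effect if "mam" is enabled above` so a reader does not assume messages are being archived.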