<feed xmlns='http://www.w3.org/2005/Atom'>
<title>xmpp-prosody-ansible-deploy, branch master</title>
<subtitle>Ansible playbook that deploys prosody to a server.
</subtitle>
<id>https://git.fennell.dev/xmpp-prosody-ansible-deploy/atom?h=master</id>
<link rel='self' href='https://git.fennell.dev/xmpp-prosody-ansible-deploy/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.fennell.dev/xmpp-prosody-ansible-deploy/'/>
<updated>2026-01-14T23:11:39Z</updated>
<entry>
<title>Ensure all authorized_keys are copied to host</title>
<updated>2026-01-14T23:11:39Z</updated>
<author>
<name>Matthew Fennell</name>
<email>matthew@fennell.dev</email>
</author>
<published>2026-01-14T23:11:39Z</published>
<link rel='alternate' type='text/html' href='https://git.fennell.dev/xmpp-prosody-ansible-deploy/commit/?id=546a3bb370a8394d133228236a835a0b606ae8a8'/>
<id>urn:sha1:546a3bb370a8394d133228236a835a0b606ae8a8</id>
<content type='text'>
I have two keys, one for interactive access, and one for automated jobs. On
migration to the new host, I added the interactive key via the VPS provider's
form, but neglected to add the key for automated jobs. This led to the backup
jobs failing.

Therefore, define keys in the inventory that should be copied to the host, and
ensure they are installed to root. The subsequent step then copies these to the
admin account.

There is one problem with this approach: ssh remains open to root. Although
privilege escalation from admin is possible, I would like to take steps to
reduce root access where possible.

However, the playbook currently has to work both on the first run, when
bootstrapping the box, and on subsequent runs. On the first run, the
playbook only has access to root and must create the admin account. However,
once the admin account has been created, the playbook should never again
interact with root.

Therefore, in the near future, I'd like to introduce a "bootstrap" action to
the playbook, that should only be run on the first deploy to the host, and
disable ssh access to root once finished. Subsequent runs should only interact
via admin.
</content>
</entry>
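The bootstrap/admin split described in the commit above, written out as an added example of the pattern; this is not the repository's playbook. It assumes an inventory group named xmpp_servers, an inventory variable admin_authorized_keys holding the public keys to install (the interactive key and the automated-jobs key), a Debian-style host (ssh service name, sudo group), and the ansible.posix collection for the authorized_key module. The ordering is the practitioner's safeguard: root login is only closed from a play that itself connects as admin with become, so a broken admin account or sudoers file fails before the root door is shut, and the final task checks the effective sshd configuration rather than the file that was edited.

```yaml
# site.yml (added illustration, not the project's own playbook)
#
# Play 1 runs as root and only when explicitly requested with --tags bootstrap;
# the special "never" tag keeps it out of ordinary runs.
- name: Bootstrap a fresh host (first deploy only)
  hosts: xmpp_servers            # assumed inventory group name
  remote_user: root
  tags: [bootstrap, never]
  tasks:
    - name: Create the admin account
      ansible.builtin.user:
        name: admin
        shell: /bin/bash
        groups: sudo             # Debian/Ubuntu; "wheel" on RHEL-family hosts
        append: true

    - name: Install every key listed in the inventory for admin
      ansible.posix.authorized_key:
        user: admin
        key: "{{ item }}"
      loop: "{{ admin_authorized_keys }}"   # assumed inventory variable

    - name: Let admin escalate without a password so non-interactive runs work
      # Trade-off: NOPASSWD means a stolen admin key is root. The alternative is
      # a vaulted become password (ansible_become_password / --ask-become-pass).
      ansible.builtin.copy:
        content: "admin ALL=(ALL) NOPASSWD:ALL\n"
        dest: /etc/sudoers.d/admin
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s

# Play 2 connects as admin with become. If the admin account or sudoers entry
# from play 1 is broken, this play fails here, before root SSH is closed.
- name: Close root SSH access now that admin is proven to work
  hosts: xmpp_servers
  remote_user: admin
  become: true
  tags: [bootstrap, never]
  handlers:
    - name: restart ssh
      ansible.builtin.service:
        name: ssh                # "sshd" on RHEL-family hosts
        state: restarted
  tasks:
    - name: Disable PermitRootLogin (config validated before it is written)
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?PermitRootLogin\s'
        line: PermitRootLogin no
        validate: /usr/sbin/sshd -t -f %s
      notify: restart ssh

    - name: Apply the restart now rather than at the end of the play
      ansible.builtin.meta: flush_handlers

    - name: Read the effective sshd configuration, not just the file we edited
      # sshd -T prints the merged, effective config. On hosts whose sshd_config
      # starts with "Include /etc/ssh/sshd_config.d/*.conf", a fragment that
      # sets PermitRootLogin earlier would silently win over our line.
      ansible.builtin.command: /usr/sbin/sshd -T
      register: sshd_effective
      changed_when: false

    - name: Fail loudly if root login is still permitted
      ansible.builtin.assert:
        that:
          - "'permitrootlogin no' in sshd_effective.stdout"
        fail_msg: "root SSH is still open; check /etc/ssh/sshd_config.d fragments"
```

Run once on a fresh box with ansible-playbook -i inventory site.yml --tags bootstrap; every later run omits the tag, so the bootstrap plays are skipped and the remaining plays (remote_user: admin, become: true) never touch root. The same tag mechanism is what lets DNS tasks carrying tags: dns be left out with --skip-tags dns.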
<entry>
<title>Create directory for notes</title>
<updated>2026-01-11T15:05:36Z</updated>
<author>
<name>Matthew Fennell</name>
<email>matthew@fennell.dev</email>
</author>
<published>2026-01-11T15:05:36Z</published>
<link rel='alternate' type='text/html' href='https://git.fennell.dev/xmpp-prosody-ansible-deploy/commit/?id=71dff47fe74bd888feb957ee545ba9bdad6fb076'/>
<id>urn:sha1:71dff47fe74bd888feb957ee545ba9bdad6fb076</id>
<content type='text'>
I initially had a single notes.md file with just the changes that I needed.
But I want to expand this to also include some runbooks and ad-hoc scripts
that are too tied to my specific installation to be in the public repository.
</content>
</entry>
<entry>
<title>Use more precise wording in prosody database step</title>
<updated>2026-01-10T15:45:03Z</updated>
<author>
<name>Matthew Fennell</name>
<email>matthew@fennell.dev</email>
</author>
<published>2026-01-10T15:45:03Z</published>
<link rel='alternate' type='text/html' href='https://git.fennell.dev/xmpp-prosody-ansible-deploy/commit/?id=4cdb662d1ee723d3190d29d65732a1877d628fbf'/>
<id>urn:sha1:4cdb662d1ee723d3190d29d65732a1877d628fbf</id>
<content type='text'>
Technically, the database is only being created and not fully set up.
</content>
</entry>
<entry>
<title>Ensure rsync is installed to xmpp servers</title>
<updated>2026-01-10T15:41:57Z</updated>
<author>
<name>Matthew Fennell</name>
<email>matthew@fennell.dev</email>
</author>
<published>2026-01-10T15:41:57Z</published>
<link rel='alternate' type='text/html' href='https://git.fennell.dev/xmpp-prosody-ansible-deploy/commit/?id=f0c3a3056f317aa1065fbf23668a245b62b55165'/>
<id>urn:sha1:f0c3a3056f317aa1065fbf23668a245b62b55165</id>
<content type='text'>
This enables delta backups, reducing bandwidth sent off the server.
</content>
</entry>
<entry>
<title>Tag all DNS steps</title>
<updated>2026-01-10T15:39:31Z</updated>
<author>
<name>Matthew Fennell</name>
<email>matthew@fennell.dev</email>
</author>
<published>2026-01-10T15:39:31Z</published>
<link rel='alternate' type='text/html' href='https://git.fennell.dev/xmpp-prosody-ansible-deploy/commit/?id=f3a0496912c4ceb9d2032946bb0e31525f50a613'/>
<id>urn:sha1:f3a0496912c4ceb9d2032946bb0e31525f50a613</id>
<content type='text'>
There are some cases where I do not want to run DNS-related steps. For
instance, when setting up a new server, which should replace an existing one,
it is necessary to skip the DNS steps until the server has been fully migrated
and I am ready to switch the hot/cold sides.

Therefore, tag all DNS steps. This allows them to be skipped during ansible
playbook execution using --skip-tags dns.
</content>
</entry>
<entry>
<title>Enable invites_register_web module</title>
<updated>2026-01-03T14:31:58Z</updated>
<author>
<name>Matthew Fennell</name>
<email>matthew@fennell.dev</email>
</author>
<published>2026-01-03T14:31:58Z</published>
<link rel='alternate' type='text/html' href='https://git.fennell.dev/xmpp-prosody-ansible-deploy/commit/?id=fa86d5476e8714e74a526046d86f0a2d6096293b'/>
<id>urn:sha1:fa86d5476e8714e74a526046d86f0a2d6096293b</id>
<content type='text'>
This allows users who are registering using the invite webpage to register an
account directly online, in case their desired client is not listed.

I doubt this will ever be used, but without this module, the "register manually"
link is broken in the invite page, and on the off chance it is used, I want to
provide a good experience.
</content>
</entry>
<entry>
<title>Serve invite pages under virtual host</title>
<updated>2026-01-03T14:27:07Z</updated>
<author>
<name>Matthew Fennell</name>
<email>matthew@fennell.dev</email>
</author>
<published>2026-01-03T14:27:07Z</published>
<link rel='alternate' type='text/html' href='https://git.fennell.dev/xmpp-prosody-ansible-deploy/commit/?id=5aebdf5c72549adc87189021fd996269558e0543'/>
<id>urn:sha1:5aebdf5c72549adc87189021fd996269558e0543</id>
<content type='text'>
While ensuring that all hosts are deployed to the chat subdomain, I applied the
same logic to the invite pages too.

However, this broke invites as prosody's HTTP module has a check which ensures
that the page being served is on the same domain as the virtual host, meaning
that invite pages hosted under the chat subdomain would receive a 404.

So, serve invite pages from the domain itself (which is the default config in
prosody). To do this, we must direct such requests from nginx too.
</content>
</entry>
<entry>
<title>Reset invite token expiry to default of seven days</title>
<updated>2026-01-02T14:31:17Z</updated>
<author>
<name>Matthew Fennell</name>
<email>matthew@fennell.dev</email>
</author>
<published>2026-01-02T14:31:17Z</published>
<link rel='alternate' type='text/html' href='https://git.fennell.dev/xmpp-prosody-ansible-deploy/commit/?id=770db24aeec0d85cae8c0357c5a13468e8478cac'/>
<id>urn:sha1:770db24aeec0d85cae8c0357c5a13468e8478cac</id>
<content type='text'>
A year is a little excessive.
</content>
</entry>
<entry>
<title>Replace deSEC with Mythic Beasts as DNS provider</title>
<updated>2026-01-02T13:40:03Z</updated>
<author>
<name>Matthew Fennell</name>
<email>matthew@fennell.dev</email>
</author>
<published>2026-01-02T13:40:03Z</published>
<link rel='alternate' type='text/html' href='https://git.fennell.dev/xmpp-prosody-ansible-deploy/commit/?id=ffd87ae6c33513fd3e187e924efdad9a8fa0f7b3'/>
<id>urn:sha1:ffd87ae6c33513fd3e187e924efdad9a8fa0f7b3</id>
<content type='text'>
I have now moved all servers' nameservers to Mythic Beasts. Replace the old
deSEC requests with ones to Mythic Beasts.
</content>
</entry>
<entry>
<title>Store stdout as DANE hash instead of full command</title>
<updated>2026-01-02T13:38:09Z</updated>
<author>
<name>Matthew Fennell</name>
<email>matthew@fennell.dev</email>
</author>
<published>2026-01-02T13:38:09Z</published>
<link rel='alternate' type='text/html' href='https://git.fennell.dev/xmpp-prosody-ansible-deploy/commit/?id=d9305b275096db83180f4306a0f962fd0785b823'/>
<id>urn:sha1:d9305b275096db83180f4306a0f962fd0785b823</id>
<content type='text'>
I only want to store the actual hash in dane_hash and not a full python object
corresponding to the execution of the command.
</content>
</entry>
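The register/set_fact distinction the commit above describes, as an added example that is not the repository's code: a registered command result is a whole dictionary (rc, stdout, stderr, changed, and more), and only the stdout line is the value worth keeping as dane_hash. The play assumes a group xmpp_servers, a variable prosody_cert_path pointing at the certificate prosody serves, the registered name dane_result, and openssl on the host; the digest it computes is the SHA-256 of the certificate's SubjectPublicKeyInfo, which is what a TLSA 3 1 1 record carries. The final assertion is the check a practitioner wants before the value goes anywhere near a DNS update: anything that is not exactly 64 hex characters (an openssl error, an empty line) stops the play instead of being published.

```yaml
# dane_hash.yml (added illustration, not the project's own tasks)
- name: Compute the DANE TLSA hash and keep only the digest
  hosts: xmpp_servers                                        # assumed group
  become: true
  vars:
    prosody_cert_path: /etc/prosody/certs/example.com.crt     # assumed path
  tasks:
    - name: Hash the certificate's SubjectPublicKeyInfo (TLSA usage 3, selector 1, matching 1)
      # shell rather than command because of the pipes; pipefail so a failing
      # openssl stage is not masked by the awk at the end.
      ansible.builtin.shell: >-
        set -o pipefail;
        openssl x509 -in "{{ prosody_cert_path }}" -noout -pubkey
        | openssl pkey -pubin -outform DER
        | openssl dgst -sha256
        | awk '{print $NF}'
      args:
        executable: /bin/bash
      register: dane_result        # the full result object: rc, stdout, stderr, changed, ...
      changed_when: false

    - name: Store only the hex digest, not the full command result
      ansible.builtin.set_fact:
        dane_hash: "{{ dane_result.stdout | trim }}"

    - name: Refuse to go further with anything that is not a SHA-256 hex digest
      ansible.builtin.assert:
        that:
          - dane_hash is match('^[0-9a-f]{64}$')
        fail_msg: "unexpected openssl output: {{ dane_result.stdout }} / {{ dane_result.stderr }}"
```

With the value in dane_hash, the record for client connections is the TLSA record at _5222._tcp.&lt;host&gt; with the data 3 1 1 and that digest; because selector 1 hashes the public key rather than the whole certificate, a renewal that keeps the same key pair does not change the record, while a key rotation does and must be followed by a DNS update.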
</feed>
