authorMatthew Fennell <matthew@fennell.dev>2024-05-23 21:02:51 +0100
committerMatthew Fennell <matthew@fennell.dev>2024-05-23 21:02:51 +0100
commitb997dabfebe74422de510884b68480fcb3bf1780 (patch)
tree08475967e5b2fa368bc1c3e76aab8e8d58562745
parent850275469f7da1a9829edfe45bd40b40d3cc6a02 (diff)
Add anonymous subdomain when requested
This will primarily be used for motoristic.
-rw-r--r--files/nginx_conf.j251
-rw-r--r--files/prosody.cfg.lua.j22
-rw-r--r--files/virtual_host.cfg.lua.j28
-rw-r--r--playbook.yaml15
4 files changed, 75 insertions, 1 deletions
diff --git a/files/nginx_conf.j2 b/files/nginx_conf.j2
index fbddce8..da4222d 100644
--- a/files/nginx_conf.j2
+++ b/files/nginx_conf.j2
@@ -29,3 +29,54 @@ server {
return 301 https://$host$request_uri;
}
+
+{% if anonymous_login %}
+
+server {
+ listen 443 ssl;
+ listen [::]:443;
+
+ ssl_certificate /etc/prosody/certs/{{ virtual_host }}.crt;
+ ssl_certificate_key /etc/prosody/certs/{{ virtual_host }}.key;
+
+ server_name anon.{{ virtual_host }};
+
+ location / {
+ proxy_pass https://localhost:5281;
+ proxy_set_header Host "anon.{{ virtual_host }}";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_buffering off;
+ tcp_nodelay on;
+ }
+
+ location /http-bind {
+ proxy_pass https://localhost:5281;
+ proxy_set_header Host "anon.{{ virtual_host }}";
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_buffering off;
+ tcp_nodelay on;
+ }
+
+ location /.well-known/host-meta {
+ add_header Access-Control-Allow-Origin * always;
+ return 200 "<?xml version='1.0' encoding='utf-8'?>
+<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>
+ <Link rel='urn:xmpp:alt-connections:xbosh'
+ href='https://anon.{{ virtual_host }}/http-bind' />
+</XRD>
+";
+ }
+}
+
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name anon.{{ virtual_host }};
+
+ return 301 https://$host$request_uri;
+}
+
+{% endif %}
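Review bot: `listen [::]:443;` in the new anon server block has no `ssl` parameter, unlike `listen 443 ssl;` directly above it, and as far as I know the ssl flag is per listen socket, so IPv6 clients hitting port 443 would be served plain HTTP and the anonymous BOSH session traffic would travel in cleartext; change it to `listen [::]:443 ssl;`. The block also reuses `/etc/prosody/certs/{{ virtual_host }}.crt`, which only works if that certificate's SANs cover `anon.{{ virtual_host }}` (wildcard or an extra SAN); the ACME issuance is outside this hunk, so a comment such as `# certificate must include anon.{{ virtual_host }} as a SAN` would save the next person a debugging session. The `proxy_pass https://localhost:5281` upstream certificate is not verified by nginx by default, which is acceptable on loopback but is worth a one-line comment stating that this is deliberate.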
diff --git a/files/prosody.cfg.lua.j2 b/files/prosody.cfg.lua.j2
index e20ba4e..b107536 100644
--- a/files/prosody.cfg.lua.j2
+++ b/files/prosody.cfg.lua.j2
@@ -9,6 +9,7 @@ modules_enabled = {
"admin_shell";
"blocklist";
"bookmarks";
+ "bosh";
"carbons";
"cloud_notify";
"csi_battery_saver";
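Review bot: `"bosh";` is added to the global modules_enabled unconditionally, while every other piece of this change is guarded by `{% if anonymous_login %}`, so mod_bosh is also loaded for the main VirtualHost even when the anonymous host is not deployed. If that is intended, a comment saying so would help; otherwise guard it the same way, `{% if anonymous_login %}"bosh";{% endif %}`. The nginx config in this commit only exposes `/http-bind` for `anon.{{ virtual_host }}`, so BOSH on the main host would presumably only be reachable directly on Prosody's HTTP ports, which I cannot see configured here.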
@@ -31,7 +32,6 @@ modules_enabled = {
"smacks";
"time";
"tls";
- "turn_external";
"uptime";
"vcard4";
"vcard_legacy";
diff --git a/files/virtual_host.cfg.lua.j2 b/files/virtual_host.cfg.lua.j2
index 272e24b..77726ff 100644
--- a/files/virtual_host.cfg.lua.j2
+++ b/files/virtual_host.cfg.lua.j2
@@ -13,6 +13,7 @@ modules_enabled = {
"invites_register";
"register";
"register_apps";
+ "turn_external";
}
contact_info = {
@@ -39,3 +40,10 @@ log_all_rooms = true
restrict_room_creation = "local"
muc_room_default_public = false
muc_room_default_public_jids = true
+
+{% if anonymous_login %}
+
+VirtualHost "anon.{{ virtual_host }}"
+authentication = "anonymous"
+
+{% endif %}
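Review bot: The new `VirtualHost "anon.{{ virtual_host }}"` sets only `authentication = "anonymous"` and so inherits every global module (including the newly global `bosh`) and relies on Prosody defaults for everything else, with no comment stating what unauthenticated users are meant to be able to do. I would at least pin `allow_anonymous_s2s = false` explicitly under this host — it is the default, but stating it documents that an anonymous user cannot federate out from this domain — and note that `turn_external` is deliberately left on the main host only so anonymous users cannot obtain TURN credentials, which appears to be the intent of moving it in this commit. Whether components under the main host (file upload, MUC creation via `restrict_room_creation = "local"` at the top of this hunk) treat `anon.{{ virtual_host }}` JIDs as local depends on configuration outside this hunk and is worth confirming.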
diff --git a/playbook.yaml b/playbook.yaml
index 06ebc59..64c0243 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -180,6 +180,21 @@
{{ acme_account_uri_nonprod }}\""
delegate_to: localhost
+ - name: Ensure anonymous records are added to subdomain, if needed
+ ansible.builtin.uri:
+ url: "https://desec.io/api/v1/domains/{{ virtual_host }}/rrsets/"
+ method: PUT
+ body_format: json
+ headers:
+ Authorization: Token {{ desec_token }}
+ body:
+ - subname: "anon"
+ type: CNAME
+ ttl: 3600
+ records: ["{{ delegate_host }}."]
+ delegate_to: localhost
+ when: anonymous_login
+
# We specifically use apt instead of the more general package module here,
# because we want to ensure the cache is updated before we try and install
# anything. This is needed because, on a freh Debian install on AWS
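Review bot: The new deSEC task sends `Authorization: Token {{ desec_token }}` without `no_log: true`, so on failure or at higher verbosity Ansible prints the module arguments, token included, into the play output and any CI log; add `no_log: true` to the task. Since the module only accepts HTTP 200 by default, it is also worth setting `status_code: [200, 201]` (or whatever deSEC returns for a bulk PUT — I have not verified it) so a successful create is not reported as a failure. Finally, `when: anonymous_login` only adds the CNAME; flipping the variable back to false leaves the record in place, which a short comment on the task should acknowledge if that is acceptable.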