authorMatthew Fennell <matthew@fennell.dev>2025-09-21 16:34:31 +0100
committerMatthew Fennell <matthew@fennell.dev>2025-09-21 17:57:54 +0100
commiteaf1e70bed9fb6029800a8d8ba5b0b53b4f32929 (patch)
tree345a5c52e8deb50cec10b6120cf60c25b1dea238
parentfbb14450ea04f955aab4d1b9c4eab05d5f8707c6 (diff)
Place s2s modules behind a flag
We do not need s2s modules or config for a single-user transport oriented server. Likewise, we do not need admin or abuse contacts if s2s is disabled. No messages can escape, and it would be impossible to contact them regardless!
-rw-r--r--files/prosody.cfg.lua.j219
-rw-r--r--files/virtual_host.cfg.lua.j24
-rw-r--r--playbook.yaml47
3 files changed, 60 insertions, 10 deletions
diff --git a/files/prosody.cfg.lua.j2 b/files/prosody.cfg.lua.j2
index 85ab04b..c05c730 100644
--- a/files/prosody.cfg.lua.j2
+++ b/files/prosody.cfg.lua.j2
@@ -31,8 +31,6 @@ modules_enabled = {
"private";
"proxy65";
"roster";
- "s2s_auth_dane_in";
- "s2s_bidi";
"sasl2";
"sasl2_bind2";
"sasl2_fast";
@@ -69,9 +67,20 @@ modules_enabled = {
"watch_spam_reports";
{% endif %}
+ -- S2S
+{% if not is_transport_server %}
+ "s2s_auth_dane_in";
+ "s2s_bidi";
+{% endif %}
+
}
modules_disabled = {
+
+{% if is_transport_server %}
+ "s2s";
+{% endif %}
+
}
pidfile = "/run/prosody/prosody.pid";
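Review bot: The `"s2s"` entry in `modules_disabled` is the line that actually turns federation off — Prosody loads mod_s2s on its own unless it is listed there, so dropping `s2s_bidi` and `s2s_auth_dane_in` from `modules_enabled` alone would not have closed it — but nothing in the template says so, and the bare `+` blank lines added inside both tables look accidental. A comment above the entry, `-- mod_s2s is loaded automatically; listing it here is what disables federation on a transport-only host`, would keep a later edit from "tidying" it into the `{% if %}` block above, and the stray blank lines can go. The enclosing `modules_enabled` table starts outside the hunk.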
@@ -87,14 +96,20 @@ log = {
};
}
+{% if not is_transport_server %}
s2s_secure_auth = true
+{% endif %}
+
c2s_direct_tls_ports = {
5223
}
+
+{% if not is_transport_server %}
s2s_direct_tls_ports = {
5270
}
use_dane = true
+{% endif %}
{% if not is_transport_server %}
anti_spam_services = {
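Review bot: `s2s_secure_auth = true` and `use_dane = true` are now emitted only when `is_transport_server` is false, yet both are inert while mod_s2s is disabled and are exactly what keeps federation secure if it is ever re-enabled by flipping the flag or editing `modules_disabled`; gated, a re-enabled s2s silently falls back to Prosody's own defaults, which on older releases do not require verified certificates. Leave those two lines unconditional and gate only the `s2s_direct_tls_ports` table, i.e. move the new `{% endif %}` up to directly after that table's closing brace. Style-wise, each new `{% endif %}` is immediately followed by an existing `{% if not is_transport_server %}` (here before `anti_spam_services`, and again in virtual_host.cfg.lua.j2 before `allow_user_invites`); merging the adjacent blocks would cut the template noise. The `anti_spam_services` table continues past the hunk.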
diff --git a/files/virtual_host.cfg.lua.j2 b/files/virtual_host.cfg.lua.j2
index 97dcef8..d972e74 100644
--- a/files/virtual_host.cfg.lua.j2
+++ b/files/virtual_host.cfg.lua.j2
@@ -4,9 +4,11 @@
VirtualHost "{{ virtual_host }}"
+{% if not is_transport_server %}
admins = {
"admin@{{ virtual_host }}"
}
+{% endif %}
modules_enabled = {
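Review bot: `admins` is a privilege grant, not a contact entry — it is what lets `admin@{{ virtual_host }}` use admin-only features such as the admin ad-hoc commands — so wrapping it in `{% if not is_transport_server %}` strips admin rights from the only account on a transport host, which the commit message ("we do not need admin or abuse contacts") does not appear to intend. If running the host with no admin is deliberate, a Jinja comment above the guard, `{# transport hosts have no admin account on purpose: nothing to administer remotely #}`, would record that; otherwise keep `admins` unconditional and gate only the `contact_info` table further down. The VirtualHost block continues past the hunk.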
@@ -36,6 +38,7 @@ site_apps_show = {
}
{% endif %}
+{% if not is_transport_server %}
contact_info = {
abuse = {
"xmpp:abuse@{{ virtual_host }}"
@@ -44,6 +47,7 @@ contact_info = {
"xmpp:admin@{{ virtual_host }}"
};
}
+{% endif %}
{% if not is_transport_server %}
allow_user_invites = true
diff --git a/playbook.yaml b/playbook.yaml
index 4fb5ffa..c551456 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -159,6 +159,24 @@
type: SRV
ttl: 3600
records: ["0 5 5223 {{ delegate_host }}."]
+ - subname: '{{ "_5222._tcp" + tlsa_appended_subdomain }}'
+ type: TLSA
+ ttl: 3600
+ records: ["3 1 1 {{ dane_hash.stdout }}"]
+ - subname: '{{ "_5223._tcp" + tlsa_appended_subdomain }}'
+ type: TLSA
+ ttl: 3600
+ records: ["3 1 1 {{ dane_hash.stdout }}"]
+ delegate_to: localhost
+
+ - name: Ensure s2s records are registered in subdomain
+ ansible.builtin.uri:
+ url: "https://desec.io/api/v1/domains/{{ virtual_host }}/rrsets/"
+ method: PUT
+ body_format: json
+ headers:
+ Authorization: Token {{ desec_token }}
+ body:
- subname: "_xmpp-server._tcp"
type: SRV
ttl: 3600
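Review bot: The new `Ensure s2s records are registered in subdomain` task sends the deSEC API token in `Authorization: Token {{ desec_token }}` but carries no `no_log: true`, so the module arguments, token included, can reach the console and any configured log file when the play runs with verbosity and, depending on callback settings, when the task fails. Add `no_log: true` alongside `delegate_to: localhost` on this task (and on the c2s task it was split from, if it is not already there). Separately, the c2s task keeps the 5223 SRV record (`records: ["0 5 5223 {{ delegate_host }}."]`) and the moved 5223 TLSA record unconditionally, and prosody.cfg.lua.j2 still sets `c2s_direct_tls_ports` in transport mode, while the transport-mode ufw task in the final hunk opens only 5222 — worth confirming that direct-TLS c2s on 5223 is meant to be advertised in DNS but unreachable through the firewall. The task body continues past the end of the hunk.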
@@ -175,14 +193,6 @@
type: SRV
ttl: 3600
records: ["0 5 5270 {{ delegate_host }}."]
- - subname: '{{ "_5222._tcp" + tlsa_appended_subdomain }}'
- type: TLSA
- ttl: 3600
- records: ["3 1 1 {{ dane_hash.stdout }}"]
- - subname: '{{ "_5223._tcp" + tlsa_appended_subdomain }}'
- type: TLSA
- ttl: 3600
- records: ["3 1 1 {{ dane_hash.stdout }}"]
- subname: '{{ "_5269._tcp" + tlsa_appended_subdomain }}'
type: TLSA
ttl: 3600
@@ -192,6 +202,7 @@
ttl: 3600
records: ["3 1 1 {{ dane_hash.stdout }}"]
delegate_to: localhost
+ when: not is_transport_server
# We specifically use apt instead of the more general package module here,
# because we want to ensure the cache is updated before we try and install
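Review bot: `when: not is_transport_server` evaluates the flag as a raw Jinja truth value, so a value that arrives as a string (for example `-e is_transport_server=false` on the command line, which Ansible passes as the string "false") is truthy and silently selects the locked-down transport configuration while this DNS task is skipped. Coerce it explicitly, `when: not (is_transport_server | bool)`, and do the same for the two ufw tasks in the last hunk and for the `{% if not is_transport_server %}` guards in both templates, which see the same variable. The task this condition belongs to starts outside the hunk.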
@@ -240,8 +251,28 @@
state: enabled
loop:
- OpenSSH
+ become: true
+
+ - name: Ensure full XMPP ports are open
+ community.general.ufw:
+ rule: allow
+ name: "{{ item }}"
+ state: enabled
+ loop:
- XMPP
become: true
+ when: not is_transport_server
+
+ - name: Ensure only c2s ports are open
+ community.general.ufw:
+ rule: allow
+ port: "{{ item }}"
+ proto: tcp
+ state: enabled
+ loop:
+ - 5222
+ become: true
+ when: is_transport_server
- name: Ensure invite-specific ports with ufw applications are open
community.general.ufw: