| author | Matthew Fennell <matthew@fennell.dev> | 2025-09-21 12:45:28 +0100 |
|---|---|---|
| committer | Matthew Fennell <matthew@fennell.dev> | 2025-09-21 12:45:28 +0100 |
| commit | fea8112921b688c508bbab34587dc3c6661c72fa (patch) | |
| tree | d8c69ff3a5535418298cfe6f61b96898b47d7ed8 | |
| parent | c6db3465d868b11f1e379c31db4b1166d29d177c (diff) | |
Place invites behind a flag
I am planning on deploying a new single-user server, without s2s connections or
other features, specifically for transports.
This necessitates splitting off some functionality behind a flag, so that it is
only enabled for non-transport ("standard") servers.
| -rw-r--r-- | files/prosody.cfg.lua.j2 | 13 | ||||
| -rw-r--r-- | files/virtual_host.cfg.lua.j2 | 9 | ||||
| -rw-r--r-- | playbook.yaml | 28 |
3 files changed, 44 insertions, 6 deletions
diff --git a/files/prosody.cfg.lua.j2 b/files/prosody.cfg.lua.j2 index bf010fc..692b0a3 100644 --- a/files/prosody.cfg.lua.j2 +++ b/files/prosody.cfg.lua.j2 @@ -5,6 +5,8 @@ plugin_paths = { "/usr/local/lib/prosody/modules" } modules_enabled = { + + -- Core "account_activity"; "admin_adhoc"; "admin_shell"; @@ -18,8 +20,6 @@ modules_enabled = { "dialback"; "disco"; "external_services"; - "http"; - "http_libjs"; "lastactivity"; "lastlog2"; "limits"; @@ -53,6 +53,13 @@ modules_enabled = { "vcard_legacy"; "version"; "watch_spam_reports"; + + -- Invites +{% if not is_transport_server %} + "http"; + "http_libjs"; +{% endif %} + } modules_disabled = { } @@ -85,9 +92,11 @@ turn_external_secret = "{{ turn_secret }}" -- From Monal considerations for XMPP server admins smacks_hibernation_time = 86400 +{% if not is_transport_server %} allow_registration = true invite_expiry = 86400 * 365 registration_invite_only = true +{% endif %} firewall_scripts = { "module:scripts/spam-blocking.pfw"; diff --git a/files/virtual_host.cfg.lua.j2 b/files/virtual_host.cfg.lua.j2 index f7c7379..afc9774 100644 --- a/files/virtual_host.cfg.lua.j2 +++ b/files/virtual_host.cfg.lua.j2 @@ -7,7 +7,12 @@ VirtualHost "{{ virtual_host }}" admins = { "admin@{{ virtual_host }}" }; modules_enabled = { + + -- Core "groups"; + + -- Invites +{% if not is_transport_server %} "invites"; "invites_adhoc"; "invites_api"; @@ -16,6 +21,8 @@ modules_enabled = { "invites_tracking"; "register"; "register_apps"; +{% endif %} + } site_apps_show = { @@ -30,9 +37,11 @@ contact_info = { admin = { "xmpp:admin@{{ virtual_host }}" }; } +{% if not is_transport_server %} allow_user_invites = true http_external_url = "https://{{ virtual_host }}/" site_name = "{{ virtual_host }}" +{% endif %} Component "upload.{{ virtual_host }}" "http_file_share" http_file_share_size_limit = 300 * 1024 * 1024 diff --git a/playbook.yaml b/playbook.yaml index 33c4e45..4b0f4c7 100644 --- a/playbook.yaml +++ b/playbook.yaml 
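Review bot: The `-- Invites` label on the new conditional block in `modules_enabled` is misleading: mod_http is Prosody's general HTTP server, and the `http_file_share` upload Component in virtual_host.cfg.lua.j2 declares a dependency on it, so Prosody will still load mod_http on a transport server regardless of this `{% if not is_transport_server %}`. Only mod_http_libjs is genuinely invite-page specific. A comment that says what the gate really decides stops a future reader assuming HTTP is off on transport hosts: `-- HTTP server + libjs for the invite web pages (mod_http_file_share still pulls mod_http in as a dependency)`.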
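Review bot: On a transport server this hunk leaves `allow_registration` unset rather than explicitly false, so whether strangers can create accounts on that host now rests on Prosody's built-in default (false) and on nobody later adding `register` back to a module list. For the one setting that decides public account creation, an explicit deny is cheap insurance: add `{% else %}` / `allow_registration = false` before the `{% endif %}`, and consider leaving `registration_invite_only = true` outside the conditional, since it is harmless without mod_register but protective if the module ever reappears.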
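Review bot: Gating `http_external_url` (and, in prosody.cfg.lua.j2, `"http"`) does not take HTTP off the transport server, because the `Component "upload.{{ virtual_host }}" "http_file_share"` immediately below is still unconditional and mod_http_file_share depends on mod_http, which Prosody loads automatically. On that host nginx and the `WWW Full` firewall rule are also skipped by the playbook, so upload URLs will be built from Prosody's own listener (5280/5281 by default) and the host's real name instead of the reverse proxy; unless those ports are opened by the ungated "other required tcp ports" task, file upload is quietly broken, and if they are, it is served directly by Prosody rather than through the TLS-terminating proxy the standard server uses. If transports do not need file upload, wrap the `Component "upload.{{ virtual_host }}"` block in the same `{% if not is_transport_server %}`; if they do, keep `http_external_url` (or an explicit `http_ports`/`http_interfaces` setting) outside the conditional so the listener and URL generation are deliberate rather than defaulted. The Component block continues past the end of this hunk.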
@@ -203,10 +203,7 @@ ansible.builtin.apt: name: - coturn # Audio / video calling server - - libjs-bootstrap4 # Used by invite webpage - - libjs-jquery # Used by invite webpage - lua-dbi-postgresql # Prosody postgres connection - - nginx # Serve invite webpages - postgresql # Database - prosody # XMPP server - prosody-modules # Extra addons @@ -217,6 +214,17 @@ update_cache: true become: true + - name: Ensure invite-specific packages are installed + ansible.builtin.apt: + name: + - libjs-bootstrap4 # Used by invite webpage + - libjs-jquery # Used by invite webpage + - nginx # Serve invite webpages + state: present + update_cache: true + become: true + when: not is_transport_server + - name: Ensure required ports with ufw applications are open community.general.ufw: rule: allow @@ -225,10 +233,19 @@ loop: - OpenSSH - Turnserver - - WWW Full - XMPP become: true + - name: Ensure invite-specific ports with ufw applications are open + community.general.ufw: + rule: allow + name: "{{ item }}" + state: enabled + loop: + - WWW Full + become: true + when: not is_transport_server + - name: Ensure other required tcp ports are open community.general.ufw: rule: allow @@ -262,6 +279,7 @@ state: absent become: true notify: Restart nginx + when: not is_transport_server - name: Ensure nginx config is installed ansible.builtin.template: @@ -272,6 +290,7 @@ mode: "0644" become: true notify: Restart nginx + when: not is_transport_server - name: Ensure nginx config is enabled ansible.builtin.file: @@ -282,6 +301,7 @@ state: link become: true notify: Restart nginx + when: not is_transport_server - name: Ensure turn is configured ansible.builtin.template: |
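Review bot: `when: not is_transport_server` on the new apt task (and the matching `{% if not is_transport_server %}` in the templates) evaluates the raw variable: the play fails if it is undefined for a host, and if it arrives as a string — as it does from an INI inventory or `-e is_transport_server=false` — a non-empty `"false"` is truthy, so `not` inverts it the wrong way and a standard host would be deployed without invites. Declare a default (for example `is_transport_server: false` under the play's `vars`, or `default(false)` at each use) and coerce explicitly: `when: not (is_transport_server | bool)` here and `{% if not (is_transport_server | bool) %}` in the templates. Since this single flag decides whether registration and the web ports are enabled, its type and default should be unambiguous.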
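Review bot: Gating the `WWW Full` ufw rule on `when: not is_transport_server` only stops adding it; nothing in this hunk or the preceding apt hunk deletes the rule or removes nginx when the flag is true, so a host converted from standard to transport by re-running the playbook keeps nginx installed and 80/443 open. If in-place conversion is a supported path, add the inverse tasks under `when: is_transport_server` — `community.general.ufw` with `rule: allow`, `name: WWW Full`, `delete: true`, and `ansible.builtin.apt` with `state: absent` for nginx — so the flag converges in both directions; if it is not, a comment next to the flag saying the playbook is for fresh hosts only would save the next operator a surprise. As a style point, the one-item `loop:` over `WWW Full` can simply be `name: WWW Full`.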
