| author | Matthew Fennell <matthew@fennell.dev> | 2025-09-21 16:34:31 +0100 |
|---|---|---|
| committer | Matthew Fennell <matthew@fennell.dev> | 2025-09-21 17:57:54 +0100 |
| commit | eaf1e70bed9fb6029800a8d8ba5b0b53b4f32929 (patch) | |
| tree | 345a5c52e8deb50cec10b6120cf60c25b1dea238 /playbook.yaml | |
| parent | fbb14450ea04f955aab4d1b9c4eab05d5f8707c6 (diff) | |
Place s2s modules behind a flag
We do not need s2s modules or config for a single-user, transport-oriented
server.
Likewise, we do not need admin or abuse contacts if s2s is disabled. No
messages can escape, and it would be impossible to contact them regardless!
Diffstat (limited to 'playbook.yaml')
| -rw-r--r-- | playbook.yaml | 47 |
1 files changed, 39 insertions, 8 deletions
diff --git a/playbook.yaml b/playbook.yaml
index 4fb5ffa..c551456 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -159,6 +159,24 @@
type: SRV
ttl: 3600
records: ["0 5 5223 {{ delegate_host }}."]
+ - subname: '{{ "_5222._tcp" + tlsa_appended_subdomain }}'
+ type: TLSA
+ ttl: 3600
+ records: ["3 1 1 {{ dane_hash.stdout }}"]
+ - subname: '{{ "_5223._tcp" + tlsa_appended_subdomain }}'
+ type: TLSA
+ ttl: 3600
+ records: ["3 1 1 {{ dane_hash.stdout }}"]
+ delegate_to: localhost
+
+ - name: Ensure s2s records are registered in subdomain
+ ansible.builtin.uri:
+ url: "https://desec.io/api/v1/domains/{{ virtual_host }}/rrsets/"
+ method: PUT
+ body_format: json
+ headers:
+ Authorization: Token {{ desec_token }}
+ body:
- subname: "_xmpp-server._tcp"
type: SRV
ttl: 3600
@@ -175,14 +193,6 @@
type: SRV
ttl: 3600
records: ["0 5 5270 {{ delegate_host }}."]
- - subname: '{{ "_5222._tcp" + tlsa_appended_subdomain }}'
- type: TLSA
- ttl: 3600
- records: ["3 1 1 {{ dane_hash.stdout }}"]
- - subname: '{{ "_5223._tcp" + tlsa_appended_subdomain }}'
- type: TLSA
- ttl: 3600
- records: ["3 1 1 {{ dane_hash.stdout }}"]
- subname: '{{ "_5269._tcp" + tlsa_appended_subdomain }}'
type: TLSA
ttl: 3600
@@ -192,6 +202,7 @@
ttl: 3600
records: ["3 1 1 {{ dane_hash.stdout }}"]
delegate_to: localhost
+ when: not is_transport_server

# We specifically use apt instead of the more general package module here,
# because we want to ensure the cache is updated before we try and install
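Review bot: The new `Ensure s2s records are registered in subdomain` task sends `desec_token` in an `Authorization` header, and `ansible.builtin.uri` echoes its arguments, headers included, in verbose runs and in failure output; add `no_log: true` to the task (the sibling c2s task whose head lies above this hunk presumably has the same exposure). Splitting the records across two PUT calls also means that a host once provisioned with s2s enabled and later switched to `is_transport_server` keeps its `_xmpp-server._tcp` SRV and `_5269._tcp` TLSA records published, because nothing retracts them; if deSEC's bulk API behaves as I expect, a PUT of those subnames with `records: []` under `when: is_transport_server` would remove them. The task list that encloses these records starts and ends outside the hunk.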
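Review bot: `when: not is_transport_server` aborts the play with an undefined-variable error on any host whose inventory does not set `is_transport_server`, and nothing in the diff gives the variable a default; the same applies to the three `when:` lines in the ufw hunk at @@ -240,8. Declaring `is_transport_server: false` in the play's `vars`, or writing `when: not (is_transport_server | default(false))`, keeps existing inventories working. The task this line belongs to starts above the hunk.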
@@ -240,8 +251,28 @@
state: enabled
loop:
- OpenSSH
+ become: true
+
+ - name: Ensure full XMPP ports are open
+ community.general.ufw:
+ rule: allow
+ name: "{{ item }}"
+ state: enabled
+ loop:
- XMPP
become: true
+ when: not is_transport_server
+
+ - name: Ensure only c2s ports are open
+ community.general.ufw:
+ rule: allow
+ port: "{{ item }}"
+ proto: tcp
+ state: enabled
+ loop:
+ - 5222
+ become: true
+ when: is_transport_server

- name: Ensure invite-specific ports with ufw applications are open
community.general.ufw: |
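Review bot: The `Ensure only c2s ports are open` task allows 5222 only, but an `allow XMPP` rule left by an earlier full provisioning is never removed, since `community.general.ufw` only adds what it is told; a host flipped to `is_transport_server` therefore keeps 5269 (and whatever else that profile lists) reachable. A companion task with `delete: true` on the profile closes that gap, as sketched below. Separately, the hunk at @@ -159,6 now publishes the SRV record pointing at port 5223 (`records: ["0 5 5223 {{ delegate_host }}."]`) and the `_5223._tcp` TLSA record unconditionally, yet 5223 is absent from the transport loop — if `delegate_host` is this host, either add `- 5223` to the loop or gate those records on the flag too. The tasks list containing these entries begins and ends outside the hunk.
```yaml
- name: Ensure full XMPP ufw rule is absent on transport servers
  community.general.ufw:
    rule: allow
    name: XMPP
    delete: true
  become: true
  when: is_transport_server
# … unchanged: "Ensure only c2s ports are open" task …
```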
