-rw-r--r-- | README.md | 33 | ||||
-rw-r--r-- | ansible.cfg | 7 | ||||
-rw-r--r-- | files/prosody.cfg.lua.j2 (renamed from files/prosody.cfg.lua) | 21 | ||||
-rw-r--r-- | files/turnserver.conf.j2 | 11 | ||||
-rw-r--r-- | files/virtual_host.cfg.lua.j2 | 27 | ||||
-rw-r--r-- | playbook.yaml | 87 |
6 files changed, 159 insertions, 27 deletions
@@ -36,9 +36,11 @@ the following DNS records: | -------- | ---- | ---------- | --------- | | A Record | @ | Static IP | Automatic | -| Type | Host | Target | TTL | -| ------------ | ------ | ----------- | --------- | -| CNAME Record | upload | Root domain | Automatic | +| Type | Host | Target | TTL | +| ------------ | ---------- | ----------- | --------- | +| CNAME Record | conference | Root domain | Automatic | +| CNAME Record | turn | Root domain | Automatic | +| CNAME Record | upload | Root domain | Automatic | See [Prosody's docs](https://prosody.im/doc/dns) for information on alternative arrangements. @@ -48,15 +50,22 @@ arrangements. Now, open the following firewall ports on the external firewall (the firewall on the box itself will be taken care of by the playbook): -| Application | Protocol | Port | -| ----------- | -------- | ---- | -| SSH | TCP | 22 | -| HTTP | TCP | 80 | -| XEP-0065 | TCP,UDP | 5000 | -| XMPP Client | TCP | 5222 | -| XMPP Server | TCP | 5269 | -| HTTP Server | TCP | 5280 | -| HTTP Server | TCP | 5281 | +| Application | Protocol | Port | +| ----------- | -------- | ----------- | +| SSH | TCP | 22 | +| HTTP | TCP | 80 | +| XEP-0065 | TCP,UDP | 5000 | +| XMPP Client | TCP | 5222 | +| XEP-0368 | TCP | 5223 | +| XMPP Server | TCP | 5269 | +| XEP-0368 | TCP | 5270 | +| XEP-0363 | TCP | 5280 | +| XEP-0363 | TCP | 5281 | +| XEP-0215 | TCP,UDP | 3478 | +| XEP-0215 | TCP,UDP | 3479 | +| XEP-0215 | TCP,UDP | 5349 | +| XEP-0215 | TCP,UDP | 5350 | +| XEP-0215 | TCP,UDP | 49152-65535 | ### Install ansible on the control node diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..ce70a05 --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,7 @@ +# SPDX-FileCopyrightText: 2024 Matthew Fennell <matthew@fennell.dev> +# +# SPDX-License-Identifier: AGPL-3.0-only + +[connection] + +pipelining = true diff --git a/files/prosody.cfg.lua b/files/prosody.cfg.lua.j2 index d75781a..53d3d48 100644 --- a/files/prosody.cfg.lua +++ b/files/prosody.cfg.lua.j2 
@@ -17,9 +17,6 @@ modules_enabled = {
 "dialback";
 "disco";
 "external_services";
- "invites";
- "invites_adhoc";
- "invites_register";
 "limits";
 "mam";
 "mimicking";
@@ -29,11 +26,14 @@ modules_enabled = {
 "private";
 "proxy65";
 "register";
+ "register_apps";
 "roster";
 "saslauth";
+ "server_contact_info";
 "smacks";
 "time";
 "tls";
+ "turn_external";
 "uptime";
 "vcard4";
 "vcard_legacy";
@@ -55,11 +55,18 @@ s2s_require_encryption = true
 c2s_require_encryption = true
 authentication = "internal_hashed"
 certificates = "certs"
+c2s_direct_tls_ports = { 5223 }
+s2s_direct_tls_ports = { 5270 }
 -- From Monal considerations for XMPP server admins
 smacks_hibernation_time = 86400
 allow_registration = true
+site_apps_show = {
+ "conversations";
+ "dino";
+ "monal";
+}
 limits = {
 c2s = {
@@ -72,4 +79,12 @@ limits = {
 archive_expires_after = "10y"
+storage = "sql"
+sql = {
+ driver = "PostgreSQL";
+ database = "prosody";
+ username = "prosody";
+ password = "{{ postgres_password }}";
+}
+
 Include "conf.d/*.cfg.lua"
diff --git a/files/turnserver.conf.j2 b/files/turnserver.conf.j2
new file mode 100644
index 0000000..05c956c
--- /dev/null
+++ b/files/turnserver.conf.j2
@@ -0,0 +1,11 @@
+# SPDX-FileCopyrightText: 2024 Matthew Fennell <matthew@fennell.dev>
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+
+syslog
+no-rfc5780
+no-stun-backward-compatibility
+response-origin-only-with-rfc5780
+realm=turn.{{ virtual_host }}
+use-auth-secret
+static-auth-secret={{ turn_secret }}
diff --git a/files/virtual_host.cfg.lua.j2 b/files/virtual_host.cfg.lua.j2
index 26058cb..5a6064a 100644
--- a/files/virtual_host.cfg.lua.j2
+++ b/files/virtual_host.cfg.lua.j2
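Review bot: `password = "{{ postgres_password }}"` in the new `sql` block is interpolated into a Lua string literal with no escaping, so a generated secret containing `"` or `\` yields a config Prosody cannot parse; either escape it in the template (at least `{{ postgres_password | replace('\\', '\\\\') | replace('"', '\\"') }}`) or document the constraint on the variable. The block also sets no `host`, so the connection depends on the driver's default (presumably the local socket), which deserves a comment such as `-- No host: relies on the local PostgreSQL socket; postgres_password must match the prosody role`. Because this file now carries a database secret, the task that installs it (outside this hunk) has to keep it unreadable to anyone but root and the prosody group.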
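Review bot: The new coturn config has `static-auth-secret={{ turn_secret }}` but no `cert=`/`pkey=` lines, so although the certbot task now requests a certificate for `turn.{{ virtual_host }}` and the README opens 5349/5350, TURN over TLS will not actually be served; either add `cert=`/`pkey=` pointing at the issued certificate (and `no-tlsv1`/`no-tlsv1_1`) or drop the TLS ports from the docs. There is also no `denied-peer-ip` entry; coturn's documentation recommends denying loopback and RFC 1918 ranges so the relay cannot be pointed at the host's own network, e.g. `denied-peer-ip=127.0.0.0-127.255.255.255` plus the private ranges. The playbook installs this file as root:prosody with mode 0640; coturn does not run as the prosody user (Debian's unit runs it as a dedicated `turnserver` user, as far as I recall), so confirm the service account can still read it.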
@@ -4,5 +4,32 @@ VirtualHost "{{ virtual_host }}" +turn_external_host = "turn.{{ virtual_host }}" +turn_external_secret = "{{ turn_secret }}" + +site_name = "{{ virtual_host }}" + Component "upload.{{ virtual_host }}" "http_file_share" http_file_share_expires_after = 10 * 365 * 24 * 60 * 60 + +Component "conference.{{ virtual_host }}" "muc" +modules_enabled = { + "muc_mam"; + "vcard_muc"; +} + +muc_log_expires_after = "10y" +log_all_rooms = true + +restrict_room_creation = "local" +max_history_messages = 1000 +enforce_registered_nickname = true + +muc_room_default_public = false +muc_room_default_persistent = true +muc_room_default_members_only = false +muc_room_default_moderated = false +muc_room_default_public_jids = true +muc_room_default_change_subject = false +muc_room_default_history_length = 1000 +muc_room_default_language = "en" diff --git a/playbook.yaml b/playbook.yaml index 48b482a..94137d3 100644 --- a/playbook.yaml +++ b/playbook.yaml @@ -10,25 +10,30 @@ - name: Ensure required packages are installed ansible.builtin.package: name: - - borgmatic - - certbot - - prosody - - prosody-modules - - python3-certbot-apache - - ufw + - borgmatic # Backups + - certbot # SSL certificates + - coturn # Audio / video calling server + - lua-dbi-postgresql # Prosody postgres connection + - postgresql # Database + - prosody # XMPP server + - prosody-modules # Extra addons + - python3-certbot-apache # Web server to issue challenge responses + - python3-psycopg2 # Used by ansible postgres role + - ufw # Firewall state: present become: true - - name: Ensure required ports are open + - name: Ensure required ports with ufw applications are open community.general.ufw: rule: allow name: "{{ item }}" state: enabled loop: - OpenSSH + - Turnserver - WWW - XMPP become: true - - name: Ensure tcp ports are open for other XEPs + - name: Ensure other required tcp ports are open community.general.ufw: rule: allow port: "{{ item }}" 
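Review bot: `log_all_rooms = true` together with `muc_log_expires_after = "10y"` archives every room's messages server-side for ten years regardless of per-room settings, and `muc_room_default_public_jids = true` makes occupants' real JIDs visible to other occupants in newly created rooms; these are retention and privacy choices rather than defects, but nothing in the file records why they were made. A short comment above the block, e.g. `-- Policy: every room is archived for 10y and rooms are non-anonymous by default`, would stop the next maintainer from "fixing" them. The `turn_external_secret = "{{ turn_secret }}"` line means this rendered file now also holds a shared secret, so its permissions matter as much as those of turnserver.conf.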
@@ -36,10 +41,13 @@
 state: enabled
 loop:
 - 5000 # XEP-0065
+ - 5223 # XEP-0368
+ - 5270 # XEP-0368
 - 5280 # XEP-0363
 - 5281 # XEP-0363
+ # - 5432 # Postgres
 become: true
- - name: Ensure udp ports are open for other XEPs
+ - name: Ensure other udp ports are open
 community.general.ufw:
 rule: allow
 port: "{{ item }}"
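Review bot: `# - 5432 # Postgres` leaves a commented-out firewall rule for the database port inside the loop, which reads as a TODO and is one uncomment away from exposing PostgreSQL; the Prosody `sql` block in prosody.cfg.lua.j2 sets no `host`, so the database is presumably only reached locally and that intent should be stated instead, e.g. `# Postgres (5432) is deliberately not opened: only local clients should reach it`. The task this loop belongs to starts in the previous hunk.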
@@ -62,13 +70,63 @@ ansible.builtin.command: >- certbot --non-interactive --agree-tos --post-hook "/bin/true" --email {{ certbot_email }} --no-eff-email --expand --apache --keep - --domains {{ virtual_host }},upload.{{ virtual_host }} + -d {{ virtual_host }},upload.{{ virtual_host }},turn.{{ virtual_host }} become: true register: certbot changed_when: "'Running post-hook command' in certbot.stdout" + - name: Ensure turn is configured + ansible.builtin.template: + src: "{{ playbook_dir }}/files/turnserver.conf.j2" + dest: /etc/turnserver.conf + owner: root + group: prosody + mode: "0640" + become: true + notify: Reload coturn + - name: Ensure prosody database is set up + community.postgresql.postgresql_db: + name: prosody + become: true + become_user: postgres + - name: Ensure prosody role is created + community.postgresql.postgresql_user: + db: prosody + name: prosody + become: true + become_user: postgres + - name: Ensure prosody schema is created + community.postgresql.postgresql_schema: + db: prosody + name: prosody + owner: prosody + become: true + become_user: postgres + register: my_result + - name: Ensure prosody user exists on database + community.postgresql.postgresql_user: + name: prosody + become: true + become_user: postgres + - name: Ensure prosody user has permissions on database + community.postgresql.postgresql_privs: + type: database + database: prosody + privs: ALL + roles: prosody + become: true + become_user: postgres + - name: Ensure prosody user has permissions on schema + community.postgresql.postgresql_privs: + type: table + database: prosody + objs: ALL_IN_SCHEMA + privs: ALL + roles: prosody + become: true + become_user: postgres - name: Ensure top-level prosody configuration is installed - ansible.builtin.copy: - src: "{{ playbook_dir }}/files/prosody.cfg.lua" + ansible.builtin.template: + src: "{{ playbook_dir }}/files/prosody.cfg.lua.j2" dest: /etc/prosody/prosody.cfg.lua owner: root group: prosody 
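Review bot: The `prosody` role is created twice (`Ensure prosody role is created` and `Ensure prosody user exists on database`) and neither task sets `password:`, while the new prosody.cfg.lua.j2 sends `{{ postgres_password }}`; unless the password is set somewhere outside this diff, that variable is either ignored (peer authentication over the local socket) or the login fails. Keep a single task with `password: "{{ postgres_password }}"` so the secret in the config is the one the role actually has, or remove the variable from the template. `register: my_result` on the schema task is never read and can be dropped. The `postgresql_privs` task with `objs: ALL_IN_SCHEMA` sets no `schema:`, so it targets the module's default schema (`public`) rather than the `prosody` schema created just above — probably harmless since the role owns that schema, but an explicit `schema: prosody` or a comment would make the intent clear.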
@@ -130,3 +188,8 @@
 name: prosody
 state: reloaded
 become: true
+ - name: Reload coturn
+ ansible.builtin.service:
+ name: coturn
+ state: restarted
+ become: true
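Review bot: The handler is named `Reload coturn` but uses `state: restarted`, which presumably drops active relay allocations (calls in progress) whenever the template changes; the name should say what it does, `- name: Restart coturn`, with the matching `notify: Reload coturn` in the turnserver template task (previous hunk) renamed too. If coturn offers no real reload, a one-line comment on the handler saying so would explain why a restart is used where the prosody handler above reloads.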