-rw-r--r-- | README.md | 1 | ||||
-rw-r--r-- | files/nginx_conf.j2 | 51 | ||||
-rw-r--r-- | files/virtual_host.cfg.lua.j2 | 7 | ||||
-rw-r--r-- | playbook.yaml | 15 |
4 files changed, 0 insertions, 74 deletions
@@ -87,7 +87,6 @@ inventory/
 ```yaml
 acme_account_uri_nonprod: # the staging uri we should add CAA records for
 acme_account_uri_prod: # the prod uri we should add CAA records for
-anonymous_login: # should we allow anonymous users on the server? e.g. true
 borg_private_key_path: # e.g. /home/matthew/.ssh/some-key
 borg_repo: # the repo to use, e.g. ssh://example.org/./repo
 cert_host: # the server that manages certs, e.g. matthew-server.local
diff --git a/files/nginx_conf.j2 b/files/nginx_conf.j2
index 3c38ced..ee4cbbc 100644
--- a/files/nginx_conf.j2
+++ b/files/nginx_conf.j2
@@ -29,54 +29,3 @@ server {
 return 301 https://$host$request_uri;
 }
-
-{% if anonymous_login %}
-
-server {
- listen 443 ssl;
- listen [::]:443;
-
- ssl_certificate /etc/prosody/certs/{{ virtual_host }}.crt;
- ssl_certificate_key /etc/prosody/certs/{{ virtual_host }}.key;
-
- server_name anon.{{ virtual_host }};
-
- location / {
- proxy_pass https://localhost:5281;
- proxy_set_header Host "anon.{{ virtual_host }}";
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_buffering off;
- tcp_nodelay on;
- }
-
- location /http-bind {
- proxy_pass https://localhost:5281;
- proxy_set_header Host "anon.{{ virtual_host }}";
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_buffering off;
- tcp_nodelay on;
- }
-
- location /.well-known/host-meta {
- add_header Access-Control-Allow-Origin * always;
- return 200 "<?xml version='1.0' encoding='utf-8'?>
-<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>
- <Link rel='urn:xmpp:alt-connections:xbosh'
- href='https://anon.{{ virtual_host }}/http-bind' />
-</XRD>
-";
- }
-}
-
-server {
- listen 80;
- listen [::]:80;
-
- server_name anon.{{ virtual_host }};
-
- return 301 https://$host$request_uri;
-}
-
-{% endif %}
diff --git a/files/virtual_host.cfg.lua.j2 b/files/virtual_host.cfg.lua.j2
index eb3a52e..3816998 100644
--- a/files/virtual_host.cfg.lua.j2
+++ b/files/virtual_host.cfg.lua.j2
@@ -47,10 +47,3 @@ log_all_rooms = true
 restrict_room_creation = "local"
 muc_room_default_public = false
 muc_room_default_public_jids = true
-
-{% if anonymous_login %}
-
-VirtualHost "anon.{{ virtual_host }}"
-authentication = "anonymous"
-
-{% endif %}
diff --git a/playbook.yaml b/playbook.yaml
index 802ba2a..45e7ac0 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -168,21 +168,6 @@
 records: ["3 1 1 {{ dane_hash.stdout }}"]
 delegate_to: localhost
- - name: Ensure anonymous records are added to subdomain, if needed
- ansible.builtin.uri:
- url: "https://desec.io/api/v1/domains/{{ virtual_host }}/rrsets/"
- method: PUT
- body_format: json
- headers:
- Authorization: Token {{ desec_token }}
- body:
- - subname: "anon"
- type: CNAME
- ttl: 3600
- records: ["{{ delegate_host }}."]
- delegate_to: localhost
- when: anonymous_login
-
 # We specifically use apt instead of the more general package module here,
 # because we want to ensure the cache is updated before we try and install
 # anything. This is needed because, on a freh Debian install on AWS |