Age | Commit message | Author |
|
I am rolling out a Matrix bot that will auto-reply to contacts in bridged
conversations, encouraging people to reach out to me on XMPP.
The bot will send them an invite link, retrieved from this API.
|
|
This will primarily be used for motoristic.
|
|
Although this playbook originally installed certificates to the server, this
turned out to be a bad idea, because the playbook could in some circumstances
(if the acme project had already renewed the certs) have installed a different
certificate to the remote server.
By delegating responsibility to the acme server fully, this should prevent any
such issues, as well as potential DANE misconfigurations.
|
|
|
|
The naming scheme I'm using for prod and nonprod environments has changed,
therefore this commit also updates the documentation to match this.
|
|
These references were out of date with what was needed from the playbook.
|
|
The AAAA record should be created by the libcloud bootstrap process instead, so
that the playbook can ssh using the hostname as normal.
|
|
The playbook initially deleted the public keys from root's authorized_keys
after copying them to admin, but this prevents the playbook from running the
"Ensure admin account is created" commands in subsequent runs. Therefore, we
shouldn't delete them.
In the long term, I would like to find a way to only attempt to run the root
commands if it's not possible to ssh as admin. This is as I don't like the idea
of root having direct ssh access.
|
|
Initially, I used AWS Lightsail for deployment. However, I am now using Vultr
via libcloud, which does not create a user named "admin" by default. Therefore,
this commit aims to ensure that such an account is created, even on providers
that don't create it by default.
|
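The two commits above (not deleting root's keys, and ensuring an "admin" account exists on providers that don't create one) describe a bootstrap problem that Ansible can express directly: probe as admin first, and only fall back to root on hosts where admin is not yet usable. The playbook below is an added example, not the playbook's own code. It assumes the non-root account is called `admin`, that the controller's public key lives at `~/.ssh/id_ed25519.pub`, that the provider image ships a root account with that key installed, and that the inventory does not set `ansible_user` (which would override `remote_user`).

```yaml
# Added example, not this playbook's own code. Assumptions: account "admin",
# controller key at ~/.ssh/id_ed25519.pub, provider image has root + that key.
- name: Probe whether the admin account is already usable
  hosts: all
  gather_facts: false
  remote_user: admin
  tasks:
    - name: Try to connect as admin
      ansible.builtin.ping:
      ignore_unreachable: true   # keep the host in play even if admin does not exist yet
      register: admin_probe

- name: Bootstrap the admin account as root, only where admin was unreachable
  hosts: all
  gather_facts: false
  remote_user: root
  tasks:
    - name: Ensure admin account exists and is in the sudo group
      ansible.builtin.user:
        name: admin
        shell: /bin/bash
        groups: sudo
        append: true
      when: admin_probe.unreachable | default(false)

    - name: Let admin use sudo without a password (sudoers checked before install)
      ansible.builtin.copy:
        dest: /etc/sudoers.d/admin
        content: "admin ALL=(ALL) NOPASSWD: ALL\n"
        owner: root
        group: root
        mode: "0440"
        validate: visudo -cf %s
      when: admin_probe.unreachable | default(false)

    - name: Install the controller's key for admin (root's authorized_keys untouched)
      ansible.posix.authorized_key:
        user: admin
        key: "{{ lookup('ansible.builtin.file', '~/.ssh/id_ed25519.pub') }}"
      when: admin_probe.unreachable | default(false)

- name: Everything else runs as admin, escalating with sudo where needed
  hosts: all
  remote_user: admin
  become: true
  tasks:
    - name: Sanity check that the unprivileged login is admin
      ansible.builtin.command: id -un
      become: false
      changed_when: false
```

On a host that already has a working admin account the probe succeeds, `admin_probe` carries no `unreachable` key, and the root play is skipped entirely; on a fresh image the probe fails, `ignore_unreachable` keeps the host in the run, and the root play creates the account. Once every host passes the probe, root's SSH access can be disabled separately (for example `PermitRootLogin no`) without touching this playbook.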
|
We remove some extra MUC configuration here that should not be needed, as these
settings should be handled by the defaults anyway.
|
|
These are now fully automated, thanks to the libcloud setup, which is currently
sitting in a separate repository that will be merged with this one.
Therefore, there is no longer any need to configure these manually.
|
|
I misunderstood how MAM works, and thought that storing messages long-term
would allow new clients to retrieve long-term history. This commit moves the
server's configuration back to the default of one week.
|
|
I have moved DNS configuration for all of my servers to deSEC, thanks to its
easy-to-use REST interface. This allows me to configure DNS records as part of
the playbook, instead of having to add them manually for each new server I'd
like to create. The consequence of this is that the playbook now has a hard
dependency on deSEC.
|
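For the deSEC-based DNS setup described above, the task below is an added example of driving the deSEC REST interface from a playbook; it is not the playbook's own code. The endpoint and request body follow my reading of the deSEC API documentation (https://desec.readthedocs.io/) and should be checked against it; the domain, subname, address and the `desec_token` variable are placeholders.

```yaml
# Added example, not this playbook's own code. Endpoint/body shape per my
# reading of the deSEC API docs; domain, subname, address, token are assumptions.
- name: Publish DNS records for a new host via deSEC
  hosts: localhost
  gather_facts: false
  vars:
    desec_domain: example.org
    host_subname: xmpp
    host_ipv4: 203.0.113.10                       # constructed sample address
    # Read the token from the environment (or ansible-vault); never hard-code it.
    desec_token: "{{ lookup('ansible.builtin.env', 'DESEC_TOKEN') }}"
  tasks:
    - name: Create or update the host A record and the XMPP SRV records in one call
      ansible.builtin.uri:
        url: "https://desec.io/api/v1/domains/{{ desec_domain }}/rrsets/"
        method: PATCH                             # bulk upsert of RRsets
        headers:
          Authorization: "Token {{ desec_token }}"
        body_format: json
        body:
          - subname: "{{ host_subname }}"
            type: A
            ttl: 3600                             # deSEC's minimum TTL
            records: ["{{ host_ipv4 }}"]
          - subname: "_xmpp-client._tcp"
            type: SRV
            ttl: 3600
            records: ["0 5 5222 {{ host_subname }}.{{ desec_domain }}."]
          - subname: "_xmpp-server._tcp"
            type: SRV
            ttl: 3600
            records: ["0 5 5269 {{ host_subname }}.{{ desec_domain }}."]
        status_code: [200]
      no_log: true   # keep the API token out of logs and -v output
      register: dns_result
```

Two caveats worth keeping in mind: `no_log: true` also hides the response on failure, so temporarily remove it when debugging; and in the deSEC API an RRset sent with an empty `records` list deletes that RRset, so make sure templated record lists can never render empty by accident.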
|
My ACME scripts currently reload (instead of restarting) prosody after
installing new certificates. Therefore, I would like to make sure that these
new certificates are picked up on such an action.
|
|
This makes it easier to navigate through the playbook, and jump to the part
that you're interested in editing, using the { and } keys in vim.
|
|
I would like certificate renewal to be handled centrally across all of my
deployed services. Therefore, responsibility for certificate renewal no longer
belongs in this playbook.
|
|
I tried to create a fresh nonprod deployment today on
continuous.staging.nonprod.chat.fennell.dev. However, the first step failed
because the apt command could not find borgmatic.
The solution was to run apt update before running apt install. Unfortunately,
ansible's package module does not have an option for this. Therefore, although
I would have liked to stick with "package" (to keep it general and away from
the specifics of using "apt" as a package manager), I have switched back to
using the apt module so that the step can succeed without any manual
intervention on a fresh install.
|
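The stale-index failure described above has two reasonable fixes in Ansible, and the playbook below shows both as an added example (not the playbook's own code): the `apt` module with `update_cache`, and an alternative that keeps the generic `package` module by refreshing the index in a separate apt-only task. `borgmatic` is the package named in the commit message; the `cache_valid_time` value is my choice, and `become: true` is needed because package installation requires root.

```yaml
# Added example, not this playbook's own code. cache_valid_time is my choice.
- name: Ensure backup tooling is installed on a fresh host
  hosts: all
  become: true                   # apt needs root
  tasks:
    # Option 1: the apt module can refresh the index itself.
    - name: Install borgmatic, refreshing the package index first if it is stale
      ansible.builtin.apt:
        name: borgmatic
        state: present
        update_cache: true
        cache_valid_time: 3600   # skip "apt update" when the index is under an hour old

    # Option 2: keep the package-manager-agnostic module, and do the refresh
    # in a separate task that only runs on apt-based hosts.
    - name: Refresh the apt index on Debian-family hosts
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 3600
      when: ansible_facts.pkg_mgr == "apt"

    - name: Install borgmatic with the generic package module
      ansible.builtin.package:
        name: borgmatic
        state: present
```

Option 2 relies on fact gathering (the default) to populate `ansible_facts.pkg_mgr`; with `gather_facts: false` the `when` clause would error rather than skip.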
|
I'll use this file to store notes about the specific deployments I have.
|
|
|
|
This commit adds support for XEPs 0065 and 0365 - i.e. sending files from one
account to another.
|
|
This is based on the recommendation of Monal's "Considerations for XMPP server
admins" document.
|
|
This commit adds support for XEP-0215, or the discovery of external services.
|
|
This commit adds support for XEP-0357, or cloud push notifications, and lets
notifications be reliably delivered on iOS and Android.
|
|
This should help reduce XMPP clients' battery consumption on mobile devices.
|
|
I would like the message expiry to be very long, so that there is very little
chance of users not being able to retrieve messages.
|
|
This commit enables SOCKS5 Bytestreams, allowing users to send and receive
files.
|
|
Previously, the playbook would fail if it needed to install packages, as this
(in the case of apt) requires sudo.
|
|
At present, these are not automated by the runbook and need to be manually run
as part of setup for each new managed host the playbook is run against.
|
|
This directory is created by a user command, not as part of the package
installation process. Therefore, it may not exist if the user has not yet
configured borgmatic on the host.
|
|
This commit uses the simpler, more standard validate feature of template
instead of triggering a handler. The feature is there - may as well use it!
|
|
This commit adds borgmatic, to provide automated backups.
|
|
For now, there are not too many variables to set per host. However, this will
likely change in future commits, with a greater number of variables needing to
be configured. Therefore, this commit encourages the user to define these
variables in a yaml file, which will be more cleanly scalable.
|
|
I may in the future introduce yaml config file templates, since this is a
relatively common format for configuring services. If I do so, I should ensure
that yamllint gets run on these too.
|
|
This commit adds some basic DNS instructions for the initial setup of the host,
which can be used when the domain of the JID matches the domain of the host.
|
|
The playbook previously assigned the prosody config files to the root group.
With root as the owner, and permissions as 0640, this meant that prosody was
not able to read the files. This commit fixes this.
|
|
This commit ensures certificates are installed, via Let's Encrypt.
|
|
There is no sense reloading prosody if none of its configuration files have
changed. Therefore, this commit moves the reload to a handler that only gets
triggered in this situation.
|
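Three of the commits above (validating templates with the `template` module's `validate` option, giving the config files a group prosody can read, and reloading only from a handler) fit into a single play. The play below is an added example, not the playbook's own code. It assumes the Debian `prosody` package, whose daemon runs as user and group `prosody`, a local Jinja2 template `prosody.cfg.lua.j2`, and a `virtual_hosts` list variable; the `prosodyctl` validate command is my assumption about that tool's flags and should be checked on the target.

```yaml
# Added example, not this playbook's own code. Assumes Debian's prosody package
# (daemon group "prosody"), a local prosody.cfg.lua.j2, and a virtual_hosts list.
- name: Deploy prosody configuration
  hosts: xmpp
  become: true
  handlers:
    - name: Reload prosody
      ansible.builtin.service:
        name: prosody
        state: reloaded        # reload, not restart: keeps client sessions up

  tasks:
    - name: Install main config, readable by the prosody group but not by others
      ansible.builtin.template:
        src: prosody.cfg.lua.j2
        dest: /etc/prosody/prosody.cfg.lua
        owner: root            # only root may edit it ...
        group: prosody         # ... but the daemon must be able to read it
        mode: "0640"
        # Ansible renders to a temp file, substitutes its path for %s, and
        # only moves it into place if this command exits 0.
        validate: prosodyctl --config=%s check config
      notify: Reload prosody   # handler fires once, only if a file changed

    - name: Install one config fragment per virtual host
      ansible.builtin.template:
        src: virtualhost.cfg.lua.j2
        dest: "/etc/prosody/conf.d/{{ item }}.cfg.lua"
        owner: root
        group: prosody
        mode: "0640"
      loop: "{{ virtual_hosts }}"
      notify: Reload prosody
```

One caveat on `validate`: the temporary file is not in `/etc/prosody`, so if the main config pulls in fragments with a relative `Include`, the check sees the rendered main file but not the conf.d fragments; a `prosodyctl check config` task run after both templates can cover the combined result.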
|
There are some checks that are enabled by default in yamllint that are not
caught by default by ansible-lint. For instance, ansible-lint does not check
for line lengths in its default configuration. Therefore, we would like to
re-introduce yamllint to make sure we do not miss any checks.
|
|
ansible-lint uses yamllint under the hood, and also checks for many more
"logical" errors in the ansible config.
|
|
I would like to avoid accidentally committing one of these files.
|
|
This commit uses the new per-host virtual_host variable to create the necessary
prosody host-specific cfg files.
|
|
This commit adds a prosody configuration file that can be installed on the
remote hosts. This lets me make the configuration locally, deploy it to staging
environments, and then to prod, without having to directly login to the hosts.
|
|
This commit enables the necessary ports for XMPP, web hosting (to allow certbot
to renew automatically) and SSH.
|
|
At present, the playbook simply ensures that all required packages are
installed.
|
|
This project is licensed under AGPL-3.0-only. I would like to use reuse across
this project, therefore the license is placed in the LICENSES directory.
|