This is needed as the transports are by default treated as guests by prosody,
and therefore unable to upload files without explicit permission.
The template worked fine for singleton lists, but it fails when adding another
entry since there is no separator between the elements! Thankfully Lua has some
nice syntax allowing you to use a semicolon as a separator, which doesn't by
itself imply more than one element.
This commit allows transport servers to define the relevant components on the
XMPP server. Transports are configured by adding the following config to the
inventory's variables:
transports:
  - subdomain: a-example-legacy-network
    secret: a-long-randomly-generated-secret
  - subdomain: another-example-legacy-network
    secret: another-long-randomly-generated-secret
These are iterated over and a privileged component is created for each.
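The two commit messages above describe the same template problem from both ends: one Component block per `transports` entry, and Lua lists that must render correctly whether the inventory has one entry or many. The following is an added example, not the repository's own Ansible/Jinja template; it renders the equivalent Prosody config from Python so the semicolon-terminator trick and the per-transport loop can be checked offline. The keys `subdomain` and `secret` come from the commit message; the `domain` parameter, the minimum secret length and the mod_privilege permission values are assumptions made for this example.

```python
"""Render Prosody component definitions from an inventory-style transport list.

Added example; not the repository's own Ansible/Jinja template. Every entry in
`transports` yields one Component block, and Lua table entries are written with
a trailing ';' so the same rendering works for one entry or many. `domain`,
MIN_SECRET_LEN and the mod_privilege permission table are assumptions.
"""

# Constructed sample inventory, shaped like the YAML in the commit message.
TRANSPORTS = [
    {"subdomain": "a-example-legacy-network",
     "secret": "a-long-randomly-generated-secret"},
    {"subdomain": "another-example-legacy-network",
     "secret": "another-long-randomly-generated-secret"},
]

MIN_SECRET_LEN = 20  # assumption: reject obviously short shared secrets


def lua_string(text):
    """Quote a value as a Lua string literal, escaping backslashes and quotes."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def lua_list(items):
    """Render a Lua table constructor with ';' terminating every entry.

    A ', '.join() template needs last-element logic; this does not, because
    { "a"; } and { "a"; "b"; } are both valid Lua.
    """
    body = "".join("    " + lua_string(item) + ";\n" for item in items)
    return "{\n" + body + "}"


def validate_transport(transport):
    """Reject entries that would produce an unusable or weak component."""
    subdomain = transport.get("subdomain", "")
    secret = transport.get("secret", "")
    if not subdomain or "." in subdomain or " " in subdomain:
        raise ValueError(f"bad transport subdomain: {subdomain!r}")
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError(f"secret for {subdomain} is shorter than {MIN_SECRET_LEN} chars")
    return subdomain, secret


def render_components(transports, domain):
    """One Component block per transport, as it would appear in prosody.cfg.lua."""
    blocks = []
    for transport in transports:
        subdomain, secret = validate_transport(transport)
        jid = f"{subdomain}.{domain}"
        blocks.append(
            f"Component {lua_string(jid)}\n"
            f"    component_secret = {lua_string(secret)}\n"
        )
    return "\n".join(blocks)


def render_privileged_entities(transports, domain):
    """mod_privilege table for the VirtualHost (permission values are assumed)."""
    entries = []
    for transport in transports:
        subdomain, _ = validate_transport(transport)
        jid = lua_string(f"{subdomain}.{domain}")
        entries.append(
            f"    [{jid}] = {{\n"
            f"        roster = \"both\";\n"
            f"        message = \"outgoing\";\n"
            f"    }};\n"
        )
    return "privileged_entities = {\n" + "".join(entries) + "}"


if __name__ == "__main__":
    print(render_components(TRANSPORTS, "example.org"))
    print(render_privileged_entities(TRANSPORTS, "example.org"))
```

`lua_list` is the part that corresponds to the separator fix: every entry gets its own `;`, so a single-element and a multi-element list come out of the same loop with no special case for the last element. `validate_transport` is the check a reviewer would want on the inventory before a component with a weak shared secret is deployed.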
This change allows targeted deployments just to transport servers, or
deployments to all prod servers (including transport) at once.
Prosody falls back to a legacy DNS module and also logs warnings if lua-unbound
is not installed.
If a section is not enabled on a particular server, that section's header
comment should not be visible.
This provides a more performant alternative to BOSH for clients wishing to
access the server over HTTP.
This configuration allows me to remove the proxy DNS records, and keep the
configuration internal to prosody.
We do not need s2s modules or config for a single-user transport oriented
server.
Likewise, we do not need admin or abuse contacts if s2s is disabled. No
messages can escape, and it would be impossible to contact them regardless!
According to mod_tls documentation, c2s_require_encryption and
s2s_require_encryption already default to true. Therefore, they can be removed.
Likewise, the default for authentication is internal_hashed, and the certs are
already in the "certs" subdirectory relative to the prosody config file.
I have s2s_secure_auth enabled, which disables dialback. Therefore, this module
is not needed.
Use consistent 4-space indentation.
Do not allow new scopes to be opened and closed on the same line. This allows
me to more easily add jinja if statements without having to make formatting
changes at the same time.
There will be no s2s connections on the transport server, so anti-spam modules
won't provide much benefit.
Invites are not needed on a single-user transport-only server. Therefore, place
this functionality behind a flag.
I am planning on deploying a new single-user server, without s2s connections or
other features, specifically for transports.
This necessitates splitting off some functionality behind a flag, so that it is
only enabled for non-transport ("standard") servers.
I added python3-pexpect to the dependency list in
de867dadbcc3c69d97acf96bf3e86d11295eea39, to use the pexpect ansible module for
a reason that is lost to the sands of time. This module is no longer used, so
the dependency can be removed.
While looking through the list of available prosody-modules, these
seemed useful.
While looking through the list of available prosody-modules, these two
seemed useful.
Thankfully the servers I manage have not seen any spam; nevertheless,
I'd rather set up some kind of mitigation now, before it becomes a
problem.
Whoops! mod_component is not supposed to be loaded directly, instead it
gets indirectly loaded as a result of the relevant component
definitions.
I took the opportunity to look through the module list and add some
extra ones that were missing before.
These are newly available in Trixie. I believe Monal will start loudly
warning if they are not used in the near future.
According to prosodyctl check, this module is no longer used or needed.
This is not available in prosody-modules
0.0~hg20250402.f315edc39f3d+dfsg-2.
I found these variables a bit confusing after having to interact with
them again. It is useful to have some context now that I have forgotten all
about the DS record setup!
It is useful to jump to different variables using the {} keys in vim, and
the rest of the playbook has similar whitespace.
domain_with_ds is checked against the empty string when checking whether
we should define ds_subname.
When no parent_domain was found, we were setting domain_with_ds to None,
which in Ansible 10 was (correctly) failing the domain_with_ds != ""
check. However, in Ansible 12, it now fails that check, meaning that
Ansible tried to evaluate ds_subname even when domain_with_ds was None,
resulting in a type conversion failure.
Therefore, make sure that domain_with_ds is always a string, even if
parent_domain is undefined, and use the empty string to represent this,
as expected in the playbook itself.
Some services, such as munin, read the hostname from the system, and
don't allow "virtual host" configuration like prosody. For such
services, we want to make sure the hostname is set correctly.
I want ansible to take full control of managing /etc/hosts, hostname
etc. I think it is most convenient to disable cloud-init entirely, to
prevent contention between ansible and cloud-init.
db and database have been deprecated, and replaced with login_db.
I don't need to specify the exact interpreter through ansible, as I can
do this from the host itself.
This is now enforced by ansible-lint.
There's no need to jump back to 2 GiB yet, but I was finding 10 MiB too
restrictive.
Debug logging was historically enabled in nonprod. This would let me
test interactions between the client and the server by checking exactly
what was sent and received.
However, this will shortly not be needed as prosody 13 supports
prosodyctl shell watch log, allowing me to "dip in" to debug logs
whenever needed.
This was originally intended for motoristic, but is no longer needed by
any domain.
This was only ever enabled for testing purposes, and is no longer
needed.
I made a mistake in the original configuration - I tried to give each
virtual host a separate turnserver on its own subdomain. However, since
koyo.haus and fennell.dev (and likewise in nonprod) share a virtual
machine, they can only have one turnserver between them (in the
turnserver.conf, there can only be a single realm).
Therefore, always point to koyo.haus for the turnserver in each
environment.
I used to have a dedicated server for cert renewals; now I just run it
from my laptop, with an increased cron frequency. This is simpler,
especially when there is a powercut, and I'll certainly use my laptop
every 30 days.
It's too time-consuming, especially when making multiple commits in one
go, and having tested those changes by manually running make staging
already.
These steps were not idempotent, because there was no way to check if
the password was correct. So, they would run again each time.
The playbook gets run infrequently enough, and it is simple enough, to
add users manually.
This makes it easier to debug why a step is unexpectedly not idempotent.
Backups are now handled outside of the playbook.
This was quite generous, and if everyone used it at the same time, the
host would fall over!
The main way the config varies from Debian's default is that we make sure to
reboot after each upgrade.
This is useful for two reasons:
* To test clients that render roster groups provided by the server
* To evaluate whether it is worth enabling this flag in production
This lets us log each individual stanza from a server perspective, which can be
useful when debugging client behaviour.