From eaf1e70bed9fb6029800a8d8ba5b0b53b4f32929 Mon Sep 17 00:00:00 2001
From: Matthew Fennell
Date: Sun, 21 Sep 2025 16:34:31 +0100
Subject: Place s2s modules behind a flag

We do not need s2s modules or config for a single-user transport oriented server. Likewise, we do not need admin or abuse contacts if s2s is disabled. No messages can escape, and it would be impossible to contact them regardless!
---
 playbook.yaml | 47 +++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 39 insertions(+), 8 deletions(-)
(limited to 'playbook.yaml')

diff --git a/playbook.yaml b/playbook.yaml
index 4fb5ffa..c551456 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -159,6 +159,24 @@
 type: SRV
 ttl: 3600
 records: ["0 5 5223 {{ delegate_host }}."]
+ - subname: '{{ "_5222._tcp" + tlsa_appended_subdomain }}'
+ type: TLSA
+ ttl: 3600
+ records: ["3 1 1 {{ dane_hash.stdout }}"]
+ - subname: '{{ "_5223._tcp" + tlsa_appended_subdomain }}'
+ type: TLSA
+ ttl: 3600
+ records: ["3 1 1 {{ dane_hash.stdout }}"]
+ delegate_to: localhost
+
+ - name: Ensure s2s records are registered in subdomain
+ ansible.builtin.uri:
+ url: "https://desec.io/api/v1/domains/{{ virtual_host }}/rrsets/"
+ method: PUT
+ body_format: json
+ headers:
+ Authorization: Token {{ desec_token }}
+ body:
 - subname: "_xmpp-server._tcp"
 type: SRV
 ttl: 3600
@@ -175,14 +193,6 @@
 type: SRV
 ttl: 3600
 records: ["0 5 5270 {{ delegate_host }}."]
- - subname: '{{ "_5222._tcp" + tlsa_appended_subdomain }}'
- type: TLSA
- ttl: 3600
- records: ["3 1 1 {{ dane_hash.stdout }}"]
- - subname: '{{ "_5223._tcp" + tlsa_appended_subdomain }}'
- type: TLSA
- ttl: 3600
- records: ["3 1 1 {{ dane_hash.stdout }}"]
 - subname: '{{ "_5269._tcp" + tlsa_appended_subdomain }}'
 type: TLSA
 ttl: 3600
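Review bot: The new `Ensure s2s records are registered in subdomain` task sends `Authorization: Token {{ desec_token }}` without `no_log: true`, so the token is printed with the module invocation whenever the play is run at higher verbosity; add `no_log: true` to this task (and to the c2s task it was split out of, whose header is outside the hunk) to keep the credential out of logs and CI output. Splitting one bulk `PUT` into two sequential requests also makes the result depend on whether deSEC's bulk `PUT` on `/rrsets/` leaves unlisted RRsets untouched — worth confirming against the API docs, because a replace-all semantics would have the second request remove the c2s records the first one just wrote. The task list this hunk edits starts before the hunk.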
@@ -192,6 +202,7 @@
 ttl: 3600
 records: ["3 1 1 {{ dane_hash.stdout }}"]
 delegate_to: localhost
+ when: not is_transport_server

 # We specifically use apt instead of the more general package module here,
 # because we want to ensure the cache is updated before we try and install
@@ -240,8 +251,28 @@
 state: enabled
 loop:
 - OpenSSH
+ become: true
+
+ - name: Ensure full XMPP ports are open
+ community.general.ufw:
+ rule: allow
+ name: "{{ item }}"
+ state: enabled
+ loop:
 - XMPP
 become: true
+ when: not is_transport_server
+
+ - name: Ensure only c2s ports are open
+ community.general.ufw:
+ rule: allow
+ port: "{{ item }}"
+ proto: tcp
+ state: enabled
+ loop:
+ - 5222
+ become: true
+ when: is_transport_server

 - name: Ensure invite-specific ports with ufw applications are open
 community.general.ufw:
-- cgit v1.2.3
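Review bot: `when: not is_transport_server` fails the play with an undefined-variable error on any host where the flag is not set, and the same holds for the two conditions added in the ufw hunk below; either declare `is_transport_server: false` in the play's `vars` or write `when: not (is_transport_server | default(false))` so the default is explicit. Skipping this task on a transport server also leaves any s2s SRV/TLSA records published by an earlier run in place, since nothing deletes them — if the intent is that a transport server advertises no s2s endpoints, the transport branch needs an explicit removal step. The task this condition guards begins before the hunk.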
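Review bot: On a transport server the new `Ensure only c2s ports are open` task admits only 5222, yet the c2s DNS hunk earlier in this commit still publishes an SRV record targeting port 5223 (its subname is outside that hunk) and a `_5223._tcp` TLSA record unconditionally, so clients following those records will be steered to a port the firewall now blocks; either add `- 5223` to the loop or stop publishing the 5223 records when `is_transport_server` is set. `state: enabled` only adds rules, so a host that previously received the `XMPP` application profile keeps it after being switched to transport mode — a matching `delete: true` task under `when: is_transport_server` is what would actually narrow the exposure. The OpenSSH task that the first added `become: true` completes starts before the hunk.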