# SPDX-FileCopyrightText: 2024 Matthew Fennell <matthew@fennell.dev>
#
# SPDX-License-Identifier: AGPL-3.0-only
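---
# Provision a single-host Prosody XMPP server: packages, a ufw firewall,
# Let's Encrypt certificates (certbot with the Apache plugin), the Prosody
# configuration files, and a borgmatic backup configuration.
#
# Variables expected from inventory / group vars (not defined here):
#   virtual_host           - XMPP domain; "upload.<virtual_host>" is also certified
#   certbot_email          - registration address passed to certbot
#   borg_private_key_path  - local path of the SSH key copied to /root/.ssh/borg_key
- name: Ensure XMPP server is set up
  hosts: xmpp_server
  tasks:
    - name: Ensure required packages are installed
      ansible.builtin.package:
        name:
          - borgmatic
          - certbot
          - prosody
          - prosody-modules
          - python3-certbot-apache
          - ufw
        state: present
      become: true

    # Firewall: every allow rule is added first and ufw is enabled in a
    # separate, final task, so the OpenSSH rule is in place before the
    # firewall starts enforcing and the controller cannot lock itself out.
    - name: Ensure required application profiles are allowed
      community.general.ufw:
        rule: allow
        name: "{{ item }}"
      loop:
        - OpenSSH
        - WWW
        - XMPP
      become: true

    - name: Ensure tcp ports are open for other XEPs
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
        proto: tcp
      loop:
        - "5000"  # XEP-0065 (SOCKS5 bytestreams proxy)
        # NOTE(review): 5280 is normally Prosody's plain-HTTP listener; confirm
        # it must be reachable from outside alongside 5281 (HTTPS).
        - "5280"  # XEP-0363
        - "5281"  # XEP-0363
      become: true

    # NOTE(review): XEP-0065 and XEP-0363 are TCP protocols; confirm a UDP
    # listener actually exists on these ports, otherwise drop this task
    # (least privilege).
    - name: Ensure udp ports are open for other XEPs
      community.general.ufw:
        rule: allow
        port: "{{ item }}"
        proto: udp
      loop:
        - "5000"  # XEP-0065
        - "5280"  # XEP-0363
        - "5281"  # XEP-0363
      become: true

    - name: Ensure ufw denies unsolicited inbound traffic and is enabled
      community.general.ufw:
        # The allow rules above only restrict anything if the inbound default
        # is deny; state it explicitly rather than relying on the distro default.
        default: deny
        direction: incoming
        state: enabled
      become: true

    - name: Ensure certbot on-renew hook is installed
      ansible.builtin.copy:
        src: "{{ playbook_dir }}/files/on_renew.sh"
        dest: /etc/letsencrypt/renewal-hooks/deploy/prosody.sh
        owner: root
        group: root
        mode: "0755"
      become: true

    - name: Ensure certificates are installed
      ansible.builtin.command:
        # argv keeps each templated value a single argument: an email or host
        # name containing whitespace or quotes cannot be split into additional
        # certbot options, which is possible when the whole command is one
        # string that the module has to shlex-split.
        argv:
          - certbot
          - --non-interactive
          - --agree-tos
          - --post-hook
          - /bin/true
          - --email
          - "{{ certbot_email }}"
          - --no-eff-email
          - --expand
          - --apache
          - --keep
          - --domains
          - "{{ virtual_host }},upload.{{ virtual_host }}"
      become: true
      register: certbot
      # The no-op --post-hook exists so that certbot's "Running post-hook"
      # line marks a real issue/renewal; a --keep run that touches nothing is
      # reported as unchanged. This depends on certbot's output wording —
      # re-check after certbot upgrades.
      changed_when: "'Running post-hook command' in certbot.stdout"

    - name: Ensure top-level prosody configuration is installed
      ansible.builtin.copy:
        src: "{{ playbook_dir }}/files/prosody.cfg.lua"
        dest: /etc/prosody/prosody.cfg.lua
        owner: root
        group: prosody
        mode: "0640"
      become: true
      notify: Reload prosody

    - name: Ensure host-specific prosody configuration is available
      ansible.builtin.template:
        src: "{{ playbook_dir }}/files/virtual_host.cfg.lua.j2"
        dest: "/etc/prosody/conf.avail/{{ virtual_host }}.cfg.lua"
        owner: root
        group: prosody
        # Same permissions as prosody.cfg.lua: readable by the prosody group
        # only, so any credential rendered into the host config is not
        # world-readable.
        mode: "0640"
      become: true
      notify: Reload prosody

    - name: Ensure host-specific prosody configuration is set
      ansible.builtin.file:
        src: "/etc/prosody/conf.avail/{{ virtual_host }}.cfg.lua"
        dest: "/etc/prosody/conf.d/{{ virtual_host }}.cfg.lua"
        owner: root
        group: prosody
        state: link
      become: true
      notify: Reload prosody

    - name: Ensure prosody is enabled
      ansible.builtin.service:
        name: prosody
        enabled: true
        # The "Reload prosody" handler reloads a running service; make sure it
        # is running rather than assuming the package post-install started it.
        state: started
      become: true

    - name: Ensure root SSH directory exists
      ansible.builtin.file:
        # Created explicitly so the key copy below does not depend on the
        # directory already existing on a fresh host.
        path: /root/.ssh
        state: directory
        owner: root
        group: root
        mode: "0700"
      become: true

    - name: Ensure borgmatic private key is installed
      ansible.builtin.copy:
        src: "{{ borg_private_key_path }}"
        dest: /root/.ssh/borg_key
        owner: root
        group: root
        mode: "0600"
      become: true

    - name: Ensure borgmatic config directory exists
      ansible.builtin.file:
        path: /etc/borgmatic
        state: directory
        owner: root
        group: root
        mode: "0700"
      become: true

    - name: Ensure borgmatic is configured
      ansible.builtin.template:
        src: "{{ playbook_dir }}/files/borgmatic_config.yaml.j2"
        dest: "/etc/borgmatic/config.yaml"
        owner: root
        group: root
        mode: "0600"
        # Reject a broken rendering before it replaces the live config.
        validate: validate-borgmatic-config --config %s
      become: true

  handlers:
    - name: Reload prosody
      ansible.builtin.service:
        name: prosody
        state: reloaded
      become: true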