diff --git a/roles/jabber/files/prosody.cfg.lua.j2 b/roles/jabber/files/prosody.cfg.lua.j2
new file mode 100644
index 0000000..501c560
--- /dev/null
+++ b/roles/jabber/files/prosody.cfg.lua.j2
@@ -0,0 +1,231 @@
+daemonize = true
+pidfile = "/run/prosody/prosody.pid"
+
+-- TODO server name
+name = "JabberFR"
+min_seconds_between_registrations = 86400
+welcome_message = "Bienvenue $username sur le chat $host ! Pour toutes vos questions sur Jabber, nous vous recommandons https://{{ hostname }}/\nMerci de NE PAS repondre a ce message automatique."
+
+limits = {
+ c2s = {
+ rate = "3kb/s";
+ burst = "2s";
+ };
+ s2sin = {
+ rate = "10kb/s";
+ burst = "5s";
+ };
+}
+
+-- For mod_http_list_domains
+main_domains = {
+ "{{ hostname }}";
+}
+
+-- For mod_block_registrations
+block_registrations_users = {
+ "admin", "owner", "operator", "webmaster", "postmaster"
+}
+
+-- For mod_s2s_blacklist
+s2s_blacklist = {
+ -- From https://github.com/JabberSPAM/blacklist/blob/master/blacklist.txt
+ "bashtel.ru",
+ "darkengine.biz",
+ "hiddenlizard.org",
+ "jabber.cd",
+ "jabber.ipredator.se",
+ "jabber.npw.net",
+ "jabber.sampo.ru",
+ "otr.chat",
+ "paranoid.scarab.name",
+ "rassnet.org",
+ "safetyjabber.com",
+ "sj.ms",
+ "xmpp.bytesund.biz",
+}
+
+-- Prevents clients from hogging all of the fds with unauthed c2s.
+c2s_timeout = 120
+
+-- For MAM.
+storage = {
+ archive = "xmlarchive";
+ muc_log = "xmlarchive";
+}
+
+-- For ChatSecure to actually receive push notifications.
+-- TODO: translate new message
+push_notification_important_body = "Nouveau message."
+
+-- So that every domain get our services.
+disco_items = {
+ { "chat.{{ hostname }}", "Salons de discussion" };
+ --{ "irc.{{ hostname }}", "Passerelle IRC" };
+ { "proxy.{{ hostname }}", "Partager plus facilement des fichiers" };
+ { "upload.{{ hostname }}", "Héberger de petits fichiers" };
+}
+
+-- TODO: default MUC for support/feedback
+contact_info = {
+ abuse = { "mailto:root@{{ hostname }}", "xmpp:root@{{ hostname }}" },
+ admin = { "mailto:root@{{ hostname }}", "xmpp:root@{{ hostname }}" },
+ --feedback = { "xmpp:jabberfr@chat.{{ hostname }}?join" },
+ security = { "mailto:root@{{ hostname }}", "xmpp:root@{{ hostname }}" },
+ --support = { "xmpp:jabberfr@chat.{{ hostname }}?join" },
+}
+
+-- Needed for bosh to work at all on the web.
+cross_domain_bosh = true
+cross_domain_websocket = true
+consider_bosh_secure = true
+consider_websocket_secure = true
+http_interfaces = { "::1" }
+https_interfaces = {}
+
+-- Which clients don’t need TLS to connect.
+secure_interfaces = { "::1", "127.0.0.1" }
+
+-- Ugh, spam…
+--firewall_scripts = { "/etc/prosody/spammer.pfw" }
+
+-- TODO: admins
+admins = { "root@{{ hostname }}" }
+
+-- For more information see: https://prosody.im/doc/libevent
+--use_libevent = true
+network_backend = "epoll"
+
+-- TODO: maybe we have to change this?
+plugin_paths = { "/usr/lib/prosody/prosody-modules-private"; "/usr/lib/prosody/prosody-modules" }
+
+modules_enabled = {
+
+ -- Generally required
+ "roster"; -- Allow users to have a roster. Recommended ;)
+ "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+ "tls"; -- Add support for secure TLS on c2s/s2s connections
+ "dialback"; -- s2s dialback support
+ "disco"; -- Service discovery
+
+ -- Not essential, but recommended
+ "carbons"; -- Keep multiple clients in sync
+ "pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+ "private"; -- Private XML storage (for room bookmarks, etc.)
+ "blocklist"; -- Allow users to block communications with other users
+ "vcard4"; -- User profiles (stored in PEP)
+ "vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+
+ -- Nice to have
+ "version"; -- Replies to server version requests
+ "uptime"; -- Report how long server has been running
+ "time"; -- Let others know the time here on this server
+ "ping"; -- Replies to XMPP pings with pongs
+ "mam"; -- Store messages in an archive and allow users to access it
+ "csi_simple"; -- Simple Mobile optimizations
+
+ -- Admin interfaces
+ "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+
+ -- HTTP modules
+ "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+ "websocket"; -- XMPP over WebSockets
+
+ -- Other specific functionality
+ "limits"; -- Enable bandwidth limiting for XMPP connections
+ "server_contact_info"; -- Publish contact information for this service
+ "welcome"; -- Welcome users who register accounts
+ "watchregistrations"; -- Alert admins of registrations
+
+ -- prosody-modules
+ "lastlog"; -- Allows to specify traffic bandwidth limits.
+ "smacks"; -- Prevents an unreliable connection from eating the battery.
+ "smacks_offline"; -- Because.
+ "cloud_notify"; -- For iOS, Android 6+ and WP clients to work properly.
+ "csi"; -- Optimisations for mobile.
+ "throttle_unsolicited"; -- Damn spammers!
+ --"firewall"; -- Ugh, spammers…
+ "s2s_blacklist"; -- Thanks, spammers.
+ "secure_interfaces"; -- Insecure local registration.
+ "auto_answer_disco_info"; -- Answers disco#info on the behalf of the local user.
+ "inject_ecaps2"; -- Add support for XEP-0390 for all local users.
+ "ipcheck"; -- Like STUN but over XMPP.
+ "s2s_bidi"; -- To reduce the amount of s2s.
+ "bookmarks2"; -- To synchronise bookmarks between XEP-0402 and Private XML.
+ --"nodeinfo2"; -- For https://the-federation.info
+}
+
+certificate = "/etc/prosody/certs/{{ hostname }}.crt"
+
+c2s_require_encryption = true
+s2s_require_encryption = true
+s2s_secure_auth = true
+
+authentication = "internal_hashed"
+
+archive_expires_after = "1w" -- Remove archived messages after 2 weeks
+archive_cleanup_interval = 15
+
+log = {
+ --debug = "/var/log/prosody/prosody.debug";
+ info = "/var/log/prosody/prosody.log";
+ error = "/var/log/prosody/prosody.err";
+}
+
+certificates = "certs"
+
+https_certificate = "/etc/prosody/certs/{{ hostname }}.crt"
+
+VirtualHost "jabber.fr"
+ http_external_url = "https://jabber.fr/"
+
+VirtualHost "anon.{{ hostname }}"
+ authentication = "anonymous"
+ allow_anonymous_s2s = false
+ modules_enabled = {
+ "muc_ban_ip";
+ }
+ modules_disabled = {
+ "mam";
+ }
+
+-- TODO: subdomain
+Component "chat.{{ hostname }}" "muc"
+ modules_enabled = {
+ "s2s_bidi"; -- To reduce the amount of s2s.
+ "muc_mam";
+ "muc_badge";
+ "http_muc_log";
+ "http_muc_list";
+ "http_avatar";
+ "vcard_muc";
+ "muc_webchat_url";
+ }
+ admins = { "tofu@{{ hostname }}" }
+ muc_room_cache_size = 1024
+
+Component "proxy.{{ hostname }}" "proxy65"
+ modules_disabled = {
+ "s2s";
+ "tls";
+ }
+
+Component "upload.{{ hostname }}" "http_upload"
+ modules_enabled = {
+ "file_management";
+ }
+ modules_disabled = {
+ "s2s";
+ "tls";
+ }
+ http_external_url = "https://upload.{{ hostname }}/"
+ http_paths = {
+ upload = "/";
+ }
+ http_upload_path = "/srv/http/upload.{{ hostname }}/"
+ http_upload_file_size_limit = 10 * 1024 * 1024
+
+-- TODO: IRC Gateway
+-- Component "irc.{{ hostname }}"
+-- component_secret = ":p"
+
diff --git a/roles/jabber/tasks/main.yml b/roles/jabber/tasks/main.yml
new file mode 100644
index 0000000..24b13b1
--- /dev/null
+++ b/roles/jabber/tasks/main.yml
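Review bot: `VirtualHost "jabber.fr"` and its `http_external_url = "https://jabber.fr/"` are the only host references not templated through `{{ hostname }}`, so `admins = { "root@{{ hostname }}" }`, `main_domains`, `certificate` and `contact_info` only line up with the served domain when the variable happens to equal jabber.fr; `VirtualHost "{{ hostname }}"` and `http_external_url = "https://{{ hostname }}/"` keep the template self-consistent. `consider_bosh_secure = true` and `consider_websocket_secure = true` make plaintext HTTP sessions count as encrypted, which is only sound because `http_interfaces = { "::1" }` keeps them on loopback behind a TLS-terminating proxy that this commit does not add, and a comment above those lines such as `-- Sound only while http_interfaces stays loopback-only and TLS is terminated by the reverse proxy in front` would tie the two settings together. `cross_domain_bosh = true` and `cross_domain_websocket = true` allow any origin, and Prosody also accepts a list of origins for these options, which is the narrower form if the web client lives on one known host. The comment on `archive_expires_after = "1w"` says "2 weeks" while the value is one week, so either the value or the comment should change.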
@@ -0,0 +1,9 @@
+- name: jabber-setup-prosody
+ apt:
+ name: prosody
+ state: present
+
+- name: jabber-config
+ template:
+ src: ../files/prosody.cfg.lua.j2
+ dest: /etc/prosody/prosody.cfg.lua
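Review bot: The `jabber-config` task writes `/etc/prosody/prosody.cfg.lua` without a `notify`, so on a re-run with a changed template the running Prosody keeps its old configuration until someone restarts it by hand; `notify: restart prosody` together with a matching handler in the role's handlers file makes the role converge. The task also sets no `owner`, `group` or `mode` on the destination, so the rendered file takes the default umask, and since a Prosody config can carry `component_secret` values a restrictive shape such as `owner: root`, `mode: "0640"` with `group` set to the service account the package runs Prosody under is the usual choice. Rendering `../files/prosody.cfg.lua.j2` through the `template` module works, but Ansible resolves `template` sources from the role's `templates/` directory, so moving the file there and using `src: prosody.cfg.lua.j2` follows the convention the directory layout otherwise signals.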