--- - name: Ensure XMPP ports are open ufw: rule: allow port: "{{ item }}" proto: tcp with_items: - 5269 - 5222 - name: Configure Prosody VirtualHosts from Onion services. when: prosody_virtualhost_onions is defined import_tasks: configure-virtualhost-onions.yaml - name: Install Prosody. include_tasks: "install-{{ ansible_os_family | default('Debian') | lower }}.yaml" - name: Import certificates from Let's Encrypt shell: prosodyctl --root cert import /etc/letsencrypt/live - name: Ensure Prosody TLS key is readable. file: path: /etc/prosody/certs/localhost.key owner: "{{ prosody_server_username }}" group: "{{ prosody_server_username }}" mode: "400" notify: Restart Prosody. # FIXME: Variablize this so not only `localhost.{crt,key}` are used. - name: Enable HTTPS TLS certificates. file: src: "{{ item.src }}" dest: "/etc/prosody/certs/{{ item.dest }}" state: link loop: - src: localhost.key dest: https.key - src: localhost.crt dest: https.crt - name: Ensure Prosody VirtualHost configuration directories exist. file: path: "/etc/prosody/{{ item }}" state: directory owner: "{{ prosody_server_username }}" group: "{{ prosody_server_username }}" mode: "700" loop: - virtualhosts-available - virtualhosts-enabled - name: Ensure Prosody plugin directories exist. when: prosody_config.plugin_paths is defined file: path: "{{ item }}" state: directory owner: "{{ prosody_server_username }}" group: "{{ prosody_server_username }}" mode: "500" loop: "{{ prosody_config.plugin_paths }}" - name: Install Prosody plugin. when: - prosody_config.plugin_paths is defined - prosody_plugins is defined - item.state | default('present') == "present" get_url: url: "{{ prosody_plugins_src_base_url }}{{ item.version | default('tip') }}/mod_{{ item.name }}/mod_{{ item.name }}.lua" # FIXME: Which plugin path? Just the first one, for now. dest: "{{ prosody_config.plugin_paths[0] }}/mod_{{ item.name }}.lua" checksum: "{{ item.checksum | default(omit) }}" owner: "{{ prosody_server_username }}" group: "{{ prosody_server_username }}" mode: "400" loop: "{{ prosody_plugins }}" notify: Restart Prosody. - name: Remove Prosody plugin. when: - prosody_config.plugin_paths is defined - prosody_plugins is defined - item.state | default('present') == "absent" file: # FIXME: Which plugin path? Just the first one, for now. path: "{{ prosody_config.plugin_paths[0] }}/mod_{{ item.name }}.lua" state: "{{ item.state | default('absent') }}" loop: "{{ prosody_plugins }}" - name: Add deploy hook to Let's Encrypt copy: src: files/prosody-deploy-hook.sh dest: /etc/letsencrypt/renewal-hooks/deploy/prosody-deploy-hook.sh mode: 0755 backup: yes - name: Configure LDAP options include_tasks: configure_ldap.yml when: ldap_config is defined # TODO(unknwon): Support variable directory placements. # TODO(unknwon): Support specific TLS key/crt files rather than just `localhost`. # - name: Manage VirtualHost TLS keys and certificates. # vars: # file_types: # - key # - crt # block: # - name: Link VirtualHost TLS keys and certificates. # when: # - prosody_config.VirtualHosts is defined # - item.0.domain != "localhost" # - item.0.state | default('present') == "present" # file: # path: "/etc/prosody/certs/{{ item.0.domain }}.{{ item.1 }}" # state: link # src: "localhost.{{ item.1 }}" # loop: "{{ prosody_config.VirtualHosts | product(file_types) | list }}" # - name: Remove TLS keys and certificates from absent VirtualHosts. # when: # - prosody_config.VirtualHosts is defined # - item.0.domain != "localhost" # - item.0.state | default('present') == "absent" # file: # path: "/etc/prosody/certs/{{ item.0.domain }}.{{ item.1 }}" # state: absent # loop: "{{ prosody_config.VirtualHosts | product(file_types) | list }}" - name: Write Prosody configuration. template: src: prosody.cfg.lua.j2 dest: /etc/prosody/prosody.cfg.lua owner: "{{ prosody_server_username }}" group: "{{ prosody_server_username }}" mode: "600" # TODO(unknwon): Fix validation. #validate: "prosodyctl --config %s check config" notify: Restart Prosody. - name: Write Prosody VirtualHost configuration. when: - prosody_config.VirtualHosts is defined - item.state | default('present') == "present" template: src: prosody-virtualhost.cfg.lua.j2 dest: "/etc/prosody/virtualhosts-available/{{ item.domain }}.cfg.lua" owner: "{{ prosody_server_username }}" group: "{{ prosody_server_username }}" mode: "600" # TODO(unknwon): Fix validation. #validate: "prosodyctl --config %s check config" loop: "{{ prosody_config.VirtualHosts }}" notify: Restart Prosody. - name: Enable Prosody VirtualHost configuration. when: - prosody_config.VirtualHosts is defined - item.enabled | default(true) file: path: "/etc/prosody/virtualhosts-enabled/{{ item.domain }}.cfg.lua" state: link src: "/etc/prosody/virtualhosts-available/{{ item.domain }}.cfg.lua" loop: "{{ prosody_config.VirtualHosts }}" notify: Restart Prosody. - name: Remove absent Prosody VirtualHost configuration. when: - prosody_config.VirtualHosts is defined - item.0.state | default('present') == "absent" file: path: "/etc/prosody/{{ item.1 }}/{{ item.0.domain }}.cfg.lua" state: absent loop: "{{ prosody_config.VirtualHosts | product(paths) | list }}" vars: paths: - "virtualhosts-available" - "virtualhosts-enabled" notify: Restart Prosody. - name: Set Prosody user accounts. include_tasks: users.yaml no_log: true loop: "{{ prosody_users }}" vars: account_file: "{{ prosody_server_data_dir }}/{{ item.jid.split('@') | last | replace('.', '%2e') }}/accounts/{{ item.jid.split('@') | first }}.dat"