From d58dac1bb32b87e79e16a2e9777a6dced701aa3b Mon Sep 17 00:00:00 2001
From: Cullum Smith <cullum@sacredheartsc.com>
Date: Tue, 25 Mar 2025 21:24:12 -0400
Subject: add mollysocket support to xmpp server

---
 files/usr/local/etc/mollysocket.conf.xmpp_server  |   5 +
 files/usr/local/etc/nginx/vhosts.conf.xmpp_server |  23 ++++
 files/usr/local/etc/rc.d/mollysocket.xmpp_server  |  50 ++++++++
 scripts/hostclass/xmpp_server                     | 134 ---------------------
 scripts/hostclass/xmpp_server/10-prosody          | 137 ++++++++++++++++++++++
 scripts/hostclass/xmpp_server/20-mollysocket      |  61 ++++++++++
 vars/hostclass/xmpp_server                        |   3 +-
 7 files changed, 278 insertions(+), 135 deletions(-)
 create mode 100644 files/usr/local/etc/mollysocket.conf.xmpp_server
 create mode 100644 files/usr/local/etc/rc.d/mollysocket.xmpp_server
 delete mode 100644 scripts/hostclass/xmpp_server
 create mode 100644 scripts/hostclass/xmpp_server/10-prosody
 create mode 100644 scripts/hostclass/xmpp_server/20-mollysocket

diff --git a/files/usr/local/etc/mollysocket.conf.xmpp_server b/files/usr/local/etc/mollysocket.conf.xmpp_server
new file mode 100644
index 0000000..9fd83c9
--- /dev/null
+++ b/files/usr/local/etc/mollysocket.conf.xmpp_server
@@ -0,0 +1,5 @@
+host = "127.0.0.1"
+port = ${mollysocket_local_port}
+webserver = true
+allowed_endpoints = ["https://${prosody_public_fqdn}/"]
+vapid_privkey = "${mollysocket_vapid_key}"
diff --git a/files/usr/local/etc/nginx/vhosts.conf.xmpp_server b/files/usr/local/etc/nginx/vhosts.conf.xmpp_server
index fad92ad..7cbe5a2 100644
--- a/files/usr/local/etc/nginx/vhosts.conf.xmpp_server
+++ b/files/usr/local/etc/nginx/vhosts.conf.xmpp_server
@@ -21,3 +21,26 @@ server {
     proxy_pass http://127.0.0.1:${prosody_http_port};
   }
 }
+
+server {
+  listen ${mollysocket_port}      ssl default_server;
+  listen [::]:${mollysocket_port} ssl default_server;
+
+  http2 on;
+
+  ssl_certificate         ${prosody_https_cert};
+  ssl_certificate_key     ${prosody_https_key};
+  ssl_trusted_certificate ${prosody_https_cacert};
+
+  add_header Strict-Transport-Security "max-age=63072000" always;
+
+  location / {
+    proxy_http_version 1.1;
+    proxy_set_header Host \$host:\$server_port;
+    proxy_set_header X-Real-IP \$remote_addr;
+    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto \$scheme;
+    proxy_set_header X-Original-URL \$uri;
+    proxy_pass http://127.0.0.1:${mollysocket_local_port};
+  }
+}
diff --git a/files/usr/local/etc/rc.d/mollysocket.xmpp_server b/files/usr/local/etc/rc.d/mollysocket.xmpp_server
new file mode 100644
index 0000000..1a03931
--- /dev/null
+++ b/files/usr/local/etc/rc.d/mollysocket.xmpp_server
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# PROVIDE: mollysocket
+# REQUIRE: NETWORKING
+# KEYWORD: shutdown
+
+. /etc/rc.subr
+
+name=mollysocket
+rcvar=mollysocket_enable
+
+load_rc_config "$name"
+
+: ${mollysocket_enable:='NO'}
+: ${mollysocket_dir:='/usr/local/mollysocket/mollysocket.git'}
+: ${mollysocket_user='mollysocket'}
+: ${mollysocket_log_level:='info'}
+: ${mollysocket_syslog_facility:='daemon'}
+: ${mollysocket_conf_file:='/usr/local/etc/mollysocket.conf'}
+
+mollysocket_syslog_tag=mollysocket
+mollysocket_run_dir=/var/run/mollysocket
+mollysocket_db_dir=/var/db/mollysocket
+mollysocket_env="MOLLY_CONF=${mollysocket_conf_file} MOLLY_DB=${mollysocket_db_dir}/db.sqlite RUST_LOG=${mollysocket_log_level}"
+
+required_files="${mollysocket_conf_file}"
+sig_stop=SIGINT
+
+mollysocket_chdir=$mollysocket_dir
+pidfile=${mollysocket_run_dir}/mollysocket.pid
+command=/usr/sbin/daemon
+
+command_args="-f \
+-s ${mollysocket_log_level} \
+-l ${mollysocket_syslog_facility} \
+-T ${mollysocket_syslog_tag} \
+-p ${pidfile} \
+-t ${name} \
+${mollysocket_dir}/target/release/mollysocket server"
+
+procname="${mollysocket_dir}/target/release/mollysocket"
+start_precmd=mollysocket_prestart
+
+mollysocket_prestart(){
+  install -d -m 0755 -o ${mollysocket_user} ${mollysocket_run_dir}
+  install -d -m 0750 -o ${mollysocket_user} ${mollysocket_db_dir}
+}
+
+run_rc_command "$1"
+
diff --git a/scripts/hostclass/xmpp_server b/scripts/hostclass/xmpp_server
deleted file mode 100644
index 621f688..0000000
--- a/scripts/hostclass/xmpp_server
+++ /dev/null
@@ -1,134 +0,0 @@
-#!/bin/sh
-
-# The LDAP library used by prosody (lualdap) does not support SASL binds.
-# Therefore, you must specify the prosody_ldap_password variable.
-
-# prosody_acme_host=
-: ${prosody_admins:=''}
-: ${prosody_public_fqdn:="$fqdn"}
-: ${prosody_push_fqdn:="push.${email_domain}"}
-: ${prosody_domains:="$email_domain"}
-: ${prosody_ldap_password:='changeme'}
-: ${prosody_dbname:='prosody'}
-: ${prosody_dbhost:="$postgres_host"}
-: ${prosody_access_role:='xmpp-access'}
-: ${prosody_archive_expiration:='1w'}
-: ${prosody_upload_sizelimit:='104857600'} # 100 MB
-: ${prosody_upload_expiration:='604800'}   # 1 week
-: ${prosody_upload_quota:='25769803776'}   # 24 GB
-: ${prosody_turn_port:='3478'}
-: ${prosody_turn_host:="$turn_domain"}
-: ${prosody_turn_realm:="$turn_domain"}
-: ${prosody_turn_secret="$turn_secret"}
-
-prosody_dn="uid=${prosody_username},${robots_basedn}"
-prosody_local_user=prosody
-prosody_conf_dir=/usr/local/etc/prosody
-prosody_certs_dir="${prosody_conf_dir}/certs"
-prosody_keytab="${keytab_dir}/prosody.client.keytab"
-prosody_roster_path="${prosody_conf_dir}/roster.ini"
-prosody_http_port=8080
-prosody_db_dir=/var/db/prosody
-prosody_upload_dir="${prosody_db_dir}/http_upload"
-
-prosody_https_cacert="${acme_cert_dir}/nginx.ca.crt"
-prosody_https_cert="${acme_cert_dir}/nginx.crt"
-prosody_https_key="${acme_cert_dir}/nginx.key"
-
-# Install required packages.
-pkg install -y \
-  prosody \
-  prosody-modules \
-  lua54-luadbi \
-  lua54-lualdap \
-  nginx
-
-# Create ZFS dataset for HTTP upload files.
-create_dataset -o "mountpoint=${prosody_db_dir}" "${state_dataset}/prosody"
-install_directory -o "$prosody_local_user" -g "$prosody_local_user" -m 0750 "$prosody_db_dir"
-
-# Create prosody user private group.
-ldap_add "cn=${prosody_username},${private_groups_basedn}" <<EOF
-objectClass: groupOfMembers
-objectClass: posixGroup
-cn: ${prosody_username}
-gidNumber: ${prosody_uid}
-member: uid=${prosody_username},${robots_basedn}
-EOF
-
-# Create prosody user account.
-ldap_add "$prosody_dn" <<EOF
-objectClass: account
-objectClass: posixAccount
-uid: ${prosody_username}
-cn: ${prosody_username}
-uidNumber: ${prosody_uid}
-gidNumber: ${prosody_uid}
-gecos: Prosody Pseudo-User
-loginShell: /sbin/nologin
-homeDirectory: /nonexistent
-EOF
-
-# Create principal and keytab.
-add_principal -nokey -x "dn=${prosody_dn}" "$prosody_username"
-
-ktadd -k "$prosody_keytab" "$prosody_username"
-chgrp "$prosody_local_user" "$prosody_keytab"
-chmod 640 "$prosody_keytab"
-
-prosody_local_uid=$(id -u "$prosody_local_user")
-install_directory -o "$prosody_local_user" -m 0700 "/var/krb5/user/${prosody_local_uid}"
-ln -snfv "$prosody_keytab" "/var/krb5/user/${prosody_local_uid}/client.keytab"
-
-# Set LDAP password for prosody user.
-ldap_passwd "$prosody_dn" "$prosody_ldap_password"
-
-# Create postgres user and database.
-postgres_create_role "$prosody_dbhost" "$prosody_username"
-postgres_create_database "$prosody_dbhost" "$prosody_dbname" "$prosody_username"
-
-# Retrieve prosody certificates via ACME proxy.
-install_directory -o root -g "$prosody_local_user" -m 0770 "$prosody_certs_dir"
-install_file -m 0555 /usr/local/libexec/prosody-acme-proxy
-su -m "$prosody_local_user" -c "/usr/local/libexec/prosody-acme-proxy ${prosody_username}@${prosody_acme_host} ${prosody_domains}"
-
-# Copy prosody configuration.
-install_template -o root -g "$prosody_local_user" -m 0640 /usr/local/etc/prosody/prosody.cfg.lua
-
-# Configure automatic roster.
-install_file -m 0555 /usr/local/libexec/prosody-update-roster
-install -Cv -m 0640 -o "$prosody_local_user" -g "$prosody_local_user" /dev/null "${prosody_conf_dir}/roster.ini"
-su -m "$prosody_local_user" -c "/usr/local/libexec/prosody-update-roster ${prosody_access_role} ${prosody_roster_path}"
-
-# Copy prosody crontab.
-install_template -m 0644 /etc/cron.d/prosody
-
-# Configure nginx.
-install_template -m 0644 "${nginx_conf_dir}/nginx.conf"
-[ -f "${nginx_conf_dir}/vhosts.conf" ] || install -Cv -m 0644 /dev/null "${nginx_conf_dir}/vhosts.conf"
-sysrc -v nginx_enable=YES
-service nginx restart
-install_file -m 0644 /etc/newsyslog.conf.d/nginx.conf
-
-# Retrieve webserver certificate via ACME.
-install_template -m 0600 /usr/local/etc/sudoers.d/acme
-acme_install_certificate \
-  -g "$nginx_user" \
-  -r 'sudo service nginx reload' \
-  nginx \
-  "$prosody_public_fqdn"
-
-# Now that we have the ACME certs, add the vhosts.
-install_template -m 0644 "${nginx_conf_dir}/vhosts.conf"
-service nginx restart
-
-# Enable and start daemons.
-sysrc -v prosody_enable=YES
-[ "${prosody_restart:-}" = false ] || service prosody restart
-service nginx restart
-
-# Create access role.
-ldap_add "cn=${prosody_access_role},${roles_basedn}" <<EOF
-objectClass: groupOfMembers
-cn: ${prosody_access_role}
-EOF
diff --git a/scripts/hostclass/xmpp_server/10-prosody b/scripts/hostclass/xmpp_server/10-prosody
new file mode 100644
index 0000000..3383282
--- /dev/null
+++ b/scripts/hostclass/xmpp_server/10-prosody
@@ -0,0 +1,137 @@
+#!/bin/sh
+
+# The LDAP library used by prosody (lualdap) does not support SASL binds.
+# Therefore, you must specify the prosody_ldap_password variable.
+
+# prosody_acme_host=
+: ${prosody_admins:=''}
+: ${prosody_public_fqdn:="$fqdn"}
+: ${prosody_push_fqdn:="push.${email_domain}"}
+: ${prosody_domains:="$email_domain"}
+: ${prosody_ldap_password:='changeme'}
+: ${prosody_dbname:='prosody'}
+: ${prosody_dbhost:="$postgres_host"}
+: ${prosody_access_role:='xmpp-access'}
+: ${prosody_archive_expiration:='1w'}
+: ${prosody_upload_sizelimit:='104857600'} # 100 MB
+: ${prosody_upload_expiration:='604800'}   # 1 week
+: ${prosody_upload_quota:='25769803776'}   # 24 GB
+: ${prosody_turn_port:='3478'}
+: ${prosody_turn_host:="$turn_domain"}
+: ${prosody_turn_realm:="$turn_domain"}
+: ${prosody_turn_secret="$turn_secret"}
+
+prosody_dn="uid=${prosody_username},${robots_basedn}"
+prosody_local_user=prosody
+prosody_conf_dir=/usr/local/etc/prosody
+prosody_certs_dir="${prosody_conf_dir}/certs"
+prosody_keytab="${keytab_dir}/prosody.client.keytab"
+prosody_roster_path="${prosody_conf_dir}/roster.ini"
+prosody_http_port=8080
+prosody_db_dir=/var/db/prosody
+prosody_upload_dir="${prosody_db_dir}/http_upload"
+
+prosody_https_cacert="${acme_cert_dir}/nginx.ca.crt"
+prosody_https_cert="${acme_cert_dir}/nginx.crt"
+prosody_https_key="${acme_cert_dir}/nginx.key"
+
+mollysocket_local_port=8081
+
+# Install required packages.
+pkg install -y \
+  prosody \
+  prosody-modules \
+  lua54-luadbi \
+  lua54-lualdap \
+  nginx \
+  ca_root_nss
+
+# Create ZFS dataset for HTTP upload files.
+create_dataset -o "mountpoint=${prosody_db_dir}" "${state_dataset}/prosody"
+install_directory -o "$prosody_local_user" -g "$prosody_local_user" -m 0750 "$prosody_db_dir"
+
+# Create prosody user private group.
+ldap_add "cn=${prosody_username},${private_groups_basedn}" <<EOF
+objectClass: groupOfMembers
+objectClass: posixGroup
+cn: ${prosody_username}
+gidNumber: ${prosody_uid}
+member: uid=${prosody_username},${robots_basedn}
+EOF
+
+# Create prosody user account.
+ldap_add "$prosody_dn" <<EOF
+objectClass: account
+objectClass: posixAccount
+uid: ${prosody_username}
+cn: ${prosody_username}
+uidNumber: ${prosody_uid}
+gidNumber: ${prosody_uid}
+gecos: Prosody Pseudo-User
+loginShell: /sbin/nologin
+homeDirectory: /nonexistent
+EOF
+
+# Create principal and keytab.
+add_principal -nokey -x "dn=${prosody_dn}" "$prosody_username"
+
+ktadd -k "$prosody_keytab" "$prosody_username"
+chgrp "$prosody_local_user" "$prosody_keytab"
+chmod 640 "$prosody_keytab"
+
+prosody_local_uid=$(id -u "$prosody_local_user")
+install_directory -o "$prosody_local_user" -m 0700 "/var/krb5/user/${prosody_local_uid}"
+ln -snfv "$prosody_keytab" "/var/krb5/user/${prosody_local_uid}/client.keytab"
+
+# Set LDAP password for prosody user.
+ldap_passwd "$prosody_dn" "$prosody_ldap_password"
+
+# Create postgres user and database.
+postgres_create_role "$prosody_dbhost" "$prosody_username"
+postgres_create_database "$prosody_dbhost" "$prosody_dbname" "$prosody_username"
+
+# Retrieve prosody certificates via ACME proxy.
+install_directory -o root -g "$prosody_local_user" -m 0770 "$prosody_certs_dir"
+install_file -m 0555 /usr/local/libexec/prosody-acme-proxy
+su -m "$prosody_local_user" -c "/usr/local/libexec/prosody-acme-proxy ${prosody_username}@${prosody_acme_host} ${prosody_domains}"
+
+# Copy prosody configuration.
+install_template -o root -g "$prosody_local_user" -m 0640 /usr/local/etc/prosody/prosody.cfg.lua
+
+# Configure automatic roster.
+install_file -m 0555 /usr/local/libexec/prosody-update-roster
+install -Cv -m 0640 -o "$prosody_local_user" -g "$prosody_local_user" /dev/null "${prosody_conf_dir}/roster.ini"
+su -m "$prosody_local_user" -c "/usr/local/libexec/prosody-update-roster ${prosody_access_role} ${prosody_roster_path}"
+
+# Copy prosody crontab.
+install_template -m 0644 /etc/cron.d/prosody
+
+# Configure nginx.
+install_template -m 0644 "${nginx_conf_dir}/nginx.conf"
+[ -f "${nginx_conf_dir}/vhosts.conf" ] || install -Cv -m 0644 /dev/null "${nginx_conf_dir}/vhosts.conf"
+sysrc -v nginx_enable=YES
+service nginx restart
+install_file -m 0644 /etc/newsyslog.conf.d/nginx.conf
+
+# Retrieve webserver certificate via ACME.
+install_template -m 0600 /usr/local/etc/sudoers.d/acme
+acme_install_certificate \
+  -g "$nginx_user" \
+  -r 'sudo service nginx reload' \
+  nginx \
+  "$prosody_public_fqdn"
+
+# Now that we have the ACME certs, add the vhosts.
+install_template -m 0644 "${nginx_conf_dir}/vhosts.conf"
+service nginx restart
+
+# Enable and start daemons.
+sysrc -v prosody_enable=YES
+[ "${prosody_restart:-}" = false ] || service prosody restart
+service nginx restart
+
+# Create access role.
+ldap_add "cn=${prosody_access_role},${roles_basedn}" <<EOF
+objectClass: groupOfMembers
+cn: ${prosody_access_role}
+EOF
diff --git a/scripts/hostclass/xmpp_server/20-mollysocket b/scripts/hostclass/xmpp_server/20-mollysocket
new file mode 100644
index 0000000..9bed162
--- /dev/null
+++ b/scripts/hostclass/xmpp_server/20-mollysocket
@@ -0,0 +1,61 @@
+#!/bin/sh
+
+# mollysocket allows sending push notifications to Molly (Signal clone)
+# via UnifiedPush.
+
+: ${mollysocket_repo='https://github.com/mollyim/mollysocket'}
+: ${mollysocket_branch='1.6.0'}
+: ${mollysocket_vapid_key='changeme'}
+
+mollysocket_username=mollysocket
+mollysocket_uid=794
+mollysocket_home=/usr/local/mollysocket
+mollysocket_repo_dir="${mollysocket_home}/mollysocket.git"
+mollysocket_db_dir=/var/db/mollysocket
+mollysocket_conf_file=/usr/local/etc/mollysocket.conf
+
+# Install required packages.
+pkg install -y \
+  git-lite \
+  rust \
+  sqlite3
+
+# Add local mollysocket user.
+add_user \
+  -u "$mollysocket_uid" \
+  -c "Mollysocket User" \
+  -d "$mollysocket_home" \
+  -s /usr/sbin/nologin \
+  "$mollysocket_username"
+
+# Create persistent ZFS dataset for mollysocket's sqlite db.
+create_dataset -o "mountpoint=${mollysocket_db_dir}" "${state_dataset}/mollysocket"
+
+# Set permissions on the mollysocket db directory.
+install_directory -m 0770 -o "$mollysocket_username" -g "$mollysocket_username" "$mollysocket_db_dir"
+
+# Create mollysocket home directory.
+install_directory -o "$mollysocket_username" -g "$mollysocket_username" -m 0775 "$mollysocket_home"
+
+# Clone mollysocket git repo.
+[ -d "${mollysocket_repo_dir}" ] || su -m "$mollysocket_username" -c \
+  "git clone ${mollysocket_repo} ${mollysocket_repo_dir}"
+
+# Update mollysocket git repo.
+su -m "$mollysocket_username" -c "git -C ${mollysocket_repo_dir} fetch"
+su -m "$mollysocket_username" -c "git -C ${mollysocket_repo_dir} switch --detach ${mollysocket_branch}"
+
+# Build mollysocket.
+( cd "$mollysocket_repo_dir"
+  su -m "$mollysocket_username" -c "HOME=${mollysocket_home} RUSTFLAGS=-L/usr/local/lib cargo build --release"
+)
+
+# Copy mollysocket rc.d script.
+install_file -m 0555 /usr/local/etc/rc.d/mollysocket
+
+# Copy mollysocket config file.
+install_template -m 0640 -g "$mollysocket_username" "$mollysocket_conf_file"
+
+# Enable and start mollysocket.
+sysrc -v mollysocket_enable=YES
+service mollysocket restart
diff --git a/vars/hostclass/xmpp_server b/vars/hostclass/xmpp_server
index fb63bbe..0830827 100644
--- a/vars/hostclass/xmpp_server
+++ b/vars/hostclass/xmpp_server
@@ -2,7 +2,8 @@
 
 prosody_c2s_tls_port=5223
 prosody_s2s_tls_port=5270
+mollysocket_port=8443
 
-allowed_tcp_ports="ssh http https xmpp-client xmpp-server ${prosody_c2s_tls_port} ${prosody_s2s_tls_port}"
+allowed_tcp_ports="ssh http https xmpp-client xmpp-server ${prosody_c2s_tls_port} ${prosody_s2s_tls_port} ${mollysocket_port}"
 acme=true
 nginx_public=true
-- 
cgit v1.2.3