From d58dac1bb32b87e79e16a2e9777a6dced701aa3b Mon Sep 17 00:00:00 2001
From: Cullum Smith <cullum@sacredheartsc.com>
Date: Tue, 25 Mar 2025 21:24:12 -0400
Subject: add mollysocket support to xmpp server

---
 scripts/hostclass/xmpp_server/10-prosody | 137 +++++++++++++++++++++++++++++++
 1 file changed, 137 insertions(+)
 create mode 100644 scripts/hostclass/xmpp_server/10-prosody

(limited to 'scripts/hostclass/xmpp_server/10-prosody')

diff --git a/scripts/hostclass/xmpp_server/10-prosody b/scripts/hostclass/xmpp_server/10-prosody
new file mode 100644
index 0000000..3383282
--- /dev/null
+++ b/scripts/hostclass/xmpp_server/10-prosody
@@ -0,0 +1,137 @@
+#!/bin/sh
+
+# The LDAP library used by prosody (lualdap) does not support SASL binds.
+# Therefore, you must specify the prosody_ldap_password variable.
+
+# prosody_acme_host=
+: ${prosody_admins:=''}
+: ${prosody_public_fqdn:="$fqdn"}
+: ${prosody_push_fqdn:="push.${email_domain}"}
+: ${prosody_domains:="$email_domain"}
+: ${prosody_ldap_password:='changeme'}
+: ${prosody_dbname:='prosody'}
+: ${prosody_dbhost:="$postgres_host"}
+: ${prosody_access_role:='xmpp-access'}
+: ${prosody_archive_expiration:='1w'}
+: ${prosody_upload_sizelimit:='104857600'} # 100 MB
+: ${prosody_upload_expiration:='604800'}   # 1 week
+: ${prosody_upload_quota:='25769803776'}   # 24 GB
+: ${prosody_turn_port:='3478'}
+: ${prosody_turn_host:="$turn_domain"}
+: ${prosody_turn_realm:="$turn_domain"}
+: ${prosody_turn_secret="$turn_secret"}
+
+prosody_dn="uid=${prosody_username},${robots_basedn}"
+prosody_local_user=prosody
+prosody_conf_dir=/usr/local/etc/prosody
+prosody_certs_dir="${prosody_conf_dir}/certs"
+prosody_keytab="${keytab_dir}/prosody.client.keytab"
+prosody_roster_path="${prosody_conf_dir}/roster.ini"
+prosody_http_port=8080
+prosody_db_dir=/var/db/prosody
+prosody_upload_dir="${prosody_db_dir}/http_upload"
+
+prosody_https_cacert="${acme_cert_dir}/nginx.ca.crt"
+prosody_https_cert="${acme_cert_dir}/nginx.crt"
+prosody_https_key="${acme_cert_dir}/nginx.key"
+
+mollysocket_local_port=8081
+
+# Install required packages.
+pkg install -y \
+  prosody \
+  prosody-modules \
+  lua54-luadbi \
+  lua54-lualdap \
+  nginx \
+  ca_root_nss
+
+# Create ZFS dataset for HTTP upload files.
+create_dataset -o "mountpoint=${prosody_db_dir}" "${state_dataset}/prosody"
+install_directory -o "$prosody_local_user" -g "$prosody_local_user" -m 0750 "$prosody_db_dir"
+
+# Create prosody user private group.
+ldap_add "cn=${prosody_username},${private_groups_basedn}" <<EOF
+objectClass: groupOfMembers
+objectClass: posixGroup
+cn: ${prosody_username}
+gidNumber: ${prosody_uid}
+member: uid=${prosody_username},${robots_basedn}
+EOF
+
+# Create prosody user account.
+ldap_add "$prosody_dn" <<EOF
+objectClass: account
+objectClass: posixAccount
+uid: ${prosody_username}
+cn: ${prosody_username}
+uidNumber: ${prosody_uid}
+gidNumber: ${prosody_uid}
+gecos: Prosody Pseudo-User
+loginShell: /sbin/nologin
+homeDirectory: /nonexistent
+EOF
+
+# Create principal and keytab.
+add_principal -nokey -x "dn=${prosody_dn}" "$prosody_username"
+
+ktadd -k "$prosody_keytab" "$prosody_username"
+chgrp "$prosody_local_user" "$prosody_keytab"
+chmod 640 "$prosody_keytab"
+
+prosody_local_uid=$(id -u "$prosody_local_user")
+install_directory -o "$prosody_local_user" -m 0700 "/var/krb5/user/${prosody_local_uid}"
+ln -snfv "$prosody_keytab" "/var/krb5/user/${prosody_local_uid}/client.keytab"
+
+# Set LDAP password for prosody user.
+ldap_passwd "$prosody_dn" "$prosody_ldap_password"
+
+# Create postgres user and database.
+postgres_create_role "$prosody_dbhost" "$prosody_username"
+postgres_create_database "$prosody_dbhost" "$prosody_dbname" "$prosody_username"
+
+# Retrieve prosody certificates via ACME proxy.
+install_directory -o root -g "$prosody_local_user" -m 0770 "$prosody_certs_dir"
+install_file -m 0555 /usr/local/libexec/prosody-acme-proxy
+su -m "$prosody_local_user" -c "/usr/local/libexec/prosody-acme-proxy ${prosody_username}@${prosody_acme_host} ${prosody_domains}"
+
+# Copy prosody configuration.
+install_template -o root -g "$prosody_local_user" -m 0640 /usr/local/etc/prosody/prosody.cfg.lua
+
+# Configure automatic roster.
+install_file -m 0555 /usr/local/libexec/prosody-update-roster
+install -Cv -m 0640 -o "$prosody_local_user" -g "$prosody_local_user" /dev/null "${prosody_conf_dir}/roster.ini"
+su -m "$prosody_local_user" -c "/usr/local/libexec/prosody-update-roster ${prosody_access_role} ${prosody_roster_path}"
+
+# Copy prosody crontab.
+install_template -m 0644 /etc/cron.d/prosody
+
+# Configure nginx.
+install_template -m 0644 "${nginx_conf_dir}/nginx.conf"
+[ -f "${nginx_conf_dir}/vhosts.conf" ] || install -Cv -m 0644 /dev/null "${nginx_conf_dir}/vhosts.conf"
+sysrc -v nginx_enable=YES
+service nginx restart
+install_file -m 0644 /etc/newsyslog.conf.d/nginx.conf
+
+# Retrieve webserver certificate via ACME.
+install_template -m 0600 /usr/local/etc/sudoers.d/acme
+acme_install_certificate \
+  -g "$nginx_user" \
+  -r 'sudo service nginx reload' \
+  nginx \
+  "$prosody_public_fqdn"
+
+# Now that we have the ACME certs, add the vhosts.
+install_template -m 0644 "${nginx_conf_dir}/vhosts.conf"
+service nginx restart
+
+# Enable and start daemons.
+sysrc -v prosody_enable=YES
+[ "${prosody_restart:-}" = false ] || service prosody restart
+service nginx restart
+
+# Create access role.
+ldap_add "cn=${prosody_access_role},${roles_basedn}" <<EOF
+objectClass: groupOfMembers
+cn: ${prosody_access_role}
+EOF
-- 
cgit v1.2.3