aboutsummaryrefslogtreecommitdiff
path: root/scripts/hostclass/xmpp_server
blob: 667014ff804b111f4610d5e1c5419be2ff87e138 (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132

#!/bin/sh

# The LDAP library used by prosody (lualdap) does not support SASL binds.
# Therefore, you must specify the prosody_ldap_password variable.

# prosody_acme_host=
: ${prosody_admins:=''}
: ${prosody_public_fqdn:="$fqdn"}
: ${prosody_domains:="$email_domain"}
: ${prosody_ldap_password:='changeme'}
: ${prosody_dbname:='prosody'}
: ${prosody_dbhost:="$postgres_host"}
: ${prosody_access_role:='xmpp-access'}
: ${prosody_archive_expiration:='1w'}
: ${prosody_upload_sizelimit:='104857600'} # 100 MB
: ${prosody_upload_expiration:='604800'}   # 1 week
: ${prosody_upload_quota:='25769803776'}   # 24 GB
: ${prosody_turn_port:='3478'}
: ${prosody_turn_host:="$turn_domain"}
: ${prosody_turn_realm:="$turn_domain"}
: ${prosody_turn_secret="$turn_secret"}

prosody_dn="uid=${prosody_username},${robots_basedn}"
prosody_local_user=prosody
prosody_conf_dir=/usr/local/etc/prosody
prosody_certs_dir="${prosody_conf_dir}/certs"
prosody_keytab="${keytab_dir}/prosody.client.keytab"
prosody_roster_path="${prosody_conf_dir}/roster.ini"
prosody_http_port=8080
prosody_db_dir=/var/db/prosody
prosody_upload_dir="${prosody_db_dir}/http_upload"

prosody_https_cacert="${acme_cert_dir}/nginx.ca.crt"
prosody_https_cert="${acme_cert_dir}/nginx.crt"
prosody_https_key="${acme_cert_dir}/nginx.key"

# Install required packages.
pkg install -y \
  prosody \
  prosody-modules \
  lua54-luadbi \
  lua54-lualdap \
  nginx

# Create ZFS dataset for HTTP upload files.
create_dataset -o "mountpoint=${prosody_db_dir}" "${state_dataset}/prosody"
install_directory -o "$prosody_local_user" -g "$prosody_local_user" -m 0750 "$prosody_db_dir"

# Create prosody user private group.
ldap_add "cn=${prosody_username},${private_groups_basedn}" <<EOF
objectClass: groupOfMembers
objectClass: posixGroup
cn: ${prosody_username}
gidNumber: ${prosody_uid}
member: uid=${prosody_username},${robots_basedn}
EOF

# Create prosody user account.
ldap_add "$prosody_dn" <<EOF
objectClass: account
objectClass: posixAccount
uid: ${prosody_username}
cn: ${prosody_username}
uidNumber: ${prosody_uid}
gidNumber: ${prosody_uid}
gecos: Prosody Pseudo-User
loginShell: /sbin/nologin
homeDirectory: /nonexistent
EOF

# Create principal and keytab.
add_principal -nokey -x "dn=${prosody_dn}" "$prosody_username"

ktadd -k "$prosody_keytab" "$prosody_username"
chgrp "$prosody_local_user" "$prosody_keytab"
chmod 640 "$prosody_keytab"

prosody_local_uid=$(id -u "$prosody_local_user")
install_directory -o "$prosody_local_user" -m 0700 "/var/krb5/user/${prosody_local_uid}"
ln -snfv "$prosody_keytab" "/var/krb5/user/${prosody_local_uid}/client.keytab"

# Set LDAP password for prosody user.
ldap_passwd "$prosody_dn" "$prosody_ldap_password"

# Create postgres user and database.
postgres_create_role "$prosody_dbhost" "$prosody_username"
postgres_create_database "$prosody_dbhost" "$prosody_dbname" "$prosody_username"

# Retrieve prosody certificates via ACME proxy.
install_directory -o root -g "$prosody_local_user" -m 0770 "$prosody_certs_dir"
install_file -m 0555 /usr/local/libexec/prosody-acme-proxy
su -m "$prosody_local_user" -c "/usr/local/libexec/prosody-acme-proxy ${prosody_username}@${prosody_acme_host} ${prosody_domains}"

# Copy prosody configuration.
install_template -o root -g "$prosody_local_user" -m 0640 /usr/local/etc/prosody/prosody.cfg.lua

# Configure automatic roster.
install_file -m 0555 /usr/local/libexec/prosody-update-roster
install -Cv -m 0640 -o "$prosody_local_user" -g "$prosody_local_user" /dev/null "${prosody_conf_dir}/roster.ini"
su -m "$prosody_local_user" -c "/usr/local/libexec/prosody-update-roster ${prosody_access_role} ${prosody_roster_path}"

# Copy prosody crontab.
install_template -m 0644 /etc/cron.d/prosody

# Configure nginx.
install_template -m 0644 "${nginx_conf_dir}/nginx.conf"
[ -f "${nginx_conf_dir}/vhosts.conf" ] || install -Cv -m 0644 /dev/null "${nginx_conf_dir}/vhosts.conf"
sysrc -v nginx_enable=YES
service nginx restart

# Retrieve webserver certificate via ACME.
install_template -m 0600 /usr/local/etc/sudoers.d/acme
acme_install_certificate \
  -g "$nginx_user" \
  -r 'sudo service nginx reload' \
  nginx \
  "$prosody_public_fqdn"

# Now that we have the ACME certs, add the vhosts.
install_template -m 0644 "${nginx_conf_dir}/vhosts.conf"
service nginx restart

# Enable and start daemons.
sysrc -v prosody_enable=YES
service prosody restart
service nginx restart

# Create access role.
ldap_add "cn=${prosody_access_role},${roles_basedn}" <<EOF
objectClass: groupOfMembers
cn: ${prosody_access_role}
EOF
generated by cgit v1.2.3 (git 2.25.1) at 2024-12-27 03:11:29 -0500