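#!/bin/sh

# Hostclass: XMPP server -- prosody behind nginx, with LDAP authentication,
# a Kerberos keytab, PostgreSQL storage and ACME-issued certificates.
#
# This is a flat provisioning script.  The helpers it calls (ldap_add,
# ldap_passwd, add_principal, ktadd, create_dataset, install_directory,
# install_file, install_template, postgres_create_role,
# postgres_create_database, acme_install_certificate) and the variables it
# reads without defaulting (fqdn, email_domain, postgres_host, turn_domain,
# turn_secret, prosody_username, prosody_uid, robots_basedn,
# private_groups_basedn, roles_basedn, keytab_dir, acme_cert_dir,
# state_dataset, nginx_user) are provided by the surrounding framework.
# Several of the prosody_* settings below are not used by this script itself;
# presumably they are read by the installed templates (prosody.cfg.lua,
# nginx.conf, vhosts.conf, cron.d/prosody) -- verify against those templates.

# The LDAP library used by prosody (lualdap) does not support SASL binds.
# Therefore, you must specify the prosody_ldap_password variable.
#
# Required settings with no usable default; the script aborts if they are
# unset or empty instead of provisioning a half-configured server:
#   prosody_ldap_password  simple-bind password of the prosody LDAP account
#   prosody_acme_host      host running the ACME proxy used by prosody
#
# prosody_ldap_passwd is accepted as an alias of prosody_ldap_password so that
# a host definition or template using either spelling sees the same value;
# the two names are forced to agree here.  (Previously the alias carried a
# hard-coded placeholder that never reached ldap_passwd.)
: "${prosody_ldap_password:=${prosody_ldap_passwd:-}}"
: "${prosody_ldap_password:?prosody_ldap_password must be set (lualdap requires a simple bind)}"
prosody_ldap_passwd=$prosody_ldap_password
: "${prosody_acme_host:?prosody_acme_host must be set}"

: "${prosody_admins:=}"
: "${prosody_public_fqdn:=$fqdn}"
: "${prosody_domains:=$email_domain}"
: "${prosody_dbname:=prosody}"
: "${prosody_dbhost:=$postgres_host}"
: "${prosody_access_role:=xmpp-access}"
: "${prosody_archive_expiration:=1w}"
: "${prosody_upload_sizelimit:=104857600}" # 100 MB
: "${prosody_upload_expiration:=604800}"   # 1 week
: "${prosody_upload_quota:=25769803776}"   # 24 GB
: "${prosody_turn_port:=3478}"
: "${prosody_turn_host:=$turn_domain}"
: "${prosody_turn_realm:=$turn_domain}"
# '=' rather than ':=' is deliberate here: an explicitly empty
# prosody_turn_secret is preserved; only an unset one falls back.
: "${prosody_turn_secret=$turn_secret}"

# Identity and filesystem layout of the prosody service.
prosody_dn="uid=${prosody_username},${robots_basedn}"
prosody_local_user=prosody
prosody_conf_dir=/usr/local/etc/prosody
prosody_certs_dir="${prosody_conf_dir}/certs"
prosody_keytab="${keytab_dir}/prosody.keytab"
prosody_roster_path="${prosody_conf_dir}/roster.ini"
prosody_http_port=8080
prosody_upload_dir=/var/db/prosody/http_upload

# nginx terminates HTTPS with the certificate obtained for the public FQDN.
prosody_https_cacert="${acme_cert_dir}/nginx.ca.crt"
prosody_https_cert="${acme_cert_dir}/nginx.crt"
prosody_https_key="${acme_cert_dir}/nginx.key"

# Install required packages.
pkg install -y \
  prosody \
  prosody-modules \
  lua54-luadbi \
  lua54-lualdap \
  nginx

# Create ZFS dataset for HTTP upload files.
create_dataset -o "mountpoint=${prosody_upload_dir}" "${state_dataset}/http_upload"

# Set ownership on http_upload directory; only the prosody user and group
# may enter it.
install_directory -o "$prosody_local_user" -g "$prosody_local_user" -m 0750 "$prosody_upload_dir"

# Create prosody user private group.
ldap_add "cn=${prosody_username},${private_groups_basedn}" <<EOF
objectClass: groupOfMembers
objectClass: posixGroup
cn: ${prosody_username}
gidNumber: ${prosody_uid}
member: uid=${prosody_username},${robots_basedn}
EOF

# Create prosody user account.  The account is a robot: no login shell and
# no home directory.
ldap_add "$prosody_dn" <<EOF
objectClass: account
objectClass: posixAccount
uid: ${prosody_username}
cn: ${prosody_username}
uidNumber: ${prosody_uid}
gidNumber: ${prosody_uid}
gecos: Prosody Pseudo-User
loginShell: /sbin/nologin
homeDirectory: /nonexistent
EOF

# Create principal and keytab.  The keytab stays root-owned; the prosody
# group gets read access only.
add_principal -nokey -x "dn=${prosody_dn}" "$prosody_username"

ktadd -k "$prosody_keytab" "$prosody_username"
chgrp "$prosody_local_user" "$prosody_keytab"
chmod 640 "$prosody_keytab"

# Expose the keytab as the prosody user's client keytab under /var/krb5/user.
prosody_local_uid=$(id -u "$prosody_local_user")
install_directory -o "$prosody_local_user" -m 0700 "/var/krb5/user/${prosody_local_uid}"
ln -snfv "$prosody_keytab" "/var/krb5/user/${prosody_local_uid}/client.keytab"

# Set LDAP password for prosody user (the simple-bind credential lualdap uses).
ldap_passwd "$prosody_dn" "$prosody_ldap_password"

# Create postgres user and database.
postgres_create_role "$prosody_dbhost" "$prosody_username"
postgres_create_database "$prosody_dbhost" "$prosody_dbname" "$prosody_username"

# Retrieve prosody certificates via ACME proxy.  The proxy runs as the
# prosody user so the resulting files land in the group-writable certs
# directory.  prosody_domains is expanded unquoted inside the command string,
# so a whitespace-separated list is passed as one argument per domain.
install_directory -o root -g "$prosody_local_user" -m 0770 "$prosody_certs_dir"
install_file -m 0555 /usr/local/libexec/prosody-acme-proxy
su -m "$prosody_local_user" -c "/usr/local/libexec/prosody-acme-proxy ${prosody_username}@${prosody_acme_host} ${prosody_domains}"

# Copy prosody configuration.
install_template -o root -g "$prosody_local_user" -m 0640 "${prosody_conf_dir}/prosody.cfg.lua"

# Configure automatic roster.  The roster file is pre-created empty with the
# right owner and mode so the generator (run as prosody) can overwrite it.
install_file -m 0555 /usr/local/libexec/prosody-update-roster
install -Cv -m 0640 -o "$prosody_local_user" -g "$prosody_local_user" /dev/null "$prosody_roster_path"
su -m "$prosody_local_user" -c "/usr/local/libexec/prosody-update-roster ${prosody_access_role} > ${prosody_roster_path}"

# Copy prosody crontab.
install_template -m 0644 /etc/cron.d/prosody

# Configure nginx.  It is started before the vhost exists so the ACME
# challenge can be served while the certificate is being obtained.
install_template -m 0644 /usr/local/etc/nginx/nginx.conf
sysrc -v nginx_enable=YES
service nginx restart

# Let the ACME client reload nginx without a full root shell.
install_template -m 0600 /usr/local/etc/sudoers.d/acme
acme_install_certificate \
  -C "$prosody_https_cacert" \
  -c "$prosody_https_cert" \
  -k "$prosody_https_key" \
  -g "$nginx_user" \
  -r 'sudo service nginx reload' \
  "$prosody_public_fqdn"

# Now that we have the ACME certs, add the nginx vhost.
install_template -m 0644 /usr/local/etc/nginx/vhosts.conf

# Enable and start daemons.
sysrc -v prosody_enable=YES
service prosody restart
service nginx restart

# Create access role; membership in this LDAP group grants XMPP access.
ldap_add "cn=${prosody_access_role},${roles_basedn}" <<EOF
objectClass: groupOfMembers
cn: ${prosody_access_role}
EOF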