Diffstat (limited to 'roles/prosody/tasks')
-rw-r--r--roles/prosody/tasks/database.yml17
-rw-r--r--roles/prosody/tasks/freeipa.yml64
-rw-r--r--roles/prosody/tasks/main.yml97
3 files changed, 178 insertions, 0 deletions
diff --git a/roles/prosody/tasks/database.yml b/roles/prosody/tasks/database.yml
new file mode 100644
index 0000000..675ab11
--- /dev/null
+++ b/roles/prosody/tasks/database.yml
@@ -0,0 +1,17 @@
+- name: create database
+ postgresql_db:
+ name: '{{ prosody_db_name }}'
+ state: present
+ delegate_to: '{{ postgresql_inventory_host }}'
+ become: yes
+ become_user: postgres
+
+- name: create database user
+ postgresql_user:
+ name: '{{ prosody_user }}'
+ db: '{{ prosody_db_name }}'
+ priv: ALL
+ state: present
+ delegate_to: '{{ postgresql_inventory_host }}'
+ become: yes
+ become_user: postgres
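Review bot: The `postgresql_user` task creates the prosody role with no password and grants `priv: ALL` on the database, and nothing in this file records how that role is expected to authenticate; it appears to rely on the Kerberos/gssproxy setup done in freeipa.yml, which is worth stating in place, e.g. `# no password: the prosody role authenticates via Kerberos (gssproxy, see freeipa.yml)` above the task. `ALL` at database level means CREATE, CONNECT and TEMPORARY, which Prosody needs to create its own tables, so a one-line comment to that effect would also stop a later reader from tightening it blindly. As a point of style, both tasks use `become: yes`; `become: true` is the canonical boolean and avoids YAML 1.1 truthy ambiguity.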
diff --git a/roles/prosody/tasks/freeipa.yml b/roles/prosody/tasks/freeipa.yml
new file mode 100644
index 0000000..caff62a
--- /dev/null
+++ b/roles/prosody/tasks/freeipa.yml
@@ -0,0 +1,64 @@
+- name: create user
+ ipauser:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ prosody_user }}'
+ loginshell: /sbin/nologin
+ homedir: '{{ prosody_data_dir }}'
+ givenname: Prosody
+ sn: Service Account
+ state: present
+ run_once: yes
+
+- name: retrieve user keytab
+ include_role:
+ name: freeipa_keytab
+ vars:
+ keytab_principal: '{{ prosody_user }}'
+ keytab_path: '{{ prosody_keytab }}'
+
+- name: configure gssproxy for kerberized postgres
+ include_role:
+ name: gssproxy_client
+ vars:
+ gssproxy_name: prosody
+ gssproxy_section: service/prosody
+ gssproxy_client_keytab: '{{ prosody_keytab }}'
+ gssproxy_cred_usage: initiate
+ gssproxy_euid: prosody
+
+- name: create systemd override directory
+ file:
+ path: /etc/systemd/system/prosody.service.d
+ state: directory
+
+- name: create systemd override file
+ copy:
+ src: etc/systemd/system/prosody.service.d/override.conf
+ dest: /etc/systemd/system/prosody.service.d/override.conf
+ register: prosody_systemd_unit
+ notify: restart prosody
+
+- name: reload systemd units
+ systemd:
+ daemon_reload: yes
+ when: prosody_systemd_unit.changed
+
+- name: create SELinux policy for prosody to access gssproxy
+ include_role:
+ name: selinux_policy
+ apply:
+ tags: selinux
+ vars:
+ selinux_policy_name: prosody_gssproxy
+ selinux_policy_te: '{{ prosody_selinux_policy_te }}'
+ tags: selinux
+
+- name: create access group
+ ipagroup:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ prosody_access_group }}'
+ nonposix: yes
+ state: present
+ run_once: yes
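Review bot: The `ipauser` and `ipagroup` tasks pass `ipaadmin_password: '{{ ipa_pass }}'` as a module argument without `no_log: true` on the task; the freeipa modules probably mark that parameter sensitive in their own argument spec, but an explicit `no_log: true` on both tasks costs nothing and keeps the credential out of verbose or debug output if that assumption is wrong. The `reload systemd units` task depends on `prosody_systemd_unit.changed`, which is only correct because the `copy` task immediately above always runs; a comment such as `# must run before the 'restart prosody' handler fires at end of play` would make the ordering intent explicit. The `yes` values on `run_once`, `daemon_reload` and `nonposix` should be `true` for consistency with canonical YAML booleans.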
diff --git a/roles/prosody/tasks/main.yml b/roles/prosody/tasks/main.yml
new file mode 100644
index 0000000..c29dd38
--- /dev/null
+++ b/roles/prosody/tasks/main.yml
@@ -0,0 +1,97 @@
+- name: install prosody
+ dnf:
+ name: '{{ prosody_packages }}'
+ state: present
+
+- name: request conference vhost certificates
+ include_role:
+ name: certbot
+ vars:
+ certificate_sans: ['{{ item }}']
+ certificate_path: '{{ prosody_certificate_dir }}/{{ item }}.crt'
+ certificate_key_path: '{{ prosody_certificate_dir }}/{{ item }}.key'
+ certificate_owner: prosody
+ certificate_hook: systemctl reload prosody
+ certificate_use_apache: yes
+ loop: '{{ prosody_conference_vhosts }}'
+
+- import_tasks: freeipa.yml
+ tags: freeipa
+
+- import_tasks: database.yml
+ tags: database
+
+- name: create module directory
+ file:
+ path: '{{ prosody_module_dir }}'
+ state: directory
+
+- name: clone module repository
+ hg:
+ repo: '{{ prosody_module_repo }}'
+ dest: '{{ prosody_module_dir }}'
+
+- name: generate configuration
+ template:
+ src: etc/prosody/prosody.cfg.lua.j2
+ dest: /etc/prosody/prosody.cfg.lua
+ owner: root
+ group: prosody
+ mode: 0640
+ notify: restart prosody
+
+- name: open firewall ports
+ firewalld:
+ permanent: yes
+ immediate: yes
+ service: '{{ item }}'
+ state: enabled
+ loop:
+ - xmpp-client
+ - xmpp-server
+ tags: firewalld
+
+- name: enable httpd_can_network_connect SELinux boolean
+ seboolean:
+ name: httpd_can_network_connect
+ state: yes
+ persistent: yes
+ tags: selinux
+
+- name: create roster file with correct permissions
+ copy:
+ content: ''
+ dest: '{{ prosody_groups_file }}'
+ owner: prosody
+ group: prosody
+ mode: 0640
+ force: no
+
+- name: generate roster script
+ template:
+ src: usr/local/bin/prosody-update-roster.j2
+ dest: /usr/local/bin/prosody-update-roster
+ mode: 0555
+
+- name: create prosody-update-roster timer
+ include_role:
+ name: systemd_timer
+ vars:
+ timer_name: prosody-update-roster
+ timer_description: Update prosody shared roster
+ timer_after: network.target
+ timer_on_calendar: daily
+ timer_exec: /usr/local/bin/prosody-update-roster
+ timer_user: prosody
+
+- name: generate shared roster
+ systemd:
+ name: prosody-update-roster.service
+ state: started
+ changed_when: no
+
+- name: start prosody
+ systemd:
+ name: prosody
+ enabled: yes
+ state: started
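Review bot: The `clone module repository` task uses `hg:` with only `repo` and `dest`, so every run pulls whatever the remote currently serves and loads it into the XMPP server as executable Lua; pinning the checkout with `revision: '{{ prosody_module_revision }}'` (a new role variable) turns the community modules into a reviewable, reproducible dependency rather than an unpinned supply-chain input. The task also lacks `notify: restart prosody`, so a module update that does arrive is not picked up until something else restarts the service. Separately, `mode: 0640` and `mode: 0555` on the template tasks and `state: yes` on `seboolean` should be written as `mode: "0640"`, `mode: "0555"` and `state: true` to avoid YAML 1.1 octal/truthy surprises, and `enabled: yes` on the final task as `enabled: true`.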