Diffstat (limited to 'roles/prosody/templates')
-rw-r--r-- | roles/prosody/templates/etc/prosody/prosody.cfg.lua.j2 | 119 | ||||
-rw-r--r-- | roles/prosody/templates/usr/local/bin/prosody-update-roster.j2 | 56 |
2 files changed, 175 insertions, 0 deletions
diff --git a/roles/prosody/templates/etc/prosody/prosody.cfg.lua.j2 b/roles/prosody/templates/etc/prosody/prosody.cfg.lua.j2
new file mode 100644
index 0000000..9a07f8e
--- /dev/null
+++ b/roles/prosody/templates/etc/prosody/prosody.cfg.lua.j2
@@ -0,0 +1,119 @@
+admins = { {% for admin in prosody_admins %}"{{ admin }}"{% if loop.last %},{% endif %}{% endfor %} }
+
+network_backend = "event"
+
+plugin_paths = { "{{ prosody_module_dir }}" }
+
+modules_enabled = {
+ -- required modules
+ "roster"; -- Allow users to have a roster. Recommended ;)
+ "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+ "tls"; -- Add support for secure TLS on c2s/s2s connections
+ "dialback"; -- s2s dialback support
+ "disco"; -- Service discovery
+
+ -- optional modules
+ "csi"; -- Client state indication
+ "carbons"; -- Keep multiple clients in sync
+ "pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+ "private"; -- Private XML storage (for room bookmarks, etc.)
+ "blocklist"; -- Allow users to block communications with other users
+ "vcard4"; -- User profiles (stored in PEP)
+ "vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+ "limits"; -- Enable bandwidth limiting for XMPP connections
+
+ "version"; -- Replies to server version requests
+ "uptime"; -- Report how long server has been running
+ "time"; -- Let others know the time here on this server
+ "ping"; -- Replies to XMPP pings with pongs
+ "mam"; -- Store messages in an archive and allow users to access it
+ "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+ "groups"; -- Shared roster support
+
+ -- community modules
+ "smacks"; -- Stream management / fast reconnects
+ "csi_battery_saver"; -- Mobile optimizations
+ "turn_external"; -- STUN/TURN server
+ "reload_modules"; -- Reload modules on config reload
+}
+
+reload_modules = { "groups", "tls" }
+pidfile = "/run/prosody/prosody.pid";
+
+allow_registration = false
+groups_file = "{{ prosody_groups_file }}"
+
+c2s_require_encryption = true
+s2s_require_encryption = true
+s2s_secure_auth = false
+
+-- Enable rate limits for incoming client and server connections
+limits = {
+ c2s = {
+ rate = "10kb/s";
+ };
+ s2sin = {
+ rate = "30kb/s";
+ };
+}
+
+-- Authentication
+authentication = "ldap"
+ldap_server = "{{ prosody_ldap_hosts | join(' ') }}"
+ldap_rootdn = "uid={{ prosody_sysaccount_username }},{{ freeipa_sysaccount_basedn }}"
+ldap_password = "{{ prosody_sysaccount_password }}"
+ldap_base = "{{ freeipa_user_basedn }}"
+ldap_filter = "(&(jid=$user@$host)(memberOf=cn={{ prosody_access_group }},{{ freeipa_group_basedn }}))"
+ldap_tls = true
+
+-- Storage
+storage = "sql"
+sql = {
+ driver = "PostgreSQL",
+ database = "{{ prosody_db_name }}",
+ username = "{{ prosody_user }}",
+ host = "{{ prosody_db_host }}"
+}
+
+archive_expires_after = "{{ prosody_archive_expires_after }}"
+
+-- Logging
+log = {
+ info = "*console";
+}
+
+-- Certificates
+certificates = "/etc/pki/prosody"
+
+-- HTTP
+http_ports = { {{ prosody_http_port }} }
+http_interfaces = { "127.0.0.1", "::1" }
+https_interfaces = { }
+https_ports = { }
+http_external_url = "https://{{ prosody_http_host }}/"
+https_external_url = "https://{{ prosody_http_host }}/"
+http_max_content_size = {{ prosody_upload_file_size_limit }}
+trusted_proxies = { "127.0.0.1", "::1" }
+
+Component "{{ prosody_http_host }}" "http_upload"
+
+http_upload_file_size_limit = {{ prosody_upload_file_size_limit }}
+http_upload_expire_after = {{ prosody_upload_expire_after }}
+http_upload_quota = {{ prosody_upload_quota }}
+
+-- Virtual hosts
+{% for vhost in prosody_vhosts %}
+VirtualHost "{{ vhost }}"
+disco_items = {
+ { "{{ prosody_http_host }}" },
+}
+turn_external_host = "{{ prosody_turn_host }}"
+turn_external_port = {{ prosody_turn_port }}
+turn_external_secret = "{{ prosody_turn_secret }}"
+
+{% endfor %}
+
+{% for vhost in prosody_conference_vhosts %}
+Component "{{ vhost }}" "muc"
+ modules_enabled = { "muc_mam" }
+{% endfor %}
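Review bot: The `admins` table on the first line of the hunk is invalid Lua as soon as `prosody_admins` has more than one entry: `{% if loop.last %},{% endif %}` emits the comma only after the last name, so two admins render as `"a""b"` with no separator, and Lua has no implicit string concatenation, so the config fails to load. A trailing comma is legal in a Lua table constructor, so the simplest fix is to always emit one: `admins = { {% for admin in prosody_admins %}"{{ admin }}",{% endfor %} }`. Separately, `s2s_secure_auth = false` means remote servers that fail certificate validation are still accepted through dialback; if that is a deliberate federation choice it deserves a comment on the line, e.g. `-- dialback fallback kept on purpose: peers without valid certs are still accepted`, otherwise set it to `true`. The rendered file also embeds `ldap_password` and `turn_external_secret`; the template cannot show the mode the task installs it with, so it is worth confirming the file is readable only by the prosody user.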
diff --git a/roles/prosody/templates/usr/local/bin/prosody-update-roster.j2 b/roles/prosody/templates/usr/local/bin/prosody-update-roster.j2
new file mode 100644
index 0000000..680ab91
--- /dev/null
+++ b/roles/prosody/templates/usr/local/bin/prosody-update-roster.j2
@@ -0,0 +1,56 @@
+#!/usr/libexec/platform-python
+
+# Copyright (c) 2023 stonewall@sacredheartsc.com
+# MIT License https://opensource.org/licenses/MIT
+#
+# Generates a shared roster file for Prosody from the given IPA group.
+
+import os
+import sys
+import ldap
+import ldap.sasl
+import ldap.filter
+import hashlib
+import subprocess
+
+LDAP_URI = '{{ freeipa_ldap_uri }}'
+USER_BASEDN = '{{ freeipa_user_basedn }}'
+GROUP_BASEDN = '{{ freeipa_group_basedn }}'
+
+PROSODY_GROUPS_FILE = '{{ prosody_groups_file }}'
+PROSODY_ACCESS_GROUP = '{{ prosody_access_group }}'
+
+ROSTER_GROUP_NAME = 'Internal'
+
+os.environ['GSS_USE_PROXY'] = 'yes'
+conn = ldap.initialize(LDAP_URI)
+conn.protocol_version = ldap.VERSION3
+conn.sasl_interactive_bind_s('', ldap.sasl.sasl({}, 'GSSAPI'))
+
+users = conn.search_s(
+ USER_BASEDN,
+ ldap.SCOPE_SUBTREE,
+ ldap.filter.filter_format('memberOf=cn=%s,%s', [PROSODY_ACCESS_GROUP, GROUP_BASEDN]),
+ ['jid', 'displayName'])
+
+if not users:
+ exit(1)
+
+with open(PROSODY_GROUPS_FILE, 'rb') as f:
+ hash_before = hashlib.md5(f.read()).hexdigest()
+ f.close()
+
+with open(PROSODY_GROUPS_FILE, 'w') as f:
+ print(f'[{ROSTER_GROUP_NAME}]', file=f)
+ for user in users:
+ jid = user[1]['jid'][0].decode('utf-8')
+ displayName = user[1]['displayName'][0].decode('utf-8')
+ print(f'{jid}={displayName}', file=f)
+ f.close()
+
+with open(PROSODY_GROUPS_FILE, 'rb') as f:
+ hash_after = hashlib.md5(f.read()).hexdigest()
+ f.close()
+
+if hash_before != hash_after:
+ subprocess.run(['prosodyctl', 'reload'])
|
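Review bot: `open(PROSODY_GROUPS_FILE, 'w')` truncates the live roster before the first entry is written, so a KeyError on a user that lacks a `jid` or `displayName` attribute (or any other failure inside that loop) leaves Prosody with an empty or partial groups file until the next run. Build the new content in memory, compare it with the current bytes (which retires the md5 round-trips and the redundant `f.close()` calls inside the `with` blocks), then write a sibling temp file and `os.replace` it into place so readers only ever see a complete file; the rewrite below does that and adds `check=True` to the `prosodyctl reload` call so a failed reload is not silently ignored (the renamed file carries the temp file's mode and owner, so the task installing the roster should set them on the new path if they differ from the umask default — that is not visible from the template). Because the values come from the directory, a `displayName` containing a newline would split into an extra `jid=name` line, so the rewrite skips such entries with a message on stderr instead of writing a malformed roster. `exit(1)` at the empty-result guard should be `sys.exit(1)`: `sys` is already imported and the `exit` builtin is only installed by the site module.
```python
# … unchanged: shebang, imports, constants, LDAP bind and search …

if not users:
    sys.exit(1)

# Build the whole roster in memory first, so a user with a missing
# attribute aborts the run before the live file is touched.
lines = [f'[{ROSTER_GROUP_NAME}]']
for _dn, attrs in users:
    jid = attrs['jid'][0].decode('utf-8')
    display_name = attrs['displayName'][0].decode('utf-8')
    if '\n' in jid or '\n' in display_name:
        # a newline would split this entry into two roster lines
        print(f'skipping entry with newline in jid/displayName: {jid!r}', file=sys.stderr)
        continue
    lines.append(f'{jid}={display_name}')
new_content = ('\n'.join(lines) + '\n').encode('utf-8')

try:
    with open(PROSODY_GROUPS_FILE, 'rb') as f:
        old_content = f.read()
except FileNotFoundError:
    old_content = None

if new_content != old_content:
    # write a sibling file and rename it over the old one, so Prosody
    # never reads a half-written roster
    tmp_path = PROSODY_GROUPS_FILE + '.tmp'
    with open(tmp_path, 'wb') as f:
        f.write(new_content)
    os.replace(tmp_path, PROSODY_GROUPS_FILE)
    subprocess.run(['prosodyctl', 'reload'], check=True)
```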