Prosody LetsEncrypt Proxy
=========================
Description
-----------
The `prosody_letsencrypt_proxy` role is used to copy certificates from your
webserver to your XMPP server.
Because XMPP clients require certificates matching the bare JID domain, it's
difficult to acquire LetsEncrypt certificates unless your XMPP and web server
are on the same host.
This role has two modes: `master` and `slave`.
The `master` mode should be run on your domain's webserver. Certificates are
retrieved from LetsEncrypt via Certbot, and placed in a special `sftp`-accessible
location.
The `slave` mode should be run on your XMPP host. It periodically fetches the
new certificates from the `master` over SFTP and reloads Prosody only if they
have changed.
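The slave-side fetch-and-reload cycle described above, as an added shell example that is not part of this role's code. The SFTP account name `le-proxy`, the remote directory layout (`/<domain>/fullchain.pem`, `/<domain>/privkey.pem`) and the local paths are assumptions; the host and key come from `prosody_le_proxy_host` and `prosody_le_ssh_privkey`.

```shell
#!/bin/sh
# Added example of the slave-side step this role automates: fetch the
# certificates the master exported over SFTP, install only the files that
# changed, and reload Prosody only when something did. Paths and the SFTP
# user name are assumptions, not the role's own.
set -eu
PROXY_HOST="${PROXY_HOST:-www1}"                # from prosody_le_proxy_host
SSH_KEY="${SSH_KEY:-/etc/prosody/le_proxy.key}" # prosody_le_ssh_privkey on disk
CERT_DIR="${CERT_DIR:-/etc/prosody/certs}"
# Pull <domain>/fullchain.pem and <domain>/privkey.pem into a staging dir.
fetch_certs() {
    stage="$1"; shift
    for domain in "$@"; do
        mkdir -p "$stage/$domain"
        sftp -q -i "$SSH_KEY" -b - "le-proxy@$PROXY_HOST" <<EOF
get /$domain/fullchain.pem $stage/$domain/fullchain.pem
get /$domain/privkey.pem $stage/$domain/privkey.pem
EOF
    done
}
# Compare each staged .pem with the installed copy; install the ones that
# differ. Returns 0 if at least one file changed, 1 if nothing did.
install_if_changed() {
    stage="$1"; dest="$2"; changed=1
    for src in $(find "$stage" -type f -name '*.pem' | sort); do
        rel="${src#"$stage"/}"; dst="$dest/$rel"
        if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
            continue
        fi
        mkdir -p "$(dirname "$dst")"
        # A private key must never be world-readable, even briefly: copy to a
        # temp name, set the mode, then rename into place atomically.
        tmp="$dst.tmp.$$"
        cp "$src" "$tmp"
        case "$rel" in */privkey.pem) chmod 0640 "$tmp" ;; *) chmod 0644 "$tmp" ;; esac
        mv -f "$tmp" "$dst"
        changed=0
    done
    return "$changed"
}
main() {
    stage_dir=$(mktemp -d)
    fetch_certs "$stage_dir" "$@"
    if install_if_changed "$stage_dir" "$CERT_DIR"; then
        prosodyctl reload   # only disturb Prosody when a file actually changed
    fi
    rm -rf "$stage_dir"
}
# Runs only when given domains, e.g. from cron: sync_certs.sh example.com
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it from cron on the XMPP host with the domain list as arguments; with no arguments it only defines the functions.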
Variables
---------
This role **accepts** the following variables:
Variable | Default | Description
-------------------------|------------------------|------------
`prosody_le_role` | `slave` | Either `master` or `slave`
`prosody_le_domains` | `{{ prosody_vhosts }}` | XMPP domains
`prosody_le_proxy_host` | | Host to retrieve certificates from
`prosody_le_ssh_privkey` | | SSH private key for SFTP
`prosody_le_ssh_pubkey` | | SSH public key for SFTP
Usage
-----
Example playbook:
````yaml
- name: configure webserver
  hosts: www1
  roles:
    - role: apache_vhost
      apache_server_name: www.example.com
      apache_server_aliases: [example.com]
      apache_canonical_hostname: www.example.com
      apache_document_root: /var/www/www.example.com
      apache_letsencrypt: yes
    - role: prosody_letsencrypt_proxy
      vars:
        prosody_le_role: master
        prosody_le_domains:
          - example.com
        # public half of the key pair the XMPP host uses for SFTP
        prosody_le_ssh_pubkey: |
          -----BEGIN OPENSSH PUBLIC KEY-----
          AAAAAAAAetc

- name: configure prosody
  hosts: xmpp_servers
  roles:
    - role: prosody
      vars:
        prosody_vhosts:
          - example.com
    - role: prosody_letsencrypt_proxy
      vars:
        prosody_le_role: slave
        prosody_le_proxy_host: www1
        # private half: store it in Ansible Vault rather than in plain text
        prosody_le_ssh_privkey: |
          -----BEGIN OPENSSH PRIVATE KEY-----
          AAAAAAAAetc
````