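---
# Main implementation
# ===================
#
# Tasks for the xmpp_server role: set up the Debian backports
# repository, install Prosody and its extra dependencies, deploy TLS
# material and LDAP client configuration, render the Prosody
# configuration, enable the service and open the firewall.

# The backports repository is configured before any of the package
# installations below.
- name: Set-up the Debian backports repository
  ansible.builtin.template:
    src: backports.list.j2
    dest: /etc/apt/sources.list.d/backports.list
    owner: root
    group: root
    mode: "0644"
  register: backports_repository_configuration

- name: Update apt cache if backports repository configuration changed (for immediate use) # noqa no-handler
  # [no-handler] Tasks that run when changed should likely be handlers
  # Since apt_repository module is not reliable (does not deploy
  # change when changing distro version etc), we have to use
  # template instead, but this also means we need to trigger the apt
  # cache reload by hand.
  ansible.builtin.apt:
    update_cache: true
  when: backports_repository_configuration.changed

- name: Install additional Prosody dependencies
  ansible.builtin.apt:
    name:
      - lua-ldap
      - prosody-modules
    state: present
  notify:
    - Restart Prosody

- name: Install Prosody
  ansible.builtin.apt:
    name: prosody
    state: present
  notify:
    - Restart Prosody

# The private key is deployed below with group "prosody"; membership
# in ssl-cert is what lets the service user reach the directory.
- name: Allow Prosody user to traverse the directory with TLS private keys
  ansible.builtin.user:
    name: prosody
    append: true
    groups: ssl-cert

- name: Deploy XMPP TLS private key
  ansible.builtin.copy:
    dest: "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.key"
    content: "{{ xmpp_tls_key }}"
    owner: root
    group: prosody
    mode: "0640"
  # The key is passed as inline content; without no_log it would be
  # printed in verbose output and in --diff mode.
  no_log: true
  notify:
    - Restart Prosody

- name: Deploy XMPP TLS certificate
  ansible.builtin.copy:
    dest: "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem"
    content: "{{ xmpp_tls_certificate }}"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart Prosody

- name: Generate the XMPP server Diffie-Hellman parameter
  community.crypto.openssl_dhparam:
    owner: root
    group: prosody
    mode: "0640"
    path: "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.dh.pem"
    size: 2048
  notify:
    - Restart Prosody

# Certificate validity monitoring: a config file naming the
# certificate to check, the checker script, and a daily cron entry.
- name: Deploy configuration file for checking certificate validity via cron
  ansible.builtin.copy:
    content: "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem"
    dest: "/etc/check_certificate/{{ ansible_fqdn }}_xmpp.conf"
    owner: root
    group: root
    mode: "0644"

- name: Deploy script for validating Prosody certificate
  ansible.builtin.copy:
    src: "check_prosody_certificate.sh"
    dest: "/usr/local/bin/check_prosody_certificate.sh"
    owner: root
    group: root
    mode: "0755"

- name: Set-up crontab task that runs the Prosody certificate checker script once a day
  ansible.builtin.copy:
    src: "cron_check_prosody_certificate"
    dest: "/etc/cron.d/check_prosody_certificate"
    owner: root
    group: root
    mode: "0644"

- name: Deploy LDAP client configuration (for validating LDAP server certificate)
  ansible.builtin.copy:
    src: prosody_ldaprc
    dest: "/var/lib/prosody/.ldaprc"
    owner: root
    group: prosody
    mode: "0640"
  notify:
    - Restart Prosody

- name: Deploy Prosody configuration file
  ansible.builtin.template:
    src: "prosody.cfg.lua.j2"
    dest: "/etc/prosody/prosody.cfg.lua"
    owner: root
    group: prosody
    mode: "0640"
  notify:
    - Restart Prosody

- name: Enable and start Prosody service
  ansible.builtin.service:
    name: prosody
    state: started
    enabled: true

- name: Deploy firewall configuration for XMPP server
  ansible.builtin.copy:
    src: "ferm_xmpp.conf"
    dest: "/etc/ferm/conf.d/30-xmpp.conf"
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

# Flushes the role's handlers immediately when run_handlers is set;
# the when applies to every task imported from the handlers file.
- name: Explicitly run all handlers
  ansible.builtin.import_tasks: ../handlers/main.yml
  when: "run_handlers | default(False) | bool()"
  tags:
    - handlers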