Changeset - 16ec0de22bf3
Branko Majic (branko) - 6 years ago 2020-05-07 18:59:45
branko@majic.rs
MAR-152: Switch to /run path in backup_server, ldap_server, and xmpp_server roles.
3 files changed with 3 insertions and 3 deletions:
roles/backup_server/files/backup-sshd_config-stretch
 
# Listen on separate port for backup purposes.
 
Port 2222
 

	
 
# Use the SSH protocol version 2 (which is safer).
 
Protocol 2
 

	
 
# Define dedicated host keys for backup SSH server.
 
HostKey /etc/ssh-backup/ssh_host_rsa_key
 
HostKey /etc/ssh-backup/ssh_host_ecdsa_key
 
HostKey /etc/ssh-backup/ssh_host_ed25519_key
 

	
 
# Use privilege separation for increased security.
 
UsePrivilegeSeparation yes
 

	
 
# Configure logging.
 
SyslogFacility AUTH
 
LogLevel INFO
 

	
 
# Users logging-in have 10 seconds to login upon established connection.
 
LoginGraceTime 10
 

	
 
# Don't allow root accounts logins.
 
PermitRootLogin no
 

	
 
# Enforce strict checking of home directory mode. However, this is not used for
 
# the chroots (chroots must check mode).
 
StrictModes yes
 

	
 
# Allow public key authentication.
 
PubkeyAuthentication yes
 

	
 
# Don't read the user's ~/.rhosts and ~/.shosts files for eventual
 
# RhostsRSAAuthentication or HostbasedAuthentication.
 
IgnoreRhosts yes
 

	
 
# Disable host-based authentication.
 
HostbasedAuthentication no
 

	
 
# Do not allow logins with empty passwords.
 
PermitEmptyPasswords no
 

	
 
# Don't allow challenge-response authentication.
 
ChallengeResponseAuthentication no
 

	
 
# Disable password-based authentication.
 
PasswordAuthentication no
 

	
 
# Disable X11 forwarding.
 
X11Forwarding no
 

	
 
# Do not print motd to avoid eventual issues for clients.
 
PrintMotd no
 

	
 
# Do not print the date and time of the last user login.
 
PrintLastLog no
 

	
 
# Use TPC keepalives for detecting dead connections.
 
TCPKeepAlive yes
 

	
 
# Use the internal SFTP so we can also easily utilise chroot.
 
Subsystem sftp internal-sftp
 

	
 
# Use PAM. But thanks to PasswordAuthentication being set to "no", PAM will be
 
# used just for session stuff.
 
UsePAM yes
 

	
 
# Specify a dedicated PID file for the backup SSH.
 
PidFile /var/run/sshd-backup.pid
 
PidFile /run/sshd-backup.pid
 

	
 
# Users logging-in are forced to use the SFTP server.
 
ForceCommand internal-sftp
 

	
 
# Chroot logged-in users to their home directories.
 
ChrootDirectory %h
 

	
 
# Do not allow any TCP forwarding.
 
AllowTCPForwarding no
 

	
 
# Only allow the members of this group to log-in into this instance of OpenSSH
 
# server.
 
AllowGroups backup
 
\ No newline at end of file
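Review bot: The new `PidFile /run/sshd-backup.pid` only pays off if whatever starts and stops this second sshd (a unit file or init script elsewhere in the role; this commit touches only the three listed files) reads the PID from the same path — please confirm that a companion `PIDFile=` or `--pidfile` reference does not still say `/var/run/sshd-backup.pid`. On stretch `/var/run` is a symlink to `/run`, so the daemon itself behaves identically either way; the gain is presumably silencing the legacy-directory warning newer systemd prints for PID files under `/var/run`, which a stale reference in the service definition would defeat. Since this file is stretch-specific, `Protocol 2` and `UsePrivilegeSeparation yes` are still honoured there but, as far as I recall, are deprecated or ignored by later OpenSSH releases; a short comment such as `# Retained for the stretch OpenSSH release; later sshd versions ignore or reject these.` above them would save the next maintainer a check.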
roles/ldap_server/molecule/default/tests/test_default.py
 
import os
 

	
 
import testinfra.utils.ansible_runner
 

	
 

	
 
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
 
    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('parameters-*')
 

	
 

	
 
def test_installed_packages(host):
 
    """
 
    Tests if all the necessary packages have been installed.
 
    """
 

	
 
    assert host.package('slapd').is_installed
 
    assert host.package('python-ldap').is_installed
 

	
 

	
 
def test_ldap_user_group(host):
 
    """
 
    Tests if LDAP server user is part of group that allows it to traverse TLS
 
    private keys directory.
 
    """
 

	
 
    assert "ssl-cert" in host.user('openldap').groups
 

	
 

	
 
def test_ldap_server_service_sockets_and_ports(host):
 
    """
 
    Tests if LDAP server has been configured to listen on correct sockets.
 
    """
 

	
 
    assert host.socket('tcp://389').is_listening
 
    assert host.socket('tcp://636').is_listening
 
    assert host.socket('unix:///var/run/slapd/ldapi').is_listening
 
    assert host.socket('unix:///run/slapd/ldapi').is_listening
 

	
 

	
 
def test_ldap_server_service(host):
 
    """
 
    Tests if the LDAP service is enabled and running.
 
    """
 

	
 
    service = host.service('slapd')
 

	
 
    assert service.is_enabled
 
    assert service.is_running
 

	
 

	
 
def test_syslog_configuration(host):
 
    """
 
    Tests if syslog configuration file has been deployed, and log file was
 
    created correctly (and is being logged to).
 
    """
 

	
 
    config = host.file('/etc/rsyslog.d/slapd.conf')
 
    assert config.is_file
 
    assert config.user == 'root'
 
    assert config.group == 'root'
 
    assert config.mode == 0o644
 

	
 
    with host.sudo():
 
        log = host.file('/var/log/slapd.log')
 
        assert log.is_file
 
        assert 'slapd' in log.content
 

	
 

	
 
def test_log_rotation_configuration(host):
 
    """
 
    Tests if log rotation configuration file has been deployed correctly and has
 
    valid syntax.
 
    """
 

	
 
    config = host.file('/etc/logrotate.d/slapd')
 

	
 
    assert config.is_file
 
    assert config.user == 'root'
 
    assert config.group == 'root'
 
    assert config.mode == 0o644
 

	
 
    with host.sudo():
 

	
 
        assert host.run('logrotate /etc/logrotate.d/slapd').rc == 0
 

	
 

	
 
def test_misc_schema_presence(host):
 
    """
 
    Tests if the misc LDAP schema has been imported.
 
    """
 

	
 
    with host.sudo():
 

	
 
        misc_schema = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn')
 
        assert misc_schema.rc == 0
 
        assert 'dn: cn={4}misc,cn=schema,cn=config' in misc_schema.stdout
 

	
 

	
 
def test_memberof_module(host):
 
    """
 
    Tests if the memberof overlay has been enabled for the main database.
 
    """
 

	
 
    with host.sudo():
 
        memberof = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -b cn=config dn')
 

	
 
        assert memberof.rc == 0
 
        assert 'dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config' in memberof.stdout
 

	
 

	
 
def test_basic_directory_structure(host):
 
    """
 
    Tests if the base LDAP directory structure has been set-up correctly.
 
    """
 

	
 
    with host.sudo():
 

	
 
        ous = ["people", "groups", "services"]
 

	
 
        for ou in ous:
 

	
 
            entry = host.run('ldapsearch -H ldapi:/// -Q -LLL -Y EXTERNAL -s base -b ou=%s,dc=local' % ou)
 

	
 
            assert entry.rc == 0
 
            assert entry.stdout == """dn: ou=%(ou)s,dc=local
 
objectClass: organizationalUnit
 
ou: %(ou)s
 

	
 
""" % {'ou': ou}
 

	
 

	
 
def test_mail_service_entries(host):
 
    """
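Review bot: `host.socket('unix:///run/slapd/ldapi').is_listening` compares against the literal path slapd handed to bind(), as the kernel reports it, not a canonicalised one; this commit changes no slapd configuration, so the assertion holds only if the role (or the distribution default behind `ldapi:///`) already binds `/run/slapd/ldapi` rather than `/var/run/slapd/ldapi` — on a host where `/var/run` is merely a symlink, a daemon bound via the old spelling would make this test fail even though the socket works. If the role deliberately pins the socket path, asserting that setting (e.g. `SLAPD_SERVICES` in `/etc/default/slapd`) next to the socket check would make the intent explicit; otherwise accept both spellings with `assert any(host.socket(s).is_listening for s in ('unix:///run/slapd/ldapi', 'unix:///var/run/slapd/ldapi'))`. The `ldapsearch -H ldapi:///` calls further down resolve the socket through libldap's compiled-in default and are unaffected by this edit.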
roles/xmpp_server/templates/prosody.cfg.lua.j2
 
-- Additional paths to search for modules.
 
plugin_paths = { "/usr/local/lib/prosody/modules/" }
 

	
 
-- List of server administrators.
 
admins = { {% for admin in xmpp_administrators %}"{{ admin }}", {% endfor %} }
 

	
 
-- List of modules to load on startup.
 
modules_enabled = {
 

	
 
  -- Generally required
 
    "roster"; -- Allow users to have a roster. Recommended ;)
 
    "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
 
    "tls"; -- Add support for secure TLS on c2s/s2s connections
 
    "dialback"; -- s2s dialback support
 
    "disco"; -- Service discovery
 
    "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
 

	
 
  -- Not essential, but recommended
 
    "private"; -- Private XML storage (for room bookmarks, etc.)
 
    "vcard"; -- Allow users to set vCards
 

	
 
  -- Nice to have
 
    "version"; -- Replies to server version requests
 
    "uptime"; -- Report how long server has been running
 
    "time"; -- Let others know the time here on this server
 
    "ping"; -- Replies to XMPP pings with pongs
 
    "pep"; -- Enables users to publish their mood, activity, playing music and more
 
    "register"; -- Allow users to register on this server using a client and change passwords
 

	
 
  -- Admin interfaces
 
    "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
 

	
 
  -- Other specific functionality
 
    "announce"; -- Send announcement to all online users
 
    "legacyauth"; -- Allow legacy authentication and SSL
 
};
 

	
 
-- Disable account creation by default, for security
 
-- For more information see http://prosody.im/doc/creating_accounts
 
allow_registration = false;
 

	
 
-- These are the SSL/TLS-related settings. If you don't want
 
-- to use SSL/TLS, you may comment or remove this
 
ssl = {
 
  key = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.key";
 
  certificate = "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem";
 
}
 

	
 
-- Ports on which to have direct TLS/SSL.
 
legacy_ssl_ports = { 5223 }
 

	
 
-- Force clients to use encrypted connection.
 
c2s_require_encryption = true
 

	
 
-- Disable certificate validation for server-to-server connections.
 
s2s_secure_auth = false
 

	
 
-- Path to Prosody's PID file.
 
pidfile = "/var/run/prosody/prosody.pid"
 
pidfile = "/run/prosody/prosody.pid"
 

	
 
-- Authentication backend.
 
authentication = "ldap"
 
ldap_server = "{{ xmpp_ldap_server }}"
 
ldap_rootdn = "cn=prosody,ou=services,{{ xmpp_ldap_base_dn }}"
 
ldap_password = "{{ xmpp_ldap_password }}"
 
ldap_filter = "(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,{{xmpp_ldap_base_dn}}))"
 
ldap_scope = "onelevel"
 
ldap_tls = true
 
ldap_base = "ou=people,{{ xmpp_ldap_base_dn }}"
 

	
 
-- Storage backend.
 
storage = "internal"
 

	
 
-- Logging configuration.
 
log = {
 
  info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
 
  error = "/var/log/prosody/prosody.err";
 
  "*syslog";
 
}
 

	
 
-- Domains which should be handled by Prosody, with dedicated MUC and file
 
-- proxying components.
 
{% for domain in xmpp_domains -%}
 
VirtualHost "{{ domain }}"
 
Component "conference.{{ domain }}" "muc"
 
  restrict_room_creation = "local"
 
Component "proxy.{{ domain }}" "proxy65"
 
  proxy65_acl = { "{{ domain }}" }
 
{% endfor -%}
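Review bot: `pidfile = "/run/prosody/prosody.pid"` points into a tmpfs, so `/run/prosody` has to be recreated on every boot with ownership that lets the unprivileged prosody user write there; nothing in this three-file commit adds a tmpfiles.d entry or `RuntimeDirectory=`, so the template now relies on the distribution's service startup to create that directory (which the Debian package's init script does, as far as I recall — worth verifying, since a missing directory makes prosody fail to start rather than fall back). On stretch `/var/run` is a symlink to `/run`, so the new path is otherwise equivalent to the old one. I would record the dependency next to the setting: `-- Path to Prosody's PID file. /run is tmpfs; the prosody directory is expected to be created by the service startup, not by this role.`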