* Modules enabled: roster, saslauth, tls, dialback, posix, private, vcard,

  version, uptime, time, ping, pep, register, admin_adhoc, announce, legacyauth.

* Self-registration is not allowed.

* TLS is configured. Legacy TLS is available on port 5223.

* Client-to-server communication requires encryption (TLS).

* Authentication is done via LDAP. For setting the LDAP TLS truststore, see

  :ref:`LDAP Client <ldap_client>`.

* Internal storage is used.

* For each domain specified, a dedicated conference/multi-user chat (MUC)

  service is set-up, with FQDN set to ``conference.DOMAIN``.

* For each domain specified, a dedicated file proxy service will be set-up, with

  FQDN set to ``proxy.DOMAIN``.

Prosody expects a specific directory structure in LDAP when doing look-ups:

* Prosody will log-in to LDAP as user

  ``cn=prosody,ou=services,XMPP_LDAP_BASE_DN``.

* User entries are read from sub-tree (first-level only)

  ``ou=people,XMPP_LDAP_BASE_DN``. Query filter used for finding users is

  ``(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,XMPP_LDAP_BASE_DN))``. This

  allows group-based granting of XMPP service to users.

Parameters

~~~~~~~~~~

**xmpp_administrators** (list, mandatory)

  List of Prosody users that should be granted administrator privileges over

  Prosody. Each item is a string with value equal to XMPP user ID

  (i.e. ``john.doe@example.com``).

**xmpp_domains** (list, optional, ``{{ ansible_domain }}``)

  List of domains that are served by this Prosody instance. Each item is a

  string specifying a domain.

**xmpp_ldap_base_dn** (string, mandatory)

  Base DN on the LDAP server. A specific directory structure is expected under

  this entry (as explained above) in order to locate the available domains,

  users, aliases etc.

**xmpp_ldap_password** (string, mandatory)

  Password used for authenticating to the LDAP server.

**xmpp_ldap_server** (string, mandatory)

  Fully qualified domain name, hostname, or IP address of the LDAP server used

  for user authentication and listing.

  notify:

    - Restart Prosody

- name: Set-up directory for storing additional Prosody modules

  file: path=/usr/local/lib/prosody/modules/ state=directory mode=755 owner=root group=root

- name: Deploy the Prosody mod_auth_ldap module

  get_url: url=https://prosody-modules.googlecode.com/hg/mod_auth_ldap/mod_auth_ldap.lua

           dest=/usr/local/lib/prosody/modules/mod_auth_ldap.lua

- name: Set-up file permissions for the Prosody mod_auth_ldap module

  file: dest=/usr/local/lib/prosody/modules/mod_auth_ldap.lua owner=root group=root mode=644

- name: Deploy Prosody configuration file

  template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua

  notify:

    - Restart Prosody

- name: Enable and start Prosody service

  service: name=prosody enabled=yes state=started

- name: Deploy firewall configuration for XMPP server

  copy: src="ferm_xmpp.conf" dest="/etc/ferm/conf.d/30-xmpp.conf" owner=root group=root mode=640

  notify:

---

local_mail_aliases:

  root: "root john.doe@{{ testsite_domain }}"

smtp_relay_host: mail.{{ testsite_domain }}

smtp_relay_truststore: /etc/ssl/certs/ca.pem

backup_clients:

  - server: web.{{ testsite_domain }}

    public_key: "{{ lookup('file', inventory_dir + '/ssh/web.' + testsite_domain + '.pub') }}"

    ip: 10.32.64.18

  - server: mail.{{ testsite_domain }}

    public_key: "{{ lookup('file', inventory_dir + '/ssh/mail.' + testsite_domain + '.pub') }}"

    ip: 10.32.64.15

  - server: ldap.{{ testsite_domain }}

    public_key: "{{ lookup('file', inventory_dir + '/ssh/ldap.' + testsite_domain + '.pub') }}"

    ip: 10.32.64.12

backup_host_ssh_private_keys:

  dsa: "{{ lookup('file', inventory_dir + '/ssh/backup_server_dsa_key') }}"

  rsa: "{{ lookup('file', inventory_dir + '/ssh/backup_server_rsa_key') }}"

  ed25519: "{{ lookup('file', inventory_dir + '/ssh/backup_server_ed25519_key') }}"

  ecdsa: "{{ lookup('file', inventory_dir + '/ssh/backup_server_ecdsa_key') }}"