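---
# Tasks for deploying a Prosody XMPP server with LDAP authentication.
#
# Flow: prepare apt (backports pin for Stretch, Prosody repository + signing
# key), install lua-ldap and Prosody, deploy TLS material, set up a daily
# certificate-validity check, fetch mod_auth_ldap, render the Prosody
# configuration, enable/start the service and open the firewall.
#
# Variables read here (defined by the role/playbook, not in this file):
#   xmpp_prosody_package, xmpp_tls_key, xmpp_tls_certificate,
#   xmpp_mod_auth_ldap_checksum (optional, see the get_url task), run_handlers.
# Handlers notified: "Restart Prosody", "Restart ferm".

- name: Install Python apt bindings
  apt:
    name: python-apt

# The backports repository is fetched over plain HTTP; integrity of the
# packages rests on apt's signature verification against the distribution
# keyring, not on the transport.
- name: Add Debian backports repository for Debian Stretch
  apt_repository:
    repo: "deb http://ftp.debian.org/debian {{ ansible_distribution_release }}-backports main"
    filename: "backports"
    state: present
    mode: "0644"
  when: "ansible_distribution_release == 'stretch'"

# Pin lua-ldap to backports so Stretch gets the Lua 5.2 capable build.
- name: Pin the lua-ldap package to backports repository for Debian Stretch
  template:
    src: "lua_ldap_backports_pin.j2"
    dest: "/etc/apt/preferences.d/lua-ldap"
    owner: root
    group: root
    mode: "0644"
  when: "ansible_distribution_release == 'stretch'"

# The signing key is shipped with the role (files/prosody-debian-packages.gpg)
# rather than downloaded at run time, so the repository below is trusted only
# through this key. Keep the file under review when rotating it.
- name: Add Prosody repository apt key
  apt_key:
    data: "{{ lookup('file', 'prosody-debian-packages.gpg') }}"
    state: present

# Plain HTTP again; apt verifies package signatures with the key added above.
- name: Add Prosody repository
  apt_repository:
    repo: "deb http://packages.prosody.im/debian {{ ansible_distribution_release }} main"
    state: present

# Stick to the 'latest' state to ensure we get pinned package
# installed in case of distribution upgrades.
- name: Install Lua LDAP library
  apt:
    name: lua-ldap
    # [403] Package installs should not use latest
    # The latest has to be used when upgrading existing systems to get
    # the correct version of lua-ldap with support for Lua 5.2 from
    # the backports repository.
    state: latest  # noqa 403
  notify:
    - Restart Prosody

- name: Install Prosody
  apt:
    name: "{{ xmpp_prosody_package }}"
    state: present
  notify:
    - Restart Prosody

# /etc/ssl/private is only traversable by the ssl-cert group on Debian; the
# key itself is additionally restricted to the prosody group below.
- name: Allow Prosody user to traverse the directory with TLS private keys
  user:
    name: prosody
    append: true
    groups: ssl-cert

# no_log keeps the private key out of task output (e.g. the --diff view and
# verbose/registered results). Debug failures of this task by temporarily
# setting no_log to false, never by committing it that way.
- name: Deploy XMPP TLS private key
  copy:
    dest: "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.key"
    content: "{{ xmpp_tls_key }}"
    owner: root
    group: prosody
    mode: "0640"
  no_log: true
  notify:
    - Restart Prosody

- name: Deploy XMPP TLS certificate
  copy:
    dest: "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem"
    content: "{{ xmpp_tls_certificate }}"
    owner: root
    group: root
    mode: "0644"
  notify:
    - Restart Prosody

# 2048-bit DH parameters; generated once (module is idempotent on an existing
# path) and readable only by root and the prosody group.
- name: Generate the XMPP server Diffie-Hellman parameter
  openssl_dhparam:
    owner: root
    group: prosody
    mode: "0640"
    path: "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.dh.pem"
    size: 2048
  notify:
    - Restart Prosody

# The check_certificate config is a single line: the path of the certificate
# the cron job should validate.
- name: Deploy configuration file for checking certificate validity via cron
  copy:
    content: "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem"
    dest: "/etc/check_certificate/{{ ansible_fqdn }}_xmpp.conf"
    owner: root
    group: root
    mode: "0644"

- name: Deploy script for validating Prosody certificate
  copy:
    src: "check_prosody_certificate.sh"
    dest: "/usr/local/bin/check_prosody_certificate.sh"
    owner: root
    group: root
    mode: "0755"

- name: Set-up crontab task that runs the Prosody certificate checker script once a day
  copy:
    src: "cron_check_prosody_certificate"
    dest: "/etc/cron.d/check_prosody_certificate"
    owner: root
    group: root
    mode: "0644"

- name: Set-up directory for storing additional Prosody modules
  file:
    path: "/usr/local/lib/prosody/modules/"
    state: directory
    owner: root
    group: root
    mode: "0755"

# SUPPLY CHAIN: this pulls Lua code that Prosody will execute straight from
# the community-modules repository at the mutable 'tip' revision, so the
# content can change between runs and is not verified beyond TLS.
# Set xmpp_mod_auth_ldap_checksum (e.g. "sha256:<hex>") to pin the expected
# content; when the variable is unset the download behaves exactly as before.
# Pinning the URL to a specific revision instead of 'tip' is the better fix
# once a reviewed revision has been chosen. get_url does not re-download an
# existing destination file, so an already-deployed copy stays as is.
- name: Deploy the Prosody mod_auth_ldap module
  get_url:
    url: "https://hg.prosody.im/prosody-modules/raw-file/tip/mod_auth_ldap/mod_auth_ldap.lua"
    dest: "/usr/local/lib/prosody/modules/mod_auth_ldap.lua"
    checksum: "{{ xmpp_mod_auth_ldap_checksum | default(omit) }}"

# The downloaded module is created with the default umask; this task fixes
# ownership and mode so only root can modify code Prosody loads.
- name: Set-up file permissions for the Prosody mod_auth_ldap module
  file:
    dest: "/usr/local/lib/prosody/modules/mod_auth_ldap.lua"
    owner: root
    group: root
    mode: "0644"

# The configuration carries LDAP bind credentials (rendered from the
# template), hence root:prosody 0640 rather than world-readable.
- name: Deploy Prosody configuration file
  template:
    src: "prosody.cfg.lua.j2"
    dest: "/etc/prosody/prosody.cfg.lua"
    owner: root
    group: prosody
    mode: "0640"
  notify:
    - Restart Prosody

# NOTE(review): change detection relies on rcconf writing to stderr only when
# something was changed -- confirm against the installed rcconf version.
- name: Enable Prosody service on boot (workaround for systemctl broken handling of SysV)
  command: "rcconf -on prosody"
  register: result
  changed_when: not result.stderr

# Boot-time enablement is handled by the rcconf task above; this only starts
# the service now.
- name: Enable and start Prosody service
  service:
    name: prosody
    state: started

# Firewall rules are deployed after the service is started; the ferm reload
# happens in the notified handler at the end of the play.
- name: Deploy firewall configuration for XMPP server
  copy:
    src: "ferm_xmpp.conf"
    dest: "/etc/ferm/conf.d/30-xmpp.conf"
    owner: root
    group: root
    mode: "0640"
  notify:
    - Restart ferm

# Lets a caller force the handlers to run (e.g. `--tags handlers` with
# run_handlers=true) without relying on a task having reported a change.
- name: Explicitly run all handlers
  include: ../handlers/main.yml
  when: "run_handlers | default(False) | bool()"
  tags:
    - handlers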