Update to 2021-12-01 19:13

roles/prosody/defaults/main.yml

@@ -0,0 +1,100 @@
+---
+
+prosody_c2s_ports: [ 5222 ]
+prosody_s2s_ports: [ 5269 ]
+prosody_http_ports: [ 5280 ]
+prosody_component_ports: [ 5347 ]
+
+prosody_c2s_src_ip:
+  - 0.0.0.0/0
+prosody_s2s_src_ip:
+  - 0.0.0.0/0
+prosody_http_src_ip: []
+prosody_component_src_ip: []
+
+prosody_admin_users: []
+
+# 3rd party modules to install
+prosody_base_modules:
+  - name: mod_auth_ldap
+  - name: ext_events.lib
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/ext_events.lib.lua
+  - name: util.lib
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/util.lib.lua
+  - name: mod_speakerstats
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/mod_speakerstats.lua
+  - name: mod_speakerstats_component
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/mod_speakerstats_component.lua
+  - name: mod_turncredentials
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/mod_turncredentials.lua
+  - name: mod_conference_duration
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/mod_conference_duration.lua
+  - name: mod_conference_duration_component
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/mod_conference_duration_component.lua
+  - name: mod_client_proxy
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/mod_client_proxy.lua
+  - name: mod_roster_command
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/mod_roster_command.lua
+  - name: mod_muc_lobby_rooms
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/mod_muc_lobby_rooms.lua
+  - name: mod_muc_breakout_rooms
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/mod_muc_breakout_rooms.lua
+  - name: mod_muc_rate_limit
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/mod_muc_rate_limit.lua
+  - name: mod_muc_meeting_id
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/mod_muc_meeting_id.lua
+  - name: mod_muc_domain_mapper
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/mod_muc_domain_mapper.lua
+  - name: mod_jitsi_session
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/mod_jitsi_session.lua
+  - name: mod_external_services
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/mod_external_services.lua
+  - name: mod_av_moderation
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/mod_av_moderation.lua
+  - name: mod_av_moderation_component
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/mod_av_moderation_component.lua
+  - name: mod_polls
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/mod_polls.lua
+  - name: mod_limits_exception
+    url: https://raw.githubusercontent.com/jitsi/jitsi-meet/master/resources/prosody-plugins/mod_limits_exception.lua
+
+prosody_extra_modules: []
+prosody_modules: "{{ (prosody_base_modules + prosody_extra_modules) | unique }}"
+
+prosody_base_modules_enabled:
+  - roster
+  - saslauth
+  - tls
+  - dialback
+  - disco
+  - carbons
+  - pep
+  - private
+  - blocklist
+  - vcard4
+  - vcard_legacy
+  - version
+  - uptime
+  - time
+  - ping
+  - register
+  - admin_adhoc
+  - bosh
+  - pubsub
+prosody_extra_modules_enabled: []
+prosody_modules_enabled: "{{ (prosody_base_modules_enabled + prosody_extra_modules_enabled) | unique }}"
+
+prosody_base_modules_disabled: []
+prosody_extra_modules_disabled: []
+prosody_modules_disabled: "{{ (prosody_base_modules_disabled + prosody_extra_modules_disabled) | unique }}"
+
+# Wether registration is alowed or not. Not available with all auth backends (not compatible with LDAP for example)
+prosody_allow_registration: False
+
+prosody_auth_provider: "{{ (ad_auth | default(False) or ldap_auth | default(False)) | ternary('ldap','internal_hashed') }}"
+prosody_ldap_servers: "{{ ad_ldap_servers | default([ad_auth | default(False) | ternary(ad_realm | default(samba_realm) | default(ansible_domain) | lower, ldap_uri | default('ldap://' + ansible_domain) | urlsplit('hostname'))]) }}"
+prosody_ldap_base: "{{ ad_auth | default(False) | ternary((ad_ldap_user_search_base is defined) | ternary(ad_ldap_user_search_base,'DC=' + ad_realm | default(samba_realm) | default(ansible_domain) | regex_replace('\\.',',DC=')), ldap_user_base | default('ou=Users') + ',' + ldap_base | default(ansible_domain | regex_replace('\\.',',dc='))) }}"
+prosody_ldap_filter: "{{ ad_auth | default(False) | ternary('(&(objectClass=user)(sAMAccountName=%s))','(&(objectClass=inetOrgPerson)(uid=%s))') }}"
+prosody_ldap_starttls: True
+# prosody_ldap_bind_dn: CN=prosody,OU=Apps,DC=domain,DC=tld
+# prosody_ldap_bind_pass: S3cr3t.

roles/prosody/files/mod_participant_metadata.lua

@@ -0,0 +1,53 @@
+local _jid = require "util.jid";
+
+log('info', 'Loaded Custom Presence identity');
+
+module:hook("pre-presence/full", function (event)
+
+  local function get_room_from_jid(jid)
+    local node, host = _jid.split(jid);
+    local component = hosts[host];
+      
+    if component then
+      local muc = component.modules.muc
+      if muc and rawget(muc,"rooms") then
+        -- We're running 0.9.x or 0.10 (old MUC API)
+        return muc.rooms[jid];
+      elseif muc and rawget(muc,"get_room_from_jid") then
+        -- We're running >0.10 (new MUC API)
+        return muc.get_room_from_jid(jid);
+      else
+        return
+      end
+    end
+  end
+
+  local origin, stanza = event.origin, event.stanza;
+  local to = _jid.bare(stanza.attr.to);
+
+  if get_room_from_jid(to) then
+    local room = get_room_from_jid(to);
+    local occupant = room._occupants[tostring(stanza.attr.to)];
+
+    if occupant then
+      local email = stanza:get_child_text("email") or "";
+      local role = tostring(occupant.role);
+
+      if email ~= "" and role == "moderator" then
+        stanza:maptags(
+          function(tag)
+            for k, v in pairs(tag) do
+              if k == "name" and v == "identity" then
+                return nil
+              end
+            end
+          return tag
+        end)
+
+        stanza:tag("identity"):tag("user");
+        stanza:tag("id"):text(email):up();
+        stanza:up();
+      end
+    end
+  end
+end);

roles/prosody/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+
+- name: reload prosody
+  service: name=prosody state=reloaded
+
+- name: restart prosody
+  service: name=prosody state=restarted
+
+- name: restart saslauthd
+  service: name=saslauthd state=restarted

roles/prosody/tasks/conf.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Deploy prosody configuration
+  template: src={{ item.src }} dest={{ item.dest }} owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - src: prosody.cfg.lua.j2
+      dest: /etc/prosody/prosody.cfg.lua
+      group: prosody
+      mode: 640
+  notify: reload prosody
+  tags: prosody
+
+# TODO: support vhosts

roles/prosody/tasks/directories.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Create directories
+  file: path={{ item.dir }} state=directory owner={{ item.owner | default(omit) }} group={{ item.group | default(omit) }} mode={{ item.mode | default(omit) }}
+  loop:
+    - dir: /etc/prosody/ansible_conf.d
+    - dir: /opt/prosody/modules
+  tags: prosody

roles/prosody/tasks/facts.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Ensure cyrus is enabled
+  set_fact: prosody_modules_enabled={{ prosody_modules_enabled + ['auth_cyrus'] }}
+  when: prosody_auth_provider == 'cyrus' and 'auth_cyrus' not in prosody_modules_enabled
+  tags: prosody
+

roles/prosody/tasks/install.yml

@@ -0,0 +1,46 @@
+---
+
+- name: Install prosody
+  yum:
+    name:
+      - prosody
+      - lua-ldap
+      - lua-cyrussasl
+  tags: prosody
+
+- name: Create systemd unit snippet dir
+  file: path=/etc/systemd/system/prosody.service.d state=directory
+  tags: prosody
+
+- name: Install modules
+  get_url:
+    url: "{{ item.url | default('https://raw.githubusercontent.com/prosody-modules/' ~ item.name ~ '/master/' ~ item.name ~ '.lua') }}"
+    dest: /opt/prosody/modules/{{ item.name }}.lua
+  loop: "{{ prosody_modules }}"
+  notify: restart prosody
+  tags: prosody
+
+- name: Install Participan Metadata module
+  copy:
+    src: mod_participant_metadata.lua
+    dest: /opt/prosody/modules/
+  notify: restart prosody
+  tags: prosody
+
+- name: Remove useless unit override
+  file: path=/etc/systemd/system/prosody.service.d/99-ansible.conf state=absent
+  register: prosody_unit
+  notify: restart prosody
+  tags: prosody
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: prosody_unit.changed
+  tags: prosody
+
+- name: Allow prosody to query LDAP servers
+  seboolean: name={{ item }} state=True persistent=True
+  loop:
+    - authlogin_nsswitch_use_ldap
+  when: ansible_selinux.status == 'enabled'
+  tags: prosody

roles/prosody/tasks/iptables.yml

@@ -0,0 +1,19 @@
+---
+
+- name: Handle ports for prosody
+  iptables_raw:
+    name: prosody_port_{{ item.name }}
+    state: "{{ (item.src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -p tcp -m multiport --dports {{ item.ports | join(',') }} -s {{ item.src_ip | join(',') }} -j ACCEPT"
+  loop:
+    - name: c2s
+      src_ip: "{{ prosody_c2s_src_ip }}"
+      ports: "{{ prosody_c2s_ports }}"
+    - name: s2s
+      src_ip: "{{ prosody_s2s_src_ip }}"
+      ports: "{{ prosody_s2s_ports }}"
+    - name: http
+      src_ip: "{{ prosody_http_src_ip }}"
+      ports: "{{ prosody_http_ports }}"
+  when: iptables_manage | default(True)
+  tags: firewall,prosody

roles/prosody/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+
+- include: directories.yml
+- include: install.yml
+- include: facts.yml
+- include: conf.yml
+- include: iptables.yml
+- include: service.yml

roles/prosody/tasks/service.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Start and enable prosody
+  service: name=prosody state=started enabled=True
+  tags: prosody

roles/prosody/templates/prosody.cfg.lua.j2

@@ -0,0 +1,73 @@
+-- {{ ansible_managed }}
+
+plugin_paths = { "/opt/prosody/modules" }
+
+admins = {
+{% for user in prosody_admin_users %}
+  "{{ user }}",
+{% endfor %}
+}
+modules_enabled = {
+{% for module in prosody_modules_enabled %}
+  "{{ module }}";
+{% endfor %}
+}
+modules_disabled = {
+{% for module in prosody_modules_disabled %}
+  "{{ module }}";
+{% endfor %}
+}
+
+allow_registration = {{ prosody_allow_registration | ternary('true','false') }}
+c2s_require_encryption = true
+s2s_require_encryption = true
+s2s_secure_auth = false
+
+c2s_ports = {
+{% for port in prosody_c2s_ports %}
+  {{ port }},
+{% endfor %}
+}
+s2s_port = {
+{% for port in prosody_s2s_ports %}
+  {{ port }},
+{% endfor %}
+}
+http_port = {
+{% for port in prosody_http_ports %}
+  {{ port }},
+{% endfor %}
+}
+component_ports = {
+{% for port in prosody_component_ports %}
+  {{ port }},
+{% endfor %}
+}
+component_interface = "0.0.0.0"
+
+authentication = "{{ prosody_auth_provider }}"
+
+{% if prosody_auth_provider == 'ldap' %}
+ldap_base = "{{ prosody_ldap_base }}"
+ldap_server = "{{ prosody_ldap_servers | join(' ') }}"
+{% if prosody_ldap_bind_dn is defined and prosody_ldap_bind_pass is defined %}
+ldap_rootdn = "{{ prosody_ldap_bind_dn }}"
+ldap_password = "{{ prosody_ldap_bind_pass }}"
+{% endif %}
+ldap_filter = "{{ prosody_ldap_filter }}"
+ldap_scope = "subtree"
+ldap_tls = {{ prosody_ldap_starttls | ternary('true','false') }}
+{% endif %}
+
+log = {
+  info = "*console";
+  error = "*console";
+}
+
+certificates = "/etc/pki/prosody/";
+pidfile = "/run/prosody/prosody.pid";
+daemonize = false;
+
+VirtualHost "localhost"
+
+Include "ansible_conf.d/*.cfg.lua"