Commit f85d4c62 authored by Bernhard Geier

Use certbot from snap, small bugfixes

- Certbot is not in the repo of Tumbleweed 15.4, take it from the snap store
- Bugfix: create TLS certificate for the web domain
- Docs: explained the procedure for the certificates of the XMPP domains,
  extended the example config
- prosody.web_domain.name is now optional
- Do not install lua 5.3 packages, since Tumbleweed 15.4 also still uses lua 5.1 for Prosody
- Role "firewalld" for disabling the firewall moved forward, since otherwise
  Certbot cannot obtain certificates
parent 5ce1b3c9
......@@ -21,7 +21,7 @@ The configuration for `host_vars/xmpp.bytewerk.org` is used for a productive ser
### Requirements:
* Server running openSUSE Leap 15.2 or 15.3 with a fixed IPv4 address
* Server running openSUSE Leap 15.2, 15.3, 15.4 with a fixed IPv4 address
* A domain name, and you are able to edit its nameserver entries
......@@ -30,6 +30,9 @@ The configuration for `host_vars/xmpp.bytewerk.org` is used for a productive ser
Ansible >= 2.10 is required.
1. Make sure you can log in on the server as root, without having to type in a password. (Use SSH Public Key authentication.)
1. Rename the file `hosts.example` to `hosts`, edit it and set your server's hostname and IP address
1. In directory `host_vars` rename the file `xmpp.example.com` to your server's hostname and set your preferences in that file
1. In directory `host_vars` rename the file `xmpp.example.com` to your server's hostname, set your preferences in that file and create the required DNS entries as shown in that file.
1. Execute `ansible-playbook -i hosts xmpp.yml` to start the installation.\
You can use the option `--diff` to see in detail what Ansible does on your server, and/or `--check` for a dry-run.
#### Final step:
Copy the TLS certificate and keys for each XMPP domain(s) into /etc/prosody/certs/<domainname/ (cert file: "fullchain.pem", key file: "privkey.pem") and restart Prosody with `systemctl restart prosody`
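Review bot: In the new "Final step" line the path placeholder is malformed (`/etc/prosody/certs/<domainname/` lacks the closing `>`), and the step does not say which owner and mode `privkey.pem` must have after copying. Suggest writing `/etc/prosody/certs/<domainname>/` and stating that the key file should be readable only by the account Prosody runs as. "each XMPP domain(s)" should read "each XMPP domain".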
......@@ -5,18 +5,18 @@
##### EXAMPLE:
# In this example configuration we're setting up a XMPP server named "xmpp.example.com" that serves two XMPP domains.
# "foobar.org" shows all possible configuration options, "server.net" is a minimal example.
# In this example configuration we're setting up a XMPP server named "xmpp.example.com" that serves two XMPP domains:
# "server.net" is a minimal example, "foobar.org" shows all possible configuration options.
#
# - foobar.org:
# - server.net:
# Users can register with their XMPP client, open for anyone.
# conversejs is accessible via https://xmpp.example.com/conversejs-foobar
# conversejs is accessible via https://xmpp.example.com/conversejs-server.net
#
# - server.net:
# - foobar.org:
# Restricted to users who already have an account on the IMAP server "mail.server.net".
# Valid IMAP users can immediatelly use the XMPP server, no extra registration required.
# (JIDs: <IMAP-username>@server.net, password: <IMAP-password>)
# conversejs is accessible via https://xmpp.example.com/conversejs-server.net
# conversejs is accessible via https://xmpp.example.com/conversejs-foobar
#
# "xmpp.example.com" will be used for BOSH, websockets, STUN/TURN server, Converse.js and a info web page - for both XMPP domains.
#
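Review bot: After the two descriptions were swapped, the block now headed `# - foobar.org:` still gives the JID form as `<IMAP-username>@server.net`; it should read `<IMAP-username>@foobar.org` so the IMAP-backed example matches its heading. The same block has the typo "immediatelly", which could be fixed in the same pass.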
......@@ -115,7 +115,7 @@ prosody:
# virtual host on this server offering BOSH, websockets, Converse.js and optionally a web site (see "content_git") for all xmpp_domains
web_domain:
name: "xmpp.example.com"
name: "xmpp.example.com" # (default: the server's hostname)
admin_email: "webmaster@example.com" # mail address of webserver admin
content_git: # optional. If you want https://xmpp.example.net display some content, put that in a git repo and set it's URL below.
url: http://git.bingo-ev.de/geierb/bytewerk-xmpp-server-website.git
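Review bot: The new comment on `name:` says the default is "the server's hostname", but the templates in this commit fall back to `inventory_hostname`, which is the name used in the Ansible `hosts` file and need not be the machine's own hostname. Word it as "default: the host's name in the Ansible inventory" and mention that certbot requests a certificate for that name, so it must resolve to the server. Separately, the example `content_git` URL in this hunk is plain `http://`; an `https://` URL would keep the cloned web content from being altered in transit.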
......@@ -123,9 +123,32 @@ prosody:
# list here your XMPP domains
xmpp_domains:
# Minimal example
- name: "server.net"
# Components # you need all four (muc, proxy65, upload, pubsub), and you need to create A records in DNS pointing to this server
muc: "conference.server.net"
proxy65: "proxy65.server.net"
uploads: "upload.server.net"
pubsub: "pubsub.server.net"
legacy_ssl_port: 5225
authentication_provider: internal_hashed # where to store user accounts (possible values: internal_hashed, imap. default: internal_hashed)
allow_registration: true # possible values: true, false, invite (default: false)
# - true: allow anyone to register within a XMPP client
# - false: all users have to be created manually by the server admin with "prosodyctl adduser <JID>"
# - invite: allow existing users to invite new users
# no effect if "authentication_provider = imap", new users must be created on the IMAP server in that case
admin_jids:
- admin@foobar.org
- chef@server.net
# More sophisticated example
- name: "foobar.org"
components: # you need all four (muc, proxy65, upload, pubsub), and you need to set them up in DNS
components: # you need all four (muc, proxy65, upload, pubsub), and you need to create A records in DNS pointing to this server
conference: "conference.foobar.org"
proxy65: "proxy.foobar.org"
upload: "upload.foobar.org"
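Review bot: The added `server.net` entry lists `muc`, `proxy65`, `uploads` and `pubsub` without a `components:` key, while the `foobar.org` entry nests them under `components:` with the names `conference` and `upload`, and the comment names a third set (muc, proxy65, upload, pubsub). Use one structure and one set of key names in both examples so that a copied minimal config is read the same way as the full one. Also consider whether the copy-and-paste example should ship with `allow_registration: true`, given that the documented default is `false`.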
......@@ -133,12 +156,7 @@ prosody:
legacy_ssl_port: 5223 # port for "legacy SSL" connections, must be listed in DNS and not be shared with other XMPP domains
authentication_provider: internal_hashed # where to store user accounts (possible values: internal_hashed, imap. default: internal_hashed)
allow_registration: invite # possible values: true, false, invite (default: false)
# true: allow anyone to register within a XMPP client
# false: users have to be created manually by the server admin with "prosodyctl adduser <JID>"
# invite: allow existing users to invite new users
# no effect if "authentication_provider = imap", new users must be created on the IMAP server in that case
authentication_provider: imap # use the IMAP server configured above for user authentication (possible values: internal_hashed, imap. default: internal_hashed)
max_upload_mbyte: 1000 # max. file upload size in MByte (default: 100)
delete_uploads_after_days: 31 # delete uploaded files after XX days. (default: never)
delete_messages_after_days: 31 # delete archived messages after XX days. (default: never)
......@@ -164,22 +182,6 @@ prosody:
name: "nrpe-testuser" # test user's jid will be "nrpe-testuser@foobar.org"
password: "hkjwhd8u230wjl" # optional, default: random
- name: "server.net"
# Components
muc: "conference.server.net"
proxy65: "proxy65.server.net"
uploads: "upload.server.net"
pubsub: "pubsub.server.net"
legacy_ssl_port: 5225
authentication_provider: imap # use the IMAP server configured above for user authentication (possible values: internal_hashed, imap. default: internal_hashed)
admin_jids:
- admin@foobar.org
- chef@server.net
# Converse.js
......
......@@ -51,7 +51,7 @@
- name: Create common web vHost configuration
template:
src: "vhost-web.j2"
dest: "/etc/apache2/vhosts.d/{{ prosody.web_domain.name }}.conf"
dest: "/etc/apache2/vhosts.d/{{ prosody.web_domain.name | default(inventory_hostname) }}.conf"
mode: "0644"
notify: restart apache2
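Review bot: `prosody.web_domain.name | default(inventory_hostname)` is now repeated in every task and template that needs the web host name, starting with this `dest:` line, so a single missed occurrence silently breaks the optional setting. Resolve the fallback once (for example in a `set_fact` or role default under a name of your choosing) and reference that variable everywhere.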
......@@ -72,7 +72,7 @@
repo: "https://github.com/DigitaleGesellschaft/Anonip.git"
dest: "/usr/local/Anonip.git"
clone: yes
version: master
version: main
notify: restart apache2
tags:
- skip_ansible_lint
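Review bot: `version: main` makes the playbook check out whatever is currently at the head of the Anonip repository, and the vhost template pipes Apache's access log through `/usr/local/Anonip.git/anonip.py`. Pin `version:` to a release tag or commit hash that has been reviewed, so an upstream change does not start running on the server unnoticed.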
......@@ -88,7 +88,7 @@
git:
repo: "{{ prosody.web_domain.content_git.url }}"
version: "{{ prosody.web_domain.content_git.branch | default('master') }}"
dest: "/srv/var/www/vhosts/{{ prosody.web_domain.name }}/"
dest: "/srv/var/www/vhosts/{{ prosody.web_domain.name | default(inventory_hostname) }}/"
clone: yes
update: yes
tags:
......
# {{ ansible_managed }}
ServerName {{ prosody.web_domain.name }}
ServerName {{ prosody.web_domain.name | default(inventory_hostname) }}
......@@ -56,5 +56,5 @@
</Location>
# Redirect to info page
Redirect 301 / https://{{ prosody.web_domain.name }}/
Redirect 301 / https://{{ prosody.web_domain.name | default(inventory_hostname) }}/
</VirtualHost>
......@@ -48,5 +48,5 @@
Include /etc/apache2/letsencrypt-ssl-apache.conf
# Redirect to info page
Redirect 301 / https://{{ prosody.web_domain.name }}/
Redirect 301 / https://{{ prosody.web_domain.name | default(inventory_hostname) }}/
</VirtualHost>
......@@ -48,5 +48,5 @@
Include /etc/apache2/letsencrypt-ssl-apache.conf
# Redirect to info page
Redirect 301 / https://{{ prosody.web_domain.name }}/
Redirect 301 / https://{{ prosody.web_domain.name | default(inventory_hostname) }}/
</VirtualHost>
# {{ ansible_managed }}
# Required for:
# - maintaining Prosody's LetsEncrypt certificate {{ prosody.web_domain.name }}
# - reverse proxy for BOSH (URL: https://{{ prosody.web_domain.name }}/http-bind)
# - maintaining Prosody's LetsEncrypt certificate {{ prosody.web_domain.name | default(inventory_hostname) }}
# - reverse proxy for BOSH (URL: https://{{ prosody.web_domain.name | default(inventory_hostname) }}/http-bind)
# - reverse proxy for BOSH-Autoconfiguration (XEP-0156)
# - reverse proxy for Websocket (URL: https://{{ prosody.web_domain.name }}/xmpp-websocket)
# - reverse proxy for Websocket (URL: https://{{ prosody.web_domain.name | default(inventory_hostname) }}/xmpp-websocket)
# - reverse proxy for Prosody's invite based user registration
<VirtualHost *:80>
ServerName {{ prosody.web_domain.name }}
ServerName {{ prosody.web_domain.name | default(inventory_hostname) }}
ServerAdmin {{ prosody.web_domain.admin_email }}
DocumentRoot /srv/var/www/vhosts/{{ prosody.web_domain.name }}
DocumentRoot /srv/var/www/vhosts/{{ prosody.web_domain.name | default(inventory_hostname) }}
# Logging
ErrorLog /var/log/apache2/{{ prosody.web_domain.name }}-error_log
CustomLog "|/usr/bin/python3 /usr/local/Anonip.git/anonip.py --skip-private --output /var/log/apache2/{{ prosody.web_domain.name }}-access_log" combined env=!dontlog
ErrorLog /var/log/apache2/{{ prosody.web_domain.name | default(inventory_hostname) }}-error_log
CustomLog "|/usr/bin/python3 /usr/local/Anonip.git/anonip.py --skip-private --output /var/log/apache2/{{ prosody.web_domain.name | default(inventory_hostname) }}-access_log" combined env=!dontlog
# Don't loose time with IP address lookups
HostnameLookups Off
......@@ -36,18 +36,18 @@
<VirtualHost *:443>
ServerName {{ prosody.web_domain.name }}
ServerName {{ prosody.web_domain.name | default(inventory_hostname) }}
ServerAdmin {{ prosody.web_domain.admin_email }}
DocumentRoot /srv/var/www/vhosts/{{ prosody.web_domain.name }}
DocumentRoot /srv/var/www/vhosts/{{ prosody.web_domain.name | default(inventory_hostname) }}
# Enable HTTP/2, if available
Protocols h2 http/1.1
# Logging
ErrorLog /var/log/apache2/{{ prosody.web_domain.name }}-error_log
CustomLog "|/usr/bin/python3 /usr/local/Anonip.git/anonip.py --skip-private --output /var/log/apache2/{{ prosody.web_domain.name }}-access_log" combined env=!dontlog
ErrorLog /var/log/apache2/{{ prosody.web_domain.name | default(inventory_hostname) }}-error_log
CustomLog "|/usr/bin/python3 /usr/local/Anonip.git/anonip.py --skip-private --output /var/log/apache2/{{ prosody.web_domain.name | default(inventory_hostname) }}-access_log" combined env=!dontlog
# Don't loose time with IP address lookups
HostnameLookups Off
......@@ -56,8 +56,8 @@
UseCanonicalName Off
# LetsEncrypt
SSLCertificateFile /etc/letsencrypt/live/{{ prosody.web_domain.name }}/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/{{ prosody.web_domain.name }}/privkey.pem
SSLCertificateFile /etc/letsencrypt/live/{{ prosody.web_domain.name | default(inventory_hostname) }}/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/{{ prosody.web_domain.name | default(inventory_hostname) }}/privkey.pem
Include /etc/apache2/letsencrypt-ssl-apache.conf
###############################
......
- name: Install Certbot
- name: Remove distribution Certbot
zypper:
name: "python3-certbot-apache"
name: "{{ item }}"
state: absent
loop:
- python3-certbot-apache
- python3-certbot
- name: Set up repository snappy repository
zypper_repository:
name: "snappy"
repo: 'https://download.opensuse.org/repositories/system:snappy/openSUSE_Leap_{{ ansible_distribution_version }}/'
auto_import_keys: yes
runrefresh: yes
- name: Install snapd
zypper:
name: "snapd"
- name: Ensure snapd is running
systemd:
name: snapd
state: started
enabled: yes
- name: Install certbot
snap:
classic: yes
name: certbot
- name: Create certificates for XMPP components
include_tasks: vhosts.yml
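Review bot: `auto_import_keys: yes` on the snappy repository accepts whatever signing key the repository presents on first refresh, and `snapd` is then installed from it. Import the expected key explicitly before adding the repository (for example with `rpm_key` and its `fingerprint` option). The repo URL also hard-codes `openSUSE_Leap_`, the task name reads "Set up repository snappy repository", and the `snap` task could set `channel:` so the certbot track is explicit.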
......@@ -27,7 +53,7 @@
- name: Add certbot cronjob
cron:
name: "Renew LetsEncrypt Certificates, check weekly. After renewal scripts in /etc/letsencrypt/renewal-hooks/post get executed to enable the new certs in Apache2, Coturn and Prosody"
job: "/usr/bin/certbot renew --quiet"
job: "/snap/bin/certbot renew --quiet"
minute: "10"
hour: "1"
weekday: "0"
- name: Check if certificates do already exist
stat:
path: /etc/letsencrypt/live/{{ domain[item] }}/cert.pem
path: /etc/letsencrypt/live/{{ item }}/cert.pem
register: letsencrypt_cert_stat
loop: "{{ domain | list }}"
loop: "{{ domain | dict2items | map(attribute='value') + [ prosody.web_domain.name | default(inventory_hostname) ] }}"
- name: Stop Apache2 to allow certbot to generate a cert
service:
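Review bot: In the new `loop:` expression the filter chain binds tighter than `+`, so the result of `map(attribute='value')`, which is a generator, is added to a list; insert `| list` before the `+`. Appending the web domain can also yield a duplicate entry when it equals one of the component names; a trailing `| unique` avoids checking the same path twice.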
......@@ -10,9 +10,12 @@
state: stopped
when: not ansible_check_mode and letsencrypt_cert_stat.results | selectattr('stat.exists','equalto', false) | list | count > 0
notify: restart apache2
register: apache2_service_result
failed_when: "apache2_service_result is failed and 'Could not find the requested service' not in apache2_service_result.msg"
- name: Generate new certificate
command: /usr/bin/certbot certonly --standalone --noninteractive --agree-tos --email {{ prosody.web_domain.admin_email }} -d {{ domain[item] }}
command: /snap/bin/certbot certonly --standalone --noninteractive --agree-tos --email {{ prosody.web_domain.admin_email }} -d {{ item }}
args:
creates: /etc/letsencrypt/live/{{ domain[item] }}/cert.pem
loop: "{{ domain | list }}"
creates: /etc/letsencrypt/live/{{ item }}/cert.pem
loop: "{{ domain | dict2items | map(attribute='value') + [ prosody.web_domain.name | default(inventory_hostname) ] }}"
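Review bot: The `command:` string interpolates `prosody.web_domain.admin_email` and `item` unquoted, so a value containing a space would be split into extra certbot arguments; pass the call as a list with `argv:` instead. The `/snap/bin/certbot` path is now hard-coded here and in the cron job, and the long `loop:` expression is duplicated from the `stat` task; one variable for each keeps the two places in sync.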
......@@ -6,7 +6,7 @@
#external-ip=87.151.201.244
# Hostname
server-name={{ prosody.web_domain.name }}
server-name={{ prosody.web_domain.name | default(inventory_hostname) }}
# Ports that clients can connect to
listening-port=3478
......@@ -14,8 +14,8 @@ alt-listening-port=3479
tls-listening-port=5349
alt-tls-listening-port=5350
cert=/etc/pki/coturn/{{ prosody.web_domain.name }}/fullchain.pem
pkey=/etc/pki/coturn/{{ prosody.web_domain.name }}/privkey.pem
cert=/etc/pki/coturn/{{ prosody.web_domain.name | default(inventory_hostname) }}/fullchain.pem
pkey=/etc/pki/coturn/{{ prosody.web_domain.name | default(inventory_hostname) }}/privkey.pem
# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
no-tlsv1
......@@ -32,7 +32,7 @@ no-cli
keep-address-family
# Realm must be set. Its value does not matter when using a shared secret for authentication as we do
realm={{ prosody.web_domain.name }}
realm={{ prosody.web_domain.name | default(inventory_hostname) }}
# More security for TURN
fingerprint
......@@ -53,11 +53,11 @@ simple-log
# HOW TO TEST:
# For testing on https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/:
# STUN:
# Use URL "stun:{{ prosody.web_domain.name }}:3478", username empty, password empty.
# Use URL "stun:{{ prosody.web_domain.name | default(inventory_hostname) }}:3478", username empty, password empty.
# Result's last line must contain "srflx".
# TURN:
# Comment "use-auth-secret" and "static-auth-secret" above, enable a test user by uncommenting the line "user=test:test" below and restart coturn.
# Then use "turn:{{ prosody.web_domain.name }}:3478", username=test, password=test.
# Then use "turn:{{ prosody.web_domain.name | default(inventory_hostname) }}:3478", username=test, password=test.
# Result's last line must contain "relay".
# Do not forget to undo the changes and restart coturn afterwards!
#user=test:test
......
......@@ -38,7 +38,7 @@ command[check_prosodyctl]=sudo /usr/local/nrpe-plugins/check_prosodyctl
# Certificates for legacy SSL
{% for domain in prosody.xmpp_domains %}
command[check_certificate_{{ domain.name }}]=/usr/lib/nagios/plugins/check_http -C 13,6 --ssl -H {{ prosody.web_domain.name }} -p {{ domain.legacy_ssl_port }}
command[check_certificate_{{ domain.name }}]=/usr/lib/nagios/plugins/check_http -C 13,6 --ssl -H {{ prosody.web_domain.name | default(inventory_hostname) }} -p {{ domain.legacy_ssl_port }}
{% endfor %}
# Certificates for Prosody components
......@@ -49,7 +49,7 @@ command[check_certificate_{{ domain.components[component] }}]=/usr/lib/nagios/pl
{% endfor %}
# Certificate for web domain
command[check_certificate_{{ prosody.web_domain.name }}]=/usr/lib/nagios/plugins/check_http -C 21,7 --sni --ssl -H {{ prosody.web_domain.name }}
command[check_certificate_{{ prosody.web_domain.name | default(inventory_hostname) }}]=/usr/lib/nagios/plugins/check_http -C 21,7 --sni --ssl -H {{ prosody.web_domain.name | default(inventory_hostname) }}
# .well-known URI
{% for domain in prosody.xmpp_domains %}
......@@ -58,5 +58,5 @@ command[check_wellknown_{{ domain.name }}]=/usr/lib/nagios/plugins/check_http -H
# converse.js
{% for domain in prosody.xmpp_domains %}
command[check_conversejs_{{ domain.name }}]=/usr/lib/nagios/plugins/check_http --ssl -H {{ prosody.web_domain.name }} -u {{ domain.conversejs.weblocation | default("/conversejs-" + domain.name) }} -s converse.initialize
command[check_conversejs_{{ domain.name }}]=/usr/lib/nagios/plugins/check_http --ssl -H {{ prosody.web_domain.name | default(inventory_hostname) }} -u {{ domain.conversejs.weblocation | default("/conversejs-" + domain.name) }} -s converse.initialize
{% endfor %}
# Install Prosody
- name: Set up repository devel-lua for package lua53-luadbi with PostgreSQL support
- name: Set up repository devel-lua (contains luaXX-luadbi with PostgreSQL support and newer Prosody)
zypper_repository:
name: "devel_languages_lua"
repo: 'https://download.opensuse.org/repositories/devel:/languages:/lua/{{ ansible_distribution_version }}/'
......@@ -8,17 +8,17 @@
- name: Install Prosody
# Prosody supports lua 5.3
# for an unknown reason it still defaults to lua 5.1
# for an unknown reason Leap still uses to lua 5.1
zypper:
name: "{{ item }}"
loop:
- "devel_languages_lua:prosody"
- "devel_languages_lua:lua53-luadbi"
- "lua53-luaevent"
- "lua53-luaunbound"
#- "devel_languages_lua:lua53-luadbi"
#- "lua53-luaevent"
#- "lua53-luaunbound"
- "devel_languages_lua:lua51-luadbi"
- "lua51-luaevent"
- "lua51-luaunbound"
- "devel_languages_lua:prosody"
- name: Create directory for systemd service override
file:
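Review bot: The three `lua53-*` entries are left in the package loop as commented-out lines; delete them (the history keeps them) or add a one-line note stating when they should be re-enabled. The new comment "for an unknown reason Leap still uses to lua 5.1" has a stray "to".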
......@@ -223,4 +223,3 @@
- { url: "https://cdn.jsdelivr.net/npm/jquery@3.5/dist/jquery.min.js", subdir: "jquery" }
- { url: "https://cdn.jsdelivr.net/npm/bootstrap@4/dist/css/bootstrap.min.css", subdir: "bootstrap4/css" }
- { url: "https://cdn.jsdelivr.net/npm/bootstrap@4/dist/js/bootstrap.min.js", subdir: "bootstrap4/js" }
......@@ -152,7 +152,7 @@ limit_auth_period = 15; -- within 15 seconds...
limit_auth_max = 5; -- ...tolerate no more than 5 failed authentication attempts
-- WebRTC/Jingle support:
turn_external_host = "{{ prosody.web_domain.name }}";
turn_external_host = "{{ prosody.web_domain.name | default(inventory_hostname) }}";
turn_external_port = 3478;
turn_external_secret = "{{ turnpwd }}";
turn_external_tcp = true;
......@@ -167,7 +167,7 @@ consider_bosh_secure = true; -- Allow operations requiring encryption over plain
consider_websocket_secure = true; -- Allow operations requiring encryption over plain HTTP (i.e. when using a reverse proxy for HTTPS) (default: false)
-- mod_http: HTTPS is done by an Apache2 reverse proxy, so Prosody's HTTPS server can be disabled and HTTP limited to localhost
http_external_url = "https://{{ prosody.web_domain.name }}"; -- Promote all HTTP(S) services using this base URL
http_external_url = "https://{{ prosody.web_domain.name | default(inventory_hostname) }}"; -- Promote all HTTP(S) services using this base URL
http_interfaces = { "127.0.0.1", "::1" }; -- Only listen for HTTP requests on localhost on port 5280 (default: { "*", "::" })
https_interfaces = { }; -- Do not listen for HTTPS requests on any interface on port 5281 - this disables Prosody's HTTPS server (default: { "*", "::" })
......
......@@ -17,7 +17,7 @@ groups_file = "/etc/prosody/sharedGroups-{{ item.name }}.txt"
contact_info = {
abuse = { {{ item.admin_jids | default([]) | map('regex_replace', '^', 'xmpp:') | map("to_json") | join(", ") }} },
admin = { {{ item.admin_jids | default([]) | map('regex_replace', '^', 'xmpp:') | map("to_json") | join(", ") }} },
support = { "https://{{ prosody.web_domain.name }}/" }
support = { "https://{{ prosody.web_domain.name | default(inventory_hostname) }}/" }
};
-- Authentication method (default: internal_hashed)
......@@ -74,13 +74,13 @@ conversejs_options = {
}
conversejs_tags = {
-- Load libsignal-protocol.js for OMEMO support (GPLv3; be aware of licence implications)
[[<script src="https://{{ prosody.web_domain.name }}/conversejs-libsignal-protocol-javascript/libsignal-protocol.js"></script>]];
[[<script src="https://{{ prosody.web_domain.name | default(inventory_hostname) }}/conversejs-libsignal-protocol-javascript/libsignal-protocol.js"></script>]];
{% if item.conversejs.community_plugins is defined %}
-- Load community plugins
{% for plugin in item.conversejs.community_plugins %}
[[<script src="https://{{ prosody.web_domain.name }}/packages/{{ plugin }}/{{ plugin }}.js"></script>]];
[[<link type="text/css" rel="stylesheet" media="screen" href="https://{{ prosody.web_domain.name }}/packages//{{ plugin }}/{{ plugin }}.css" />]];
[[<script src="https://{{ prosody.web_domain.name | default(inventory_hostname) }}/packages/{{ plugin }}/{{ plugin }}.js"></script>]];
[[<link type="text/css" rel="stylesheet" media="screen" href="https://{{ prosody.web_domain.name | default(inventory_hostname) }}/packages//{{ plugin }}/{{ plugin }}.css" />]];
{% endfor %}
{% endif %}
}
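Review bot: The stylesheet `href` on the changed `<link>` line still contains `/packages//{{ plugin }}` with a doubled slash, unlike the `<script>` line above it; drop the extra `/` while this line is being touched.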
......@@ -108,7 +108,7 @@ allow_user_invites = true; -- Allow non-admin users to invite contacts to regist
-- mod_invites_page
site_name = "{{ item.name }} Messenger Service"; -- The friendly name of this server (default: "example.com")
-- mod_invites_register_web
webchat_url = "https://{{ prosody.web_domain.name }}/{{ item.conversejs.weblocation | default("conversejs-" + item.name) }}"; -- External URL to converse.js (default: http_path of conversejs)
webchat_url = "https://{{ prosody.web_domain.name | default(inventory_hostname) }}/{{ item.conversejs.weblocation | default("conversejs-" + item.name) }}"; -- External URL to converse.js (default: http_path of conversejs)
-- Change URLs for mod_invites to support multiple domains
http_paths = {
register_apps = "/{{ item.name }}/register_apps";
......
......@@ -4,6 +4,7 @@
roles:
- set_passwords
- journald
- firewalld
- certbot
- apache2
- coturn
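Review bot: Moving `firewalld` ahead of `certbot` fixes the ordering, but according to the commit message the role does this by disabling the firewall, which leaves every listening service on the host reachable. Prefer keeping firewalld enabled and opening only the ports this stack needs (80/443 for certbot and Apache, plus the XMPP and TURN ports configured in these templates).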
......@@ -11,4 +12,3 @@
- conversejs
- prosody
- nrpe
- firewalld