~xenrox/ansible: roles/ejabberd/tasks/main.yml

---
- name: Get secrets
  ansible.builtin.set_fact:
    ejabberd_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/ejabberd') }}"

- name: install
  community.general.pacman:
    name: ejabberd
    state: present

- name: create DH group
  ansible.builtin.command: openssl dhparam -out /etc/ejabberd/dhparams.pem 2048 creates=/etc/ejabberd/dhparams.pem

- name: create db user
  community.general.postgresql_user:
    name: ejabberd
    password: "{{ ejabberd_secrets['psql_password'] }}"
  become: true
  become_user: postgres
  no_log: true

- name: create db
  community.general.postgresql_db:
    name: ejabberd
    owner: ejabberd
  become: true
  become_user: postgres
  register: ejabberd_db

- name: get db schema
  ansible.builtin.get_url:
    url: https://raw.githubusercontent.com/processone/ejabberd/master/sql/pg.sql
    dest: /tmp/pg.sql
    owner: root
    group: root
    mode: 0644
  when: ejabberd_db.changed

- name: import db schema
  community.general.postgresql_db:
    login_user: ejabberd
    login_password: "{{ ejabberd_secrets['psql_password'] }}"
    name: ejabberd
    state: restore
    target: /tmp/pg.sql
  become: true
  become_user: postgres
  when: ejabberd_db.changed
  no_log: true

- name: configure
  ansible.builtin.template:
    src: ejabberd.yml
    dest: /etc/ejabberd/ejabberd.yml
    owner: jabber
    group: jabber
    mode: 0600
  notify: restart ejabberd

- name: Copy certificate
  ansible.builtin.copy:
    src: /etc/letsencrypt/live/xenrox.net/{{ item }}
    dest: /var/lib/ejabberd/{{ item }}
    remote_src: true
    owner: jabber
    group: jabber
    mode: 0400
  with_items:
    - fullchain.pem
    - privkey.pem

- name: start and enable
  ansible.builtin.systemd:
    name: ejabberd
    enabled: true
    state: started

- name: firewalld allow
  ansible.posix.firewalld:
    service: "{{ item }}"
    state: enabled
    permanent: true
    immediate: true
  with_items:
    - xmpp-client
    - xmpp-server

- name: create upload dir
  ansible.builtin.file:
    path: /var/www/ejabberd_upload
    state: directory
    owner: jabber
    group: jabber
    mode: 0755

- name: create well-known dir
  ansible.builtin.file:
    path: /etc/nginx/html/.well-known
    state: directory
    owner: http
    group: http
    mode: 0755

- name: copy host-meta
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "/etc/nginx/html/.well-known/{{ item }}"
    owner: http
    group: http
    mode: 0644
  with_items:
    - host-meta
    - host-meta.json

- name: create xenrox user
  community.general.ejabberd_user:
    username: xenrox
    host: xenrox.net
    state: present
    password: "{{ ejabberd_secrets['xenrox_password'] }}"
  no_log: true
  # NOTE: currently ansible always displays this module as changed
  # wait for module update to remove changed_when
  changed_when: false

- name: set jabber cron mailto
  ansible.builtin.cron:
    env: true
    name: MAILTO
    user: jabber
    value: admin@xenrox.net

- name: set jabber cronjobs
  ansible.builtin.cron:
    name: "{{ item.name }}"
    state: present
    user: jabber
    job: "chronic /usr/bin/ejabberdctl {{ item.job }}"
    weekday: "1"
    hour: "10"
    minute: "15"
  with_items:
    - { name: delete expired messages, job: delete_expired_messages }
    - { name: delete old mam messages, job: delete_old_mam_messages all 14 }
    - { name: delete old messages, job: delete_old_messages 90 }
    - { name: delete old push sessions, job: delete_old_push_sessions 90 }
    - { name: delete unused users, job: delete_old_users 365 }

- name: Install certificate hook
  ansible.builtin.copy:
    src: ejabberd.hook
    dest: /etc/letsencrypt/hook.d/ejabberd
    owner: root
    group: root
    mode: 0755