---
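# Pull this role's secrets from Vault into a single fact for the tasks below.
# no_log keeps the looked-up values out of the task result, which would
# otherwise show them in verbose output.
- name: Get secrets
  ansible.builtin.set_fact:
    ejabberd_secrets: "{{ lookup('community.hashi_vault.hashi_vault', 'ansible/data/ejabberd') }}"
  no_log: true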

# Make sure the ejabberd package is installed via pacman.
- name: install
  community.general.pacman:
    state: present
    name: ejabberd

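# Generate 2048-bit DH parameters once. `creates` makes the task idempotent:
# the existing file is kept on later runs (delete it to regenerate).
- name: create DH group
  ansible.builtin.command:
    cmd: openssl dhparam -out /etc/ejabberd/dhparams.pem 2048
    creates: /etc/ejabberd/dhparams.pem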

# Create the PostgreSQL role that ejabberd connects as. Runs as the postgres
# system user; no_log keeps the password out of the play output.
- name: create db user
  become: true
  become_user: postgres
  no_log: true
  community.general.postgresql_user:
    password: "{{ ejabberd_secrets['psql_password'] }}"
    name: ejabberd

# Create the ejabberd database owned by the ejabberd role. The result is
# registered so the schema download/import below only runs on first creation.
- name: create db
  become: true
  become_user: postgres
  register: ejabberd_db
  community.general.postgresql_db:
    owner: ejabberd
    name: ejabberd

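# Fetch the PostgreSQL schema only when the database was just created.
# NOTE(review): this downloads from the moving `master` branch with no
# integrity check, so the schema may not match the installed ejabberd package;
# prefer a release tag matching the package plus a `checksum:` pinned to it
# (e.g. checksum: "sha256:<SCHEMA_SHA256_PLACEHOLDER>").
# force: true re-downloads even when a /tmp/pg.sql already exists (the path is
# predictable and in a world-writable directory); without it get_url leaves an
# existing dest file untouched.
- name: get db schema
  ansible.builtin.get_url:
    url: 'https://raw.githubusercontent.com/processone/ejabberd/master/sql/pg.sql'
    dest: /tmp/pg.sql
    force: true
  when: ejabberd_db is changed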

# Restore the downloaded schema into the fresh database, authenticating as the
# ejabberd role (presumably so the created objects belong to it). Only runs
# on first creation; no_log hides the login password.
- name: import db schema
  become: true
  become_user: postgres
  when: ejabberd_db.changed
  no_log: true
  community.general.postgresql_db:
    name: ejabberd
    state: restore
    target: /tmp/pg.sql
    login_user: ejabberd
    login_password: "{{ ejabberd_secrets['psql_password'] }}"

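# Render the ejabberd config. It carries secrets, so it is readable by the
# jabber user only. The mode is quoted so it is passed as an octal string
# instead of relying on the YAML parser's octal handling.
- name: configure
  ansible.builtin.template:
    src: ejabberd.yml
    dest: /etc/ejabberd/ejabberd.yml
    owner: jabber
    group: jabber
    mode: "0600"
  notify: restart ejabberd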

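# Copy the Let's Encrypt chain and private key into ejabberd's state dir
# (remote_src: both files already exist on the host). The copies are
# read-only for the jabber user; mode quoted to keep it an octal string.
- name: Copy certificate
  ansible.builtin.copy:
    src: "/etc/letsencrypt/live/xenrox.net/{{ item }}"
    dest: "/var/lib/ejabberd/{{ item }}"
    remote_src: true
    owner: jabber
    group: jabber
    mode: "0400"
  loop:
    - fullchain.pem
    - privkey.pem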

# Enable ejabberd at boot and ensure it is running now.
- name: start and enable
  ansible.builtin.systemd:
    state: started
    enabled: true
    name: ejabberd

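# Open the XMPP client and server firewalld services, both in the running
# configuration (immediate) and persistently (permanent).
- name: firewalld allow
  ansible.posix.firewalld:
    service: "{{ item }}"
    state: enabled
    permanent: true
    immediate: true
  loop:
    - xmpp-client
    - xmpp-server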

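# Directory for HTTP uploads, owned by the jabber user; mode quoted so it is
# passed as an octal string.
- name: create upload dir
  ansible.builtin.file:
    path: /var/www/ejabberd_upload
    state: directory
    owner: jabber
    group: jabber
    mode: "0755"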

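# .well-known directory under nginx's html root, owned by the http user;
# mode quoted so it is passed as an octal string.
- name: create well-known dir
  ansible.builtin.file:
    path: /etc/nginx/html/.well-known
    state: directory
    owner: http
    group: http
    mode: "0755"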

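# Publish the host-meta discovery files from the role's files dir into
# .well-known; world-readable, mode quoted so it is passed as an octal string.
- name: copy host-meta
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "/etc/nginx/html/.well-known/{{ item }}"
    owner: http
    group: http
    mode: "0644"
  loop:
    - host-meta
    - host-meta.json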

# Ensure the xenrox XMPP account on xenrox.net exists with the password from
# Vault; no_log hides it from the play output.
- name: create xenrox user
  no_log: true
  # NOTE: currently ansible always displays this module as changed
  # wait for module update to remove changed_when
  changed_when: false
  community.general.ejabberd_user:
    state: present
    host: xenrox.net
    username: xenrox
    password: "{{ ejabberd_secrets['xenrox_password'] }}"

# Set MAILTO in the jabber user's crontab so cron output from the jobs below
# is mailed to the admin address.
- name: set jabber cron mailto
  ansible.builtin.cron:
    user: jabber
    env: true
    name: MAILTO
    value: admin@xenrox.net

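# Weekly (Monday 10:15) ejabberd housekeeping, run from the jabber user's
# crontab. chronic suppresses the command's output unless it fails, so cron
# mail is only sent on errors. Items are in block style for readability.
- name: set jabber cronjobs
  ansible.builtin.cron:
    name: "{{ item.name }}"
    state: present
    user: jabber
    job: "chronic /usr/bin/ejabberdctl {{ item.job }}"
    weekday: "1"
    hour: "10"
    minute: "15"
  loop:
    - name: delete expired messages
      job: delete_expired_messages
    - name: delete old mam messages
      job: delete_old_mam_messages all 14
    - name: delete old messages
      job: delete_old_messages 90
    - name: delete old push sessions
      job: delete_old_push_sessions 90
    - name: delete unused users
      job: delete_old_users 365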

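# Install the certificate hook script (presumably re-run after renewal to
# refresh ejabberd's certificate copy — confirm against ejabberd.hook). It
# must be executable; mode quoted so it is passed as an octal string.
- name: Install certificate hook
  ansible.builtin.copy:
    src: ejabberd.hook
    dest: /etc/letsencrypt/hook.d/ejabberd
    owner: root
    group: root
    mode: "0755"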