On May 12, Hartmut Goebel wrote:
> > Yes, the role is integrated with debops.pki. For the ACME support, you will
> > have to install the nginx via debops.nginx role; you could use the webserver
> > to redirect users to the main page if you don't plan to set up anything else
> > on that host besides the XMPP server.
> I don't know prosody well, and probably I still do not understand debops
> acme-support, but for me it looks like the service is configured
> only partially.
> The playbook service/prosody does not include the roles pki nor nginx.
The 'debops.pki' role does not have to be included in the 'debops.prosody'
playbook. The PKI role sets up a few Ansible local facts that point to the
default PKI realm; the 'debops.prosody' role uses these local facts to
configure the service with the correct set of certificates. The 'debops.pki'
role has standardized the X.509 certificate and private key locations, so that
other DebOps/Ansible roles don't have to worry about finding them.
The variables in the 'debops.prosody' that hook to the 'debops.pki' local
facts are here:
https://github.com/debops/debops/blob/master/ansible/roles/debops.prosody...
As for the ACME support, I would suggest that you review the 'debops.pki'
documentation, there's a section that explains it in detail. In essence,
'debops.pki' role will configure the Let's Encrypt certificates on
non-standard PKI realms (the 'domain' PKI realm has ACME support disabled
intentionally), as long as the 'debops.nginx' role is present - via the
http-01 authentication method. All you should need to enable ACME
certificates on a host is that it is reachable from the outside and has a DNS
record pointing to it, like 'host.example.org'. Then just create a PKI realm
on it:
#v+
---
pki_host_realms:
  - name: 'host.example.org'
#v-
Then, when you run the 'debops.pki' role on that host, when it has configured
the nginx webserver, ACME certs should be requested and received automatically.
Then, when you point the 'prosody__pki_realm' variable to the 'host.example.org'
PKI realm, Prosody should automatically use the ACME certs.
> According to https://prosody.im/doc/certificates#automatic_location,
> there has to be a certificate for each VirtualHost and Component
> definition (e.g. example.com and conference.example.com).
> * I could not find any of these names in /etc/ansible nor in /etc/pki.
> Thus even if run manually, neither the ACME role nor the nginx role
> will pick it up, I assume. Thus the ACME certificate will not
> include these domain-names.
You have to create the needed PKI realm first; a realm can have multiple
domain names. See the 'debops.pki' documentation for details. If you have any
issues, we can arrange a Hangouts or TeamViewer session so I can show you how
this works in detail.
If you still have trouble understanding the DebOps PKI/ACME setup after
reading the documentation, then I suppose that the docs need some
improvements. Any idea about what could be added to make this setup easier to
understand is welcome. :-)
> The same is true for "{{ prosody__domain }}" (but I guess this does
> not require a certificate).
> My configuration is straightforward:
>
> prosody__domain: im.my-ngo.org
> prosody__config_virtual_hosts:
>   - name: my-ngo.org
>     enabled: true
>     pki_realm: host
In that case you should create a new PKI realm:
pki_host_realms:
  - name: 'my-ngo.org'
    acme_subdomains: [ 'im' ]
> * Changing the pki_system_realm has no effect on the prosody
> configuration. I assume this is because the debops.pki role is not used.
First check if /etc/ansible/facts.d/pki.fact has the correct realm you
specified as the default one. Next, re-run the debops.prosody role; it should
pick the new realm up from the local facts and modify the Prosody
configuration.
> Any hints? Shall I file some bug-reports?
Let me know if the above suggestions helped first. I don't think there are any
bugs related to PKI in the debops.prosody role right now, but we will see if
the above helps.
Cheers,
Maciej
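As an added example (not code from this thread or from DebOps), here is a small Python check of the point discussed above, that every VirtualHost and Component name Prosody serves must be covered by a PKI realm: it compares those names against the names a 'pki_host_realms' list would request. It assumes that 'acme_subdomains' are prefixed to the realm name and that a VirtualHost's 'pki_realm' refers to a realm by name; the sample configuration is constructed from the one in the mail.

```python
"""Coverage check: does every name Prosody serves have a PKI realm carrying it?
Added example, not DebOps code. Assumes a realm 'my-ngo.org' with
acme_subdomains ['im'] requests a cert for 'my-ngo.org' and 'im.my-ngo.org',
that a VirtualHost's pki_realm names one realm, and that prosody__domain
itself needs a name (the poster was unsure; drop it from the list if not).
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple


def realm_names(pki_host_realms: Iterable[Dict]) -> Dict[str, Set[str]]:
    """Map each realm name to the DNS names its ACME certificate would carry."""
    names: Dict[str, Set[str]] = {}
    for realm in pki_host_realms:
        base = realm["name"]
        subs = realm.get("acme_subdomains", [])
        names[base] = {base} | {f"{sub}.{base}" for sub in subs}
    return names


def prosody_hosts(domain: Optional[str], virtual_hosts: Iterable[Dict] = (),
                  components: Iterable[Dict] = ()) -> List[Tuple[str, Optional[str]]]:
    """Return (hostname, requested realm or None) for every enabled host/component."""
    hosts: List[Tuple[str, Optional[str]]] = [(domain, None)] if domain else []
    for entry in list(virtual_hosts) + list(components):
        if entry.get("enabled", True):
            hosts.append((entry["name"], entry.get("pki_realm")))
    return hosts


def uncovered_hosts(domain, virtual_hosts, components, pki_host_realms) -> List[str]:
    """Names without a certificate: the named realm lacks them, or no realm has them."""
    realms = realm_names(pki_host_realms)
    any_realm = set().union(*realms.values())  # empty when no realm is defined
    missing = []
    for host, wanted in prosody_hosts(domain, virtual_hosts, components):
        covered = realms.get(wanted, set()) if wanted else any_realm
        if host not in covered:
            missing.append(f"{host} (realm {wanted or 'default'})")
    return missing


# Constructed sample modelled on the poster's config; the 'conference' component
# is added to show the Prosody-docs case of a Component needing its own name.
POSTER_HOSTS = [{"name": "my-ngo.org", "enabled": True, "pki_realm": "my-ngo.org"}]
POSTER_COMPONENTS = [{"name": "conference.my-ngo.org"}]

if __name__ == "__main__":
    print(uncovered_hosts("im.my-ngo.org", POSTER_HOSTS, POSTER_COMPONENTS,
                          [{"name": "my-ngo.org", "acme_subdomains": ["im"]}]))
```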