Software / code / prosody-modules
Annotate
misc/systemd/prosody.service @ 6110:1a6cd0bbb7ab
mod_compliance_2023: Add 2023 Version of the compliance module, basis is the 2021 Version.
diff --git a/mod_compliance_2023/README.md b/mod_compliance_2023/README.md
new file mode 100644
--- /dev/null
+++ b/mod_compliance_2023/README.md
@@ -0,0 +1,22 @@
+---
+summary: XMPP Compliance Suites 2023 self-test
+labels:
+- Stage-Beta
+rockspec:
+ dependencies:
+ - mod_cloud_notify
+
+...
+
+Compare the list of enabled modules with
+[XEP-0479: XMPP Compliance Suites 2023] and produce basic report to the
+Prosody log file.
+
+If installed with the Prosody plugin installer then all modules needed for a green checkmark should be included. (With prosody 0.12 only [mod_cloud_notify] is not included with prosody and we need the community module)
+
+# Compatibility
+
+ Prosody-Version Status
+ --------------- ----------------------
+ trunk Works as of 2024-12-21
+ 0.12 Works
diff --git a/mod_compliance_2023/mod_compliance_2023.lua b/mod_compliance_2023/mod_compliance_2023.lua
new file mode 100644
--- /dev/null
+++ b/mod_compliance_2023/mod_compliance_2023.lua
@@ -0,0 +1,79 @@
+-- Copyright (c) 2021 Kim Alvefur
+--
+-- This module is MIT licensed.
+
+local hostmanager = require "core.hostmanager";
+
+local array = require "util.array";
+local set = require "util.set";
+
+local modules_enabled = module:get_option_inherited_set("modules_enabled");
+
+for host in pairs(hostmanager.get_children(module.host)) do
+ local component = module:context(host):get_option_string("component_module");
+ if component then
+ modules_enabled:add(component);
+ modules_enabled:include(module:context(host):get_option_set("modules_enabled", {}));
+ end
+end
+
+local function check(suggested, alternate, ...)
+ if set.intersection(modules_enabled, set.new({suggested; alternate; ...})):empty() then return suggested; end
+ return false;
+end
+
+local compliance = {
+ array {"Server"; check("tls"); check("disco")};
+
+ array {"Advanced Server"; check("pep", "pep_simple")};
+
+ array {"Web"; check("bosh"); check("websocket")};
+
+ -- No Server requirements for Advanced Web
+
+ array {"IM"; check("vcard_legacy", "vcard"); check("carbons"); check("http_file_share", "http_upload")};
+
+ array {
+ "Advanced IM";
+ check("vcard_legacy", "vcard");
+ check("blocklist");
+ check("muc");
+ check("private");
+ check("smacks");
+ check("mam");
+ check("bookmarks");
+ };
+
+ array {"Mobile"; check("smacks"); check("csi_simple", "csi_battery_saver")};
+
+ array {"Advanced Mobile"; check("cloud_notify")};
+
+ array {"A/V Calling"; check("turn_external", "external_services", "turncredentials", "extdisco")};
+
+};
+
+function check_compliance()
+ local compliant = true;
+ for _, suite in ipairs(compliance) do
+ local section = suite:pop(1);
+ if module:get_option_boolean("compliance_" .. section:lower():gsub("%A", "_"), true) then
+ local missing = set.new(suite:filter(function(m) return type(m) == "string" end):map(function(m) return "mod_" .. m end));
+ if suite[1] then
+ if compliant then
+ compliant = false;
+ module:log("warn", "Missing some modules for XMPP Compliance 2023");
+ end
+ module:log("info", "%s Compliance: %s", section, missing);
+ end
+ end
+ end
+
+ if compliant then module:log("info", "XMPP Compliance 2023: Compliant ✔️"); end
+end
+
+if prosody.start_time then
+ check_compliance()
+else
+ module:hook_global("server-started", check_compliance);
+end
+
| author | Menel <menel@snikket.de> |
|---|---|
| date | Sun, 22 Dec 2024 16:06:28 +0100 (3 months ago) |
| parent | 5904:eb1c524a5150 |
| rev | line source |
|---|---|
|
5904
eb1c524a5150
misc/systemd: Add comment with link to our debian resources including systemd service file
Kim Alvefur <zash@zash.se>
parents:
5903
diff
changeset
|
1 # This is an example service file. For some time there's now also one in used in our Debian releases at https://hg.prosody.im/debian/ |
|
eb1c524a5150
misc/systemd: Add comment with link to our debian resources including systemd service file
Kim Alvefur <zash@zash.se>
parents:
5903
diff
changeset
|
2 |
|
2351
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 [Unit] |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 ### see man systemd.unit |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 Description=Prosody XMPP Server |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 Documentation=https://prosody.im/doc |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 [Service] |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 ### See man systemd.service ### |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 # With this configuration, systemd takes care of daemonization |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 # so Prosody should be configured with daemonize = false |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 Type=simple |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 # Not sure if this is needed for 'simple' |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 PIDFile=/var/run/prosody/prosody.pid |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 # Start by executing the main executable |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 ExecStart=/usr/bin/prosody |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 ExecReload=/bin/kill -HUP $MAINPID |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 # Restart on crashes |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 Restart=on-abnormal |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 # Set O_NONBLOCK flag on sockets passed via socket activation |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 NonBlocking=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 ### See man systemd.exec ### |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 WorkingDirectory=/var/lib/prosody |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 User=prosody |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 Group=prosody |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 |
| 5903 | 35 UMask=0027 |
|
2351
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 # Nice=0 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 # Set stdin to /dev/null since Prosody does not need it |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 StandardInput=null |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 # Direct stdout/-err to journald for use with log = "*stdout" |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 StandardOutput=journal |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 StandardError=inherit |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 # This usually defaults to 4k or so |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 # LimitNOFILE=1M |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
48 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
49 ## Interesting protection methods |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
50 # Finding a useful combo of these settings would be nice |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
51 # |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 # Needs read access to /etc/prosody for config |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 # Needs write access to /var/lib/prosody for storing data (for internal storage) |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 # Needs write access to /var/log/prosody for writing logs (depending on config) |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 # Needs read access to code and libraries loaded |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 # ReadWriteDirectories=/var/lib/prosody /var/log/prosody |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 # InaccessibleDirectories=/boot /home /media /mnt /root /srv |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 # ReadOnlyDirectories=/usr /etc/prosody |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 # PrivateTmp=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
62 # PrivateDevices=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
63 # PrivateNetwork=false |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
64 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
65 # ProtectSystem=full |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
66 # ProtectHome=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
67 # ProtectKernelTunables=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
68 # ProtectControlGroups=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
69 # SystemCallFilter= |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
70 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
71 # This should break LuaJIT |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
72 # MemoryDenyWriteExecute=true |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
73 |
|
f8ecb4b248b0
misc: An experimental systemd service file
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
74 |
