XMPP cert handling improvements, ufw rules, and tests

roles/common/tasks/ssl.yml

 - name: Copy SSL private key into place
-  copy: src=wildcard_private.key dest=/etc/ssl/private/wildcard_private.key group=root owner=root
+  copy: src=wildcard_private.key dest=/etc/ssl/private/wildcard_private.key group=ssl-cert owner=root mode=640
 
 - name: Copy SSL public certificate into place
   copy: src=wildcard_public_cert.crt dest=/etc/ssl/certs/wildcard_public_cert.crt group=root owner=root

roles/common/tasks/ufw.yml

     - ssh/tcp
     - ssmtp/tcp
     - imaps/tcp
+    - 5222/tcp  # xmpp c2s
+    - 5269/tcp  # xmpp s2s
     - 6697/tcp  # znc
     - openvpn/udp
     - 60000:61000/udp  # mosh udp packets

roles/xmpp/tasks/prosody.yml

 - name: Install Prosody from official repository
   apt: pkg=prosody update_cache=yes
 
+- name: Add prosody user to ssl-cert group
+  user: name=prosody groups=ssl-cert append=yes
+
 - name: Create Prosody data directory
   file: state=directory path=/decrypted/prosody owner=prosody group=prosody
 
-- name: Copy SSL private key into place for Prosody
-  shell: cp /etc/ssl/private/wildcard_private.key /etc/ssl/private/wildcard_private_prosody.key
-
-- name: Ensure prosody user and group can read private key
-  file: path=/etc/ssl/private/wildcard_private_prosody.key group=prosody owner=prosody
-
-- name: Copy SSL public certificate into place for Prosody
-  shell: cp /etc/ssl/certs/wildcard_public_cert.crt /etc/ssl/certs/wildcard_public_cert_prosody.crt
-
-- name: Ensure prosody user and group can read cert
-  file: path=/etc/ssl/certs/wildcard_public_cert_prosody.crt group=prosody owner=prosody
-
 - name: Configure Prosody
   template: src=prosody.cfg.lua.j2 dest=/etc/prosody/prosody.cfg.lua group=root owner=root
   notify: restart prosody

roles/xmpp/templates/prosody.cfg.lua.j2

 -- These are the SSL/TLS-related settings. If you don't want
 -- to use SSL/TLS, you may comment or remove this
 ssl = {
-	key = "/etc/ssl/private/wildcard_private_prosody.key";
-	certificate = "/etc/ssl/certs/wildcard_public_cert_prosody.crt";
+	key = "/etc/ssl/private/wildcard_private.key";
+	certificate = "/etc/ssl/certs/wildcard_public_cert.crt";
 }
 
 -- Force clients to use encrypted connections? This option will

roles/xmpp/vars/main.yml

-prosody_admin: al3x@al3x.net
-prosody_virtual_domain: al3x.net

tests.py

         m.expunge()
         m.close()
         m.logout()
+
+
+class XMPPTests(unittest.TestCase):
+    def test_xmpp_c2s(self):
+        """Prosody is listening on 5222 for clients and requiring TLS"""
+
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.connect((TEST_SERVER, 5222))
+
+        # Based off http://wiki.xmpp.org/web/Programming_Jabber_Clients
+        s.send("<stream:stream xmlns:stream='http://etherx.jabber.org/streams' "
+               "xmlns='jabber:client' to='sovereign.local' version='1.0'>")
+
+        data = s.recv(1024)
+        s.close()
+
+        self.assertRegexpMatches(
+            data,
+            "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
+        )
+
+    def test_xmpp_s2s(self):
+        """Prosody is listening on 5269 for servers"""
+
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.connect((TEST_SERVER, 5269))
+
+        # Base off http://xmpp.org/extensions/xep-0114.html
+        s.send("<stream:stream xmlns:stream='http://etherx.jabber.org/streams' "
+               "xmlns='jabber:component:accept' to='sovereign.local'>")
+
+        data = s.recv(1024)
+        s.close()
+
+        self.assertRegexpMatches(
+            data,
+            "from='sovereign.local'"
+        )