From b75aabc56ea013cbe8b3e0f5d1001312b2850070 Mon Sep 17 00:00:00 2001 From: Georg Date: Mon, 30 Aug 2021 20:26:06 +0200 Subject: Init ejabberd Signed-off-by: Georg --- ejabberd/ejabberd.yml | 344 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 344 insertions(+) create mode 100644 ejabberd/ejabberd.yml diff --git a/ejabberd/ejabberd.yml b/ejabberd/ejabberd.yml new file mode 100644 index 0000000..7ef001c --- /dev/null +++ b/ejabberd/ejabberd.yml 
@@ -0,0 +1,344 @@ +### +###' ejabberd configuration file +### for +### https://liberta.casa +### by georg@lysergic.dev +### +### The parameters used in this configuration file are explained at +### +### https://docs.ejabberd.im/admin/configuration +### +### The configuration file is written in YAML. +### ******************************************************* +### ******* !!! WARNING !!! ******* +### ******* YAML IS INDENTATION SENSITIVE ******* +### ******* MAKE SURE YOU INDENT SECTIONS CORRECTLY ******* +### ******************************************************* +### Refer to http://en.wikipedia.org/wiki/YAML for the brief description. +### + +hosts: + - liberta.casa + - lib.casa + +loglevel: debug + +certfiles: + - "/etc/ssl/xmpp/xmpp.liberta.casa.crt" + - "/etc/ssl/xmpp/private/xmpp.liberta.casa.key" + +# ca_file: "/opt/ejabberd/conf/cacert.pem" + +listen: + - + port: 5222 + ip: "::" + module: ejabberd_c2s + max_stanza_size: 262144 + shaper: c2s_shaper + access: c2s + starttls_required: true + - + port: 5269 + ip: "::" + module: ejabberd_s2s_in + max_stanza_size: 524288 + - + port: 5443 + ip: "127.0.0.2" + module: ejabberd_http + tls: true + request_handlers: + "/admin": ejabberd_web_admin + "/api": mod_http_api + "/bosh": mod_bosh + "/captcha": ejabberd_captcha + "/upload": mod_http_upload + "/ws": ejabberd_http_ws + # "/oauth": ejabberd_oauth + - + port: 5280 + ip: "127.0.0.2" + module: ejabberd_http + request_handlers: + "/admin": ejabberd_web_admin + - + port: 1883 + ip: "::" + module: mod_mqtt + backlog: 1000 + + - + port: 5347 + ip: 127.0.0.2 + module: ejabberd_service + access: all + hosts: + "biboumi.xyz": + password: $biboumisec + +s2s_use_starttls: required + +acl: + local: + user_regexp: "" + loopback: + ip: + - 127.0.0.0/8 + - ::1/128 + - ::FFFF:127.0.0.1/128 + admin: + user: + - georg@liberta.casa + - acidsys@liberta.casa + - mogad0n@liberta.casa + +access_rules: + local: + allow: local + c2s: + deny: blocked + allow: all + announce: + allow: 
admin + configure: + allow: admin + muc_create: + allow: local + pubsub_createnode: + allow: local + trusted_network: + allow: loopback + +api_permissions: + "console commands": + from: + - ejabberd_ctl + who: all + what: "*" + "admin access": + who: + access: + allow: + acl: loopback + acl: admin + oauth: + scope: "ejabberd:admin" + access: + allow: + acl: loopback + acl: admin + what: + - "*" + - "!stop" + - "!start" + "public commands": + who: + ip: 127.0.0.1/8 + what: + - status + - connected_users_number + +shaper: + normal: 1000 + fast: 50000 + +shaper_rules: + max_user_sessions: 10 + max_user_offline_messages: + 5000: admin + 100: all + c2s_shaper: + none: admin + normal: all + s2s_shaper: fast + +max_fsm_queue: 10000 + +acme: + auto: false + +modules: + mod_adhoc: {} + mod_admin_extra: {} + mod_announce: + access: announce + mod_avatar: {} + mod_blocking: {} + mod_bosh: {} + mod_caps: {} + mod_carboncopy: {} + mod_client_state: {} + mod_configure: {} + mod_disco: + extra_domains: [biboumi.xyz] + name: "LibertaCasa" + server_info: + - + modules: all + name: admin-addresses + urls: + - mailto:hello@liberta.casa + - xmpp:acidsys@liberta.casa + - xmpp:mogad0n@liberta.casa + - + modules: all + name: security-addresses + urls: ["mailto:system@lysergic.dev"] + - + modules: all + name: abuse-addresses + urls: ["mailto:abuse@liberta.casa"] + - + modules: all + name: status-addresses + urls: ["https://status.liberta.casa"] + mod_stun_disco: + credentials_lifetime: 12h + offer_local_services: false + secret: "$stunstaticsec" + services: + - + host: stun.lysergic.dev + port: 3478 + type: stun + transport: udp + restricted: false + - + host: turn.lysergic.dev + port: 3478 + type: turn + transport: udp + restricted: true + - + host: stuns.lysergic.dev + port: 3478 + type: stuns + transport: tcp + restricted: false + - + host: turns.lysergic.dev + port: 3478 + type: turns + transport: tcp + restricted: true + #mod_fail2ban: {} + mod_http_api: {} + mod_http_upload: + 
put_url: https://up.xmpp.@HOST@ + external_secret: "$upsec" + max_size: 26214400 + access: all + dir_mode: "0750" + # thumbnail: true -- not built into the packaged version + vcard: + fn: "LibertaCasa Uploader" + adr: + - + work: true + street: "Data Highway 420" + mod_last: {} + mod_mam: + ## Mnesia is limited to 2GB, better to use an SQL backend + ## For small servers SQLite is a good fit and is very easy + ## to configure. Uncomment this when you have SQL configured: + db_type: sql + assume_mam_usage: true + default: never + mod_mqtt: {} + mod_muc: + access: + - allow + access_admin: + - allow: admin + access_create: muc_create + access_persistent: muc_create + access_mam: + - allow + default_room_options: + allow_subscription: true # enable MucSub + mam: false + allow_user_invites: true + hosts: [conference.@HOST@, muc.@HOST@] + mod_muc_admin: {} + mod_offline: + access_max_user_messages: max_user_offline_messages + mod_ping: {} + mod_privacy: {} + mod_private: {} + mod_proxy65: + access: local + max_connections: 5 + mod_pubsub: + access_createnode: pubsub_createnode + plugins: + - flat + - pep + force_node_config: + ## Avoid buggy clients to make their bookmarks public + storage:bookmarks: + access_model: whitelist + mod_push: {} + mod_push_keepalive: {} + mod_register: + redirect_url: https://sso.casa/ + mod_roster: + versioning: true + mod_s2s_dialback: {} + mod_shared_roster: {} + mod_stream_mgmt: + resend_on_timeout: if_offline + mod_vcard: + db_type: ldap + ldap_rootdn: "cn=ejabberd_vcard,ou=syscid-system,dc=syscid,dc=com" + ldap_password: "$ldapvcardbindsec" + ldap_base: "ou=libertacasa-users,dc=syscid,dc=com" + ldap_vcard_map: + NICKNAME: {"%u": []} + GIVEN: {"%s": [givenName]} + FAMILY: {"%s": [sn]} + FN: {"%s": [displayName]} + EMAIL: {"%s": [mail]} + ID: {"%s": [entryid]} + ldap_search_fields: + User: "%u" + Name: givenName + "Family Name": sn + Email: mail + ID: entryid + ldap_search_reported: + Name: GIVEN + Nickname: NICKNAME + Email: EMAIL + 
mod_vcard_xupdate: {} + mod_version: + show_os: false + +# custom entries +sql_type: mysql +sql_server: "$dbhost" +sql_database: "$db" +sql_username: "$dbuser" +sql_password: "$dbsec" + +auth_method: + - ldap + - anonymous +anonymous_protocol: sasl_anon +disable_sasl_mechanisms: ["X-OAUTH2"] +ldap_servers: + - orpheus.syscid.com + - gaia.syscid.com +ldap_encrypt: tls +ldap_tls_cacertfile: /etc/pki/trust/anchors/syscid-ca.crt +ldap_tls_verify: hard +ldap_password: "$ldapbindsec" +ldap_rootdn: "cn=ejabberd,ou=syscid-system,dc=syscid,dc=com" +ldap_filter: "(objectClass=inetOrgPerson)" + +#append_host_config: + +### Local Variables: +### mode: yaml +### End: +### vim: set filetype=yaml tabstop=8 -- cgit v1.2.3
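Review bot: `loglevel: debug` is committed as the running default; at that level ejabberd writes XML stream traces to the log, which can include message bodies and authentication exchanges, so `loglevel: info` is the safer committed value with debug raised only for a troubleshooting session. Under `api_permissions` → `"admin access"`, both `allow:` blocks list `acl: loopback` and `acl: admin` as two keys of one mapping rather than as sequence items (`- acl: loopback` / `- acl: admin`, the form used for `from:` and `what:` elsewhere in the same stanza), and most YAML loaders silently keep only the last duplicate key — unless the collapsed rendering here dropped the dashes, the intended loopback grant is lost. `auth_method` includes `anonymous` with `anonymous_protocol: sasl_anon` while `mod_http_upload` is `access: all` and `muc_create` is `allow: local`, so unauthenticated sessions can use the 25 MB upload service and create rooms; confirm that is intended or bind those features to an access rule that excludes anonymous users. `#mod_fail2ban: {}` is left commented out while c2s is `allow: all`, so there is no throttling of repeated failed logins; enable it or add a comment explaining why it is off.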