Initial commit of ejabberd.yml

Passwords redacted from production copy and some comments added.

ejabberd/ejabberd.yml

@@ -0,0 +1,304 @@
+## This config adapted from the running version on chinwag.org deployed with ejabberd 20.12
+## installed from the buster-backports repository on Debian 10.
+
+# loglevel: Verbosity of log files generated by ejabberd
+loglevel: 3
+
+# rotation: Disable ejabberd's internal log rotation, as the Debian package
+# uses logrotate(8).
+log_rotate_count: 0
+
+hosts:
+  - chinwag.org
+
+acme:
+  auto: false
+
+certfiles:
+  - "/etc/ejabberd/ejabberd.pem"
+
+# TLS configuration
+define_macro:
+  'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
+  'TLS_OPTIONS':
+    - "no_sslv3"
+    - "no_tlsv1"
+    - "no_tlsv1_1"
+    - "cipher_server_preference"
+    - "no_compression"
+  'DH_FILE': "/etc/ejabberd/dhparams.pem"
+    # generated with: openssl dhparam -out dhparams.pem 2048
+
+c2s_ciphers: 'TLS_CIPHERS'
+s2s_ciphers: 'TLS_CIPHERS'
+c2s_protocol_options: 'TLS_OPTIONS'
+s2s_protocol_options: 'TLS_OPTIONS'
+c2s_dhfile: 'DH_FILE'
+s2s_dhfile: 'DH_FILE'
+
+listen:
+  -
+    port: 5222
+    ip: "::"
+    module: ejabberd_c2s
+    max_stanza_size: 262144
+    shaper: c2s_shaper
+    access: c2s
+    starttls_required: true
+    protocol_options: 'TLS_OPTIONS'
+  -
+    port: 5223
+    ip: "::"
+    module: ejabberd_c2s
+    max_stanza_size: 262144
+    access: c2s
+    shaper: c2s_shaper
+    tls: true
+  -
+    port: 5269
+    ip: "::"
+    module: ejabberd_s2s_in
+    max_stanza_size: 524288
+  -
+    port: 5280
+    ip: "127.0.0.1"
+    module: ejabberd_http
+    protocol_options: 'TLS_OPTIONS'
+    request_handlers:
+      "/admin": ejabberd_web_admin
+      "/api": mod_http_api
+      "/bosh": mod_bosh
+      "/files": mod_http_upload
+      "/ws": ejabberd_http_ws
+  -
+    port: 5347
+    ip: "127.0.0.1"
+    module: ejabberd_service
+    hosts:
+      # biboumi IRC gateway
+      irc.chinwag.org:
+        password: "!!!!COMPONENT PASSWORD"
+  -
+    port: 3478
+    transport: udp
+    module: ejabberd_stun
+    use_turn: true
+    turn_ipv4_address: !!!!IP INTERFACE ADDRESS
+  -
+    port: 5349
+    transport: tcp
+    module: ejabberd_stun
+    use_turn: true
+    tls: true
+    turn_min_port: 49152
+    turn_max_port: 65535
+    turn_ipv4_address: !!!!IP INTERFACE ADDRESS
+
+## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
+## password storage (see auth_password_format option).
+disable_sasl_mechanisms:
+  - "digest-md5"
+  - "X-OAUTH2"
+
+s2s_use_starttls: required
+
+trusted_proxies:
+  - "127.0.0.1"
+
+sql_type: pgsql
+sql_database: 'ejabberd'
+sql_username: 'ejabberd'
+sql_port: 5432
+sql_password: '!!!!DB PASSWORD'
+sql_prepared_statements: false
+sql_pool_size: 2
+new_sql_schema: true
+default_db: sql
+
+## Store the plain passwords or hashed for SCRAM:
+auth_password_format: scram
+auth_method: [external, internal]
+auth_use_cache: false
+extauth_program: "/usr/local/bin/auth-mastodon.py"
+
+
+## Full path to a script that generates the image.
+## captcha_cmd: "/usr/share/ejabberd/captcha.sh"
+
+acl:
+  admin:
+     user:
+       - "!!!!YOUR ADMIN JID"
+
+  local:
+    user_regexp: ""
+  loopback:
+    ip:
+      - 127.0.0.0/8
+      - ::1/128
+
+access_rules:
+  local:
+    allow: local
+  c2s:
+    deny: blocked
+    allow: all
+  announce:
+    allow: admin
+  configure:
+    allow: admin
+  muc_create:
+    allow: local
+  pubsub_createnode:
+    allow: local
+  trusted_network:
+    allow: loopback
+
+api_permissions:
+  "console commands":
+    from:
+      - ejabberd_ctl
+    who: all
+    what: "*"
+  "admin access":
+    who:
+      access:
+        allow:
+          acl: loopback
+          acl: admin
+      oauth:
+        scope: "ejabberd:admin"
+        access:
+          allow:
+            acl: loopback
+            acl: admin
+    what:
+      - "*"
+      - "!stop"
+      - "!start"
+  "public commands":
+    who:
+      ip: 127.0.0.1/8
+    what:
+      - status
+      - connected_users_number
+
+shaper:
+  normal: 1000
+  fast: 50000
+
+shaper_rules:
+  max_user_sessions: 10
+  max_user_offline_messages:
+    5000: admin
+    100: all
+  c2s_shaper:
+    none: admin
+    normal: all
+  s2s_shaper: fast
+
+modules:
+  mod_adhoc: {}
+  mod_admin_extra: {}
+  mod_announce:
+    access: announce
+  mod_avatar: {}
+  mod_blocking: {}
+  mod_bosh: {}
+  mod_caps: {}
+  mod_carboncopy: {}
+  mod_client_state: {}
+  mod_configure: {}
+  ## mod_delegation: {}   # for xep0356
+  mod_disco:
+    server_info:
+      -
+        modules: all
+        name: "abuse-addresses"
+        urls: ["mailto:!!!!CONTACT EMAIL"]
+  mod_fail2ban: {}
+  mod_http_api: {}
+  mod_http_upload:
+    ## All uploads handled via Nginx proxy under https://chat.chinwag.org
+    docroot: "/srv/www/ejabberd"
+    put_url: "https://chat.@HOST@/files"
+    custom_headers: 
+      "Access-Control-Allow-Origin": "*"
+      "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT"
+      "Access-Control-Allow-Headers": "Content-Type"
+    thumbnail: false # otherwise needs the identify command from ImageMagick installed
+  mod_last: {}
+  mod_mam:
+    assume_mam_usage: true
+    default: always
+  # mod_mqtt: {}
+  mod_muc:
+    # Use "rooms" as MUC host for consistency with chinwag.im
+    host: "rooms.@HOST@"
+    access:
+      - allow
+    access_admin:
+      - allow: admin
+    access_create: muc_create
+    access_persistent: muc_create
+    access_mam:
+      - allow
+    default_room_options:
+      allow_subscription: true
+      mam: true
+  mod_muc_admin: {}
+  mod_offline:
+    access_max_user_messages: max_user_offline_messages
+  mod_ping: {}
+  mod_pres_counter:
+    count: 5
+    interval: 60
+  mod_privacy: {}
+  mod_private: {}
+  mod_proxy65:
+   access: local
+   max_connections: 5
+  mod_pubsub:
+    access_createnode: pubsub_createnode
+    plugins:
+      - flat
+      - pep
+    ## Not sure if this is still necessary, need to check
+    force_node_config:
+      "eu.siacs.conversations.axolotl.*":
+        access_model: open
+      "urn:xmpp:omemo:*":
+        access_model: open
+      ## Avoid buggy clients to make their bookmarks public
+      storage:bookmarks:
+        access_model: whitelist
+  mod_push: {}
+  mod_push_keepalive: {}
+  mod_register:
+    ## No registration via XMPP supported, redirect to Mastodon
+    redirect_url: "https://social.chinwag.org/about"
+  ##   ## Only accept registration requests from the "trusted"
+  ##   ## network (see access_rules section above).
+  ##   ## Think twice before enabling registration from any
+  ##   ## address. See the Jabber SPAM Manifesto for details:
+  ##   ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
+  ##   ip_access: trusted_network
+  mod_roster:
+    versioning: true
+  mod_s2s_dialback: {}
+  mod_shared_roster: {}
+  mod_sic: {}
+  mod_stream_mgmt:
+    resend_on_timeout: if_offline
+  mod_stun_disco:
+    credentials_lifetime: 6h
+  mod_vcard:
+    search: false
+  mod_vcard_xupdate: {}
+  mod_version: {}
+
+allow_contrib_modules: true
+### Local Variables:
+### mode: yaml
+### End:
+### vim: set filetype=yaml tabstop=8