From 486ea99717440c398e8e1ada828678d3cd98a9e0 Mon Sep 17 00:00:00 2001 From: Mike Barnes Date: Sun, 21 Feb 2021 23:39:41 +0000 Subject: [PATCH] Initial commit of ejabberd.yml Passwords redacted from production copy and some comments added. --- ejabberd/ejabberd.yml | 304 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 304 insertions(+) create mode 100644 ejabberd/ejabberd.yml diff --git a/ejabberd/ejabberd.yml b/ejabberd/ejabberd.yml new file mode 100644 index 0000000..907ca4c --- /dev/null +++ b/ejabberd/ejabberd.yml 
@@ -0,0 +1,304 @@ +## This config adapted from the running version on chinwag.org deployed with ejabberd 20.12 +## installed from the buster-backports repository on Debian 10. + +# loglevel: Verbosity of log files generated by ejabberd +loglevel: 3 + +# rotation: Disable ejabberd's internal log rotation, as the Debian package +# uses logrotate(8). +log_rotate_count: 0 + +hosts: + - chinwag.org + +acme: + auto: false + +certfiles: + - "/etc/ejabberd/ejabberd.pem" + +# TLS configuration +define_macro: + 'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH" + 'TLS_OPTIONS': + - "no_sslv3" + - "no_tlsv1" + - "no_tlsv1_1" + - "cipher_server_preference" + - "no_compression" + 'DH_FILE': "/etc/ejabberd/dhparams.pem" + # generated with: openssl dhparam -out dhparams.pem 2048 + +c2s_ciphers: 'TLS_CIPHERS' +s2s_ciphers: 'TLS_CIPHERS' +c2s_protocol_options: 'TLS_OPTIONS' +s2s_protocol_options: 'TLS_OPTIONS' +c2s_dhfile: 'DH_FILE' +s2s_dhfile: 'DH_FILE' + +listen: + - + port: 5222 + ip: "::" + module: ejabberd_c2s + max_stanza_size: 262144 + shaper: c2s_shaper + access: c2s + starttls_required: true + protocol_options: 'TLS_OPTIONS' + - + port: 5223 + ip: "::" + module: ejabberd_c2s + max_stanza_size: 262144 + access: c2s + shaper: c2s_shaper + tls: true + - + port: 5269 + ip: "::" + module: ejabberd_s2s_in + max_stanza_size: 524288 + - + port: 5280 + ip: "127.0.0.1" + module: ejabberd_http + protocol_options: 'TLS_OPTIONS' + request_handlers: + "/admin": ejabberd_web_admin + "/api": mod_http_api + "/bosh": mod_bosh + "/files": mod_http_upload + "/ws": ejabberd_http_ws + - + port: 5347 + ip: "127.0.0.1" + module: ejabberd_service + hosts: + # biboumi IRC gateway + irc.chinwag.org: + password: "!!!!COMPONENT PASSWORD" + - + port: 3478 + transport: udp + module: ejabberd_stun + use_turn: true + turn_ipv4_address: !!!!IP INTERFACE ADDRESS + - + port: 5349 + transport: tcp + module: ejabberd_stun + use_turn: true + tls: true + turn_min_port: 49152 + turn_max_port: 65535 + 
turn_ipv4_address: !!!!IP INTERFACE ADDRESS + +## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text +## password storage (see auth_password_format option). +disable_sasl_mechanisms: + - "digest-md5" + - "X-OAUTH2" + +s2s_use_starttls: required + +trusted_proxies: + - "127.0.0.1" + +sql_type: pgsql +sql_database: 'ejabberd' +sql_username: 'ejabberd' +sql_port: 5432 +sql_password: '!!!!DB PASSWORD' +sql_prepared_statements: false +sql_pool_size: 2 +new_sql_schema: true +default_db: sql + +## Store the plain passwords or hashed for SCRAM: +auth_password_format: scram +auth_method: [external, internal] +auth_use_cache: false +extauth_program: "/usr/local/bin/auth-mastodon.py" + + +## Full path to a script that generates the image. +## captcha_cmd: "/usr/share/ejabberd/captcha.sh" + +acl: + admin: + user: + - "!!!!YOUR ADMIN JID" + + local: + user_regexp: "" + loopback: + ip: + - 127.0.0.0/8 + - ::1/128 + +access_rules: + local: + allow: local + c2s: + deny: blocked + allow: all + announce: + allow: admin + configure: + allow: admin + muc_create: + allow: local + pubsub_createnode: + allow: local + trusted_network: + allow: loopback + +api_permissions: + "console commands": + from: + - ejabberd_ctl + who: all + what: "*" + "admin access": + who: + access: + allow: + acl: loopback + acl: admin + oauth: + scope: "ejabberd:admin" + access: + allow: + acl: loopback + acl: admin + what: + - "*" + - "!stop" + - "!start" + "public commands": + who: + ip: 127.0.0.1/8 + what: + - status + - connected_users_number + +shaper: + normal: 1000 + fast: 50000 + +shaper_rules: + max_user_sessions: 10 + max_user_offline_messages: + 5000: admin + 100: all + c2s_shaper: + none: admin + normal: all + s2s_shaper: fast + +modules: + mod_adhoc: {} + mod_admin_extra: {} + mod_announce: + access: announce + mod_avatar: {} + mod_blocking: {} + mod_bosh: {} + mod_caps: {} + mod_carboncopy: {} + mod_client_state: {} + mod_configure: {} + ## mod_delegation: {} # for xep0356 + 
mod_disco: + server_info: + - + modules: all + name: "abuse-addresses" + urls: ["mailto:!!!!CONTACT EMAIL"] + mod_fail2ban: {} + mod_http_api: {} + mod_http_upload: + ## All uploads handled via Nginx proxy under https://chat.chinwag.org + docroot: "/srv/www/ejabberd" + put_url: "https://chat.@HOST@/files" + custom_headers: + "Access-Control-Allow-Origin": "*" + "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT" + "Access-Control-Allow-Headers": "Content-Type" + thumbnail: false # otherwise needs the identify command from ImageMagick installed + mod_last: {} + mod_mam: + assume_mam_usage: true + default: always + # mod_mqtt: {} + mod_muc: + # Use "rooms" as MUC host for consistency with chinwag.im + host: "rooms.@HOST@" + access: + - allow + access_admin: + - allow: admin + access_create: muc_create + access_persistent: muc_create + access_mam: + - allow + default_room_options: + allow_subscription: true + mam: true + mod_muc_admin: {} + mod_offline: + access_max_user_messages: max_user_offline_messages + mod_ping: {} + mod_pres_counter: + count: 5 + interval: 60 + mod_privacy: {} + mod_private: {} + mod_proxy65: + access: local + max_connections: 5 + mod_pubsub: + access_createnode: pubsub_createnode + plugins: + - flat + - pep + ## Not sure if this is still necessary, need to check + force_node_config: + "eu.siacs.conversations.axolotl.*": + access_model: open + "urn:xmpp:omemo:*": + access_model: open + ## Avoid buggy clients to make their bookmarks public + storage:bookmarks: + access_model: whitelist + mod_push: {} + mod_push_keepalive: {} + mod_register: + ## No registration via XMPP supported, redirect to Mastodon + redirect_url: "https://social.chinwag.org/about" + ## ## Only accept registration requests from the "trusted" + ## ## network (see access_rules section above). + ## ## Think twice before enabling registration from any + ## ## address. 
See the Jabber SPAM Manifesto for details: + ## ## https://github.com/ge0rg/jabber-spam-fighting-manifesto + ## ip_access: trusted_network + mod_roster: + versioning: true + mod_s2s_dialback: {} + mod_shared_roster: {} + mod_sic: {} + mod_stream_mgmt: + resend_on_timeout: if_offline + mod_stun_disco: + credentials_lifetime: 6h + mod_vcard: + search: false + mod_vcard_xupdate: {} + mod_version: {} + +allow_contrib_modules: true +### Local Variables: +### mode: yaml +### End: +### vim: set filetype=yaml tabstop=8
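Review bot: The `mod_register:` stanza near the end of the hunk (straddling L4/L5) sets only `redirect_url`, yet its comment claims no XMPP registration is supported — in ejabberd `redirect_url` only changes the XEP-0077 form returned on a registration `get`; a client that submits a registration `set` directly still falls through to the module's `access` and `ip_access` checks, which in 20.12 both default to allowing everyone, so with `internal` in `auth_method` in-band account creation appears to stay open from any remote IP. If that reading of mod_register is right, add `access: none` under `mod_register:` (the redirect on `get` is unaffected) or uncomment the `ip_access: trusted_network` line already sitting in the stanza. The comment should also say the redirect is advisory, e.g. `## redirect_url only advertises the signup page; registration itself is denied by access: none`. Separately, the `"admin access"` rule under `api_permissions` lists `acl: loopback` and `acl: admin` directly under `allow:` without `-` list markers (as rendered here; every other list in the hunk kept its dashes), which makes them duplicate mapping keys that a strict YAML parser collapses to the last one — writing them as the two-item list the stock ejabberd config uses (`- acl: loopback` / `- acl: admin`) avoids depending on the parser keeping both.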