# Global settings: logging, the served virtual host and the certificate
# chain shared by every TLS-enabled listener below.
loglevel: info
log_rotate_count: 0 # We assume external logrotate
hosts:
  - ba.ln.ea.cx
# Certificate and key are provisioned outside ejabberd (presumably by
# certbot, given the paths); `acme.auto` is off so ejabberd never
# requests its own. NOTE(review): the privkey.pem must stay readable
# only by the ejabberd service user — confirm the deployment enforces it.
certfiles:
  - /etc/letsencrypt/live/ba.ln.ea.cx/fullchain.pem
  - /etc/letsencrypt/live/ba.ln.ea.cx/privkey.pem
acme:
  auto: false
# TLS configuration
# Macros are referenced later as quoted upper-case names. `TLS_OPTIONS`
# disables SSLv3, TLS 1.0 and TLS 1.1 and TLS compression, and lets the
# server pick the cipher. `IP4` is the public address the TURN listeners
# advertise.
define_macro:
  'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
  'TLS_OPTIONS':
    - no_sslv3
    - no_tlsv1
    - no_tlsv1_1
    - cipher_server_preference
    - no_compression
  # 'DH_FILE': "/path/to/dhparams.pem"
  # generated with: openssl dhparam -out dhparams.pem 2048
  'IP4': "45.61.184.234"
# Secrets live in separate files that may ONLY contribute macros
# (allow_only); a tampered secrets file therefore cannot add listeners,
# change ACLs or enable modules.
include_config_file:
  /run/keys/biboumi/password.yml:
    allow_only: [define_macro]
  /etc/lldap_readonly.passwd.yml:
    allow_only: [define_macro]
c2s_ciphers: 'TLS_CIPHERS'
s2s_ciphers: 'TLS_CIPHERS'
c2s_protocol_options: 'TLS_OPTIONS'
s2s_protocol_options: 'TLS_OPTIONS'
# c2s_dhfile: 'DH_FILE'
# s2s_dhfile: 'DH_FILE'
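# Access control lists: `local` matches every account on a served vhost
# (an empty user_regexp matches any user name); `admin` is one account.
acl:
  local:
    user_regexp: ""
  admin:
    user: marsironpi@ba.ln.ea.cx
# Access rules are evaluated top to bottom and the first matching clause
# decides, so a deny clause must precede a catch-all allow.
access_rules:
  configure:
    # NOTE(review): no `owner` acl is defined in this file; an undefined
    # acl presumably matches nobody, which would lock everyone out of
    # mod_configure — confirm whether `admin` was intended.
    allow: owner
  c2s:
    # Deny first: with `allow: all` listed before it, the deny clause
    # could never be reached. NOTE(review): no `blocked` acl is defined
    # in this file yet, so this clause matches nobody until one is added.
    deny: blocked
    allow: all
  announce:
    allow: admin
  muc_create:
    allow: local
  muc_admin:
    allow: admin
  ejabberd_stun:
    allow: local
  pubsub_createnode:
    allow: local
  proxy65_allow:
    allow: local
  http_upload_access:
    allow: local
  ejabberd_service:
    allow: local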
listen:
  # Client connections, STARTTLS mandatory before authentication.
  - port: 5222
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    # shaper: c2s_shaper
    access: c2s
    starttls_required: true
    protocol_options: 'TLS_OPTIONS'
  # Client connections over direct TLS.
  - port: 5223
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    # shaper: c2s_shaper
    access: c2s
    tls: true
    protocol_options: 'TLS_OPTIONS'
  # Inbound federation; STARTTLS is enforced by s2s_use_starttls below.
  - port: 5269
    ip: "::"
    module: ejabberd_s2s_in
    max_stanza_size: 524288
    # shaper: s2s_shaper
  # Inbound federation over direct TLS.
  - port: 5270
    ip: "::"
    module: ejabberd_s2s_in
    max_stanza_size: 524288
    # shaper: s2s_shaper
    tls: true
    protocol_options: 'TLS_OPTIONS'
  # External component (IRC gateway), loopback only. The shared secret
  # is a macro, presumably supplied by /run/keys/biboumi/password.yml.
  - port: 5347
    ip: "127.0.0.1"
    module: ejabberd_service
    access: ejabberd_service
    hosts:
      irc.ba.ln.ea.cx:
        password: BIBOUMI_PASSWORD
  # Plaintext HTTP on all interfaces. NOTE(review): BOSH credentials
  # would travel unencrypted here — confirm this port is firewalled or
  # only reached through the loopback proxy that trusted_proxies allows.
  - port: 5280
    ip: "::"
    module: ejabberd_http
    request_handlers:
      /bosh: mod_bosh
      /.well-known/host-meta: mod_host_meta
      /.well-known/host-meta.json: mod_host_meta
      # /converse: mod_conversejs
  # HTTPS: BOSH, WebSocket and file upload.
  - port: 5443
    ip: "::"
    module: ejabberd_http
    tls: true
    protocol_options: 'TLS_OPTIONS'
    request_handlers:
      /bosh: mod_bosh
      /ws: ejabberd_http_ws
      /upload: mod_http_upload
  # STUN/TURN; `auth_type: user` means TURN allocations are authenticated
  # with XMPP account credentials rather than anonymously.
  - port: 3478
    ip: "::"
    transport: udp
    module: ejabberd_stun
    use_turn: true
    auth_type: user
    turn_ipv4_address: 'IP4'
    # turn_ipv6_address: ""
  - port: 3478
    ip: "::"
    transport: tcp
    module: ejabberd_stun
    use_turn: true
    auth_type: user
    turn_ipv4_address: 'IP4'
    # turn_ipv6_address: ""
  # TURN over TLS.
  - port: 5349
    ip: "::"
    transport: tcp
    module: ejabberd_stun
    use_turn: true
    auth_type: user
    tls: true
    turn_ipv4_address: 'IP4'
    # turn_ipv6_address: ""
# Forwarded-for headers are honoured only from loopback.
trusted_proxies: ["127.0.0.1"]
# Disable digest-md5 SASL authentication. digest-md5 requires
# plain-text password storage (see auth_password_format option).
disable_sasl_mechanisms:
  - digest-md5
  - X-OAUTH2
# Federation peers must negotiate STARTTLS; plaintext s2s is refused.
s2s_use_starttls: required
# NOTE(review): shapers are fully commented out here and on the
# listeners, so no per-connection rate limit, session cap or offline
# queue cap is in force.
# shaper:
#   normal:
#     rate: 3000
#     burst_size: 20000
#   fast: 200000
# shaper_rules:
#   max_user_sessions: 10
#   max_user_offline_messages:
#     1000: all
#   c2s_shaper:
#     normal: all
#   s2s_shaper: fast
# Storage: SQLite for module data; authentication is delegated to LDAP.
default_db: sql
sql_type: sqlite
sql_database: /var/lib/ejabberd/db.sqlite
new_sql_schema: true
update_sql_schema: true
auth_method: ldap
ldap_base: ou=people,dc=ba,dc=ln,dc=ea,dc=cx
# Read-only bind account (least privilege); its password is a macro,
# presumably defined in /etc/lldap_readonly.passwd.yml (see
# include_config_file).
ldap_rootdn: uid=lldap_readonly,ou=people,dc=ba,dc=ln,dc=ea,dc=cx
ldap_password: 'LLDAP_READONLY_PASSWORD'
# NOTE(review): ldap_encrypt is not set, so the bind presumably travels
# in plaintext — acceptable only while the directory stays on loopback.
ldap_servers:
  - localhost
ldap_port: 3890
ldap_uids:
  - jabberid
  - uid
# NOTE(review): confirm the directory returns the bare value `jabber`
# for memberOf (some directories return a full group DN), otherwise this
# filter matches nobody and all logins fail.
ldap_filter: "(memberOf=jabber)"
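modules:
  # Core
  mod_disco: {} # Service Discovery (XEP-0030)
  mod_caps: {} # Entity Capabilities (XEP-0115)
  mod_pubsub: # Personal Eventing Protocol (XEP-0163)
    access_createnode: pubsub_createnode
    hosts:
      - pub.@HOST@
    plugins:
      - flat
      - pep
    # Node configuration forced regardless of what the client requests.
    force_node_config:
      "eu.siacs.conversations.axolotl.*":
        access_model: open # OMEMO should be open
      "storage:bookmarks":
        access_model: whitelist # Bookmarks should be private
  # Web
  mod_bosh: {} # XMPP Over BOSH (XEP-0206)
  mod_host_meta: {} # Discovering Alternative XMPP Connection Methods (XEP-0156)
  # mod_conversejs:
  #   conversejs_options:
  #     theme: dracula
  #     assets_path: "./"
  #   conversejs_resources: "/var/www/converse/dist"
  #   conversejs_script: "converse.min.js"
  #   conversejs_css: "converse.min.css"
  # IM
  mod_vcard: {} # vcard-temp (XEP-0054)
  mod_vcard_xupdate: {} # vCard-Based Avatars (XEP-0153)
  mod_avatar: {} # User Avatar to vCard-Based Avatars Conversion (XEP-0398)
  mod_carboncopy: {} # Message Carbons (XEP-0280)
  mod_privacy: {} # Privacy Lists (XEP-0016)
  mod_blocking: {} # Blocking Command (XEP-0191)
  mod_muc: # Multi-User Chat (XEP-0045)
    access_create: muc_create
    access_admin: muc_admin
    default_room_options:
      allow_subscription: true
      enable_hats: true
      mam: true
      persistent: true
    hosts:
      - cam.@HOST@
  mod_private: {} # Bookmark Storage (XEP-0048), Private XML Storage (XEP-0049)
  mod_mam: # Message Archive Management (XEP-0313)
    assume_mam_usage: true
    default: always
    user_mucsub_from_muc_archive: true
  mod_stream_mgmt: # Stream Management (XEP-0198)
    # Unit made explicit: a bare integer is read as seconds, so the
    # previous `2880` was 48 minutes, not the 48 hours intended.
    resume_timeout: 48 hours
    max_ack_queue: infinity
  mod_http_upload: # HTTP File Upload (XEP-0363)
    access: http_upload_access
    hosts:
      - dep.@HOST@
    thumbnail: true
    # Uploaded files are kept when the owning account is removed.
    rm_on_unregister: false
    # CORS limited to the served vhost over HTTPS.
    custom_headers:
      "Access-Control-Allow-Origin": "https://@HOST@"
      "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
      "Access-Control-Allow-Headers": "Content-Type"
  # Mobile
  mod_client_state: {} # Client State Indication (XEP-0352)
  mod_push: {} # Push Notifications (XEP-0357)
  mod_push_keepalive: {}
  # A/V
  mod_stun_disco: # External Service Discovery (XEP-0215)
    access: ejabberd_stun
  # Misc.
  mod_adhoc: {}
  mod_announce:
    access: announce
  mod_configure: {}
  mod_last: {}
  mod_muc_admin: {}
  mod_offline:
    use_mam_for_storage: true
  mod_ping: {}
  mod_pres_counter:
    count: 100
    interval: 1 min
  mod_proxy65:
    ip: "::"
    # Must name a rule defined under access_rules. The rule there is
    # `proxy65_allow`; the former `proxy65_access` is undefined and an
    # undefined rule evaluates to deny, so nobody could use the proxy.
    access: proxy65_allow
    hosts:
      - pro.@HOST@
  mod_roster:
    versioning: true
  mod_time: {}
  mod_version: {}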
### Local Variables:
### mode: yaml
### End:
### vim: set filetype=yaml tabstop=8