From 2d4ffc5c7fb6c4ff0d83c32314bb3211ab873805 Mon Sep 17 00:00:00 2001 From: Nicolas North Date: Tue, 3 Jul 2018 15:25:12 +0200 Subject: [PATCH] Add config file for ejabberd-18.06 No changes over ejabberd-18.04 config file for now --- conf/ejabberd/ejabberd-18.06.yml | 569 +++++++++++++++++++++++++++++++ 1 file changed, 569 insertions(+) create mode 100644 conf/ejabberd/ejabberd-18.06.yml diff --git a/conf/ejabberd/ejabberd-18.06.yml b/conf/ejabberd/ejabberd-18.06.yml new file mode 100644 index 0000000..fcded7b --- /dev/null +++ b/conf/ejabberd/ejabberd-18.06.yml @@ -0,0 +1,569 @@ +################################################################################ +################################################################################ +################################################################################ + +### This is the configuration file for an instance of +### aenigma: The | state-of-the-art | secure-by-default | one-touch-deployed | XMPP server for everyone. +### for ejabberd XMPP server v18.06 + +### aenigma is an openspace project [openspace.xxx] +### initial commit by nz on 2017-09-23 +### https://aenigma.xyz | https://github.com/openspace42/aenigma/ + +################################################################################ +################################################################################ +################################################################################ + +###. ======= +###' LOGGING + +loglevel: 4 + +log_rotate_size: 10485760 +log_rotate_date: "" +log_rotate_count: 1 +log_rate_limit: 100 + +###. =============== +###' NODE PARAMETERS + +## net_ticktime: 60 + +###. ================ +###' SERVED HOSTNAMES + +hosts: + - "example.im" + +## route_subdomains: s2s + +###. ============ +###' Certificates + +certfiles: + - "/etc/ssl/aenigma/*.pem" + +###. ================= +###' TLS configuration + +### aenigma notice +### to enable state-of-the-art, NOT backwards-compatible TLS encryption +### [breaking all bridges with legacy servers and therefore the rest of XMPP community] +### simply set: | s2s_protocol_options: 'TLSOPTS' | and | s2s_ciphers: 'CIPHERS' | + +###. =============== +###' LISTENING PORTS + + +define_macro: + + 'DHFILE': "/etc/ssl/aenigma/dh.pem" + 'CIPHERS': "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" + 'S2SCIPHERS': "HIGH:!MEDIUM:!LOW:!3DES:!CAMELLIA:!aNULL@STRENGTH" + 'TLSOPTS': + - "no_sslv3" + - "no_tlsv1" + - "no_tlsv1_1" + - "cipher_server_preference" + - "no_compression" + 'S2STLSOPTS': + - "no_sslv3" + - "cipher_server_preference" + - "no_compression" + +listen: + - + port: 5222 + ip: "::" + module: ejabberd_c2s + starttls: true + protocol_options: 'TLSOPTS' + dhfile: 'DHFILE' + ciphers: 'CIPHERS' + starttls_required: true + zlib: true + max_stanza_size: 65536 + shaper: c2s_shaper + access: c2s + - + port: 5223 + ip: "::" + module: ejabberd_c2s + protocol_options: 'TLSOPTS' + dhfile: 'DHFILE' + ciphers: 'CIPHERS' + tls: true + zlib: true + max_stanza_size: 65536 + shaper: c2s_shaper + access: c2s + - + port: 5269 + ip: "::" + module: ejabberd_s2s_in + max_stanza_size: 131072 + shaper: s2s_shaper + - + port: 5280 + ip: "::" + module: ejabberd_http + request_handlers: + "/ws": ejabberd_http_ws + "/bosh": mod_bosh + "/api": mod_http_api + ## "/pub/archive": mod_http_fileserver + web_admin: true + http_poll: true + http_bind: true + ## register: true + captcha: false + + ## - + ## port: 8888 + ## ip: "::" + ## module: ejabberd_service + ## access: all + ## shaper_rule: fast + ## ip: "127.0.0.1" + ## privilege_access: + ## roster: "both" + ## message: "outgoing" + ## presence: "roster" + ## delegations: + ## "urn:xmpp:mam:1": + ## filtering: ["node"] + ## "http://jabber.org/protocol/pubsub": + ## filtering: [] + ## hosts: + ## "icq.example.org": + ## password: "secret" + ## "sms.example.org": + ## password: "secret" + + ## - + ## port: 3478 + ## transport: udp + ## module: ejabberd_stun + + ## - + ## port: 4560 + ## ip: "::" + ## module: ejabberd_xmlrpc + ## maxsessions: 10 + ## timeout: 5000 + ## access_commands: + ## admin: + ## commands: all + ## options: [] + + - + port: 5444 + ip: "::" + module: ejabberd_http + request_handlers: + "": mod_http_upload + tls: true + protocol_options: 'TLSOPTS' + dhfile: 'DHFILE' + ciphers: 'CIPHERS' + +disable_sasl_mechanisms: "digest-md5" + +###. ================== +###' S2S GLOBAL OPTIONS + +s2s_use_starttls: required +s2s_dhfile: 'DHFILE' +s2s_protocol_options: 'S2STLSOPTS' +s2s_ciphers: 'S2SCIPHERS' + +## aenigma_host_config_domain_placeholder_start: +## aenigma_host_config_domain_placeholder_end: + +## aenigma_host_config_xu_placeholder_start: +## aenigma_host_config_xu_placeholder_end: + +## s2s_access: s2s + +## outgoing_s2s_families: +## - ipv4 +## - ipv6 +## outgoing_s2s_timeout: 190 + +###. ============== +###' AUTHENTICATION + +auth_method: internal + +auth_password_format: scram + +## fqdn: "server3.example.com" + +## auth_method: external +## extauth_program: "/path/to/authentication/script" +## auth_method: sql +## auth_method: pam +## pam_service: "pamservicename" + +## auth_method: ldap +## ldap_servers: +## - "localhost" +## ldap_encrypt: none +## ldap_encrypt: tls +## ldap_port: 389 +## ldap_port: 636 +## ldap_rootdn: "dc=example,dc=com" +## ldap_password: "******" +## ldap_base: "dc=example,dc=com" +## ldap_uids: +## - "mail": "%u@mail.example.org" +## ldap_filter: "(objectClass=shadowAccount)" + +## auth_method: anonymous +## anonymous_protocol: sasl_anon | login_anon | both +## allow_multiple_connections: true | false + +## host_config: +## "public.example.org": +## auth_method: anonymous +## allow_multiple_connections: false +## anonymous_protocol: sasl_anon + +## host_config: +## "public.example.org": +## auth_method: +## - internal +## - anonymous + +###. ============== +###' DATABASE SETUP + +## pgsql_users_number_estimate: true + +###. =============== +###' TRAFFIC SHAPERS + +shaper: + normal: 1000 + fast: 50000 + +max_fsm_queue: 10000 +###. ==================== +###' ACCESS CONTROL LISTS +acl: + ## + ## The 'admin' ACL grants administrative privileges to XMPP accounts. + ## You can put here as many accounts as you want. + ## + admin: + user: + - "admin@example.im" + + ## blocked: + ## user: + ## - "baduser@example.org" + ## - "test" + + local: + user_regexp: "" + + ## jabberorg: + ## server: + ## - "jabber.org" + ## aleksey: + ## user: + ## - "aleksey@jabber.ru" + ## test: + ## user_regexp: "^test" + ## user_glob: "test*" + + loopback: + ip: + - "127.0.0.0/8" + - "::1/128" + - "::FFFF:127.0.0.1/128" + + ## bad_servers: + ## server: + ## - "xmpp.zombie.org" + ## - "xmpp.spam.com" + +## host_config: +## "localhost": +## acl: +## admin: +## user: +## - "bob-local@localhost" + +###. ============ +###' SHAPER RULES + +shaper_rules: + ## Maximum number of simultaneous sessions allowed for a single user: + max_user_sessions: 24 + ## Maximum number of offline messages that users can have: + max_user_offline_messages: + - 16384: admin + - 8192 + ## For C2S connections, all users except admins use the "normal" shaper + c2s_shaper: + - none: admin + - normal + ## All S2S connections use the "fast" shaper + s2s_shaper: fast + +###. ============ +###' ACCESS RULES +access_rules: + ## This rule allows access only for local users: + local: + - allow: local + ## Only non-blocked users can use c2s connections: + c2s: + - deny: blocked + - allow + ## Only admins can send announcement messages: + announce: + - allow: admin + ## Only admins can use the configuration interface: + configure: + - allow: admin + ## Only accounts of the local ejabberd server can create rooms: + muc_create: + - allow: local + ## Only accounts on the local ejabberd server can create Pubsub nodes: + pubsub_createnode: + - allow: local + ## In-band registration allows registration of any possible username. + ## To disable in-band registration, replace 'allow' with 'deny'. + register: + - allow + ## Only allow to register from localhost + trusted_network: + - allow: loopback + ## Do not establish S2S connections with bad servers + ## If you enable this you also have to uncomment "s2s_access: s2s" + ## s2s: + ## - deny: + ## - ip: "XXX.XXX.XXX.XXX/32" + ## - deny: + ## - ip: "XXX.XXX.XXX.XXX/32" + ## - allow + +api_permissions: + "console commands": + from: + - ejabberd_ctl + who: all + what: "*" + "admin access": + who: + - access: + - allow: + - acl: loopback + - acl: admin + - oauth: + - scope: "ejabberd:admin" + - access: + - allow: + - acl: loopback + - acl: admin + what: + - "*" + - "!stop" + - "!start" + "public commands": + who: + - ip: "127.0.0.1/8" + what: + - "status" + - "connected_users_number" +## registration_timeout: 600 + +## host_config: +## "localhost": +## access: +## c2s: +## - allow: admin +## - deny +## register: +## - deny + +###. ================ +###' DEFAULT LANGUAGE +language: "en" + +## host_config: +## "localhost": +## language: "ru" + +###. ======= +###' CAPTCHA + +## captcha_cmd: "/opt/ejabberd-17.09/lib/ejabberd-17.09/priv/bin/captcha.sh" + +## captcha_host: "example.im:5280" + +## captcha_limit: 5 + +###. ==== +###' ACME +## +## In order to use the acme certificate acquiring through "Let's Encrypt" +## an http listener has to be configured to listen to port 80 so that +## the authorization challenges posed by "Let's Encrypt" can be solved. +## +## A simple way of doing this would be to add the following in the listening +## section and to configure port forwarding from 80 to 5280 either via NAT +## (for ipv4 only) or using frontends such as haproxy/nginx/sslh/etc. +## - +## port: 5280 +## ip: "::" +## module: ejabberd_http + +## acme: + + ## A contact mail that the ACME Certificate Authority can contact in case of + ## an authorization issue, such as a server-initiated certificate revocation. + ## It is not mandatory to provide an email address but it is highly suggested. + ## contact: "mailto:example-admin@example.com" + + + ## The ACME Certificate Authority URL. + ## This could either be: + ## - https://acme-v01.api.letsencrypt.org - (Default) for the production CA + ## - https://acme-staging.api.letsencrypt.org - for the staging CA + ## - http://localhost:4000 - for a local version of the CA + ## ca_url: "https://acme-v01.api.letsencrypt.org" +###. ======= +###' MODULES +modules: + mod_adhoc: {} + mod_admin_extra: {} + mod_announce: # recommends mod_adhoc + access: announce + mod_blocking: {} # requires mod_privacy + mod_caps: {} + mod_carboncopy: {} + mod_client_state: {} + mod_configure: {} # requires mod_adhoc + ## mod_delegation: {} # for xep0356 + mod_disco: {} + mod_echo: + host: "xe.@HOST@" + mod_irc: + host: "xi.@HOST@" + mod_bosh: {} + mod_http_fileserver: + docroot: "/var/www/ejabberd/" + accesslog: "/var/log/ejabberd/www_access.log" + mod_http_upload: + host: "xu.@HOST@" + docroot: "@HOME@/uploads" + put_url: "https://xu.@HOST@:443" + thumbnail: false # otherwise needs the identify command from ImageMagick installed + max_size: 262144000 + file_mode: "0640" + dir_mode: "2750" + access: + - allow + mod_http_upload_quota: + max_days: 120 + mod_last: {} + mod_mix: + host: "xm.@HOST@" + mod_muc: + host: "xc.@HOST@" + access: + - allow + access_admin: + - allow: admin + access_create: muc_create + access_persistent: muc_create + history_size: 42 + default_room_options: + mam: true + allow_subscription: true + mod_muc_admin: {} + ## mod_muc_log: {} + ## mod_multicast: {} + mod_offline: + access_max_user_messages: max_user_offline_messages + mod_ping: {} + ## mod_pres_counter: + ## count: 5 + ## interval: 60 + mod_privacy: {} + mod_private: {} + ## mod_proxy65: {} + mod_pubsub: + host: "xp.@HOST@" + access_createnode: pubsub_createnode + ignore_pep_from_offline: false + last_item_cache: false + max_items_node: 1000 + default_node_config: + max_items: 1000 + plugins: + - "flat" + - "hometree" + - "pep" # pep requires mod_caps + mod_push: + include_sender: true + include_body: true + mod_push_keepalive: {} + mod_register: + ## captcha_protected: true + ## password_strength: 32 + welcome_message: + subject: "Hello world" + body: |- + Hi there! + Happy to see you onboard. + This is the aenigma XMPP server at hostname.im hosting domain example.im. + The admin for this instance is admin@example.im. + https://aenigma.xyz + + registration_watchers: + - "admin@example.im" + + ### ip_access: trusted_network + + access_from: allow + + access: register + mod_roster: + versioning: true + store_current_id: true + mod_shared_roster: {} + mod_stats: {} + mod_time: {} + mod_vcard: + search: false + mod_vcard_xupdate: {} + mod_avatar: {} + mod_version: {} + mod_stream_mgmt: + resend_on_timeout: if_offline + mod_mam: + default: always + cache_size: 1048576 + cache_life_time: 2678400 + mod_s2s_dialback: {} + mod_http_api: {} + mod_fail2ban: {} + +## host_config: +## "localhost": +## modules: +## mod_echo: +## host: "mirror.localhost" + +allow_contrib_modules: true + +###. +###' +### Local Variables: +### mode: yaml +### End: +### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker: