diff --git a/seqs/ejabberd.sh b/seqs/ejabberd.sh
new file mode 100755
index 0000000..2b715fb
--- /dev/null
+++ b/seqs/ejabberd.sh
@@ -0,0 +1,124 @@
+#!/bin/bash
+
+toolName=ejabberd
+toolConfLoc="/etc/ejabberd/ejabberd.yml"
+# for http upload
+toolStorageLoc="/var/ejabberd"
+certRoot="/etc/letsencrypt"
+
+# needed for different steps
+myDomain=
+myUser=
+myPass=
+
+step_1_info() { echo "Install $toolName via apt"; }
+step_1_alias() { ALIAS="install"; }
+step_1() {
+ exe apt update
+ exe apt install -y $toolName
+ exe systemctl stop $toolName
+}
+
+step_2_info() { echo "Use certificate from local letsencrypt"; }
+step_2() {
+ readDomain
+
+ local certLoc="${certRoot}/${myDomain}/full.pem"
+ if [ ! -f "$certLoc" ] ; then
+ echo "[ERROR] $certLoc not found"
+ return 1;
+ fi
+
+ local toolCertLoc="/etc/ejabberd/ejabberd.pem"
+ if [ -f "${toolCertLoc}.bck" ] ; then
+ echo "[ERROR] Cannot backup original $toolName certificate"
+ return 1;
+ fi
+
+ exe mv "$toolCertLoc" "${toolCertLoc}.bck"
+ exe ln -s "$certLoc" "$toolCertLoc"
+ # for read access to certificate
+ exe chown root:ejabberd "$certRoot"
+ exe chmod 750 "$certRoot"
+}
+
+step_3_info() { echo "Create basic configuration"; }
+step_3() {
+ readDomain
+ echo -e "\nThis user will be the admin:"
+ readUser
+ addConf -c "$(cat $SEQDIR/ejabberd.yml)" "$toolConfLoc"
+ saveReturn $?
+ endReturn
+ exe sed -i "s/mydomain\.eu/${myDomain}/" "$toolConfLoc"
+ exe sed -i "s/myuser/${myUser}/" "$toolConfLoc"
+ exe mkdir -p "$toolStorageLoc"
+ exe chown root:$toolName "$toolStorageLoc"
+}
+
+step_4_info() { echo "Restart $toolName"; }
+step_4_alias() { ALIAS="restart"; }
+step_4() {
+ exe service ejabberd restart
+}
+
+step_5_info() { echo "Create new user"; }
+step_5_alias() { ALIAS="adduser"; }
+step_5() {
+ readDomain
+ readUser
+ readUserPass
+ exe ejabberdctl register $myUser $myDomain $myPass
+}
+
+step_10_info() { echo "List existing user"; }
+step_10_alias() { ALIAS="listuser"; }
+step_10() {
+ readDomain
+ exe ejabberdctl registered_users $myDomain
+}
+
+step_12_info() { echo "Change password for existing user"; }
+step_12_alias() { ALIAS="passwd"; }
+step_12() {
+ readDomain
+ readUser
+ readUserPass
+ exe ejabberdctl change_password $myUser $myDomain $myPass
+}
+
+
+readDomain() {
+ if [ "$myDomain" == "" ] ; then
+ read -p "Enter your domain: " myDomain
+ endCheckEmpty myDomain "$toolName domain"
+ fi
+}
+
+readUser() {
+ echo -e "\nDon't use spaces in user name!"
+ if [ "$myUser" == "" ] ; then
+ read -p "Enter user name: " myUser
+ echo
+ endCheckEmpty myUser "$toolName user name"
+ fi
+}
+
+readUserPass() {
+ echo -e "\nDon't use spaces in user password!"
+ if [ "$myPass" == "" ] ; then
+ read -s -p "Enter user password: " myPass
+ echo
+ read -s -p "Enter user password again: " myPass2
+ echo
+ if [ "$myPass" != "$myPass2" ] ; then
+ echo "[ERROR] Passwords don't match"
+ return 1;
+ fi
+ endCheckEmpty myPass "$toolName user password"
+ fi
+}
+
+SEQDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >>/dev/null 2>&1 && pwd )"
+VERSION_SEQREV=4
+. sequencer.sh
diff --git a/seqs/ejabberd.yml b/seqs/ejabberd.yml
new file mode 100644
index 0000000..9b752d4
--- /dev/null
+++ b/seqs/ejabberd.yml
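Review bot: step_5 and step_12 ignore the exit status of readUserPass, so when the two password prompts disagree it only prints the error and returns 1, and `exe ejabberdctl register $myUser $myDomain $myPass` still runs with the first value typed; unless sequencer.sh (not shown here) enables `set -e`, both calls should be guarded with `readUserPass || return 1`. The password is also handed to ejabberdctl as a command-line argument, where it is visible in the process list and in any command echo `exe` may perform, and the three unquoted expansions word-split; at minimum write `exe ejabberdctl register "$myUser" "$myDomain" "$myPass"` (same in step_12) and mark the exposure with `# NOTE: password is visible on the ejabberdctl command line`. In step_3 the unvalidated `${myDomain}` and `${myUser}` are spliced into the sed program, so a value containing `/` or `&` silently corrupts the generated config; rejecting such characters in readDomain/readUser, or escaping them before the substitution, makes that failure explicit. The `read -p` calls in readDomain and readUser also lack `-r`, so backslashes in the input are interpreted.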
@@ -0,0 +1,291 @@
+loglevel: 3
+
+log_rotate_size: 0
+log_rotate_date: ""
+log_rate_limit: 100
+
+hosts:
+ - "mydomain.eu"
+
+listen:
+ -
+ port: 5222
+ ip: "::"
+ module: ejabberd_c2s
+ ##
+ ## If TLS is compiled in and you installed a SSL
+ ## certificate, specify the full path to the
+ ## file and uncomment these lines:
+ ##
+ certfile: "/etc/ejabberd/ejabberd.pem"
+ starttls: true
+ ##
+ ## To enforce TLS encryption for client connections,
+ ## use this instead of the "starttls" option:
+ ##
+ ## starttls_required: true
+ ##
+ ## Custom OpenSSL options
+ ##
+ protocol_options:
+ - "no_sslv3"
+ ## - "no_tlsv1"
+ max_stanza_size: 65536
+ shaper: c2s_shaper
+ access: c2s
+ zlib: true
+ resend_on_timeout: if_offline
+ -
+ port: 5269
+ ip: "::"
+ module: ejabberd_s2s_in
+ -
+ port: 5280
+ ip: "::"
+ module: ejabberd_http
+ request_handlers:
+ "/websocket": ejabberd_http_ws
+ ## "/pub/archive": mod_http_fileserver
+ web_admin: true
+ http_bind: true
+ ## register: true
+ ## captcha: true
+ tls: true
+ certfile: "/etc/ejabberd/ejabberd.pem"
+ -
+ port: 5443
+ module: ejabberd_http
+ tls: true
+ certfile: "/etc/ejabberd/ejabberd.pem"
+ request_handlers:
+ "upload": mod_http_upload
+ custom_headers:
+ "Access-Control-Allow-Origin": "*"
+ "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT"
+ "Access-Control-Allow-Headers": "Authorization"
+ "Access-Control-Allow-Credentials": "true"
+
+## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
+## password storage (see auth_password_format option).
+disable_sasl_mechanisms: "digest-md5"
+
+s2s_use_starttls: optional
+
+s2s_certfile: "/etc/ejabberd/ejabberd.pem"
+
+s2s_protocol_options:
+ - "no_sslv3"
+
+outgoing_s2s_families:
+ - ipv4
+## - ipv6
+outgoing_s2s_timeout: 10000
+
+auth_method: internal
+auth_password_format: scram
+
+shaper:
+ ##
+ ## The "normal" shaper limits traffic speed to 1000 B/s
+ ##
+ normal: 1000
+
+ ##
+ ## The "fast" shaper limits traffic speed to 50000 B/s
+ ##
+ fast: 50000
+
+max_fsm_queue: 1000
+
+###. ====================
+###' ACCESS CONTROL LISTS
+acl:
+ admin:
+ user:
+ - "myuser": "mydomain.eu"
+ #- "@localhost"
+
+ local:
+ user_regexp: ""
+
+ loopback:
+ ip:
+ - "127.0.0.0/8"
+
+shaper_rules:
+ ## Maximum number of simultaneous sessions allowed for a single user:
+ max_user_sessions: 10
+ ## Maximum number of offline messages that users can have:
+ max_user_offline_messages:
+ - 5000: admin
+ - 100
+ ## For C2S connections, all users except admins use the "normal" shaper
+ c2s_shaper:
+ - none: admin
+ - normal
+ ## All S2S connections use the "fast" shaper
+ s2s_shaper: fast
+
+###. ============
+###' ACCESS RULES
+access_rules:
+ ## This rule allows access only for local users:
+ local:
+ - allow: local
+ ## Only non-blocked users can use c2s connections:
+ c2s:
+ - deny: blocked
+ - allow
+ ## Only admins can send announcement messages:
+ announce:
+ - allow: admin
+ ## Only admins can use the configuration interface:
+ configure:
+ - allow: admin
+ ## Only accounts of the local ejabberd server can create rooms:
+ muc_create:
+ - allow: local
+ ## Only accounts on the local ejabberd server can create Pubsub nodes:
+ pubsub_createnode:
+ - allow: local
+ ## In-band registration allows registration of any possible username.
+ ## To disable in-band registration, replace 'allow' with 'deny'.
+ register:
+ - deny
+ ## Only allow to register from localhost
+ trusted_network:
+ - allow: loopback
+ ## Do not establish S2S connections with bad servers
+ s2s:
+ ## - deny:
+ ## - ip: "XXX.XXX.XXX.XXX/32"
+ ## - deny:
+ ## - ip: "XXX.XXX.XXX.XXX/32"
+ - allow
+
+language: "en"
+
+modules:
+ mod_adhoc: {}
+ mod_admin_extra: {}
+ mod_announce: # recommends mod_adhoc
+ access: announce
+ mod_blocking: {} # requires mod_privacy
+ mod_caps: {}
+ mod_carboncopy: {}
+ mod_client_state: {}
+ mod_configure: {} # requires mod_adhoc
+ ##mod_delegation: {} # for xep0356
+ mod_disco: {}
+ mod_echo: {}
+ mod_irc: {}
+ mod_http_bind: {}
+ mod_http_upload:
+ docroot: "/var/ejabberd"
+ put_url: "https://@HOST@:5443/upload"
+ thumbnail: true
+ dir_mode: "2770"
+ max_size: 104857600 # 100MB
+ ## mod_http_fileserver:
+ ## docroot: "/var/www"
+ ## accesslog: "/var/log/ejabberd/access.log"
+ mod_last: {}
+ mod_muc:
+ ## host: "conference.@HOST@"
+ access:
+ - allow
+ access_admin:
+ - allow: admin
+ access_create: muc_create
+ access_persistent: muc_create
+ ## mod_muc_log: {}
+ mod_muc_admin: {}
+ ## mod_multicast: {}
+ mod_offline:
+ access_max_user_messages: max_user_offline_messages
+ mod_ping: {}
+ ## mod_pres_counter:
+ ## count: 5
+ ## interval: 60
+ mod_privacy: {}
+ mod_private: {}
+ ## mod_proxy65: {}
+ mod_pubsub:
+ access_createnode: pubsub_createnode
+ ## reduces resource comsumption, but XEP incompliant
+ #ignore_pep_from_offline: true
+ ## XEP compliant, but increases resource comsumption
+ ignore_pep_from_offline: false
+ last_item_cache: false
+ max_items_node: 1000
+ default_node_config:
+ max_items: 1000
+ plugins:
+ - "flat"
+ - "hometree"
+ - "pep" # pep requires mod_caps
+ ## mod_register:
+ ##
+ ## Protect In-Band account registrations with CAPTCHA.
+ ##
+ ## captcha_protected: true
+ ##
+ ## Set the minimum informational entropy for passwords.
+ ##
+ ## password_strength: 32
+ ##
+ ## After successful registration, the user receives
+ ## a message with this subject and body.
+ ##
+ ## welcome_message:
+ ## subject: "Welcome!"
+ ## body: |-
+ ## Hi.
+ ## Welcome to this XMPP server.
+ ##
+ ## When a user registers, send a notification to
+ ## these XMPP accounts.
+ ##
+ ## registration_watchers:
+ ## - "admin1@example.org"
+ ##
+ ## Only clients in the server machine can register accounts
+ ##
+ ## ip_access: trusted_network
+ ##
+ ## Local c2s or remote s2s users cannot register accounts
+ ##
+ ## access_from: deny
+ ## access: register
+ mod_roster:
+ versioning: true
+ mod_shared_roster: {}
+ mod_stats: {}
+ mod_time: {}
+ mod_vcard:
+ search: false
+ mod_version: {}
+
+##
+## Enable modules with custom options in a specific virtual host
+##
+## host_config:
+## "localhost":
+## modules:
+## mod_echo:
+## host: "mirror.localhost"
+
+##
+## Enable modules management via ejabberdctl for installation and
+## uninstallation of public/private contributed modules
+## (enabled by default)
+##
+
+allow_contrib_modules: true
+
+###.
+###'
+### Local Variables:
+### mode: yaml
+### End:
+### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker:
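Review bot: The c2s listener on port 5222 leaves `## starttls_required: true` commented out, so clients may still authenticate over a connection that never upgraded to TLS, and `## - "no_tlsv1"` is likewise commented under `protocol_options` while `s2s_protocol_options` lists only `"no_sslv3"`, so TLS 1.0 stays permitted as far as the build's OpenSSL allows; for a freshly generated config, `starttls_required: true` and `- "no_tlsv1"` on those lines are a small change. On the 5443 upload listener, `"Access-Control-Allow-Origin": "*"` is combined with `"Access-Control-Allow-Credentials": "true"`, a pairing browsers do not honor for credentialed requests, so either name the permitted origin or drop the credentials header. The 5280 listener binds `ip: "::"` with `web_admin: true`, which makes the admin interface reachable from every address and gated only by the `configure` rule (`allow: admin`); since that listener also serves clients over `/websocket` and cannot simply be bound to loopback, a comment beside `web_admin: true` stating that the admin acl is the sole protection would help the next operator judge whether to front it with a firewall or a separate loopback-only listener.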