New seq for ejabberd on debian

2019-06-06 17:32:46 +02:00
parent 6cb5dc595b
commit 223b9d7abe
2 changed files with 415 additions and 0 deletions
--- a/seqs/ejabberd.yml
+++ b/seqs/ejabberd.yml
@@ -0,0 +1,291 @@
+loglevel: 3 
+
+log_rotate_size: 0
+log_rotate_date: ""
+log_rate_limit: 100
+
+hosts:
+  - "mydomain.eu"
+
+listen: 
+  - 
+    port: 5222
+    ip: "::"
+    module: ejabberd_c2s
+    ##
+    ## If TLS is compiled in and you installed a SSL
+    ## certificate, specify the full path to the
+    ## file and uncomment these lines:
+    ##
+    certfile: "/etc/ejabberd/ejabberd.pem"
+    starttls: true
+    ##
+    ## To enforce TLS encryption for client connections,
+    ## use this instead of the "starttls" option:
+    ##
+    ## starttls_required: true
+    ##
+    ## Custom OpenSSL options
+    ##
+    protocol_options:
+      - "no_sslv3"
+    ##   - "no_tlsv1"
+    max_stanza_size: 65536
+    shaper: c2s_shaper
+    access: c2s
+    zlib: true
+    resend_on_timeout: if_offline
+  - 
+    port: 5269
+    ip: "::"
+    module: ejabberd_s2s_in
+  - 
+    port: 5280
+    ip: "::"
+    module: ejabberd_http
+    request_handlers:
+      "/websocket": ejabberd_http_ws
+    ##  "/pub/archive": mod_http_fileserver
+    web_admin: true
+    http_bind: true
+    ## register: true
+    ## captcha: true
+    tls: true
+    certfile: "/etc/ejabberd/ejabberd.pem"
+  -
+    port: 5443
+    module: ejabberd_http
+    tls: true
+    certfile: "/etc/ejabberd/ejabberd.pem"
+    request_handlers:
+      "upload": mod_http_upload
+    custom_headers:
+      "Access-Control-Allow-Origin": "*"
+      "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT"
+      "Access-Control-Allow-Headers": "Authorization"
+      "Access-Control-Allow-Credentials": "true"
+
+## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
+## password storage (see auth_password_format option).
+disable_sasl_mechanisms: "digest-md5"
+
+s2s_use_starttls: optional
+
+s2s_certfile: "/etc/ejabberd/ejabberd.pem"
+
+s2s_protocol_options:
+  - "no_sslv3"
+
+outgoing_s2s_families:
+   - ipv4
+##   - ipv6
+outgoing_s2s_timeout: 10000
+
+auth_method: internal
+auth_password_format: scram
+
+shaper:
+  ##
+  ## The "normal" shaper limits traffic speed to 1000 B/s
+  ##
+  normal: 1000
+
+  ##
+  ## The "fast" shaper limits traffic speed to 50000 B/s
+  ##
+  fast: 50000
+
+max_fsm_queue: 1000
+
+###.   ====================
+###'   ACCESS CONTROL LISTS
+acl:
+  admin:
+     user:
+       - "myuser": "mydomain.eu"
+         #- "@localhost"
+ 
+  local: 
+    user_regexp: ""
+
+  loopback:
+    ip:
+      - "127.0.0.0/8"
+
+shaper_rules:
+  ## Maximum number of simultaneous sessions allowed for a single user:
+  max_user_sessions: 10
+  ## Maximum number of offline messages that users can have:
+  max_user_offline_messages:
+    - 5000: admin
+    - 100
+  ## For C2S connections, all users except admins use the "normal" shaper
+  c2s_shaper:
+    - none: admin
+    - normal
+  ## All S2S connections use the "fast" shaper
+  s2s_shaper: fast
+
+###.  ============
+###'  ACCESS RULES
+access_rules:
+  ## This rule allows access only for local users:
+  local:
+    - allow: local
+  ## Only non-blocked users can use c2s connections:
+  c2s:
+    - deny: blocked
+    - allow
+  ## Only admins can send announcement messages:
+  announce:
+    - allow: admin
+  ## Only admins can use the configuration interface:
+  configure: 
+    - allow: admin
+  ## Only accounts of the local ejabberd server can create rooms:
+  muc_create: 
+    - allow: local
+  ## Only accounts on the local ejabberd server can create Pubsub nodes:
+  pubsub_createnode: 
+    - allow: local
+  ## In-band registration allows registration of any possible username.
+  ## To disable in-band registration, replace 'allow' with 'deny'.
+  register: 
+    - deny 
+  ## Only allow to register from localhost
+  trusted_network: 
+    - allow: loopback
+  ## Do not establish S2S connections with bad servers
+  s2s: 
+  ##   - deny:
+  ##     - ip: "XXX.XXX.XXX.XXX/32"
+  ##   - deny:
+  ##     - ip: "XXX.XXX.XXX.XXX/32"
+    - allow
+
+language: "en"
+
+modules: 
+  mod_adhoc: {}
+  mod_admin_extra: {}
+  mod_announce: # recommends mod_adhoc
+    access: announce
+  mod_blocking: {} # requires mod_privacy
+  mod_caps: {}
+  mod_carboncopy: {}
+  mod_client_state: {}
+  mod_configure: {} # requires mod_adhoc
+  ##mod_delegation: {} # for xep0356
+  mod_disco: {}
+  mod_echo: {}
+  mod_irc: {}
+  mod_http_bind: {}
+  mod_http_upload:
+    docroot: "/var/ejabberd"
+    put_url: "https://@HOST@:5443/upload"
+    thumbnail: true
+    dir_mode: "2770"
+    max_size: 104857600 # 100MB
+  ## mod_http_fileserver:
+  ##   docroot: "/var/www"
+  ##   accesslog: "/var/log/ejabberd/access.log"
+  mod_last: {}
+  mod_muc: 
+    ## host: "conference.@HOST@"
+    access:
+      - allow
+    access_admin:
+      - allow: admin
+    access_create: muc_create
+    access_persistent: muc_create
+  ## mod_muc_log: {}
+  mod_muc_admin: {}
+  ## mod_multicast: {}
+  mod_offline: 
+    access_max_user_messages: max_user_offline_messages
+  mod_ping: {}
+  ## mod_pres_counter:
+  ##   count: 5
+  ##   interval: 60
+  mod_privacy: {}
+  mod_private: {}
+  ## mod_proxy65: {}
+  mod_pubsub: 
+    access_createnode: pubsub_createnode
+    ## reduces resource comsumption, but XEP incompliant
+    #ignore_pep_from_offline: true
+    ## XEP compliant, but increases resource comsumption
+    ignore_pep_from_offline: false
+    last_item_cache: false
+    max_items_node: 1000
+    default_node_config:
+      max_items: 1000
+    plugins: 
+      - "flat"
+      - "hometree"
+      - "pep" # pep requires mod_caps
+  ## mod_register:
+    ##
+    ## Protect In-Band account registrations with CAPTCHA.
+    ##
+    ##   captcha_protected: true
+    ##
+    ## Set the minimum informational entropy for passwords.
+    ##
+    ##   password_strength: 32
+    ##
+    ## After successful registration, the user receives
+    ## a message with this subject and body.
+    ##
+    ##   welcome_message:
+    ##     subject: "Welcome!"
+    ##     body: |-
+    ##       Hi.
+    ##       Welcome to this XMPP server.
+    ##
+    ## When a user registers, send a notification to
+    ## these XMPP accounts.
+    ##
+    ##   registration_watchers:
+    ##     - "admin1@example.org"
+    ##
+    ## Only clients in the server machine can register accounts
+    ##
+    ##   ip_access: trusted_network
+    ##
+    ## Local c2s or remote s2s users cannot register accounts
+    ##
+    ##   access_from: deny
+    ##   access: register
+  mod_roster:
+    versioning: true
+  mod_shared_roster: {}
+  mod_stats: {}
+  mod_time: {}
+  mod_vcard:
+    search: false
+  mod_version: {}
+
+##
+## Enable modules with custom options in a specific virtual host
+##
+## host_config:
+##   "localhost":
+##     modules:
+##       mod_echo:
+##         host: "mirror.localhost"
+
+##
+## Enable modules management via ejabberdctl for installation and
+## uninstallation of public/private contributed modules
+## (enabled by default)
+##
+
+allow_contrib_modules: true
+
+###.
+###'
+### Local Variables:
+### mode: yaml
+### End:
+### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker: