loglevel: 3
hide_sensitive_log_data: true

log_rotate_size: 0
log_rotate_date: ""
log_rate_limit: 100

hosts:
  - "mydomain.eu"

listen: 
  - 
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    ##
    ## If TLS is compiled in and you installed a SSL
    ## certificate, specify the full path to the
    ## file and uncomment these lines:
    ##
    certfile: "/etc/ejabberd/ejabberd.pem"
    ## starttls: true
    ##
    ## To enforce TLS encryption for client connections,
    ## use this instead of the "starttls" option:
    ##
    starttls_required: true
    ##
    ## Custom OpenSSL options
    ##
    protocol_options:
      - "no_sslv3"
      - "no_tlsv1"
      - "no_tlsv1_1"
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
    zlib: true
    resend_on_timeout: if_offline
  - 
    port: 5269
    ip: "::"
    module: ejabberd_s2s_in
  - 
    port: 5280
    ip: "::"
    module: ejabberd_http
    request_handlers:
      "/websocket": ejabberd_http_ws
    ##  "/pub/archive": mod_http_fileserver
    web_admin: true
    http_bind: true
    ## register: true
    ## captcha: true
    tls: true
    certfile: "/etc/ejabberd/ejabberd.pem"
  -
    port: 5443
    module: ejabberd_http
    tls: true
    certfile: "/etc/ejabberd/ejabberd.pem"
    request_handlers:
      "upload": mod_http_upload
    custom_headers:
      "Access-Control-Allow-Origin": "*"
      "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT"
      "Access-Control-Allow-Headers": "Authorization"
      "Access-Control-Allow-Credentials": "true"

## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
## password storage (see auth_password_format option).
disable_sasl_mechanisms:
  - "digest-md5"
  - "x-oauth2"

s2s_use_starttls: required
s2s_certfile: "/etc/ejabberd/ejabberd.pem"
s2s_protocol_options:
  - "no_sslv3"
  - "no_tlsv1"
  - "no_tlsv1_1"

outgoing_s2s_families:
   - ipv4
##   - ipv6
outgoing_s2s_timeout: 10000

auth_method: internal
auth_password_format: scram

###.  ===============
###'  DATABASE _SETUP

### MySQL server:
###
#sql_type: mysql
#sql_server: "localhost"
#sql_database: "db_name"
#sql_username: "db_user"
#sql_password: "db_pass"
## Keepalive in seconds
#sql_keepalive_interval: 28800
#sql_pool_size: 5

###.  ===============
###'  TRAFFIC SHAPERS
shaper:
  ##
  ## The "normal" shaper limits traffic speed to 1000 B/s
  ##
  normal: 1000

  ##
  ## The "fast" shaper limits traffic speed to 50000 B/s
  ##
  fast: 50000

max_fsm_queue: 1000

###.   ====================
###'   ACCESS CONTROL LISTS
acl:
  admin:
     user:
       - "myuser": "mydomain.eu"
         #- "@localhost"
 
  local: 
    user_regexp: ""

  loopback:
    ip:
      - "127.0.0.0/8"

shaper_rules:
  ## Maximum number of simultaneous sessions allowed for a single user:
  max_user_sessions: 10
  ## Maximum number of offline messages that users can have:
  max_user_offline_messages:
    - 5000: admin
    - 100
  ## For C2S connections, all users except admins use the "normal" shaper
  c2s_shaper:
    - none: admin
    - normal
  ## All S2S connections use the "fast" shaper
  s2s_shaper: fast

###.  ============
###'  ACCESS RULES
access_rules:
  ## This rule allows access only for local users:
  local:
    - allow: local
  ## Only non-blocked users can use c2s connections:
  c2s:
    - deny: blocked
    - allow
  ## Only admins can send announcement messages:
  announce:
    - allow: admin
  ## Only admins can use the configuration interface:
  configure: 
    - allow: admin
  ## Only accounts of the local ejabberd server can create rooms:
  muc_create: 
    - allow: local
  ## Only accounts on the local ejabberd server can create Pubsub nodes:
  pubsub_createnode: 
    - allow: local
  ## In-band registration allows registration of any possible username.
  ## To disable in-band registration, replace 'allow' with 'deny'.
  register: 
    - deny 
  ## Only allow to register from localhost
  trusted_network: 
    - allow: loopback
  ## Do not establish S2S connections with bad servers
  s2s: 
  ##   - deny:
  ##     - ip: "XXX.XXX.XXX.XXX/32"
  ##   - deny:
  ##     - ip: "XXX.XXX.XXX.XXX/32"
    - allow

language: "en"

modules: 
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce: # recommends mod_adhoc
    access: announce
  mod_blocking: {} # requires mod_privacy
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {} # requires mod_adhoc
  ##mod_delegation: {} # for xep0356
  mod_disco:
    server_info:
      -
        modules: all
        name: "abuse-addresses"
        urls:
          - "mailto:jabberadmin@mydomain.eu"
  mod_echo: {}
  mod_irc: {}
  mod_http_bind: {}
  mod_http_upload:
    docroot: "/var/ejabberd"
    put_url: "https://@HOST@:5443/upload"
    thumbnail: true
    dir_mode: "2770"
    max_size: 104857600 # 100MB
  ## mod_http_fileserver:
  ##   docroot: "/var/www"
  ##   accesslog: "/var/log/ejabberd/access.log"
  mod_last: {}
  mod_muc: 
    ## host: "conference.@HOST@"
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
  ## mod_muc_log: {}
  mod_muc_admin: {}
  ## mod_multicast: {}
  mod_offline: 
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  ## mod_pres_counter:
  ##   count: 5
  ##   interval: 60
  mod_privacy: {}
  mod_private: {}
  ## mod_proxy65: {}
  mod_pubsub: 
    access_createnode: pubsub_createnode
    ## reduces resource comsumption, but XEP incompliant
    #ignore_pep_from_offline: true
    ## XEP compliant, but increases resource comsumption
    ignore_pep_from_offline: false
    last_item_cache: false
    max_items_node: 1000
    default_node_config:
      max_items: 1000
    plugins: 
      - "flat"
      - "hometree"
      - "pep" # pep requires mod_caps
  mod_register:
    ##
    ## Protect In-Band account registrations with CAPTCHA.
    ##
    ##   captcha_protected: true
    ##
    ## Set the minimum informational entropy for passwords.
    ##
    ##   password_strength: 32
    ##
    ## After successful registration, the user receives
    ## a message with this subject and body.
    ##
    ##   welcome_message:
    ##     subject: "Welcome!"
    ##     body: |-
    ##       Hi.
    ##       Welcome to this XMPP server.
    ##
    ## When a user registers, send a notification to
    ## these XMPP accounts.
    ##
    ##   registration_watchers:
    ##     - "admin1@example.org"
    ##
    ## Only clients in the server machine can register accounts
    ##
    ##   ip_access: trusted_network
    ##
    ## Local c2s or remote s2s users cannot register accounts
    ##
    ##   access_from: deny
    ##   access: register
    
    # No registration, but allow existing accounts to change password
    access: none
  mod_roster:
    versioning: true
  mod_shared_roster: {}
  mod_stats: {}
  mod_time: {}
  mod_vcard:
    search: false
  mod_version:
    show_os: false

##
## Enable modules with custom options in a specific virtual host
##
## host_config:
##   "localhost":
##     modules:
##       mod_echo:
##         host: "mirror.localhost"

##
## Enable modules management via ejabberdctl for installation and
## uninstallation of public/private contributed modules
## (enabled by default)
##

allow_contrib_modules: true

###.
###'
### Local Variables:
### mode: yaml
### End:
### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker: