Was missing a couple of necessary properties, and is now using an explicit port range for TURN, and opening those ports in UFW.
loglevel: 4
|
|
|
|
log_rotate_size: 10485760
|
|
log_rotate_date: ""
|
|
log_rotate_count: 1
|
|
|
|
log_rate_limit: 100
|
|
|
|
hosts:
|
|
<% @hosts.each do |host| -%>
|
|
- "<%= host[:name] %>"
|
|
<% end -%>
|
|
|
|
<% @hosts.each do |host| -%>
|
|
include_config_file: "/opt/ejabberd/conf/<%= host[:name] %>.yml"
|
|
<% end -%>
|
|
|
|
ca_file: "/opt/ejabberd/conf/cacert.pem"
|
|
|
|
define_macro:
|
|
'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
|
|
'TLS_OPTIONS':
|
|
- "no_sslv3"
|
|
- "cipher_server_preference"
|
|
- "no_compression"
|
|
'DH_FILE': "/opt/ejabberd/conf/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 2048
|
|
|
|
c2s_dhfile: 'DH_FILE'
|
|
s2s_dhfile: 'DH_FILE'
|
|
c2s_ciphers: 'TLS_CIPHERS'
|
|
s2s_ciphers: 'TLS_CIPHERS'
|
|
c2s_protocol_options: 'TLS_OPTIONS'
|
|
s2s_protocol_options: 'TLS_OPTIONS'
|
|
|
|
listen:
|
|
-
|
|
port: 5222
|
|
ip: "::"
|
|
module: ejabberd_c2s
|
|
starttls: true
|
|
max_stanza_size: 65536
|
|
shaper: c2s_shaper
|
|
access: c2s
|
|
-
|
|
port: 5223
|
|
ip: "::"
|
|
module: ejabberd_c2s
|
|
tls: true
|
|
max_stanza_size: 65536
|
|
shaper: c2s_shaper
|
|
access: c2s
|
|
-
|
|
port: 5269
|
|
ip: "::"
|
|
module: ejabberd_s2s_in
|
|
max_stanza_size: 131072
|
|
shaper: s2s_shaper
|
|
-
|
|
port: 5443
|
|
ip: "::"
|
|
module: ejabberd_http
|
|
request_handlers:
|
|
"/ws": ejabberd_http_ws
|
|
"/bosh": mod_bosh
|
|
"/api": mod_http_api
|
|
"/upload": mod_http_upload
|
|
"/admin": ejabberd_web_admin
|
|
custom_headers:
|
|
"Access-Control-Allow-Origin": "*"
|
|
"Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT"
|
|
"Access-Control-Allow-Headers": "Authorization"
|
|
"Access-Control-Allow-Credentials": "true"
|
|
tls: true
|
|
## "/pub/archive": mod_http_fileserver
|
|
## register: true
|
|
captcha: false
|
|
-
|
|
port: 3478
|
|
transport: udp
|
|
module: ejabberd_stun
|
|
auth_realm: <%= @stun_auth_realm %>
|
|
use_turn: true
|
|
turn_ip: <%= @turn_ip_address %>
|
|
turn_min_port: <%= @turn_min_port %>
|
|
turn_max_port: <%= @turn_max_port %>
|
|
|
|
s2s_use_starttls: optional
|
|
|
|
auth_password_format: scram
|
|
auth_method: sql
|
|
|
|
default_db: sql
|
|
|
|
shaper:
|
|
normal: 1000
|
|
fast: 50000
|
|
|
|
max_fsm_queue: 10000
|
|
|
|
acl:
|
|
admin:
|
|
user:
|
|
<% @admin_users.each do |admin| -%>
|
|
- "<%= admin %>"
|
|
<% end -%>
|
|
|
|
local:
|
|
user_regexp: ""
|
|
|
|
loopback:
|
|
ip:
|
|
- "127.0.0.0/8"
|
|
- "::1/128"
|
|
- "::FFFF:127.0.0.1/128"
|
|
|
|
shaper_rules:
|
|
max_user_sessions: 10
|
|
max_user_offline_messages:
|
|
- 5000: admin
|
|
- 100
|
|
c2s_shaper:
|
|
- none: admin
|
|
- normal
|
|
s2s_shaper: fast
|
|
|
|
access_rules:
|
|
local:
|
|
- allow: local
|
|
c2s:
|
|
- deny: blocked
|
|
- allow
|
|
announce:
|
|
- allow: admin
|
|
configure:
|
|
- allow: admin
|
|
muc_create:
|
|
- allow: admin
|
|
- allow: local
|
|
pubsub_createnode:
|
|
- allow: local
|
|
register:
|
|
- allow
|
|
trusted_network:
|
|
- allow: loopback
|
|
|
|
api_permissions:
|
|
"console commands":
|
|
from:
|
|
- ejabberd_ctl
|
|
who: all
|
|
what: "*"
|
|
"admin access":
|
|
who:
|
|
- access:
|
|
- allow:
|
|
- acl: loopback
|
|
- acl: admin
|
|
- oauth:
|
|
- scope: "ejabberd:admin"
|
|
- access:
|
|
- allow:
|
|
- acl: loopback
|
|
- acl: admin
|
|
what:
|
|
- "*"
|
|
- "!stop"
|
|
- "!start"
|
|
"public commands":
|
|
who:
|
|
- ip: "127.0.0.1/8"
|
|
what:
|
|
- "status"
|
|
- "connected_users_number"
|
|
|
|
language: "en"
|
|
|
|
modules:
|
|
mod_adhoc: {}
|
|
mod_admin_extra: {}
|
|
mod_announce: # recommends mod_adhoc
|
|
access: announce
|
|
mod_blocking: {} # requires mod_privacy
|
|
mod_caps: {}
|
|
mod_carboncopy: {}
|
|
mod_client_state: {}
|
|
mod_configure: {} # requires mod_adhoc
|
|
mod_disco:
|
|
server_info:
|
|
-
|
|
modules: all
|
|
name: "abuse-addresses"
|
|
urls: ["mailto:abuse@@HOST@"]
|
|
mod_bosh: {}
|
|
mod_http_upload:
|
|
docroot: "/opt/ejabberd/uploads/xmpp.@HOST@/"
|
|
put_url: "https://xmpp.@HOST@:5443/upload"
|
|
thumbnail: false # otherwise needs the identify command from ImageMagick installed
|
|
mod_last: {}
|
|
mod_mam:
|
|
default: always
|
|
request_activates_archiving: true
|
|
mod_muc_admin: {}
|
|
mod_offline:
|
|
access_max_user_messages: max_user_offline_messages
|
|
mod_ping: {}
|
|
mod_privacy: {}
|
|
mod_private: {}
|
|
mod_proxy65: {}
|
|
mod_pubsub:
|
|
access_createnode: pubsub_createnode
|
|
ignore_pep_from_offline: false
|
|
last_item_cache: false
|
|
max_items_node: 10
|
|
plugins:
|
|
- "flat"
|
|
- "pep" # pep requires mod_caps
|
|
mod_push: {}
|
|
mod_push_keepalive: {}
|
|
# Allow existing accounts to change their password
|
|
mod_register:
|
|
access: none
|
|
mod_roster:
|
|
versioning: true
|
|
store_current_id: true
|
|
mod_shared_roster: {}
|
|
mod_stun_disco: {}
|
|
mod_vcard:
|
|
search: false
|
|
mod_vcard_xupdate: {}
|
|
mod_avatar: {}
|
|
mod_version: {}
|
|
mod_stream_mgmt: {}
|
|
mod_s2s_dialback: {}
|
|
mod_http_api: {}
|
|
|
|
allow_contrib_modules: true
|
|
|
|
### Local Variables:
|
|
### mode: yaml
|
|
### End:
|
|
### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker:
|
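Review bot: The `ejabberd_http` listener on port 5443 sets `"Access-Control-Allow-Origin": "*"` together with `"Access-Control-Allow-Credentials": "true"` while the same listener also serves `/admin` (ejabberd_web_admin) and `/api` (mod_http_api); browsers reject credentialed cross-origin requests against a wildcard origin, so the credentials header does nothing, and a wildcard is wider than the `/upload`, `/bosh` and `/ws` handlers appear to need. Either restrict the origin to the specific web client(s) that call these paths or drop the credentials header, and consider splitting the admin/API handlers onto a listener that is not CORS-enabled at all. Separately, `"public commands"` matches `ip: "127.0.0.1/8"` whereas the `loopback` acl uses `"127.0.0.0/8"`; the host bits look unintended, so `- ip: "127.0.0.0/8"` (or reusing `- acl: loopback`) would make the two agree. The `TLS_OPTIONS` macro disables only SSLv3; adding `- "no_tlsv1"` and `- "no_tlsv1_1"` would bring the c2s/s2s listeners in line with the strict cipher string already chosen. The templated `auth_realm: <%= @stun_auth_realm %>` and `turn_ip: <%= @turn_ip_address %>` values are unquoted, so an empty expansion becomes `null` rather than a parse-time error; quoting them as `"<%= ... %>"` like the `hosts` entries would surface a missing variable earlier.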