...

author: Gregor Kleen <gkleen@yggdrasil.li> 2020-07-12 19:42:36 +0200
committer: Gregor Kleen <gkleen@yggdrasil.li> 2020-07-12 19:42:36 +0200
commit: a960a3c9a49ea51ebcf341b74275940a6c44076c (patch)
tree: 6fc43e0aa3d550c94491231d75bbe331c4541a22 /ymir/ejabberd.yml
parent: f8a30dfd880637a9db306fd16b0da22354d93d03 (diff)
download: nixos-a960a3c9a49ea51ebcf341b74275940a6c44076c.tar
nixos-a960a3c9a49ea51ebcf341b74275940a6c44076c.tar.gz
nixos-a960a3c9a49ea51ebcf341b74275940a6c44076c.tar.bz2
nixos-a960a3c9a49ea51ebcf341b74275940a6c44076c.tar.xz
nixos-a960a3c9a49ea51ebcf341b74275940a6c44076c.zip
1 files changed, 183 insertions, 0 deletions
diff --git a/ymir/ejabberd.yml b/ymir/ejabberd.yml
new file mode 100644
index 00000000..f51629e2
--- /dev/null
+++ b/ymir/ejabberd.yml
@@ -0,0 +1,183 @@
+  loglevel: 4
+  hosts:
+    - xmpp.li
+    - yggdrasil.li
+    - praseodym.org
+    - 141.li
+    - nights.email
+  certfiles: 
+    - /var/lib/acme/yggdrasil.li/fullchain.pem
+    - /var/lib/acme/yggdrasil.li/key.pem
+  listen:
+    - port: 5222
+      ip: "::"
+      module: ejabberd_c2s
+      starttls: true
+      starttls_required: true
+      max_stanza_size: 262144
+      shaper: c2s_shaper
+      access: c2s
+    - port: 5269
+      ip: "::"
+      module: ejabberd_s2s_in
+      max_stanza_size: 524288
+s2s_use_starttls: optional
+auth_method: [pam]
+pam_service: xmpp
+acl:
+  local:
+    user_regexp: ""
+  loopback:
+    ip:
+      - 127.0.0.0/8
+      - ::1/128
+  admin:
+    user:
+      - "gkleen@xmpp.li"
+      - "gkleen@praseodym.org"
+      - "gkleen@141.li"
+      - "gkleen@yggdrasil.li"
+access_rules:
+  local:
+    allow: local
+  c2s:
+    deny: blocked
+    allow: all
+  announce:
+    allow: admin
+  configure:
+    allow: admin
+  muc_create:
+    allow: local
+  pubsub_createnode:
+    allow: local
+  trusted_network:
+    allow: loopback
+api_permissions:
+  "console commands":
+    from:
+      - ejabberd_ctl
+    who: all
+    what: "*"
+  "admin access":
+    who:
+      access:
+        allow:
+          - acl: loopback
+          - acl: admin
+      oauth:
+        scope: "ejabberd:admin"
+        access:
+          allow:
+            - acl: loopback
+            - acl: admin
+    what:
+      - "*"
+      - "!stop"
+      - "!start"
+  "public commands":
+    who:
+      ip: 127.0.0.1/8
+    what:
+      - status
+      - connected_users_number
+shaper:
+  normal:
+    rate: 3000
+    burst_size: 20000
+  fast: 100000
+shaper_rules:
+  max_user_sessions: 10
+  max_user_offline_messages:
+    5000: admin
+    100: all
+  c2s_shaper:
+    none: admin
+    normal: all
+  s2s_shaper: fast
+modules:
+  mod_adhoc: {}
+  mod_admin_extra: {}
+  mod_announce:
+    access: announce
+  mod_avatar: {}
+  mod_blocking: {}
+  mod_bosh: {}
+  mod_caps: {}
+  mod_carboncopy: {}
+  mod_client_state: {}
+  mod_configure: {}
+  mod_disco: {}
+  mod_fail2ban: {}
+  mod_http_api: {}
+  # mod_http_upload:
+  #   put_url: https://@HOST@:5443/upload
+  #   custom_headers:
+  #     "Access-Control-Allow-Origin": "https://@HOST@"
+  #     "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
+  #     "Access-Control-Allow-Headers": "Content-Type"
+  mod_last: {}
+  mod_mam:
+    ## Mnesia is limited to 2GB, better to use an SQL backend
+    ## For small servers SQLite is a good fit and is very easy
+    ## to configure. Uncomment this when you have SQL configured:
+    ## db_type: sql
+    assume_mam_usage: true
+    default: always
+  mod_mqtt: {}
+  mod_muc:
+    access:
+      - allow
+    access_admin:
+      - allow: admin
+    access_create: muc_create
+    access_persistent: muc_create
+    access_mam:
+      - allow
+    default_room_options:
+      mam: true
+  mod_muc_admin: {}
+  mod_offline:
+    access_max_user_messages: max_user_offline_messages
+  mod_ping: {}
+  mod_privacy: {}
+  mod_private: {}
+  mod_proxy65:
+    access: local
+    max_connections: 5
+  mod_pubsub:
+    access_createnode: pubsub_createnode
+    plugins:
+      - flat
+      - pep
+    force_node_config:
+      ## Avoid buggy clients to make their bookmarks public
+      storage:bookmarks:
+        access_model: whitelist
+  mod_push: {}
+  mod_push_keepalive: {}
+  mod_register:
+    ## Only accept registration requests from the "trusted"
+    ## network (see access_rules section above).
+    ## Think twice before enabling registration from any
+    ## address. See the Jabber SPAM Manifesto for details:
+    ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
+    ip_access: trusted_network
+  mod_roster:
+    versioning: true
+  mod_s2s_dialback: {}
+  mod_shared_roster: {}
+  mod_stream_mgmt:
+    resend_on_timeout: if_offline
+  mod_stun_disco: {}
+  mod_vcard: {}
+  mod_vcard_xupdate: {}
+  mod_version:
+    show_os: false
author	Gregor Kleen <gkleen@yggdrasil.li>	2020-07-12 19:42:36 +0200
committer	Gregor Kleen <gkleen@yggdrasil.li>	2020-07-12 19:42:36 +0200
commit	a960a3c9a49ea51ebcf341b74275940a6c44076c (patch)
tree	6fc43e0aa3d550c94491231d75bbe331c4541a22 /ymir/ejabberd.yml
parent	f8a30dfd880637a9db306fd16b0da22354d93d03 (diff)
download	nixos-a960a3c9a49ea51ebcf341b74275940a6c44076c.tar nixos-a960a3c9a49ea51ebcf341b74275940a6c44076c.tar.gz nixos-a960a3c9a49ea51ebcf341b74275940a6c44076c.tar.bz2 nixos-a960a3c9a49ea51ebcf341b74275940a6c44076c.tar.xz nixos-a960a3c9a49ea51ebcf341b74275940a6c44076c.zip

diff --git a/ymir/ejabberd.yml b/ymir/ejabberd.yml new file mode 100644 index 00000000..f51629e2 --- /dev/null +++ b/ymir/ejabberd.yml
@@ -0,0 +1,183 @@
	1	loglevel: 4
	2	hosts:
	3	- xmpp.li
	4	- yggdrasil.li
	5	- praseodym.org
	6	- 141.li
	7	- nights.email
	8	certfiles:
	9	- /var/lib/acme/yggdrasil.li/fullchain.pem
	10	- /var/lib/acme/yggdrasil.li/key.pem
	11	listen:
	12	- port: 5222
	13	ip: "::"
	14	module: ejabberd_c2s
	15	starttls: true
	16	starttls_required: true
	17	max_stanza_size: 262144
	18	shaper: c2s_shaper
	19	access: c2s
	20	- port: 5269
	21	ip: "::"
	22	module: ejabberd_s2s_in
	23	max_stanza_size: 524288
	24	s2s_use_starttls: optional
	25
	26	auth_method: [pam]
	27	pam_service: xmpp
	28
	29	acl:
	30	local:
	31	user_regexp: ""
	32	loopback:
	33	ip:
	34	- 127.0.0.0/8
	35	- ::1/128
	36	admin:
	37	user:
	38	- "gkleen@xmpp.li"
	39	- "gkleen@praseodym.org"
	40	- "gkleen@141.li"
	41	- "gkleen@yggdrasil.li"
	42
	43	access_rules:
	44	local:
	45	allow: local
	46	c2s:
	47	deny: blocked
	48	allow: all
	49	announce:
	50	allow: admin
	51	configure:
	52	allow: admin
	53	muc_create:
	54	allow: local
	55	pubsub_createnode:
	56	allow: local
	57	trusted_network:
	58	allow: loopback
	59
	60	api_permissions:
	61	"console commands":
	62	from:
	63	- ejabberd_ctl
	64	who: all
	65	what: "*"
	66	"admin access":
	67	who:
	68	access:
	69	allow:
	70	- acl: loopback
	71	- acl: admin
	72	oauth:
	73	scope: "ejabberd:admin"
	74	access:
	75	allow:
	76	- acl: loopback
	77	- acl: admin
	78	what:
	79	- "*"
	80	- "!stop"
	81	- "!start"
	82	"public commands":
	83	who:
	84	ip: 127.0.0.1/8
	85	what:
	86	- status
	87	- connected_users_number
	88
	89	shaper:
	90	normal:
	91	rate: 3000
	92	burst_size: 20000
	93	fast: 100000
	94
	95	shaper_rules:
	96	max_user_sessions: 10
	97	max_user_offline_messages:
	98	5000: admin
	99	100: all
	100	c2s_shaper:
	101	none: admin
	102	normal: all
	103	s2s_shaper: fast
	104
	105	modules:
	106	mod_adhoc: {}
	107	mod_admin_extra: {}
	108	mod_announce:
	109	access: announce
	110	mod_avatar: {}
	111	mod_blocking: {}
	112	mod_bosh: {}
	113	mod_caps: {}
	114	mod_carboncopy: {}
	115	mod_client_state: {}
	116	mod_configure: {}
	117	mod_disco: {}
	118	mod_fail2ban: {}
	119	mod_http_api: {}
	120	# mod_http_upload:
	121	# put_url: https://@HOST@:5443/upload
	122	# custom_headers:
	123	# "Access-Control-Allow-Origin": "https://@HOST@"
	124	# "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
	125	# "Access-Control-Allow-Headers": "Content-Type"
	126	mod_last: {}
	127	mod_mam:
	128	## Mnesia is limited to 2GB, better to use an SQL backend
	129	## For small servers SQLite is a good fit and is very easy
	130	## to configure. Uncomment this when you have SQL configured:
	131	## db_type: sql
	132	assume_mam_usage: true
	133	default: always
	134	mod_mqtt: {}
	135	mod_muc:
	136	access:
	137	- allow
	138	access_admin:
	139	- allow: admin
	140	access_create: muc_create
	141	access_persistent: muc_create
	142	access_mam:
	143	- allow
	144	default_room_options:
	145	mam: true
	146	mod_muc_admin: {}
	147	mod_offline:
	148	access_max_user_messages: max_user_offline_messages
	149	mod_ping: {}
	150	mod_privacy: {}
	151	mod_private: {}
	152	mod_proxy65:
	153	access: local
	154	max_connections: 5
	155	mod_pubsub:
	156	access_createnode: pubsub_createnode
	157	plugins:
	158	- flat
	159	- pep
	160	force_node_config:
	161	## Avoid buggy clients to make their bookmarks public
	162	storage:bookmarks:
	163	access_model: whitelist
	164	mod_push: {}
	165	mod_push_keepalive: {}
	166	mod_register:
	167	## Only accept registration requests from the "trusted"
	168	## network (see access_rules section above).
	169	## Think twice before enabling registration from any
	170	## address. See the Jabber SPAM Manifesto for details:
	171	## https://github.com/ge0rg/jabber-spam-fighting-manifesto
	172	ip_access: trusted_network
	173	mod_roster:
	174	versioning: true
	175	mod_s2s_dialback: {}
	176	mod_shared_roster: {}
	177	mod_stream_mgmt:
	178	resend_on_timeout: if_offline
	179	mod_stun_disco: {}
	180	mod_vcard: {}
	181	mod_vcard_xupdate: {}
	182	mod_version:
	183	show_os: false