From a960a3c9a49ea51ebcf341b74275940a6c44076c Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 12 Jul 2020 19:42:36 +0200
Subject: ...
---
 ymir.nix | 186 +----------------------------------------------------
 ymir/ejabberd.yml | 183 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 184 insertions(+), 185 deletions(-)
 create mode 100644 ymir/ejabberd.yml
diff --git a/ymir.nix b/ymir.nix
index abb40975..98b3cc0e 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -242,191 +242,7 @@ in rec {
 services.ejabberd = {
 enable = true;
 package = pkgs.ejabberd.override { withPam = true; };
- configFile = ''
- loglevel: 4
- hosts:
- - xmpp.li
- - yggdrasil.li
- - praseodym.org
- - 141.li
- - nights.email
- certfiles:
- - /var/lib/acme/yggdrasil.li/fullchain.pem
- - /var/lib/acme/yggdrasil.li/key.pem
- listen:
- - port: 5222
- ip: "::"
- module: ejabberd_c2s
- starttls: true
- starttls_required: true
- max_stanza_size: 262144
- shaper: c2s_shaper
- access: c2s
- - port: 5269
- ip: "::"
- module: ejabberd_s2s_in
- max_stanza_size: 524288
- s2s_use_starttls: optional
-
- auth_method: [pam]
- pam_service: xmpp
-
- acl:
- local:
- user_regexp: ""
- loopback:
- ip:
- - 127.0.0.0/8
- - ::1/128
- admin:
- user:
- - "gkleen@xmpp.li"
- - "gkleen@praseodym.org"
- - "gkleen@141.li"
- - "gkleen@yggdrasil.li"
-
- access_rules:
- local:
- allow: local
- c2s:
- deny: blocked
- allow: all
- announce:
- allow: admin
- configure:
- allow: admin
- muc_create:
- allow: local
- pubsub_createnode:
- allow: local
- trusted_network:
- allow: loopback
-
- api_permissions:
- "console commands":
- from:
- - ejabberd_ctl
- who: all
- what: "*"
- "admin access":
- who:
- access:
- allow:
- - acl: loopback
- - acl: admin
- oauth:
- scope: "ejabberd:admin"
- access:
- allow:
- - acl: loopback
- - acl: admin
- what:
- - "*"
- - "!stop"
- - "!start"
- "public commands":
- who:
- ip: 127.0.0.1/8
- what:
- - status
- - connected_users_number
-
- shaper:
- normal:
- rate: 3000
- burst_size: 20000
- fast: 100000
-
- shaper_rules:
- max_user_sessions: 10
- max_user_offline_messages:
- 5000: admin
- 100: all
- c2s_shaper:
- none: admin
- normal: all
- s2s_shaper: fast
-
- modules:
- mod_adhoc: {}
- mod_admin_extra: {}
- mod_announce:
- access: announce
- mod_avatar: {}
- mod_blocking: {}
- mod_bosh: {}
- mod_caps: {}
- mod_carboncopy: {}
- mod_client_state: {}
- mod_configure: {}
- mod_disco: {}
- mod_fail2ban: {}
- mod_http_api: {}
- # mod_http_upload:
- # put_url: https://@HOST@:5443/upload
- # custom_headers:
- # "Access-Control-Allow-Origin": "https://@HOST@"
- # "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
- # "Access-Control-Allow-Headers": "Content-Type"
- mod_last: {}
- mod_mam:
- ## Mnesia is limited to 2GB, better to use an SQL backend
- ## For small servers SQLite is a good fit and is very easy
- ## to configure. Uncomment this when you have SQL configured:
- ## db_type: sql
- assume_mam_usage: true
- default: always
- mod_mqtt: {}
- mod_muc:
- access:
- - allow
- access_admin:
- - allow: admin
- access_create: muc_create
- access_persistent: muc_create
- access_mam:
- - allow
- default_room_options:
- mam: true
- mod_muc_admin: {}
- mod_offline:
- access_max_user_messages: max_user_offline_messages
- mod_ping: {}
- mod_privacy: {}
- mod_private: {}
- mod_proxy65:
- access: local
- max_connections: 5
- mod_pubsub:
- access_createnode: pubsub_createnode
- plugins:
- - flat
- - pep
- force_node_config:
- ## Avoid buggy clients to make their bookmarks public
- storage:bookmarks:
- access_model: whitelist
- mod_push: {}
- mod_push_keepalive: {}
- mod_register:
- ## Only accept registration requests from the "trusted"
- ## network (see access_rules section above).
- ## Think twice before enabling registration from any
- ## address. See the Jabber SPAM Manifesto for details:
- ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
- ip_access: trusted_network
- mod_roster:
- versioning: true
- mod_s2s_dialback: {}
- mod_shared_roster: {}
- mod_stream_mgmt:
- resend_on_timeout: if_offline
- mod_stun_disco: {}
- mod_vcard: {}
- mod_vcard_xupdate: {}
- mod_version:
- show_os: false
- '';
+ configFile = ./ymir/ejabberd.yml;
 };
 
 security.pam.services."xmpp".text = ''
diff --git a/ymir/ejabberd.yml b/ymir/ejabberd.yml
new file mode 100644
index 00000000..f51629e2
--- /dev/null
+++ b/ymir/ejabberd.yml
@@ -0,0 +1,183 @@
+ loglevel: 4
+ hosts:
+ - xmpp.li
+ - yggdrasil.li
+ - praseodym.org
+ - 141.li
+ - nights.email
+ certfiles:
+ - /var/lib/acme/yggdrasil.li/fullchain.pem
+ - /var/lib/acme/yggdrasil.li/key.pem
+ listen:
+ - port: 5222
+ ip: "::"
+ module: ejabberd_c2s
+ starttls: true
+ starttls_required: true
+ max_stanza_size: 262144
+ shaper: c2s_shaper
+ access: c2s
+ - port: 5269
+ ip: "::"
+ module: ejabberd_s2s_in
+ max_stanza_size: 524288
+s2s_use_starttls: optional
+
+auth_method: [pam]
+pam_service: xmpp
+
+acl:
+ local:
+ user_regexp: ""
+ loopback:
+ ip:
+ - 127.0.0.0/8
+ - ::1/128
+ admin:
+ user:
+ - "gkleen@xmpp.li"
+ - "gkleen@praseodym.org"
+ - "gkleen@141.li"
+ - "gkleen@yggdrasil.li"
+
+access_rules:
+ local:
+ allow: local
+ c2s:
+ deny: blocked
+ allow: all
+ announce:
+ allow: admin
+ configure:
+ allow: admin
+ muc_create:
+ allow: local
+ pubsub_createnode:
+ allow: local
+ trusted_network:
+ allow: loopback
+
+api_permissions:
+ "console commands":
+ from:
+ - ejabberd_ctl
+ who: all
+ what: "*"
+ "admin access":
+ who:
+ access:
+ allow:
+ - acl: loopback
+ - acl: admin
+ oauth:
+ scope: "ejabberd:admin"
+ access:
+ allow:
+ - acl: loopback
+ - acl: admin
+ what:
+ - "*"
+ - "!stop"
+ - "!start"
+ "public commands":
+ who:
+ ip: 127.0.0.1/8
+ what:
+ - status
+ - connected_users_number
+
+shaper:
+ normal:
+ rate: 3000
+ burst_size: 20000
+ fast: 100000
+
+shaper_rules:
+ max_user_sessions: 10
+ max_user_offline_messages:
+ 5000: admin
+ 100: all
+ c2s_shaper:
+ none: admin
+ normal: all
+ s2s_shaper: fast
+
+modules:
+ mod_adhoc: {}
+ mod_admin_extra: {}
+ mod_announce:
+ access: announce
+ mod_avatar: {}
+ mod_blocking: {}
+ mod_bosh: {}
+ mod_caps: {}
+ mod_carboncopy: {}
+ mod_client_state: {}
+ mod_configure: {}
+ mod_disco: {}
+ mod_fail2ban: {}
+ mod_http_api: {}
+ # mod_http_upload:
+ # put_url: https://@HOST@:5443/upload
+ # custom_headers:
+ # "Access-Control-Allow-Origin": "https://@HOST@"
+ # "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
+ # "Access-Control-Allow-Headers": "Content-Type"
+ mod_last: {}
+ mod_mam:
+ ## Mnesia is limited to 2GB, better to use an SQL backend
+ ## For small servers SQLite is a good fit and is very easy
+ ## to configure. Uncomment this when you have SQL configured:
+ ## db_type: sql
+ assume_mam_usage: true
+ default: always
+ mod_mqtt: {}
+ mod_muc:
+ access:
+ - allow
+ access_admin:
+ - allow: admin
+ access_create: muc_create
+ access_persistent: muc_create
+ access_mam:
+ - allow
+ default_room_options:
+ mam: true
+ mod_muc_admin: {}
+ mod_offline:
+ access_max_user_messages: max_user_offline_messages
+ mod_ping: {}
+ mod_privacy: {}
+ mod_private: {}
+ mod_proxy65:
+ access: local
+ max_connections: 5
+ mod_pubsub:
+ access_createnode: pubsub_createnode
+ plugins:
+ - flat
+ - pep
+ force_node_config:
+ ## Avoid buggy clients to make their bookmarks public
+ storage:bookmarks:
+ access_model: whitelist
+ mod_push: {}
+ mod_push_keepalive: {}
+ mod_register:
+ ## Only accept registration requests from the "trusted"
+ ## network (see access_rules section above).
+ ## Think twice before enabling registration from any
+ ## address. See the Jabber SPAM Manifesto for details:
+ ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
+ ip_access: trusted_network
+ mod_roster:
+ versioning: true
+ mod_s2s_dialback: {}
+ mod_shared_roster: {}
+ mod_stream_mgmt:
+ resend_on_timeout: if_offline
+ mod_stun_disco: {}
+ mod_vcard: {}
+ mod_vcard_xupdate: {}
+ mod_version:
+ show_os: false
-- cgit v1.2.3
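Review bot: The new file's indentation looks inconsistent at the top of the hunk: the first 23 lines, `loglevel: 4` through `max_stanza_size: 524288`, are rendered with a leading space after the `+` marker, while `s2s_use_starttls: optional` and every later top-level key (`auth_method`, `acl`, `access_rules`, `api_permissions`, `shaper`, `shaper_rules`, `modules`) begin at column 0 — the pattern left behind when a block is only partly dedented out of the Nix `''` string that the ymir.nix hunk removes. Runs of whitespace are collapsed in this rendering, so the exact indent cannot be read here and this needs confirming in the committed file; but if `loglevel:`, `hosts:`, `certfiles:` and `listen:` really are indented, a root mapping that starts indented and is then followed by a column-0 key is a YAML parse error and ejabberd will refuse to load the file. The old Nix indented string stripped common leading whitespace automatically, whereas `configFile = ./ymir/ejabberd.yml;` passes the file through verbatim, so that safety net is gone with this commit. Dedent those four top-level keys (and their children by the same amount) to column 0 and run the file through `yamllint` before deploying.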