ejabberd.yml.movim.example

ejabberd.yml.movim.example · 11 KiB · Text Raw

### ### ejabberd configuration file ### ### The parameters used in this configuration file are explained at ### ### https://docs.ejabberd.im/admin/configuration ### ### The configuration file is written in YAML. ### ******************************************************* ### ******* !!! WARNING !!! ******* ### ******* YAML IS INDENTATION SENSITIVE ******* ### ******* MAKE SURE YOU INDENT SECTIONS CORRECTLY ******* ### ******************************************************* ### Refer to http://en.wikipedia.org/wiki/YAML for the brief description. ### hosts: - example.org - anon.example.org host_config: example.org: auth_method: [ldap] ldap_servers: - 127.0.0.1 ldap_port: 389 ldap_uids: - uid ldap_rootdn: "uid=lldap_readonly,ou=people,dc=example,dc=org" ldap_password: "thisisareadonlysupersecurepassword" ldap_base: "ou=people,dc=example,dc=org" anon.example.org: #Todo: disable http_upload auth_method: [anonymous] disable_sasl_mechanisms: [ "X-OAUTH2", "digest-md5" , "plain" ] anonymous_protocol: sasl_anon append_host_config: example.org: modules: mod_http_upload: put_url: https://uploads.@HOST@/upload docroot: /data/exampleorg/xmpp/ejabberd/user-uploads #max_size: 104857600 # 100 MiB (default) file_mode: "0640" dir_mode: "2750" mod_http_upload_quota: max_days: 365 loglevel: warning # rotation: Disable ejabberd's internal log rotation #log_rotate_count: 0 ca_file: /opt/ejabberd/conf/cacert.pem #certfiles: # - /opt/ejabberd/conf/server.pem ## If you already have certificates, list them here certfiles: - /data/exampleorg/xmpp/ejabberd/certs/*/*.pem acme: auto: false # TLS configuration define_macro: 'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH" 'TLS_OPTIONS': - "no_sslv3" - "no_tlsv1" - "no_tlsv1_1" - "cipher_server_preference" - "no_compression" 'DH_FILE': "/data/exampleorg/xmpp/ejabberd/certs/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 2048 c2s_ciphers: 'TLS_CIPHERS' s2s_ciphers: 'TLS_CIPHERS' c2s_protocol_options: 'TLS_OPTIONS' s2s_protocol_options: 'TLS_OPTIONS' c2s_dhfile: 'DH_FILE' s2s_dhfile: 'DH_FILE' listen: - port: 5222 ip: "::" module: ejabberd_c2s max_stanza_size: 262144 shaper: c2s_shaper access: c2s starttls_required: true protocol_options: 'TLS_OPTIONS' - port: 5223 ip: "::" tls: true module: ejabberd_c2s max_stanza_size: 262144 shaper: c2s_shaper access: c2s starttls_required: true - port: 5269 ip: "::" module: ejabberd_s2s_in max_stanza_size: 524288 - port: 5280 ip: "::" # ip: "127.0.0.1" protocol_options: 'TLS_OPTIONS' module: ejabberd_http request_handlers: /admin: ejabberd_web_admin /api: mod_http_api /bosh: mod_bosh # /captcha: ejabberd_captcha /upload: mod_http_upload /ws: ejabberd_http_ws # /.well-known/acme-challenge: ejabberd_acme custom_headers: "Access-Control-Allow-Origin": "*" "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT" "Access-Control-Allow-Headers": "Authorization" "Access-Control-Allow-Credentials": "true" ## STUN/TURN ToDo # - # port: 3478 # ip: "::" # transport: udp # module: ejabberd_stun # use_turn: true ## The server's public IPv4 address: # turn_ipv4_address: "203.0.113.3" ## The server's public IPv6 address: # turn_ipv6_address: "2001:db8::3" # - # port: 5349 # transport: tcp # module: ejabberd_stun # use_turn: true # tls: true # turn_min_port: 49152 # turn_max_port: 65535 # turn_ipv4_address: !!!!IP INTERFACE ADDRESS # - # port: 1883 # ip: "::" # module: mod_mqtt # backlog: 1000 ## Matrix gateway ## ToDo: change port to avoid conflict with nginx/synapse and reverse-proxy it # - # port: 8448 # module: ejabberd_http # tls: false # request_handlers: # "/_matrix": mod_matrix_gw ## XMPP Components - port: 5347 ip: "127.0.0.1" module: ejabberd_service global_routes: false hosts: # biboumi IRC gateways irc.example.org: password: "supersecretpasswordhere" ## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text ## password storage (see auth_password_format option). disable_sasl_mechanisms: - "digest-md5" ## Disable SASL SCRAM Downgrade Protection (XEP-0474) ## Todo: remove once Movim supports XEP-0474 disable_sasl_scram_downgrade_protection: true s2s_use_starttls: required trusted_proxies: - "127.0.0.1" - "192.168.1.1" ## Postgresql database config sql_type: pgsql sql_database: 'ejabberd' sql_username: 'ejabberd' #sql_server: localhost # Postgres container systemd-ejabberd-psql sql_port: 5432 sql_password: 'anothersupersecretpasswordhere' sql_prepared_statements: false #sql_pool_size: 2 #default 10 new_sql_schema: true update_sql_schema: true # Use SQL as the default persistent database default_db: sql acl: admin: user: - "admin@example.org" local: user_regexp: "" loopback: ip: - 127.0.0.0/8 - ::1/128 access_rules: local: allow: local c2s: deny: blocked allow: all announce: allow: admin configure: allow: admin muc_create: allow: local pubsub_createnode: allow: local trusted_network: allow: loopback api_permissions: "console commands": from: - ejabberd_ctl who: all what: "*" "admin access": who: access: allow: - acl: loopback - acl: admin oauth: scope: "ejabberd:admin" access: allow: - acl: loopback - acl: admin what: - "*" - "!stop" - "!start" "public commands": who: ip: 127.0.0.1/8 what: - status - connected_users_number shaper: normal: rate: 3000 burst_size: 20000 fast: 100000 shaper_rules: max_user_sessions: 10 max_user_offline_messages: 5000: admin 100: all c2s_shaper: none: admin normal: all s2s_shaper: fast soft_upload_quota: 250: all # MiB hard_upload_quota: 300: all # MiB modules: mod_adhoc: {} mod_admin_extra: {} mod_announce: access: announce mod_avatar: {} mod_blocking: {} mod_bosh: {} mod_caps: {} mod_carboncopy: {} mod_client_state: {} mod_configure: {} mod_disco: server_info: - modules: all name: "admin-addresses" urls: - "xmpp:admin@example.org" - modules: all name: "security-addresses" urls: - "xmpp:support@chat.example.org?join" - modules: all name: "abuse-addresses" urls: - "xmpp:support@chat.example.org?join" - modules: all name: "feedback-addresses" urls: - "xmpp:support@chat.example.org?join" - modules: all name: "support-addresses" urls: - "mailto:info@example.org" # mod_fail2ban: {} mod_host_meta: bosh_service_url: "https://chat.@HOST@/bosh" websocket_url: "wss://chat.@HOST@/ws" mod_http_api: {} # mod_http_upload: # put_url: https://uploads.@HOST@/upload # docroot: /data/exampleorg/xmpp/user-uploads # #max_size: 104857600 # 100 MiB (default) # file_mode: "0640" # dir_mode: "2750" # #custom_headers: # # "Access-Control-Allow-Origin": "https://@HOST@" # # "Access-Control-Allow-Origin": "*" # # "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS" # # "Access-Control-Allow-Headers": "Content-Type" # # "Access-Control-Allow-Headers": "Authorization" # # "Access-Control-Allow-Credentials": "true" # #thumbnail: false # otherwise needs the identify command from ImageMagick installed # mod_http_upload_quota: # max_days: 365 mod_last: {} mod_mam: db_type: sql assume_mam_usage: true default: always user_mucsub_from_muc_archive: true compress_xml: true # mod_matrix_gw: # host: "matrix.@HOST@" # matrix_domain: "@HOST@" # key_name: "somename" # key: "yourkeyinbase64" # matrix_id_as_jid: false # mod_mqtt: {} mod_muc: host: "chat.@HOST@" access: - allow access_admin: - allow: admin access_create: muc_create access_persistent: muc_create access_mam: - allow max_users: 400 #default 200 max_users_presence: 2000 #default 1000 min_message_interval: 0.4 #spam rate limit history_size: 50 #default 20 default_room_options: allow_subscription: true allow_change_subj: false mam: true persistent: true anonymous: false members_only: true allow_user_invites: true public: false public_list: false lang: "en" mod_muc_admin: {} mod_muc_occupantid: {} mod_muc_rtbl: {} mod_offline: access_max_user_messages: max_user_offline_messages mod_ping: {} mod_pres_counter: count: 5 interval: 60 mod_privacy: {} mod_private: {} mod_proxy65: access: local max_connections: 5 mod_pubsub: #access_createnode: pubsub_createnode access_createnode: local ignore_pep_from_offline: false last_item_cache: false max_items_node: 1000 default_node_config: max_items: 1000 plugins: - flat - pep force_node_config: ## Avoid buggy clients to make their bookmarks public "storage:bookmarks": access_model: whitelist persist_items: true ## Enforce pubsub config for Movim "eu.siacs.conversations.axolotl.*": access_model: open "urn:xmpp:bookmarks:0": access_model: whitelist send_last_published_item: never persist_items: true max_items: infinity "urn:xmpp:bookmarks:1": access_model: whitelist send_last_published_item: never persist_items: true max_items: infinity "urn:xmpp:pubsub:movim-public-subscription": access_model: whitelist persist_items: true max_items: infinity "urn:xmpp:microblog:0": max_items: infinity access_model: presence notify_retract: true persist_items: true "urn:xmpp:microblog:0:comments*": max_items: infinity access_model: open notify_retract: true persist_items: true mod_push: {} mod_push_keepalive: {} mod_register: ## No registration via XMPP supported, redirect to ## Todo: make vhost specific redirect_url: "https://example.org/" ## Only accept registration requests from the "trusted" ## network (see access_rules section above). ## Think twice before enabling registration from any ## address. See the Jabber SPAM Manifesto for details: ## https://github.com/ge0rg/jabber-spam-fighting-manifesto #ip_access: trusted_network mod_roster: versioning: true mod_s2s_dialback: {} mod_shared_roster: {} mod_stream_mgmt: resend_on_timeout: if_offline mod_stun_disco: credentials_lifetime: 6h mod_vcard: search: false mod_vcard_xupdate: {} mod_version: show_os: false allow_contrib_modules: true ### Local Variables: ### mode: yaml ### End: ### vim: set filetype=yaml tabstop=8

1	###
2	### ejabberd configuration file
3	###
4	### The parameters used in this configuration file are explained at
5	###
6	### https://docs.ejabberd.im/admin/configuration
7	###
8	### The configuration file is written in YAML.
9	### *******************************************************
10	### ***** !!! WARNING !!! *****
11	### ***** YAML IS INDENTATION SENSITIVE *****
12	### ***** MAKE SURE YOU INDENT SECTIONS CORRECTLY *****
13	### *******************************************************
14	### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
15	###
16
17	hosts:
18	- example.org
19	- anon.example.org
20
21	host_config:
22	example.org:
23	auth_method: [ldap]
24	ldap_servers:
25	- 127.0.0.1
26	ldap_port: 389
27	ldap_uids:
28	- uid
29	ldap_rootdn: "uid=lldap_readonly,ou=people,dc=example,dc=org"
30	ldap_password: "thisisareadonlysupersecurepassword"
31	ldap_base: "ou=people,dc=example,dc=org"
32	anon.example.org: #Todo: disable http_upload
33	auth_method: [anonymous]
34	disable_sasl_mechanisms: [ "X-OAUTH2", "digest-md5" , "plain" ]
35	anonymous_protocol: sasl_anon
36
37	append_host_config:
38	example.org:
39	modules:
40	mod_http_upload:
41	put_url: https://uploads.@HOST@/upload
42	docroot: /data/exampleorg/xmpp/ejabberd/user-uploads
43	#max_size: 104857600 # 100 MiB (default)
44	file_mode: "0640"
45	dir_mode: "2750"
46	mod_http_upload_quota:
47	max_days: 365
48
49	loglevel: warning
50
51	# rotation: Disable ejabberd's internal log rotation
52	#log_rotate_count: 0
53
54	ca_file: /opt/ejabberd/conf/cacert.pem
55
56	#certfiles:
57	# - /opt/ejabberd/conf/server.pem
58
59	## If you already have certificates, list them here
60	certfiles:
61	- /data/exampleorg/xmpp/ejabberd/certs//.pem
62
63	acme:
64	auto: false
65
66	# TLS configuration
67	define_macro:
68	'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
69	'TLS_OPTIONS':
70	- "no_sslv3"
71	- "no_tlsv1"
72	- "no_tlsv1_1"
73	- "cipher_server_preference"
74	- "no_compression"
75	'DH_FILE': "/data/exampleorg/xmpp/ejabberd/certs/dhparams.pem"
76	# generated with: openssl dhparam -out dhparams.pem 2048
77
78	c2s_ciphers: 'TLS_CIPHERS'
79	s2s_ciphers: 'TLS_CIPHERS'
80	c2s_protocol_options: 'TLS_OPTIONS'
81	s2s_protocol_options: 'TLS_OPTIONS'
82	c2s_dhfile: 'DH_FILE'
83	s2s_dhfile: 'DH_FILE'
84
85	listen:
86	-
87	port: 5222
88	ip: "::"
89	module: ejabberd_c2s
90	max_stanza_size: 262144
91	shaper: c2s_shaper
92	access: c2s
93	starttls_required: true
94	protocol_options: 'TLS_OPTIONS'
95	-
96	port: 5223
97	ip: "::"
98	tls: true
99	module: ejabberd_c2s
100	max_stanza_size: 262144
101	shaper: c2s_shaper
102	access: c2s
103	starttls_required: true
104	-
105	port: 5269
106	ip: "::"
107	module: ejabberd_s2s_in
108	max_stanza_size: 524288
109	-
110	port: 5280
111	ip: "::"
112	# ip: "127.0.0.1"
113	protocol_options: 'TLS_OPTIONS'
114	module: ejabberd_http
115	request_handlers:
116	/admin: ejabberd_web_admin
117	/api: mod_http_api
118	/bosh: mod_bosh
119	# /captcha: ejabberd_captcha
120	/upload: mod_http_upload
121	/ws: ejabberd_http_ws
122	# /.well-known/acme-challenge: ejabberd_acme
123	custom_headers:
124	"Access-Control-Allow-Origin": "*"
125	"Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT"
126	"Access-Control-Allow-Headers": "Authorization"
127	"Access-Control-Allow-Credentials": "true"
128	## STUN/TURN ToDo
129	# -
130	# port: 3478
131	# ip: "::"
132	# transport: udp
133	# module: ejabberd_stun
134	# use_turn: true
135	## The server's public IPv4 address:
136	# turn_ipv4_address: "203.0.113.3"
137	## The server's public IPv6 address:
138	# turn_ipv6_address: "2001:db8::3"
139	# -
140	# port: 5349
141	# transport: tcp
142	# module: ejabberd_stun
143	# use_turn: true
144	# tls: true
145	# turn_min_port: 49152
146	# turn_max_port: 65535
147	# turn_ipv4_address: !!!!IP INTERFACE ADDRESS
148	# -
149	# port: 1883
150	# ip: "::"
151	# module: mod_mqtt
152	# backlog: 1000
153	## Matrix gateway
154	## ToDo: change port to avoid conflict with nginx/synapse and reverse-proxy it
155	# -
156	# port: 8448
157	# module: ejabberd_http
158	# tls: false
159	# request_handlers:
160	# "/_matrix": mod_matrix_gw
161	## XMPP Components
162	-
163	port: 5347
164	ip: "127.0.0.1"
165	module: ejabberd_service
166	global_routes: false
167	hosts:
168	# biboumi IRC gateways
169	irc.example.org:
170	password: "supersecretpasswordhere"
171
172	## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
173	## password storage (see auth_password_format option).
174	disable_sasl_mechanisms:
175	- "digest-md5"
176
177	## Disable SASL SCRAM Downgrade Protection (XEP-0474)
178	## Todo: remove once Movim supports XEP-0474
179	disable_sasl_scram_downgrade_protection: true
180
181	s2s_use_starttls: required
182
183	trusted_proxies:
184	- "127.0.0.1"
185	- "192.168.1.1"
186
187	## Postgresql database config
188	sql_type: pgsql
189	sql_database: 'ejabberd'
190	sql_username: 'ejabberd'
191	#sql_server: localhost
192	# Postgres container systemd-ejabberd-psql
193	sql_port: 5432
194	sql_password: 'anothersupersecretpasswordhere'
195	sql_prepared_statements: false
196	#sql_pool_size: 2 #default 10
197	new_sql_schema: true
198	update_sql_schema: true
199
200	# Use SQL as the default persistent database
201	default_db: sql
202
203	acl:
204	admin:
205	user:
206	- "admin@example.org"
207	local:
208	user_regexp: ""
209	loopback:
210	ip:
211	- 127.0.0.0/8
212	- ::1/128
213
214	access_rules:
215	local:
216	allow: local
217	c2s:
218	deny: blocked
219	allow: all
220	announce:
221	allow: admin
222	configure:
223	allow: admin
224	muc_create:
225	allow: local
226	pubsub_createnode:
227	allow: local
228	trusted_network:
229	allow: loopback
230
231	api_permissions:
232	"console commands":
233	from:
234	- ejabberd_ctl
235	who: all
236	what: "*"
237	"admin access":
238	who:
239	access:
240	allow:
241	- acl: loopback
242	- acl: admin
243	oauth:
244	scope: "ejabberd:admin"
245	access:
246	allow:
247	- acl: loopback
248	- acl: admin
249	what:
250	- "*"
251	- "!stop"
252	- "!start"
253	"public commands":
254	who:
255	ip: 127.0.0.1/8
256	what:
257	- status
258	- connected_users_number
259
260	shaper:
261	normal:
262	rate: 3000
263	burst_size: 20000
264	fast: 100000
265
266	shaper_rules:
267	max_user_sessions: 10
268	max_user_offline_messages:
269	5000: admin
270	100: all
271	c2s_shaper:
272	none: admin
273	normal: all
274	s2s_shaper: fast
275	soft_upload_quota:
276	250: all # MiB
277	hard_upload_quota:
278	300: all # MiB
279
280	modules:
281	mod_adhoc: {}
282	mod_admin_extra: {}
283	mod_announce:
284	access: announce
285	mod_avatar: {}
286	mod_blocking: {}
287	mod_bosh: {}
288	mod_caps: {}
289	mod_carboncopy: {}
290	mod_client_state: {}
291	mod_configure: {}
292	mod_disco:
293	server_info:
294	-
295	modules: all
296	name: "admin-addresses"
297	urls:
298	- "xmpp:admin@example.org"
299	-
300	modules: all
301	name: "security-addresses"
302	urls:
303	- "xmpp:support@chat.example.org?join"
304	-
305	modules: all
306	name: "abuse-addresses"
307	urls:
308	- "xmpp:support@chat.example.org?join"
309	-
310	modules: all
311	name: "feedback-addresses"
312	urls:
313	- "xmpp:support@chat.example.org?join"
314	-
315	modules: all
316	name: "support-addresses"
317	urls:
318	- "mailto:info@example.org"
319	# mod_fail2ban: {}
320	mod_host_meta:
321	bosh_service_url: "https://chat.@HOST@/bosh"
322	websocket_url: "wss://chat.@HOST@/ws"
323	mod_http_api: {}
324	# mod_http_upload:
325	# put_url: https://uploads.@HOST@/upload
326	# docroot: /data/exampleorg/xmpp/user-uploads
327	# #max_size: 104857600 # 100 MiB (default)
328	# file_mode: "0640"
329	# dir_mode: "2750"
330	# #custom_headers:
331	# # "Access-Control-Allow-Origin": "https://@HOST@"
332	# # "Access-Control-Allow-Origin": "*"
333	# # "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
334	# # "Access-Control-Allow-Headers": "Content-Type"
335	# # "Access-Control-Allow-Headers": "Authorization"
336	# # "Access-Control-Allow-Credentials": "true"
337	# #thumbnail: false # otherwise needs the identify command from ImageMagick installed
338	# mod_http_upload_quota:
339	# max_days: 365
340	mod_last: {}
341	mod_mam:
342	db_type: sql
343	assume_mam_usage: true
344	default: always
345	user_mucsub_from_muc_archive: true
346	compress_xml: true
347	# mod_matrix_gw:
348	# host: "matrix.@HOST@"
349	# matrix_domain: "@HOST@"
350	# key_name: "somename"
351	# key: "yourkeyinbase64"
352	# matrix_id_as_jid: false
353	# mod_mqtt: {}
354	mod_muc:
355	host: "chat.@HOST@"
356	access:
357	- allow
358	access_admin:
359	- allow: admin
360	access_create: muc_create
361	access_persistent: muc_create
362	access_mam:
363	- allow
364	max_users: 400 #default 200
365	max_users_presence: 2000 #default 1000
366	min_message_interval: 0.4 #spam rate limit
367	history_size: 50 #default 20
368	default_room_options:
369	allow_subscription: true
370	allow_change_subj: false
371	mam: true
372	persistent: true
373	anonymous: false
374	members_only: true
375	allow_user_invites: true
376	public: false
377	public_list: false
378	lang: "en"
379	mod_muc_admin: {}
380	mod_muc_occupantid: {}
381	mod_muc_rtbl: {}
382	mod_offline:
383	access_max_user_messages: max_user_offline_messages
384	mod_ping: {}
385	mod_pres_counter:
386	count: 5
387	interval: 60
388	mod_privacy: {}
389	mod_private: {}
390	mod_proxy65:
391	access: local
392	max_connections: 5
393	mod_pubsub:
394	#access_createnode: pubsub_createnode
395	access_createnode: local
396	ignore_pep_from_offline: false
397	last_item_cache: false
398	max_items_node: 1000
399	default_node_config:
400	max_items: 1000
401	plugins:
402	- flat
403	- pep
404	force_node_config:
405	## Avoid buggy clients to make their bookmarks public
406	"storage:bookmarks":
407	access_model: whitelist
408	persist_items: true
409	## Enforce pubsub config for Movim
410	"eu.siacs.conversations.axolotl.*":
411	access_model: open
412	"urn:xmpp:bookmarks:0":
413	access_model: whitelist
414	send_last_published_item: never
415	persist_items: true
416	max_items: infinity
417	"urn:xmpp:bookmarks:1":
418	access_model: whitelist
419	send_last_published_item: never
420	persist_items: true
421	max_items: infinity
422	"urn:xmpp:pubsub:movim-public-subscription":
423	access_model: whitelist
424	persist_items: true
425	max_items: infinity
426	"urn:xmpp:microblog:0":
427	max_items: infinity
428	access_model: presence
429	notify_retract: true
430	persist_items: true
431	"urn:xmpp:microblog:0:comments*":
432	max_items: infinity
433	access_model: open
434	notify_retract: true
435	persist_items: true
436	mod_push: {}
437	mod_push_keepalive: {}
438	mod_register:
439	## No registration via XMPP supported, redirect to
440	## Todo: make vhost specific
441	redirect_url: "https://example.org/"
442	## Only accept registration requests from the "trusted"
443	## network (see access_rules section above).
444	## Think twice before enabling registration from any
445	## address. See the Jabber SPAM Manifesto for details:
446	## https://github.com/ge0rg/jabber-spam-fighting-manifesto
447	#ip_access: trusted_network
448	mod_roster:
449	versioning: true
450	mod_s2s_dialback: {}
451	mod_shared_roster: {}
452	mod_stream_mgmt:
453	resend_on_timeout: if_offline
454	mod_stun_disco:
455	credentials_lifetime: 6h
456	mod_vcard:
457	search: false
458	mod_vcard_xupdate: {}
459	mod_version:
460	show_os: false
461
462	allow_contrib_modules: true
463	### Local Variables:
464	### mode: yaml
465	### End:
466	### vim: set filetype=yaml tabstop=8
467