Last active 1711393662

kris's Avatar kris revised this gist 1711393662. Go to revision

1 file changed, 1 insertion, 1 deletion

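--- a/ejabberd.yml.movim.example
+++ b/ejabberd.yml.movim.example
@@ -27,7 +27,7 @@ host_config:
 ldap_uids:
 - uid
 ldap_rootdn: "uid=lldap_readonly,ou=people,dc=example,dc=org"
-ldap_password: "thisisreadonly"
+ldap_password: "thisisareadonlysupersecurepassword"
 ldap_base: "ou=people,dc=example,dc=org"
 anon.example.org: #Todo: disable http_upload
 auth_method: [anonymous]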

kris's Avatar kris revised this gist 1711393633. Go to revision

1 file changed, 2 insertions, 2 deletions

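--- a/ejabberd.yml.movim.example
+++ b/ejabberd.yml.movim.example
@@ -26,9 +26,9 @@ host_config:
 ldap_port: 389
 ldap_uids:
 - uid
-ldap_rootdn: "uid=lldap_readonly,ou=people,dc=f-hub,dc=org"
+ldap_rootdn: "uid=lldap_readonly,ou=people,dc=example,dc=org"
 ldap_password: "thisisreadonly"
-ldap_base: "ou=people,dc=f-hub,dc=org"
+ldap_base: "ou=people,dc=example,dc=org"
 anon.example.org: #Todo: disable http_upload
 auth_method: [anonymous]
 disable_sasl_mechanisms: [ "X-OAUTH2", "digest-md5" , "plain" ]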
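Review bot: Swapping the base DN for `dc=example,dc=org` in this revision does not remove the original value from the gist, because the file-creation revision still shows the pre-scrub `ldap_rootdn` and `ldap_base`, and the `ldap_password` string replaced in the following revision stays visible in history the same way. Whether any of these values was ever used in a deployment cannot be determined from the page; if one was, the bind password should be rotated. Republishing the example as a fresh gist, or one with rewritten history, would make the scrub effective.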

kris's Avatar kris revised this gist 1711393080. Go to revision

1 file changed, 466 insertions

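--- /dev/null
+++ b/ejabberd.yml.movim.example
@@ -0,0 +1,466 @@
+###
+### ejabberd configuration file
+###
+### The parameters used in this configuration file are explained at
+###
+### https://docs.ejabberd.im/admin/configuration
+###
+### The configuration file is written in YAML.
+### *******************************************************
+### ******* !!! WARNING !!! *******
+### ******* YAML IS INDENTATION SENSITIVE *******
+### ******* MAKE SURE YOU INDENT SECTIONS CORRECTLY *******
+### *******************************************************
+### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
+###
+
+hosts:
+- example.org
+- anon.example.org
+
+host_config:
+example.org:
+auth_method: [ldap]
+ldap_servers:
+- 127.0.0.1
+ldap_port: 389
+ldap_uids:
+- uid
+ldap_rootdn: "uid=lldap_readonly,ou=people,dc=f-hub,dc=org"
+ldap_password: "thisisreadonly"
+ldap_base: "ou=people,dc=f-hub,dc=org"
+anon.example.org: #Todo: disable http_upload
+auth_method: [anonymous]
+disable_sasl_mechanisms: [ "X-OAUTH2", "digest-md5" , "plain" ]
+anonymous_protocol: sasl_anon
+
+append_host_config:
+example.org:
+modules:
+mod_http_upload:
+put_url: https://uploads.@HOST@/upload
+docroot: /data/exampleorg/xmpp/ejabberd/user-uploads
+#max_size: 104857600 # 100 MiB (default)
+file_mode: "0640"
+dir_mode: "2750"
+mod_http_upload_quota:
+max_days: 365
+
+loglevel: warning
+
+# rotation: Disable ejabberd's internal log rotation
+#log_rotate_count: 0
+
+ca_file: /opt/ejabberd/conf/cacert.pem
+
+#certfiles:
+# - /opt/ejabberd/conf/server.pem
+
+## If you already have certificates, list them here
+certfiles:
+- /data/exampleorg/xmpp/ejabberd/certs/*/*.pem
+
+acme:
+auto: false
+
+# TLS configuration
+define_macro:
+'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
+'TLS_OPTIONS':
+- "no_sslv3"
+- "no_tlsv1"
+- "no_tlsv1_1"
+- "cipher_server_preference"
+- "no_compression"
+'DH_FILE': "/data/exampleorg/xmpp/ejabberd/certs/dhparams.pem"
+# generated with: openssl dhparam -out dhparams.pem 2048
+
+c2s_ciphers: 'TLS_CIPHERS'
+s2s_ciphers: 'TLS_CIPHERS'
+c2s_protocol_options: 'TLS_OPTIONS'
+s2s_protocol_options: 'TLS_OPTIONS'
+c2s_dhfile: 'DH_FILE'
+s2s_dhfile: 'DH_FILE'
+
+listen:
+-
+port: 5222
+ip: "::"
+module: ejabberd_c2s
+max_stanza_size: 262144
+shaper: c2s_shaper
+access: c2s
+starttls_required: true
+protocol_options: 'TLS_OPTIONS'
+-
+port: 5223
+ip: "::"
+tls: true
+module: ejabberd_c2s
+max_stanza_size: 262144
+shaper: c2s_shaper
+access: c2s
+starttls_required: true
+-
+port: 5269
+ip: "::"
+module: ejabberd_s2s_in
+max_stanza_size: 524288
+-
+port: 5280
+ip: "::"
+# ip: "127.0.0.1"
+protocol_options: 'TLS_OPTIONS'
+module: ejabberd_http
+request_handlers:
+/admin: ejabberd_web_admin
+/api: mod_http_api
+/bosh: mod_bosh
+# /captcha: ejabberd_captcha
+/upload: mod_http_upload
+/ws: ejabberd_http_ws
+# /.well-known/acme-challenge: ejabberd_acme
+custom_headers:
+"Access-Control-Allow-Origin": "*"
+"Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT"
+"Access-Control-Allow-Headers": "Authorization"
+"Access-Control-Allow-Credentials": "true"
+## STUN/TURN ToDo
+# -
+# port: 3478
+# ip: "::"
+# transport: udp
+# module: ejabberd_stun
+# use_turn: true
+## The server's public IPv4 address:
+# turn_ipv4_address: "203.0.113.3"
+## The server's public IPv6 address:
+# turn_ipv6_address: "2001:db8::3"
+# -
+# port: 5349
+# transport: tcp
+# module: ejabberd_stun
+# use_turn: true
+# tls: true
+# turn_min_port: 49152
+# turn_max_port: 65535
+# turn_ipv4_address: !!!!IP INTERFACE ADDRESS
+# -
+# port: 1883
+# ip: "::"
+# module: mod_mqtt
+# backlog: 1000
+## Matrix gateway
+## ToDo: change port to avoid conflict with nginx/synapse and reverse-proxy it
+# -
+# port: 8448
+# module: ejabberd_http
+# tls: false
+# request_handlers:
+# "/_matrix": mod_matrix_gw
+## XMPP Components
+-
+port: 5347
+ip: "127.0.0.1"
+module: ejabberd_service
+global_routes: false
+hosts:
+# biboumi IRC gateways
+irc.example.org:
+password: "supersecretpasswordhere"
+
+## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
+## password storage (see auth_password_format option).
+disable_sasl_mechanisms:
+- "digest-md5"
+
+## Disable SASL SCRAM Downgrade Protection (XEP-0474)
+## Todo: remove once Movim supports XEP-0474
+disable_sasl_scram_downgrade_protection: true
+
+s2s_use_starttls: required
+
+trusted_proxies:
+- "127.0.0.1"
+- "192.168.1.1"
+
+## Postgresql database config
+sql_type: pgsql
+sql_database: 'ejabberd'
+sql_username: 'ejabberd'
+#sql_server: localhost
+# Postgres container systemd-ejabberd-psql
+sql_port: 5432
+sql_password: 'anothersupersecretpasswordhere'
+sql_prepared_statements: false
+#sql_pool_size: 2 #default 10
+new_sql_schema: true
+update_sql_schema: true
+
+# Use SQL as the default persistent database
+default_db: sql
+
+acl:
+admin:
+user:
+- "admin@example.org"
+local:
+user_regexp: ""
+loopback:
+ip:
+- 127.0.0.0/8
+- ::1/128
+
+access_rules:
+local:
+allow: local
+c2s:
+deny: blocked
+allow: all
+announce:
+allow: admin
+configure:
+allow: admin
+muc_create:
+allow: local
+pubsub_createnode:
+allow: local
+trusted_network:
+allow: loopback
+
+api_permissions:
+"console commands":
+from:
+- ejabberd_ctl
+who: all
+what: "*"
+"admin access":
+who:
+access:
+allow:
+- acl: loopback
+- acl: admin
+oauth:
+scope: "ejabberd:admin"
+access:
+allow:
+- acl: loopback
+- acl: admin
+what:
+- "*"
+- "!stop"
+- "!start"
+"public commands":
+who:
+ip: 127.0.0.1/8
+what:
+- status
+- connected_users_number
+
+shaper:
+normal:
+rate: 3000
+burst_size: 20000
+fast: 100000
+
+shaper_rules:
+max_user_sessions: 10
+max_user_offline_messages:
+5000: admin
+100: all
+c2s_shaper:
+none: admin
+normal: all
+s2s_shaper: fast
+soft_upload_quota:
+250: all # MiB
+hard_upload_quota:
+300: all # MiB
+
+modules:
+mod_adhoc: {}
+mod_admin_extra: {}
+mod_announce:
+access: announce
+mod_avatar: {}
+mod_blocking: {}
+mod_bosh: {}
+mod_caps: {}
+mod_carboncopy: {}
+mod_client_state: {}
+mod_configure: {}
+mod_disco:
+server_info:
+-
+modules: all
+name: "admin-addresses"
+urls:
+- "xmpp:admin@example.org"
+-
+modules: all
+name: "security-addresses"
+urls:
+- "xmpp:support@chat.example.org?join"
+-
+modules: all
+name: "abuse-addresses"
+urls:
+- "xmpp:support@chat.example.org?join"
+-
+modules: all
+name: "feedback-addresses"
+urls:
+- "xmpp:support@chat.example.org?join"
+-
+modules: all
+name: "support-addresses"
+urls:
+- "mailto:info@example.org"
+# mod_fail2ban: {}
+mod_host_meta:
+bosh_service_url: "https://chat.@HOST@/bosh"
+websocket_url: "wss://chat.@HOST@/ws"
+mod_http_api: {}
+# mod_http_upload:
+# put_url: https://uploads.@HOST@/upload
+# docroot: /data/exampleorg/xmpp/user-uploads
+# #max_size: 104857600 # 100 MiB (default)
+# file_mode: "0640"
+# dir_mode: "2750"
+# #custom_headers:
+# # "Access-Control-Allow-Origin": "https://@HOST@"
+# # "Access-Control-Allow-Origin": "*"
+# # "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
+# # "Access-Control-Allow-Headers": "Content-Type"
+# # "Access-Control-Allow-Headers": "Authorization"
+# # "Access-Control-Allow-Credentials": "true"
+# #thumbnail: false # otherwise needs the identify command from ImageMagick installed
+# mod_http_upload_quota:
+# max_days: 365
+mod_last: {}
+mod_mam:
+db_type: sql
+assume_mam_usage: true
+default: always
+user_mucsub_from_muc_archive: true
+compress_xml: true
+# mod_matrix_gw:
+# host: "matrix.@HOST@"
+# matrix_domain: "@HOST@"
+# key_name: "somename"
+# key: "yourkeyinbase64"
+# matrix_id_as_jid: false
+# mod_mqtt: {}
+mod_muc:
+host: "chat.@HOST@"
+access:
+- allow
+access_admin:
+- allow: admin
+access_create: muc_create
+access_persistent: muc_create
+access_mam:
+- allow
+max_users: 400 #default 200
+max_users_presence: 2000 #default 1000
+min_message_interval: 0.4 #spam rate limit
+history_size: 50 #default 20
+default_room_options:
+allow_subscription: true
+allow_change_subj: false
+mam: true
+persistent: true
+anonymous: false
+members_only: true
+allow_user_invites: true
+public: false
+public_list: false
+lang: "en"
+mod_muc_admin: {}
+mod_muc_occupantid: {}
+mod_muc_rtbl: {}
+mod_offline:
+access_max_user_messages: max_user_offline_messages
+mod_ping: {}
+mod_pres_counter:
+count: 5
+interval: 60
+mod_privacy: {}
+mod_private: {}
+mod_proxy65:
+access: local
+max_connections: 5
+mod_pubsub:
+#access_createnode: pubsub_createnode
+access_createnode: local
+ignore_pep_from_offline: false
+last_item_cache: false
+max_items_node: 1000
+default_node_config:
+max_items: 1000
+plugins:
+- flat
+- pep
+force_node_config:
+## Avoid buggy clients to make their bookmarks public
+"storage:bookmarks":
+access_model: whitelist
+persist_items: true
+## Enforce pubsub config for Movim
+"eu.siacs.conversations.axolotl.*":
+access_model: open
+"urn:xmpp:bookmarks:0":
+access_model: whitelist
+send_last_published_item: never
+persist_items: true
+max_items: infinity
+"urn:xmpp:bookmarks:1":
+access_model: whitelist
+send_last_published_item: never
+persist_items: true
+max_items: infinity
+"urn:xmpp:pubsub:movim-public-subscription":
+access_model: whitelist
+persist_items: true
+max_items: infinity
+"urn:xmpp:microblog:0":
+max_items: infinity
+access_model: presence
+notify_retract: true
+persist_items: true
+"urn:xmpp:microblog:0:comments*":
+max_items: infinity
+access_model: open
+notify_retract: true
+persist_items: true
+mod_push: {}
+mod_push_keepalive: {}
+mod_register:
+## No registration via XMPP supported, redirect to
+## Todo: make vhost specific
+redirect_url: "https://example.org/"
+## Only accept registration requests from the "trusted"
+## network (see access_rules section above).
+## Think twice before enabling registration from any
+## address. See the Jabber SPAM Manifesto for details:
+## https://github.com/ge0rg/jabber-spam-fighting-manifesto
+#ip_access: trusted_network
+mod_roster:
+versioning: true
+mod_s2s_dialback: {}
+mod_shared_roster: {}
+mod_stream_mgmt:
+resend_on_timeout: if_offline
+mod_stun_disco:
+credentials_lifetime: 6h
+mod_vcard:
+search: false
+mod_vcard_xupdate: {}
+mod_version:
+show_os: false
+
+allow_contrib_modules: true
+### Local Variables:
+### mode: yaml
+### End:
+### vim: set filetype=yaml tabstop=8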
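Review bot: The `ejabberd_http` listener on port 5280 binds `ip: "::"` while serving `/admin` and `/api`, sets no `tls: true`, and sends `"Access-Control-Allow-Origin": "*"` together with `"Access-Control-Allow-Credentials": "true"` on every handler. If a reverse proxy terminates TLS in front of it (the https/wss URLs under `mod_host_meta` suggest so, but the page does not show one), the commented alternative `ip: "127.0.0.1"` should be the active line so the admin and API endpoints are not reachable in cleartext from the network; `protocol_options` on this listener also looks ineffective without TLS enabled. Browsers refuse credentialed requests against a wildcard origin, so the CORS pair should name the Movim origin explicitly, e.g. `"Access-Control-Allow-Origin": "https://<movim-origin>"`. Separately, `ldap_password`, the component `password` and `sql_password` sit inline in the main file; moving them into a separate file pulled in with `include_config_file` and given restrictive permissions would let the example be shared without scrubbing.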