diff --git a/.gitignore b/.gitignore
index 8b16a803..2f6a1b85 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,57 +1,58 @@
-rebuild-images.sh
-data/conf/sogo/sieve.creds
+!data/conf/nginx/dynmaps.conf
+!data/conf/nginx/meta_exporter.conf
+!data/conf/nginx/site.conf
+*.iml
+.idea
+.vscode/*
+data/assets/ejabberd/sqlite/sqlite.db
+data/assets/ssl-example/*
+data/assets/ssl/*
 data/conf/clamav/whitelist.ign2
-data/conf/phpfpm/sogo-sso/sogo-sso.pass
+data/conf/dovecot/acl_anyone
 data/conf/dovecot/dovecot-master.passwd
 data/conf/dovecot/dovecot-master.userdb
-mailcow.conf
-mailcow.conf_backup
-data/conf/nginx/*.active
-data/conf/postfix/sni.map
-data/conf/postfix/sni.map.db
-data/conf/postfix/extra.cf
-data/conf/postfix/sql
-data/conf/postfix/custom_transport.pcre
-data/conf/postfix/custom_postscreen_whitelist.cidr
-data/conf/postfix/allow_mailcow_local.regexp
-data/conf/dovecot/sql
-data/conf/dovecot/lua
+data/conf/dovecot/extra.conf
 data/conf/dovecot/global_sieve_*
-data/conf/dovecot/sogo_trusted_ip.conf
-data/conf/nextcloud-*.bak
-data/web/inc/vars.local.inc.php
-data/web/css/build/0081-custom-mailcow.css
-data/assets/ssl/*
-data/assets/ssl-example/*
-.vscode/*
-.idea
-*.iml
-data/web/.well-known/acme-challenge
-data/web/nextcloud*/
-data/web/rc*/
-data/conf/rspamd/local.d/*
-data/conf/rspamd/override.d/*
-!data/conf/nginx/dynmaps.conf
-!data/conf/nginx/site.conf
-!data/conf/nginx/meta_exporter.conf
-data/conf/nginx/*.conf
-data/conf/nginx/*.custom
-data/conf/nginx/*.bak
-data/conf/dovecot/acl_anyone
-data/conf/dovecot/mail_plugins*
 data/conf/dovecot/last_login
+data/conf/dovecot/lua
+data/conf/dovecot/mail_plugins*
+data/conf/dovecot/shared_namespace.conf
 data/conf/dovecot/sni.conf
 data/conf/dovecot/sogo-sso.conf
-data/conf/dovecot/extra.conf
-data/conf/dovecot/shared_namespace.conf
-data/conf/rspamd/custom/*
+data/conf/dovecot/sogo_trusted_ip.conf
+data/conf/dovecot/sql
+data/conf/ejabberd/autogen/*
+data/conf/nextcloud-*.bak
+data/conf/nginx/*.active
+data/conf/nginx/*.bak
+data/conf/nginx/*.conf
+data/conf/nginx/*.custom
+data/conf/phpfpm/sogo-sso/sogo-sso.pass
 data/conf/portainer/
-data/hooks/
+data/conf/postfix/allow_mailcow_local.regexp
+data/conf/postfix/custom_postscreen_whitelist.cidr
+data/conf/postfix/custom_transport.pcre
+data/conf/postfix/extra.cf
+data/conf/postfix/sni.map
+data/conf/postfix/sni.map.db
+data/conf/postfix/sql
+data/conf/rspamd/custom/*
+data/conf/rspamd/local.d/*
+data/conf/rspamd/override.d/*
+data/conf/sogo/plist_ldap
+data/conf/sogo/sieve.creds
+data/conf/sogo/sogo-full.svg
 data/gitea/
 data/gogs/
-data/conf/sogo/plist_ldap
-update_diffs/
+data/hooks/
+data/web/.well-known/acme-challenge
+data/web/css/build/0081-custom-mailcow.css
+data/web/inc/vars.local.inc.php
+data/web/nextcloud*/
+data/web/rc*/
 docker-compose.override.yml
+mailcow.conf
+mailcow.conf_backup
+rebuild-images.sh
 refresh_images.sh
-data/conf/sogo/sogo-full.svg
-data/conf/ejabberd/autogen/*
+update_diffs/
diff --git a/data/assets/ejabberd/sqlite/sqlite_template.db b/data/assets/ejabberd/sqlite/sqlite_template.db
new file mode 100644
index 00000000..981ba6b9
Binary files /dev/null and b/data/assets/ejabberd/sqlite/sqlite_template.db differ
diff --git a/data/conf/ejabberd/ejabberd.yml b/data/conf/ejabberd/ejabberd.yml
new file mode 100644
index 00000000..d63bae3f
--- /dev/null
+++ b/data/conf/ejabberd/ejabberd.yml
@@ -0,0 +1,218 @@
+loglevel: info
+
+auth_method: [external]
+auth_use_cache: false
+extauth_program: /var/www/authentication/authenticator
+
+include_config_file:
+ /ejabberd/ejabberd_api.yml
+
+include_config_file:
+ /ejabberd/ejabberd_acl.yml
+
+include_config_file:
+ /ejabberd/ejabberd_hosts.yml:
+ allow_only:
+ - hosts
+
+include_config_file:
+ /ejabberd/ejabberd_macros.yml:
+ allow_only:
+ - define_macro
+
+define_macro:
+ 'TLS_CIPHERS': "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+ 'TLS_OPTIONS':
+ - "no_sslv3"
+ - "no_tlsv1"
+ - "no_tlsv1_1"
+ - "cipher_server_preference"
+ - "no_compression"
+
+new_sql_schema: true
+sql_type: sqlite
+sql_database: /sqlite/sqlite.db
+default_db: sql
+
+listen:
+ -
+ port: 5222
+ ip: "::"
+ module: ejabberd_c2s
+ max_stanza_size: 262144
+ shaper: c2s_shaper
+ access: c2s
+ starttls_required: true
+ -
+ port: 5269
+ ip: "::"
+ module: ejabberd_s2s_in
+ max_stanza_size: 524288
+ -
+ port: 5443
+ ip: "::"
+ module: ejabberd_http
+ tls: true
+ request_handlers:
+ /admin: ejabberd_web_admin
+ /api: mod_http_api
+ /captcha: ejabberd_captcha
+ /upload: mod_http_upload
+ /ws: ejabberd_http_ws
+ -
+ port: 5280
+ ip: "::"
+ module: ejabberd_http
+ request_handlers:
+ /admin: ejabberd_web_admin
+ -
+ module: ejabberd_http
+ port: 5281
+ request_handlers:
+ /.well-known/acme-challenge: ejabberd_acme
+ -
+ port: 1883
+ ip: "::"
+ module: mod_mqtt
+ backlog: 1000
+
+s2s_use_starttls: optional
+
+acme:
+ auto: true
+
+acl:
+ admin:
+ user:
+ - "admin": "localhost"
+ local:
+ user_regexp: ""
+ loopback:
+ ip:
+ - 127.0.0.0/8
+ - ::1/128
+
+access_rules:
+ local:
+ allow: local
+ c2s:
+ deny: blocked
+ allow: all
+ announce:
+ allow: admin
+ configure:
+ allow: admin
+ muc_create:
+ allow: local
+ pubsub_createnode:
+ allow: local
+ trusted_network:
+ allow: loopback
+
+api_permissions:
+ "console commands":
+ from:
+ - ejabberd_ctl
+ who: all
+ what: "*"
+ "admin access":
+ who:
+ access:
+ allow:
+ - acl: loopback
+ - acl: admin
+ what:
+ - "*"
+ - "!stop"
+ - "!start"
+
+shaper:
+ normal:
+ rate: 3000
+ burst_size: 20000
+ fast: 100000
+
+shaper_rules:
+ max_user_sessions: 10
+ max_user_offline_messages:
+ 5000: admin
+ 100: all
+ c2s_shaper:
+ none: admin
+ normal: all
+ s2s_shaper: fast
+
+modules:
+ mod_adhoc: {}
+ mod_admin_extra: {}
+ mod_announce:
+ access: announce
+ mod_avatar: {}
+ mod_blocking: {}
+ mod_caps: {}
+ mod_carboncopy: {}
+ mod_client_state: {}
+ mod_configure: {}
+ mod_disco: {}
+ mod_fail2ban: {}
+ mod_http_api: {}
+ mod_http_upload:
+ put_url: https://@HOST@:5443/upload
+ docroot: /var/www/upload
+ custom_headers:
+ "Access-Control-Allow-Origin": "https://@HOST@"
+ "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
+ "Access-Control-Allow-Headers": "Content-Type"
+ mod_last: {}
+ mod_mam:
+ clear_archive_on_room_destroy: true
+ default: roster
+ mod_mqtt: {}
+ mod_muc:
+ access:
+ - allow
+ access_admin:
+ - allow: admin
+ access_create: muc_create
+ access_persistent: muc_create
+ access_mam:
+ - allow
+ default_room_options:
+ mam: true
+ mod_muc_admin: {}
+ mod_offline:
+ access_max_user_messages: max_user_offline_messages
+ mod_ping: {}
+ mod_privacy: {}
+ mod_private: {}
+ mod_proxy65:
+ access: local
+ max_connections: 5
+ mod_pubsub:
+ access_createnode: pubsub_createnode
+ plugins:
+ - flat
+ - pep
+ force_node_config:
+ ## Avoid buggy clients to make their bookmarks public
+ storage:bookmarks:
+ access_model: whitelist
+ mod_push: {}
+ mod_push_keepalive: {}
+ mod_register:
+ ## Only accept registration requests from the "trusted"
+ ## network (see access_rules section above).
+ ## Think twice before enabling registration from any
+ ## address. See the Jabber SPAM Manifesto for details:
+ ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
+ ip_access: trusted_network
+ mod_roster:
+ versioning: true
+ mod_s2s_dialback: {}
+ mod_stream_mgmt:
+ resend_on_timeout: if_offline
+ mod_stun_disco: {}
+ mod_vcard: {}
+ mod_vcard_xupdate: {}
+ mod_version:
+ show_os: false
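Review bot: The `TLS_CIPHERS` and `TLS_OPTIONS` macros under `define_macro` are never referenced by any listener or top-level option in this file, so the 5222, 5269 and 5443 listeners run on ejabberd's built-in cipher and protocol defaults unless one of the included files (`ejabberd_macros.yml`, `ejabberd_hosts.yml`) applies them, which I cannot see from this hunk. Each TLS-capable listener should consume them explicitly, e.g. on the `ejabberd_c2s` entry `ciphers: TLS_CIPHERS` and `protocol_options: TLS_OPTIONS`, and a one-line comment next to `define_macro` naming where the macros are consumed would stop a reader from assuming they are already in effect. Separately, the 5280 listener serves `ejabberd_web_admin` without `tls: true` on `ip: "::"` and the 1883 `mod_mqtt` listener is likewise plaintext; whether either is reachable beyond the container depends on the compose port mapping outside this commit, so a comment stating that these ports must not be published to the host (or dropping 5280, since `/admin` is already served on 5443) is worth adding. `s2s_use_starttls: optional` permits unencrypted federation; if that is a deliberate interoperability choice, say so in a comment, otherwise `required` is the safer default.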