summaryrefslogtreecommitdiffstats
path: root/lass/3modules/ejabberd/config.nix
diff options
context:
space:
mode:
Diffstat (limited to 'lass/3modules/ejabberd/config.nix')
-rw-r--r--lass/3modules/ejabberd/config.nix218
1 files changed, 127 insertions, 91 deletions
diff --git a/lass/3modules/ejabberd/config.nix b/lass/3modules/ejabberd/config.nix
index b1fca08d3..68bcfa340 100644
--- a/lass/3modules/ejabberd/config.nix
+++ b/lass/3modules/ejabberd/config.nix
@@ -1,93 +1,129 @@
-{ config, ... }: with import <stockholm/lib>; let
- cfg = config.lass.ejabberd;
+with import <stockholm/lib>;
+{ config, ... }: let
- # XXX this is a placeholder that happens to work the default strings.
- toErlang = builtins.toJSON;
-in toFile "ejabberd.conf" ''
- {loglevel, 3}.
- {hosts, ${toErlang cfg.hosts}}.
- {listen,
- [
- {5222, ejabberd_c2s, [
- starttls,
- {certfile, ${toErlang cfg.certfile.path}},
- {access, c2s},
- {shaper, c2s_shaper},
- {max_stanza_size, 65536}
- ]},
- {5269, ejabberd_s2s_in, [
- {shaper, s2s_shaper},
- {max_stanza_size, 131072}
- ]},
- {5280, ejabberd_http, [
- captcha,
- http_bind,
- http_poll,
- web_admin
- ]}
- ]}.
- {s2s_use_starttls, required}.
- {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}.
- {auth_method, internal}.
- {shaper, normal, {maxrate, 1000}}.
- {shaper, fast, {maxrate, 50000}}.
- {max_fsm_queue, 1000}.
- {acl, local, {user_regexp, ""}}.
- {access, max_user_sessions, [{10, all}]}.
- {access, max_user_offline_messages, [{5000, admin}, {100, all}]}.
- {access, local, [{allow, local}]}.
- {access, c2s, [{deny, blocked},
- {allow, all}]}.
- {access, c2s_shaper, [{none, admin},
- {normal, all}]}.
- {access, s2s_shaper, [{fast, all}]}.
- {access, announce, [{allow, admin}]}.
- {access, configure, [{allow, admin}]}.
- {access, muc_admin, [{allow, admin}]}.
- {access, muc_create, [{allow, local}]}.
- {access, muc, [{allow, all}]}.
- {access, pubsub_createnode, [{allow, local}]}.
- {access, register, [{allow, local}]}.
- {language, "en"}.
- {modules,
- [
- {mod_adhoc, []},
- {mod_announce, [{access, announce}]},
- {mod_blocking,[]},
- {mod_caps, []},
- {mod_configure,[]},
- {mod_disco, []},
- {mod_irc, []},
- {mod_http_bind, []},
- {mod_last, []},
- {mod_muc, [
- {access, muc},
- {access_create, muc_create},
- {access_persistent, muc_create},
- {access_admin, muc_admin}
- ]},
- {mod_offline, [{access_max_user_messages, max_user_offline_messages}]},
- {mod_ping, []},
- {mod_privacy, []},
- {mod_private, []},
- {mod_pubsub, [
- {access_createnode, pubsub_createnode},
- {ignore_pep_from_offline, true},
- {last_item_cache, false},
- {plugins, ["flat", "hometree", "pep"]}
- ]},
- {mod_register, [
- {welcome_message, {"Welcome!",
- "Hi.\nWelcome to this XMPP server."}},
- {ip_access, [{allow, "127.0.0.0/8"},
- {allow, "0.0.0.0/0"}]},
- {access, register}
- ]},
- {mod_roster, []},
- {mod_shared_roster,[]},
- {mod_stats, []},
- {mod_time, []},
- {mod_vcard, []},
- {mod_version, []}
- ]}.
+ # See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example
+
+ ciphers = concatStringsSep ":" [
+ "ECDHE-ECDSA-AES256-GCM-SHA384"
+ "ECDHE-RSA-AES256-GCM-SHA384"
+ "ECDHE-ECDSA-CHACHA20-POLY1305"
+ "ECDHE-RSA-CHACHA20-POLY1305"
+ "ECDHE-ECDSA-AES128-GCM-SHA256"
+ "ECDHE-RSA-AES128-GCM-SHA256"
+ "ECDHE-ECDSA-AES256-SHA384"
+ "ECDHE-RSA-AES256-SHA384"
+ "ECDHE-ECDSA-AES128-SHA256"
+ "ECDHE-RSA-AES128-SHA256"
+ ];
+
+ protocol_options = [
+ "no_sslv2"
+ "no_sslv3"
+ "no_tlsv1"
+ "no_tlsv1_10"
+ ];
+
+in /* yaml */ ''
+
+ access_rules:
+ announce:
+ - allow: admin
+ local:
+ - allow: local
+ configure:
+ - allow: admin
+ register:
+ - allow
+ s2s:
+ - allow
+ trusted_network:
+ - allow: loopback
+
+ acl:
+ local:
+ user_regexp: ""
+ loopback:
+ ip:
+ - "127.0.0.0/8"
+ - "::1/128"
+ - "::FFFF:127.0.0.1/128"
+
+ hosts: ${toJSON config.hosts}
+
+ language: "en"
+
+ listen:
+ -
+ port: 5222
+ ip: "::"
+ module: ejabberd_c2s
+ shaper: c2s_shaper
+ certfile: ${toJSON config.certfile.path}
+ ciphers: ${toJSON ciphers}
+ dhfile: ${toJSON config.dhfile.path}
+ protocol_options: ${toJSON protocol_options}
+ starttls: true
+ starttls_required: true
+ tls: false
+ tls_compression: false
+ max_stanza_size: 65536
+ -
+ port: 5269
+ ip: "::"
+ module: ejabberd_s2s_in
+ shaper: s2s_shaper
+ max_stanza_size: 131072
+
+ loglevel: 4
+
+ modules:
+ mod_adhoc: {}
+ mod_admin_extra: {}
+ mod_announce:
+ access: announce
+ mod_caps: {}
+ mod_carboncopy: {}
+ mod_client_state: {}
+ mod_configure: {}
+ mod_disco: {}
+ mod_echo: {}
+ mod_irc: {}
+ mod_bosh: {}
+ mod_last: {}
+ mod_offline:
+ access_max_user_messages: max_user_offline_messages
+ mod_ping: {}
+ mod_privacy: {}
+ mod_private: {}
+ mod_register:
+ access_from: deny
+ access: register
+ ip_access: trusted_network
+ registration_watchers: ${toJSON config.registration_watchers}
+ mod_roster: {}
+ mod_shared_roster: {}
+ mod_stats: {}
+ mod_time: {}
+ mod_vcard:
+ search: false
+ mod_version: {}
+ mod_http_api: {}
+
+ s2s_access: s2s
+ s2s_certfile: ${toJSON config.s2s_certfile.path}
+ s2s_ciphers: ${toJSON ciphers}
+ s2s_dhfile: ${toJSON config.dhfile.path}
+ s2s_protocol_options: ${toJSON protocol_options}
+ s2s_tls_compression: false
+ s2s_use_starttls: required
+
+ shaper_rules:
+ max_user_offline_messages:
+ - 5000: admin
+ - 100
+ max_user_sessions: 10
+ c2s_shaper:
+ - none: admin
+ - normal
+ s2s_shaper: fast
''
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-31 03:07:45 +0000