authorJonas Smedegaard <dr@jones.dk>2017-01-18 17:32:45 +0100
committerJonas Smedegaard <dr@jones.dk>2017-01-18 17:33:29 +0100
commitccfe0921edb6d81ccf53135654fd364eea679140 (patch)
treebf3e9e97afad41b7437ed0be1cd1d1a82eecd9be /ejabberd/config.d
parent8d7a52d331eee26c44ee8ac68a72b0b2fe0a0750 (diff)
Add ejabberd tweaks as snippets.
Diffstat (limited to 'ejabberd/config.d')
-rw-r--r--ejabberd/config.d/sip-sips.yml32
-rw-r--r--ejabberd/config.d/sips.yml21
-rw-r--r--ejabberd/config.d/stun-turns.yml36
-rw-r--r--ejabberd/config.d/stuns-turns.yml25
-rw-r--r--ejabberd/config.d/xmpp-auth-pam.yml14
-rw-r--r--ejabberd/config.d/xmpp-c2s.yml61
-rw-r--r--ejabberd/config.d/xmpp-muc.yml29
-rw-r--r--ejabberd/config.d/xmpp-muclog.yml18
-rw-r--r--ejabberd/config.d/xmpp-s2s.yml22
9 files changed, 258 insertions, 0 deletions
diff --git a/ejabberd/config.d/sip-sips.yml b/ejabberd/config.d/sip-sips.yml
new file mode 100644
index 0000000..70edfb6
--- /dev/null
+++ b/ejabberd/config.d/sip-sips.yml
@@ -0,0 +1,32 @@
+# SIP services (insecure + secure)
+#
+# * _tls proto (in DNS below) is nonstandard but maybe used in the wild
+#
+# Sample DNS entries:
+# @ IN NAPTR 10 0 "s" "SIPS+D2T" "" _sips._tcp
+# @ IN NAPTR 20 0 "s" "SIP+D2U" "" _sip._udp
+# @ IN NAPTR 30 0 "s" "SIP+D2T" "" _sip._tcp
+# sip IN A 192.0.2.1
+# _sip._udp IN SRV 0 0 5060 sip
+# _sip._tcp IN SRV 0 0 5060 sip
+# _sips._tcp IN SRV 0 0 5061 sip
+# _sip._tls IN SRV 0 0 5061 sip
+#
+# Depends: erlang-p1-sip
+
+listen:
+ -
+ port: 5060
+ transport: udp
+ module: ejabberd_sip
+ -
+ port: 5060
+ module: ejabberd_sip
+ -
+ port: 5061
+ module: ejabberd_sip
+ tls: true
+ certfile: 'CERT_PATH'
+
+modules:
+ mod_sip: {}
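Review bot: The `certfile: 'CERT_PATH'` value on the 5061 listener is a placeholder that the header comment never explains, so a reader cannot tell whether it is substituted at deploy time or must be edited by hand. I would add a header line such as `# * CERT_PATH must be replaced with the PEM file holding certificate and private key`. The same gap applies to `CERT_PATH`, `DH_PATH`, `TLS_CIPHERS` and `TLS_OPTIONS` in sips.yml, stun-turns.yml, stuns-turns.yml, xmpp-c2s.yml and xmpp-s2s.yml; only `TURN_IP` is documented. The header could also state that the two 5060 listeners carry signalling and authentication exchanges without transport encryption, since "insecure" alone does not say what is exposed.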
diff --git a/ejabberd/config.d/sips.yml b/ejabberd/config.d/sips.yml
new file mode 100644
index 0000000..c397f05
--- /dev/null
+++ b/ejabberd/config.d/sips.yml
@@ -0,0 +1,21 @@
+# SIP service (secure)
+#
+# * _tls proto (in DNS below) is nonstandard but maybe used in the wild
+#
+# Sample DNS entries:
+# @ IN NAPTR 10 0 "s" "SIPS+D2T" "" _sips._tcp
+# sip IN A 192.0.2.1
+# _sips._tcp IN SRV 0 0 5061 sip
+# _sip._tls IN SRV 0 0 5061 sip
+#
+# Depends: erlang-p1-sip
+
+listen:
+ -
+ port: 5061
+ module: ejabberd_sip
+ tls: true
+ certfile: 'CERT_PATH'
+
+modules:
+ mod_sip: {}
diff --git a/ejabberd/config.d/stun-turns.yml b/ejabberd/config.d/stun-turns.yml
new file mode 100644
index 0000000..eeef731
--- /dev/null
+++ b/ejabberd/config.d/stun-turns.yml
@@ -0,0 +1,36 @@
+# STUN/TURN services (insecure STUN + secure authenticated STUN/TURN)
+#
+# * TURN_IP must be the public IP of the listening port
+# * TURN relay requires authentication
+# * _tls proto (in DNS below) is nonstandard but maybe used in the wild
+# * stuns service (in DNS below) is legacy but maybe used in the wild
+#
+# Sample DNS entries:
+# @ IN NAPTR 10 0 "s" "RELAY:turn.tls" "" stun
+# stun IN A 192.0.2.1
+# _stun._udp IN SRV 0 0 3478 stun
+# _stun._tcp IN SRV 0 0 3478 stun
+# _stuns._tcp IN SRV 0 0 5349 stun
+# _stun._tls IN SRV 0 0 5349 stun
+# _turns._tcp IN SRV 0 0 5349 stun
+# _turn._tls IN SRV 0 0 5349 stun
+#
+# Depends: erlang-p1-stun
+
+listen:
+ -
+ port: 3478
+ transport: udp
+ module: ejabberd_stun
+ use_turn: false
+ -
+ port: 3478
+ module: ejabberd_stun
+ use_turn: false
+ -
+ port: 5349
+ module: ejabberd_stun
+ tls: true
+ certfile: 'CERT_PATH'
+ auth_type: user
+ turn_ip: 'TURN_IP'
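Review bot: The 5349 listener sets `auth_type: user` and `turn_ip` but never sets `use_turn`, which as far as I know defaults to false in ejabberd_stun, so the relay that the header calls "secure authenticated STUN/TURN" would likely stay disabled and the port would answer STUN only. If TURN is intended, add `use_turn: true` to that listener; the two 3478 listeners already spell out `use_turn: false`. stuns-turns.yml has the same omission on its single listener. This is worth confirming against the ejabberd version being deployed.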
diff --git a/ejabberd/config.d/stuns-turns.yml b/ejabberd/config.d/stuns-turns.yml
new file mode 100644
index 0000000..a8e5e7a
--- /dev/null
+++ b/ejabberd/config.d/stuns-turns.yml
@@ -0,0 +1,25 @@
+# STUN/TURN services (secure authenticated)
+#
+# * TURN_IP must be the public IP of the listening port
+# * TURN relay requires authentication
+# * _tls proto (in DNS below) is nonstandard but maybe used in the wild
+# * stuns service (in DNS below) is legacy but maybe used in the wild
+#
+# Sample DNS entries:
+# @ IN NAPTR 10 0 "s" "RELAY:turn.tls" "" stun
+# stun IN A 192.0.2.1
+# _stuns._tcp IN SRV 0 0 5349 stun
+# _stun._tls IN SRV 0 0 5349 stun
+# _turns._tcp IN SRV 0 0 5349 stun
+# _turn._tls IN SRV 0 0 5349 stun
+#
+# Depends: erlang-p1-stun
+
+listen:
+ -
+ port: 5349
+ module: ejabberd_stun
+ tls: true
+ certfile: 'CERT_PATH'
+ auth_type: user
+ turn_ip: 'TURN_IP'
diff --git a/ejabberd/config.d/xmpp-auth-pam.yml b/ejabberd/config.d/xmpp-auth-pam.yml
new file mode 100644
index 0000000..b10936f
--- /dev/null
+++ b/ejabberd/config.d/xmpp-auth-pam.yml
@@ -0,0 +1,14 @@
+# XMPP client service (secure)
+#
+# Depends: erlang-p1-pam
+
+auth_method: pam
+auth_password_format: plain
+
+disable_sasl_mechanisms:
+ - "digest-md5"
+ - "X-OAUTH2"
+
+access_rules:
+ register:
+ - deny
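Review bot: The header line `# XMPP client service (secure)` appears copied from xmpp-c2s.yml and does not describe this snippet, which only selects PAM authentication, disables two SASL mechanisms and denies registration. PAM needs the cleartext password, so clients are presumably left with SASL PLAIN, and nothing in this file requires TLS; the protection comes from `starttls_required: true` in xmpp-c2s.yml. I would change the header to `# XMPP authentication via PAM` and add `# * passwords arrive as SASL PLAIN - use only with a listener that sets starttls_required`.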
diff --git a/ejabberd/config.d/xmpp-c2s.yml b/ejabberd/config.d/xmpp-c2s.yml
new file mode 100644
index 0000000..29d0163
--- /dev/null
+++ b/ejabberd/config.d/xmpp-c2s.yml
@@ -0,0 +1,61 @@
+# XMPP client service (secure)
+#
+# * Custom Diffie-Hellman params needs to be created ahead, e.g. with
+# /etc/local-COMMON/ejabberd/mkdhparams.sh
+#
+# Sample DNS entries:
+# xmpp IN A 192.0.2.1
+# _xmpp-client._tcp IN SRV 0 0 5222 xmpp
+# _xmppconnect IN TXT "_xmpp-client-xbosh=https://chat.example.org/http-bind"
+# _xmppconnect IN TXT "_xmpp-client-websocket=wss://chat.example.org/xmpp-websocket"
+
+listen:
+ -
+ port: 5222
+ ip: "::"
+ module: ejabberd_c2s
+ certfile: 'CERT_PATH'
+ starttls_required: true
+ protocol_options: 'TLS_OPTIONS'
+ max_stanza_size: 65536
+ shaper: c2s_shaper
+ access: c2s
+ zlib: true
+ tls_compression: false
+ dhfile: 'DH_PATH'
+ ciphers: 'TLS_CIPHERS'
+ resend_on_timeout: if_offline
+
+modules:
+ mod_admin_extra: []
+ mod_adhoc: []
+ mod_announce:
+ access: announce
+ mod_caps: []
+ mod_disco: []
+ mod_http_bind: []
+ mod_last: []
+ mod_offline:
+ access_max_user_messages: max_user_offline_messages
+ mod_ping: []
+ mod_privacy: []
+ mod_private: []
+ mod_pubsub:
+ access_createnode: pubsub_createnode
+ ignore_pep_from_offline: false
+ last_item_cache: true
+ plugins:
+ - "flat"
+ - "hometree"
+ - "pep"
+ mod_roster:
+ versioning: true
+ mod_shared_roster: []
+ mod_stats: []
+ mod_time: []
+ mod_vcard: []
+ mod_version: []
+ mod_mam: []
+ mod_blocking: []
+ mod_client_state: []
+ mod_carboncopy: []
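Review bot: `zlib: true` turns on XMPP stream compression for the 5222 listener while `tls_compression: false` on the next line turns off compression at the TLS layer, and the two settings work against each other. Compressing the stream before it is encrypted brings back the length side channel that disabling TLS compression is meant to avoid, and a compressed stream can inflate to far more data than was received; whether `max_stanza_size: 65536` bounds that before decompression is not something this file shows. Unless the client population depends on stream compression, I would set `zlib: false` or drop the line.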
diff --git a/ejabberd/config.d/xmpp-muc.yml b/ejabberd/config.d/xmpp-muc.yml
new file mode 100644
index 0000000..637255b
--- /dev/null
+++ b/ejabberd/config.d/xmpp-muc.yml
@@ -0,0 +1,29 @@
+# XMPP MUC service
+#
+# Sample DNS entries:
+# conference IN CNAME xmpp
+
+acl:
+ admin:
+ user:
+ - "@localhost"
+ local:
+ user_regexp: ""
+
+access_rules:
+ local:
+ - allow: local
+ muc_admin:
+ - allow: admin
+ muc_create:
+ - allow: local
+
+modules:
+ mod_muc:
+ host: "conference.@HOST@"
+ access:
+ - allow
+ access_admin: muc_admin
+ access_create: muc_create
+ access_persistent: muc_create
+ mod_muc_admin: {}
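Review bot: The admin ACL entry `- "@localhost"` has an empty user part, so as written it probably matches no real account and `muc_admin` grants room administration to nobody; if it is a template value the file should say so. I would put `# replace with the JID(s) of the MUC administrators` above that entry. Separately, `access: - allow` under `mod_muc` lets any JID, remote users included, use the conference service, with only room creation and persistence limited to `local`; a one-line comment stating that this is intended would save the next reader from guessing.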
diff --git a/ejabberd/config.d/xmpp-muclog.yml b/ejabberd/config.d/xmpp-muclog.yml
new file mode 100644
index 0000000..2403a82
--- /dev/null
+++ b/ejabberd/config.d/xmpp-muclog.yml
@@ -0,0 +1,18 @@
+# XMPP MUC service (publicly logged)
+#
+# * logfiles are not created public readable - fix with this cronjob:
+# /etc/local-COMMON/ejabberd/cron.hourly/local-ejabberd-muc-publish
+#
+# Example Apache2 snippet:
+# Alias /logs /var/www/vhosts/www-ejabberd/conference
+# <Location /logs>
+# Options Indexes
+# DirectoryIndex index.html
+# </Location>
+#
+# Depends: ejabberd-mod-muc-log-http
+
+modules:
+ mod_muc_log:
+ outdir: "/var/lib/ejabberd/logs"
+ mod_muc_log_http: {}
diff --git a/ejabberd/config.d/xmpp-s2s.yml b/ejabberd/config.d/xmpp-s2s.yml
new file mode 100644
index 0000000..a08bfc3
--- /dev/null
+++ b/ejabberd/config.d/xmpp-s2s.yml
@@ -0,0 +1,22 @@
+# XMPP server-to-server service (optionally secure)
+#
+# * Custom Diffie-Hellman params needs to be created ahead, e.g. with
+# /etc/local-COMMON/ejabberd/mkdhparams.sh
+#
+# Sample DNS entries:
+# xmpp IN A 192.0.2.1
+# _xmpp-server._tcp IN SRV 0 0 5222 xmpp
+
+listen:
+ -
+ port: 5269
+ ip: "::"
+ module: ejabberd_s2s_in
+
+s2s_use_starttls: optional
+s2s_certfile: 'CERT_PATH'
+s2s_dhfile: 'DH_PATH'
+s2s_ciphers: 'TLS_CIPHERS'
+s2s_protocol_options:
+ - "no_sslv2"
+ - "no_sslv3"
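Review bot: The sample DNS line `# _xmpp-server._tcp IN SRV 0 0 5222 xmpp` points server-to-server traffic at port 5222, but the listener defined below is on 5269 and 5222 is the client port in xmpp-c2s.yml; the record should read `# _xmpp-server._tcp IN SRV 0 0 5269 xmpp`. On the settings, `s2s_use_starttls: optional` allows unencrypted federation links, so a party on the path can strip STARTTLS from the negotiation; `s2s_use_starttls: required` closes that if the peers you federate with support TLS. `s2s_protocol_options` also hard-codes only `no_sslv2` and `no_sslv3` where the c2s snippet uses the `TLS_OPTIONS` placeholder, so the two services may end up with different protocol floors.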