Add ejabberd tweaks as snippets.

16 files changed, 347 insertions, 822 deletions

diff --git a/ejabberd/addons.yml b/ejabberd/addons.yml
new file mode 100644
index 0000000..e936476
--- /dev/null
+++ b/ejabberd/addons.yml
@@ -0,0 +1,4 @@
+include_config_file:
+  "/etc/local-COMMON/ejabberd/config.d/xmpp-c2s.yml": []
+  "/etc/local-COMMON/ejabberd/config.d/xmpp-muc.yml": []
+  "/etc/local-COMMON/ejabberd/config.d/xmpp-s2s.yml": []
diff --git a/ejabberd/append.yml b/ejabberd/append.yml
new file mode 100644
index 0000000..9773216
--- /dev/null
+++ b/ejabberd/append.yml
@@ -0,0 +1,11 @@
+# include additive settings (e.g. modules) and last-wins settings (e.g. ports)
+#
+# Include this file at end of main ejabberd config file:
+#  include_config_file:
+#    "/etc/local-REDPILL/ejabberd/append.yml": []
+
+include_config_file:
+  "/etc/local-COMMON/ejabberd/addons.yml": []
+  "/etc/local-REDPILL/ejabberd/addons.yml": []
+  "/etc/local-ORG/ejabberd/addons.yml": []
+  "/etc/local/ejabberd/addons.yml": []
diff --git a/ejabberd/config.d/sip-sips.yml b/ejabberd/config.d/sip-sips.yml
new file mode 100644
index 0000000..70edfb6
--- /dev/null
+++ b/ejabberd/config.d/sip-sips.yml
@@ -0,0 +1,32 @@
+# SIP services (insecure + secure)
+#
+#  * _tls proto (in DNS below) is nonstandard but maybe used in the wild
+#
+# Sample DNS entries:
+#  @           IN NAPTR 10  0 "s" "SIPS+D2T" "" _sips._tcp
+#  @           IN NAPTR 20  0 "s" "SIP+D2U" "" _sip._udp
+#  @           IN NAPTR 30  0 "s" "SIP+D2T" "" _sip._tcp
+#  sip         IN A     192.0.2.1
+#  _sip._udp   IN SRV    0  0 5060 sip
+#  _sip._tcp   IN SRV    0  0 5060 sip
+#  _sips._tcp  IN SRV    0  0 5061 sip
+#  _sip._tls   IN SRV    0  0 5061 sip
+#
+# Depends: erlang-p1-sip
+
+listen:
+  -
+    port: 5060
+    transport: udp
+    module: ejabberd_sip
+  -
+    port: 5060
+    module: ejabberd_sip
+  -
+    port: 5061
+    module: ejabberd_sip
+    tls: true
+    certfile: 'CERT_PATH'
+
+modules:
+  mod_sip: {}
diff --git a/ejabberd/config.d/sips.yml b/ejabberd/config.d/sips.yml
new file mode 100644
index 0000000..c397f05
--- /dev/null
+++ b/ejabberd/config.d/sips.yml
@@ -0,0 +1,21 @@
+# SIP service (secure)
+#
+#  * _tls proto (in DNS below) is nonstandard but maybe used in the wild
+#
+# Sample DNS entries:
+#  @           IN NAPTR 10  0 "s" "SIPS+D2T" "" _sips._tcp
+#  sip         IN A     192.0.2.1
+#  _sips._tcp  IN SRV    0  0 5061 sip
+#  _sip._tls   IN SRV    0  0 5061 sip
+#
+# Depends: erlang-p1-sip
+
+listen:
+  -
+    port: 5061
+    module: ejabberd_sip
+    tls: true
+    certfile: 'CERT_PATH'
+
+modules:
+  mod_sip: {}
diff --git a/ejabberd/config.d/stun-turns.yml b/ejabberd/config.d/stun-turns.yml
new file mode 100644
index 0000000..eeef731
--- /dev/null
+++ b/ejabberd/config.d/stun-turns.yml
@@ -0,0 +1,36 @@
+# STUN/TURN services (insecure STUN + secure authenticated STUN/TURN)
+#
+#  * TURN_IP must be the public IP of the listening port
+#  * TURN relay requires authentication
+#  * _tls proto (in DNS below) is nonstandard but maybe used in the wild
+#  * stuns service (in DNS below) is legacy but maybe used in the wild
+#
+# Sample DNS entries:
+#  @            IN NAPTR 10  0 "s" "RELAY:turn.tls" "" stun
+#  stun         IN A     192.0.2.1
+#  _stun._udp   IN SRV    0  0 3478 stun
+#  _stun._tcp   IN SRV    0  0 3478 stun
+#  _stuns._tcp  IN SRV    0  0 5349 stun
+#  _stun._tls   IN SRV    0  0 5349 stun
+#  _turns._tcp  IN SRV    0  0 5349 stun
+#  _turn._tls   IN SRV    0  0 5349 stun
+#
+# Depends: erlang-p1-stun
+
+listen:
+  -
+    port: 3478
+    transport: udp
+    module: ejabberd_stun
+    use_turn: false
+  -
+    port: 3478
+    module: ejabberd_stun
+    use_turn: false
+  -
+    port: 5349
+    module: ejabberd_stun
+    tls: true
+    certfile: 'CERT_PATH'
+    auth_type: user
+    turn_ip: 'TURN_IP'
diff --git a/ejabberd/config.d/stuns-turns.yml b/ejabberd/config.d/stuns-turns.yml
new file mode 100644
index 0000000..a8e5e7a
--- /dev/null
+++ b/ejabberd/config.d/stuns-turns.yml
@@ -0,0 +1,25 @@
+# STUN/TURN services (secure authenticated)
+#
+#  * TURN_IP must be the public IP of the listening port
+#  * TURN relay requires authentication
+#  * _tls proto (in DNS below) is nonstandard but maybe used in the wild
+#  * stuns service (in DNS below) is legacy but maybe used in the wild
+#
+# Sample DNS entries:
+#  @            IN NAPTR 10  0 "s" "RELAY:turn.tls" "" stun
+#  stun         IN A     192.0.2.1
+#  _stuns._tcp  IN SRV    0  0 5349 stun
+#  _stun._tls   IN SRV    0  0 5349 stun
+#  _turns._tcp  IN SRV    0  0 5349 stun
+#  _turn._tls   IN SRV    0  0 5349 stun
+#
+# Depends: erlang-p1-stun
+
+listen:
+  -
+    port: 5349
+    module: ejabberd_stun
+    tls: true
+    certfile: 'CERT_PATH'
+    auth_type: user
+    turn_ip: 'TURN_IP'
diff --git a/ejabberd/config.d/xmpp-auth-pam.yml b/ejabberd/config.d/xmpp-auth-pam.yml
new file mode 100644
index 0000000..b10936f
--- /dev/null
+++ b/ejabberd/config.d/xmpp-auth-pam.yml
@@ -0,0 +1,14 @@
+# XMPP client service (secure)
+#
+# Depends: erlang-p1-pam
+
+auth_method: pam
+auth_password_format: plain
+
+disable_sasl_mechanisms:
+  - "digest-md5"
+  - "X-OAUTH2"
+
+access_rules:
+  register:
+    - deny
diff --git a/ejabberd/config.d/xmpp-c2s.yml b/ejabberd/config.d/xmpp-c2s.yml
new file mode 100644
index 0000000..29d0163
--- /dev/null
+++ b/ejabberd/config.d/xmpp-c2s.yml
@@ -0,0 +1,61 @@
+# XMPP client service (secure)
+#
+#  * Custom Diffie-Hellman params needs to be created ahead, e.g. with
+#    /etc/local-COMMON/ejabberd/mkdhparams.sh
+#
+# Sample DNS entries:
+#  xmpp               IN A   192.0.2.1
+#  _xmpp-client._tcp  IN SRV  0  0 5222 xmpp
+#  _xmppconnect       IN TXT "_xmpp-client-xbosh=https://chat.example.org/http-bind"
+#  _xmppconnect       IN TXT "_xmpp-client-websocket=wss://chat.example.org/xmpp-websocket"
+
+listen:
+  -
+    port: 5222
+    ip: "::"
+    module: ejabberd_c2s
+    certfile: 'CERT_PATH'
+    starttls_required: true
+    protocol_options: 'TLS_OPTIONS'
+    max_stanza_size: 65536
+    shaper: c2s_shaper
+    access: c2s
+    zlib: true
+    tls_compression: false
+    dhfile: 'DH_PATH'
+    ciphers: 'TLS_CIPHERS'
+    resend_on_timeout: if_offline
+
+modules:
+  mod_admin_extra: []
+  mod_adhoc: []
+  mod_announce:
+    access: announce
+  mod_caps: []
+  mod_disco: []
+  mod_http_bind: []
+  mod_last: []
+  mod_offline:
+    access_max_user_messages: max_user_offline_messages
+  mod_ping: []
+  mod_privacy: []
+  mod_private: []
+  mod_pubsub:
+    access_createnode: pubsub_createnode
+    ignore_pep_from_offline: false
+    last_item_cache: true
+    plugins:
+      - "flat"
+      - "hometree"
+      - "pep"
+  mod_roster:
+    versioning: true
+  mod_shared_roster: []
+  mod_stats: []
+  mod_time: []
+  mod_vcard: []
+  mod_version: []
+  mod_mam: []
+  mod_blocking: []
+  mod_client_state: []
+  mod_carboncopy: []
diff --git a/ejabberd/config.d/xmpp-muc.yml b/ejabberd/config.d/xmpp-muc.yml
new file mode 100644
index 0000000..637255b
--- /dev/null
+++ b/ejabberd/config.d/xmpp-muc.yml
@@ -0,0 +1,29 @@
+# XMPP MUC service
+#
+# Sample DNS entries:
+#  conference IN CNAME xmpp
+
+acl:
+  admin:
+     user:
+       - "@localhost"
+  local:
+    user_regexp: ""
+
+access_rules:
+  local:
+    - allow: local
+  muc_admin:
+    - allow: admin
+  muc_create:
+    - allow: local
+
+modules:
+  mod_muc:
+    host: "conference.@HOST@"
+    access:
+      - allow
+    access_admin: muc_admin
+    access_create: muc_create
+    access_persistent: muc_create
+  mod_muc_admin: {}
diff --git a/ejabberd/config.d/xmpp-muclog.yml b/ejabberd/config.d/xmpp-muclog.yml
new file mode 100644
index 0000000..2403a82
--- /dev/null
+++ b/ejabberd/config.d/xmpp-muclog.yml
@@ -0,0 +1,18 @@
+# XMPP MUC service (publicly logged)
+#
+#  * logfiles are not created public readable - fix with this cronjob:
+#    /etc/local-COMMON/ejabberd/cron.hourly/local-ejabberd-muc-publish
+#
+# Example Apache2 snippet:
+#  Alias /logs /var/www/vhosts/www-ejabberd/conference
+#  <Location /logs>
+#    Options Indexes
+#    DirectoryIndex index.html
+#  </Location>
+#
+# Depends: ejabberd-mod-muc-log-http
+
+modules:
+  mod_muc_log:
+    outdir: "/var/lib/ejabberd/logs"
+  mod_muc_log_http: {}
diff --git a/ejabberd/config.d/xmpp-s2s.yml b/ejabberd/config.d/xmpp-s2s.yml
new file mode 100644
index 0000000..a08bfc3
--- /dev/null
+++ b/ejabberd/config.d/xmpp-s2s.yml
@@ -0,0 +1,22 @@
+# XMPP server-to-server service (optionally secure)
+#
+#  * Custom Diffie-Hellman params needs to be created ahead, e.g. with
+#    /etc/local-COMMON/ejabberd/mkdhparams.sh
+#
+# Sample DNS entries:
+#  xmpp               IN A   192.0.2.1
+#  _xmpp-server._tcp  IN SRV  0  0 5222 xmpp
+
+listen:
+  -
+    port: 5269
+    ip: "::"
+    module: ejabberd_s2s_in
+
+s2s_use_starttls: optional
+s2s_certfile: 'CERT_PATH'
+s2s_dhfile: 'DH_PATH'
+s2s_ciphers: 'TLS_CIPHERS'
+s2s_protocol_options:
+  - "no_sslv2"
+  - "no_sslv3"
diff --git a/ejabberd/defs.yml b/ejabberd/defs.yml
new file mode 100644
index 0000000..aeb08f9
--- /dev/null
+++ b/ejabberd/defs.yml
@@ -0,0 +1,16 @@
+# Origin: https://github.com/jabber-at/config
+# Origin: https://gitlab.com/hanno/ejabberd-config
+
+# The default ciphers-setting is found here:
+#    https://github.com/processone/tls/blob/master/c_src/p1_tls_drv.c
+# We use the default and exclude a few additional ciphers classified as weak
+# by xmpp.net.
+define_macro:
+  'TLS_OPTIONS':
+    - "no_sslv2"
+    - "no_sslv3"
+    - "no_tlsv1"
+  'TLS_CIPHERS': "ECDH:DH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM"
+  #'TLS_CIPHERS': "HIGH:!MEDIUM:!LOW:!3DES:!CAMELLIA:!aNULL:!RSA@STRENGTH"
+  #'TLS_CIPHERS': "HIGH:!3DES:!aNULL:!SSLv2:@STRENGTH"
+  CERT_PATH: "/etc/ejabberd/ejabberd.pem"
diff --git a/ejabberd/ejabberd.yml b/ejabberd/ejabberd.yml
deleted file mode 100644
index 5cbe8de..0000000
--- a/ejabberd/ejabberd.yml
+++ /dev/null
@@ -1,683 +0,0 @@
-###
-###               ejabberd configuration file
-###
-###
-
-### The parameters used in this configuration file are explained in more detail
-### in the ejabberd Installation and Operation Guide.
-### Please consult the Guide in case of doubts, it is included with
-### your copy of ejabberd, and is also available online at
-### http://www.process-one.net/en/ejabberd/docs/
-
-### The configuration file is written in YAML.
-### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
-### However, ejabberd treats different literals as different types:
-###
-### - unquoted or single-quoted strings. They are called "atoms".
-###   Example: dog, 'Jupiter', '3.14159', YELLOW
-###
-### - numeric literals. Example: 3, -45.0, .0
-###
-### - quoted or folded strings.
-###   Examples of quoted string: "Lizzard", "orange".
-###   Example of folded string:
-###   > Art thou not Romeo,
-###     and a Montague?
-
-###   =======
-###   LOGGING
-
-##
-## loglevel: Verbosity of log files generated by ejabberd.
-## 0: No ejabberd log at all (not recommended)
-## 1: Critical
-## 2: Error
-## 3: Warning
-## 4: Info
-## 5: Debug
-##
-loglevel: 4
-
-##
-## rotation: Disable ejabberd's internal log rotation, as the Debian package
-## uses logrotate(8).
-log_rotate_size: 0
-log_rotate_date: ""
-
-##
-## overload protection: If you want to limit the number of messages per second
-## allowed from error_logger, which is a good idea if you want to avoid a flood
-## of messages when system is overloaded, you can set a limit.
-## 100 is ejabberd's default.
-log_rate_limit: 100
-
-##
-## watchdog_admins: Only useful for developers: if an ejabberd process
-## consumes a lot of memory, send live notifications to these XMPP
-## accounts.
-##
-## watchdog_admins:
-##   - "bob@example.com"
-
-
-###   ================
-###   SERVED HOSTNAMES
-
-##
-## hosts: Domains served by ejabberd.
-## You can define one or several, for example:
-## hosts: 
-##   - "example.net"
-##   - "example.com"
-##   - "example.org"
-##
-hosts:
-  - "example.org"
-  - "guest.example.org"
-
-##
-## route_subdomains: Delegate subdomains to other XMPP servers.
-## For example, if this ejabberd serves example.org and you want
-## to allow communication with an XMPP server called im.example.org.
-##
-## route_subdomains: s2s
-
-###   ===============
-###   LISTENING PORTS
-
-##
-## listen: The ports ejabberd will listen on, which service each is handled
-## by and what options to start it with.
-##
-listen: 
-  - 
-    port: 5222
-    ip: "::"
-    module: ejabberd_c2s
-    ##
-    ## If TLS is compiled in and you installed a SSL
-    ## certificate, specify the full path to the
-    ## file and uncomment this line:
-    ##
-    certfile: "/etc/ejabberd/chat.example.org.pem"
-    starttls_required: true
-    ##
-    ## Custom OpenSSL options
-    ##
-    protocol_options:
-      - "no_sslv3"
-      - "no_tlsv1"
-    max_stanza_size: 65536
-    shaper: c2s_shaper
-    access: c2s
-  - 
-    port: 5269
-    ip: "::"
-    module: ejabberd_s2s_in
-  ##
-  ## ejabberd_service: Interact with external components (transports, ...)
-  ##
-  ## - 
-  ##   port: 8888
-  ##   module: ejabberd_service
-  ##   access: all
-  ##   shaper_rule: fast
-  ##   ip: "127.0.0.1"
-  ##   hosts:
-  ##     "icq.example.org":
-  ##       password: "secret"
-  ##     "sms.example.org":
-  ##       password: "secret"
-
-  ##
-  ## ejabberd_stun: Handles STUN Binding requests
-  ##
-  ## - 
-  ##   port: 3478
-  ##   transport: udp
-  ##   module: ejabberd_stun
-
-  ##
-  ## To handle XML-RPC requests that provide admin credentials:
-  ##
-  ## - 
-  ##   port: 4560
-  ##   module: ejabberd_xmlrpc
-  - 
-    port: 5280
-    ip: "::"
-    module: ejabberd_http
-    ## request_handlers:
-    ##   "/pub/archive": mod_http_fileserver
-    web_admin: false
-    http_poll: false
-    http_bind: true
-    ## register: true
-    captcha: false
-
-  -
-    port: 3478
-    transport: udp
-    module: ejabberd_stun
-  -
-    port: 3478
-    module: ejabberd_stun
-  -
-    port: 5349
-    module: ejabberd_stun
-    certfile: "/etc/ejabberd/chat.example.org.pem"
-    tls: true
-    turn_ip: "188.183.5.254"
-    auth_type: user
-    auth_realm: "EXAMPLE.ORG"
-##  -
-##    port: 5060
-##    transport: udp
-##    module: ejabberd_sip
-##  -
-##    port: 5060
-##    module: ejabberd_sip
-  -
-    port: 5061
-    module: ejabberd_sip
-    certfile: "/etc/ejabberd/chat.example.org.pem"
-    tls: true
-
-##
-## s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
-## Allowed values are: false optional required required_trusted
-## You must specify a certificate file.
-##
-## s2s_use_starttls: optional
-s2s_use_starttls: optional
-
-##
-## s2s_certfile: Specify a certificate file.
-##
-## s2s_certfile: "/path/to/ssl.pem"
-s2s_certfile: "/etc/ejabberd/chat.example.org.pem"
-
-## Custom OpenSSL options
-##
-## s2s_protocol_options:
-##   - "no_sslv3"
-##   - "no_tlsv1"
-s2s_protocol_options:
-  - "no_sslv3"
-  - "no_tlsv1"
-
-##
-## domain_certfile: Specify a different certificate for each served hostname.
-##
-## host_config:
-##   "example.org":
-##     domain_certfile: "/path/to/example_org.pem"
-##   "example.com":
-##     domain_certfile: "/path/to/example_com.pem"
-
-##
-## S2S whitelist or blacklist
-##
-## Default s2s policy for undefined hosts.
-##
-## s2s_access: s2s
-
-##
-## Outgoing S2S options
-##
-## Preferred address families (which to try first) and connect timeout
-## in milliseconds.
-##
-## outgoing_s2s_families:
-##   - ipv4
-##   - ipv6
-## outgoing_s2s_timeout: 10000
-
-###   ==============
-###   AUTHENTICATION
-
-##
-## auth_method: Method used to authenticate the users.
-## The default method is the internal.
-## If you want to use a different method,
-## comment this line and enable the correct ones.
-##
-auth_method: internal
-
-##
-## Store the plain passwords or hashed for SCRAM:
-## auth_password_format: plain
-## auth_password_format: scram
-##
-## Define the FQDN if ejabberd doesn't detect it:
-## fqdn: "server3.example.com"
-
-##
-## Authentication using external script
-## Make sure the script is executable by ejabberd.
-##
-## auth_method: external
-## extauth_program: "/path/to/authentication/script"
-
-##
-## Authentication using ODBC
-## Remember to setup a database in the next section.
-##
-## auth_method: odbc
-
-##
-## Authentication using PAM
-##
-## auth_method: pam
-## pam_service: "pamservicename"
-
-##
-## Authentication using LDAP
-##
-## auth_method: ldap
-##
-## List of LDAP servers:
-## ldap_servers:
-##   - "localhost"
-##
-## Encryption of connection to LDAP servers:
-## ldap_encrypt: none
-## ldap_encrypt: tls
-##
-## Port to connect to on LDAP servers:
-## ldap_port: 389
-## ldap_port: 636
-##
-## LDAP manager:
-## ldap_rootdn: "dc=example,dc=com"
-##
-## Password of LDAP manager:
-## ldap_password: "******"
-##
-## Search base of LDAP directory:
-## ldap_base: "dc=example,dc=com"
-##
-## LDAP attribute that holds user ID:
-## ldap_uids:
-##   - "mail": "%u@mail.example.org"
-##
-## LDAP filter:
-## ldap_filter: "(objectClass=shadowAccount)"
-
-##
-## Anonymous login support:
-##   auth_method: anonymous
-##   anonymous_protocol: sasl_anon | login_anon | both
-##   allow_multiple_connections: true | false
-##
-## host_config:
-##   "public.example.org":
-##     auth_method: anonymous
-##     allow_multiple_connections: false
-##     anonymous_protocol: sasl_anon
-##
-## To use both anonymous and internal authentication:
-##
-## host_config:
-##   "public.example.org":
-##     auth_method:
-##       - internal
-##       - anonymous
-host_config:
-  "example.org":
-    auth_method:
-      - pam
-  "guest.example.org":
-    auth_method: anonymous
-    allow_multiple_connections: true
-    anonymous_protocol: both
-
-###   ==============
-###   DATABASE SETUP
-
-## ejabberd by default uses the internal Mnesia database,
-## so you do not necessarily need this section.
-## This section provides configuration examples in case
-## you want to use other database backends.
-## Please consult the ejabberd Guide for details on database creation.
-
-##
-## MySQL server:
-##
-## odbc_type: mysql
-## odbc_server: "server"
-## odbc_database: "database"
-## odbc_username: "username"
-## odbc_password: "password"
-##
-## If you want to specify the port:
-## odbc_port: 1234
-
-##
-## PostgreSQL server:
-##
-## odbc_type: pgsql
-## odbc_server: "server"
-## odbc_database: "database"
-## odbc_username: "username"
-## odbc_password: "password"
-##
-## If you want to specify the port:
-## odbc_port: 1234
-##
-## If you use PostgreSQL, have a large database, and need a
-## faster but inexact replacement for "select count(*) from users"
-##
-## pgsql_users_number_estimate: true
-
-##
-## ODBC compatible or MSSQL server:
-##
-## odbc_type: odbc
-## odbc_server: "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"
-
-##
-## Number of connections to open to the database for each virtual host
-##
-## odbc_pool_size: 10
-
-##
-## Interval to make a dummy SQL request to keep the connections to the
-## database alive. Specify in seconds: for example 28800 means 8 hours
-##
-## odbc_keepalive_interval: undefined
-
-###   ===============
-###   TRAFFIC SHAPERS
-
-shaper:
-  ##
-  ## The "normal" shaper limits traffic speed to 1000 B/s
-  ##
-  normal: 1000
-
-  ##
-  ## The "fast" shaper limits traffic speed to 50000 B/s
-  ##
-  fast: 50000
-
-##
-## This option specifies the maximum number of elements in the queue
-## of the FSM. Refer to the documentation for details.
-##
-max_fsm_queue: 1000
-
-###.   ====================
-###'   ACCESS CONTROL LISTS
-acl:
-  ##
-  ## The 'admin' ACL grants administrative privileges to XMPP accounts.
-  ## You can put here as many accounts as you want.
-  ##
-  admin:
-     user:
-         - "": "localhost"
-
-  ##
-  ## Blocked users
-  ##
-  ## blocked:
-  ##   user:
-  ##     - "baduser": "example.org"
-  ##     - "test"
-
-  ## Local users: don't modify this.
-  ##
-  local: 
-    user_regexp: ""
-
-  ##
-  ## More examples of ACLs
-  ##
-  ## jabberorg:
-  ##   server:
-  ##     - "jabber.org"
-  ## aleksey:
-  ##   user:
-  ##     - "aleksey": "jabber.ru"
-  ## test:
-  ##   user_regexp: "^test"
-  ##   user_glob: "test*"
-
-  ##
-  ## Loopback network
-  ##
-  loopback:
-    ip:
-      - "127.0.0.0/8"
-
-  ##
-  ## Bad XMPP servers
-  ##
-  ## bad_servers:
-  ##   server:
-  ##     - "xmpp.zombie.org"
-  ##     - "xmpp.spam.com"
-
-##
-## Define specific ACLs in a virtual host.
-##
-## host_config:
-##   "localhost":
-##     acl:
-##       admin:
-##         user:
-##           - "bob-local": "localhost"
-
-###   ============
-###   ACCESS RULES
-access:
-  ## Maximum number of simultaneous sessions allowed for a single user:
-  max_user_sessions: 
-    all: 10
-  ## Maximum number of offline messages that users can have:
-  max_user_offline_messages: 
-    admin: 5000
-    all: 100
-  ## This rule allows access only for local users:
-  local: 
-    local: allow
-  ## Only non-blocked users can use c2s connections:
-  c2s: 
-    blocked: deny
-    all: allow
-  ## For C2S connections, all users except admins use the "normal" shaper
-  c2s_shaper: 
-    admin: none
-    all: normal
-  ## All S2S connections use the "fast" shaper
-  s2s_shaper: 
-    all: fast
-  ## Only admins can send announcement messages:
-  announce: 
-    admin: allow
-  ## Only admins can use the configuration interface:
-  configure: 
-    admin: allow
-  ## Admins of this server are also admins of the MUC service:
-  muc_admin: 
-    admin: allow
-  ## Only accounts of the local ejabberd server can create rooms:
-  muc_create: 
-    local: allow
-  ## All users are allowed to use the MUC service:
-  muc: 
-    all: allow
-  ## Only accounts on the local ejabberd server can create Pubsub nodes:
-  pubsub_createnode: 
-    local: allow
-  ## In-band registration allows registration of any possible username.
-  ## To disable in-band registration, replace 'allow' with 'deny'.
-  register: 
-    all: deny
-  ## Only allow to register from localhost
-  trusted_network: 
-    loopback: allow
-  ## Do not establish S2S connections with bad servers
-  ## s2s: 
-  ##   bad_servers: deny
-  ##   all: allow
-
-## By default the frequency of account registrations from the same IP
-## is limited to 1 account every 10 minutes. To disable, specify: infinity
-## registration_timeout: 600
-  
-##
-## Define specific Access Rules in a virtual host.
-##
-## host_config:
-##   "localhost":
-##     access:
-##       c2s:
-##         admin: allow
-##         all: deny
-##       register:
-##         all: deny
-
-###   ================
-###   DEFAULT LANGUAGE
-
-##
-## language: Default language used for server messages.
-##
-language: "en"
-
-##
-## Set a different default language in a virtual host.
-##
-## host_config:
-##   "localhost":
-##     language: "ru"
-
-###   =======
-###   CAPTCHA
-
-##
-## Full path to a script that generates the image.
-##
-## captcha_cmd: "/lib/ejabberd/priv/bin/captcha.sh"
-
-##
-## Host for the URL and port where ejabberd listens for CAPTCHA requests.
-##
-## captcha_host: "example.org:5280"
-
-##
-## Limit CAPTCHA calls per minute for JID/IP to avoid DoS.
-##
-## captcha_limit: 5
-
-###   =======
-###   MODULES
-
-##
-## Modules enabled in all ejabberd virtual hosts.
-##
-modules: 
-  mod_adhoc: {}
-  mod_announce: # recommends mod_adhoc
-    access: announce
-  mod_blocking: {} # requires mod_privacy
-  mod_caps: {}
-  mod_carboncopy: {}
-  mod_configure: {} # requires mod_adhoc
-  mod_disco: {}
-  ## mod_echo: {}
-  mod_irc: {}
-  mod_http_bind: {}
-  ## mod_http_fileserver:
-  ##   docroot: "/var/www"
-  ##   accesslog: "/var/log/ejabberd/access.log"
-  mod_last: {}
-  mod_muc: 
-    host: "conference.example.org"
-    access: muc
-    access_create: muc_create
-    access_persistent: muc_create
-    access_admin: muc_admin
-  ## mod_muc_log: {}
-  mod_offline: 
-    access_max_user_messages: max_user_offline_messages
-  mod_ping: {}
-  ## mod_pres_counter:
-  ##   count: 5
-  ##   interval: 60
-  mod_privacy: {}
-  mod_private: {}
-  ## mod_proxy65: {}
-  mod_pubsub: 
-    access_createnode: pubsub_createnode
-    ## reduces resource comsumption, but XEP incompliant
-    ignore_pep_from_offline: true
-    ## XEP compliant, but increases resource comsumption
-    ## ignore_pep_from_offline: false
-    last_item_cache: false
-    plugins: 
-      - "flat"
-      - "hometree"
-      - "pep" # pep requires mod_caps
-  mod_register: 
-    ##
-    ## Protect In-Band account registrations with CAPTCHA.
-    ##
-    ## captcha_protected: true
-
-    ##
-    ## Set the minimum informational entropy for passwords.
-    ##
-    ## password_strength: 32
-
-    ##
-    ## After successful registration, the user receives
-    ## a message with this subject and body.
-    ##
-    welcome_message: 
-      subject: "Welcome!"
-      body: |-
-        Hi.
-        Welcome to this XMPP server.
-
-    ##
-    ## When a user registers, send a notification to
-    ## these XMPP accounts.
-    ##
-    ## registration_watchers:
-    ##   - "admin1@example.org"
-
-    ##
-    ## Only clients in the server machine can register accounts
-    ##
-    ip_access: trusted_network
-
-    ##
-    ## Local c2s or remote s2s users cannot register accounts
-    ##
-    access_from: deny
-
-    access: register
-  mod_roster: {}
-  mod_shared_roster: {}
-  mod_sip: {}
-  mod_stats: {}
-  mod_time: {}
-  mod_vcard: {}
-  mod_version: {}
-
-##
-## Enable modules with custom options in a specific virtual host
-##
-## append_host_config:
-##   "localhost":
-##     modules:
-##       mod_echo:
-##         host: "mirror.localhost"
-
-### Local Variables:
-### mode: yaml
-### End:
-### vim: set filetype=yaml tabstop=8
diff --git a/ejabberd/ejabberd.yml.diff b/ejabberd/ejabberd.yml.diff
index ac19670..b99c6c8 100644
--- a/ejabberd/ejabberd.yml.diff
+++ b/ejabberd/ejabberd.yml.diff
@@ -1,145 +1,46 @@
---- ejabberd.yml.orig	2014-11-21 13:06:14.000000000 +0100
-+++ ejabberd.yml	2016-02-27 18:34:12.000000000 +0100
-@@ -72,7 +72,8 @@
- ##   - "example.org"
- ##
- hosts:
--  - "localhost"
-+  - "example.org"
-+  - "guest.example.org"
+--- a/ejabberd.yml
++++ b/ejabberd.yml
+@@ -2,6 +2,8 @@
+ ###'              ejabberd configuration file
+ ###
+ ###
++include_config_file:
++  "/etc/local-COMMON/ejabberd/prepend.yml": []
  
- ##
- ## route_subdomains: Delegate subdomains to other XMPP servers.
-@@ -98,14 +99,14 @@
-     ## certificate, specify the full path to the
-     ## file and uncomment this line:
-     ##
--    certfile: "/etc/ejabberd/ejabberd.pem"
--    starttls: true
-+    certfile: "/etc/ejabberd/chat.example.org.pem"
-+    starttls_required: true
-     ##
-     ## Custom OpenSSL options
-     ##
-     protocol_options:
-       - "no_sslv3"
--    ##   - "no_tlsv1"
-+      - "no_tlsv1"
-     max_stanza_size: 65536
-     shaper: c2s_shaper
-     access: c2s
-@@ -148,29 +149,62 @@
-     module: ejabberd_http
-     ## request_handlers:
-     ##   "/pub/archive": mod_http_fileserver
+ ### The parameters used in this configuration file are explained in more detail
+ ### in the ejabberd Installation and Operation Guide.
+@@ -168,23 +170,11 @@
+   ##   port: 4560
+   ##   module: ejabberd_xmlrpc
+   ##   access_commands: {}
+-  - 
+-    port: 5280
+-    ip: "::"
+-    module: ejabberd_http
+-    request_handlers:
+-      "/websocket": ejabberd_http_ws
+-    ##  "/pub/archive": mod_http_fileserver
 -    web_admin: true
--    http_poll: true
-+    web_admin: false
-+    http_poll: false
-     http_bind: true
-     ## register: true
--    captcha: true
-+    captcha: false
-+
-+  -
-+    port: 3478
-+    transport: udp
-+    module: ejabberd_stun
-+  -
-+    port: 3478
-+    module: ejabberd_stun
-+  -
-+    port: 5349
-+    module: ejabberd_stun
-+    certfile: "/etc/ejabberd/chat.example.org.pem"
-+    tls: true
-+    turn_ip: "188.183.5.254"
-+    auth_type: user
-+    auth_realm: "EXAMPLE.ORG"
-+##  -
-+##    port: 5060
-+##    transport: udp
-+##    module: ejabberd_sip
-+##  -
-+##    port: 5060
-+##    module: ejabberd_sip
-+  -
-+    port: 5061
-+    module: ejabberd_sip
-+    certfile: "/etc/ejabberd/chat.example.org.pem"
-+    tls: true
- 
- ##
- ## s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
- ## Allowed values are: false optional required required_trusted
- ## You must specify a certificate file.
- ##
-+## s2s_use_starttls: optional
- s2s_use_starttls: optional
- 
- ##
- ## s2s_certfile: Specify a certificate file.
- ##
--s2s_certfile: "/etc/ejabberd/ejabberd.pem"
-+## s2s_certfile: "/path/to/ssl.pem"
-+s2s_certfile: "/etc/ejabberd/chat.example.org.pem"
+-    http_bind: true
+-    ## register: true
+-    ## captcha: true
+-    tls: true
+-    certfile: "/etc/ejabberd/ejabberd.pem"
  
- ## Custom OpenSSL options
- ##
-+## s2s_protocol_options:
-+##   - "no_sslv3"
-+##   - "no_tlsv1"
- s2s_protocol_options:
-   - "no_sslv3"
--##   - "no_tlsv1"
-+  - "no_tlsv1"
+ ## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
+ ## password storage (see auth_password_format option).
+-disable_sasl_mechanisms: "digest-md5"
++disable_sasl_mechanisms:
++  - "digest-md5"
  
- ##
- ## domain_certfile: Specify a different certificate for each served hostname.
-@@ -289,6 +323,14 @@
- ##     auth_method:
- ##       - internal
- ##       - anonymous
-+host_config:
-+  "example.org":
-+    auth_method:
-+      - pam
-+  "guest.example.org":
-+    auth_method: anonymous
-+    allow_multiple_connections: true
-+    anonymous_protocol: both
+ ###.  ==================
+ ###'  S2S GLOBAL OPTIONS
+@@ -685,6 +675,8 @@
  
- ###   ==============
- ###   DATABASE SETUP
-@@ -472,7 +514,7 @@
-   ## In-band registration allows registration of any possible username.
-   ## To disable in-band registration, replace 'allow' with 'deny'.
-   register: 
--    all: allow
-+    all: deny
-   ## Only allow to register from localhost
-   trusted_network: 
-     loopback: allow
-@@ -553,7 +595,7 @@
-   ##   accesslog: "/var/log/ejabberd/access.log"
-   mod_last: {}
-   mod_muc: 
--    ## host: "conference.@HOST@"
-+    host: "conference.example.org"
-     access: muc
-     access_create: muc_create
-     access_persistent: muc_create
-@@ -615,11 +657,12 @@
-     ##
-     ## Local c2s or remote s2s users cannot register accounts
-     ##
--    ## access_from: deny
-+    access_from: deny
+ allow_contrib_modules: true
  
-     access: register
-   mod_roster: {}
-   mod_shared_roster: {}
-+  mod_sip: {}
-   mod_stats: {}
-   mod_time: {}
-   mod_vcard: {}
++include_config_file:
++  "/etc/local-COMMON/ejabberd/append.yml": []
+ ###.
+ ###'
+ ### Local Variables:
diff --git a/ejabberd/mkdhparams.sh b/ejabberd/mkdhparams.sh
new file mode 100644
index 0000000..7623141
--- /dev/null
+++ b/ejabberd/mkdhparams.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -eu
+
+CONTEXT=${1:-ejabberd}
+
+openssl dhparam -out "/etc/ejabberd/$CONTEXT.dh.pem" 4096
diff --git a/ejabberd/prepend.yml b/ejabberd/prepend.yml
new file mode 100644
index 0000000..5659295
--- /dev/null
+++ b/ejabberd/prepend.yml
@@ -0,0 +1,11 @@
+# include (first-wins settings (e.g. macros)
+#
+# Include this file at start of main ejabberd config file:
+#  include_config_file:
+#    "/etc/local-REDPILL/ejabberd/prepend.yml": []
+
+include_config_file:
+  "/etc/local/ejabberd/defs.yml": []
+  "/etc/local-ORG/ejabberd/defs.yml": []
+  "/etc/local-REDPILL/ejabberd/defs.yml": []
+  "/etc/local-COMMON/ejabberd/defs.yml": []