Better match with latest developpement (#24)

A few things that needed to be fixed (errors that you can see with `prosodyctl check` on prod) + better match with `prosody.cfg.lua.dist` example from trunk

Co-authored-by: meaz <meaz@disroot.org>
Co-authored-by: muppeth <muppeth@disroot.org>
Reviewed-on: #24
Reviewed-by: muppeth <muppeth@no-reply@disroot.org>
This commit is contained in:
meaz 2022-09-06 19:37:21 +00:00
parent f0f9851a08
commit 848f5e474e
12 changed files with 114 additions and 72 deletions

2
Vagrantfile vendored
View file

@ -8,7 +8,7 @@
Vagrant.configure("2") do |config|
#config.ssh.insert_key = false
config.vm.define "prosody" do |prosody|
prosody.vm.box = "generic/debian10"
prosody.vm.box = "generic/debian11"
prosody.vm.provider :libvirt do |libvirt|
libvirt.memory = 256
end

View file

@ -1,8 +1,6 @@
## BOSH
prosody_bosh_enabled: 'true' # used in configure.yml
prosody_bosh_ports: '5281, 5280 '
prosody_bosh_max_inactivity: '60'
prosody_bosh_secure: 'true'
prosody_bosh_cross_domain: 'true'
prosody_ssl_key: '/path/to/key'
prosody_ssl_cert: '/path/to/cert'

View file

@ -2,10 +2,25 @@
prosody_http_file_share_enabled: 'true'
prosody_http_file_share_component: 'upload.example.org'
prosody_http_file_share_size_limit: "10*1024*1024"
prosody_http_file_share_daily_quota: "100*1024*1024 -- 100 MiB per day per user"
prosody_http_file_share_global_quota: "1024*1024*1024 -- 1 GiB total"
prosody_http_file_share_expires_after: "7 * 86400 -- 1 week"
prosody_http_file_share_allowed_file_types: "{} -- Access control"
prosody_http_file_share_safe_file_types: '{"image/*","video/*","audio/*","text/plain"} -- Safe to show in-line in e.g. browsers'
prosody_http_file_share_access: "{} -- Access control"
prosody_http_file_share_options:
- name: 'http_file_share_size_limit'
value: '10*1024*1024'
description: '10MB file upload limit'
- name: 'http_file_share_daily_quota'
value: '100*1024*1024'
description: '100 MiB per day per user'
- name: 'http_file_share_global_quota'
value: '1024*1024*1024'
description: '1 GiB total'
- name: 'http_file_share_expires_after'
value: '7 * 86400'
description: '1 week'
- name: 'http_file_share_allowed_file_types'
value: '{}'
description: 'Access control'
- name: 'http_file_share_safe_file_types'
value: '{"image/*","video/*","audio/*","text/plain"}'
description: 'Safe to show in-line in e.g. browsers'
- name: 'http_file_share_access'
value: '{}'
description: 'Access control'

View file

@ -8,13 +8,12 @@ prosody_contact_info: "'support@example.org'"
prosody_abuse_info: "'abuse@example.org'"
prosody_core_modules_path: "/usr/lib/prosody/modules/"
prosody_community_modules_path: "/usr/lib/prosody-modules"
prosody_custom_script_path: '/etc/prosody/custom_scripts'
prosody_installer_plugin_path: '/etc/prosody/custom_scripts'
prosody_statistics: ''
prosody_direct_tls_ports: 5223
prosody_c2s_direct_tls_ports: 5223
prosody_s2s_direct_tls_ports: 5269
firewall_module_enabled: 'true'
## Firewall: list here what you want to block
@ -42,6 +41,16 @@ prosody_storage: 'internal'
prosody_network_backend: "epoll"
prosody_http_host: "example.org"
prosody_http_external_url: "https://example.org"
prosody_http_interfaces: '*'
prosody_http_ports: '5281, 5280 '
prosody_http_paths:
- name: 'files'
path: '/files/'
- name: 'bosh'
path: '/http-bind'
- name: 'file_share'
path: '/upload'
prosody_archive_expires_after: '1w'
#If using sql storage
prosody_sql_driver: 'SQLite3' # postgresql sqlite3 or mysql

View file

@ -110,6 +110,10 @@ prosody_modules:
- name: 'admin_adhoc'
description: 'Allows administration via an XMPP client that supports ad-hoc commands'
module_enabled: 'true'
- name: 'admin_shell'
description: 'Allows administration via command shell'
module_enabled: 'true'
- name: 'bosh'
description: 'Enable BOSH clients'
@ -120,7 +124,6 @@ prosody_modules:
module_enabled: 'true'
extra_options:
- 'consider_websocket_secure = true'
- 'cross_domain_websocket = true'
- name: 'posix'
description: 'POSIX functionality, sends server to background, enables syslog, etc.'
@ -128,18 +131,7 @@ prosody_modules:
- name: 'limits'
description: 'Enable bandwidth limiting for XMPP connections.'
module_enabled: 'false'
extra_options:
- 'limits = {'
- 'c2s = {'
- 'rate = "10kb/s";'
- 'burst = "2s";'
- '};'
- 's2sin = {'
- 'rate = "30kb/s";'
- 'burst = "2s";'
- '};'
- '}'
module_enabled: 'true'
- name: 'groups'
description: 'Shared roster support.'
@ -181,7 +173,6 @@ prosody_modules:
module_enabled: 'true'
extra_options:
- 'max_archive_query_results = 50;'
- 'archive_expires_after = "6m"; -- six months'
- 'default_archive_policy = true; -- default'
- 'archive_cleanup_interval = 3600*24 -- how often it checks if there are messages older than archive_expires_after. In seconds.'
@ -239,20 +230,19 @@ prosody_modules:
- 'support = { "mailto:{{ prosody_contact_info }}", "xmpp:{{ prosody_contact_info }}" };'
- '};'
- name: 'turncredentials'
description: 'Setup turnserver for viop'
- name: 'turn_external'
description: 'Audio/video call relay (STUN/TURN)'
module_enabled: 'false'
extra_options:
- 'turncredentials_secret = mysecret'
- 'turncredentials_host = turn.example.com'
- 'turncredentials_port = 3478'
- 'turncredentials_ttl = 86400;'
- 'turn_external_host = mysecret'
- 'turn_external_host = turn.example.com'
- 'turn_external_port = 3478'
- name: 'firewall'
description: 'Can efficiently block, bounce, drop, forward, copy, redirect stanzas and more.'
module_enabled: '{{ firewall_module_enabled }}'
extra_options:
- 'firewall_scripts = { "{{ prosody_community_modules_path }}/mod_firewall/scripts/spam-blocking.pfw", "{{ prosody_custom_script_path }}/servers_blocklist.pfw", "{{ prosody_custom_script_path }}/users_blocklist.pfw", "{{ prosody_custom_script_path }}/invite_from_muc.pfw" }'
- 'firewall_scripts = { "{{ prosody_community_modules_path }}/mod_firewall/scripts/spam-blocking.pfw", "{{ prosody_installer_plugin_path }}/servers_blocklist.pfw", "{{ prosody_installer_plugin_path }}/users_blocklist.pfw", "{{ prosody_installer_plugin_path }}/invite_from_muc.pfw" }'
# spam-blocking.pfw is the default Prosody one, needed by the two following
- name: 'http_altconnect'

View file

@ -2,7 +2,7 @@
- name: '[Firewall] - Make sure that script directory exists'
file:
path: "{{ prosody_custom_script_path }}"
path: "{{ prosody_installer_plugin_path }}"
state: directory
owner: root
group: prosody
@ -11,7 +11,7 @@
- name: '[Firewall] - Deploy Firewall scripts'
template:
src: "etc/prosody/custom_scripts/{{ item }}.j2"
dest: "{{ prosody_custom_script_path }}/{{ item }}"
dest: "{{ prosody_installer_plugin_path }}/{{ item }}"
owner: root
group: prosody
mode: 0644
@ -24,7 +24,7 @@
- name: '[Firewall] - Deploy Firewall lists'
template:
src: "etc/prosody/custom_scripts/{{ item }}.j2"
dest: "{{ prosody_custom_script_path }}/{{ item }}"
dest: "{{ prosody_installer_plugin_path }}/{{ item }}"
owner: root
group: prosody
mode: 0644

View file

@ -1,10 +1,8 @@
-- {{ ansible_managed }}
--BOSH setting
bosh_ports = { {{ prosody_bosh_ports }} }
bosh_max_inactivity = {{ prosody_bosh_max_inactivity }}
consider_bosh_secure = {{ prosody_bosh_secure }} -- Use if proxying HTTPS->HTTP on the server side
cross_domain_bosh = {{ prosody_bosh_cross_domain }} -- Allow access from scripts on any site with no proxy (requires a modern browser)
ssl = {
key = "{{ prosody_ssl_key }}";

View file

@ -1,5 +1,10 @@
-- {{ ansible_managed }}
------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see https://prosody.im/doc/components
Component "{{ item.name }}"
component_secret = "{{ item.secret }}"

View file

@ -3,10 +3,6 @@
-- Component config for http_file_share
Component "{{ prosody_http_file_share_component }}" "http_file_share"
http_file_share_size_limit = {{ prosody_http_file_share_size_limit }}
http_file_share_daily_quota = {{ prosody_http_file_share_daily_quota }}
http_file_share_global_quota = {{ prosody_http_file_share_global_quota }}
http_file_share_expires_after = {{ prosody_http_file_share_expires_after }}
http_file_share_allowed_file_types = {{ prosody_http_file_share_allowed_file_types }}
http_file_share_safe_file_types = {{ prosody_http_file_share_safe_file_types }}
http_file_share_access = {{ prosody_http_file_share_access }}
{% for item in prosody_http_file_share_options %}
{{ item.name }} = {{ item.value }} -- {{ item.description }}
{% endfor %}

View file

@ -3,7 +3,7 @@
# rules will be checked against the blocklist.txt file
# Check mod_firewall/scripts/spam-blocking.pfw
%LIST blocklist: file:{{ prosody_custom_script_path }}/servers_blocklist.txt
%LIST blocklist: file:{{ prosody_installer_plugin_path }}/servers_blocklist.txt
::user/spam_handle_unknown_custom

View file

@ -3,7 +3,7 @@
# rules will be checked against the blocklist.txt file
# Check mod_firewall/scripts/spam-blocking.pfw
%LIST blocklist: file:{{ prosody_custom_script_path }}/users_blocklist.txt
%LIST blocklist: file:{{ prosody_installer_plugin_path }}/users_blocklist.txt
::user/spam_handle_unknown_custom

View file

@ -3,7 +3,7 @@
-- Prosody Example Configuration File
--
-- Information on configuring Prosody can be found on our
-- website at http://prosody.im/doc/configure
-- website at https://prosody.im/doc/configure
--
-- Tip: You can check that the syntax of this file is correct
-- when you have finished by running this command:
@ -21,7 +21,7 @@
-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see http://prosody.im/doc/creating_accounts for info)
-- (see https://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { {{ prosody_admins }} }
@ -35,24 +35,34 @@ contact_info = { {{ prosody_contact_info }} }
http_host = "{{ prosody_http_host }}"
http_external_url = "{{ prosody_http_external_url }}"
http_ports = "{{ prosody_http_ports }}"
http_interfaces = { "{{ prosody_http_interfaces }}" }
http_paths = {
{% for item in prosody_http_paths %}
{{ item.name }} = "{{ item.path }}";
{% endfor %}
}
-- See https://prosody.im/doc/configure
c2s_direct_tls_ports = { {{ prosody_c2s_direct_tls_ports }} }
s2s_direct_tls_ports = { {{ prosody_s2s_direct_tls_ports }} }
-- Enable use of libevent for better performance under high load
-- For more information see: http://prosody.im/doc/libevent
-- For more information see: https://prosody.im/doc/libevent
network_backend = "{{ prosody_network_backend }}"
-- Prosody will always look in its source directory for modules, but
-- this option allows you to specify additional locations where Prosody
-- will look for modules first. For community modules, see https://modules.prosody.im/
-- These paths are searched in the order specified, and before the default path
plugin_paths = { "{{ prosody_core_modules_path }}","{{ prosody_community_modules_path }}" }
-- Single directory for custom prosody plugins and/or Lua libraries installation
-- This path takes priority over plugin_paths, when prosody is searching for modules
installer_plugin_path = "{{ prosody_custom_script_path }}"
-- Prosody Plugin Installer
-- CHeck https://prosody.im/doc/plugin_installer
-- By default plugins are installed into a directory custom_plugins under the data path. It can be customized by setting
plugin_server = "https://modules.prosody.im/rocks/"
installer_plugin_path = "{{ prosody_installer_plugin_path }}"
-- This path MUST be readable by the user Prosody runs as, and should be writable for prosodyctl install to work.
-- The installer path does not need to be added to plugin_paths.
-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
modules_enabled = {
@ -61,7 +71,7 @@ modules_enabled = {
"{{ item.name }}"; -- {{ item.description }}
{% endif %}
{% endfor %}
};
}
-- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here:
@ -75,9 +85,22 @@ modules_disabled = {
};
-- Disable account creation by default, for security
-- For more information see http://prosody.im/doc/creating_accounts
-- For more information see https://prosody.im/doc/creating_accounts
allow_registration = {{ prosody_allow_registration }};
-- Rate limits
-- Enable rate limits for incoming client and server connections. These help
-- protect from excessive resource consumption and denial-of-service attacks.
limits = {
c2s = {
rate = "10kb/s";
};
s2sin = {
rate = "30kb/s";
};
}
-- Debian:
-- Please, don't change this option since /var/run/prosody/
-- is one of the few directories Prosody is allowed to write to
@ -89,6 +112,7 @@ pidfile = "/var/run/prosody/prosody.pid";
c2s_require_encryption = {{ prosody_c2s_encryption }}
-- See https://prosody.im/doc/modules/mod_c2s
c2s_stanza_size_limit = {{ prosody_c2s_stanza_size_limit }} -- 256 * 1024 -- 256kb
-- Force servers to use encrypted connections? This option will
@ -96,33 +120,35 @@ c2s_stanza_size_limit = {{ prosody_c2s_stanza_size_limit }} -- 256 * 1024 -- 256
s2s_require_encryption = {{ prosody_s2s_encryption }}
-- Force certificate authentication for server-to-server connections?
-- Server-to-server authentication
-- Require valid certificates for server-to-server connections?
-- If false, other methods such as dialback (DNS) may be used instead.
s2s_secure_auth = {{ prosody_s2s_auth }}
-- Some servers have invalid or self-signed certificates. You can list
-- remote domains here that will not be required to authenticate using
-- certificates. They will be authenticated using DNS instead, even
-- when s2s_secure_auth is enabled.
-- certificates. They will be authenticated using other methods instead,
-- even when s2s_secure_auth is enabled.
{% if prosody_insecure_domains is defined %}
s2s_insecure_domains = { "{{ prosody_insecure_domains }}" }
{% endif %}
-- Even if you leave s2s_secure_auth disabled, you can still require valid
-- Even if you disable s2s_secure_auth, you can still require valid
-- certificates for some domains by specifying a list here.
--s2s_secure_domains = { "{{ prosody_secure_domains }}" }
-- See https://prosody.im/doc/s2s
s2s_stanza_size_limit = {{ prosody_s2s_stanza_size_limit }} -- 512 * 1000 -- 512kb
-- Storage
-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See http://prosody.im/doc/storage for more info.
-- additional dependencies. See https://prosody.im/doc/storage for more info.
--storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the
-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work)
--storage = "sql" -- Default is "internal"
storage = "{{ prosody_storage }}"
{% if prosody_storage == 'sql' %}
@ -138,13 +164,21 @@ sql = { driver = "{{ prosody_sql_driver }}", database = "{{ prosody_sql_database
{% endif %}
{% endif %}
-- Archiving configuration
-- If mod_mam is enabled, Prosody will store a copy of every message. This
-- is used to synchronize conversations between multiple clients, even if
-- they are offline. This setting controls how long Prosody will keep
-- messages in the archive before removing them.
archive_expires_after = "{{ prosody_archive_expires_after }}" -- Remove archived messages after X weeks or months
-- You can also configure messages to be stored in-memory only. For more
-- archiving options, see https://prosody.im/doc/modules/mod_mam
-- Logging configuration
-- For advanced logging see http://prosody.im/doc/logging
-- For advanced logging see https://prosody.im/doc/logging
log = {
-- Log files (change 'info' to 'debug' for debug logs):
-- Log files:
{{ prosody_loglevel }} = "{{ prosody_log_path }}"; -- Change 'info' to 'debug' for verbose logging
error = "{{ prosody_err_log }}";
-- "*syslog"; -- Uncomment this for logging to syslog
@ -169,9 +203,6 @@ statistics = "{{ prosody_statistics }}"
-- Location of directory to find certificates in (relative to main config file):
certificates = "{{ prosody_certificates }}"
-- HTTPS currently only supports a single certificate, specify it here:
--https_certificate = "certs/localhost.crt"
{% if prosody_component_interface is defined %}
{% for item in prosody_component_interface %}
-- Prosody external component ports