Better match with latest developpement (#24)
A few things that needed to be fixed (errors that you can see with `prosodyctl check` on prod) + better match with `prosody.cfg.lua.dist` example from trunk Co-authored-by: meaz <meaz@disroot.org> Co-authored-by: muppeth <muppeth@disroot.org> Reviewed-on: #24 Reviewed-by: muppeth <muppeth@no-reply@disroot.org>
This commit is contained in:
parent
f0f9851a08
commit
848f5e474e
12 changed files with 114 additions and 72 deletions
2
Vagrantfile
vendored
2
Vagrantfile
vendored
|
@ -8,7 +8,7 @@
|
|||
Vagrant.configure("2") do |config|
|
||||
#config.ssh.insert_key = false
|
||||
config.vm.define "prosody" do |prosody|
|
||||
prosody.vm.box = "generic/debian10"
|
||||
prosody.vm.box = "generic/debian11"
|
||||
prosody.vm.provider :libvirt do |libvirt|
|
||||
libvirt.memory = 256
|
||||
end
|
||||
|
|
|
@ -1,8 +1,6 @@
|
|||
## BOSH
|
||||
prosody_bosh_enabled: 'true' # used in configure.yml
|
||||
prosody_bosh_ports: '5281, 5280 '
|
||||
prosody_bosh_max_inactivity: '60'
|
||||
prosody_bosh_secure: 'true'
|
||||
prosody_bosh_cross_domain: 'true'
|
||||
prosody_ssl_key: '/path/to/key'
|
||||
prosody_ssl_cert: '/path/to/cert'
|
||||
|
|
|
@ -2,10 +2,25 @@
|
|||
prosody_http_file_share_enabled: 'true'
|
||||
|
||||
prosody_http_file_share_component: 'upload.example.org'
|
||||
prosody_http_file_share_size_limit: "10*1024*1024"
|
||||
prosody_http_file_share_daily_quota: "100*1024*1024 -- 100 MiB per day per user"
|
||||
prosody_http_file_share_global_quota: "1024*1024*1024 -- 1 GiB total"
|
||||
prosody_http_file_share_expires_after: "7 * 86400 -- 1 week"
|
||||
prosody_http_file_share_allowed_file_types: "{} -- Access control"
|
||||
prosody_http_file_share_safe_file_types: '{"image/*","video/*","audio/*","text/plain"} -- Safe to show in-line in e.g. browsers'
|
||||
prosody_http_file_share_access: "{} -- Access control"
|
||||
prosody_http_file_share_options:
|
||||
- name: 'http_file_share_size_limit'
|
||||
value: '10*1024*1024'
|
||||
description: '10MB file upload limit'
|
||||
- name: 'http_file_share_daily_quota'
|
||||
value: '100*1024*1024'
|
||||
description: '100 MiB per day per user'
|
||||
- name: 'http_file_share_global_quota'
|
||||
value: '1024*1024*1024'
|
||||
description: '1 GiB total'
|
||||
- name: 'http_file_share_expires_after'
|
||||
value: '7 * 86400'
|
||||
description: '1 week'
|
||||
- name: 'http_file_share_allowed_file_types'
|
||||
value: '{}'
|
||||
description: 'Access control'
|
||||
- name: 'http_file_share_safe_file_types'
|
||||
value: '{"image/*","video/*","audio/*","text/plain"}'
|
||||
description: 'Safe to show in-line in e.g. browsers'
|
||||
- name: 'http_file_share_access'
|
||||
value: '{}'
|
||||
description: 'Access control'
|
||||
|
|
|
@ -8,13 +8,12 @@ prosody_contact_info: "'support@example.org'"
|
|||
prosody_abuse_info: "'abuse@example.org'"
|
||||
prosody_core_modules_path: "/usr/lib/prosody/modules/"
|
||||
prosody_community_modules_path: "/usr/lib/prosody-modules"
|
||||
prosody_custom_script_path: '/etc/prosody/custom_scripts'
|
||||
prosody_installer_plugin_path: '/etc/prosody/custom_scripts'
|
||||
prosody_statistics: ''
|
||||
prosody_direct_tls_ports: 5223
|
||||
prosody_c2s_direct_tls_ports: 5223
|
||||
prosody_s2s_direct_tls_ports: 5269
|
||||
|
||||
|
||||
firewall_module_enabled: 'true'
|
||||
|
||||
## Firewall: list here what you want to block
|
||||
|
@ -42,6 +41,16 @@ prosody_storage: 'internal'
|
|||
prosody_network_backend: "epoll"
|
||||
prosody_http_host: "example.org"
|
||||
prosody_http_external_url: "https://example.org"
|
||||
prosody_http_interfaces: '*'
|
||||
prosody_http_ports: '5281, 5280 '
|
||||
prosody_http_paths:
|
||||
- name: 'files'
|
||||
path: '/files/'
|
||||
- name: 'bosh'
|
||||
path: '/http-bind'
|
||||
- name: 'file_share'
|
||||
path: '/upload'
|
||||
prosody_archive_expires_after: '1w'
|
||||
|
||||
#If using sql storage
|
||||
prosody_sql_driver: 'SQLite3' # postgresql sqlite3 or mysql
|
||||
|
|
|
@ -110,6 +110,10 @@ prosody_modules:
|
|||
- name: 'admin_adhoc'
|
||||
description: 'Allows administration via an XMPP client that supports ad-hoc commands'
|
||||
module_enabled: 'true'
|
||||
|
||||
- name: 'admin_shell'
|
||||
description: 'Allows administration via command shell'
|
||||
module_enabled: 'true'
|
||||
|
||||
- name: 'bosh'
|
||||
description: 'Enable BOSH clients'
|
||||
|
@ -120,7 +124,6 @@ prosody_modules:
|
|||
module_enabled: 'true'
|
||||
extra_options:
|
||||
- 'consider_websocket_secure = true'
|
||||
- 'cross_domain_websocket = true'
|
||||
|
||||
- name: 'posix'
|
||||
description: 'POSIX functionality, sends server to background, enables syslog, etc.'
|
||||
|
@ -128,18 +131,7 @@ prosody_modules:
|
|||
|
||||
- name: 'limits'
|
||||
description: 'Enable bandwidth limiting for XMPP connections.'
|
||||
module_enabled: 'false'
|
||||
extra_options:
|
||||
- 'limits = {'
|
||||
- 'c2s = {'
|
||||
- 'rate = "10kb/s";'
|
||||
- 'burst = "2s";'
|
||||
- '};'
|
||||
- 's2sin = {'
|
||||
- 'rate = "30kb/s";'
|
||||
- 'burst = "2s";'
|
||||
- '};'
|
||||
- '}'
|
||||
module_enabled: 'true'
|
||||
|
||||
- name: 'groups'
|
||||
description: 'Shared roster support.'
|
||||
|
@ -181,7 +173,6 @@ prosody_modules:
|
|||
module_enabled: 'true'
|
||||
extra_options:
|
||||
- 'max_archive_query_results = 50;'
|
||||
- 'archive_expires_after = "6m"; -- six months'
|
||||
- 'default_archive_policy = true; -- default'
|
||||
- 'archive_cleanup_interval = 3600*24 -- how often it checks if there are messages older than archive_expires_after. In seconds.'
|
||||
|
||||
|
@ -239,20 +230,19 @@ prosody_modules:
|
|||
- 'support = { "mailto:{{ prosody_contact_info }}", "xmpp:{{ prosody_contact_info }}" };'
|
||||
- '};'
|
||||
|
||||
- name: 'turncredentials'
|
||||
description: 'Setup turnserver for viop'
|
||||
- name: 'turn_external'
|
||||
description: 'Audio/video call relay (STUN/TURN)'
|
||||
module_enabled: 'false'
|
||||
extra_options:
|
||||
- 'turncredentials_secret = mysecret'
|
||||
- 'turncredentials_host = turn.example.com'
|
||||
- 'turncredentials_port = 3478'
|
||||
- 'turncredentials_ttl = 86400;'
|
||||
- 'turn_external_host = mysecret'
|
||||
- 'turn_external_host = turn.example.com'
|
||||
- 'turn_external_port = 3478'
|
||||
|
||||
- name: 'firewall'
|
||||
description: 'Can efficiently block, bounce, drop, forward, copy, redirect stanzas and more.'
|
||||
module_enabled: '{{ firewall_module_enabled }}'
|
||||
extra_options:
|
||||
- 'firewall_scripts = { "{{ prosody_community_modules_path }}/mod_firewall/scripts/spam-blocking.pfw", "{{ prosody_custom_script_path }}/servers_blocklist.pfw", "{{ prosody_custom_script_path }}/users_blocklist.pfw", "{{ prosody_custom_script_path }}/invite_from_muc.pfw" }'
|
||||
- 'firewall_scripts = { "{{ prosody_community_modules_path }}/mod_firewall/scripts/spam-blocking.pfw", "{{ prosody_installer_plugin_path }}/servers_blocklist.pfw", "{{ prosody_installer_plugin_path }}/users_blocklist.pfw", "{{ prosody_installer_plugin_path }}/invite_from_muc.pfw" }'
|
||||
# spam-blocking.pfw is the default Prosody one, needed by the two following
|
||||
|
||||
- name: 'http_altconnect'
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
- name: '[Firewall] - Make sure that script directory exists'
|
||||
file:
|
||||
path: "{{ prosody_custom_script_path }}"
|
||||
path: "{{ prosody_installer_plugin_path }}"
|
||||
state: directory
|
||||
owner: root
|
||||
group: prosody
|
||||
|
@ -11,7 +11,7 @@
|
|||
- name: '[Firewall] - Deploy Firewall scripts'
|
||||
template:
|
||||
src: "etc/prosody/custom_scripts/{{ item }}.j2"
|
||||
dest: "{{ prosody_custom_script_path }}/{{ item }}"
|
||||
dest: "{{ prosody_installer_plugin_path }}/{{ item }}"
|
||||
owner: root
|
||||
group: prosody
|
||||
mode: 0644
|
||||
|
@ -24,7 +24,7 @@
|
|||
- name: '[Firewall] - Deploy Firewall lists'
|
||||
template:
|
||||
src: "etc/prosody/custom_scripts/{{ item }}.j2"
|
||||
dest: "{{ prosody_custom_script_path }}/{{ item }}"
|
||||
dest: "{{ prosody_installer_plugin_path }}/{{ item }}"
|
||||
owner: root
|
||||
group: prosody
|
||||
mode: 0644
|
||||
|
|
|
@ -1,10 +1,8 @@
|
|||
-- {{ ansible_managed }}
|
||||
|
||||
--BOSH setting
|
||||
bosh_ports = { {{ prosody_bosh_ports }} }
|
||||
bosh_max_inactivity = {{ prosody_bosh_max_inactivity }}
|
||||
consider_bosh_secure = {{ prosody_bosh_secure }} -- Use if proxying HTTPS->HTTP on the server side
|
||||
cross_domain_bosh = {{ prosody_bosh_cross_domain }} -- Allow access from scripts on any site with no proxy (requires a modern browser)
|
||||
|
||||
ssl = {
|
||||
key = "{{ prosody_ssl_key }}";
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
-- {{ ansible_managed }}
|
||||
|
||||
------ Components ------
|
||||
-- You can specify components to add hosts that provide special services,
|
||||
-- like multi-user conferences, and transports.
|
||||
-- For more information on components, see https://prosody.im/doc/components
|
||||
|
||||
Component "{{ item.name }}"
|
||||
component_secret = "{{ item.secret }}"
|
||||
|
||||
|
|
|
@ -3,10 +3,6 @@
|
|||
-- Component config for http_file_share
|
||||
Component "{{ prosody_http_file_share_component }}" "http_file_share"
|
||||
|
||||
http_file_share_size_limit = {{ prosody_http_file_share_size_limit }}
|
||||
http_file_share_daily_quota = {{ prosody_http_file_share_daily_quota }}
|
||||
http_file_share_global_quota = {{ prosody_http_file_share_global_quota }}
|
||||
http_file_share_expires_after = {{ prosody_http_file_share_expires_after }}
|
||||
http_file_share_allowed_file_types = {{ prosody_http_file_share_allowed_file_types }}
|
||||
http_file_share_safe_file_types = {{ prosody_http_file_share_safe_file_types }}
|
||||
http_file_share_access = {{ prosody_http_file_share_access }}
|
||||
{% for item in prosody_http_file_share_options %}
|
||||
{{ item.name }} = {{ item.value }} -- {{ item.description }}
|
||||
{% endfor %}
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
# rules will be checked against the blocklist.txt file
|
||||
# Check mod_firewall/scripts/spam-blocking.pfw
|
||||
|
||||
%LIST blocklist: file:{{ prosody_custom_script_path }}/servers_blocklist.txt
|
||||
%LIST blocklist: file:{{ prosody_installer_plugin_path }}/servers_blocklist.txt
|
||||
|
||||
::user/spam_handle_unknown_custom
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
# rules will be checked against the blocklist.txt file
|
||||
# Check mod_firewall/scripts/spam-blocking.pfw
|
||||
|
||||
%LIST blocklist: file:{{ prosody_custom_script_path }}/users_blocklist.txt
|
||||
%LIST blocklist: file:{{ prosody_installer_plugin_path }}/users_blocklist.txt
|
||||
|
||||
::user/spam_handle_unknown_custom
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
-- Prosody Example Configuration File
|
||||
--
|
||||
-- Information on configuring Prosody can be found on our
|
||||
-- website at http://prosody.im/doc/configure
|
||||
-- website at https://prosody.im/doc/configure
|
||||
--
|
||||
-- Tip: You can check that the syntax of this file is correct
|
||||
-- when you have finished by running this command:
|
||||
|
@ -21,7 +21,7 @@
|
|||
|
||||
-- This is a (by default, empty) list of accounts that are admins
|
||||
-- for the server. Note that you must create the accounts separately
|
||||
-- (see http://prosody.im/doc/creating_accounts for info)
|
||||
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||
admins = { {{ prosody_admins }} }
|
||||
|
||||
|
@ -35,24 +35,34 @@ contact_info = { {{ prosody_contact_info }} }
|
|||
|
||||
http_host = "{{ prosody_http_host }}"
|
||||
http_external_url = "{{ prosody_http_external_url }}"
|
||||
http_ports = "{{ prosody_http_ports }}"
|
||||
http_interfaces = { "{{ prosody_http_interfaces }}" }
|
||||
http_paths = {
|
||||
{% for item in prosody_http_paths %}
|
||||
{{ item.name }} = "{{ item.path }}";
|
||||
{% endfor %}
|
||||
}
|
||||
|
||||
-- See https://prosody.im/doc/configure
|
||||
c2s_direct_tls_ports = { {{ prosody_c2s_direct_tls_ports }} }
|
||||
s2s_direct_tls_ports = { {{ prosody_s2s_direct_tls_ports }} }
|
||||
|
||||
-- Enable use of libevent for better performance under high load
|
||||
-- For more information see: http://prosody.im/doc/libevent
|
||||
-- For more information see: https://prosody.im/doc/libevent
|
||||
network_backend = "{{ prosody_network_backend }}"
|
||||
|
||||
-- Prosody will always look in its source directory for modules, but
|
||||
-- this option allows you to specify additional locations where Prosody
|
||||
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||
-- These paths are searched in the order specified, and before the default path
|
||||
plugin_paths = { "{{ prosody_core_modules_path }}","{{ prosody_community_modules_path }}" }
|
||||
|
||||
-- Single directory for custom prosody plugins and/or Lua libraries installation
|
||||
-- This path takes priority over plugin_paths, when prosody is searching for modules
|
||||
installer_plugin_path = "{{ prosody_custom_script_path }}"
|
||||
-- Prosody Plugin Installer
|
||||
-- CHeck https://prosody.im/doc/plugin_installer
|
||||
-- By default plugins are installed into a directory custom_plugins under the data path. It can be customized by setting
|
||||
plugin_server = "https://modules.prosody.im/rocks/"
|
||||
installer_plugin_path = "{{ prosody_installer_plugin_path }}"
|
||||
-- This path MUST be readable by the user Prosody runs as, and should be writable for prosodyctl install to work.
|
||||
-- The installer path does not need to be added to plugin_paths.
|
||||
|
||||
-- This is the list of modules Prosody will load on startup.
|
||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||
modules_enabled = {
|
||||
|
||||
|
@ -61,7 +71,7 @@ modules_enabled = {
|
|||
"{{ item.name }}"; -- {{ item.description }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
};
|
||||
}
|
||||
|
||||
-- These modules are auto-loaded, but should you want
|
||||
-- to disable them then uncomment them here:
|
||||
|
@ -75,9 +85,22 @@ modules_disabled = {
|
|||
};
|
||||
|
||||
-- Disable account creation by default, for security
|
||||
-- For more information see http://prosody.im/doc/creating_accounts
|
||||
-- For more information see https://prosody.im/doc/creating_accounts
|
||||
allow_registration = {{ prosody_allow_registration }};
|
||||
|
||||
-- Rate limits
|
||||
-- Enable rate limits for incoming client and server connections. These help
|
||||
-- protect from excessive resource consumption and denial-of-service attacks.
|
||||
|
||||
limits = {
|
||||
c2s = {
|
||||
rate = "10kb/s";
|
||||
};
|
||||
s2sin = {
|
||||
rate = "30kb/s";
|
||||
};
|
||||
}
|
||||
|
||||
-- Debian:
|
||||
-- Please, don't change this option since /var/run/prosody/
|
||||
-- is one of the few directories Prosody is allowed to write to
|
||||
|
@ -89,6 +112,7 @@ pidfile = "/var/run/prosody/prosody.pid";
|
|||
|
||||
c2s_require_encryption = {{ prosody_c2s_encryption }}
|
||||
|
||||
-- See https://prosody.im/doc/modules/mod_c2s
|
||||
c2s_stanza_size_limit = {{ prosody_c2s_stanza_size_limit }} -- 256 * 1024 -- 256kb
|
||||
|
||||
-- Force servers to use encrypted connections? This option will
|
||||
|
@ -96,33 +120,35 @@ c2s_stanza_size_limit = {{ prosody_c2s_stanza_size_limit }} -- 256 * 1024 -- 256
|
|||
|
||||
s2s_require_encryption = {{ prosody_s2s_encryption }}
|
||||
|
||||
-- Force certificate authentication for server-to-server connections?
|
||||
-- Server-to-server authentication
|
||||
-- Require valid certificates for server-to-server connections?
|
||||
-- If false, other methods such as dialback (DNS) may be used instead.
|
||||
|
||||
s2s_secure_auth = {{ prosody_s2s_auth }}
|
||||
|
||||
-- Some servers have invalid or self-signed certificates. You can list
|
||||
-- remote domains here that will not be required to authenticate using
|
||||
-- certificates. They will be authenticated using DNS instead, even
|
||||
-- when s2s_secure_auth is enabled.
|
||||
-- certificates. They will be authenticated using other methods instead,
|
||||
-- even when s2s_secure_auth is enabled.
|
||||
{% if prosody_insecure_domains is defined %}
|
||||
s2s_insecure_domains = { "{{ prosody_insecure_domains }}" }
|
||||
{% endif %}
|
||||
|
||||
-- Even if you leave s2s_secure_auth disabled, you can still require valid
|
||||
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||
-- certificates for some domains by specifying a list here.
|
||||
|
||||
--s2s_secure_domains = { "{{ prosody_secure_domains }}" }
|
||||
|
||||
-- See https://prosody.im/doc/s2s
|
||||
s2s_stanza_size_limit = {{ prosody_s2s_stanza_size_limit }} -- 512 * 1000 -- 512kb
|
||||
|
||||
|
||||
-- Storage
|
||||
-- Select the storage backend to use. By default Prosody uses flat files
|
||||
-- in its configured data directory, but it also supports more backends
|
||||
-- through modules. An "sql" backend is included by default, but requires
|
||||
-- additional dependencies. See http://prosody.im/doc/storage for more info.
|
||||
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||
|
||||
--storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the
|
||||
-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work)
|
||||
--storage = "sql" -- Default is "internal"
|
||||
|
||||
storage = "{{ prosody_storage }}"
|
||||
{% if prosody_storage == 'sql' %}
|
||||
|
@ -138,13 +164,21 @@ sql = { driver = "{{ prosody_sql_driver }}", database = "{{ prosody_sql_database
|
|||
{% endif %}
|
||||
{% endif %}
|
||||
|
||||
-- Archiving configuration
|
||||
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||
-- is used to synchronize conversations between multiple clients, even if
|
||||
-- they are offline. This setting controls how long Prosody will keep
|
||||
-- messages in the archive before removing them.
|
||||
|
||||
archive_expires_after = "{{ prosody_archive_expires_after }}" -- Remove archived messages after X weeks or months
|
||||
|
||||
-- You can also configure messages to be stored in-memory only. For more
|
||||
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||
|
||||
-- Logging configuration
|
||||
-- For advanced logging see http://prosody.im/doc/logging
|
||||
-- For advanced logging see https://prosody.im/doc/logging
|
||||
log = {
|
||||
-- Log files (change 'info' to 'debug' for debug logs):
|
||||
-- Log files:
|
||||
{{ prosody_loglevel }} = "{{ prosody_log_path }}"; -- Change 'info' to 'debug' for verbose logging
|
||||
error = "{{ prosody_err_log }}";
|
||||
-- "*syslog"; -- Uncomment this for logging to syslog
|
||||
|
@ -169,9 +203,6 @@ statistics = "{{ prosody_statistics }}"
|
|||
-- Location of directory to find certificates in (relative to main config file):
|
||||
certificates = "{{ prosody_certificates }}"
|
||||
|
||||
-- HTTPS currently only supports a single certificate, specify it here:
|
||||
--https_certificate = "certs/localhost.crt"
|
||||
|
||||
{% if prosody_component_interface is defined %}
|
||||
{% for item in prosody_component_interface %}
|
||||
-- Prosody external component ports
|
||||
|
|
Loading…
Reference in a new issue