Location: majic-ansible-roles/roles/xmpp_server/templates/prosody.cfg.lua.j2

branko
MAR-192: Added support for Debian 12 Bookworm to xmpp_server role:

- Some of the tests are still failing, namely the ones centered around
the sendxmpp tool (which seems completely broken at this point in
Debian 12 Bookworm)
-- List of server administrators, one entry per item of the Ansible
-- variable xmpp_administrators (each item is rendered as a quoted string).
admins = { {% for admin in xmpp_administrators %}"{{ admin }}", {% endfor %} }

-- List of modules to load on startup. Every entry widens the server's
-- exposed functionality, so additions should be reviewed deliberately.
modules_enabled = {

  -- Generally required
    "roster"; -- Allow users to have a roster. Recommended ;)
    "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
    "tls"; -- Add support for secure TLS on c2s/s2s connections
    "dialback"; -- s2s dialback support
    "disco"; -- Service discovery
    "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.

  -- Not essential, but recommended
    "private"; -- Private XML storage (for room bookmarks, etc.)
    "blocklist"; -- Allow users to block communications with other users
    "vcard"; -- Allow users to set vCards
    "carbons"; -- Keep multiple clients in sync

  -- Nice to have
    "version"; -- Replies to server version requests
    "uptime"; -- Report how long server has been running
    "time"; -- Let others know the time here on this server
    "ping"; -- Replies to XMPP pings with pongs
    "pep"; -- Enables users to publish their mood, activity, playing music and more
    "register"; -- Allow users to register on this server using a client and change passwords
                -- (self-registration is switched off below via allow_registration = false;
                -- the module presumably stays loaded for the password-change part)
    "mam"; -- Store messages in an archive and allow users to access it

  -- Admin interfaces
    "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands

  -- Other specific functionality
    "announce"; -- Send announcement to all online users
    "legacyauth"; -- Allow legacy authentication and SSL (XEP-0078 non-SASL login, which can
                  -- carry the password in the clear inside the XMPP stream; tolerable only
                  -- because c2s_require_encryption = true below forces TLS first)
};

-- Disable account creation by default, for security: accounts come from
-- LDAP (see the authentication settings below), so in-band registration
-- must not create local ones.
-- For more information see http://prosody.im/doc/creating_accounts
allow_registration = false;

-- Set global settings for SSL/TLS. The private key and DH parameters live
-- under /etc/ssl/private, the certificate under /etc/ssl/certs; all three
-- file names are derived from ansible_fqdn. The same dhparam file is
-- referenced again in the direct-TLS context further below.
ssl = {
  key = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.key";
  certificate = "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem";
  dhparam = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.dh.pem";
}

-- Configure TLS protocol and ciphers for client-to-server
-- connections (STARTTLS). Both values are taken verbatim from the role
-- variables xmpp_server_tls_protocol / xmpp_server_tls_ciphers, which are
-- therefore the single place to tighten the accepted protocol versions
-- and cipher suites.
c2s_ssl = {
  protocol = "{{ xmpp_server_tls_protocol }}";
  ciphers = "{{ xmpp_server_tls_ciphers }}";
}

-- Configure TLS protocol and ciphers for client-to-server
-- connections (direct TLS). The bullseye branch keeps the older
-- legacy_ssl_* option name; every other release gets c2s_direct_tls_*.
-- Both branches use the same role variables as the STARTTLS context
-- above, so the two listeners cannot drift apart.
{% if ansible_distribution_release == "bullseye" %}
legacy_ssl_ssl = {
  protocol = "{{ xmpp_server_tls_protocol }}";
  ciphers = "{{ xmpp_server_tls_ciphers }}";
}
{% else %}
c2s_direct_tls_ssl = {
  protocol = "{{ xmpp_server_tls_protocol }}";
  ciphers = "{{ xmpp_server_tls_ciphers }}";
  -- @WORKAROUND: No DHE ciphers because dhparam is getting reset
  --
  --    There is a bug in Prosody 0.12.3 resulting in dhparam value
  --    from global config getting ignored when domain SNI
  --    context is initialised on TCP port 5223. Define the parameter
  --    within this configuration context as well to fix the issue.
  dhparam = "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.dh.pem";
}
{% endif %}

-- Ports on which to have direct TLS/SSL. The option name has to match the
-- SSL context selected above (legacy_ssl_* on bullseye, c2s_direct_tls_*
-- elsewhere); 5223 is the port the dhparam workaround above refers to.
{% if ansible_distribution_release == "bullseye" %}
legacy_ssl_ports = { 5223 }
{% else %}
c2s_direct_tls_ports = { 5223 }
{% endif %}

-- Force clients to use encrypted connection. This is what keeps the
-- legacyauth module above from exposing credentials on plain TCP.
c2s_require_encryption = true

-- Disable certificate validation for server-to-server connections.
-- NOTE(review): with this set to false, remote servers whose certificate
-- cannot be verified are still accepted (falling back to dialback), so
-- federation traffic is encrypted where the peer offers TLS but the peer's
-- identity is not authenticated by its certificate. Keep this in mind when
-- deciding which remote domains may federate with this deployment.
s2s_secure_auth = false

-- Path to Prosody's PID file (written by the posix module enabled above).
pidfile = "/run/prosody/prosody.pid"

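-- Authentication backend: user accounts are looked up in LDAP rather than
-- stored locally.
authentication = "ldap"
-- LDAP server to query; ldap_tls = true below requests TLS for this
-- connection so the bind password and lookups are not sent in the clear.
ldap_server = "{{ xmpp_ldap_server }}"
-- Bind DN and password of the service account Prosody uses. The password
-- is rendered into this file in clear text, so the generated file must
-- stay readable only by the Prosody user.
ldap_rootdn = "cn=prosody,ou=services,{{ xmpp_ldap_base_dn }}"
ldap_password = "{{ xmpp_ldap_password }}"
-- Only entries whose mail attribute equals the JID and that are members of
-- the xmpp group may log in; $user and $host are filled in per login attempt.
-- (Jinja expression spacing normalised to match the other lookups.)
ldap_filter = "(&(mail=$user@$host)(memberOf=cn=xmpp,ou=groups,{{ xmpp_ldap_base_dn }}))"
-- Search only the direct children of ldap_base.
ldap_scope = "onelevel"
ldap_tls = true
ldap_base = "ou=people,{{ xmpp_ldap_base_dn }}"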

-- Message Archives (mod_mam) configuration. The retention period is passed
-- through verbatim from xmpp_server_archive_expiration; it must be a value
-- Prosody accepts for this option (TODO confirm the format against the
-- role defaults).
archive_expires_after = "{{ xmpp_server_archive_expiration }}"

-- Storage backend: Prosody's built-in file-based storage, which also holds
-- the message archive above.
storage = "internal"

-- Logging configuration: info-level messages to prosody.log, errors to
-- prosody.err, and everything additionally to syslog (the syslog sink is
-- provided by the posix module enabled above).
log = {
  info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for verbose logging
  error = "/var/log/prosody/prosody.err";
  "*syslog";
}

-- Domains which should be handled by Prosody, with dedicated MUC and file
-- proxying components. Prosody scopes the settings that follow a
-- VirtualHost/Component line to that host, so the indented options below
-- apply to the component declared just above them (Lua itself ignores
-- the indentation). restrict_room_creation = "local" limits room creation
-- to users of this server, and proxy65_acl limits the file-transfer proxy
-- to the domain it belongs to. The '-%}' tags trim the newline after each
-- Jinja tag so the rendered file stays compact.
{% for domain in xmpp_domains -%}
VirtualHost "{{ domain }}"
Component "conference.{{ domain }}" "muc"
  restrict_room_creation = "local"
Component "proxy.{{ domain }}" "proxy65"
  proxy65_acl = { "{{ domain }}" }
{% endfor -%}