updates

author: terminaldweller <thabogre@gmail.com> 2022-07-11 15:52:42 +0000
committer: terminaldweller <thabogre@gmail.com> 2022-07-11 15:52:42 +0000
commit: 5e90dd671926af0bd30ad90c68a51f6a2fbd2490 (patch)
tree: 01bf38d628cc6e5d29882da5d7152c2259923f74
parent: updates (diff)
download: scripts-5e90dd671926af0bd30ad90c68a51f6a2fbd2490.tar.gz
scripts-5e90dd671926af0bd30ad90c68a51f6a2fbd2490.zip
4 files changed, 68 insertions, 25 deletions
diff --git a/.newsboat/urls b/.newsboat/urls
index fd81a24..dd06d10 100644
--- a/.newsboat/urls
+++ b/.newsboat/urls
@@ -4,6 +4,7 @@ https://www.cyberciti.biz/atom/atom.xml
 https://www.semicolonandsons.com/feed
 https://blog.terminaldweller.com/rss/feed
 https://suckless.org/atom.xml
+https://microservices.io/feed.xml
 
 # (Youtube)
 # Horror
diff --git a/terminaldweller.com/ejabberd/docker-compose.yaml b/terminaldweller.com/ejabberd/docker-compose.yaml
index 3e6de12..81c4c8d 100644
--- a/terminaldweller.com/ejabberd/docker-compose.yaml
+++ b/terminaldweller.com/ejabberd/docker-compose.yaml
@@ -5,25 +5,33 @@ services:
     networks:
       - ejabberdnet
     ports:
-      - "80:80"
+      #- "80:80"
       - "5222:5222"
-      - "127.0.0.1:5269:5269"
+      - "5223:5223"
+      #- "5269:5269"
       - "5280:5280"
       - "5443:5443"
-      - "1883:1883"
-      - "127.0.0.1:5080:5080"
+      #- "1883:1883"
+      #- "127.0.0.1:5080:5080"
     restart: unless-stopped
     volumes:
       - ./ejabberd.yml:/home/ejabberd/conf/ejabberd.yml
-      - ./acme:/var/lib/ejabberd/acme
-      - ./dh:/usr/local/etc/ejabberd
+      - /etc/letsencrypt/archive/chat.terminaldweller.com/:/opt/ejabberd/certs/
+      - ./dh:/usr/local/etc/ejabberd/dh
+      - ./acme:/usr/local/etc/self_signed/
       - confs_certs:/home/ejabberd/conf/
       - mnesia_db:/home/ejabberd/database/
+      - vault:/var/lib/ejabberd/
+    environment:
+      - XMPP_DOMAIN=chat.terminaldweller.com
+      - ERLANG_NODE=ejabberd
+    #entrypoint: ["tail", "-f", "/dev/null"]
 networks:
   ejabberdnet:
 volumes:
   confs_certs:
   mnesia_db:
+  vault:
 # openssl dhparam -out dhparams.pem 4096
-# certbot certonly --standlone -d chat.terminaldweller.com -e devi@terminaldweller.com --agree-tos --noninteractive --dry-run
+# certbot certonly --standlone -d chat.terminaldweller.com -e devi@terminaldweller.com --agree-tos --noninteractive
 # docker exec -it 6eebd16a2385 bin/ejabberdctl register admin chat.terminaldweller.com password
diff --git a/terminaldweller.com/ejabberd/ejabberd.yml b/terminaldweller.com/ejabberd/ejabberd.yml
index 90d0207..11e4c57 100644
--- a/terminaldweller.com/ejabberd/ejabberd.yml
+++ b/terminaldweller.com/ejabberd/ejabberd.yml
@@ -1,47 +1,68 @@
 hosts:
   - chat.terminaldweller.com
 
-loglevel: 4
+auth_method: internal 
+auth_password_format: scram # pragma: allowlist secret
+# anonymous_protocol: both
+allow_multiple_connections: true
+loglevel: 5
 log_rotate_size: 10485760
 log_rotate_count: 1
 
 define_macro:
- 'TLS_CIPHERS': "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+ 'TLS_CIPHERS': "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA"
  'TLS_OPTIONS':
-    - "no_sslv2, no_sslv3, no_tlsv1"
-    - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
+    - "no_sslv2"
+    - "no_sslv3"
+    - "no_tlsv1"
+    - "no_tlsv1_3"
+    - "cipher_server_preference"
+    - "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA"
     - "no_compression"
- 'DH_FILE': "/usr/local/etc/ejabberd/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 4096
+ 'DH_FILE': "/usr/local/etc/ejabberd/dh/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 4096
 
-c2s_dhfile: 'DH_FILE'
-s2s_dhfile: 'DH_FILE'
+#c2s_dhfile: 'DH_FILE'
+#s2s_dhfile: 'DH_FILE'
 c2s_ciphers: 'TLS_CIPHERS'
 s2s_ciphers: 'TLS_CIPHERS'
 c2s_protocol_options: 'TLS_OPTIONS'
 s2s_protocol_options: 'TLS_OPTIONS'
-#certfiles:
-#  - '/var/lib/ejabberd/acme/ejabberd.pem'
+certfiles:
+  - /usr/local/etc/self_signed/ej2.pem
+  #- '/opt/ejabberd/certs/ejabberd.pem'
+  #- '/var/lib/ejabberd/acme/fullchain1.pem'
+  #- '/var/lib/ejabberd/acme/chain1.pem'
+  #- '/var/lib/ejabberd/acme/cert1.pem'
+  #- '/var/lib/ejabberd/acme/privkey1.pem'
 
 listen:
   - port: 5222
-    ip: '::'
+    ip: '0.0.0.0'
     module: ejabberd_c2s
-    max_stanza_size: 262144
+    max_stanza_size: 65536
     shaper: c2s_shaper
     access: c2s
     starttls: true
     starttls_required: true
-    protocol_options: 'TLS_OPTIONS'
-    ciphers: 'TLS_CIPHERS'
-    dhfile: 'DH_FILE'
+    #protocol_options: 'TLS_OPTIONS'
+    #ciphers: 'TLS_CIPHERS'
+    #dhfile: 'DH_FILE'
     zlib: false
     tls_compression: false
+  - port: 5223
+    ip: '0.0.0.0'
+    module: ejabberd_c2s
+    max_stanza_size: 65536
+    shaper: c2s_shaper
+    access: c2s
+    tls: true
+    tls_compression: false
   - port: 5269
-    ip: '::'
+    ip: '0.0.0.0'
     module: ejabberd_s2s_in
     max_stanza_size: 524288
   - port: 5443
-    ip: '::'
+    ip: '0.0.0.0'
     module: ejabberd_http
     tls: true
     protocol_options: 'TLS_OPTIONS'
@@ -56,12 +77,12 @@ listen:
       '/ws': ejabberd_http_ws
       '/oauth': ejabberd_oauth
   - port: 5080
-    ip: '::'
+    ip: '0.0.0.0'
     module: ejabberd_http
     request_handlers:
       '/admin': ejabberd_web_admin
   - port: 1883
-    ip: '::'
+    ip: '0.0.0.0'
     module: mod_mqtt
     backlog: 1000
   - port: 3478
diff --git a/terminaldweller.com/haproxy/haproxy.cfg b/terminaldweller.com/haproxy/haproxy.cfg
index ddc8b82..b21026d 100644
--- a/terminaldweller.com/haproxy/haproxy.cfg
+++ b/terminaldweller.com/haproxy/haproxy.cfg
@@ -123,6 +123,15 @@ frontend jabbber5222
   mode http
   acl chat-host hdr_sub(host) -i chat.terminaldweller.com
   use_backend chat-backend-c2s if chat-host
+frontend jabber5223
+  bind *:5223
+  timeout client 60s
+  mode tcp
+  tcp-request inspect-delay 5s
+  tcp-request content accept if { req.ssl_hello_type 1 }
+  tcp-request content reject
+  acl chat-host-s req.ssl_sni -i chat.terminaldweller.com
+  use_backend chat-auth-backend-s if chat-host-s
 frontend jabber5280
   bind *:5280
   mode http
@@ -291,6 +300,10 @@ backend chat-backend-c2s
   mode http
   option forwardfor
   server chat-host 130.185.121.80:5222
+backend chat-auth-backend-s
+  mode tcp
+  option ssl-hello-chk
+  server chat-host 130.185.121.80:5223
 #backend chat-cert-backend
 #  mode http
 #  server chat-cert-server 130.185.121.80:8880
author	terminaldweller <thabogre@gmail.com>	2022-07-11 15:52:42 +0000
committer	terminaldweller <thabogre@gmail.com>	2022-07-11 15:52:42 +0000
commit	5e90dd671926af0bd30ad90c68a51f6a2fbd2490 (patch)
tree	01bf38d628cc6e5d29882da5d7152c2259923f74
parent	updates (diff)
download	scripts-5e90dd671926af0bd30ad90c68a51f6a2fbd2490.tar.gz scripts-5e90dd671926af0bd30ad90c68a51f6a2fbd2490.zip