update

6 files changed, 386 insertions, 50 deletions

diff --git a/terminaldweller.com/ejabberd/ejabberd.yml b/terminaldweller.com/ejabberd/ejabberd.yml
new file mode 100644
index 0000000..6257515
--- /dev/null
+++ b/terminaldweller.com/ejabberd/ejabberd.yml
@@ -0,0 +1,250 @@
+hosts:
+  - chat.terminaldweller.com
+
+loglevel: 4
+log_rotate_size: 10485760
+log_rotate_date: ''
+log_rotate_count: 1
+log_rate_limit: 100
+
+listen:
+  - port: 5222
+    ip: '::'
+    module: ejabberd_c2s
+    max_stanza_size: 262144
+    shaper: c2s_shaper
+    access: c2s
+    starttls_required: true
+  - port: 5269
+    ip: '::'
+    module: ejabberd_s2s_in
+    max_stanza_size: 524288
+  - port: 5443
+    ip: '::'
+    module: ejabberd_http
+    request_handlers:
+      '/admin': ejabberd_web_admin
+      '/api': mod_http_api
+      '/bosh': mod_bosh
+      '/captcha': ejabberd_captcha
+      '/upload': mod_http_upload
+      '/ws': ejabberd_http_ws
+      '/oauth': ejabberd_oauth
+  - port: 5080
+    ip: '::'
+    module: ejabberd_http
+    request_handlers:
+      '/admin': ejabberd_web_admin
+  - port: 1883
+    ip: '::'
+    module: mod_mqtt
+    backlog: 1000
+  - port: 3478
+    transport: udp
+    module: ejabberd_stun
+    use_turn: true
+    turn_min_port: 49152
+    turn_max_port: 65535
+    turn_ip: 0.0.0.0
+  - port: 5349
+    transport: tcp
+    module: ejabberd_stun
+    use_turn: true
+    tls: true
+    turn_min_port: 49152
+    turn_max_port: 65535
+    ip: 0.0.0.0
+    turn_ip: 0.0.0.0
+  - port: 5280
+    module: ejabberd_http
+    tls: false
+    request_handlers:
+      /.well-known/acme-challenge: ejabberd_acme
+
+s2s_use_starttls: optional
+
+acl:
+  local:
+    user_regexp: ''
+  loopback:
+    ip:
+      - 127.0.0.0/8
+      - ::1/128
+      - ::FFFF:127.0.0.1/128
+  admin:
+    user:
+      - 'admin@localhost'
+
+access_rules:
+  local:
+    allow: local
+  c2s:
+    deny: blocked
+    allow: all
+  announce:
+    allow: admin
+  configure:
+    allow: admin
+  muc_create:
+    allow: local
+  pubsub_createnode:
+    allow: local
+  trusted_network:
+    allow: loopback
+
+api_permissions:
+  'console commands':
+    from:
+      - ejabberd_ctl
+    who: all
+    what: '*'
+  'admin access':
+    who:
+      access:
+        allow:
+          acl: admin
+      oauth:
+        scope: 'ejabberd:admin'
+        access:
+          allow:
+            acl: admin
+    what:
+      - '*'
+      - '!stop'
+      - '!start'
+  'public commands':
+    who:
+      ip: 127.0.0.1/8
+    what:
+      - '*'
+      - connected_users_number
+  'web admin':
+    who:
+      - access:
+          - allow:
+              - acl: loopback
+              - acl: admin
+      - oauth:
+          - scope: 'sasl_auth'
+          - access:
+              - allow:
+                  - acl: loopback
+                  - acl: admin
+    what:
+      - '*'
+      - '!stop'
+      - '!start'
+
+shaper:
+  normal: 1000
+  fast: 50000
+
+shaper_rules:
+  max_user_sessions: 10000
+  max_user_offline_messages:
+    5000: admin
+    100: all
+  c2s_shaper:
+    none: admin
+    normal: all
+  s2s_shaper: fast
+
+max_fsm_queue: 10000
+
+acme:
+  contact: 'mailto:devi@terminaldweller.com'
+  ca_url: 'https://acme-v01.api.letsencrypt.org'
+
+oauth_expire: 31536000
+oauth_access: all
+
+modules:
+  mod_stun_disco:
+    credentials_lifetime: 12h
+    services:
+      - host: 0.0.0.0
+        port: 3478
+        type: stun
+        transport: udp
+        restricted: false
+      - host: 0.0.0.0
+        port: 3478
+        type: turn
+        transport: udp
+        restricted: true
+      - host: rtcdev.site
+        port: 5349
+        type: stun
+        transport: tcp
+        restricted: false
+      - host: rtcdev.site
+        port: 5349
+        type: turn
+        transport: tcp
+        restricted: true
+  mod_adhoc: {}
+  mod_admin_extra: {}
+  mod_announce:
+    access: announce
+  mod_avatar: {}
+  mod_blocking: {}
+  mod_bosh: {}
+  mod_caps: {}
+  mod_carboncopy: {}
+  mod_client_state: {}
+  mod_configure: {}
+  mod_disco: {}
+  mod_fail2ban: {}
+  mod_http_api: {}
+  mod_http_upload:
+    put_url: https://@HOST@:5443/upload
+  mod_last: {}
+  mod_mam:
+    db_type: sql
+    assume_mam_usage: true
+    default: never
+  mod_mqtt: {}
+  mod_muc:
+    access:
+      - allow
+    access_admin:
+      - allow: admin
+    access_create: muc_create
+    access_persistent: muc_create
+    access_mam:
+      - allow
+    default_room_options:
+      allow_subscription: true
+      mam: false
+  mod_muc_admin: {}
+  mod_offline:
+    access_max_user_messages: max_user_offline_messages
+  mod_ping: {}
+  mod_privacy: {}
+  mod_private: {}
+  mod_proxy65:
+    access: local
+    max_connections: 5
+  mod_pubsub:
+    access_createnode: pubsub_createnode
+    plugins:
+      - flat
+      - pep
+    force_node_config:
+      storage:bookmarks:
+        access_model: whitelist
+  mod_push: {}
+  mod_push_keepalive: {}
+  mod_register:
+    ip_access: trusted_network
+  mod_roster:
+    versioning: true
+  mod_sip: {}
+  mod_s2s_dialback: {}
+  mod_shared_roster: {}
+  mod_stream_mgmt:
+    resend_on_timeout: if_offline
+  mod_vcard: {}
+  mod_vcard_xupdate: {}
+  mod_version:
+    show_os: false
diff --git a/terminaldweller.com/haproxy/certbot/Dockerfile b/terminaldweller.com/haproxy/certbot/Dockerfile
new file mode 100644
index 0000000..b6fb68a
--- /dev/null
+++ b/terminaldweller.com/haproxy/certbot/Dockerfile
@@ -0,0 +1,2 @@
+FROM certbot/certbot
+COPY ./certbot-entrypoint.sh /certbot-entrypoint.sh
diff --git a/terminaldweller.com/haproxy/certbot/certbot-entrypoint.sh b/terminaldweller.com/haproxy/certbot/certbot-entrypoint.sh
new file mode 100755
index 0000000..2be858f
--- /dev/null
+++ b/terminaldweller.com/haproxy/certbot/certbot-entrypoint.sh
@@ -0,0 +1,30 @@
+#!/bin/sh
+set -ex
+
+cat_cert() {
+  dir="/etc/letsencrypt/live/$1"
+  cat "$dir/privkey.pem" "$dir/fullchain.pem" > "/certs/$1.pem"
+}
+
+while :;do
+  echo starting...
+  if [ -e /certs/$DOMAIN.pem ]; then
+      certbot \
+      certonly \
+      --test-cert \
+      --webroot -w /webroot \
+      -d $DOMAIN \
+      --email $EMAIL \
+      --non-interactive \
+      --agree-tos
+
+    cat_cert $DOMAIN
+  else
+    certbot renew -w /webroot
+
+    for dir in /etc/letsencrypt/live/*/; do
+      cat_cert $(basename "$dir")
+    done
+  fi
+  sleep 12h
+done
diff --git a/terminaldweller.com/haproxy/docker-compose.yaml b/terminaldweller.com/haproxy/docker-compose.yaml
index 95752c8..571fa7c 100644
--- a/terminaldweller.com/haproxy/docker-compose.yaml
+++ b/terminaldweller.com/haproxy/docker-compose.yaml
@@ -1,12 +1,43 @@
-version: "3.4"
+version: "3.4" 
 services:
   haproxy:
     image: haproxy
     ports:
       - "80:80"
+      - "443:443"
     volumes:
       - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
+      - ./certs:/usr/local/etc/certs:ro
     networks:
       - haproxynet
+    restart: unless-stopped
+  certbot:
+    image: certbot
+    build:
+      context: ./certbot
+    ports:
+      - "127.0.0.1:9080:80"
+      - "127.0.0.1:9443:443"
+    networks:
+      - haproxynet
+    # restart: unless-stopped
+    volumes:
+      - ./letsencrypt:/etc/letsencrypt
+      - ./webroot:/webroot
+      - ./certs:/certs
+    # command: ["certonly","--test-cert","--webroot","-w","/webroot","-d","chat.terminaldweller.com","--email","thabogre@gmail.com","--non-interactive","--agree-tos"]
+    entrypoint: ["/certbot-entrypoint.sh"]
+    environment:
+      - DOMAIN=chat.terminaldweller.com
+      - EMAIL=thabogre@gmail.com
+  nginx:
+    image: nginx
+    ports:
+      - "127.0.0.1:8080:80"
+    networks:
+      - haproxynet
+    restart: unless-stopped
+    volumes:
+      - ./webroot:/usr/share/nginx/html
 networks:
-  - haproxynet
+  haproxynet:
diff --git a/terminaldweller.com/haproxy/haproxy.cfg b/terminaldweller.com/haproxy/haproxy.cfg
index 19e7bac..f1c288e 100644
--- a/terminaldweller.com/haproxy/haproxy.cfg
+++ b/terminaldweller.com/haproxy/haproxy.cfg
@@ -1,60 +1,77 @@
 global
-log 127.0.0.1 local0
+  log 127.0.0.1 local0
+  ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
 
 defaults
-timeout connect 5000ms
-timeout client 50000ms
-timeout server 50000ms
-mode tcp
-option tcplog
-option dontlognull
+  timeout connect 5000ms
+  timeout client 50000ms
+  timeout server 50000ms
+  mode tcp
+  option tcplog
+  option dontlognull
+
+resolvers docker_resolver
+  nameserver dns 127.0.0.11:53
 
 #Frontends
 frontend front
-bind *:80
-bind: *.443
-mode tcp
-timeout client 60s
-
-#ACLs
-acl blog-host hdr_sub(host) -i blog.terminaldweller.com
-acl mail-host hdr_sub(host) -i mail.terminaldweller.com
-acl api-host hdr_sub(host) -i api.terminaldweller.com
-acl chat-host hdr_sub(host) -i chat.terminaldweller.com
-acl chat-host-s req.ssl_sni -i chat.terminaldweller.com
-
-#Consitions
-use_backend blog-backend if blog-host
-use_backend mail-backend if mail-host
-use_backend api-backend if api-host
-use_backend chat-backend-s if chat-host-s
-default_backend blog-backend
+  bind *:80
+  bind *:443
+  mode tcp
+  timeout client 60s
+  #ACLs
+  acl letsencrypt-acl path_beg /.well-known/acme-challenge/
+  acl blog-host hdr_sub(host) -i blog.terminaldweller.com
+  acl mail-host hdr_sub(host) -i mail.terminaldweller.com
+  acl mail-host-s req.ssl_sni -i mail.terminaldweller.com
+  acl api-host hdr_sub(host) -i api.terminaldweller.com
+  acl chat-host hdr_sub(host) -i chat.terminaldweller.com
+  acl chat-host-s req.ssl_sni -i chat.terminaldweller.com
+  #Consitions
+  use_backend certbot-backend if letsencrypt-acl
+  use_backend blog-backend if blog-host
+  use_backend mail-backend if mail-host
+  use_backend mail-backend-s if mail-host-s
+  use_backend api-backend if api-host
+  use_backend chat-backend-s if chat-host-s
+  default_backend blog-backend
 
 #Backends
+backend certbot-backend
+  server nginx nginx:80 resolvers docker_resolver check init-addr none
+
 backend blog-backend
-mode http
-option forwardfor
-server blog-host 192.99.102.52:9000 check
+  mode http
+  option forwardfor
+  server blog-host 192.99.102.52:9000 check
 
 backend mail-backend
-mode http
-option forwardfor
-server mail-host 185.126.202.69:80 check
+  mode http
+  option forwardfor
+  server mail-host 185.126.202.69:80 check
+
+backend mail-backend-s
+  timeout server 60s
+  timeout client 60s
+  mode tcp
+  option forwardfor
+  option ssl-hello-chk
+  server mail-host-s 185.126.202.69:443 check
 
 backend api-backend
-mode http
-option forwardfor
-server api-host 192.99.102.52:8008 check
+  mode http
+  option forwardfor
+  server api-host 192.99.102.52:8008 check
 
 backend chat-backend
-mode http
-option forwardfor
-server chat-host 87.236.209.206:5280 check
+  mode http
+  option forwardfor
+  server chat-host 87.236.209.206:5280 check
 
 backend chat-backend-s
-timeout server 60s
-timeout client 60s
-mode tcp
-option forwardfor
-option ssl-hello-chk
-server chat-host 87.236.209.206:5281 check
+  timeout server 60s
+  timeout client 60s
+  mode tcp
+  option forwardfor
+  option ssl-hello-chk
+  server chat-host-s 87.236.209.206:5280 check
diff --git a/terminaldweller.com/prosody/config/prosody.cfg.lua b/terminaldweller.com/prosody/config/prosody.cfg.lua
index 38fd2f0..d2c5e7d 100644
--- a/terminaldweller.com/prosody/config/prosody.cfg.lua
+++ b/terminaldweller.com/prosody/config/prosody.cfg.lua
@@ -21,7 +21,7 @@ daemonize = false;
 -- for the server. Note that you must create the accounts separately
 -- (see https://prosody.im/doc/creating_accounts for info)
 -- Example: admins = { "user1@example.com", "user2@example.net" }
-admins = { }
+admins = {"devi@chat.terminaldweller.com"}
 
 -- Enable use of libevent for better performance under high load
 -- For more information see: https://prosody.im/doc/libevent
@@ -58,7 +58,7 @@ modules_enabled = {
                 "uptime"; -- Report how long server has been running
                 "time"; -- Let others know the time here on this server
                 "ping"; -- Replies to XMPP pings with pongs
-                "register"; -- Allow users to register on this server using a client and change passwords
+                --"register"; -- Allow users to register on this server using a client and change passwords
                 --"mam"; -- Store messages in an archive and allow users to access it
                 --"csi_simple"; -- Simple Mobile optimizations
 
@@ -67,7 +67,7 @@ modules_enabled = {
                 --"admin_telnet"; -- Opens telnet console interface on localhost port 5582
 
         -- HTTP modules
-                --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+                "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
                 --"websocket"; -- XMPP over WebSockets
                 --"http_files"; -- Serve static files from a directory over HTTP
 
@@ -191,7 +191,12 @@ certificates = "certs"
 -- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
 -- Settings under each VirtualHost entry apply *only* to that host.
 
-VirtualHost "terminaldweller.com"
+VirtualHost "chat.terminaldweller.com"
+        enabled = true
+        ssl = {
+                key = "/etc/letsencrypt/live/chat.terminaldweller.com/privkey.pem";
+                certificate = "/etc/letsencrypt/live/chat.terminaldweller.com/fullchain.pem";
+                }
 
 --VirtualHost "example.com"
 --      certificate = "/path/to/example.crt"
@@ -202,7 +207,8 @@ VirtualHost "terminaldweller.com"
 -- For more information on components, see https://prosody.im/doc/components
 
 ---Set up a MUC (multi-user chat) room server on conference.example.com:
---Component "conference.example.com" "muc"
+Component "conference.chat.terminaldweller.com" "muc"
+        restrict_room_creationi = "admin"
 --- Store MUC messages in an archive and allow users to access it
 --modules_enabled = { "muc_mam" }