hosts: - jabber.terminaldweller.com auth_method: internal auth_password_format: scram # pragma: allowlist secret # anonymous_protocol: both allow_multiple_connections: true loglevel: 5 log_rotate_size: 10485760 log_rotate_count: 1 define_macro: 'TLS_CIPHERS': "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA" 'TLS_OPTIONS': - "no_sslv2" - "no_sslv3" - "no_tlsv1" - "no_tlsv1_1" - "cipher_server_preference" - "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA" - "no_compression" 'DH_FILE': "/usr/local/etc/ejabberd/dh/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 4096 c2s_dhfile: 'DH_FILE' s2s_dhfile: 'DH_FILE' c2s_ciphers: 'TLS_CIPHERS' s2s_ciphers: 'TLS_CIPHERS' c2s_protocol_options: 'TLS_OPTIONS' s2s_protocol_options: 'TLS_OPTIONS' certfiles: # - /usr/local/etc/self_signed/ej2.pem - /opt/ejabberd/certs/ejabberd.pem # cat privkey1.pem fullchain1.pem > ejabberd.pem #- '/var/lib/ejabberd/acme/fullchain1.pem' #- '/var/lib/ejabberd/acme/chain1.pem' #- '/var/lib/ejabberd/acme/cert1.pem' #- '/var/lib/ejabberd/acme/privkey1.pem' listen: - port: 5222 ip: '0.0.0.0' module: ejabberd_c2s max_stanza_size: 65536 shaper: c2s_shaper access: c2s starttls: true starttls_required: true #protocol_options: 'TLS_OPTIONS' #ciphers: 'TLS_CIPHERS' #dhfile: 'DH_FILE' zlib: false tls_compression: false - port: 5223 ip: '0.0.0.0' module: ejabberd_c2s max_stanza_size: 65536 shaper: c2s_shaper access: c2s tls: true tls_compression: false - port: 5269 ip: '0.0.0.0' module: ejabberd_s2s_in max_stanza_size: 524288 - port: 5443 ip: '0.0.0.0' module: ejabberd_http tls: true protocol_options: 'TLS_OPTIONS' ciphers: 'TLS_CIPHERS' dhfile: 'DH_FILE' request_handlers: '/admin': ejabberd_web_admin '/api': mod_http_api '/bosh': mod_bosh '/captcha': ejabberd_captcha '/upload': mod_http_upload '/ws': ejabberd_http_ws '/oauth': ejabberd_oauth - port: 5080 ip: '0.0.0.0' module: ejabberd_http request_handlers: '/admin': ejabberd_web_admin - port: 1883 ip: '0.0.0.0' module: mod_mqtt backlog: 1000 - port: 3478 transport: udp module: ejabberd_stun use_turn: true turn_min_port: 49152 turn_max_port: 65535 turn_ipv4_address: 0.0.0.0 - port: 5349 transport: tcp module: ejabberd_stun use_turn: true tls: true turn_min_port: 49152 turn_max_port: 65535 ip: 0.0.0.0 turn_ipv4_address: 0.0.0.0 - port: 80 module: ejabberd_http tls: false request_handlers: /.well-known/acme-challenge: ejabberd_acme s2s_use_starttls: optional acl: local: user_regexp: '' loopback: ip: - 127.0.0.0/8 - ::1/128 - ::FFFF:127.0.0.1/128 admin: user: - 'admin@jabber.terminaldweller.com' access_rules: local: allow: local c2s: deny: blocked allow: all announce: allow: admin configure: allow: admin muc_create: allow: local pubsub_createnode: allow: local trusted_network: allow: loopback api_permissions: 'console commands': from: - ejabberd_ctl who: all what: '*' 'admin access': who: access: allow: acl: admin oauth: scope: 'ejabberd:admin' access: allow: acl: admin what: - '*' - '!stop' - '!start' 'public commands': who: ip: 127.0.0.1/8 what: - '*' - connected_users_number 'web admin': who: - access: - allow: - acl: loopback - acl: admin - oauth: - scope: 'sasl_auth' - access: - allow: - acl: loopback - acl: admin what: - '*' - '!stop' - '!start' shaper: normal: 1000 fast: 50000 shaper_rules: max_user_sessions: 10000 max_user_offline_messages: 5000: admin 100: all c2s_shaper: none: admin normal: all s2s_shaper: fast max_fsm_queue: 10000 acme: # for auto ACME requests, we need this to be true auto: false contact: - mailto:devi@terminaldweller.com ca_url: https://acme-v02.api.letsencrypt.org/directory oauth_expire: 31536000 oauth_access: all modules: mod_stun_disco: credentials_lifetime: 12h services: - host: 0.0.0.0 port: 3478 type: stun transport: udp restricted: false - host: 0.0.0.0 port: 3478 type: turn transport: udp restricted: true - host: rtcdev.site port: 5349 type: stun transport: tcp restricted: false - host: rtcdev.site port: 5349 type: turn transport: tcp restricted: true mod_adhoc: {} mod_admin_extra: {} mod_announce: access: announce mod_avatar: {} mod_blocking: {} mod_bosh: {} mod_caps: {} mod_carboncopy: {} mod_client_state: {} mod_configure: {} mod_disco: {} mod_fail2ban: {} mod_http_api: {} mod_http_upload: put_url: https://@HOST@:5443/upload mod_last: {} mod_mam: db_type: sql assume_mam_usage: true default: never mod_mqtt: {} mod_muc: access: - allow access_admin: - allow: admin access_create: muc_create access_persistent: muc_create access_mam: - allow default_room_options: allow_subscription: true mam: false mod_muc_admin: {} mod_offline: access_max_user_messages: max_user_offline_messages mod_ping: {} mod_privacy: {} mod_private: {} mod_proxy65: access: local max_connections: 5 mod_pubsub: access_createnode: pubsub_createnode plugins: - flat - pep force_node_config: storage:bookmarks: access_model: whitelist mod_push: {} mod_push_keepalive: {} mod_register: ip_access: trusted_network mod_roster: versioning: true mod_sip: {} mod_s2s_dialback: {} mod_shared_roster: {} mod_stream_mgmt: resend_on_timeout: if_offline mod_vcard: {} mod_vcard_xupdate: {} mod_version: show_os: false