🔧 prosody: Rework configuration for prosody v0.11
The previous configuration was copied over from helium.n39.eu for prosody v0.9 and did only work more or less by accident. The new configuration was done based on the upstream example configuration. Some modules we used for 0.9 were replaced, some are not necessary anymore, some modules are new for 0.11. The list was reviewed carefully on a test host, and proved to work for several months there. The VirtualHost 'localhost' is kept, but moved from a separate configuration file to the main configuration, because it's only one line and it's part of the example config anyways.
This commit is contained in:
parent
2c0d00bc28
commit
bd8500bf3a
3 changed files with 90 additions and 114 deletions
|
@ -1,5 +0,0 @@
|
||||||
-- Section for localhost
|
|
||||||
|
|
||||||
-- This allows clients to connect to localhost. No harm in it.
|
|
||||||
VirtualHost "localhost"
|
|
||||||
|
|
|
@ -131,18 +131,6 @@
|
||||||
dest: "{{ prosody_data_dir }}/etc/prosody/prosody.cfg.lua"
|
dest: "{{ prosody_data_dir }}/etc/prosody/prosody.cfg.lua"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
|
|
||||||
- name: Ensure prosody localhost config file is in place
|
|
||||||
ansible.builtin.copy:
|
|
||||||
src: "files/prosody/localhost.cfg.lua"
|
|
||||||
dest: "{{ prosody_data_dir }}/etc/prosody/conf.avail/localhost.cfg.lua"
|
|
||||||
mode: 0644
|
|
||||||
|
|
||||||
- name: Ensure prosody localhost config symlink exists
|
|
||||||
ansible.builtin.file:
|
|
||||||
src: "../conf.avail/localhost.cfg.lua"
|
|
||||||
dest: "{{ prosody_data_dir }}/etc/prosody/conf.d/localhost.cfg.lua"
|
|
||||||
state: link
|
|
||||||
|
|
||||||
- name: "Ensure prosody config file is in place: {{ prosody_domain_name }}"
|
- name: "Ensure prosody config file is in place: {{ prosody_domain_name }}"
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
src: "files/prosody/{{ prosody_domain_name }}.cfg.lua"
|
src: "files/prosody/{{ prosody_domain_name }}.cfg.lua"
|
||||||
|
|
|
@ -1,15 +1,18 @@
|
||||||
-- Prosody Example Configuration File
|
-- When running in Docker do not daemonize (for nice shutdown, logging etc.)
|
||||||
|
daemonize = false;
|
||||||
|
|
||||||
|
-- Prosody XMPP Server Configuration
|
||||||
--
|
--
|
||||||
-- Information on configuring Prosody can be found on our
|
-- Information on configuring Prosody can be found on our
|
||||||
-- website at http://prosody.im/doc/configure
|
-- website at https://prosody.im/doc/configure
|
||||||
--
|
--
|
||||||
-- Tip: You can check that the syntax of this file is correct
|
-- Tip: You can check that the syntax of this file is correct
|
||||||
-- when you have finished by running: luac -p prosody.cfg.lua
|
-- when you have finished by running this command:
|
||||||
|
-- prosodyctl check config
|
||||||
-- If there are any errors, it will let you know what and where
|
-- If there are any errors, it will let you know what and where
|
||||||
-- they are, otherwise it will keep quiet.
|
-- they are, otherwise it will keep quiet.
|
||||||
--
|
--
|
||||||
-- The only thing left to do is rename this file to remove the .dist ending, and fill in the
|
-- Good luck, and happy Jabbering!
|
||||||
-- blanks. Good luck, and happy Jabbering!
|
|
||||||
|
|
||||||
|
|
||||||
---------- Server-wide settings ----------
|
---------- Server-wide settings ----------
|
||||||
|
@ -18,17 +21,22 @@
|
||||||
|
|
||||||
-- This is a (by default, empty) list of accounts that are admins
|
-- This is a (by default, empty) list of accounts that are admins
|
||||||
-- for the server. Note that you must create the accounts separately
|
-- for the server. Note that you must create the accounts separately
|
||||||
-- (see http://prosody.im/doc/creating_accounts for info)
|
-- (see https://prosody.im/doc/creating_accounts for info)
|
||||||
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
-- Example: admins = { "user1@example.com", "user2@example.net" }
|
||||||
admins = { "alex@{{ prosody_domain_name }}", "tux@{{ prosody_domain_name }}" }
|
admins = { "alex@{{ prosody_domain_name }}", "tux@{{ prosody_domain_name }}" }
|
||||||
|
|
||||||
-- Enable use of libevent for better performance under high load
|
-- Enable use of libevent for better performance under high load
|
||||||
-- For more information see: http://prosody.im/doc/libevent
|
-- For more information see: https://prosody.im/doc/libevent
|
||||||
use_libevent = true;
|
use_libevent = true
|
||||||
|
|
||||||
|
-- Prosody will always look in its source directory for modules, but
|
||||||
|
-- this option allows you to specify additional locations where Prosody
|
||||||
|
-- will look for modules first. For community modules, see https://modules.prosody.im/
|
||||||
|
plugin_paths = { "/usr/local/lib/prosody-modules" }
|
||||||
|
|
||||||
-- This is the list of modules Prosody will load on startup.
|
-- This is the list of modules Prosody will load on startup.
|
||||||
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
|
||||||
-- Documentation on modules can be found at: http://prosody.im/doc/modules
|
-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
|
||||||
modules_enabled = {
|
modules_enabled = {
|
||||||
|
|
||||||
-- Generally required
|
-- Generally required
|
||||||
|
@ -39,20 +47,21 @@ modules_enabled = {
|
||||||
"disco"; -- Service discovery
|
"disco"; -- Service discovery
|
||||||
|
|
||||||
-- Not essential, but recommended
|
-- Not essential, but recommended
|
||||||
|
"carbons"; -- Keep multiple clients in sync
|
||||||
|
"pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
|
||||||
"private"; -- Private XML storage (for room bookmarks, etc.)
|
"private"; -- Private XML storage (for room bookmarks, etc.)
|
||||||
"vcard"; -- Allow users to set vCards
|
"blocklist"; -- Allow users to block communications with other users
|
||||||
|
"vcard4"; -- User profiles (stored in PEP)
|
||||||
-- These are commented by default as they have a performance impact
|
"vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
|
||||||
"privacy"; -- Support privacy lists
|
|
||||||
"compression"; -- Stream compression (Debian: requires lua-zlib module to work)
|
|
||||||
|
|
||||||
-- Nice to have
|
-- Nice to have
|
||||||
"version"; -- Replies to server version requests
|
"version"; -- Replies to server version requests
|
||||||
"uptime"; -- Report how long server has been running
|
"uptime"; -- Report how long server has been running
|
||||||
"time"; -- Let others know the time here on this server
|
"time"; -- Let others know the time here on this server
|
||||||
"ping"; -- Replies to XMPP pings with pongs
|
"ping"; -- Replies to XMPP pings with pongs
|
||||||
"pep"; -- Enables users to publish their mood, activity, playing music and more
|
|
||||||
"register"; -- Allow users to register on this server using a client and change passwords
|
"register"; -- Allow users to register on this server using a client and change passwords
|
||||||
|
--"mam"; -- Store messages in an archive and allow users to access it
|
||||||
|
--"csi_simple"; -- Simple Mobile optimizations
|
||||||
|
|
||||||
-- Admin interfaces
|
-- Admin interfaces
|
||||||
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
|
||||||
|
@ -60,28 +69,26 @@ modules_enabled = {
|
||||||
|
|
||||||
-- HTTP modules
|
-- HTTP modules
|
||||||
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
|
||||||
|
--"websocket"; -- XMPP over WebSockets
|
||||||
--"http_files"; -- Serve static files from a directory over HTTP
|
--"http_files"; -- Serve static files from a directory over HTTP
|
||||||
|
|
||||||
-- Other specific functionality
|
-- Other specific functionality
|
||||||
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
--"limits"; -- Enable bandwidth limiting for XMPP connections
|
||||||
--"groups"; -- Shared roster support
|
--"groups"; -- Shared roster support
|
||||||
|
--"server_contact_info"; -- Publish contact information for this service
|
||||||
"announce"; -- Send announcement to all online users
|
"announce"; -- Send announcement to all online users
|
||||||
--"welcome"; -- Welcome users who register accounts
|
--"welcome"; -- Welcome users who register accounts
|
||||||
"watchregistrations"; -- Alert admins of registrations
|
"watchregistrations"; -- Alert admins of registrations
|
||||||
--"motd"; -- Send a message to users when they log in
|
--"motd"; -- Send a message to users when they log in
|
||||||
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
|
||||||
|
--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
|
||||||
|
|
||||||
-- alex
|
-- alex
|
||||||
"smacks"; -- XEP-0198: Stream Management
|
"smacks"; -- XEP-0198: Stream Management
|
||||||
"carbons"; -- XEP-0280: Message Carbons
|
"csi"; -- XEP-0352: Client State Indication
|
||||||
|
"csi_battery_saver";
|
||||||
"csi"; -- XEP-0352: Client State Indication
|
|
||||||
"csi_compat";
|
|
||||||
"throttle_presence";
|
|
||||||
--"filter_chatstates"; -- triggers https://prosody.im/issues/issue/648 pre 0.9.11
|
|
||||||
"graceful_shutdown";
|
"graceful_shutdown";
|
||||||
"blocking"; -- XEP-0191: Simple Communications Blocking
|
}
|
||||||
};
|
|
||||||
|
|
||||||
-- These modules are auto-loaded, but should you want
|
-- These modules are auto-loaded, but should you want
|
||||||
-- to disable them then uncomment them here:
|
-- to disable them then uncomment them here:
|
||||||
|
@ -89,132 +96,118 @@ modules_disabled = {
|
||||||
-- "offline"; -- Store offline messages
|
-- "offline"; -- Store offline messages
|
||||||
-- "c2s"; -- Handle client connections
|
-- "c2s"; -- Handle client connections
|
||||||
-- "s2s"; -- Handle server-to-server connections
|
-- "s2s"; -- Handle server-to-server connections
|
||||||
};
|
-- "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
|
||||||
|
}
|
||||||
|
|
||||||
-- Disable account creation by default, for security
|
-- Disable account creation by default, for security
|
||||||
-- For more information see http://prosody.im/doc/creating_accounts
|
-- For more information see https://prosody.im/doc/creating_accounts
|
||||||
allow_registration = false;
|
allow_registration = false
|
||||||
registration_blacklist = { "127.0.0.1" };
|
|
||||||
min_seconds_between_registrations = 3600; -- Clients must wait 1 hour before they can register another account
|
|
||||||
|
|
||||||
-- Debian:
|
|
||||||
-- send the server to background.
|
|
||||||
--
|
|
||||||
daemonize = true;
|
|
||||||
|
|
||||||
-- Debian:
|
|
||||||
-- Please, don't change this option since /var/run/prosody/
|
|
||||||
-- is one of the few directories Prosody is allowed to write to
|
|
||||||
--
|
|
||||||
pidfile = "/var/run/prosody/prosody.pid";
|
|
||||||
|
|
||||||
-- These are the SSL/TLS-related settings. If you don't want
|
|
||||||
-- to use SSL/TLS, you may comment or remove this
|
|
||||||
ssl = {
|
|
||||||
key = "/etc/prosody/certs/localhost.key";
|
|
||||||
certificate = "/etc/prosody/certs/localhost.crt";
|
|
||||||
dhparam = "/etc/prosody/certs/dh-2048.pem";
|
|
||||||
-- TODO for post 0.10 see http://prosody.im/doc/advanced_ssl_config again
|
|
||||||
options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
|
|
||||||
}
|
|
||||||
|
|
||||||
-- Force clients to use encrypted connections? This option will
|
-- Force clients to use encrypted connections? This option will
|
||||||
-- prevent clients from authenticating unless they are using encryption.
|
-- prevent clients from authenticating unless they are using encryption.
|
||||||
|
|
||||||
c2s_require_encryption = true
|
c2s_require_encryption = true
|
||||||
|
|
||||||
|
-- Force servers to use encrypted connections? This option will
|
||||||
|
-- prevent servers from authenticating unless they are using encryption.
|
||||||
|
|
||||||
|
s2s_require_encryption = true
|
||||||
|
|
||||||
-- Force certificate authentication for server-to-server connections?
|
-- Force certificate authentication for server-to-server connections?
|
||||||
-- This provides ideal security, but requires servers you communicate
|
|
||||||
-- with to support encryption AND present valid, trusted certificates.
|
|
||||||
-- NOTE: Your version of LuaSec must support certificate verification!
|
|
||||||
-- For more information see http://prosody.im/doc/s2s#security
|
|
||||||
|
|
||||||
s2s_secure_auth = false
|
s2s_secure_auth = false
|
||||||
|
|
||||||
-- Many servers don't support encryption or have invalid or self-signed
|
-- Some servers have invalid or self-signed certificates. You can list
|
||||||
-- certificates. You can list domains here that will not be required to
|
-- remote domains here that will not be required to authenticate using
|
||||||
-- authenticate using certificates. They will be authenticated using DNS.
|
-- certificates. They will be authenticated using DNS instead, even
|
||||||
|
-- when s2s_secure_auth is enabled.
|
||||||
|
|
||||||
--s2s_insecure_domains = { "gmail.com" }
|
--s2s_insecure_domains = { "insecure.example" }
|
||||||
|
|
||||||
-- Even if you leave s2s_secure_auth disabled, you can still require valid
|
-- Even if you disable s2s_secure_auth, you can still require valid
|
||||||
-- certificates for some domains by specifying a list here.
|
-- certificates for some domains by specifying a list here.
|
||||||
|
|
||||||
--s2s_secure_domains = { "jabber.org" }
|
--s2s_secure_domains = { "jabber.org" }
|
||||||
|
|
||||||
|
-- Required for init scripts and prosodyctl
|
||||||
|
pidfile = "/var/run/prosody/prosody.pid"
|
||||||
|
|
||||||
-- Select the authentication backend to use. The 'internal' providers
|
-- Select the authentication backend to use. The 'internal' providers
|
||||||
-- use Prosody's configured data storage to store the authentication data.
|
-- use Prosody's configured data storage to store the authentication data.
|
||||||
-- To allow Prosody to offer secure authentication mechanisms to clients, the
|
|
||||||
-- default provider stores passwords in plaintext. If you do not trust your
|
|
||||||
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
|
|
||||||
-- for information about using the hashed backend.
|
|
||||||
|
|
||||||
authentication = "internal_hashed"
|
authentication = "internal_hashed"
|
||||||
|
|
||||||
-- Select the storage backend to use. By default Prosody uses flat files
|
-- Select the storage backend to use. By default Prosody uses flat files
|
||||||
-- in its configured data directory, but it also supports more backends
|
-- in its configured data directory, but it also supports more backends
|
||||||
-- through modules. An "sql" backend is included by default, but requires
|
-- through modules. An "sql" backend is included by default, but requires
|
||||||
-- additional dependencies. See http://prosody.im/doc/storage for more info.
|
-- additional dependencies. See https://prosody.im/doc/storage for more info.
|
||||||
|
|
||||||
storage = "sql" -- Default is "internal" (Debian: "sql" requires one of the
|
storage = "sql" -- Default is "internal"
|
||||||
-- lua-dbi-sqlite3, lua-dbi-mysql or lua-dbi-postgresql packages to work)
|
|
||||||
|
|
||||||
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
-- For the "sql" backend, you can uncomment *one* of the below to configure:
|
||||||
sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
|
||||||
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
|
||||||
|
|
||||||
|
|
||||||
|
-- Archiving configuration
|
||||||
|
-- If mod_mam is enabled, Prosody will store a copy of every message. This
|
||||||
|
-- is used to synchronize conversations between multiple clients, even if
|
||||||
|
-- they are offline. This setting controls how long Prosody will keep
|
||||||
|
-- messages in the archive before removing them.
|
||||||
|
|
||||||
|
archive_expires_after = "1w" -- Remove archived messages after 1 week
|
||||||
|
|
||||||
|
-- You can also configure messages to be stored in-memory only. For more
|
||||||
|
-- archiving options, see https://prosody.im/doc/modules/mod_mam
|
||||||
|
|
||||||
-- Logging configuration
|
-- Logging configuration
|
||||||
-- For advanced logging see http://prosody.im/doc/logging
|
-- For advanced logging see https://prosody.im/doc/logging
|
||||||
--
|
|
||||||
-- Debian:
|
|
||||||
-- Logs info and higher to /var/log
|
|
||||||
-- Logs errors to syslog also
|
|
||||||
log = {
|
log = {
|
||||||
-- Log files (change 'info' to 'debug' for debug logs):
|
{levels = {min = "info"}, to = "console"};
|
||||||
info = "/var/log/prosody/prosody.log";
|
|
||||||
error = "/var/log/prosody/prosody.err";
|
|
||||||
-- Syslog:
|
|
||||||
{ levels = { "error" }; to = "syslog"; };
|
|
||||||
}
|
}
|
||||||
|
|
||||||
-- alex: security stuff, see
|
-- Uncomment to enable statistics
|
||||||
-- http://blog.prosody.im/mandatory-encryption-on-xmpp-starts-today/
|
-- For more info see https://prosody.im/doc/statistics
|
||||||
-- http://wiki.xmpp.org/web/Securing_XMPP and http://xmpp.net/
|
-- statistics = "internal"
|
||||||
s2s_require_encryption = true
|
|
||||||
|
-- Certificates
|
||||||
|
-- Every virtual host and component needs a certificate so that clients and
|
||||||
|
-- servers can securely verify its identity. Prosody will automatically load
|
||||||
|
-- certificates/keys from the directory specified here.
|
||||||
|
-- For more information, including how to use 'prosodyctl' to auto-import certificates
|
||||||
|
-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
|
||||||
|
|
||||||
|
-- Location of directory to find certificates in (relative to main config file):
|
||||||
|
certificates = "certs"
|
||||||
|
|
||||||
|
-- HTTPS currently only supports a single certificate, specify it here:
|
||||||
|
--https_certificate = "/etc/prosody/certs/localhost.crt"
|
||||||
|
|
||||||
----------- Virtual hosts -----------
|
----------- Virtual hosts -----------
|
||||||
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
|
||||||
-- Settings under each VirtualHost entry apply *only* to that host.
|
-- Settings under each VirtualHost entry apply *only* to that host.
|
||||||
|
|
||||||
VirtualHost "example.com"
|
VirtualHost "localhost"
|
||||||
enabled = false -- Remove this line to enable this host
|
|
||||||
|
|
||||||
-- Assign this host a certificate for TLS, otherwise it would use the one
|
--VirtualHost "example.com"
|
||||||
-- set in the global section (if any).
|
-- certificate = "/path/to/example.crt"
|
||||||
-- Note that old-style SSL on port 5223 only supports one certificate, and will always
|
|
||||||
-- use the global one.
|
|
||||||
ssl = {
|
|
||||||
key = "/etc/prosody/certs/example.com.key";
|
|
||||||
certificate = "/etc/prosody/certs/example.com.crt";
|
|
||||||
}
|
|
||||||
|
|
||||||
------ Components ------
|
------ Components ------
|
||||||
-- You can specify components to add hosts that provide special services,
|
-- You can specify components to add hosts that provide special services,
|
||||||
-- like multi-user conferences, and transports.
|
-- like multi-user conferences, and transports.
|
||||||
-- For more information on components, see http://prosody.im/doc/components
|
-- For more information on components, see https://prosody.im/doc/components
|
||||||
|
|
||||||
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
---Set up a MUC (multi-user chat) room server on conference.example.com:
|
||||||
--Component "conference.example.com" "muc"
|
--Component "conference.example.com" "muc"
|
||||||
|
--- Store MUC messages in an archive and allow users to access it
|
||||||
-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
|
--modules_enabled = { "muc_mam" }
|
||||||
--Component "proxy.example.com" "proxy65"
|
|
||||||
|
|
||||||
---Set up an external component (default component port is 5347)
|
---Set up an external component (default component port is 5347)
|
||||||
--
|
--
|
||||||
-- External components allow adding various services, such as gateways/
|
-- External components allow adding various services, such as gateways/
|
||||||
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
-- transports to other networks like ICQ, MSN and Yahoo. For more info
|
||||||
-- see: http://prosody.im/doc/components#adding_an_external_component
|
-- see: https://prosody.im/doc/components#adding_an_external_component
|
||||||
--
|
--
|
||||||
--Component "gateway.example.com"
|
--Component "gateway.example.com"
|
||||||
-- component_secret = "password"
|
-- component_secret = "password"
|
||||||
|
|
Loading…
Reference in a new issue