
ejabberd.yml

a guest
Dec 18th, 2022
  1. ###
  2. ### ejabberd configuration file
  3. ###
  4. ### The parameters used in this configuration file are explained at
  5. ###
  6. ### https://docs.ejabberd.im/admin/configuration
  7. ###
  8. ### The configuration file is written in YAML.
  9. ### *******************************************************
  10. ### ******* !!! WARNING !!! *******
  11. ### ******* YAML IS INDENTATION SENSITIVE *******
  12. ### ******* MAKE SURE YOU INDENT SECTIONS CORRECTLY *******
  13. ### *******************************************************
  14. ### Refer to http://en.wikipedia.org/wiki/YAML for a brief description.
  15. ###
  16.  
  17. hosts:
  18. - "XXX"
  19.  
  20. loglevel: 4
  21. log_rotate_count: 1
  22. log_rotate_size: 10485760
  23. hide_sensitive_log_data: false
  24.  
  25. ## If you already have certificates, list them here
  26. certfiles:
  27. # - /etc/letsencrypt/live/domain.tld/fullchain.pem
  28. # - /etc/letsencrypt/live/domain.tld/privkey.pem
  29. - "/etc/letsencrypt/live/XXX/fullchain.pem"
  30. - "/etc/letsencrypt/live/XXX/privkey.pem"
  31. # - /usr/local/etc/ejabberd/ejabberd.pem
  32.  
  33. ## TLS configuration
  34. define_macro:
  35. 'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
  36. 'TLS_OPTIONS':
  37. - "no_sslv3"
  38. - "no_tlsv1"
  39. - "no_tlsv1_1"
  40. - "cipher_server_preference"
  41. - "no_compression"
  42.  
  43. c2s_ciphers: 'TLS_CIPHERS'
  44. s2s_ciphers: 'TLS_CIPHERS'
  45. c2s_protocol_options: 'TLS_OPTIONS'
  46. s2s_protocol_options: 'TLS_OPTIONS'
  47.  
  48. ## Database configuration
  49. sql_type: sqlite
  50. sql_database: "/home/XXX/ejabberd/ejabberd.db"
  51. default_db: sql
  52.  
  53. auth_method: sql
  54.  
  55. listen:
  56. -
  57. port: 5222
  58. ip: "::"
  59. module: ejabberd_c2s
  60. max_stanza_size: 262144
  61. shaper: c2s_shaper
  62. access: c2s
  63. starttls_required: true
  64. -
  65. port: 5269
  66. ip: "::"
  67. module: ejabberd_s2s_in
  68. max_stanza_size: 524288
  69. -
  70. port: 5443
  71. ip: "::"
  72. module: ejabberd_http
  73. tls: true
  74. register: false
  75. captcha: false
  76. request_handlers:
  77. /admin: ejabberd_web_admin
  78. /api: mod_http_api
  79. /bosh: mod_bosh
  80. /upload: mod_http_upload
  81. /ws: ejabberd_http_ws
  82. -
  83. port: 5280
  84. ip: "::"
  85. module: ejabberd_http
  86. register: false
  87. request_handlers:
  88. /admin: ejabberd_web_admin
  89. /.well-known/acme-challenge: ejabberd_acme
  90. -
  91. port: 3478
  92. transport: udp
  93. module: ejabberd_stun
  94. use_turn: true
  95. turn_min_port: 60000
  96. turn_max_port: 65000
  97. ## The server's public IPv4 address:
  98. turn_ipv4_address: "XXX"
  99. -
  100. port: 3478
  101. transport: tcp
  102. module: ejabberd_stun
  103. use_turn: true
  104. turn_min_port: 60000
  105. turn_max_port: 65000
  106. ## The server's public IPv4 address:
  107. turn_ipv4_address: "XXX"
  108. -
  109. port: 5349
  110. transport: tcp
  111. module: ejabberd_stun
  112. use_turn: true
  113. tls: true
  114. turn_min_port: 60000
  115. turn_max_port: 65000
  116. turn_ipv4_address: "XXX"
  117.  
  118. ## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
  119. ## password storage (see auth_password_format option).
  120. disable_sasl_mechanisms:
  121. - "digest-md5"
  122. - "X-OAUTH2"
  123.  
  124. s2s_use_starttls: required
  125. s2s_cafile: /etc/ssl/certs/ca-certificates.crt
  126. s2s_dns_timeout: 60
  127. s2s_dns_retries: 5
  128. outgoing_s2s_timeout: 600
  129.  
  130. ## Disable automated mode for acme (certificate management)
  131. acme:
  132. auto: false
  133.  
  134. ## Store the plain passwords or hashed for SCRAM:
  135. auth_password_format: scram
  136.  
  137. acl:
  138. admin:
  139. user:
  140. - "XXX@XXX"
  141. biguploader:
  142. user:
  143. - "XXX@XXX"
  144.  
  145. local:
  146. user_regexp: ""
  147. loopback:
  148. ip:
  149. - 127.0.0.0/8
  150. - ::1/128
  151. - "::FFFF:127.0.0.1/128"
  152.  
  153. access_rules:
  154. local:
  155. allow: local
  156. c2s:
  157. deny: blocked
  158. allow: all
  159. announce:
  160. allow: admin
  161. configure:
  162. allow: admin
  163. muc_create:
  164. allow: local
  165. pubsub_createnode:
  166. allow: local
  167. trusted_network:
  168. allow: loopback
  169.  
  170. api_permissions:
  171. "console commands":
  172. from:
  173. - ejabberd_ctl
  174. who: all
  175. what: "*"
  176. "admin access":
  177. who:
  178. access:
  179. allow:
  180. - acl: loopback
  181. - acl: admin
  182. oauth:
  183. scope: "ejabberd:admin"
  184. access:
  185. allow:
  186. - acl: loopback
  187. - acl: admin
  188. what:
  189. - "*"
  190. - "!stop"
  191. - "!start"
  192. "public commands":
  193. who:
  194. ip: 127.0.0.1/8
  195. what:
  196. - status
  197. - connected_users_number
  198.  
  199. shaper:
  200. normal:
  201. rate: 3000
  202. burst_size: 20000
  203. fast: 100000
  204.  
  205. shaper_rules:
  206. max_user_sessions: 10
  207. max_user_offline_messages:
  208. 5000: admin
  209. 100: all
  210. c2s_shaper:
  211. none: admin
  212. normal: all
  213. s2s_shaper: fast
  214.  
  215. modules:
  216. mod_adhoc: {}
  217. mod_admin_extra: {}
  218. mod_announce:
  219. access: announce
  220. mod_avatar: {}
  221. mod_blocking: {}
  222. mod_bosh: {}
  223. mod_caps: {}
  224. mod_carboncopy: {}
  225. mod_client_state: {}
  226. mod_configure: {}
  227. mod_disco:
  228. server_info:
  229. -
  230. modules: all
  231. name: "abuse-addresses"
  232. urls: ["mailto:reportabuse@XXX"]
  233. mod_fail2ban: {}
  234. mod_http_api: {}
  235. mod_http_upload:
  236. put_url: https://@HOST@:5443/upload
  237. custom_headers:
  238. "Access-Control-Allow-Origin": "https://@HOST@"
  239. "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
  240. "Access-Control-Allow-Headers": "Content-Type"
  241. max_size: infinity
  242. mod_last: {}
  243. mod_mam:
  244. ## Mnesia is limited to 2GB, better to use an SQL backend
  245. ## For small servers SQLite is a good fit and is very easy
  246. ## to configure. Uncomment this when you have SQL configured:
  247. db_type: sql
  248. assume_mam_usage: true
  249. default: always
  250. mod_muc:
  251. access:
  252. - allow
  253. access_admin:
  254. - allow: admin
  255. access_create: muc_create
  256. access_persistent: muc_create
  257. access_mam:
  258. - allow
  259. default_room_options:
  260. mam: true
  261. mod_muc_admin: {}
  262. mod_offline:
  263. access_max_user_messages: max_user_offline_messages
  264. mod_ping: {}
  265. mod_privacy: {}
  266. mod_private: {}
  267. mod_pubsub:
  268. access_createnode: pubsub_createnode
  269. plugins:
  270. - flat
  271. - pep
  272. force_node_config:
  273. ## Avoid buggy clients to make their bookmarks public
  274. storage:bookmarks:
  275. access_model: whitelist
  276. mod_push:
  277. include_body: "New message"
  278. mod_push_keepalive: {}
  279. mod_register:
  280. ## Only accept registration requests from the "trusted"
  281. ## network (see access_rules section above).
  282. ## Think twice before enabling registration from any
  283. ## address. See the Jabber SPAM Manifesto for details:
  284. ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
  285. ip_access: trusted_network
  286. mod_roster:
  287. versioning: true
  288. mod_s2s_dialback: {}
  289. mod_shared_roster: {}
  290. mod_stream_mgmt:
  291. resend_on_timeout: if_offline
  292. mod_stun_disco:
  293. credentials_lifetime: 12h
  294. services:
  295. -
  296. host: XXX
  297. port: 3478
  298. type: stun
  299. transport: udp
  300. restricted: false
  301. -
  302. host: XXX
  303. port: 3478
  304. type: turn
  305. transport: udp
  306. restricted: true
  307. -
  308. host: XXX
  309. port: 3478
  310. type: stun
  311. transport: tcp
  312. restricted: false
  313. -
  314. host: XXX
  315. port: 3478
  316. type: turn
  317. transport: tcp
  318. restricted: true
  319. -
  320. host: XXX
  321. port: 5349
  322. type: stuns
  323. transport: tcp
  324. restricted: false
  325. -
  326. host: XXX
  327. port: 5349
  328. type: turns
  329. transport: tcp
  330. restricted: true
  331. mod_vcard: {}
  332. mod_vcard_xupdate: {}
  333. mod_version:
  334. show_os: false
  335.  
  336. ### Local Variables:
  337. ### mode: yaml
  338. ### End:
  339. ### vim: set filetype=yaml tabstop=8
  340.  