Diffstat (limited to 'files')
-rw-r--r-- | files/50-disable-password-auth.conf | 5 | ||||
-rw-r--r-- | files/nginx_conf.j2 | 31 | ||||
-rw-r--r-- | files/prosody.cfg.lua.j2 | 22 | ||||
-rw-r--r-- | files/virtual_host.cfg.lua.j2 | 20 |
4 files changed, 65 insertions, 13 deletions
diff --git a/files/50-disable-password-auth.conf b/files/50-disable-password-auth.conf new file mode 100644 index 0000000..6c684d3 --- /dev/null +++ b/files/50-disable-password-auth.conf @@ -0,0 +1,5 @@ +# SPDX-FileCopyrightText: 2024 Matthew Fennell <matthew@fennell.dev> +# +# SPDX-License-Identifier: AGPL-3.0-only + +PasswordAuthentication no diff --git a/files/nginx_conf.j2 b/files/nginx_conf.j2 new file mode 100644 index 0000000..fbddce8 --- /dev/null +++ b/files/nginx_conf.j2 @@ -0,0 +1,31 @@ +# SPDX-FileCopyrightText: 2024 Matthew Fennell <matthew@fennell.dev> +# +# SPDX-License-Identifier: AGPL-3.0-only + +server { + listen 443 ssl; + listen [::]:443; + + ssl_certificate /etc/prosody/certs/{{ virtual_host }}.crt; + ssl_certificate_key /etc/prosody/certs/{{ virtual_host }}.key; + + server_name {{ delegate_host }}; + + location / { + proxy_pass https://localhost:5281; + proxy_set_header Host "{{ delegate_host }}"; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + tcp_nodelay on; + } +} + +server { + listen 80; + listen [::]:80; + + server_name {{ delegate_host }}; + + return 301 https://$host$request_uri; +} diff --git a/files/prosody.cfg.lua.j2 b/files/prosody.cfg.lua.j2 index b6d9fc1..e20ba4e 100644 --- a/files/prosody.cfg.lua.j2 +++ b/files/prosody.cfg.lua.j2 @@ -2,8 +2,6 @@ -- -- SPDX-License-Identifier: AGPL-3.0-only -admins = { } - plugin_paths = { "/usr/local/lib/prosody/modules" } modules_enabled = { @@ -17,6 +15,8 @@ modules_enabled = { "dialback"; "disco"; "external_services"; + "http"; + "http_libjs"; "limits"; "mam"; "mimicking"; @@ -25,9 +25,6 @@ modules_enabled = { "posix"; "private"; "proxy65"; - "register"; - "register_apps"; - "reload_modules"; "roster"; "saslauth"; "server_contact_info"; @@ -41,10 +38,6 @@ modules_enabled = { "version"; } -reload_modules = { - "tls"; -} - modules_disabled = { } pidfile = "/run/prosody/prosody.pid"; 
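Review bot: In files/50-disable-password-auth.conf, `PasswordAuthentication no` on its own may not turn off password logins. sshd keeps the first value it reads for each keyword, so a drop-in that sorts earlier in the include directory (some images ship one with the same `50-` prefix) would take precedence; a lower numeric prefix on the installed file avoids that. Keyboard-interactive authentication through PAM can also still prompt for a password, so consider adding `KbdInteractiveAuthentication no`. The install path and the task that deploys this file are not visible here; having the playbook check the effective value with `sshd -T` after deployment would confirm the setting took effect.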
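Review bot: In files/nginx_conf.j2, `listen [::]:443;` is missing the `ssl` parameter, so the IPv6 socket on port 443 would speak plain HTTP while only the IPv4 listener negotiates TLS; it should read `listen [::]:443 ssl;`. The certificate paths are built from `{{ virtual_host }}` but `server_name` is `{{ delegate_host }}`, so the certificate presumably has to list the delegate host as a subject alternative name, which is worth confirming. The server block sets no `ssl_protocols`, so the TLS versions offered depend on the distribution defaults; pinning them with `ssl_protocols TLSv1.2 TLSv1.3;` would make the template self-describing.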
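Review bot: Enabling `"http"` in the modules_enabled hunk (`@@ -17,6 +15,8 @@`) of files/prosody.cfg.lua.j2 makes Prosody open its own HTTP and HTTPS listeners, and nothing visible in this diff binds them to loopback. The nginx template proxies to `https://localhost:5281`, so unless a host firewall covers it elsewhere, the same endpoints are probably also reachable directly on the Prosody ports, bypassing the proxy. Consider `https_interfaces = { "127.0.0.1", "::1" }` and `http_ports = { }`. Also consider `trusted_proxies = { "127.0.0.1", "::1" }`, so the `X-Forwarded-For` header nginx sets is honoured and logs show the client address rather than localhost. The modules_enabled table starts and ends outside the hunk.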
@@ -62,15 +55,18 @@ authentication = "internal_hashed" certificates = "certs" c2s_direct_tls_ports = { 5223 } s2s_direct_tls_ports = { 5270 } +use_dane = true -- From Monal considerations for XMPP server admins smacks_hibernation_time = 86400 allow_registration = true -site_apps_show = { - "conversations"; - "dino"; - "monal"; +invite_expiry = 86400 * 365 +registration_invite_only = true + +firewall_scripts = { + "module:scripts/spam-blocking.pfw"; + "module:script/spam-blocklists.pfw"; } limits = { diff --git a/files/virtual_host.cfg.lua.j2 b/files/virtual_host.cfg.lua.j2 index 6db9e98..272e24b 100644 --- a/files/virtual_host.cfg.lua.j2 +++ b/files/virtual_host.cfg.lua.j2 @@ -4,9 +4,27 @@ VirtualHost "{{ virtual_host }}" +admins = { "admin@{{ virtual_host }}" }; + +modules_enabled = { + "invites"; + "invites_adhoc"; + "invites_page"; + "invites_register"; + "register"; + "register_apps"; +} + +contact_info = { + abuse = { "xmpp:abuse@{{ virtual_host }}" }; + admin = { "xmpp:admin@{{ virtual_host }}" }; +} + turn_external_host = "turn.{{ virtual_host }}" turn_external_secret = "{{ turn_secret }}" +allow_user_invites = true +http_external_url = "https://{{ virtual_host }}/" site_name = "{{ virtual_host }}" Component "upload.{{ virtual_host }}" "http_file_share" @@ -19,3 +37,5 @@ modules_enabled = { log_all_rooms = true restrict_room_creation = "local" +muc_room_default_public = false +muc_room_default_public_jids = true |
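Review bot: The two `firewall_scripts` entries in files/prosody.cfg.lua.j2 use different directories, `module:scripts/spam-blocking.pfw` and `module:script/spam-blocklists.pfw`, and the second looks like a typo for `scripts/`. If it is, that script would presumably fail to load and the blocklists would go unenforced; the line would become `"module:scripts/spam-blocklists.pfw";`. No visible hunk adds `"firewall"` to modules_enabled, so confirm it is enabled in a part of the file outside this diff, otherwise `firewall_scripts` has no effect. `use_dane = true` likewise only helps if the host uses a DNSSEC-validating resolver, which cannot be checked from here; a one-line comment stating that dependency would help the next maintainer.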
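Review bot: `allow_user_invites = true` in the first hunk of files/virtual_host.cfg.lua.j2 lets every account issue invites. With `registration_invite_only = true` and `invite_expiry = 86400 * 365` in prosody.cfg.lua.j2, sign-up is then gated only by whichever existing user shares a link, and a leaked link stays usable for a year. If onboarding is meant to be admin-controlled, set `allow_user_invites = false` or shorten `invite_expiry`; otherwise add a comment saying user-issued invites are deliberate. Separately, `http_external_url` names `{{ virtual_host }}` while the nginx template serves `{{ delegate_host }}` and forwards that as `Host`; if the two values differ, generated invite links may not resolve to the proxy, which is worth confirming.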
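Review bot: `muc_room_default_public_jids = true` in the last hunk of files/virtual_host.cfg.lua.j2 makes newly created rooms non-anonymous by default, so every occupant's real JID is visible to all other participants. The context line `log_all_rooms = true` means those rooms are archived as well. If this is intended, a comment above the line would record the privacy trade-off, for example `-- new rooms are non-anonymous: occupants can see each other's real JIDs`. The Component block these settings belong to starts outside the hunk.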