ansible/roles/prosody/templates/prosody.cfg.lua.j2

-- Prosody XMPP Server Configuration
-- {{ ansible_managed }}

---------- Server-wide settings ----------
-- Settings in this section apply to the whole server and are the default settings
-- for any virtual hosts

-- This is a (by default, empty) list of accounts that are admins
-- for the server. Note that you must create the accounts separately
-- (see http://prosody.im/doc/creating_accounts for info)
-- Example: admins = { "user1@example.com", "user2@example.net" }
admins = { "deelkar@jabber.ccchb.de", "freak@jabber.ccchb.de", "jali@jabber.ccchb.de" }

-- Enable use of libevent for better performance under high load
-- For more information see: http://prosody.im/doc/libevent
use_libevent = false;

plugin_paths = { "/opt/prosody-modules" }

-- This is the list of modules Prosody will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
-- Documentation on modules can be found at: http://prosody.im/doc/modules
modules_enabled = {
	{% for module in prosody_modules %}
	"{{ module }}";
	{% endfor %}
};

-- These modules are auto-loaded, should you
-- (for some mad reason) want to disable
-- them then uncomment them below
modules_disabled = {
	-- "presence"; -- Route user/contact status information
	-- "message"; -- Route messages
	-- "iq"; -- Route info queries
	-- "offline"; -- Store offline messages
};

-- Disable account creation by default, for security
-- For more information see http://prosody.im/doc/creating_accounts
allow_registration = {{ prosody_allow_registration }};

-- These are the SSL/TLS-related settings. If you don't want
-- to use SSL/TLS, you may comment or remove this
-- *** DUMMY CERT *** DO NOT CHANGE *** SET CERT IN HOST SECTION ***
ssl = {
	protocol = "sslv23";
	key = "{{ prosody_ssl_key }}";
	certificate = "{{ prosody_ssl_cert }}";
	dhparam = "/etc/prosody/certs/dh-2048.pem";
	options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
        ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM";
}
legacy_ssl_ports = { 5223 }
http_external_url = "https://{{ prosody_domain }}/"

-- Only allow encrypted streams? Encryption is already used when
-- available. These options will cause Prosody to deny connections that
-- are not encrypted. Note that some servers do not support s2s
-- encryption or have it disabled, including gmail.com and Google Apps
-- domains.

--c2s_require_encryption = false
--s2s_require_encryption = false

-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
-- To allow Prosody to offer secure authentication mechanisms to clients, the
-- default provider stores passwords in plaintext. If you do not trust your
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
-- for information about using the hashed backend.

authentication = "internal_hashed"

-- Select the storage backend to use. By default Prosody uses flat files
-- in its configured data directory, but it also supports more backends
-- through modules. An "sql" backend is included by default, but requires
-- additional dependencies. See http://prosody.im/doc/storage for more info.

--storage = "sql" -- Default is "internal"

-- For the "sql" backend, you can uncomment *one* of the below to configure:
--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.
--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }


-- STUN/TURN
--turncredentials_host = "jabber.emma.ccchb.de"
turncredentials_host = "einstein.cskreie.de"
turncredentials_secret = "gabbagabbahey"


-- HTTP-UPLOAD
http_upload_file_size_limit = 10485760 -- 10M
http_max_content_size = 20971520 -- 20M
http_upload_quota =  104857600 -- 100M
http_upload_expire_after = 2592000 -- 30d

-- Logging configuration
-- For advanced logging see http://prosody.im/doc/logging
-- Hint: If you create a new log file or rename them, don't forget 
-- to update the logrotate config at /etc/logrotate.d/prosody
log = {
        -- Log all error messages to prosody.err
	error = "/var/log/prosody/prosody.err";
        -- Log everything of level "info" and higher (that is, all except "debug" messages)
        -- to prosody.log
        -- info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging
        -- debug = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging
        --"*syslog"; -- Uncomment this for logging to syslog
}

-- Pidfile, used by prosodyctl and the init.d script
pidfile = "/var/run/prosody/prosody.pid";

----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
-- Settings under each VirtualHost entry apply *only* to that host.

VirtualHost "localhost"

VirtualHost "{{ prosody_domain }}"
	enabled = true -- Remove this line to enable this host

	-- Assign this host a certificate for TLS, otherwise it would use the one
	-- set in the global section (if any).
	-- Note that old-style SSL on port 5223 only supports one certificate, and will always
	-- use the global one.
	ssl = {
		protocol = "sslv23";
		key = "{{ prosody_ssl_key }}";
		certificate = "{{ prosody_ssl_cert }}";
	       dhparam = "/etc/prosody/certs/dh-2048.pem";
	       options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
        	ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM";
	}

------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.
-- For more information on components, see http://prosody.im/doc/components

---Set up a MUC (multi-user chat) room server on conference.example.com:
Component "muc.{{ prosody_domain }}" "muc"
modules_enabled = {
  "vcard_muc", "muc_mam",
}
-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
--Component "proxy.example.com" "proxy65"

---Set up an external component (default component port is 5347)
--
-- External components allow adding various services, such as gateways/
-- transports to other networks like ICQ, MSN and Yahoo. For more info
-- see: http://prosody.im/doc/components#adding_an_external_component
--
--Component "gateway.example.com"
--	component_secret = "password"
First draft for a prosody role 2021-02-02 18:04:38 -06:00			`-- Prosody XMPP Server Configuration`
			`-- {{ ansible_managed }}`

			`---------- Server-wide settings ----------`
			`-- Settings in this section apply to the whole server and are the default settings`
			`-- for any virtual hosts`

			`-- This is a (by default, empty) list of accounts that are admins`
			`-- for the server. Note that you must create the accounts separately`
			`-- (see http://prosody.im/doc/creating_accounts for info)`
			`-- Example: admins = { "user1@example.com", "user2@example.net" }`
			`admins = { "deelkar@jabber.ccchb.de", "freak@jabber.ccchb.de", "jali@jabber.ccchb.de" }`

			`-- Enable use of libevent for better performance under high load`
			`-- For more information see: http://prosody.im/doc/libevent`
			`use_libevent = false;`

			`plugin_paths = { "/opt/prosody-modules" }`

			`-- This is the list of modules Prosody will load on startup.`
			`-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.`
			`-- Documentation on modules can be found at: http://prosody.im/doc/modules`
			`modules_enabled = {`
			`{% for module in prosody_modules %}`
			`"{{ module }}";`
			`{% endfor %}`
			`};`

			`-- These modules are auto-loaded, should you`
			`-- (for some mad reason) want to disable`
			`-- them then uncomment them below`
			`modules_disabled = {`
			`-- "presence"; -- Route user/contact status information`
			`-- "message"; -- Route messages`
			`-- "iq"; -- Route info queries`
			`-- "offline"; -- Store offline messages`
			`};`

			`-- Disable account creation by default, for security`
			`-- For more information see http://prosody.im/doc/creating_accounts`
			`allow_registration = {{ prosody_allow_registration }};`

			`-- These are the SSL/TLS-related settings. If you don't want`
			`-- to use SSL/TLS, you may comment or remove this`
			`-- * DUMMY CERT * DO NOT CHANGE * SET CERT IN HOST SECTION *`
			`ssl = {`
			`protocol = "sslv23";`
			`key = "{{ prosody_ssl_key }}";`
			`certificate = "{{ prosody_ssl_cert }}";`
			`dhparam = "/etc/prosody/certs/dh-2048.pem";`
			`options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };`
			`ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM";`
			`}`
			`legacy_ssl_ports = { 5223 }`
			`http_external_url = "https://{{ prosody_domain }}/"`

			`-- Only allow encrypted streams? Encryption is already used when`
			`-- available. These options will cause Prosody to deny connections that`
			`-- are not encrypted. Note that some servers do not support s2s`
			`-- encryption or have it disabled, including gmail.com and Google Apps`
			`-- domains.`

			`--c2s_require_encryption = false`
			`--s2s_require_encryption = false`

			`-- Select the authentication backend to use. The 'internal' providers`
			`-- use Prosody's configured data storage to store the authentication data.`
			`-- To allow Prosody to offer secure authentication mechanisms to clients, the`
			`-- default provider stores passwords in plaintext. If you do not trust your`
			`-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed`
			`-- for information about using the hashed backend.`

			`authentication = "internal_hashed"`

			`-- Select the storage backend to use. By default Prosody uses flat files`
			`-- in its configured data directory, but it also supports more backends`
			`-- through modules. An "sql" backend is included by default, but requires`
			`-- additional dependencies. See http://prosody.im/doc/storage for more info.`

			`--storage = "sql" -- Default is "internal"`

			`-- For the "sql" backend, you can uncomment one of the below to configure:`
			`--sql = { driver = "SQLite3", database = "prosody.sqlite" } -- Default. 'database' is the filename.`
			`--sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }`
			`--sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }`


			`-- STUN/TURN`
			`--turncredentials_host = "jabber.emma.ccchb.de"`
			`turncredentials_host = "einstein.cskreie.de"`
			`turncredentials_secret = "gabbagabbahey"`


			`-- HTTP-UPLOAD`
			`http_upload_file_size_limit = 10485760 -- 10M`
			`http_max_content_size = 20971520 -- 20M`
			`http_upload_quota = 104857600 -- 100M`
			`http_upload_expire_after = 2592000 -- 30d`

			`-- Logging configuration`
			`-- For advanced logging see http://prosody.im/doc/logging`
			`-- Hint: If you create a new log file or rename them, don't forget`
			`-- to update the logrotate config at /etc/logrotate.d/prosody`
			`log = {`
			`-- Log all error messages to prosody.err`
			`error = "/var/log/prosody/prosody.err";`
			`-- Log everything of level "info" and higher (that is, all except "debug" messages)`
			`-- to prosody.log`
			`-- info = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging`
			`-- debug = "/var/log/prosody/prosody.log"; -- Change 'info' to 'debug' for more verbose logging`
			`--"*syslog"; -- Uncomment this for logging to syslog`
			`}`

			`-- Pidfile, used by prosodyctl and the init.d script`
			`pidfile = "/var/run/prosody/prosody.pid";`

			`----------- Virtual hosts -----------`
			`-- You need to add a VirtualHost entry for each domain you wish Prosody to serve.`
			`-- Settings under each VirtualHost entry apply only to that host.`

			`VirtualHost "localhost"`

			`VirtualHost "{{ prosody_domain }}"`
			`enabled = true -- Remove this line to enable this host`

			`-- Assign this host a certificate for TLS, otherwise it would use the one`
			`-- set in the global section (if any).`
			`-- Note that old-style SSL on port 5223 only supports one certificate, and will always`
			`-- use the global one.`
			`ssl = {`
			`protocol = "sslv23";`
			`key = "{{ prosody_ssl_key }}";`
			`certificate = "{{ prosody_ssl_cert }}";`
			`dhparam = "/etc/prosody/certs/dh-2048.pem";`
			`options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };`
			`ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM";`
			`}`

			`------ Components ------`
			`-- You can specify components to add hosts that provide special services,`
			`-- like multi-user conferences, and transports.`
			`-- For more information on components, see http://prosody.im/doc/components`

			`---Set up a MUC (multi-user chat) room server on conference.example.com:`
			`Component "muc.{{ prosody_domain }}" "muc"`
			`modules_enabled = {`
			`"vcard_muc", "muc_mam",`
			`}`
			`-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:`
			`--Component "proxy.example.com" "proxy65"`

			`---Set up an external component (default component port is 5347)`
			`--`
			`-- External components allow adding various services, such as gateways/`
			`-- transports to other networks like ICQ, MSN and Yahoo. For more info`
			`-- see: http://prosody.im/doc/components#adding_an_external_component`
			`--`
			`--Component "gateway.example.com"`
			`-- component_secret = "password"`