view docker/prosody/prosody.cfg.lua @ 84:8dc445c967e2

docker (base): create /usr/share/sat/certificates and tls-cert group to handle certificate + moved conf to /home/sat/.config/sat/sat.conf
author Goffi <goffi@goffi.org>
date Thu, 18 Feb 2016 17:23:08 +0100
parents 5824dee4ea2b
children 349cbfea2596

-- Prosody configuration for SàT Docker image
--
-- Prosody loads this file as Lua. Settings assigned before the first
-- VirtualHost/Component call are server-wide; settings assigned after one
-- apply to the host or component declared most recently (this is why
-- modules_enabled is assigned a second time for the pubsub component
-- below). Statement order therefore matters when editing this file.

---------- Server-wide settings ----------

-- The XMPP domain is taken from the DOMAIN environment variable;
-- when it is unset the image falls back to "libervia.int".
local domain = os.getenv("DOMAIN") or "libervia.int"
-- default admin is admin@DOMAIN
-- (admins can use the admin_adhoc and announce modules enabled below)
admins = { "admin@"..(domain) }

-- Enable use of libevent for better performance under high load
-- For more information see: http://prosody.im/doc/libevent
--use_libevent = true;

-- Documentation on modules can be found at: http://prosody.im/doc/modules
modules_enabled = {
		-- used by SàT

		-- SàT PubSub (both are also enabled on the pubsub component below)
				"delegation";
				"privilege";

		-- Not mandatory but neat
				"ipcheck";
				"http_upload";

		-- Generally required
				"roster"; -- Allow users to have a roster. Recommended ;)
				"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
				"tls"; -- Add support for secure TLS on c2s/s2s connections
				"dialback"; -- s2s dialback support
				"disco"; -- Service discovery

		-- Not essential, but recommended
				"private"; -- Private XML storage (for room bookmarks, etc.)
				"vcard"; -- Allow users to set vCards

		-- These are commented by default as they have a performance impact
				--"privacy"; -- Support privacy lists
				--"compression"; -- Stream compression (Debian: requires lua-zlib module to work)

		-- Nice to have
				"version"; -- Replies to server version requests
				"uptime"; -- Report how long server has been running
				"time"; -- Let others know the time here on this server
				"ping"; -- Replies to XMPP pings with pongs
				-- "pep"; -- Enables users to publish their mood, activity, playing music and more
				-- we don't want to allow self registering, this is managed by a SàT plugin
				-- (see also allow_registration = false below)
				--"register"; -- Allow users to register on this server using a client and change passwords

		-- Admin interfaces
				"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
				--"admin_telnet"; -- Opens telnet console interface on localhost port 5582

		-- HTTP modules
				--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
				--"http_files"; -- Serve static files from a directory over HTTP

		-- Other specific functionality
				"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
				--"groups"; -- Shared roster support
				-- announce is useful on a Libervia instance
				"announce"; -- Send announcement to all online users
				--"welcome"; -- Welcome users who register accounts
				--"watchregistrations"; -- Alert admins of registrations
				--"motd"; -- Send a message to users when they log in
				--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
};

-- These modules are loaded by Prosody without being listed above;
-- to disable them, uncomment them here:
modules_disabled = {
		-- "offline"; -- Store offline messages
		-- "c2s"; -- Handle client connections
		-- "s2s"; -- Handle server-to-server connections
};

-- Disable account creation by default, for security
-- For more information see http://prosody.im/doc/creating_accounts
-- (accounts are created by a SàT plugin instead, see the "register"
-- entry above)
allow_registration = false;

-- We keep foreground for Docker
daemonize = false;

-- Debian:
--   Please, don't change this option since /var/run/prosody/
--   is one of the few directories Prosody is allowed to write to
--
pidfile = "/var/run/prosody/prosody.pid";

-- We want to use the certificate in /usr/share/sat
-- NOTE(review): the key must be readable by the user Prosody runs as;
-- presumably this is granted through the tls-cert group created by the
-- image — confirm ownership/permissions of the key file in the image.
ssl = {
		key = "/usr/share/sat/certificates/libervia.key";
		certificate = "/usr/share/sat/certificates/libervia.crt";
}

-- Clients must negotiate TLS before they can authenticate or exchange
-- stanzas.
-- NOTE(review): no s2s_require_encryption is set in this file, so
-- server-to-server encryption follows the default of the installed
-- Prosody version — confirm that default matches the intended policy.
c2s_require_encryption = true

-- Force certificate authentication for server-to-server connections?
-- This provides ideal security, but requires servers you communicate
-- with to support encryption AND present valid, trusted certificates.
-- NOTE: Your version of LuaSec must support certificate verification!
-- For more information see http://prosody.im/doc/s2s#security

-- With this disabled, remote servers are authenticated by dialback/DNS;
-- peers that must present a valid certificate can still be listed in
-- s2s_secure_domains below.
s2s_secure_auth = false

-- Many servers don't support encryption or have invalid or self-signed
-- certificates. You can list domains here that will not be required to
-- authenticate using certificates. They will be authenticated using DNS.

--s2s_insecure_domains = { "gmail.com" }

-- Even if you leave s2s_secure_auth disabled, you can still require valid
-- certificates for some domains by specifying a list here.

--s2s_secure_domains = { "jabber.org" }

-- Select the authentication backend to use. The 'internal' providers
-- use Prosody's configured data storage to store the authentication data.
-- To allow Prosody to offer secure authentication mechanisms to clients, the
-- default provider stores passwords in plaintext. If you do not trust your
-- server please see http://prosody.im/doc/modules/mod_auth_internal_hashed
-- for information about using the hashed backend.

-- NOTE(review): "internal_plain" keeps every user password in clear text
-- in Prosody's data store. Unless SàT needs plaintext storage (e.g. for a
-- specific SASL mechanism), "internal_hashed" (linked above) limits the
-- impact of a data-store compromise; switching backends presumably
-- requires existing passwords to be set again — confirm before changing.
authentication = "internal_plain"

-- we listen to the world for components (but we do *NOT*
-- expose the port! It's just for linked containers)
-- NOTE(review): binding on 0.0.0.0 means isolation rests entirely on the
-- port not being published and on only trusted containers sharing the
-- Docker network; the component secrets below are the only other check.
component_interface="0.0.0.0"

-- we want default, unsplitted logs, so we have removed all logging stuff

-- Everything from here to the first Component call applies to the main
-- virtual host only.
VirtualHost (domain)
	-- mod_privilege: privileges granted to the pubsub component on this
	-- host (roster "get" and "outgoing" messages, as listed).
	privileged_entities = {
		["pubsub."..domain] = {
			roster = "get";
			message = "outgoing";
		},
	}

	-- mod_delegation: MAM (urn:xmpp:mam:1, filtered on the "node"
	-- attribute) and pubsub requests are delegated to the pubsub
	-- component.
	delegations = {
		["urn:xmpp:mam:1"] = {
			filtering = {"node"};
			jid = "pubsub."..domain;
		},
		["http://jabber.org/protocol/pubsub"] = {
			jid = "pubsub."..domain;
		},
	}

------ Components ------

---Set up a MUC (multi-user chat) room server on chat.<domain>:
Component ("chat."..domain) "muc"

-- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
Component ("proxy."..domain) "proxy65"

-- 50 MiB limit for upload (http_upload_file_size_limit is in bytes and
-- applies to this component only)
Component ("upload."..domain) "http_upload"
	http_upload_file_size_limit = 50 * 1024 * 1024

-- External pubsub component (SàT PubSub). The secret comes from the
-- environment; os.getenv returns nil when SAT_PUBSUB_SECRET is unset.
-- NOTE(review): make sure the container entrypoint always sets this
-- variable, and verify that Prosody refuses the component rather than
-- running with a nil secret.
Component ("pubsub."..domain)
	component_secret = os.getenv("SAT_PUBSUB_SECRET")
	-- modules for this component only; they are also enabled server-wide
	-- above so the virtual host can honour the privileges/delegations
	modules_enabled = {"privilege", "delegation"}

-- External "salut" component; same remark as above about the secret
-- being nil when SAT_SALUT_SECRET is unset.
Component ("salut."..domain)
	component_secret = os.getenv("SAT_SALUT_SECRET")

------ Additional config files ------
-- For organizational purposes you may prefer to add VirtualHost and
-- Component definitions in their own config files. This line includes
-- all config files in /etc/prosody/conf.d/

-- conf.d is not used in this Docker image,
-- but if needed just uncomment the next line
-- Include "conf.d/*.cfg.lua"