├── .gitignore ├── CHANGELOG.md ├── LICENSE ├── News.md ├── README.md ├── conf ├── ejabberd │ ├── ejabberd-17.08.yml │ ├── ejabberd-18.01.yml │ ├── ejabberd-18.03.yml │ ├── ejabberd-18.04.yml │ ├── ejabberd-18.06.yml │ ├── ejabberd-18.09.yml │ ├── ejabberd-18.12.yml │ ├── ejabberd-19.02.yml │ ├── ejabberd-19.05.yml │ └── ejabberd-19.08.yml ├── gpg │ └── process-one.asc ├── letsencrypt │ └── post-renewal-hook ├── nginx │ ├── additional_domain │ ├── domain │ └── onion ├── sslh │ ├── etc-init.d.sslh │ └── etc-sslh.cfg ├── tor │ └── hidden_service └── web │ ├── extra │ └── index.html │ └── global │ └── index.html ├── functions ├── install ├── logo ├── aenigma_logo-full-blue-blue-blck-nobg-4x.png ├── aenigma_logo-sqre-blue-blue-xxxx-nobg-4x.png ├── aenigma_logo.png ├── aenigma_logo_evolution.pdf └── aenigma_logo_old.png ├── restore.sh ├── setup └── tools ├── aenigma-backup ├── aenigma-clusterize ├── aenigma-create-push-certs ├── aenigma-env ├── aenigma-exec ├── aenigma-perform-dns-checks ├── aenigma-push_routing_info ├── aenigma-restore ├── aenigma-resync_cluster ├── aenigma-test-online-nodes ├── aenigma-upgrade └── aenigma-version /.gitignore: -------------------------------------------------------------------------------- 1 | *.DS_Store 2 | ._.DS_Store 3 | **/.DS_Store 4 | **/._.DS_Store 5 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # aenigma changelog 2 | 3 | ## Newer changes not listed. 4 | ## See the [releases page](https://github.com/openspace42/aenigma/releases) for change tracking. 5 | 6 | ## v0.6.x [2018-10] 7 | 8 | 1. Completely restructured code. More neatly organized aenigma functions. More functions integrated into or sourced from dna. 9 | 2. Removed the 3 installation options in favour of a single option [formerly #1] that works for everyone. 10 | 2. 
Leverages LetsEncrypt's wildcard TLS certificates, which work for every service we need. This massively simplifies the codebase and the end-user setup itself. 11 | 3. Entirely new DNS checks, now part of dna. 12 | 4. New DNS provider functionality [also part of dna] for automated DNS record configuration driven by the aforementioned DNS checks function. 13 | 5. aenigma is now clusterizable in a simple and straightforward fashion. From now on, every new instance installed is ready to be clusterized in the future. This is known as multi-master multi-server functionality. 14 | 6. Removed reliance on EasyEngine: aenigma now directly provisions the wildcard LE cert, installs nginx, and configures the hostname website. 15 | 7. aenigma can now finally be installed on Debian 9 [stretch] [in addition to Ubuntu 18.04 LTS]! 16 | 17 | ## [...] 18 | 19 | ## v0.47 [2018-01-16] 20 | 21 | 1. Added testing mode for Ubuntu 17.10 [artful] [and therefore - currently - ejabberd 18.01 as per the repo we use] to prepare for Ubuntu 18.04 and ejabberd 18.xx: 22 | 1.1: Re-introduced per-ejabberd-version ejabberd.yml config files [falls back to the v17.08 config file if the ejabberd version being installed doesn't have a version-specific aenigma config file] 23 | 1.2: Enabled mod_push in ejabberd.yml for versions 18.01 and later 24 | 1.3: Requires the user to place any external TLS certificate for $domain inside the aenigma /etc/ssl/aenigma TLS certificates folder, as arbitrary other directories are blocked in newer versions. 25 | 26 | 2. Added use of git versioning following [EasyEngine-Backup-Restore](https://github.com/openspace42/EasyEngine-Backup-Restore). The old installer.sh is now called "setup" and the old installer-vx.yz is now simply called "install". 27 | 28 | 3. Added use of the "functions" file and [openspace Bash Functions](https://github.com/openspace42/bash-functions) to modularize and standardize everything we do across openspace projects. 29 | 30 | 4. 
Allowed APT to fail during installation until the last step, where any errors are caught by the script as usual. 31 | This way the installation can proceed to the end and possibly fix whatever caused APT to fail earlier; if that doesn't work, the user can at least attempt to fix things manually once the installation is actually complete, then run it again to bring everything back to normal. 32 | 33 | ## v0.46 [2017-12-19] 34 | 35 | 1. Validate S3 connection details 36 | 2. Allow "bootstrap mode" to restore aenigma [and therefore source all previous settings] before running the installation on a new machine 37 | 3. Alert in case of reinstall and prompt for backup 38 | 4. Suggest adding CNAME records instead of A/AAAA records 39 | 5. Added error in case of LetsEncrypt failure 40 | 6. Added DPKG lock detection / waiting 41 | 7. Fixed and improved SRV records DNS checks 42 | 8. All bash code audited with ShellCheck 43 | 9. Improved backup / restore functionality by pulling the newest code from [easyengine-backup-restore](https://github.com/openspace42/easyengine-backup-restore) 44 | 45 | ## v0.45 [2017-11-18] 46 | 47 | 1. Changed installation directory to /root/openspace42/aenigma/ 48 | 2. Build SSLH from source to use v1.18 [for ALPN functionality] 49 | 3. Added c2s listener on port 5223 50 | 4. Added LetsEncrypt TLS certificate generation for xu.$domain 51 | 5. Tunneled HTTP uploads via SSLH on port 443 [at least until a better solution is found] 52 | 6. New "tools" directory with automated ejabberd backup/restore scripts with S3 options. 53 | 7. Nightly backup to local machine / S3 with backup script cron job. 54 | 8. Added admin email address setting for error notifications [backup failures, etc...] 55 | 9. 
Added incomplete install checker 56 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | ______________________________________________________________ 3 | | | 4 | | LibreLicense | 5 | | v0.4 | Nz | 6 | | 14-10-2017 | 27-09-2018 | 7 | | openspace.xxx | 8 | |______________________________________________________________| 9 | 10 | 11 | This work of art is a product of the universe. 12 | The result of an entropic synthesis that originated 13 | somewhere in the dark vastness of space. 14 | An instance of existence 15 | that is now everywhere and everyone's. 16 | It and all derived creations 17 | are and always will be 18 | free and open to all. 19 | 20 | ______________________________________________________________ 21 | | | 22 | | Nam medium nihil esse potest | 23 | | quando omnia constant infinita... | 24 | |______________________________________________________________| 25 | -------------------------------------------------------------------------------- /News.md: -------------------------------------------------------------------------------- 1 | # News posts archive 2 | 3 | Follow our development updates together with the aenigma community on our chatroom at [aenigma@xc.aenigma.xyz](xmpp:aenigma@xc.aenigma.xyz). 4 | 5 | If you have an operational aenigma server, definitely subscribe for new release notifications and other important heads-up alerts. 6 | 7 | ### 2019-07-30 | v0.7.2-beta.1 release 8 | 9 | ``` 10 | Hi all, aenigma with working backups is almost out, and will ship with what is now synthia v4, with an entirely re-curated codebase 11 | 12 | Making every function faster and easier to read, and standardized spacing and commenting. 
Some DNA functions have been improved, and, most importantly for you guys, every action previously performed by a script like aenigma-clusterize has now been made into a function of itself that can be run standalone from aenigma-env 13 | 14 | The installer will now handle user denial conditions more gracefully, asking them to re-specify parameters rather than exit the script entirely. 15 | 16 | Also, side note, a new project was born called nimbo, it will completely automate the installation of a nextcloud server, with dedicated database, redis caching, and one day even clustering capabilities, of course with our stable and now super stable S3 backup/restore capabilities. 17 | 18 | A nice addition to your project team, school, or workplace, if you like aenigma and are looking to host your own cloud. If you like the idea, give it a test when the first beta is out. 19 | 20 | As always, you can test out this specific beta with: 21 | 22 | aenigma-upgrade -dt -pt 23 | 24 | or try out the latest bleeding_edge version up to HEAD with: 25 | 26 | aenigma-upgrade -db -pb 27 | 28 | or simply wait for this stable release to be published - after which you'll be able to upgrade normally with: 29 | 30 | aenigma-upgrade 31 | 32 | Thanks for following our project and please consider becoming a supporter if you're finding it interesting, useful, or both! 33 | 34 | Nz 35 | ``` 36 | 37 | ### 2019-06-20 | v0.7.1 stable release 38 | 39 | ``` 40 | Hi there! 41 | 42 | aenigma v0.7.1 stable is out with the following improvements: 43 | 44 | - ejabberd v19.05 [from the previous v18.12.1] now installed from DEB-package-file directly from the process-one website. 45 | - NGINX-handled ejabberd uploads. This is another feature [after the PostgreSQL database integration in the previous release] that is highly recommended by the ejabberd team and which brings the robustness of this feature to a new level. 
46 | - the new set_mam_disabled function, which - especially when combined with set_loglevel_zero - further turns your server's "stealth mode" on, limiting the amount of user data stored on it, which is a good idea if you believe your server might be compromised or seized in the future. 47 | - removed mod_echo as it's deprecated 48 | - refined nginx websocket revproxy config for .onion version of converse.js 49 | - enable mod_proxy65 for continued 100% compliance with caas 50 | - enabled an option in synthia+dna to install the project from a custom git branch on origin 51 | - stability and notable speed improvements when reclustering PostgreSQL 52 | - very many bugfixes and general retouches 53 | 54 | aenigma v0.7.1 also ships with dna v0.3.14 which fixes a couple of small issues and introduces the following improvements: 55 | 56 | - fix postfix not enabling during install_mail_notifications 57 | - added include_hostname in log_script 58 | - Fix https://github.com/openspace42/aenigma/issues/58 59 | 60 | **This upgrade will delete any existing ejabberd uploads** as we now handle them with NGINX. 61 | 62 | If you're running on Ubuntu 18.04 make sure you follow the upgrade guide [here](https://github.com/openspace42/aenigma/wiki/aenigma-upgrades-on-Ubuntu-18.04-are-temporarily-broken.-Here's-how-to-fix-them.) for this specific release because of the 2019/06/12 openssl incident. 63 | 64 | After that, or if you're running on Debian, you can upgrade with: 65 | 66 | aenigma-upgrade 67 | 68 | Thanks for following our project and please consider becoming a supporter if you're finding it interesting, useful, or both! 69 | 70 | Nz 71 | ``` 72 | 73 | ### 2019-06-19 | v0.7.1-beta.3 release 74 | 75 | ``` 76 | After the [openssl-v1.1.1 incident](https://github.com/openspace42/aenigma/wiki/aenigma-upgrades-on-Ubuntu-18.04-are-temporarily-broken.-Here's-how-to-fix-them.) we seem to be back on track with v0.7.1 release and aenigma in general. 
77 | If you haven't followed, the news is that we were forced to rapidly switch to a DEB-package-file ejabberd installation, moving on from the old jabber.at APT repo installation strategy, as the version provided by that repo was too old [v18.12.1] with respect to the current stable release of ejabberd [v19.05], and an update to openssl in the Ubuntu 18.04 built-in canonical repository broke TLS in ejabberd, therefore forcing us to move to DEB-package installation earlier than scheduled. 78 | Fortunately, after a week of work, both installation of the DEB-file version *and* migration from old to new version seem to work, and you can now test it out for yourself if you'd like. 79 | Please note that: 80 | 1. upgrading v0.7.1 [and related betas] will *not* preserve existing ejabberd uploads. All existing ejabberd uploads will be lost. 81 | 2. If you're running any version of aenigma prior to v0.7.1-beta.2 you *must* follow [this guide](https://github.com/openspace42/aenigma/wiki/aenigma-upgrades-on-Ubuntu-18.04-are-temporarily-broken.-Here's-how-to-fix-them.#how-to-work-your-way-out-of-this-and-upgrade-beyond-) before you do anything else. 82 | After you follow the above step you can upgrade to v0.7.1-beta.3 with `bash aenigma/setup -db -pb` after re-cloning from origin. 83 | ``` 84 | 85 | ### 2019-06-11 | v0.7.1 beta release 86 | 87 | ``` 88 | Hi there! 89 | 90 | aenigma v0.7.1-beta.1 is out with the following improvements: 91 | 92 | - NGINX-handled ejabberd uploads. This is another feature [after the PostgreSQL database integration in the previous release] that is highly recommended by the ejabberd team and which brings the robustness of this feature to a new level. 93 | - the new set_mam_disabled function, which - especially when combined with set_loglevel_zero - further turns your server's "stealth mode" on, limiting the amount of user data stored on it, which is a good idea if you believe your server might be compromised or seized in the future. 
94 | - removed mod_echo as it's deprecated 95 | - refined nginx websocket revproxy config for .onion version of converse.js 96 | - enable mod_proxy65 for continued 100% compliance with caas 97 | - enabled an option in synthia+dna to install the project from a custom git branch on origin 98 | - stability and notable speed improvements when reclustering PostgreSQL 99 | - very many bugfixes and general retouches 100 | 101 | aenigma v0.7.1 will also ship with dna v0.3.14 which fixes a couple of small issues. 102 | 103 | As always, you can test out this specific beta with: 104 | 105 | aenigma-upgrade -dt -pt 106 | 107 | or try out the latest bleeding_edge version up to HEAD with: 108 | 109 | aenigma-upgrade -db -pb 110 | 111 | or simply wait for this stable release to be published - after which you'll be able to upgrade normally with: 112 | 113 | aenigma-upgrade 114 | 115 | Thanks for following our project and please consider becoming a supporter if you're finding it interesting, useful, or both! 116 | 117 | Nz 118 | ``` 119 | 120 | ### 2019-06-05 | v0.7.0 stable release 121 | 122 | ``` 123 | Hi all! 124 | 125 | aenigma v0.7.0 is out with full postgresql single / cluster support 126 | 127 | you can finally upgrade with "aenigma-upgrade". there are also several improvements: 128 | 129 | - every aenigma node can now resolve .onion domains and route them correctly through tor so that aurora@abcd01.onion can speak to ilena@abcd02.onion on completely separate servers, entirely via Tor [c2s, s2s, c2s]. 130 | - the new loglevel_zero function will make your server not store any user connection / disconnection traffic data to limit the amount of data leaked in the event the server were compromised or seized in the future 131 | - converse.js now uses websocket connection to ejabberd rather than bosh, for a very notable speed improvement. converse.js accessed via .onion domain from tor will now use .onion websocket endpoint to conceal the clearnet domain used on that machine. 
132 | 133 | This release also ships with dna v0.3.13 with a bunch of fixes and improvements, and the following new functions: 134 | 135 | - provision_self_signed_wildcard_cert 136 | - nginx_increase_names_hash_bucket_size_128 137 | - check_s3_connection 138 | 139 | Locale setting was also completely re-written. 140 | 141 | A release of v0.7.1 will bring ejabberd uploads handled by nginx, improvements in loglevel_zero function, and more small improvements, and that should come out in about a week. 142 | 143 | Nz 144 | ``` 145 | -------------------------------------------------------------------------------- /conf/ejabberd/ejabberd-17.08.yml: -------------------------------------------------------------------------------- 1 | ### aenigma server 2 | ### an openspace project [openspace.xxx] 3 | ### initial commit by nk on 20170923 4 | ### aenigma.xyz 5 | 6 | ### aenigma.xyz ejabberd configuration file 7 | 8 | loglevel: 4 9 | 10 | log_rotate_size: 10485760 11 | log_rotate_date: "" 12 | log_rotate_count: 1 13 | log_rate_limit: 100 14 | 15 | # watchdog_admins: 16 | # - "admin@domain.xyz" 17 | 18 | ## net_ticktime: 60 19 | 20 | hosts: 21 | - "domain.xyz" 22 | 23 | ## route_subdomains: s2s 24 | 25 | ### aenigma notice 26 | ### to enable state-of-the-art, NOT backwards-compatible TLS encryption 27 | ### [breaking all bridges with legacy servers and therefore the rest of XMPP community] 28 | ### simply set: | s2s_protocol_options: 'TLSOPTS' | and | s2s_ciphers: 'CIPHERS' | 29 | 30 | define_macro: 31 | 32 | 'CERTFILE': "/etc/ssl/aenigma/hostname.pem" 33 | 'XUCERTFILE': "/etc/ssl/aenigma/xu.pem" 34 | 'DHFILE': "/etc/ssl/aenigma/dh.pem" 35 | 'CIPHERS': "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" 36 | 'S2SCIPHERS': "HIGH:!MEDIUM:!LOW:!3DES:!CAMELLIA:!aNULL@STRENGTH" 37 | 'TLSOPTS': 38 | - "no_sslv3" 39 | - "no_tlsv1" 40 | - "no_tlsv1_1" 41 | - "cipher_server_preference" 42 | - "no_compression" 43 | 'S2STLSOPTS': 44 | - "no_sslv3" 45 | - "cipher_server_preference" 46 | - 
"no_compression" 47 | 48 | listen: 49 | - 50 | port: 5222 51 | ip: "::" 52 | module: ejabberd_c2s 53 | starttls: true 54 | certfile: 'CERTFILE' 55 | protocol_options: 'TLSOPTS' 56 | dhfile: 'DHFILE' 57 | ciphers: 'CIPHERS' 58 | starttls_required: true 59 | zlib: true 60 | max_stanza_size: 65536 61 | shaper: c2s_shaper 62 | access: c2s 63 | resend_on_timeout: if_offline 64 | - 65 | port: 5223 66 | ip: "::" 67 | module: ejabberd_c2s 68 | certfile: 'CERTFILE' 69 | protocol_options: 'TLSOPTS' 70 | dhfile: 'DHFILE' 71 | ciphers: 'CIPHERS' 72 | tls: true 73 | zlib: true 74 | max_stanza_size: 65536 75 | shaper: c2s_shaper 76 | access: c2s 77 | resend_on_timeout: if_offline 78 | - 79 | port: 5269 80 | ip: "::" 81 | module: ejabberd_s2s_in 82 | max_stanza_size: 131072 83 | shaper: s2s_shaper 84 | - 85 | port: 5280 86 | ip: "::" 87 | module: ejabberd_http 88 | request_handlers: 89 | "/websocket": ejabberd_http_ws 90 | "/api": mod_http_api 91 | ## "/pub/archive": mod_http_fileserver 92 | web_admin: true 93 | http_poll: true 94 | http_bind: true 95 | ## register: true 96 | captcha: false 97 | ## - 98 | ## port: 8888 99 | ## ip: "::" 100 | ## module: ejabberd_service 101 | ## access: all 102 | ## shaper_rule: fast 103 | ## ip: "127.0.0.1" 104 | ## privilege_access: 105 | ## roster: "both" 106 | ## message: "outgoing" 107 | ## presence: "roster" 108 | ## delegations: 109 | ## "urn:xmpp:mam:1": 110 | ## filtering: ["node"] 111 | ## "http://jabber.org/protocol/pubsub": 112 | ## filtering: [] 113 | ## hosts: 114 | ## "icq.example.org": 115 | ## password: "secret" 116 | ## "sms.example.org": 117 | ## password: "secret" 118 | 119 | 120 | ## - 121 | ## port: 3478 122 | ## transport: udp 123 | ## module: ejabberd_stun 124 | 125 | 126 | ## - 127 | ## port: 4560 128 | ## ip: "::" 129 | ## module: ejabberd_xmlrpc 130 | ## maxsessions: 10 131 | ## timeout: 5000 132 | ## access_commands: 133 | ## admin: 134 | ## commands: all 135 | ## options: [] 136 | 137 | 138 | - 139 | port: 5444 140 | 
ip: "::" 141 | module: ejabberd_http 142 | request_handlers: 143 | "": mod_http_upload 144 | tls: true 145 | certfile: 'XUCERTFILE' 146 | protocol_options: 'TLSOPTS' 147 | dhfile: 'DHFILE' 148 | ciphers: 'CIPHERS' 149 | 150 | disable_sasl_mechanisms: "digest-md5" 151 | 152 | s2s_use_starttls: required 153 | s2s_certfile: 'CERTFILE' 154 | s2s_dhfile: 'DHFILE' 155 | s2s_protocol_options: 'S2STLSOPTS' 156 | s2s_ciphers: 'S2SCIPHERS' 157 | 158 | ## host_config: 159 | ## "example.org": 160 | ## domain_certfile: "/path/to/example_org.pem" 161 | ## "example.com": 162 | ## domain_certfile: "/path/to/example_com.pem" 163 | 164 | ## aenigma_host_config_domain_placeholder_start: 165 | ## aenigma_host_config_domain_placeholder_end: 166 | 167 | ## aenigma_host_config_xu_placeholder_start: 168 | ## aenigma_host_config_xu_placeholder_end: 169 | 170 | ## s2s_access: s2s 171 | 172 | ## outgoing_s2s_families: 173 | ## - ipv4 174 | ## - ipv6 175 | ## outgoing_s2s_timeout: 190 176 | 177 | auth_method: internal 178 | 179 | auth_password_format: scram 180 | 181 | ## fqdn: "server3.example.com" 182 | 183 | ## auth_method: external 184 | ## extauth_program: "/path/to/authentication/script" 185 | ## auth_method: sql 186 | ## auth_method: pam 187 | ## pam_service: "pamservicename" 188 | 189 | ## auth_method: ldap 190 | ## ldap_servers: 191 | ## - "localhost" 192 | ## ldap_encrypt: none 193 | ## ldap_encrypt: tls 194 | ## ldap_port: 389 195 | ## ldap_port: 636 196 | ## ldap_rootdn: "dc=example,dc=com" 197 | ## ldap_password: "******" 198 | ## ldap_base: "dc=example,dc=com" 199 | ## ldap_uids: 200 | ## - "mail": "%u@mail.example.org" 201 | ## ldap_filter: "(objectClass=shadowAccount)" 202 | 203 | ## auth_method: anonymous 204 | ## anonymous_protocol: sasl_anon | login_anon | both 205 | ## allow_multiple_connections: true | false 206 | 207 | ## host_config: 208 | ## "public.example.org": 209 | ## auth_method: anonymous 210 | ## allow_multiple_connections: false 211 | ## anonymous_protocol: 
sasl_anon 212 | 213 | ## host_config: 214 | ## "public.example.org": 215 | ## auth_method: 216 | ## - internal 217 | ## - anonymous 218 | 219 | ## pgsql_users_number_estimate: true 220 | 221 | shaper: 222 | normal: 1000 223 | fast: 50000 224 | 225 | max_fsm_queue: 1000 226 | 227 | acl: 228 | ## 229 | ## The 'admin' ACL grants administrative privileges to XMPP accounts. 230 | ## You can put here as many accounts as you want. 231 | ## 232 | admin: 233 | user: 234 | - "admin@domain.xyz" 235 | 236 | ## blocked: 237 | ## user: 238 | ## - "baduser@example.org" 239 | ## - "test" 240 | 241 | local: 242 | user_regexp: "" 243 | 244 | ## jabberorg: 245 | ## server: 246 | ## - "jabber.org" 247 | ## aleksey: 248 | ## user: 249 | ## - "aleksey@jabber.ru" 250 | ## test: 251 | ## user_regexp: "^test" 252 | ## user_glob: "test*" 253 | 254 | loopback: 255 | ip: 256 | - "127.0.0.0/8" 257 | 258 | ## bad_servers: 259 | ## server: 260 | ## - "xmpp.zombie.org" 261 | ## - "xmpp.spam.com" 262 | 263 | ## host_config: 264 | ## "localhost": 265 | ## acl: 266 | ## admin: 267 | ## user: 268 | ## - "bob-local@localhost" 269 | 270 | shaper_rules: 271 | ## Maximum number of simultaneous sessions allowed for a single user: 272 | max_user_sessions: 24 273 | ## Maximum number of offline messages that users can have: 274 | max_user_offline_messages: 275 | - 5000: admin 276 | - 1000 277 | ## For C2S connections, all users except admins use the "normal" shaper 278 | c2s_shaper: 279 | - none: admin 280 | - normal 281 | ## All S2S connections use the "fast" shaper 282 | s2s_shaper: fast 283 | 284 | access_rules: 285 | ## This rule allows access only for local users: 286 | local: 287 | - allow: local 288 | ## Only non-blocked users can use c2s connections: 289 | c2s: 290 | - deny: blocked 291 | - allow 292 | ## Only admins can send announcement messages: 293 | announce: 294 | - allow: admin 295 | ## Only admins can use the configuration interface: 296 | configure: 297 | - allow: admin 298 | ## Only 
accounts of the local ejabberd server can create rooms: 299 | muc_create: 300 | - allow: local 301 | ## Only accounts on the local ejabberd server can create Pubsub nodes: 302 | pubsub_createnode: 303 | - allow: local 304 | ## In-band registration allows registration of any possible username. 305 | ## To disable in-band registration, replace 'allow' with 'deny'. 306 | register: 307 | - allow 308 | ## Only allow to register from localhost 309 | trusted_network: 310 | - allow: loopback 311 | ## Do not establish S2S connections with bad servers 312 | ## If you enable this you also have to uncomment "s2s_access: s2s" 313 | ## s2s: 314 | ## - deny: 315 | ## - ip: "XXX.XXX.XXX.XXX/32" 316 | ## - deny: 317 | ## - ip: "XXX.XXX.XXX.XXX/32" 318 | ## - allow 319 | 320 | api_permissions: 321 | "console commands": 322 | from: 323 | - ejabberd_ctl 324 | who: all 325 | what: "*" 326 | "admin access": 327 | who: 328 | - access: 329 | - allow: 330 | - ip: "127.0.0.1/8" 331 | - acl: admin 332 | - oauth: 333 | - scope: "ejabberd:admin" 334 | - access: 335 | - allow: 336 | - ip: "127.0.0.1/8" 337 | - acl: admin 338 | what: 339 | - "*" 340 | - "!stop" 341 | - "!start" 342 | "public commands": 343 | who: 344 | - ip: "127.0.0.1/8" 345 | what: 346 | - "status" 347 | - "connected_users_number" 348 | ## registration_timeout: 600 349 | 350 | ## host_config: 351 | ## "localhost": 352 | ## access: 353 | ## c2s: 354 | ## - allow: admin 355 | ## - deny 356 | ## register: 357 | ## - deny 358 | 359 | language: "en" 360 | 361 | ## host_config: 362 | ## "localhost": 363 | ## language: "ru" 364 | 365 | ## captcha_cmd: "/opt/ejabberd-17.09/lib/ejabberd-17.09/priv/bin/captcha.sh" 366 | 367 | ## captcha_host: "domain.xyz:5280" 368 | 369 | ## captcha_limit: 5 370 | 371 | modules: 372 | mod_adhoc: {} 373 | mod_admin_extra: {} 374 | mod_announce: # recommends mod_adhoc 375 | access: announce 376 | mod_blocking: {} # requires mod_privacy 377 | mod_caps: {} 378 | mod_carboncopy: {} 379 | mod_client_state: {} 
380 | mod_configure: {} # requires mod_adhoc 381 | ## mod_delegation: {} # for xep0356 382 | mod_disco: {} 383 | mod_echo: 384 | host: "xe.@HOST@" 385 | mod_irc: 386 | host: "xi.@HOST@" 387 | mod_bosh: {} 388 | mod_http_bind: {} 389 | mod_http_fileserver: 390 | docroot: "/var/www/ejabberd/" 391 | accesslog: "/var/log/ejabberd/www_access.log" 392 | mod_http_upload: 393 | host: "xu.@HOST@" 394 | docroot: "@HOME@/uploads" 395 | put_url: "https://xu.@HOST@:443" 396 | thumbnail: false # otherwise needs the identify command from ImageMagick installed 397 | max_size: 262144000 398 | file_mode: "0640" 399 | dir_mode: "2750" 400 | access: 401 | - allow 402 | mod_http_upload_quota: 403 | max_days: 30 404 | mod_last: {} 405 | mod_mix: 406 | host: "xm.@HOST@" 407 | mod_muc: 408 | host: "xc.@HOST@" 409 | access: 410 | - allow 411 | access_admin: 412 | - allow: admin 413 | access_create: muc_create 414 | access_persistent: muc_create 415 | history_size: 0 416 | default_room_options: 417 | mam: true 418 | allow_subscription: true 419 | mod_muc_admin: {} 420 | ## mod_muc_log: {} 421 | ## mod_multicast: {} 422 | mod_offline: 423 | access_max_user_messages: max_user_offline_messages 424 | mod_ping: {} 425 | ## mod_pres_counter: 426 | ## count: 5 427 | ## interval: 60 428 | mod_privacy: {} 429 | mod_private: {} 430 | ## mod_proxy65: {} 431 | mod_pubsub: 432 | host: "xp.@HOST@" 433 | access_createnode: pubsub_createnode 434 | ignore_pep_from_offline: false 435 | last_item_cache: false 436 | max_items_node: 1000 437 | default_node_config: 438 | max_items: 1000 439 | plugins: 440 | - "flat" 441 | - "hometree" 442 | - "pep" # pep requires mod_caps 443 | mod_register: 444 | ## captcha_protected: true 445 | ## password_strength: 32 446 | welcome_message: 447 | subject: "Hello world" 448 | body: |- 449 | Hi there! 450 | Happy to see you onboard. 451 | This is the aenigma XMPP server at hostname.xyz hosting domain domain.xyz. 452 | The admin for this instance is admin@domain.xyz. 
453 | https://aenigma.xyz 454 | 455 | registration_watchers: 456 | - "admin@domain.xyz" 457 | 458 | ### ip_access: trusted_network 459 | 460 | access_from: allow 461 | 462 | access: register 463 | mod_roster: 464 | versioning: true 465 | store_current_id: true 466 | mod_shared_roster: {} 467 | mod_stats: {} 468 | mod_time: {} 469 | mod_vcard: 470 | search: false 471 | mod_version: {} 472 | mod_stream_mgmt: {} 473 | mod_mam: 474 | default: always 475 | cache_size: 1048576 476 | cache_life_time: 2678400 477 | mod_s2s_dialback: {} 478 | mod_http_api: {} 479 | 480 | ## host_config: 481 | ## "localhost": 482 | ## modules: 483 | ## mod_echo: 484 | ## host: "mirror.localhost" 485 | 486 | allow_contrib_modules: true 487 | 488 | ### Local Variables: 489 | ### mode: yaml 490 | ### End: 491 | ### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker: 492 | -------------------------------------------------------------------------------- /conf/ejabberd/ejabberd-18.01.yml: -------------------------------------------------------------------------------- 1 | ### aenigma server 2 | ### an openspace project [openspace.xxx] 3 | ### initial commit by nk on 20170923 4 | ### aenigma.xyz 5 | 6 | ### aenigma.xyz ejabberd configuration file 7 | 8 | ###. ======= 9 | ###' LOGGING 10 | 11 | loglevel: 4 12 | 13 | log_rotate_size: 10485760 14 | log_rotate_date: "" 15 | log_rotate_count: 1 16 | log_rate_limit: 100 17 | 18 | ###. =============== 19 | ###' NODE PARAMETERS 20 | 21 | ## net_ticktime: 60 22 | 23 | ###. ================ 24 | ###' SERVED HOSTNAMES 25 | 26 | hosts: 27 | - "domain.xyz" 28 | 29 | ## route_subdomains: s2s 30 | 31 | ###. ============ 32 | ###' Certificates 33 | 34 | certfiles: 35 | - "/etc/ssl/aenigma/*.pem" 36 | 37 | ###. 
=================
###' TLS configuration

### aenigma notice
### to enable state-of-the-art, NOT backwards-compatible TLS encryption
### [breaking all bridges with legacy servers and therefore the rest of XMPP community]
### simply set: | s2s_protocol_options: 'TLSOPTS' | and | s2s_ciphers: 'CIPHERS' |
###. ===============
###' LISTENING PORTS


define_macro:

  'CERTFILE': "/etc/ssl/aenigma/hostname.pem"
  'XUCERTFILE': "/etc/ssl/aenigma/xu.pem"
  'DHFILE': "/etc/ssl/aenigma/dh.pem"
  'CIPHERS': "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
  'S2SCIPHERS': "HIGH:!MEDIUM:!LOW:!3DES:!CAMELLIA:!aNULL@STRENGTH"
  'TLSOPTS':
    - "no_sslv3"
    - "no_tlsv1"
    - "no_tlsv1_1"
    - "cipher_server_preference"
    - "no_compression"
  'S2STLSOPTS':
    - "no_sslv3"
    - "cipher_server_preference"
    - "no_compression"

listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    starttls: true
    certfile: 'CERTFILE'
    protocol_options: 'TLSOPTS'
    dhfile: 'DHFILE'
    ciphers: 'CIPHERS'
    starttls_required: true
    zlib: true
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
    resend_on_timeout: if_offline
  -
    port: 5223
    ip: "::"
    module: ejabberd_c2s
    certfile: 'CERTFILE'
    protocol_options: 'TLSOPTS'
    dhfile: 'DHFILE'
    ciphers: 'CIPHERS'
    tls: true
    zlib: true
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
    resend_on_timeout: if_offline
  -
    port: 5269
    ip: "::"
    module: ejabberd_s2s_in
    max_stanza_size: 131072
    shaper: s2s_shaper
  -
    port: 5280
    ip: "::"
    module: ejabberd_http
    request_handlers:
      "/ws": ejabberd_http_ws
      "/bosh": mod_bosh
      "/api": mod_http_api
      ## "/pub/archive": mod_http_fileserver
    web_admin: true
    http_poll: true
    http_bind: true
    ## register: true
    captcha: false
  ##  -
  ##    port: 8888
  ##    ip: "::"
  ##    module: ejabberd_service
  ##    access: all
  ##    shaper_rule: fast
  ##    ip: "127.0.0.1"
  ##    privilege_access:
  ##       roster: "both"
  ##       message: "outgoing"
  ##       presence: "roster"
  ##    delegations:
  ##       "urn:xmpp:mam:1":
  ##         filtering: ["node"]
  ##       "http://jabber.org/protocol/pubsub":
  ##         filtering: []
  ##    hosts:
  ##      "icq.example.org":
  ##        password: "secret"
  ##      "sms.example.org":
  ##        password: "secret"


  ##  -
  ##    port: 3478
  ##    transport: udp
  ##    module: ejabberd_stun


  ##  -
  ##    port: 4560
  ##    ip: "::"
  ##    module: ejabberd_xmlrpc
  ##    maxsessions: 10
  ##    timeout: 5000
  ##    access_commands:
  ##      admin:
  ##        commands: all
  ##        options: []


  -
    port: 5444
    ip: "::"
    module: ejabberd_http
    request_handlers:
      "": mod_http_upload
    tls: true
    certfile: 'XUCERTFILE'
    protocol_options: 'TLSOPTS'
    dhfile: 'DHFILE'
    ciphers: 'CIPHERS'

disable_sasl_mechanisms: "digest-md5"

###. ==================
###' S2S GLOBAL OPTIONS


s2s_use_starttls: required
s2s_certfile: 'CERTFILE'
s2s_dhfile: 'DHFILE'
s2s_protocol_options: 'S2STLSOPTS'
s2s_ciphers: 'S2SCIPHERS'

## host_config:
##   "example.org":
##     domain_certfile: "/path/to/example_org.pem"
##   "example.com":
##     domain_certfile: "/path/to/example_com.pem"

## aenigma_host_config_domain_placeholder_start:
## aenigma_host_config_domain_placeholder_end:

## aenigma_host_config_xu_placeholder_start:
## aenigma_host_config_xu_placeholder_end:

## s2s_access: s2s

## outgoing_s2s_families:
##   - ipv4
##   - ipv6
## outgoing_s2s_timeout: 190

###. ==============
###' AUTHENTICATION

auth_method: internal

auth_password_format: scram

## fqdn: "server3.example.com"

## auth_method: external
## extauth_program: "/path/to/authentication/script"
## auth_method: sql
## auth_method: pam
## pam_service: "pamservicename"

## auth_method: ldap
## ldap_servers:
##   - "localhost"
## ldap_encrypt: none
## ldap_encrypt: tls
## ldap_port: 389
## ldap_port: 636
## ldap_rootdn: "dc=example,dc=com"
## ldap_password: "******"
## ldap_base: "dc=example,dc=com"
## ldap_uids:
##   - "mail": "%u@mail.example.org"
## ldap_filter: "(objectClass=shadowAccount)"

## auth_method: anonymous
## anonymous_protocol: sasl_anon | login_anon | both
## allow_multiple_connections: true | false

## host_config:
##   "public.example.org":
##     auth_method: anonymous
##     allow_multiple_connections: false
##     anonymous_protocol: sasl_anon

## host_config:
##   "public.example.org":
##     auth_method:
##       - internal
##       - anonymous

###. ==============
###' DATABASE SETUP

## pgsql_users_number_estimate: true

###. ===============
###' TRAFFIC SHAPERS

shaper:
  normal: 1000
  fast: 50000

max_fsm_queue: 1000
###. ====================
###' ACCESS CONTROL LISTS
acl:
  ##
  ## The 'admin' ACL grants administrative privileges to XMPP accounts.
  ## You can put here as many accounts as you want.
  ##
  admin:
    user:
      - "admin@domain.xyz"

  ## blocked:
  ##   user:
  ##     - "baduser@example.org"
  ##     - "test"

  local:
    user_regexp: ""

  ## jabberorg:
  ##   server:
  ##     - "jabber.org"
  ## aleksey:
  ##   user:
  ##     - "aleksey@jabber.ru"
  ## test:
  ##   user_regexp: "^test"
  ##   user_glob: "test*"

  loopback:
    ip:
      - "127.0.0.0/8"
      - "::1/128"
      - "::FFFF:127.0.0.1/128"

  ## bad_servers:
  ##   server:
  ##     - "xmpp.zombie.org"
  ##     - "xmpp.spam.com"

## host_config:
##   "localhost":
##     acl:
##       admin:
##         user:
##           - "bob-local@localhost"

###. ============
###' SHAPER RULES

shaper_rules:
  ## Maximum number of simultaneous sessions allowed for a single user:
  max_user_sessions: 24
  ## Maximum number of offline messages that users can have:
  max_user_offline_messages:
    - 16384: admin
    - 4096
  ## For C2S connections, all users except admins use the "normal" shaper
  c2s_shaper:
    - none: admin
    - normal
  ## All S2S connections use the "fast" shaper
  s2s_shaper: fast

###. ============
###' ACCESS RULES
access_rules:
  ## This rule allows access only for local users:
  local:
    - allow: local
  ## Only non-blocked users can use c2s connections:
  c2s:
    - deny: blocked
    - allow
  ## Only admins can send announcement messages:
  announce:
    - allow: admin
  ## Only admins can use the configuration interface:
  configure:
    - allow: admin
  ## Only accounts of the local ejabberd server can create rooms:
  muc_create:
    - allow: local
  ## Only accounts on the local ejabberd server can create Pubsub nodes:
  pubsub_createnode:
    - allow: local
  ## In-band registration allows registration of any possible username.
  ## To disable in-band registration, replace 'allow' with 'deny'.
  register:
    - allow
  ## Only allow to register from localhost
  trusted_network:
    - allow: loopback
  ## Do not establish S2S connections with bad servers
  ## If you enable this you also have to uncomment "s2s_access: s2s"
  ## s2s:
  ##   - deny:
  ##     - ip: "XXX.XXX.XXX.XXX/32"
  ##   - deny:
  ##     - ip: "XXX.XXX.XXX.XXX/32"
  ##   - allow

api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      - access:
          - allow:
            - acl: loopback
            - acl: admin
      - oauth:
        - scope: "ejabberd:admin"
        - access:
            - allow:
              - acl: loopback
              - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      - ip: "127.0.0.1/8"
    what:
      - "status"
      - "connected_users_number"
## registration_timeout: 600

## host_config:
##   "localhost":
##     access:
##       c2s:
##         - allow: admin
##         - deny
##       register:
##         - deny

###. ================
###' DEFAULT LANGUAGE
language: "en"

## host_config:
##   "localhost":
##     language: "ru"

###. =======
###' CAPTCHA

## captcha_cmd: "/opt/ejabberd-17.09/lib/ejabberd-17.09/priv/bin/captcha.sh"

## captcha_host: "domain.xyz:5280"

## captcha_limit: 5

###. ====
###' ACME
##
## In order to use the acme certificate acquiring through "Let's Encrypt"
## an http listener has to be configured to listen to port 80 so that
## the authorization challenges posed by "Let's Encrypt" can be solved.
##
## A simple way of doing this would be to add the following in the listening
## section and to configure port forwarding from 80 to 5280 either via NAT
## (for ipv4 only) or using frontends such as haproxy/nginx/sslh/etc.
##  -
##    port: 5280
##    ip: "::"
##    module: ejabberd_http

## acme:

   ## A contact mail that the ACME Certificate Authority can contact in case of
   ## an authorization issue, such as a server-initiated certificate revocation.
   ## It is not mandatory to provide an email address but it is highly suggested.
   ## contact: "mailto:example-admin@example.com"


   ## The ACME Certificate Authority URL.
   ## This could either be:
   ##   - https://acme-v01.api.letsencrypt.org - (Default) for the production CA
   ##   - https://acme-staging.api.letsencrypt.org - for the staging CA
   ##   - http://localhost:4000 - for a local version of the CA
   ## ca_url: "https://acme-v01.api.letsencrypt.org"
###. =======
###' MODULES
modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce: # recommends mod_adhoc
    access: announce
  mod_blocking: {} # requires mod_privacy
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {} # requires mod_adhoc
  ## mod_delegation: {} # for xep0356
  mod_disco: {}
  mod_echo:
    host: "xe.@HOST@"
  mod_irc:
    host: "xi.@HOST@"
  mod_bosh: {}
  mod_http_bind: {}
  mod_http_fileserver:
    docroot: "/var/www/ejabberd/"
    accesslog: "/var/log/ejabberd/www_access.log"
  mod_http_upload:
    host: "xu.@HOST@"
    docroot: "@HOME@/uploads"
    put_url: "https://xu.@HOST@:443"
    thumbnail: false # otherwise needs the identify command from ImageMagick installed
    max_size: 262144000
    file_mode: "0640"
    dir_mode: "2750"
    access:
      - allow
  mod_http_upload_quota:
    max_days: 30
  mod_last: {}
  mod_mix:
    host: "xm.@HOST@"
  mod_muc:
    host: "xc.@HOST@"
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
    history_size: 42
    default_room_options:
      mam: true
      allow_subscription: true
  mod_muc_admin: {}
  ## mod_muc_log: {}
  ## mod_multicast: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  ## mod_pres_counter:
  ##   count: 5
  ##   interval: 60
  mod_privacy: {}
  mod_private: {}
  ## mod_proxy65: {}
  mod_pubsub:
    host: "xp.@HOST@"
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: false
    last_item_cache: false
    max_items_node: 1000
    default_node_config:
      max_items: 1000
    plugins:
      - "flat"
      - "hometree"
      - "pep" # pep requires mod_caps
  mod_push: {}
  mod_push_keepalive: {}
  mod_register:
    ## captcha_protected: true
    ## password_strength: 32
    welcome_message:
      subject: "Hello world"
      body: |-
        Hi there!
        Happy to see you onboard.
        This is the aenigma XMPP server at hostname.xyz hosting domain domain.xyz.
        The admin for this instance is admin@domain.xyz.
        https://aenigma.xyz

    registration_watchers:
      - "admin@domain.xyz"

    ### ip_access: trusted_network

    access_from: allow

    access: register
  mod_roster:
    versioning: true
    store_current_id: true
  mod_shared_roster: {}
  mod_stats: {}
  mod_time: {}
  mod_vcard:
    search: false
  mod_vcard_xupdate: {}
  mod_avatar: {}
  mod_version: {}
  mod_stream_mgmt: {}
  mod_mam:
    default: always
    cache_size: 1048576
    cache_life_time: 2678400
  mod_s2s_dialback: {}
  mod_http_api: {}

## host_config:
##   "localhost":
##     modules:
##       mod_echo:
##         host: "mirror.localhost"

allow_contrib_modules: true

###.
###'
### Local Variables:
### mode: yaml
### End:
### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker:

--------------------------------------------------------------------------------
/conf/ejabberd/ejabberd-18.03.yml:
--------------------------------------------------------------------------------
################################################################################
################################################################################
################################################################################

### This is the configuration file for an instance of
### aenigma: The | state-of-the-art | secure-by-default | one-touch-deployed | XMPP server for everyone.
### for ejabberd XMPP server v18.03

### aenigma is an openspace project [openspace.xxx]
### initial commit by nz on 2017-09-23
### https://aenigma.xyz | https://github.com/openspace42/aenigma/

################################################################################
################################################################################
################################################################################

###. =======
###' LOGGING

loglevel: 4

log_rotate_size: 10485760
log_rotate_date: ""
log_rotate_count: 1
log_rate_limit: 100

###. ===============
###' NODE PARAMETERS

## net_ticktime: 60

###. ================
###' SERVED HOSTNAMES

hosts:
  - "domain.xyz"

## route_subdomains: s2s

###. ============
###' Certificates

certfiles:
  - "/etc/ssl/aenigma/*.pem"

###. =================
###' TLS configuration

### aenigma notice
### to enable state-of-the-art, NOT backwards-compatible TLS encryption
### [breaking all bridges with legacy servers and therefore the rest of XMPP community]
### simply set: | s2s_protocol_options: 'TLSOPTS' | and | s2s_ciphers: 'CIPHERS' |
###. ===============
###' LISTENING PORTS


define_macro:

  'CERTFILE': "/etc/ssl/aenigma/hostname.pem"
  'XUCERTFILE': "/etc/ssl/aenigma/xu.pem"
  'DHFILE': "/etc/ssl/aenigma/dh.pem"
  'CIPHERS': "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
  'S2SCIPHERS': "HIGH:!MEDIUM:!LOW:!3DES:!CAMELLIA:!aNULL@STRENGTH"
  'TLSOPTS':
    - "no_sslv3"
    - "no_tlsv1"
    - "no_tlsv1_1"
    - "cipher_server_preference"
    - "no_compression"
  'S2STLSOPTS':
    - "no_sslv3"
    - "cipher_server_preference"
    - "no_compression"

listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    starttls: true
    certfile: 'CERTFILE'
    protocol_options: 'TLSOPTS'
    dhfile: 'DHFILE'
    ciphers: 'CIPHERS'
    starttls_required: true
    zlib: true
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
    resend_on_timeout: if_offline
  -
    port: 5223
    ip: "::"
    module: ejabberd_c2s
    certfile: 'CERTFILE'
    protocol_options: 'TLSOPTS'
    dhfile: 'DHFILE'
    ciphers: 'CIPHERS'
    tls: true
    zlib: true
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
    resend_on_timeout: if_offline
  -
    port: 5269
    ip: "::"
    module: ejabberd_s2s_in
    max_stanza_size: 131072
    shaper: s2s_shaper
  -
    port: 5280
    ip: "::"
    module: ejabberd_http
    request_handlers:
      "/ws": ejabberd_http_ws
      "/bosh": mod_bosh
      "/api": mod_http_api
      ## "/pub/archive": mod_http_fileserver
    web_admin: true
    http_poll: true
    http_bind: true
    ## register: true
    captcha: false
  ##  -
  ##    port: 8888
  ##    ip: "::"
  ##    module: ejabberd_service
  ##    access: all
  ##    shaper_rule: fast
  ##    ip: "127.0.0.1"
  ##    privilege_access:
  ##       roster: "both"
  ##       message: "outgoing"
  ##       presence: "roster"
  ##    delegations:
  ##       "urn:xmpp:mam:1":
  ##         filtering: ["node"]
  ##       "http://jabber.org/protocol/pubsub":
  ##         filtering: []
  ##    hosts:
  ##      "icq.example.org":
  ##        password: "secret"
  ##      "sms.example.org":
  ##        password: "secret"


  ##  -
  ##    port: 3478
  ##    transport: udp
  ##    module: ejabberd_stun


  ##  -
  ##    port: 4560
  ##    ip: "::"
  ##    module: ejabberd_xmlrpc
  ##    maxsessions: 10
  ##    timeout: 5000
  ##    access_commands:
  ##      admin:
  ##        commands: all
  ##        options: []


  -
    port: 5444
    ip: "::"
    module: ejabberd_http
    request_handlers:
      "": mod_http_upload
    tls: true
    certfile: 'XUCERTFILE'
    protocol_options: 'TLSOPTS'
    dhfile: 'DHFILE'
    ciphers: 'CIPHERS'

disable_sasl_mechanisms: "digest-md5"

###. ==================
###' S2S GLOBAL OPTIONS


s2s_use_starttls: required
s2s_certfile: 'CERTFILE'
s2s_dhfile: 'DHFILE'
s2s_protocol_options: 'S2STLSOPTS'
s2s_ciphers: 'S2SCIPHERS'

## host_config:
##   "example.org":
##     domain_certfile: "/path/to/example_org.pem"
##   "example.com":
##     domain_certfile: "/path/to/example_com.pem"

## aenigma_host_config_domain_placeholder_start:
## aenigma_host_config_domain_placeholder_end:

## aenigma_host_config_xu_placeholder_start:
## aenigma_host_config_xu_placeholder_end:

## s2s_access: s2s

## outgoing_s2s_families:
##   - ipv4
##   - ipv6
## outgoing_s2s_timeout: 190

###. ==============
###' AUTHENTICATION

auth_method: internal

auth_password_format: scram

## fqdn: "server3.example.com"

## auth_method: external
## extauth_program: "/path/to/authentication/script"
## auth_method: sql
## auth_method: pam
## pam_service: "pamservicename"

## auth_method: ldap
## ldap_servers:
##   - "localhost"
## ldap_encrypt: none
## ldap_encrypt: tls
## ldap_port: 389
## ldap_port: 636
## ldap_rootdn: "dc=example,dc=com"
## ldap_password: "******"
## ldap_base: "dc=example,dc=com"
## ldap_uids:
##   - "mail": "%u@mail.example.org"
## ldap_filter: "(objectClass=shadowAccount)"

## auth_method: anonymous
## anonymous_protocol: sasl_anon | login_anon | both
## allow_multiple_connections: true | false

## host_config:
##   "public.example.org":
##     auth_method: anonymous
##     allow_multiple_connections: false
##     anonymous_protocol: sasl_anon

## host_config:
##   "public.example.org":
##     auth_method:
##       - internal
##       - anonymous

###. ==============
###' DATABASE SETUP

## pgsql_users_number_estimate: true

###. ===============
###' TRAFFIC SHAPERS

shaper:
  normal: 1000
  fast: 50000

max_fsm_queue: 10000
###. ====================
###' ACCESS CONTROL LISTS
acl:
  ##
  ## The 'admin' ACL grants administrative privileges to XMPP accounts.
  ## You can put here as many accounts as you want.
  ##
  admin:
    user:
      - "admin@domain.xyz"

  ## blocked:
  ##   user:
  ##     - "baduser@example.org"
  ##     - "test"

  local:
    user_regexp: ""

  ## jabberorg:
  ##   server:
  ##     - "jabber.org"
  ## aleksey:
  ##   user:
  ##     - "aleksey@jabber.ru"
  ## test:
  ##   user_regexp: "^test"
  ##   user_glob: "test*"

  loopback:
    ip:
      - "127.0.0.0/8"
      - "::1/128"
      - "::FFFF:127.0.0.1/128"

  ## bad_servers:
  ##   server:
  ##     - "xmpp.zombie.org"
  ##     - "xmpp.spam.com"

## host_config:
##   "localhost":
##     acl:
##       admin:
##         user:
##           - "bob-local@localhost"

###. ============
###' SHAPER RULES

shaper_rules:
  ## Maximum number of simultaneous sessions allowed for a single user:
  max_user_sessions: 24
  ## Maximum number of offline messages that users can have:
  max_user_offline_messages:
    - 16384: admin
    - 8192
  ## For C2S connections, all users except admins use the "normal" shaper
  c2s_shaper:
    - none: admin
    - normal
  ## All S2S connections use the "fast" shaper
  s2s_shaper: fast

###. ============
###' ACCESS RULES
access_rules:
  ## This rule allows access only for local users:
  local:
    - allow: local
  ## Only non-blocked users can use c2s connections:
  c2s:
    - deny: blocked
    - allow
  ## Only admins can send announcement messages:
  announce:
    - allow: admin
  ## Only admins can use the configuration interface:
  configure:
    - allow: admin
  ## Only accounts of the local ejabberd server can create rooms:
  muc_create:
    - allow: local
  ## Only accounts on the local ejabberd server can create Pubsub nodes:
  pubsub_createnode:
    - allow: local
  ## In-band registration allows registration of any possible username.
  ## To disable in-band registration, replace 'allow' with 'deny'.
  register:
    - allow
  ## Only allow to register from localhost
  trusted_network:
    - allow: loopback
  ## Do not establish S2S connections with bad servers
  ## If you enable this you also have to uncomment "s2s_access: s2s"
  ## s2s:
  ##   - deny:
  ##     - ip: "XXX.XXX.XXX.XXX/32"
  ##   - deny:
  ##     - ip: "XXX.XXX.XXX.XXX/32"
  ##   - allow

api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      - access:
          - allow:
            - acl: loopback
            - acl: admin
      - oauth:
        - scope: "ejabberd:admin"
        - access:
            - allow:
              - acl: loopback
              - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      - ip: "127.0.0.1/8"
    what:
      - "status"
      - "connected_users_number"
## registration_timeout: 600

## host_config:
##   "localhost":
##     access:
##       c2s:
##         - allow: admin
##         - deny
##       register:
##         - deny

###. ================
###' DEFAULT LANGUAGE
language: "en"

## host_config:
##   "localhost":
##     language: "ru"

###. =======
###' CAPTCHA

## captcha_cmd: "/opt/ejabberd-17.09/lib/ejabberd-17.09/priv/bin/captcha.sh"

## captcha_host: "domain.xyz:5280"

## captcha_limit: 5

###. ====
###' ACME
##
## In order to use the acme certificate acquiring through "Let's Encrypt"
## an http listener has to be configured to listen to port 80 so that
## the authorization challenges posed by "Let's Encrypt" can be solved.
##
## A simple way of doing this would be to add the following in the listening
## section and to configure port forwarding from 80 to 5280 either via NAT
## (for ipv4 only) or using frontends such as haproxy/nginx/sslh/etc.
##  -
##    port: 5280
##    ip: "::"
##    module: ejabberd_http

## acme:

   ## A contact mail that the ACME Certificate Authority can contact in case of
   ## an authorization issue, such as a server-initiated certificate revocation.
   ## It is not mandatory to provide an email address but it is highly suggested.
   ## contact: "mailto:example-admin@example.com"


   ## The ACME Certificate Authority URL.
   ## This could either be:
   ##   - https://acme-v01.api.letsencrypt.org - (Default) for the production CA
   ##   - https://acme-staging.api.letsencrypt.org - for the staging CA
   ##   - http://localhost:4000 - for a local version of the CA
   ## ca_url: "https://acme-v01.api.letsencrypt.org"
###. =======
###' MODULES
modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce: # recommends mod_adhoc
    access: announce
  mod_blocking: {} # requires mod_privacy
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {} # requires mod_adhoc
  ## mod_delegation: {} # for xep0356
  mod_disco: {}
  mod_echo:
    host: "xe.@HOST@"
  mod_irc:
    host: "xi.@HOST@"
  mod_bosh: {}
  mod_http_bind: {}
  mod_http_fileserver:
    docroot: "/var/www/ejabberd/"
    accesslog: "/var/log/ejabberd/www_access.log"
  mod_http_upload:
    host: "xu.@HOST@"
    docroot: "@HOME@/uploads"
    put_url: "https://xu.@HOST@:443"
    thumbnail: false # otherwise needs the identify command from ImageMagick installed
    max_size: 262144000
    file_mode: "0640"
    dir_mode: "2750"
    access:
      - allow
  mod_http_upload_quota:
    max_days: 120
  mod_last: {}
  mod_mix:
    host: "xm.@HOST@"
  mod_muc:
    host: "xc.@HOST@"
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
    history_size: 42
    default_room_options:
      mam: true
      allow_subscription: true
  mod_muc_admin: {}
  ## mod_muc_log: {}
  ## mod_multicast: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  ## mod_pres_counter:
  ##   count: 5
  ##   interval: 60
  mod_privacy: {}
  mod_private: {}
  ## mod_proxy65: {}
  mod_pubsub:
    host: "xp.@HOST@"
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: false
    last_item_cache: false
    max_items_node: 1000
    default_node_config:
      max_items: 1000
    plugins:
      - "flat"
      - "hometree"
      - "pep" # pep requires mod_caps
  mod_push: {}
  mod_push_keepalive: {}
  mod_register:
    ## captcha_protected: true
    ## password_strength: 32
    welcome_message:
      subject: "Hello world"
      body: |-
        Hi there!
        Happy to see you onboard.
        This is the aenigma XMPP server at hostname.xyz hosting domain domain.xyz.
        The admin for this instance is admin@domain.xyz.
        https://aenigma.xyz

    registration_watchers:
      - "admin@domain.xyz"

    ### ip_access: trusted_network

    access_from: allow

    access: register
  mod_roster:
    versioning: true
    store_current_id: true
  mod_shared_roster: {}
  mod_stats: {}
  mod_time: {}
  mod_vcard:
    search: false
  mod_vcard_xupdate: {}
  mod_avatar: {}
  mod_version: {}
  mod_stream_mgmt: {}
  mod_mam:
    default: always
    cache_size: 1048576
    cache_life_time: 2678400
  mod_s2s_dialback: {}
  mod_http_api: {}
  mod_fail2ban: {}

## host_config:
##   "localhost":
##     modules:
##       mod_echo:
##         host: "mirror.localhost"

allow_contrib_modules: true

###.
###'
### Local Variables:
### mode: yaml
### End:
### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker:

--------------------------------------------------------------------------------
/conf/ejabberd/ejabberd-18.04.yml:
--------------------------------------------------------------------------------
################################################################################
################################################################################
################################################################################

### This is the configuration file for an instance of
### aenigma: The | state-of-the-art | secure-by-default | one-touch-deployed | XMPP server for everyone.
7 | ### for ejabberd XMPP server v18.04 8 | 9 | ### aenigma is an openspace project [openspace.xxx] 10 | ### initial commit by nz on 2017-09-23 11 | ### https://aenigma.xyz | https://github.com/openspace42/aenigma/ 12 | 13 | ################################################################################ 14 | ################################################################################ 15 | ################################################################################ 16 | 17 | ###. ======= 18 | ###' LOGGING 19 | 20 | loglevel: 4 21 | 22 | log_rotate_size: 10485760 23 | log_rotate_date: "" 24 | log_rotate_count: 1 25 | log_rate_limit: 100 26 | 27 | ###. =============== 28 | ###' NODE PARAMETERS 29 | 30 | ## net_ticktime: 60 31 | 32 | ###. ================ 33 | ###' SERVED HOSTNAMES 34 | 35 | hosts: 36 | - "domain.xyz" 37 | 38 | ## route_subdomains: s2s 39 | 40 | ###. ============ 41 | ###' Certificates 42 | 43 | certfiles: 44 | - "/etc/ssl/aenigma/*.pem" 45 | 46 | ###. ================= 47 | ###' TLS configuration 48 | 49 | ### aenigma notice 50 | ### to enable state-of-the-art, NOT backwards-compatible TLS encryption 51 | ### [breaking all bridges with legacy servers and therefore the rest of XMPP community] 52 | ### simply set: | s2s_protocol_options: 'TLSOPTS' | and | s2s_ciphers: 'CIPHERS' | 53 | 54 | ###. 
=============== 55 | ###' LISTENING PORTS 56 | 57 | 58 | define_macro: 59 | 60 | 'DHFILE': "/etc/ssl/aenigma/dh.pem" 61 | 'CIPHERS': "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" 62 | 'S2SCIPHERS': "HIGH:!MEDIUM:!LOW:!3DES:!CAMELLIA:!aNULL@STRENGTH" 63 | 'TLSOPTS': 64 | - "no_sslv3" 65 | - "no_tlsv1" 66 | - "no_tlsv1_1" 67 | - "cipher_server_preference" 68 | - "no_compression" 69 | 'S2STLSOPTS': 70 | - "no_sslv3" 71 | - "cipher_server_preference" 72 | - "no_compression" 73 | 74 | listen: 75 | - 76 | port: 5222 77 | ip: "::" 78 | module: ejabberd_c2s 79 | starttls: true 80 | protocol_options: 'TLSOPTS' 81 | dhfile: 'DHFILE' 82 | ciphers: 'CIPHERS' 83 | starttls_required: true 84 | zlib: true 85 | max_stanza_size: 65536 86 | shaper: c2s_shaper 87 | access: c2s 88 | - 89 | port: 5223 90 | ip: "::" 91 | module: ejabberd_c2s 92 | protocol_options: 'TLSOPTS' 93 | dhfile: 'DHFILE' 94 | ciphers: 'CIPHERS' 95 | tls: true 96 | zlib: true 97 | max_stanza_size: 65536 98 | shaper: c2s_shaper 99 | access: c2s 100 | - 101 | port: 5269 102 | ip: "::" 103 | module: ejabberd_s2s_in 104 | max_stanza_size: 131072 105 | shaper: s2s_shaper 106 | - 107 | port: 5280 108 | ip: "::" 109 | module: ejabberd_http 110 | request_handlers: 111 | "/ws": ejabberd_http_ws 112 | "/bosh": mod_bosh 113 | "/api": mod_http_api 114 | ## "/pub/archive": mod_http_fileserver 115 | web_admin: true 116 | http_poll: true 117 | http_bind: true 118 | ## register: true 119 | captcha: false 120 | 121 | ## - 122 | ## port: 8888 123 | ## ip: "::" 124 | ## module: ejabberd_service 125 | ## access: all 126 | ## shaper_rule: fast 127 | ## ip: "127.0.0.1" 128 | ## privilege_access: 129 | ## roster: "both" 130 | ## message: "outgoing" 131 | ## presence: "roster" 132 | ## delegations: 133 | ## "urn:xmpp:mam:1": 134 | ## filtering: ["node"] 135 | ## "http://jabber.org/protocol/pubsub": 136 | ## filtering: [] 137 | ## hosts: 138 | ## "icq.example.org": 139 | ## password: "secret" 140 | ## "sms.example.org": 141 | ## 
password: "secret" 142 | 143 | ## - 144 | ## port: 3478 145 | ## transport: udp 146 | ## module: ejabberd_stun 147 | 148 | ## - 149 | ## port: 4560 150 | ## ip: "::" 151 | ## module: ejabberd_xmlrpc 152 | ## maxsessions: 10 153 | ## timeout: 5000 154 | ## access_commands: 155 | ## admin: 156 | ## commands: all 157 | ## options: [] 158 | 159 | - 160 | port: 5444 161 | ip: "::" 162 | module: ejabberd_http 163 | request_handlers: 164 | "": mod_http_upload 165 | tls: true 166 | protocol_options: 'TLSOPTS' 167 | dhfile: 'DHFILE' 168 | ciphers: 'CIPHERS' 169 | 170 | disable_sasl_mechanisms: "digest-md5" 171 | 172 | ###. ================== 173 | ###' S2S GLOBAL OPTIONS 174 | 175 | s2s_use_starttls: required 176 | s2s_dhfile: 'DHFILE' 177 | s2s_protocol_options: 'S2STLSOPTS' 178 | s2s_ciphers: 'S2SCIPHERS' 179 | 180 | ## s2s_access: s2s 181 | 182 | ## outgoing_s2s_families: 183 | ## - ipv4 184 | ## - ipv6 185 | ## outgoing_s2s_timeout: 190 186 | 187 | ###. ============== 188 | ###' AUTHENTICATION 189 | 190 | auth_method: internal 191 | 192 | auth_password_format: scram 193 | 194 | ## fqdn: "server3.example.com" 195 | 196 | ## auth_method: external 197 | ## extauth_program: "/path/to/authentication/script" 198 | ## auth_method: sql 199 | ## auth_method: pam 200 | ## pam_service: "pamservicename" 201 | 202 | ## auth_method: ldap 203 | ## ldap_servers: 204 | ## - "localhost" 205 | ## ldap_encrypt: none 206 | ## ldap_encrypt: tls 207 | ## ldap_port: 389 208 | ## ldap_port: 636 209 | ## ldap_rootdn: "dc=example,dc=com" 210 | ## ldap_password: "******" 211 | ## ldap_base: "dc=example,dc=com" 212 | ## ldap_uids: 213 | ## - "mail": "%u@mail.example.org" 214 | ## ldap_filter: "(objectClass=shadowAccount)" 215 | 216 | ## auth_method: anonymous 217 | ## anonymous_protocol: sasl_anon | login_anon | both 218 | ## allow_multiple_connections: true | false 219 | 220 | ## host_config: 221 | ## "public.example.org": 222 | ## auth_method: anonymous 223 | ## allow_multiple_connections: false 
##     anonymous_protocol: sasl_anon

## host_config:
##   "public.example.org":
##     auth_method:
##       - internal
##       - anonymous

###.  ==============
###'  DATABASE SETUP

## pgsql_users_number_estimate: true

###.  ===============
###'  TRAFFIC SHAPERS

shaper:
  normal: 1000
  fast: 50000

max_fsm_queue: 10000
###.  ====================
###'  ACCESS CONTROL LISTS
acl:
  ##
  ## The 'admin' ACL grants administrative privileges to XMPP accounts.
  ## You can put here as many accounts as you want.
  ##
  admin:
    user:
      - "admin@domain.xyz"

  ## blocked:
  ##   user:
  ##     - "baduser@example.org"
  ##     - "test"

  local:
    user_regexp: ""

  ## jabberorg:
  ##   server:
  ##     - "jabber.org"
  ## aleksey:
  ##   user:
  ##     - "aleksey@jabber.ru"
  ## test:
  ##   user_regexp: "^test"
  ##   user_glob: "test*"

  loopback:
    ip:
      - "127.0.0.0/8"
      - "::1/128"
      - "::FFFF:127.0.0.1/128"

  ## bad_servers:
  ##   server:
  ##     - "xmpp.zombie.org"
  ##     - "xmpp.spam.com"

## host_config:
##   "localhost":
##     acl:
##       admin:
##         user:
##           - "bob-local@localhost"

###.  ============
###'  SHAPER RULES

shaper_rules:
  ## Maximum number of simultaneous sessions allowed for a single user:
  max_user_sessions: 24
  ## Maximum number of offline messages that users can have:
  max_user_offline_messages:
    - 16384: admin
    - 8192
  ## For C2S connections, all users except admins use the "normal" shaper
  c2s_shaper:
    - none: admin
    - normal
  ## All S2S connections use the "fast" shaper
  s2s_shaper: fast

###.  ============
###'  ACCESS RULES
access_rules:
  ## This rule allows access only for local users:
  local:
    - allow: local
  ## Only non-blocked users can use c2s connections:
  c2s:
    - deny: blocked
    - allow
  ## Only admins can send announcement messages:
  announce:
    - allow: admin
  ## Only admins can use the configuration interface:
  configure:
    - allow: admin
  ## Only accounts of the local ejabberd server can create rooms:
  muc_create:
    - allow: local
  ## Only accounts on the local ejabberd server can create Pubsub nodes:
  pubsub_createnode:
    - allow: local
  ## In-band registration allows registration of any possible username.
  ## To disable in-band registration, replace 'allow' with 'deny'.
  register:
    - allow
  ## Only allow to register from localhost
  trusted_network:
    - allow: loopback
  ## Do not establish S2S connections with bad servers
  ## If you enable this you also have to uncomment "s2s_access: s2s"
  ## s2s:
  ##   - deny:
  ##     - ip: "XXX.XXX.XXX.XXX/32"
  ##   - deny:
  ##     - ip: "XXX.XXX.XXX.XXX/32"
  ##   - allow

api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      - access:
          - allow:
            - acl: loopback
            - acl: admin
      - oauth:
        - scope: "ejabberd:admin"
        - access:
            - allow:
              - acl: loopback
              - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      - ip: "127.0.0.1/8"
    what:
      - "status"
      - "connected_users_number"
## registration_timeout: 600

## host_config:
##   "localhost":
##     access:
##       c2s:
##         - allow: admin
##         - deny
##       register:
##         - deny

###.  ================
###'  DEFAULT LANGUAGE
language: "en"

## host_config:
##   "localhost":
##     language: "ru"

###.  =======
###'  CAPTCHA

## captcha_cmd: "/opt/ejabberd-17.09/lib/ejabberd-17.09/priv/bin/captcha.sh"

## captcha_host: "domain.xyz:5280"

## captcha_limit: 5

###.  ====
###'  ACME
##
## In order to use the acme certificate acquiring through "Let's Encrypt"
## an http listener has to be configured to listen to port 80 so that
## the authorization challenges posed by "Let's Encrypt" can be solved.
##
## A simple way of doing this would be to add the following in the listening
## section and to configure port forwarding from 80 to 5280 either via NAT
## (for ipv4 only) or using frontends such as haproxy/nginx/sslh/etc.
##   -
##     port: 5280
##     ip: "::"
##     module: ejabberd_http

## acme:

  ## A contact mail that the ACME Certificate Authority can contact in case of
  ## an authorization issue, such as a server-initiated certificate revocation.
  ## It is not mandatory to provide an email address but it is highly suggested.
  ## contact: "mailto:example-admin@example.com"


  ## The ACME Certificate Authority URL.
  ## This could either be:
  ##   - https://acme-v01.api.letsencrypt.org - (Default) for the production CA
  ##   - https://acme-staging.api.letsencrypt.org - for the staging CA
  ##   - http://localhost:4000 - for a local version of the CA
  ## ca_url: "https://acme-v01.api.letsencrypt.org"
###.  =======
###'  MODULES
modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce: # recommends mod_adhoc
    access: announce
  mod_blocking: {} # requires mod_privacy
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {} # requires mod_adhoc
  ## mod_delegation: {} # for xep0356
  mod_disco: {}
  mod_echo:
    host: "xe.@HOST@"
  mod_irc:
    host: "xi.@HOST@"
  mod_bosh: {}
  mod_http_fileserver:
    docroot: "/var/www/ejabberd/"
    accesslog: "/var/log/ejabberd/www_access.log"
  mod_http_upload:
    host: "xu.@HOST@"
    docroot: "@HOME@/uploads"
    put_url: "https://xu.@HOST@:443"
    thumbnail: false # otherwise needs the identify command from ImageMagick installed
    max_size: 262144000
    file_mode: "0640"
    dir_mode: "2750"
    access:
      - allow
  mod_http_upload_quota:
    max_days: 120
  mod_last: {}
  mod_mix:
    host: "xm.@HOST@"
  mod_muc:
    host: "xc.@HOST@"
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
    history_size: 42
    default_room_options:
      mam: true
      allow_subscription: true
  mod_muc_admin: {}
  ## mod_muc_log: {}
  ## mod_multicast: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  ## mod_pres_counter:
  ##   count: 5
  ##   interval: 60
  mod_privacy: {}
  mod_private: {}
  ## mod_proxy65: {}
  mod_pubsub:
    host: "xp.@HOST@"
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: false
    last_item_cache: false
    max_items_node: 1000
    default_node_config:
      max_items: 1000
    plugins:
      - "flat"
      - "hometree"
      - "pep" # pep requires mod_caps
  mod_push:
    include_sender: true
    include_body: true
  mod_push_keepalive: {}
  mod_register:
    ## captcha_protected: true
    ## password_strength: 32
    welcome_message:
      subject: "Hello world"
      body: |-
        Hi there!
        Happy to see you onboard.
        This is the aenigma XMPP server at hostname.xyz hosting domain domain.xyz.
        The admin for this instance is admin@domain.xyz.
        https://aenigma.xyz

    registration_watchers:
      - "admin@domain.xyz"

    ### ip_access: trusted_network

    access_from: allow

    access: register
  mod_roster:
    versioning: true
    store_current_id: true
  mod_shared_roster: {}
  mod_stats: {}
  mod_time: {}
  mod_vcard:
    search: false
  mod_vcard_xupdate: {}
  mod_avatar: {}
  mod_version: {}
  mod_stream_mgmt:
    resend_on_timeout: if_offline
  mod_mam:
    default: always
    cache_size: 1048576
    cache_life_time: 2678400
  mod_s2s_dialback: {}
  mod_http_api: {}
  mod_fail2ban: {}

## host_config:
##   "localhost":
##     modules:
##       mod_echo:
##         host: "mirror.localhost"

allow_contrib_modules: true

###.
###'
### Local Variables:
### mode: yaml
### End:
### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker:
--------------------------------------------------------------------------------
/conf/ejabberd/ejabberd-18.06.yml:
--------------------------------------------------------------------------------
################################################################################
################################################################################
################################################################################

### This is the configuration file for an instance of
### aenigma: The | state-of-the-art | secure-by-default | one-touch-deployed | XMPP server for everyone.
### for ejabberd XMPP server v18.06

### aenigma is an openspace project [openspace.xxx]
### initial commit by nz on 2017-09-23
### https://aenigma.xyz | https://github.com/openspace42/aenigma/

################################################################################
################################################################################
################################################################################

###.  =======
###'  LOGGING

loglevel: 4

log_rotate_size: 10485760
log_rotate_date: ""
log_rotate_count: 1
log_rate_limit: 100

###.  ===============
###'  NODE PARAMETERS

## net_ticktime: 60

###.  ================
###'  SERVED HOSTNAMES

hosts:
  - "domain.xyz"

## route_subdomains: s2s

###.  ============
###'  Certificates

certfiles:
  - "/etc/ssl/aenigma/*.pem"

###.  =================
###'  TLS configuration

### aenigma notice
### to enable state-of-the-art, NOT backwards-compatible TLS encryption
### [breaking all bridges with legacy servers and therefore the rest of XMPP community]
### simply set: | s2s_protocol_options: 'TLSOPTS' | and | s2s_ciphers: 'CIPHERS' |

###.  ===============
###'  LISTENING PORTS


define_macro:

  'DHFILE': "/etc/ssl/aenigma/dh.pem"
  'CIPHERS': "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
  'S2SCIPHERS': "HIGH:!MEDIUM:!LOW:!3DES:!CAMELLIA:!aNULL@STRENGTH"
  'TLSOPTS':
    - "no_sslv3"
    - "no_tlsv1"
    - "no_tlsv1_1"
    - "cipher_server_preference"
    - "no_compression"
  'S2STLSOPTS':
    - "no_sslv3"
    - "cipher_server_preference"
    - "no_compression"

listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    starttls: true
    protocol_options: 'TLSOPTS'
    ### dhfile: 'DHFILE'
    ciphers: 'CIPHERS'
    starttls_required: true
    zlib: true
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
  -
    port: 5223
    ip: "::"
    module: ejabberd_c2s
    protocol_options: 'TLSOPTS'
    ### dhfile: 'DHFILE'
    ciphers: 'CIPHERS'
    tls: true
    zlib: true
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
  -
    port: 5269
    ip: "::"
    module: ejabberd_s2s_in
    max_stanza_size: 131072
    shaper: s2s_shaper
  -
    port: 5280
    ip: "::"
    module: ejabberd_http
    request_handlers:
      "/ws": ejabberd_http_ws
      "/bosh": mod_bosh
      "/api": mod_http_api
      ## "/pub/archive": mod_http_fileserver
    web_admin: true
    http_poll: true
    http_bind: true
    ## register: true
    captcha: false

  ## -
  ##   port: 8888
  ##   ip: "::"
  ##   module: ejabberd_service
  ##   access: all
  ##   shaper_rule: fast
  ##   ip: "127.0.0.1"
  ##   privilege_access:
  ##      roster: "both"
  ##      message: "outgoing"
  ##      presence: "roster"
  ##   delegations:
  ##      "urn:xmpp:mam:1":
  ##        filtering: ["node"]
  ##      "http://jabber.org/protocol/pubsub":
  ##        filtering: []
  ##   hosts:
  ##     "icq.example.org":
  ##       password: "secret"
  ##     "sms.example.org":
  ##       password: "secret"

  ## -
  ##   port: 3478
  ##   transport: udp
  ##   module: ejabberd_stun

  ## -
  ##   port: 4560
  ##   ip: "::"
  ##   module: ejabberd_xmlrpc
  ##   maxsessions: 10
  ##   timeout: 5000
  ##   access_commands:
  ##     admin:
  ##       commands: all
  ##       options: []

  -
    port: 5444
    ip: "::"
    module: ejabberd_http
    request_handlers:
      "": mod_http_upload
    tls: true
    protocol_options: 'TLSOPTS'
    ### dhfile: 'DHFILE'
    ciphers: 'CIPHERS'

disable_sasl_mechanisms: "digest-md5"

###.  ==================
###'  S2S GLOBAL OPTIONS

s2s_use_starttls: required
### s2s_dhfile: 'DHFILE'
s2s_protocol_options: 'S2STLSOPTS'
s2s_ciphers: 'S2SCIPHERS'

## s2s_access: s2s

## outgoing_s2s_families:
##   - ipv4
##   - ipv6
## outgoing_s2s_timeout: 190

###.  ==============
###'  AUTHENTICATION

auth_method: internal

auth_password_format: scram

## fqdn: "server3.example.com"

## auth_method: external
## extauth_program: "/path/to/authentication/script"
## auth_method: sql
## auth_method: pam
## pam_service: "pamservicename"

## auth_method: ldap
## ldap_servers:
##   - "localhost"
## ldap_encrypt: none
## ldap_encrypt: tls
## ldap_port: 389
## ldap_port: 636
## ldap_rootdn: "dc=example,dc=com"
## ldap_password: "******"
## ldap_base: "dc=example,dc=com"
## ldap_uids:
##   - "mail": "%u@mail.example.org"
## ldap_filter: "(objectClass=shadowAccount)"

## auth_method: anonymous
## anonymous_protocol: sasl_anon | login_anon | both
## allow_multiple_connections: true | false

## host_config:
##   "public.example.org":
##     auth_method: anonymous
##     allow_multiple_connections: false
##     anonymous_protocol: sasl_anon

## host_config:
##   "public.example.org":
##     auth_method:
##       - internal
##       - anonymous

###.  ==============
###'  DATABASE SETUP

## pgsql_users_number_estimate: true

###.  ===============
###'  TRAFFIC SHAPERS

shaper:
  normal: 1000
  fast: 50000

max_fsm_queue: 10000
###.  ====================
###'  ACCESS CONTROL LISTS
acl:
  ##
  ## The 'admin' ACL grants administrative privileges to XMPP accounts.
  ## You can put here as many accounts as you want.
  ##
  admin:
    user:
      - "admin@domain.xyz"

  ## blocked:
  ##   user:
  ##     - "baduser@example.org"
  ##     - "test"

  local:
    user_regexp: ""

  ## jabberorg:
  ##   server:
  ##     - "jabber.org"
  ## aleksey:
  ##   user:
  ##     - "aleksey@jabber.ru"
  ## test:
  ##   user_regexp: "^test"
  ##   user_glob: "test*"

  loopback:
    ip:
      - "127.0.0.0/8"
      - "::1/128"
      - "::FFFF:127.0.0.1/128"

  ## bad_servers:
  ##   server:
  ##     - "xmpp.zombie.org"
  ##     - "xmpp.spam.com"

## host_config:
##   "localhost":
##     acl:
##       admin:
##         user:
##           - "bob-local@localhost"

###.  ============
###'  SHAPER RULES

shaper_rules:
  ## Maximum number of simultaneous sessions allowed for a single user:
  max_user_sessions: 24
  ## Maximum number of offline messages that users can have:
  max_user_offline_messages:
    - 16384: admin
    - 8192
  ## For C2S connections, all users except admins use the "normal" shaper
  c2s_shaper:
    - none: admin
    - normal
  ## All S2S connections use the "fast" shaper
  s2s_shaper: fast

###.  ============
###'  ACCESS RULES
access_rules:
  ## This rule allows access only for local users:
  local:
    - allow: local
  ## Only non-blocked users can use c2s connections:
  c2s:
    - deny: blocked
    - allow
  ## Only admins can send announcement messages:
  announce:
    - allow: admin
  ## Only admins can use the configuration interface:
  configure:
    - allow: admin
  ## Only accounts of the local ejabberd server can create rooms:
  muc_create:
    - allow: local
  ## Only accounts on the local ejabberd server can create Pubsub nodes:
  pubsub_createnode:
    - allow: local
  ## In-band registration allows registration of any possible username.
  ## To disable in-band registration, replace 'allow' with 'deny'.
  register:
    - allow
  ## Only allow to register from localhost
  trusted_network:
    - allow: loopback
  ## Do not establish S2S connections with bad servers
  ## If you enable this you also have to uncomment "s2s_access: s2s"
  ## s2s:
  ##   - deny:
  ##     - ip: "XXX.XXX.XXX.XXX/32"
  ##   - deny:
  ##     - ip: "XXX.XXX.XXX.XXX/32"
  ##   - allow

api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      - access:
          - allow:
            - acl: loopback
            - acl: admin
      - oauth:
        - scope: "ejabberd:admin"
        - access:
            - allow:
              - acl: loopback
              - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      - ip: "127.0.0.1/8"
    what:
      - "status"
      - "connected_users_number"
## registration_timeout: 600

## host_config:
##   "localhost":
##     access:
##       c2s:
##         - allow: admin
##         - deny
##       register:
##         - deny

###.  ================
###'  DEFAULT LANGUAGE
language: "en"

## host_config:
##   "localhost":
##     language: "ru"

###.  =======
###'  CAPTCHA

## captcha_cmd: "/opt/ejabberd-17.09/lib/ejabberd-17.09/priv/bin/captcha.sh"

## captcha_host: "domain.xyz:5280"

## captcha_limit: 5

###.  ====
###'  ACME
##
## In order to use the acme certificate acquiring through "Let's Encrypt"
## an http listener has to be configured to listen to port 80 so that
## the authorization challenges posed by "Let's Encrypt" can be solved.
##
## A simple way of doing this would be to add the following in the listening
## section and to configure port forwarding from 80 to 5280 either via NAT
## (for ipv4 only) or using frontends such as haproxy/nginx/sslh/etc.
##   -
##     port: 5280
##     ip: "::"
##     module: ejabberd_http

## acme:

  ## A contact mail that the ACME Certificate Authority can contact in case of
  ## an authorization issue, such as a server-initiated certificate revocation.
  ## It is not mandatory to provide an email address but it is highly suggested.
  ## contact: "mailto:example-admin@example.com"


  ## The ACME Certificate Authority URL.
  ## This could either be:
  ##   - https://acme-v01.api.letsencrypt.org - (Default) for the production CA
  ##   - https://acme-staging.api.letsencrypt.org - for the staging CA
  ##   - http://localhost:4000 - for a local version of the CA
  ## ca_url: "https://acme-v01.api.letsencrypt.org"
###.  =======
###'  MODULES
modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce: # recommends mod_adhoc
    access: announce
  mod_blocking: {} # requires mod_privacy
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {} # requires mod_adhoc
  ## mod_delegation: {} # for xep0356
  mod_disco: {}
  mod_echo:
    host: "xe.@HOST@"
  mod_bosh: {}
  mod_http_fileserver:
    docroot: "/var/www/ejabberd/"
    accesslog: "/var/log/ejabberd/www_access.log"
  mod_http_upload:
    host: "xu.@HOST@"
    docroot: "@HOME@/uploads"
    put_url: "https://xu.@HOST@:443"
    thumbnail: false # otherwise needs the identify command from ImageMagick installed
    max_size: 262144000
    file_mode: "0640"
    dir_mode: "2750"
    access:
      - allow
  mod_http_upload_quota:
    max_days: 120
  mod_last: {}
  mod_mix:
    host: "xm.@HOST@"
  mod_muc:
    host: "xc.@HOST@"
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
    history_size: 42
    default_room_options:
      mam: true
      allow_subscription: true
  mod_muc_admin: {}
  ## mod_muc_log: {}
  ## mod_multicast: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  ## mod_pres_counter:
  ##   count: 5
  ##   interval: 60
  mod_privacy: {}
  mod_private: {}
  ## mod_proxy65: {}
  mod_pubsub:
    host: "xp.@HOST@"
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: false
    last_item_cache: false
    max_items_node: 1000
    default_node_config:
      max_items: 1000
    plugins:
      - "flat"
      - "hometree"
      - "pep" # pep requires mod_caps
  mod_push:
    include_sender: true
    include_body: true
  mod_push_keepalive: {}
  mod_register:
    ## captcha_protected: true
    ## password_strength: 32
    welcome_message:
      subject: "Hello world"
      body: |-
        Hi there!
        Happy to see you onboard.
        This is the aenigma XMPP server at hostname.xyz hosting domain domain.xyz.
        The admin for this instance is admin@domain.xyz.
        https://aenigma.xyz

    registration_watchers:
      - "admin@domain.xyz"

    ### ip_access: trusted_network

    access_from: allow

    access: register
  mod_roster:
    versioning: true
    store_current_id: true
  mod_shared_roster: {}
  mod_stats: {}
  mod_time: {}
  mod_vcard:
    search: false
  mod_vcard_xupdate: {}
  mod_avatar: {}
  mod_version: {}
  mod_stream_mgmt:
    resend_on_timeout: if_offline
  mod_mam:
    default: always
    cache_size: 1048576
    cache_life_time: 2678400
  mod_s2s_dialback: {}
  mod_http_api: {}
  mod_fail2ban: {}

## host_config:
##   "localhost":
##     modules:
##       mod_echo:
##         host: "mirror.localhost"

allow_contrib_modules: true

###.
###'
### Local Variables:
### mode: yaml
### End:
### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker:
--------------------------------------------------------------------------------
/conf/ejabberd/ejabberd-18.09.yml:
--------------------------------------------------------------------------------
################################################################################
################################################################################
################################################################################

### This is the configuration file for an instance of
### aenigma: The | state-of-the-art | secure-by-default | one-touch-deployed | XMPP server for everyone.
### for ejabberd XMPP server v18.09

### aenigma is an openspace project [openspace.xxx]
### initial commit by nz on 2017-09-23
### https://aenigma.xyz | https://github.com/openspace42/aenigma/

################################################################################
################################################################################
################################################################################

hosts:
  - "domain.xyz"

loglevel: 4
log_rotate_size: 10485760
log_rotate_date: ""
log_rotate_count: 1
log_rate_limit: 100

certfiles:
  - "/etc/ssl/aenigma/*.pem"

### aenigma notice
### to enable state-of-the-art, NOT backwards-compatible TLS encryption
### [breaking all bridges with legacy servers and therefore the rest of XMPP community]
### simply set: | s2s_protocol_options: 'TLSOPTS' | and | s2s_ciphers: 'CIPHERS' |

define_macro:

  'DHFILE': "/etc/ssl/aenigma/dh.pem"
  'CIPHERS': "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
  'S2SCIPHERS': "HIGH:!MEDIUM:!LOW:!3DES:!CAMELLIA:!aNULL@STRENGTH"
  'TLSOPTS':
    - "no_sslv3"
    - "no_tlsv1"
    - "no_tlsv1_1"
    - "cipher_server_preference"
    - "no_compression"
  'S2STLSOPTS':
    - "no_sslv3"
    - "cipher_server_preference"
    - "no_compression"

listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    starttls_required: true
    starttls: true
    protocol_options: 'TLSOPTS'
    ### dhfile: 'DHFILE'
    ciphers: 'CIPHERS'
    zlib: true
  -
    port: 5223
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    tls: true
    protocol_options: 'TLSOPTS'
    ### dhfile: 'DHFILE'
    ciphers: 'CIPHERS'
    zlib: true
  -
    port: 5269
    ip: "::"
    module: ejabberd_s2s_in
    max_stanza_size: 524288
    shaper: s2s_shaper
  -
    port: 5280
    ip: "::"
    module: ejabberd_http
    request_handlers:
      "/api": mod_http_api
      "/bosh": mod_bosh
      "/upload": mod_http_upload
      "/ws": ejabberd_http_ws
    web_admin: true
    captcha: true
    http_bind: true

  ## -
  ##   port: 8888
  ##   ip: "::"
  ##   module: ejabberd_service
  ##   access: all
  ##   shaper_rule: fast
  ##   ip: "127.0.0.1"
  ##   privilege_access:
  ##      roster: "both"
  ##      message: "outgoing"
  ##      presence: "roster"
  ##   delegations:
  ##      "urn:xmpp:mam:1":
  ##        filtering: ["node"]
  ##      "http://jabber.org/protocol/pubsub":
  ##        filtering: []
  ##   hosts:
  ##     "icq.example.org":
  ##       password: "secret"
  ##     "sms.example.org":
  ##       password: "secret"

  ## -
  ##   port: 3478
  ##   transport: udp
  ##   module: ejabberd_stun

  ## -
  ##   port: 4560
  ##   ip: "::"
  ##   module: ejabberd_xmlrpc
  ##   maxsessions: 10
  ##   timeout: 5000
  ##   access_commands:
  ##     admin:
  ##       commands: all
  ##       options: []

  -
    port: 5444
    ip: "::"
    module: ejabberd_http
    request_handlers:
      "": mod_http_upload
    tls: true
    protocol_options: 'TLSOPTS'
    ### dhfile: 'DHFILE'
    ciphers: 'CIPHERS'

disable_sasl_mechanisms: "digest-md5"

acl:
  admin:
    user:
      - "admin@domain.xyz"
  local:
    user_regexp: ""
  loopback:
    ip:
      - "127.0.0.0/8"
      - "::1/128"
      - "::FFFF:127.0.0.1/128"

s2s_use_starttls: required
### s2s_dhfile: 'DHFILE'
s2s_protocol_options: 'S2STLSOPTS'
s2s_ciphers: 'S2SCIPHERS'

## s2s_access: s2s

## outgoing_s2s_families:
##   - ipv4
##   - ipv6
## outgoing_s2s_timeout: 190

auth_method: internal

auth_password_format: scram

## fqdn: "server3.example.com"

## auth_method: external
## extauth_program: "/path/to/authentication/script"
## auth_method: sql
## auth_method: pam
## pam_service: "pamservicename"

## auth_method: ldap
## ldap_servers:
##   - "localhost"
## ldap_encrypt: none
## ldap_encrypt: tls
## ldap_port: 389
## ldap_port: 636
## ldap_rootdn: "dc=example,dc=com"
## ldap_password: "******"
## ldap_base: "dc=example,dc=com"
## ldap_uids:
##   - "mail": "%u@mail.example.org"
## ldap_filter: "(objectClass=shadowAccount)"

## auth_method: anonymous
## anonymous_protocol: sasl_anon | login_anon | both
## allow_multiple_connections: true | false

## host_config:
##   "public.example.org":
##     auth_method: anonymous
##     allow_multiple_connections: false
##     anonymous_protocol: sasl_anon

## host_config:
##   "public.example.org":
##     auth_method:
##       - internal
##       - anonymous

## pgsql_users_number_estimate: true

access_rules:
  local:
    - allow: local
  c2s:
    - deny: blocked
    - allow
  announce:
    - allow: admin
  configure:
    - allow: admin
  muc_create:
    - allow: local
  pubsub_createnode:
    - allow: local
  register:
    - allow
  trusted_network:
    - allow: loopback

api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      - access:
          - allow:
            - acl: loopback
            - acl: admin
      - oauth:
        - scope: "ejabberd:admin"
        - access:
            - allow:
              - acl: loopback
              - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      - ip: "127.0.0.1/8"
    what:
      - "status"
      - "connected_users_number"
## registration_timeout: 600

## host_config:
##   "localhost":
##     access:
##       c2s:
##         - allow: admin
##         - deny
##       register:
##         - deny

shaper:
  normal: 1000
  fast: 50000

max_fsm_queue: 10000

shaper_rules:
  max_user_sessions: 24
  max_user_offline_messages:
    - 16384: admin
    - 8192
  c2s_shaper:
    - none: admin
    - normal
  s2s_shaper: fast

language: "en"

## host_config:
##   "localhost":
##     language: "ru"

## captcha_cmd: "/opt/ejabberd-17.09/lib/ejabberd-17.09/priv/bin/captcha.sh"

## captcha_host: "domain.xyz:5280"

## captcha_limit: 5

modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce:
    access: announce
  mod_avatar: {}
  mod_blocking: {}
  mod_bosh: {}
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {}
  mod_disco:
    server_info:
      -
        modules: all
        name: "abuse-addresses"
        urls: ["mailto:admin_mail"]
  mod_fail2ban: {}
  mod_http_api: {}
  mod_echo:
    host: "xe.@HOST@"
  mod_http_fileserver:
    docroot: "/var/www/ejabberd/"
    accesslog: "/var/log/ejabberd/www_access.log"
  mod_http_upload:
    host: "xu.@HOST@"
    docroot: "@HOME@/uploads"
    put_url: "https://xu.@HOST@:443"
    thumbnail: false # otherwise needs the identify command from ImageMagick installed
    max_size: 262144000
    file_mode: "0640"
    dir_mode: "2750"
    access:
      - allow
    custom_headers:
      "Access-Control-Allow-Origin": "*"
      "Access-Control-Allow-Credentials": "true"
      "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT"
      "Access-Control-Allow-Headers": "Authorization, Content-Type"
  mod_http_upload_quota:
    max_days: 3650
  mod_last: {}

  mod_mam:
    ## db_type: sql
    assume_mam_usage: true
    default: always
    cache_size: 1048576
    cache_life_time: 2678400
  mod_mix:
    host: "xm.@HOST@"
  mod_muc:
    host: "xc.@HOST@"
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
    history_size: 42
    default_room_options:
      mam: true
      allow_subscription: true
  mod_muc_admin: {}
  ## mod_muc_log: {}
  ## mod_multicast: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  ## mod_pres_counter:
  ##   count: 5
  ##   interval: 60
  mod_privacy: {}
  mod_private: {}
  ## mod_proxy65: {}
  mod_pubsub:
    host: "xp.@HOST@"
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: false
    last_item_cache: false
    max_items_node: 1000
    default_node_config:
      max_items: 1000
    plugins:
      - "flat"
      - "hometree"
      - "pep"
    force_node_config:
      "storage:bookmarks":
        access_model: whitelist
  mod_push:
    include_sender: true
    include_body: true
  mod_push_keepalive: {}
  mod_register:
    ## captcha_protected: true
    ## password_strength: 32
    welcome_message:
      subject: "Hello world"
      body: |-
        Hi there!
        Happy to see you onboard.
        This is the aenigma XMPP server at hostname.xyz hosting domain domain.xyz.
        The admin for this instance is admin@domain.xyz.
        https://aenigma.xyz
    registration_watchers:
      - "admin@domain.xyz"
    access_from: allow
    access: register
  mod_roster:
    versioning: true
    store_current_id: true
  mod_s2s_dialback: {}
  mod_shared_roster: {}
  mod_stats: {}
  mod_time: {}
  mod_stream_mgmt:
    resend_on_timeout: if_offline
  mod_vcard:
    host: "xv.@HOST@"
    search: true
    matches: infinity
    allow_return_all: true
  mod_vcard_xupdate: {}
  mod_version:
    show_os: false

## host_config:
##   "localhost":
##     modules:
##       mod_echo:
##         host: "mirror.localhost"

allow_contrib_modules: true

### Local Variables:
### mode: yaml
### End:
### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker:
--------------------------------------------------------------------------------
/conf/ejabberd/ejabberd-18.12.yml:
--------------------------------------------------------------------------------
################################################################################
################################################################################
################################################################################

### This is the configuration file for an instance of
### aenigma: The | state-of-the-art | secure-by-default | one-touch-deployed | XMPP server for everyone.
7 | ### for ejabberd XMPP server v18.12 8 | 9 | ### aenigma is an openspace project [openspace.xxx] 10 | ### initial commit by nz on 2017-09-23 11 | ### https://aenigma.xyz | https://github.com/openspace42/aenigma/ 12 | 13 | ################################################################################ 14 | ################################################################################ 15 | ################################################################################ 16 | 17 | hosts: 18 | - "domain.xyz" 19 | 20 | loglevel: 4 21 | log_rotate_size: 10485760 22 | log_rotate_date: "" 23 | log_rotate_count: 1 24 | log_rate_limit: 100 25 | 26 | certfiles: 27 | - "/etc/ssl/aenigma/*.pem" 28 | 29 | ### aenigma notice 30 | ### to enable state-of-the-art, NOT backwards-compatible TLS encryption 31 | ### [breaking all bridges with legacy servers and therefore the rest of XMPP community] 32 | ### simply set: | s2s_protocol_options: 'TLSOPTS' | and | s2s_ciphers: 'CIPHERS' | 33 | 34 | define_macro: 35 | 36 | 'DHFILE': "/etc/ssl/dhparam.pem" 37 | 'CIPHERS': "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" 38 | 'S2SCIPHERS': "HIGH:!MEDIUM:!LOW:!3DES:!CAMELLIA:!aNULL@STRENGTH" 39 | 'TLSOPTS': 40 | - "no_sslv3" 41 | - "no_tlsv1" 42 | - "no_tlsv1_1" 43 | - "cipher_server_preference" 44 | - "no_compression" 45 | 'S2STLSOPTS': 46 | - "no_sslv3" 47 | - "cipher_server_preference" 48 | - "no_compression" 49 | 50 | listen: 51 | - 52 | port: 5222 53 | ip: "::" 54 | module: ejabberd_c2s 55 | max_stanza_size: 262144 56 | shaper: c2s_shaper 57 | access: c2s 58 | starttls_required: true 59 | starttls: true 60 | protocol_options: 'TLSOPTS' 61 | ### dhfile: 'DHFILE' 62 | ciphers: 'CIPHERS' 63 | zlib: true 64 | - 65 | port: 5223 66 | ip: "::" 67 | module: ejabberd_c2s 68 | max_stanza_size: 262144 69 | shaper: c2s_shaper 70 | access: c2s 71 | tls: true 72 | protocol_options: 'TLSOPTS' 73 | ### dhfile: 'DHFILE' 74 | ciphers: 'CIPHERS' 75 | zlib: true 76 | - 77 | port: 5269 78 | ip: "::" 79 | 
module: ejabberd_s2s_in 80 | max_stanza_size: 524288 81 | shaper: s2s_shaper 82 | - 83 | port: 5443 84 | ip: "::" 85 | module: ejabberd_http 86 | request_handlers: 87 | "/api": mod_http_api 88 | "/bosh": mod_bosh 89 | "/upload": mod_http_upload 90 | "/ws": ejabberd_http_ws 91 | "/oauth": ejabberd_oauth 92 | web_admin: true 93 | captcha: true 94 | http_bind: true 95 | tls: true 96 | protocol_options: 'TLSOPTS' 97 | ### dhfile: 'DHFILE' 98 | ciphers: 'CIPHERS' 99 | ## zlib: true ##re-enable if 1902 supports zlib here 100 | 101 | ## - 102 | ## port: 8888 103 | ## ip: "::" 104 | ## module: ejabberd_service 105 | ## access: all 106 | ## shaper_rule: fast 107 | ## ip: "127.0.0.1" 108 | ## privilege_access: 109 | ## roster: "both" 110 | ## message: "outgoing" 111 | ## presence: "roster" 112 | ## delegations: 113 | ## "urn:xmpp:mam:1": 114 | ## filtering: ["node"] 115 | ## "http://jabber.org/protocol/pubsub": 116 | ## filtering: [] 117 | ## hosts: 118 | ## "icq.example.org": 119 | ## password: "secret" 120 | ## "sms.example.org": 121 | ## password: "secret" 122 | 123 | ## - 124 | ## port: 3478 125 | ## transport: udp 126 | ## module: ejabberd_stun 127 | 128 | ## - 129 | ## port: 4560 130 | ## ip: "::" 131 | ## module: ejabberd_xmlrpc 132 | ## maxsessions: 10 133 | ## timeout: 5000 134 | ## access_commands: 135 | ## admin: 136 | ## commands: all 137 | ## options: [] 138 | 139 | s2s_use_starttls: required 140 | ### s2s_dhfile: 'DHFILE' 141 | s2s_protocol_options: 'S2STLSOPTS' 142 | s2s_ciphers: 'S2SCIPHERS' 143 | 144 | ## s2s_access: s2s 145 | 146 | ## outgoing_s2s_families: 147 | ## - ipv4 148 | ## - ipv6 149 | ## outgoing_s2s_timeout: 190 150 | 151 | disable_sasl_mechanisms: "digest-md5" 152 | 153 | acl: 154 | admin: 155 | user: 156 | - "admin@domain.xyz" 157 | local: 158 | user_regexp: "" 159 | loopback: 160 | ip: 161 | - "127.0.0.0/8" 162 | - "::1/128" 163 | - "::FFFF:127.0.0.1/128" 164 | 165 | auth_method: sql 166 | 167 | auth_password_format: scram 168 | 169 | 
default_db: sql 170 | new_sql_schema: true 171 | sql_type: pgsql 172 | sql_server: "public_ipv4-var" 173 | sql_port: 5000 174 | sql_database: "ejabberd" 175 | sql_username: "ejabberd" 176 | sql_password: "ejabberd-psql-user-password-var" 177 | 178 | ## auth_method: ldap 179 | ## ldap_servers: 180 | ## - "localhost" 181 | ## ldap_encrypt: none 182 | ## ldap_encrypt: tls 183 | ## ldap_port: 389 184 | ## ldap_port: 636 185 | ## ldap_rootdn: "dc=example,dc=com" 186 | ## ldap_password: "******" 187 | ## ldap_base: "dc=example,dc=com" 188 | ## ldap_uids: 189 | ## - "mail": "%u@mail.example.org" 190 | ## ldap_filter: "(objectClass=shadowAccount)" 191 | 192 | ## auth_method: anonymous 193 | ## anonymous_protocol: sasl_anon | login_anon | both 194 | ## allow_multiple_connections: true | false 195 | 196 | ## host_config: 197 | ## "public.example.org": 198 | ## auth_method: anonymous 199 | ## allow_multiple_connections: false 200 | ## anonymous_protocol: sasl_anon 201 | 202 | ## host_config: 203 | ## "public.example.org": 204 | ## auth_method: 205 | ## - internal 206 | ## - anonymous 207 | 208 | pgsql_users_number_estimate: true 209 | 210 | access_rules: 211 | local: 212 | - allow: local 213 | c2s: 214 | - deny: blocked 215 | - allow 216 | announce: 217 | - allow: admin 218 | configure: 219 | - allow: admin 220 | muc_create: 221 | - allow: local 222 | pubsub_createnode: 223 | - allow: local 224 | register: 225 | - allow 226 | trusted_network: 227 | - allow: loopback 228 | 229 | api_permissions: 230 | "console commands": 231 | from: 232 | - ejabberd_ctl 233 | who: all 234 | what: "*" 235 | "admin access": 236 | who: 237 | - access: 238 | - allow: 239 | - acl: loopback 240 | - acl: admin 241 | - oauth: 242 | - scope: "ejabberd:admin" 243 | - access: 244 | - allow: 245 | - acl: loopback 246 | - acl: admin 247 | what: 248 | - "*" 249 | - "!stop" 250 | - "!start" 251 | "public commands": 252 | who: 253 | - ip: "127.0.0.1/8" 254 | what: 255 | - "status" 256 | - 
"connected_users_number" 257 | 258 | ## registration_timeout: 600 259 | 260 | ## host_config: 261 | ## "localhost": 262 | ## access: 263 | ## c2s: 264 | ## - allow: admin 265 | ## - deny 266 | ## register: 267 | ## - deny 268 | 269 | shaper: 270 | normal: 1000 271 | fast: 50000 272 | 273 | max_fsm_queue: 10000 274 | 275 | shaper_rules: 276 | max_user_sessions: 24 277 | max_user_offline_messages: 278 | - 16384: admin 279 | - 8192 280 | c2s_shaper: 281 | - none: admin 282 | - normal 283 | s2s_shaper: fast 284 | 285 | language: "en" 286 | 287 | ## host_config: 288 | ## "localhost": 289 | ## language: "ru" 290 | 291 | captcha_cmd: "/etc/ejabberd/captcha.sh" 292 | captcha_host: "127.0.0.1:5443" 293 | captcha_limit: 5 294 | 295 | modules: 296 | mod_adhoc: {} 297 | mod_admin_extra: {} 298 | mod_announce: 299 | access: announce 300 | mod_avatar: {} 301 | mod_blocking: {} 302 | mod_bosh: {} 303 | mod_caps: {} 304 | mod_carboncopy: {} 305 | mod_client_state: {} 306 | mod_configure: {} 307 | mod_disco: 308 | server_info: 309 | - 310 | modules: all 311 | name: "abuse-addresses" 312 | urls: ["mailto:admin_mail"] 313 | mod_fail2ban: {} 314 | mod_http_api: {} 315 | mod_http_upload: 316 | # host: "xh.@HOST@" 317 | # docroot: "@HOME@/uploads" 318 | put_url: "https://ae.@HOST@/upload" 319 | max_size: 262144000 320 | external_secret: "nginx_ejabberd_uploads_external_secret-var" 321 | # file_mode: "0640" 322 | # dir_mode: "2750" 323 | # access: 324 | # - allow 325 | # custom_headers: 326 | # "Access-Control-Allow-Origin": "*" 327 | # "Access-Control-Allow-Credentials": "true" 328 | # "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT" 329 | # "Access-Control-Allow-Headers": "Authorization, Content-Type" 330 | mod_http_upload_quota: 331 | max_days: 3650 332 | mod_last: {} 333 | mod_mam: 334 | db_type: sql 335 | assume_mam_usage: true 336 | default: always 337 | cache_size: 1048576 338 | cache_life_time: 2678400 339 | mod_mix: 340 | host: "xm.@HOST@" 341 | mod_muc: 342 | host: 
"xc.@HOST@" 343 | access: 344 | - allow 345 | access_admin: 346 | - allow: admin 347 | access_create: muc_create 348 | access_persistent: muc_create 349 | history_size: 42 350 | default_room_options: 351 | mam: true 352 | allow_subscription: true 353 | mod_muc_admin: {} 354 | ## mod_muc_log: {} 355 | ## mod_multicast: {} 356 | mod_offline: 357 | access_max_user_messages: max_user_offline_messages 358 | mod_ping: {} 359 | ## mod_pres_counter: 360 | ## count: 5 361 | ## interval: 60 362 | mod_privacy: {} 363 | mod_private: {} 364 | mod_proxy65: 365 | host: "xr.@HOST@" 366 | mod_pubsub: 367 | host: "xp.@HOST@" 368 | access_createnode: pubsub_createnode 369 | ignore_pep_from_offline: false 370 | last_item_cache: false 371 | max_items_node: 1000 372 | default_node_config: 373 | max_items: 1000 374 | plugins: 375 | - "flat" 376 | - "hometree" 377 | - "pep" 378 | force_node_config: 379 | "eu.siacs.conversations.axolotl.*": 380 | access_model: open 381 | "storage:bookmarks": 382 | access_model: whitelist 383 | mod_push: 384 | include_sender: true 385 | include_body: true 386 | mod_push_keepalive: {} 387 | mod_register: 388 | captcha_protected: true 389 | ## password_strength: 32 390 | welcome_message: 391 | subject: "Hello world" 392 | body: |- 393 | Hi there! 394 | Happy to see you onboard. 395 | This is the aenigma ejabberd XMPP server at hostname.xyz. 396 | The admin for this instance is admin@domain.xyz. 397 | Follow aenigma devs and community at xmpp:aenigma@xc.os.vu. 
398 | Find us online at: https://aenigma.xyz 399 | registration_watchers: 400 | - "admin@domain.xyz" 401 | access_from: allow 402 | access: register 403 | mod_roster: 404 | versioning: true 405 | store_current_id: true 406 | mod_s2s_dialback: {} 407 | mod_shared_roster: {} 408 | mod_stats: {} 409 | mod_time: {} 410 | mod_stream_mgmt: 411 | resend_on_timeout: if_offline 412 | mod_vcard: 413 | host: "xv.@HOST@" 414 | search: true 415 | matches: infinity 416 | allow_return_all: true 417 | mod_vcard_xupdate: {} 418 | mod_version: 419 | show_os: false 420 | 421 | ## host_config: 422 | ## "localhost": 423 | ## modules: 424 | ## mod_echo: 425 | ## host: "mirror.localhost" 426 | 427 | allow_contrib_modules: true 428 | 429 | ### Local Variables: 430 | ### mode: yaml 431 | ### End: 432 | ### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker: 433 | -------------------------------------------------------------------------------- /conf/ejabberd/ejabberd-19.02.yml: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | ################################################################################ 3 | ################################################################################ 4 | 5 | ### This is the configuration file for an instance of 6 | ### aenigma: The | state-of-the-art | secure-by-default | one-touch-deployed | XMPP server for everyone. 
7 | ### for ejabberd XMPP server v19.02 8 | 9 | ### aenigma is an openspace project [openspace.xxx] 10 | ### initial commit by Nz on 2017-09-23 11 | ### https://aenigma.xyz | https://github.com/openspace42/aenigma/ 12 | 13 | ################################################################################ 14 | ################################################################################ 15 | ################################################################################ 16 | 17 | hosts: 18 | - "domain.xyz" 19 | 20 | loglevel: 4 21 | log_rotate_size: 10485760 22 | log_rotate_date: "" 23 | log_rotate_count: 1 24 | log_rate_limit: 100 25 | 26 | certfiles: 27 | - "/etc/ssl/aenigma/*.pem" 28 | 29 | ### aenigma notice 30 | ### to enable state-of-the-art, NOT backwards-compatible TLS encryption 31 | ### [breaking all bridges with legacy servers and therefore the rest of XMPP community] 32 | ### simply set: | s2s_protocol_options: 'TLSOPTS' | and | s2s_ciphers: 'CIPHERS' | 33 | 34 | define_macro: 35 | 36 | 'DHFILE': "/etc/ssl/dhparam.pem" 37 | 'CIPHERS': "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" 38 | 'S2SCIPHERS': "HIGH:!MEDIUM:!LOW:!3DES:!CAMELLIA:!aNULL@STRENGTH" 39 | 'TLSOPTS': 40 | - "no_sslv3" 41 | - "no_tlsv1" 42 | - "no_tlsv1_1" 43 | - "cipher_server_preference" 44 | - "no_compression" 45 | 'S2STLSOPTS': 46 | - "no_sslv3" 47 | - "cipher_server_preference" 48 | - "no_compression" 49 | 50 | listen: 51 | - 52 | port: 5222 53 | ip: "::" 54 | module: ejabberd_c2s 55 | max_stanza_size: 262144 56 | shaper: c2s_shaper 57 | access: c2s 58 | starttls_required: true 59 | starttls: true 60 | protocol_options: 'TLSOPTS' 61 | ### dhfile: 'DHFILE' 62 | ciphers: 'CIPHERS' 63 | zlib: true 64 | - 65 | port: 5223 66 | ip: "::" 67 | module: ejabberd_c2s 
68 | max_stanza_size: 262144 69 | shaper: c2s_shaper 70 | access: c2s 71 | tls: true 72 | protocol_options: 'TLSOPTS' 73 | ### dhfile: 'DHFILE' 74 | ciphers: 'CIPHERS' 75 | zlib: true 76 | - 77 | port: 5269 78 | ip: "::" 79 | module: ejabberd_s2s_in 80 | max_stanza_size: 524288 81 | shaper: s2s_shaper 82 | - 83 | port: 5443 84 | ip: "::" 85 | module: ejabberd_http 86 | request_handlers: 87 | "/api": mod_http_api 88 | "/bosh": mod_bosh 89 | "/upload": mod_http_upload 90 | "/ws": ejabberd_http_ws 91 | "/oauth": ejabberd_oauth 92 | web_admin: true 93 | captcha: true 94 | http_bind: true 95 | tls: true 96 | protocol_options: 'TLSOPTS' 97 | ### dhfile: 'DHFILE' 98 | ciphers: 'CIPHERS' 99 | ## zlib: true ##re-enable if 1902 supports zlib here 100 | - 101 | port: 1883 102 | ip: "::" 103 | module: mod_mqtt 104 | backlog: 1000 105 | 106 | ## - 107 | ## port: 8888 108 | ## ip: "::" 109 | ## module: ejabberd_service 110 | ## access: all 111 | ## shaper_rule: fast 112 | ## ip: "127.0.0.1" 113 | ## privilege_access: 114 | ## roster: "both" 115 | ## message: "outgoing" 116 | ## presence: "roster" 117 | ## delegations: 118 | ## "urn:xmpp:mam:1": 119 | ## filtering: ["node"] 120 | ## "http://jabber.org/protocol/pubsub": 121 | ## filtering: [] 122 | ## hosts: 123 | ## "icq.example.org": 124 | ## password: "secret" 125 | ## "sms.example.org": 126 | ## password: "secret" 127 | 128 | ## - 129 | ## port: 3478 130 | ## transport: udp 131 | ## module: ejabberd_stun 132 | 133 | ## - 134 | ## port: 4560 135 | ## ip: "::" 136 | ## module: ejabberd_xmlrpc 137 | ## maxsessions: 10 138 | ## timeout: 5000 139 | ## access_commands: 140 | ## admin: 141 | ## commands: all 142 | ## options: [] 143 | 144 | s2s_use_starttls: required 145 | ### s2s_dhfile: 'DHFILE' 146 | s2s_protocol_options: 'S2STLSOPTS' 147 | s2s_ciphers: 'S2SCIPHERS' 148 | 149 | ## s2s_access: s2s 150 | 151 | ## outgoing_s2s_families: 152 | ## - ipv4 153 | ## - ipv6 154 | ## outgoing_s2s_timeout: 190 155 | 156 | 
disable_sasl_mechanisms: "digest-md5" 157 | 158 | acl: 159 | admin: 160 | user: 161 | - "admin@domain.xyz" 162 | local: 163 | user_regexp: "" 164 | loopback: 165 | ip: 166 | - "127.0.0.0/8" 167 | - "::1/128" 168 | - "::FFFF:127.0.0.1/128" 169 | 170 | auth_method: sql 171 | 172 | auth_password_format: scram 173 | 174 | default_db: sql 175 | new_sql_schema: true 176 | sql_type: pgsql 177 | sql_server: "public_ipv4-var" 178 | sql_port: 5000 179 | sql_database: "ejabberd" 180 | sql_username: "ejabberd" 181 | sql_password: "ejabberd-psql-user-password-var" 182 | 183 | ## auth_method: ldap 184 | ## ldap_servers: 185 | ## - "localhost" 186 | ## ldap_encrypt: none 187 | ## ldap_encrypt: tls 188 | ## ldap_port: 389 189 | ## ldap_port: 636 190 | ## ldap_rootdn: "dc=example,dc=com" 191 | ## ldap_password: "******" 192 | ## ldap_base: "dc=example,dc=com" 193 | ## ldap_uids: 194 | ## - "mail": "%u@mail.example.org" 195 | ## ldap_filter: "(objectClass=shadowAccount)" 196 | 197 | ## auth_method: anonymous 198 | ## anonymous_protocol: sasl_anon | login_anon | both 199 | ## allow_multiple_connections: true | false 200 | 201 | ## host_config: 202 | ## "public.example.org": 203 | ## auth_method: anonymous 204 | ## allow_multiple_connections: false 205 | ## anonymous_protocol: sasl_anon 206 | 207 | ## host_config: 208 | ## "public.example.org": 209 | ## auth_method: 210 | ## - internal 211 | ## - anonymous 212 | 213 | pgsql_users_number_estimate: true 214 | 215 | access_rules: 216 | local: 217 | - allow: local 218 | c2s: 219 | - deny: blocked 220 | - allow 221 | announce: 222 | - allow: admin 223 | configure: 224 | - allow: admin 225 | muc_create: 226 | - allow: local 227 | pubsub_createnode: 228 | - allow: local 229 | register: 230 | - allow 231 | trusted_network: 232 | - allow: loopback 233 | 234 | api_permissions: 235 | "console commands": 236 | from: 237 | - ejabberd_ctl 238 | who: all 239 | what: "*" 240 | "admin access": 241 | who: 242 | - access: 243 | - allow: 244 | - acl: 
loopback 245 | - acl: admin 246 | - oauth: 247 | - scope: "ejabberd:admin" 248 | - access: 249 | - allow: 250 | - acl: loopback 251 | - acl: admin 252 | what: 253 | - "*" 254 | - "!stop" 255 | - "!start" 256 | "public commands": 257 | who: 258 | - ip: "127.0.0.1/8" 259 | what: 260 | - "status" 261 | - "connected_users_number" 262 | 263 | ## registration_timeout: 600 264 | 265 | ## host_config: 266 | ## "localhost": 267 | ## access: 268 | ## c2s: 269 | ## - allow: admin 270 | ## - deny 271 | ## register: 272 | ## - deny 273 | 274 | shaper: 275 | normal: 1000 276 | fast: 50000 277 | 278 | max_fsm_queue: 10000 279 | 280 | shaper_rules: 281 | max_user_sessions: 24 282 | max_user_offline_messages: 283 | - 16384: admin 284 | - 8192 285 | c2s_shaper: 286 | - none: admin 287 | - normal 288 | s2s_shaper: fast 289 | 290 | language: "en" 291 | 292 | ## host_config: 293 | ## "localhost": 294 | ## language: "ru" 295 | 296 | captcha_cmd: "/opt/ejabberd/captcha.sh" 297 | captcha_host: "127.0.0.1:5443" 298 | captcha_limit: 5 299 | 300 | modules: 301 | mod_adhoc: {} 302 | mod_admin_extra: {} 303 | mod_announce: 304 | access: announce 305 | mod_avatar: {} 306 | mod_blocking: {} 307 | mod_bosh: {} 308 | mod_caps: {} 309 | mod_carboncopy: {} 310 | mod_client_state: {} 311 | mod_configure: {} 312 | mod_disco: 313 | server_info: 314 | - 315 | modules: all 316 | name: "abuse-addresses" 317 | urls: ["mailto:admin_mail"] 318 | mod_fail2ban: {} 319 | mod_http_api: {} 320 | mod_http_upload: 321 | # host: "xh.@HOST@" 322 | # docroot: "@HOME@/uploads" 323 | put_url: "https://ae.@HOST@/upload" 324 | max_size: 262144000 325 | external_secret: "nginx_ejabberd_uploads_external_secret-var" 326 | # file_mode: "0640" 327 | # dir_mode: "2750" 328 | # access: 329 | # - allow 330 | # custom_headers: 331 | # "Access-Control-Allow-Origin": "*" 332 | # "Access-Control-Allow-Credentials": "true" 333 | # "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT" 334 | # "Access-Control-Allow-Headers": 
"Authorization, Content-Type" 335 | mod_http_upload_quota: 336 | max_days: 3650 337 | mod_last: {} 338 | mod_mam: 339 | db_type: sql 340 | assume_mam_usage: true 341 | default: always 342 | cache_size: 1048576 343 | cache_life_time: 2678400 344 | mod_mix: 345 | host: "xm.@HOST@" 346 | mod_mqtt: {} 347 | mod_muc: 348 | host: "xc.@HOST@" 349 | access: 350 | - allow 351 | access_admin: 352 | - allow: admin 353 | access_create: muc_create 354 | access_persistent: muc_create 355 | access_mam: 356 | - allow 357 | history_size: 42 358 | default_room_options: 359 | mam: true 360 | allow_subscription: true 361 | mod_muc_admin: {} 362 | ## mod_muc_log: {} 363 | ## mod_multicast: {} 364 | mod_offline: 365 | access_max_user_messages: max_user_offline_messages 366 | mod_ping: {} 367 | ## mod_pres_counter: 368 | ## count: 5 369 | ## interval: 60 370 | mod_privacy: {} 371 | mod_private: {} 372 | mod_proxy65: 373 | host: "xr.@HOST@" 374 | mod_pubsub: 375 | host: "xp.@HOST@" 376 | access_createnode: pubsub_createnode 377 | ignore_pep_from_offline: false 378 | last_item_cache: false 379 | max_items_node: 1000 380 | default_node_config: 381 | max_items: 1000 382 | plugins: 383 | - "flat" 384 | - "hometree" 385 | - "pep" 386 | force_node_config: 387 | "eu.siacs.conversations.axolotl.*": 388 | access_model: open 389 | "storage:bookmarks": 390 | access_model: whitelist 391 | mod_push: 392 | include_sender: true 393 | include_body: true 394 | mod_push_keepalive: {} 395 | mod_register: 396 | captcha_protected: true 397 | ## password_strength: 32 398 | welcome_message: 399 | subject: "Hello world" 400 | body: |- 401 | Hi there! 402 | Happy to see you onboard. 403 | This is the aenigma ejabberd XMPP server at hostname.xyz. 404 | The admin for this instance is admin@domain.xyz. 405 | Follow aenigma devs and community at xmpp:aenigma@xc.os.vu. 
406 | Find us online at: https://aenigma.xyz 407 | registration_watchers: 408 | - "admin@domain.xyz" 409 | access_from: allow 410 | access: register 411 | mod_roster: 412 | versioning: true 413 | store_current_id: true 414 | mod_s2s_dialback: {} 415 | mod_shared_roster: {} 416 | mod_stats: {} 417 | mod_time: {} 418 | mod_stream_mgmt: 419 | resend_on_timeout: if_offline 420 | mod_vcard: 421 | host: "xv.@HOST@" 422 | search: true 423 | matches: infinity 424 | allow_return_all: true 425 | mod_vcard_xupdate: {} 426 | mod_version: 427 | show_os: false 428 | 429 | ## host_config: 430 | ## "localhost": 431 | ## modules: 432 | ## mod_echo: 433 | ## host: "mirror.localhost" 434 | 435 | allow_contrib_modules: true 436 | 437 | ### Local Variables: 438 | ### mode: yaml 439 | ### End: 440 | ### vim: set filetype=yaml tabstop=8 441 | -------------------------------------------------------------------------------- /conf/ejabberd/ejabberd-19.05.yml: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | ################################################################################ 3 | ################################################################################ 4 | 5 | ### This is the configuration file for an instance of 6 | ### aenigma: The | state-of-the-art | secure-by-default | one-touch-deployed | XMPP server for everyone. 
7 | ### for ejabberd XMPP server v19.05 8 | 9 | ### aenigma is an openspace project [openspace.xxx] 10 | ### initial commit by Nz on 2017-09-23 11 | ### https://aenigma.xyz | https://github.com/openspace42/aenigma/ 12 | 13 | ################################################################################ 14 | ################################################################################ 15 | ################################################################################ 16 | 17 | hosts: 18 | - "domain.xyz" 19 | 20 | language: "en" 21 | 22 | loglevel: 4 23 | log_rotate_size: 10485760 24 | log_rotate_date: "" 25 | log_rotate_count: 1 26 | log_rate_limit: 100 27 | 28 | certfiles: 29 | - "/etc/ssl/aenigma/*.pem" 30 | 31 | ### aenigma notice 32 | ### to enable state-of-the-art, NOT backwards-compatible TLS encryption 33 | ### [breaking all bridges with legacy servers and therefore the rest of XMPP community] 34 | ### simply set: | s2s_protocol_options: 'TLSOPTS' | and | s2s_ciphers: 'CIPHERS' | 35 | 36 | define_macro: 37 | 38 | 'DHFILE': "/etc/ssl/dhparam.pem" 39 | 'CIPHERS': "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" 40 | 'S2SCIPHERS': "HIGH:!MEDIUM:!LOW:!3DES:!CAMELLIA:!aNULL@STRENGTH" 41 | 'TLSOPTS': 42 | - "no_sslv3" 43 | - "no_tlsv1" 44 | - "no_tlsv1_1" 45 | - "cipher_server_preference" 46 | - "no_compression" 47 | 'S2STLSOPTS': 48 | - "no_sslv3" 49 | - "cipher_server_preference" 50 | - "no_compression" 51 | 52 | listen: 53 | - 54 | port: 5222 55 | ip: "::" 56 | module: ejabberd_c2s 57 | max_stanza_size: 262144 58 | shaper: c2s_shaper 59 | access: c2s 60 | starttls_required: true 61 | starttls: true 62 | protocol_options: 'TLSOPTS' 63 | ### dhfile: 'DHFILE' 64 | ciphers: 'CIPHERS' 65 | zlib: true 66 | - 67 | port: 5223 68 | ip: "::" 
69 | module: ejabberd_c2s 70 | max_stanza_size: 262144 71 | shaper: c2s_shaper 72 | access: c2s 73 | tls: true 74 | protocol_options: 'TLSOPTS' 75 | ### dhfile: 'DHFILE' 76 | ciphers: 'CIPHERS' 77 | zlib: true 78 | - 79 | port: 5269 80 | ip: "::" 81 | module: ejabberd_s2s_in 82 | max_stanza_size: 524288 83 | shaper: s2s_shaper 84 | - 85 | port: 5443 86 | ip: "::" 87 | module: ejabberd_http 88 | tls: true 89 | request_handlers: 90 | "/admin": ejabberd_web_admin 91 | "/api": mod_http_api 92 | "/bosh": mod_bosh 93 | "/upload": mod_http_upload 94 | "/ws": ejabberd_http_ws 95 | "/oauth": ejabberd_oauth 96 | web_admin: true 97 | captcha: true 98 | http_bind: true 99 | protocol_options: 'TLSOPTS' 100 | ### dhfile: 'DHFILE' 101 | ciphers: 'CIPHERS' 102 | ## zlib: true ##re-enable if 1902 supports zlib here 103 | - 104 | port: 1883 105 | ip: "::" 106 | module: mod_mqtt 107 | backlog: 1000 108 | 109 | ## - 110 | ## port: 8888 111 | ## ip: "::" 112 | ## module: ejabberd_service 113 | ## access: all 114 | ## shaper_rule: fast 115 | ## ip: "127.0.0.1" 116 | ## privilege_access: 117 | ## roster: "both" 118 | ## message: "outgoing" 119 | ## presence: "roster" 120 | ## delegations: 121 | ## "urn:xmpp:mam:1": 122 | ## filtering: ["node"] 123 | ## "http://jabber.org/protocol/pubsub": 124 | ## filtering: [] 125 | ## hosts: 126 | ## "icq.example.org": 127 | ## password: "secret" 128 | ## "sms.example.org": 129 | ## password: "secret" 130 | 131 | ## - 132 | ## port: 3478 133 | ## transport: udp 134 | ## module: ejabberd_stun 135 | 136 | ## - 137 | ## port: 4560 138 | ## ip: "::" 139 | ## module: ejabberd_xmlrpc 140 | ## maxsessions: 10 141 | ## timeout: 5000 142 | ## access_commands: 143 | ## admin: 144 | ## commands: all 145 | ## options: [] 146 | 147 | s2s_use_starttls: required 148 | ### s2s_dhfile: 'DHFILE' 149 | s2s_protocol_options: 'S2STLSOPTS' 150 | s2s_ciphers: 'S2SCIPHERS' 151 | 152 | ## s2s_access: s2s 153 | 154 | disable_sasl_mechanisms: "digest-md5" 155 | 156 | acl: 157 | 
admin: 158 | user: 159 | - "admin@domain.xyz" 160 | local: 161 | user_regexp: "" 162 | loopback: 163 | ip: 164 | - "127.0.0.0/8" 165 | - "::1/128" 166 | - "::FFFF:127.0.0.1/128" 167 | 168 | auth_method: sql 169 | 170 | auth_password_format: scram 171 | 172 | default_db: sql 173 | new_sql_schema: true 174 | sql_type: pgsql 175 | sql_server: "public_ipv4-var" 176 | sql_port: 5000 177 | sql_database: "ejabberd" 178 | sql_username: "ejabberd" 179 | sql_password: "ejabberd-psql-user-password-var" 180 | 181 | ## auth_method: ldap 182 | ## ldap_servers: 183 | ## - "localhost" 184 | ## ldap_encrypt: none 185 | ## ldap_encrypt: tls 186 | ## ldap_port: 389 187 | ## ldap_port: 636 188 | ## ldap_rootdn: "dc=example,dc=com" 189 | ## ldap_password: "******" 190 | ## ldap_base: "dc=example,dc=com" 191 | ## ldap_uids: 192 | ## - "mail": "%u@mail.example.org" 193 | ## ldap_filter: "(objectClass=shadowAccount)" 194 | 195 | ## auth_method: anonymous 196 | ## anonymous_protocol: sasl_anon | login_anon | both 197 | ## allow_multiple_connections: true | false 198 | 199 | ## host_config: 200 | ## "public.example.org": 201 | ## auth_method: anonymous 202 | ## allow_multiple_connections: false 203 | ## anonymous_protocol: sasl_anon 204 | 205 | ## host_config: 206 | ## "public.example.org": 207 | ## auth_method: 208 | ## - internal 209 | ## - anonymous 210 | 211 | pgsql_users_number_estimate: true 212 | 213 | access_rules: 214 | local: 215 | - allow: local 216 | c2s: 217 | - deny: blocked 218 | - allow 219 | announce: 220 | - allow: admin 221 | configure: 222 | - allow: admin 223 | muc_create: 224 | - allow: local 225 | pubsub_createnode: 226 | - allow: local 227 | register: 228 | - allow 229 | trusted_network: 230 | - allow: loopback 231 | 232 | api_permissions: 233 | "console commands": 234 | from: 235 | - ejabberd_ctl 236 | who: all 237 | what: "*" 238 | "admin access": 239 | who: 240 | - access: 241 | - allow: 242 | - acl: loopback 243 | - acl: admin 244 | - oauth: 245 | - scope: 
"ejabberd:admin" 246 | - access: 247 | - allow: 248 | - acl: loopback 249 | - acl: admin 250 | what: 251 | - "*" 252 | - "!stop" 253 | - "!start" 254 | "public commands": 255 | who: 256 | - ip: "127.0.0.1/8" 257 | what: 258 | - "status" 259 | - "connected_users_number" 260 | 261 | shaper: 262 | normal: 1000 263 | fast: 50000 264 | 265 | shaper_rules: 266 | max_user_sessions: 24 267 | max_user_offline_messages: 268 | - 16384: admin 269 | - 8192 270 | c2s_shaper: 271 | - none: admin 272 | - normal 273 | s2s_shaper: fast 274 | 275 | max_fsm_queue: 10000 276 | 277 | captcha_cmd: "/opt/ejabberd/captcha.sh" 278 | captcha_host: "127.0.0.1:5443" 279 | captcha_limit: 5 280 | 281 | modules: 282 | mod_adhoc: {} 283 | mod_admin_extra: {} 284 | mod_announce: 285 | access: announce 286 | mod_avatar: {} 287 | mod_blocking: {} 288 | mod_bosh: {} 289 | mod_caps: {} 290 | mod_carboncopy: {} 291 | mod_client_state: {} 292 | mod_configure: {} 293 | mod_disco: 294 | server_info: 295 | - 296 | modules: all 297 | name: "abuse-addresses" 298 | urls: ["mailto:admin_mail"] 299 | mod_fail2ban: {} 300 | mod_http_api: {} 301 | mod_http_upload: 302 | put_url: "https://ae.@HOST@/upload" 303 | max_size: 262144000 304 | external_secret: "nginx_ejabberd_uploads_external_secret-var" 305 | mod_http_upload_quota: 306 | max_days: 3650 307 | mod_last: {} 308 | mod_mam: 309 | db_type: sql 310 | assume_mam_usage: true 311 | default: always 312 | cache_size: 1048576 313 | cache_life_time: 2678400 314 | mod_mix: 315 | host: "xm.@HOST@" 316 | mod_mqtt: {} 317 | mod_muc: 318 | host: "xc.@HOST@" 319 | access: 320 | - allow 321 | access_admin: 322 | - allow: admin 323 | access_create: muc_create 324 | access_persistent: muc_create 325 | access_mam: 326 | - allow 327 | history_size: 42 328 | default_room_options: 329 | mam: true 330 | allow_subscription: true 331 | mod_muc_admin: {} 332 | mod_offline: 333 | access_max_user_messages: max_user_offline_messages 334 | mod_ping: {} 335 | ## mod_pres_counter: 336 | ## 
count: 5 337 | ## interval: 60 338 | mod_privacy: {} 339 | mod_private: {} 340 | mod_proxy65: 341 | host: "xr.@HOST@" 342 | mod_pubsub: 343 | host: "xp.@HOST@" 344 | access_createnode: pubsub_createnode 345 | ignore_pep_from_offline: false 346 | last_item_cache: false 347 | max_items_node: 1000 348 | default_node_config: 349 | max_items: 1000 350 | plugins: 351 | - "flat" 352 | - "hometree" 353 | - "pep" 354 | force_node_config: 355 | "eu.siacs.conversations.axolotl.*": 356 | access_model: open 357 | "storage:bookmarks": 358 | access_model: whitelist 359 | mod_push: 360 | include_sender: true 361 | include_body: true 362 | mod_push_keepalive: {} 363 | mod_register: 364 | captcha_protected: true 365 | ## password_strength: 32 366 | welcome_message: 367 | subject: "Hello world" 368 | body: |- 369 | Hi there! 370 | Happy to see you onboard. 371 | This is the aenigma ejabberd XMPP server at hostname.xyz. 372 | The admin for this instance is admin@domain.xyz. 373 | Follow aenigma devs and community at xmpp:aenigma@xc.os.vu. 
374 | Find us online at: https://aenigma.xyz 375 | registration_watchers: 376 | - "admin@domain.xyz" 377 | access_from: allow 378 | access: register 379 | mod_roster: 380 | versioning: true 381 | store_current_id: true 382 | mod_s2s_dialback: {} 383 | mod_shared_roster: {} 384 | mod_stats: {} 385 | mod_time: {} 386 | mod_stream_mgmt: 387 | resend_on_timeout: if_offline 388 | mod_vcard: 389 | host: "xv.@HOST@" 390 | search: true 391 | matches: infinity 392 | allow_return_all: true 393 | mod_vcard_xupdate: {} 394 | mod_version: 395 | show_os: false 396 | 397 | allow_contrib_modules: true 398 | 399 | ### Local Variables: 400 | ### mode: yaml 401 | ### End: 402 | ### vim: set filetype=yaml tabstop=8 403 | -------------------------------------------------------------------------------- /conf/ejabberd/ejabberd-19.08.yml: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | ################################################################################ 3 | ################################################################################ 4 | 5 | ### This is the configuration file for an instance of 6 | ### aenigma: The | state-of-the-art | secure-by-default | one-touch-deployed | XMPP server for everyone. 
### for ejabberd XMPP server v19.08

### aenigma is an openspace project [openspace.xxx]
### initial commit by Nz on 2017-09-23
### https://aenigma.xyz | https://github.com/openspace42/aenigma/

################################################################################
################################################################################
################################################################################

hosts:
  - domain.xyz

language: "en"

loglevel: 4
log_rotate_size: 10485760
log_rotate_date: ""
log_rotate_count: 1
log_rate_limit: 100

certfiles:
  - /etc/ssl/aenigma/*.pem

define_macro:

  'DHFILE': "/etc/ssl/dhparam.pem"
  'TLSOPTS':
    - "no_sslv3"
    - "no_tlsv1"
    - "no_tlsv1_1"
    - "cipher_server_preference"
    - "no_compression"
  'S2STLSOPTS':
    - "no_sslv3"
    - "cipher_server_preference"
    - "no_compression"

listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    starttls_required: true
    starttls: true
    ### dhfile: 'DHFILE'
    zlib: true
  -
    port: 5223
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    tls: true
    ### dhfile: 'DHFILE'
    zlib: true
  -
    port: 5269
    ip: "::"
    module: ejabberd_s2s_in
    max_stanza_size: 524288
    shaper: s2s_shaper
  -
    port: 5443
    ip: "::"
    module: ejabberd_http
    tls: true
    request_handlers:
      "/admin": ejabberd_web_admin
      "/api": mod_http_api
      "/bosh": mod_bosh
      "/captcha": ejabberd_captcha
      "/upload": mod_http_upload
      "/ws": ejabberd_http_ws
      "/oauth": ejabberd_oauth
    ### dhfile: 'DHFILE'
  -
    port: 1883
    ip: "::"
    module: mod_mqtt
    backlog: 1000

s2s_use_starttls: required
### s2s_dhfile: 'DHFILE'

disable_sasl_mechanisms: "digest-md5"

acl:
  admin:
    user:
      - "admin@domain.xyz"
  local:
    user_regexp: ""
  loopback:
    ip:
      - 127.0.0.0/8
      - ::1/128

auth_method: sql

auth_password_format: scram

default_db: sql
new_sql_schema: true
sql_type: pgsql
sql_server: "public_ipv4-var"
sql_port: 5000
sql_database: "ejabberd"
sql_username: "ejabberd"
sql_password: "ejabberd-psql-user-password-var"

## auth_method: ldap
## ldap_servers:
##   - "localhost"
## ldap_encrypt: none
## ldap_encrypt: tls
## ldap_port: 389
## ldap_port: 636
## ldap_rootdn: "dc=example,dc=com"
## ldap_password: "******"
## ldap_base: "dc=example,dc=com"
## ldap_uids:
##   - "mail": "%u@mail.example.org"
## ldap_filter: "(objectClass=shadowAccount)"

## host_config:
##   "public.example.org":
##     auth_method: anonymous
##     allow_multiple_connections: false
##     anonymous_protocol: sasl_anon

## host_config:
##   "public.example.org":
##     auth_method:
##       - internal
##       - anonymous

pgsql_users_number_estimate: true

access_rules:
  local:
    allow: local
  c2s:
    deny: blocked
    allow: all
  announce:
    allow: admin
  configure:
    allow: admin
  muc_create:
    allow: local
  pubsub_createnode:
    allow: local
  trusted_network:
    allow: loopback

api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      access:
        allow:
          acl: loopback
          acl: admin
      oauth:
        scope: "ejabberd:admin"
        access:
          allow:
            acl: loopback
            acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      ip: 127.0.0.1/8
    what:
      - status
      - connected_users_number

shaper:
  normal: 1000
  fast: 50000

shaper_rules:
  max_user_sessions: 24
  max_user_offline_messages:
    16384: admin
    8192: all
  c2s_shaper:
    none: admin
    normal: all
  s2s_shaper: fast

max_fsm_queue: 10000

captcha_cmd: /opt/ejabberd/captcha.sh
captcha_url: https://127.0.0.1:5443
captcha_limit: 5

modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce:
    access: announce
  mod_avatar: {}
  mod_blocking: {}
  mod_bosh: {}
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {}
  mod_disco:
    server_info:
      -
        modules: all
        name: "abuse-addresses"
        urls: ["mailto:admin_mail"]
  mod_fail2ban: {}
  mod_http_api: {}
  mod_http_upload:
    put_url: https://ae.@HOST@/upload
    max_size: 262144000
    external_secret: "nginx_ejabberd_uploads_external_secret-var"
  mod_http_upload_quota:
    max_days: 3650
  mod_last: {}
  mod_mam:
    db_type: sql
    assume_mam_usage: true
    default: always
    cache_size: 1048576
    cache_life_time: 2678400
  mod_mix:
    host: xm.@HOST@
  mod_mqtt: {}
  mod_muc:
    host: xc.@HOST@
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
    access_mam:
      - allow
    history_size: 42
    default_room_options:
      mam: true
      allow_subscription: true
  mod_muc_admin: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  ## mod_pres_counter:
  ##   count: 5
  ##   interval: 60
  mod_privacy: {}
  mod_private: {}
  mod_proxy65:
    host: xr.@HOST@
  mod_pubsub:
    host: xp.@HOST@
    access_createnode: pubsub_createnode
    ignore_pep_from_offline: false
    last_item_cache: false
    max_items_node: 1000
    default_node_config:
      max_items: 1000
    plugins:
      - flat
      - pep
    force_node_config:
      storage:bookmarks:
        access_model: whitelist
  mod_push:
    include_sender: true
    include_body: true
  mod_push_keepalive: {}
  mod_register:
    captcha_protected: true
    ## password_strength: 32
    welcome_message:
      subject: "Hello world"
      body: |-
        Hi there!
        Happy to see you onboard.
        This is the aenigma ejabberd XMPP server at hostname.xyz.
        The admin for this instance is admin@domain.xyz.
        Follow aenigma devs and community at xmpp:aenigma@xc.os.vu.
        Find us online at: https://aenigma.xyz
    registration_watchers:
      - "admin@domain.xyz"
    ## aenigma notice: uncomment to only allow registrations from trusted
    ## networks, even though we and our config do adhere to the spam manifesto.
    ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
    ## ip_access: trusted_network
  mod_roster:
    versioning: true
    store_current_id: true
  mod_s2s_dialback: {}
  mod_shared_roster: {}
  mod_stats: {}
  mod_time: {}
  mod_stream_mgmt:
    resend_on_timeout: if_offline
  mod_vcard:
    host: xv.@HOST@
    search: true
    matches: infinity
    allow_return_all: true
  mod_vcard_xupdate: {}
  mod_version:
    show_os: false

allow_contrib_modules: true

### Local Variables:
### mode: yaml
### End:
### vim: set filetype=yaml tabstop=8

--------------------------------------------------------------------------------
/conf/gpg/process-one.asc:
--------------------------------------------------------------------------------
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.5 (GNU/Linux)

mQGiBEJmhJURBADL5MHpMCLLxp/4wykVdHop/Wc6EU+xPnrptCBmNzlav/QPN5XL
UnGdjS9+dHuwa0k6ZutBHxi9b6UHsTXM8TSiIeuW6u/6GfzoCY2XhbN2qg6VQlnp
LjJICEZS7qs+Fszwhr9LnF8DEVhilqqMgfxZlIJiNfTs+qcBCunPgxO6mwCg7NMO
oN2zfjQj5YW15yz2ZXItXEMEAIH1fpPdHKsJAocv3WuqTAS6/pwaXFvnY+s3GOnX
hnZgedsEqHGXQLuhEK8n+A6NgtVy+AevLuF0+CBOsB3cxM383e6KXQkMPuVLs197
bBR9hgooovJ8DCGsAh+gCniJKcrrVb2UaaRsnqwBcVY5EpO+UyR2guoUFyWhOk4V
gswqA/oC44sP6J4BEdPAi1cwL6faR7urQIJuAKkUr6MmarVeAIHS4NRzz/AT7Let
jsS753Jkkfzw4LElS/0soROncFUtU1G2vFM5d+zjnLwzq0OMPNzsiZbXeDqLB8rs
dlxAp4OsVlmbIZPEF6TmpgZIzOb01iyvu0Xk0BQg3xSXHZLrOrQlUHJvY2Vzcy1v
bmUgPGNvbnRhY3RAcHJvY2Vzcy1vbmUubmV0PoheBBMRAgAeBQJCZoSVAhsDBgsJ
CAcDAgMVAgMDFgIBAh4BAheAAAoJEI7KRpQZwJMRUGYAn0EYyIVUZ1+0RNGjsada
iZZGjpioAKDihDlD2HPgegOTh9gsKYSNwfd/JLkBDQRCZoSWEAQAldFsRbtopqPx
s3mx1pvmiGbLsP5wJTdxsXD2/Of7dWHTDnXjL0epK3/oIdt+bHR41LcnOFsSPInF
ZGqBoWSNdMsxrSuKUEWHnTxemTONXs1E8J3U007o9c8jOy04krajt5/pnS7ygGyB
NWx/af/iDKyM6L+Vf6YRZhXIsNaL1s8AAwUD/0DlbQF+vVdnVQXeo3M6zZ9BjlIe
KhWTCuh8NXngbbaGDSCL0YIemWPgYNwt7b0h/ooyBD2+Pa/k44Ts1Xywy/u3TtVJ
pXEnJoWjSioaUXzQ5ICtSwKR+qFhX+heOlT/N4r89Ax5ExAg2WGYL6r4cBFcIW3i
XLBxAuWz/JlyYWk8iEkEGBECAAkFAkJmhJYCGwwACgkQjspGlBnAkxHJ6ACfWvPn
vGVH2Yde6BrZ4lE87L8OwWIAnR0Ouy06Y39vo6uzAgS7EKr4DHiJ
=1ZnI
-----END PGP PUBLIC KEY BLOCK-----

--------------------------------------------------------------------------------
/conf/letsencrypt/post-renewal-hook:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

set -eu

cd /root/
bash openspace42/aenigma/tools/aenigma-create-push-certs

--------------------------------------------------------------------------------
/conf/nginx/additional_domain:
--------------------------------------------------------------------------------
server {

    listen 127.0.0.1:443 ssl http2;
    listen [::1]:443 ssl http2;

    server_name additional_domain-var .additional_domain-var *.additional_domain-var;

    access_log /var/log/nginx/additional_domain-var.access.log;
    error_log /var/log/nginx/additional_domain-var.error.log;

    root /var/www/aenigma;

    index index.html index.htm;

    ssl_certificate /etc/ssl/aenigma/additional_domain-var.d/fullchain.pem;
    ssl_certificate_key /etc/ssl/aenigma/additional_domain-var.d/privkey.pem;

    #ssl_protocols TLSv1.3 TLSv1.2;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
    ssl_ecdh_curve auto;
    ssl_session_timeout 10m;
    # ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1; # 1dot1dot1dot1.cloudflare-dns.com

    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;

    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header Referrer-Policy "no-referrer";

    location / {
        try_files $uri $uri/ =404;
    }

    location ^~ /upload {
        alias /var/www/upload;
        perl upload::handle;
        client_max_body_size 100m;
    }

    add_header X-Proxy-Cache $upstream_cache_status;
    location ^~ /admin {
        proxy_pass https://127.0.0.1:5443/admin/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Basic locations files
    location = /favicon.ico {
        access_log off;
        log_not_found off;
        expires max;
    }

    # Cache static files
    # Note: nginx only inherits server-level add_header into a location that declares
    # none of its own, so the HSTS and X-* headers above are not sent for these files.
    location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
        add_header "Access-Control-Allow-Origin" "*";
        access_log off;
        log_not_found off;
        expires max;
    }

    # Security settings for better privacy
    # Deny hidden files
    location ~ /\.well-known {
        allow all;
    }

    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny backup extensions & log files
    location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
    if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
        return 403;
    }

}

--------------------------------------------------------------------------------
/conf/nginx/domain:
--------------------------------------------------------------------------------
server {

    listen 80 default_server;
    listen [::]:80 default_server;

    server_name domain.xyz .domain.xyz *.domain.xyz;

    rewrite ^ https://$host$request_uri? permanent;

}

server {

    listen 127.0.0.1:443 default_server ssl http2;
    listen [::1]:443 default_server ssl http2;

    server_name domain.xyz .domain.xyz *.domain.xyz;

    access_log /var/log/nginx/hostname.xyz.access.log;
    error_log /var/log/nginx/hostname.xyz.error.log;

    root /var/www/aenigma;

    index index.html index.htm;

    ssl_certificate /etc/ssl/aenigma/domain.xyz.d/fullchain.pem;
    ssl_certificate_key /etc/ssl/aenigma/domain.xyz.d/privkey.pem;

    #ssl_protocols TLSv1.3 TLSv1.2;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
    ssl_ecdh_curve auto;
    ssl_session_timeout 10m;
    # ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1; # 1dot1dot1dot1.cloudflare-dns.com

    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;

    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header Referrer-Policy "no-referrer";

    location / {
        try_files $uri $uri/ =404;
    }

    location ^~ /upload {
        alias /var/www/upload;
        perl upload::handle;
        client_max_body_size 100m;
    }

    add_header X-Proxy-Cache $upstream_cache_status;
    location ^~ /admin {
        proxy_pass https://127.0.0.1:5443/admin/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Basic locations files
    location = /favicon.ico {
        access_log off;
        log_not_found off;
        expires max;
    }

    # Cache static files
    # Note: nginx only inherits server-level add_header into a location that declares
    # none of its own, so the HSTS and X-* headers above are not sent for these files.
    location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
        add_header "Access-Control-Allow-Origin" "*";
        access_log off;
        log_not_found off;
        expires max;
    }

    # Security settings for better privacy
    # Deny hidden files
    location ~ /\.well-known {
        allow all;
    }

    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny backup extensions & log files
    location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
    if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
        return 403;
    }

}

--------------------------------------------------------------------------------
/conf/nginx/onion:
--------------------------------------------------------------------------------
server {

    listen 127.0.0.1:443 ssl http2;
    listen [::1]:443 ssl http2;

    server_name tor_hidden_service_hostname-var .tor_hidden_service_hostname-var *.tor_hidden_service_hostname-var;

    access_log /var/log/nginx/tor_hidden_service_hostname-var.access.log;
    error_log /var/log/nginx/tor_hidden_service_hostname-var.error.log;

    root /var/www/onion;

    index index.html index.htm;

    ssl_certificate /etc/ssl/aenigma/tor_hidden_service_hostname-var.cert.pem;
    ssl_certificate_key /etc/ssl/aenigma/tor_hidden_service_hostname-var.privkey.pem;

    #ssl_protocols TLSv1.3 TLSv1.2;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
    ssl_ecdh_curve auto;
    ssl_session_timeout 10m;
    # ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # ssl_stapling on;
    # ssl_stapling_verify on;
    # resolver 1.1.1.1; # 1dot1dot1dot1.cloudflare-dns.com

    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;

    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header Referrer-Policy "no-referrer";

    location / {
        try_files $uri $uri/ =404;
    }

    location ^~ /upload {
        alias /var/www/upload;
        perl upload::handle;
        client_max_body_size 100m;
    }

    add_header X-Proxy-Cache $upstream_cache_status;
    location ^~ /admin {
        proxy_pass https://127.0.0.1:5443/admin/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /ws/ {
        proxy_pass https://127.0.0.1:5443/ws;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 180s;
        proxy_send_timeout 180s;
    }

    # Basic locations files
    location = /favicon.ico {
        access_log off;
        log_not_found off;
        expires max;
    }

    # Cache static files
    # Note: nginx only inherits server-level add_header into a location that declares
    # none of its own, so the HSTS and X-* headers above are not sent for these files.
    location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
        add_header "Access-Control-Allow-Origin" "*";
        access_log off;
        log_not_found off;
        expires max;
    }

    # Security settings for better privacy
    # Deny hidden files
    location ~ /\.well-known {
        allow all;
    }

    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny backup extensions & log files
    location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
    if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
        return 403;
    }

}

--------------------------------------------------------------------------------
/conf/sslh/etc-init.d.sslh:
--------------------------------------------------------------------------------
#! /bin/sh

### BEGIN INIT INFO
# Provides:          sslh
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      1
# Short-Description: sslh proxy ssl & ssh connections
### END INIT INFO

set -e
tag=sslh
facility=user.info

# /etc/init.d/sslh: start and stop the sslh proxy daemon

if test -f /etc/default/sslh; then
    . /etc/default/sslh
fi

# The prefix is normally filled by make install. If
# installing by hand, fill it in yourself!
PREFIX=/usr/local
DAEMON=$PREFIX/sbin/sslh

start()
{
    echo "Start services: sslh"
    mkdir -p /var/run/sslh/
    touch /var/run/sslh/sslh.pid
    $DAEMON -F/etc/sslh.cfg
    logger -t ${tag} -p ${facility} -i 'Started sslh'
}

stop()
{
    echo "Stop services: sslh"
    killall $DAEMON
    logger -t ${tag} -p ${facility} -i 'Stopped sslh'
}


case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        sleep 5
        start
        ;;
    *)
        echo "Usage: /etc/init.d/sslh {start|stop|restart}" >&2
        ;;
esac

exit 0

--------------------------------------------------------------------------------
/conf/sslh/etc-sslh.cfg:
--------------------------------------------------------------------------------
foreground: false;
inetd: false;
numeric: false;
transparent: false;
timeout: 2;
user: "nobody";
pidfile: "/var/run/sslh.pid";

syslog_facility: "auth";

listen:
(
    { host: "public_ipv4-var"; port: "443"; }#ipv6_comma
    #ipv6_line { host: "this_ipv6-var"; port: "443"; }
);

protocols:
(
    { name: "ssh"; service: "ssh"; host: "localhost"; port: "ssh_port-var"; keepalive: true; fork: true; log_level: 1; },
    { name: "tls"; host: "localhost"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; log_level: 1; },
    { name: "tls"; host: "localhost"; port: "5443"; sni_hostnames: [ "xh.domain-var"]; log_level: 1; },
    { name: "tls"; host: "localhost"; port: "443"; alpn_protocols: [ "h2", "http/1.1", "spdy/1", "spdy/2", "spdy/3" ]; log_level: 1; },
    { name: "tls"; host: "localhost"; port: "5223"; sni_hostnames: [ "hostname-var" ]; log_level: 1; },
    { name: "xmpp"; host: "localhost"; port: "5222"; log_level: 1; },
    { name: "regex"; host: "localhost"; port: "5222"; regex_patterns: [ "jabber" ]; log_level: 1; },
    { name: "regex"; host: "localhost"; port: "443"; regex_patterns: [ "jabber" ]; log_level: 1; },
    { name: "tls"; host: "localhost"; port: "443"; log_level: 1;},
    { name: "timeout"; host: "localhost"; port: "443"; log_level: 1; }
);

on-timeout: "timeout";

--------------------------------------------------------------------------------
/conf/tor/hidden_service:
--------------------------------------------------------------------------------
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 443 public_ipv4-var:443
HiddenServicePort 5222 127.0.0.1:5222
HiddenServicePort 5223 127.0.0.1:5223
HiddenServicePort 5269 127.0.0.1:5269
HiddenServicePort 5443 127.0.0.1:5443

--------------------------------------------------------------------------------
/conf/web/extra/index.html:
--------------------------------------------------------------------------------
