ansible/roles/prosody/templates/prosody.cfg.lua.j2

-- {{ ansible_managed }}

admins = { "deelkar@jabber.ccchb.de", "freak@jabber.ccchb.de", "jali@jabber.ccchb.de" }

use_libevent = true;
modules_enabled = {
	-- Generally required
	"roster";
	"saslauth";
	"tls";
	"dialback";
	"disco";
	"posix";
	"private";

	-- Nice to have
	"version";
	"uptime";
	"time";
	"ping";
	"pep";
	"register";

	-- Admin interfaces
	"admin_adhoc";
	"admin_shell";

	-- HTTP modules
	"bosh";
	"http_files";
	"http_file_share";

	-- Other specific functionality
	"groups";
	"watchregistrations";
	"turn_external";
	"carbons";
	"blocklist";
	"mam";
	"csi_simple";
	"vcard_legacy";
	"proxy65";
};

allow_registration = {% if prosody_allow_registration then "True" else "False" %};

c2s_require_encryption = true
s2s_secure_auth = false

-- PID file, necessary for prosodyctl
pidfile = "/var/run/prosody/prosody.pid"

authentication = "internal_hashed"

log = {
	error = "/var/log/prosody/prosody.err";
}

-- TODO: Fix escaping
http_external_url = "{{ prosody_http_url }}"
trusted_proxies = { "127.0.0.1", "::1", "192.168.1.1", }

-- TURN Server
turn_external_host = "{{ prosody_turn_server }}"
turn_external_secret = "{{ prosody_turn_secret }}"


VirtualHost "localhost"

VirtualHost "jabber.ccchb.de"
	enabled = true -- Remove this line to enable this host

	-- Assign this host a certificate for TLS, otherwise it would use the one
	-- set in the global section (if any).
	-- Note that old-style SSL on port 5223 only supports one certificate, and will always
	-- use the global one.
	ssl = {
		protocol = "tlsv1_2+";
		key = "{{ prosody_ssl_key }}";
		certificate = "{{ prosody_ssl_cert }}";
		dhparam = "/etc/prosody/certs/dh-2048.pem";
		-- TODO: Evaluate allowed ciphers
		ciphers = "ECDH:DH:HIGH+kEDH:HIGH+kEECDH:HIGH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM";
	}

Component "muc.jabber.ccchb.de" "muc"
	modules_enabled = {
		"vcard_muc",
		"muc_mam"
	}

Component "upload.jabber.ccchb.de" "http_file_share"