This commit is contained in:
aitzol 2024-03-01 13:03:42 +01:00
parent 6ae2c3eb5f
commit d8d9fd9e67
15 changed files with 148 additions and 140 deletions

2
.gitignore vendored
View File

@ -1,6 +1,6 @@
data/* data/*
certs/ certs/
matterbrige/*.t* extras/matterbridge/*.t*
tests/certs/ tests/certs/
tests/venv/ tests/venv/
tests/__pycache__/ tests/__pycache__/

View File

@ -1,5 +1,22 @@
# Changelog # Changelog
## v1.3.1
* Added optional Firewall module for testing
### Breaking Change
Switched from [http_upload](https://modules.prosody.im/mod_http_upload) to [http_file_share](https://prosody.im/doc/modules/mod_http_file_share).
This means that previous uploads will NOT work after upgrading.
ENV variable `HTTP_UPLOAD_FILE_SIZE_LIMIT` was removed.
The new module uses the following variables:
* HTTP_FILE_SHARE_SIZE_LIMIT
* HTTP_FILE_SHARE_DAILY_QUOTA
See [readme.md](readme.md) for explanations and defaults.
## v1.3.0 ## v1.3.0
* Update to Debian Bookworm * Update to Debian Bookworm

View File

@ -110,10 +110,12 @@ RUN download-prosody-modules.bash \
filter_chatstates `# disable "X is typing" type messages` \ filter_chatstates `# disable "X is typing" type messages` \
smacks `# stream management (XEP-0198)` \ smacks `# stream management (XEP-0198)` \
throttle_presence `# presence throttling in CSI` \ throttle_presence `# presence throttling in CSI` \
http_upload `# file sharing (XEP-0363)` \
vcard_muc `# XEP-0153: vCard-Based Avatar (MUC)` \ vcard_muc `# XEP-0153: vCard-Based Avatar (MUC)` \
&& docker-prosody-module-pre-install.bash \
firewall `# anti-spam firewall` \
&& rm -rf "/usr/src/prosody-modules" && rm -rf "/usr/src/prosody-modules"
RUN echo "TLS_REQCERT allow" >> /etc/ldap/ldap.conf RUN echo "TLS_REQCERT allow" >> /etc/ldap/ldap.conf
USER prosody USER prosody
ENTRYPOINT ["/entrypoint.bash"] ENTRYPOINT ["/entrypoint.bash"]

View File

@ -1,6 +1,7 @@
plugin_paths = { "/usr/local/lib/prosody/custom-modules/" }; plugin_paths = { "/usr/local/lib/prosody/custom-modules/" };
modules_enabled = { -- table of enabled modules
local mods_enabled = {
-- Generally required -- Generally required
"roster"; -- Allow users to have a roster. Recommended ;) "roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in. "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
@ -32,7 +33,7 @@ modules_enabled = {
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582 --"admin_telnet"; -- Opens telnet console interface on localhost port 5582
-- HTTP modules -- HTTP modules
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP" "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
--"http_files"; -- Serve static files from a directory over HTTP --"http_files"; -- Serve static files from a directory over HTTP
-- Other specific functionality -- Other specific functionality
@ -47,6 +48,20 @@ modules_enabled = {
"server_contact_info"; -- This module lets you advertise various contact addresses for your XMPP service via XEP-0157. "server_contact_info"; -- This module lets you advertise various contact addresses for your XMPP service via XEP-0157.
}; };
local enabled = os.getenv("ENABLE_FIREWALL") or "false"
local spam_blocklist = os.getenv("SPAM_BLOCKLIST") and "/usr/local/etc/prosody/firewall/" .. os.getenv("SPAM_BLOCKLIST") or "module:scripts/spam-blocklists.pfw"
if(enabled == "true")
then
table.insert(mods_enabled, "firewall");
firewall_scripts = {
spam_blocklist;
}
end
modules_enabled = mods_enabled;
-- These modules are auto-loaded, but should you want -- These modules are auto-loaded, but should you want
-- to disable them then uncomment them here: -- to disable them then uncomment them here:
modules_disabled = { modules_disabled = {
@ -54,3 +69,4 @@ modules_disabled = {
-- "c2s"; -- Handle client connections -- "c2s"; -- Handle client connections
-- "s2s"; -- Handle server-to-server connections -- "s2s"; -- Handle server-to-server connections
}; };

View File

@ -21,11 +21,13 @@ storage = {
archive_expires_after = "1y" archive_expires_after = "1y"
-- bandwith limits -- bandwith limits
limits = { --limits = {
c2s = { --c2s = {
rate = "10kb/s"; --rate = "10kb/s";
}; --};
s2sin = { --s2sin = {
rate = "30kb/s"; --rate = "30kb/s";
}; --};
} --}
http_max_content_size = os.getenv("HTTP_MAX_CONTENT_SIZE") or 1024 * 1024 * 10 -- Default is 10MB

View File

@ -21,9 +21,12 @@ https_ssl = {
VirtualHost (domain) VirtualHost (domain)
-- Set up a http file upload because proxy65 is not working in muc -- Set up a http file upload
Component (domain_http_upload) "http_upload" Component (domain_http_upload) "http_file_share"
http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds http_file_share_expires_after = 60 * 60 * 24 * 7 -- a week in seconds
local size_limit = os.getenv("HTTP_FILE_SHARE_SIZE_LIMIT") or 10 * 1024 * 1024 -- Default is 10MB
http_file_share_size_limit = size_limit
http_file_share_daily_quota = os.getenv("HTTP_FILE_SHARE_DAILY_QUOTA") or 10 * size_limit -- Default is 10x the size limit
Component (domain_muc) "muc" Component (domain_muc) "muc"
name = "Prosody Chatrooms" name = "Prosody Chatrooms"

View File

@ -43,7 +43,7 @@ for ext in $exts; do
# Skip this if the modules should not be added to modules_enabled. # Skip this if the modules should not be added to modules_enabled.
if [ "$ext" != "http_upload" ] && [ "$ext" != "vcard_muc" ] ; then if [ "$ext" != "http_upload" ] && [ "$ext" != "vcard_muc" ] ; then
echo " - enabling within ${config}" echo " - enabling within ${config}"
new_config=$(cat "${config}" | module="${ext}" perl -0pe 's/(modules_enabled[ ]*=[ ]*{[^}]*)};/$1\n\t"$ENV{module}";\n};/') new_config=$(cat "${config}" | module="${ext}" perl -0pe 's/(mods_enabled[ ]*=[ ]*{[^}]*)};/$1\n\t"$ENV{module}";\n};/')
echo "${new_config}" > "${config}" echo "${new_config}" > "${config}"
fi fi
done done

View File

@ -0,0 +1,42 @@
#!/bin/bash
set -e
source="/usr/src/prosody-modules"
target="/usr/local/lib/prosody/custom-modules"
cd ${source}
usage() {
echo "usage: $0 ext-name [ext-name ...]"
echo " ie: $0 carbons e2e_policy proxy65"
echo
echo 'Possible values for ext-name:'
find . -mindepth 1 -maxdepth 1 -type d | sort | sed s/\.\\/mod_//g | xargs
}
exts=
for ext; do
if [ -z "mod_$ext" ]; then
continue
fi
if [ ! -d "mod_$ext" ]; then
echo >&2 "error: $PWD/mod_$ext does not exist"
echo >&2
usage >&2
exit 1
fi
exts="$exts $ext"
done
if [ -z "$exts" ]; then
usage >&2
exit 1
fi
for ext in $exts; do
echo "Installing mod_${ext}"
echo " - copying to ${target}"
cp -r "${source}/mod_${ext}" "${target}/"
done

View File

@ -0,0 +1,18 @@
bashtel.ru
creep.im
darkengine.biz
default.rs
hiddenlizard.org
jabber.bitactive.com
jabber.cd
jabber.freenet.de
jabber.ipredator.se
jabber.npw.net
jabber.sampo.ru
labas.biz
otr.chat
paranoid.scarab.name
rassnet.org
safetyjabber.com
sj.ms
xmpp.bytesund.biz

View File

@ -0,0 +1,21 @@
# This script depends on spam-blocking.pfw also being loaded
# Any traffic that is not explicitly blocked or allowed by other
# rules will be checked against the JabberSPAM server blocklist
%LIST blocklist: file:/usr/local/etc/prosody/firewall/blacklist.txt
#%LIST blocklist: https://cdn.jsdelivr.net/gh/jabberspam/blacklist/blacklist.txt
::user/spam_handle_unknown_custom
CHECK LIST: blocklist contains $<@from|host>
BOUNCE=policy-violation (Your server is blocked due to spam)
::user/spam_check_muc_invite_custom
# Check the server we received the invitation from
CHECK LIST: blocklist contains $<@from|host>
BOUNCE=policy-violation (Your server is blocked due to spam)
# Check the inviter's JID against the blocklist, too
CHECK LIST: blocklist contains $<{http://jabber.org/protocol/muc#user}x/invite@from|host>
BOUNCE=policy-violation (Your server is blocked due to spam)

View File

@ -1,84 +0,0 @@
#https://github.com/42wim/matterbridge
###################################################################
#XMPP section - berriketak
###################################################################
[xmpp]
[xmpp.telegram_berriketak]
#Server="lainoa.eus:5222"
Server="server:5222"
#Jid="admin@lainoa.eus"
Jid="admin@lainoa.eus"
#Password="sagastarri996X"
Password="sagastarri996"
Muc="conference.lainoa.eus"
Nick="Admin"
SkipTLSVerify=true
#IgnoreNicks="ircspammer1 ircspammer2"
#RemoteNickFormat="[{NICK}] "
RemoteNickFormat="{TENGO}({PROTOCOL}) "
ShowJoinPart=false
###################################################################
#telegram section - berriketak
###################################################################
[telegram]
[telegram.berriket_xmppBot]
Token="434963747:AAHRbJAw9oN30b9KdjWacnyYyHS22r056SM" #token berriket_xmppBot
MessageFormat="HTMLNick"
EditDisable=false
EditSuffix=" (edited)"
IgnoreNicks="spammer1 spammer2"
RemoteNickFormat="{NICK}: "
ShowJoinPart=false
UseInsecureURL=true
MediaConvertWebPToPNG=true
DisableWebPagePreview=false
[tengo]
#RemoteNickFormat="remotenickformat.tengo"
RemoteNickFormat="/etc/matterbridge/nicks.tengo"
#InMessage="/etc/matterbridge/in.tengo"
OutMessage="/etc/matterbridge/out.tengo"
###################################################################
#gateway section
###################################################################
[[gateway]]
name="gateway_berriketak"
enable=true
[[gateway.inout]]
account="xmpp.telegram_berriketak"
channel="berriketak"
#channel="test"
[[gateway.inout]]
account="telegram.berriket_xmppBot"
channel="-183435536" #Telegram berriketak taldearen ID-a
[[gateway]]
name="test"
enable=true
[[gateway.inout]]
account="xmpp.telegram_berriketak"
channel="test"
[[gateway.inout]]
account="telegram.berriket_xmppBot"
#channel="-241666435" #Telegram xmpp_test taldearen ID-a
channel="-1001617641457"
#[[gateway]]
#name="etxekok"
#enable=true
# [[gateway.inout]]
# account="xmpp.telegram_berriketak"
# channel="etxekok"
# [[gateway.inout]]
# account="telegram.berriket_xmppBot"
# channel="-523032" #Telegram etxekok taldearen ID-a

View File

@ -1,5 +0,0 @@
/*Customize nicks from X to XMPP*/
result = nick
if(nick == "Nekane Nekane") {
result = "Amona Nekane"
}

View File

@ -1,30 +0,0 @@
text := import("text")
fmt := import("fmt")
fmt.println(msgText)
if(inProtocol == "telegram"){
if text.index(msgText, "https") > 1 {
media_array := text.re_split(":", msgText, 2)
fmt.println(media_array)
if len(media_array) > 1 {
//TG desktop
media := text.trim_prefix(media_array[1]," ")
//msgText=media
bold := "**"+media+"**"
//link := "[link]("+media+")"
//msgText =link
msgText = text.re_replace("MEDIA", bold, msgText)
//msgText="![Tux, the Linux mascot]("+media+")"
//msgText=text.re_replace("matterbridge",msgText,"matterbridge (https://github.com/42wim/matterbridge)")
}else{
//TG android
msgText="https:"+media_array[0]
}
}
}else{
//capitalize + bold
msgUsername = "<strong>"+text.title(msgUsername)+"</strong>"
msgText = msgText
}

View File

@ -54,6 +54,7 @@ While Conversations got everything set-up out-of-the-box, Gajim was used with th
* Secure by default * Secure by default
* SSL certificate required * SSL certificate required
* End-to-end encryption required (using [OMEMO](https://conversations.im/omemo/) or [OTR](https://en.wikipedia.org/wiki/Off-the-Record_Messaging)) * End-to-end encryption required (using [OMEMO](https://conversations.im/omemo/) or [OTR](https://en.wikipedia.org/wiki/Off-the-Record_Messaging))
* Anti-spam filter (based on the pre-installed [Firewall](https://modules.prosody.im/mod_firewall) module)
* Data storage * Data storage
* SQLite message store * SQLite message store
* Configured file upload and image sharing * Configured file upload and image sharing
@ -228,6 +229,9 @@ sudo chown 999:999 ./data
| **DB_PORT** | Port on which the database is listening | *optional* | | | **DB_PORT** | Port on which the database is listening | *optional* | |
| **DB_USERNAME** | The username to authenticate to the database | *optional* | | | **DB_USERNAME** | The username to authenticate to the database | *optional* | |
| **DB_PASSWORD** | The password to authenticate to the database | *optional* | | | **DB_PASSWORD** | The password to authenticate to the database | *optional* | |
| **HTTP_MAX_CONTENT_SIZE** | Max http content size in bytes | *optional* | 10485760 |
| **HTTP_FILE_SHARE_SIZE_LIMIT** | Max http file share size in bytes | *optional* | 10485760 |
| **HTTP_FILE_SHARE_DAILY_QUOTA** | Daily quota in bytes | *optional* | 10 times share size limit |
| **E2E_POLICY_CHAT** | Policy for chat messages. Possible values: "none", "optional" and "required". | *optional* | "required" | | **E2E_POLICY_CHAT** | Policy for chat messages. Possible values: "none", "optional" and "required". | *optional* | "required" |
| **E2E_POLICY_MUC** | Policy for MUC messages. Possible values: "none", "optional" and "required". | *optional* | "required" | | **E2E_POLICY_MUC** | Policy for MUC messages. Possible values: "none", "optional" and "required". | *optional* | "required" |
| **E2E_POLICY_WHITELIST** | Make this module ignore messages sent to and from this JIDs or MUCs. | *optional* | "" | | **E2E_POLICY_WHITELIST** | Make this module ignore messages sent to and from this JIDs or MUCs. | *optional* | "" |
@ -242,6 +246,8 @@ sudo chown 999:999 ./data
| **SERVER_CONTACT_INFO_SECURITY** | A list of strings. Each string should be an URI. See [here](https://prosody.im/doc/modules/mod_server_contact_info). | *optional* | "xmpp:security@**DOMAIN**" | | **SERVER_CONTACT_INFO_SECURITY** | A list of strings. Each string should be an URI. See [here](https://prosody.im/doc/modules/mod_server_contact_info). | *optional* | "xmpp:security@**DOMAIN**" |
| **SERVER_CONTACT_INFO_SUPPORT** | A list of strings. Each string should be an URI. See [here](https://prosody.im/doc/modules/mod_server_contact_info). | *optional* | "xmpp:support@**DOMAIN**" | | **SERVER_CONTACT_INFO_SUPPORT** | A list of strings. Each string should be an URI. See [here](https://prosody.im/doc/modules/mod_server_contact_info). | *optional* | "xmpp:support@**DOMAIN**" |
| **PROSODY_ADMINS** | Specify who is an administrator. List of adresses. Eg. "me@example.com", "admin@example.net" | *optional* | "" | | **PROSODY_ADMINS** | Specify who is an administrator. List of adresses. Eg. "me@example.com", "admin@example.net" | *optional* | "" |
| **ENABLE_FIREWALL** | Enable Firewall module | *optional* | false |
| **SPAM_BLOCKLIST** | Blacklist to use with Firewall module. Eg. "custom-blocklist.pfw" | *optional* | |
#### DNS #### DNS
@ -262,7 +268,7 @@ There is a helper script that eases installing additional prosody modules: ```do
It downloads the current [prosody-modules](https://hg.prosody.im/prosody-modules/) repository. The specified modules are copied and its name is added to the ```modules_enabled``` variable within ```conf.d/01-modules.cfg.lua```. It downloads the current [prosody-modules](https://hg.prosody.im/prosody-modules/) repository. The specified modules are copied and its name is added to the ```modules_enabled``` variable within ```conf.d/01-modules.cfg.lua```.
There is also ```docker-prosody-module-copy``` which copies the specified modules but does not add them to the ```modules_enabled``` variable within ```conf.d/01-modules.cfg.lua```. There is also ```docker-prosody-module-pre-install.bash``` which downloads the specified modules but does not add them to the ```modules_enabled``` variable within ```conf.d/01-modules.cfg.lua```. In fact, this script is in charge of pre-installing the Firewall module.
If you need additional configuration just overwrite the respective _cfg.lua_ file or add new ones. If you need additional configuration just overwrite the respective _cfg.lua_ file or add new ones.
@ -277,16 +283,16 @@ prosodyctl mod_storage_sql upgrade
## Matterbridge ## Matterbridge
To enable bridges using **Matterbridge** simply add the service in the docker-compose.yml file. Then you need to add _toml_ config file in ```matterbridge``` directory spedifying protocols and gateways. Check [documentation](https://github.com/42wim/matterbridge#readme). To enable bridges using **Matterbridge** simply add the service in the docker-compose.yml file. Then you need to add _toml_ config file in ```matterbridge``` directory spedifying protocols and gateways. Check the [documentation](https://github.com/42wim/matterbridge#readme) for more information.
``` yaml ``` yaml
matterbridge: matterbridge:
image: 42wim/matterbridge:latest image: 42wim/matterbridge:latest
restart: unless-stopped restart: unless-stopped
volumes: volumes:
- ./matterbridge/matterbridge.toml:/etc/matterbridge/matterbridge.toml:ro - ./extras/matterbridge/matterbridge.toml:/etc/matterbridge/matterbridge.toml:ro
- ./matterbridge/nicks.tengo:/etc/matterbridge/nicks.tengo:ro - ./extras/matterbridge/nicks.tengo:/etc/matterbridge/nicks.tengo:ro
- ./matterbridge/out.tengo:/etc/matterbridge/out.tengo:ro - ./extras/matterbridge/out.tengo:/etc/matterbridge/out.tengo:ro
depends_on: depends_on:
- server - server