904 lines
29 KiB
Bash
904 lines
29 KiB
Bash
#!/bin/sh
|
|
sqldb="ejabberd"
|
|
sqlusername="ejabberd"
|
|
ejabberdtlsdir="/var/lib/ejabberd"
|
|
|
|
pacman -S --noconfirm ejabberd
|
|
|
|
read -p "Enter your domain: " domain
|
|
|
|
domains=("conference.$domain" "proxy.$domain" "pubsub.$domain" "upload.$domain")
|
|
certdirs=("/etc/letsencrypt/live/$domain" "/etc/letsencrypt/live/${domains[0]}" "/etc/letsencrypt/live/${domains[1]}" "/etc/letsencrypt/live/${domains[2]}" "/etc/letsencrypt/live/${domains[3]}")
|
|
ejabberdcertdirs=("${ejabberdtlsdir}/${domain}.pem" "${ejabberdtlsdir}/${domains[0]}.pem" "${ejabberdtlsdir}/${domains[1]}.pem" "${ejabberdtlsdir}/${domains[2]}.pem" "${ejabberdtlsdir}/${domains[3]}.pem")
|
|
|
|
index=0
|
|
|
|
# try to find any existing certificates for the various vhosts required by
|
|
# ejabberd, otherwise retrieve them via certbot
|
|
for vhost in ${domains[@]}; do # for each vhost
|
|
[ ! -d "${certdirs[$index]}" ] && # if default cert dir for the vhost doesn't exist
|
|
certdirs[$index]=$(certbot certificates 2>/dev/null | grep "Domains:.* \(\*\.$domain\|$vhost\)\(\s\|$\)" -A 2 | awk '/Certificate Path/ {print $3}' | head -n1) # set cert dir for certificate
|
|
((index++))
|
|
|
|
[ ! -d "${certdirs[$index]}" ] && # if there is no certificate for the domain
|
|
if systemctl is-active --quiet nginx
|
|
then
|
|
pacman -S --noconfirm certbot-nginx
|
|
certbot -d "$vhost" certonly --nginx --register-unsafely-without-email --agree-tos &&
|
|
certdirs[$index]="/etc/letsencrypt/live/$vhost" # request cert with nginx
|
|
else
|
|
pacman -S --noconfirm certbot
|
|
certbot -d "$vhost" certonly --standalone --register-unsafely-without-email --agree-tos &&
|
|
certdirs[$index]="/etc/letsencrypt/live/$vhost" # request cert with certbot
|
|
fi
|
|
[ ! -d "${certdirs[$index]}" ] && echo "Error locating or installing SSL certificate." && exit 1
|
|
done
|
|
|
|
read -p "Enter the username for the admin user: " adminusername
|
|
while read -p "$adminusername@$domain is this correct? (y/n): " confirm; do
|
|
if [ "$confirm" == "y" ]; then
|
|
break
|
|
else
|
|
read -p "Enter the username for the admin user: " adminusername
|
|
continue
|
|
fi
|
|
done
|
|
|
|
read -p "Enter the password for the ejabberd SQL user: " sqlpassword
|
|
while read -p "$sqlpassword is this correct? (y/n): " confirm; do
|
|
if [ "$confirm" == "y" ]; then
|
|
break
|
|
else
|
|
read -p "Enter the password for the ejabberd SQL user: " sqlpassword
|
|
continue
|
|
fi
|
|
done
|
|
|
|
index=0
|
|
|
|
echo "Creating ejabberd TLS cert files..." # we have to create special TLS
|
|
# certs just for ejabberd because
|
|
# it's a special snowflake who
|
|
# reads the guardian
|
|
for vhost in ${certdirs[@]}; do # for each vhost
|
|
# concatenate the private key and fullchain into one file
|
|
cat ${certdirs[$index]}/privkey.pem ${certdirs[$index]}/fullchain.pem > ${ejabberdtlsdir}/${vhost}.pem
|
|
# update file perms
|
|
chown jabber:jabber ${ejabberdtlsdir}/${vhost}.pem
|
|
chmod 700 ${ejabberdtlsdir}/${vhost}.pem
|
|
done
|
|
|
|
echo "Setting up ejabberd SQL database..."
|
|
|
|
mariadb -e "CREATE DATABASE $sqldb; CREATE USER $sqlusername@localhost IDENTIFIED BY '$sqlpassword'; GRANT ALL ON ejabberd.* TO $sqlusername@localhost"
|
|
|
|
echo """
|
|
--
|
|
-- ejabberd, Copyright (C) 2002-2023 ProcessOne
|
|
--
|
|
-- This program is free software; you can redistribute it and/or
|
|
-- modify it under the terms of the GNU General Public License as
|
|
-- published by the Free Software Foundation; either version 2 of the
|
|
-- License, or (at your option) any later version.
|
|
--
|
|
-- This program is distributed in the hope that it will be useful,
|
|
-- but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
-- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
-- General Public License for more details.
|
|
--
|
|
-- You should have received a copy of the GNU General Public License along
|
|
-- with this program; if not, write to the Free Software Foundation, Inc.,
|
|
-- 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
--
|
|
|
|
CREATE TABLE users (
|
|
username varchar(191) PRIMARY KEY,
|
|
password text NOT NULL,
|
|
serverkey varchar(128) NOT NULL DEFAULT '',
|
|
salt varchar(128) NOT NULL DEFAULT '',
|
|
iterationcount integer NOT NULL DEFAULT 0,
|
|
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
-- Add support for SCRAM auth to a database created before ejabberd 16.03:
|
|
-- ALTER TABLE users ADD COLUMN serverkey varchar(64) NOT NULL DEFAULT '';
|
|
-- ALTER TABLE users ADD COLUMN salt varchar(64) NOT NULL DEFAULT '';
|
|
-- ALTER TABLE users ADD COLUMN iterationcount integer NOT NULL DEFAULT 0;
|
|
|
|
CREATE TABLE last (
|
|
username varchar(191) PRIMARY KEY,
|
|
seconds text NOT NULL,
|
|
state text NOT NULl
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
|
|
CREATE TABLE rosterusers (
|
|
username varchar(191) NOT NULL,
|
|
jid varchar(191) NOT NULL,
|
|
nick text NOT NULL,
|
|
subscription character(1) NOT NULL,
|
|
ask character(1) NOT NULL,
|
|
askmessage text NOT NULL,
|
|
server character(1) NOT NULL,
|
|
subscribe text NOT NULL,
|
|
type text,
|
|
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE UNIQUE INDEX i_rosteru_user_jid ON rosterusers(username(75), jid(75));
|
|
CREATE INDEX i_rosteru_jid ON rosterusers(jid);
|
|
|
|
CREATE TABLE rostergroups (
|
|
username varchar(191) NOT NULL,
|
|
jid varchar(191) NOT NULL,
|
|
grp text NOT NULL
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE INDEX pk_rosterg_user_jid ON rostergroups(username(75), jid(75));
|
|
|
|
CREATE TABLE sr_group (
|
|
name varchar(191) NOT NULL,
|
|
opts text NOT NULL,
|
|
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE UNIQUE INDEX i_sr_group_name ON sr_group(name);
|
|
|
|
CREATE TABLE sr_user (
|
|
jid varchar(191) NOT NULL,
|
|
grp varchar(191) NOT NULL,
|
|
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE UNIQUE INDEX i_sr_user_jid_group ON sr_user(jid(75), grp(75));
|
|
CREATE INDEX i_sr_user_grp ON sr_user(grp);
|
|
|
|
CREATE TABLE spool (
|
|
username varchar(191) NOT NULL,
|
|
xml mediumtext NOT NULL,
|
|
seq BIGINT UNSIGNED NOT NULL AUTO_INCREMENT UNIQUE,
|
|
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE INDEX i_despool USING BTREE ON spool(username);
|
|
CREATE INDEX i_spool_created_at USING BTREE ON spool(created_at);
|
|
|
|
CREATE TABLE archive (
|
|
username varchar(191) NOT NULL,
|
|
timestamp BIGINT UNSIGNED NOT NULL,
|
|
peer varchar(191) NOT NULL,
|
|
bare_peer varchar(191) NOT NULL,
|
|
xml mediumtext NOT NULL,
|
|
txt mediumtext,
|
|
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT UNIQUE,
|
|
kind varchar(10),
|
|
nick varchar(191),
|
|
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE FULLTEXT INDEX i_text ON archive(txt);
|
|
CREATE INDEX i_username_timestamp USING BTREE ON archive(username(191), timestamp);
|
|
CREATE INDEX i_username_peer USING BTREE ON archive(username(191), peer(191));
|
|
CREATE INDEX i_username_bare_peer USING BTREE ON archive(username(191), bare_peer(191));
|
|
CREATE INDEX i_timestamp USING BTREE ON archive(timestamp);
|
|
|
|
CREATE TABLE archive_prefs (
|
|
username varchar(191) NOT NULL PRIMARY KEY,
|
|
def text NOT NULL,
|
|
always text NOT NULL,
|
|
never text NOT NULL,
|
|
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE TABLE vcard (
|
|
username varchar(191) PRIMARY KEY,
|
|
vcard mediumtext NOT NULL,
|
|
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE TABLE vcard_search (
|
|
username varchar(191) NOT NULL,
|
|
lusername varchar(191) PRIMARY KEY,
|
|
fn text NOT NULL,
|
|
lfn varchar(191) NOT NULL,
|
|
family text NOT NULL,
|
|
lfamily varchar(191) NOT NULL,
|
|
given text NOT NULL,
|
|
lgiven varchar(191) NOT NULL,
|
|
middle text NOT NULL,
|
|
lmiddle varchar(191) NOT NULL,
|
|
nickname text NOT NULL,
|
|
lnickname varchar(191) NOT NULL,
|
|
bday text NOT NULL,
|
|
lbday varchar(191) NOT NULL,
|
|
ctry text NOT NULL,
|
|
lctry varchar(191) NOT NULL,
|
|
locality text NOT NULL,
|
|
llocality varchar(191) NOT NULL,
|
|
email text NOT NULL,
|
|
lemail varchar(191) NOT NULL,
|
|
orgname text NOT NULL,
|
|
lorgname varchar(191) NOT NULL,
|
|
orgunit text NOT NULL,
|
|
lorgunit varchar(191) NOT NULL
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE INDEX i_vcard_search_lfn ON vcard_search(lfn);
|
|
CREATE INDEX i_vcard_search_lfamily ON vcard_search(lfamily);
|
|
CREATE INDEX i_vcard_search_lgiven ON vcard_search(lgiven);
|
|
CREATE INDEX i_vcard_search_lmiddle ON vcard_search(lmiddle);
|
|
CREATE INDEX i_vcard_search_lnickname ON vcard_search(lnickname);
|
|
CREATE INDEX i_vcard_search_lbday ON vcard_search(lbday);
|
|
CREATE INDEX i_vcard_search_lctry ON vcard_search(lctry);
|
|
CREATE INDEX i_vcard_search_llocality ON vcard_search(llocality);
|
|
CREATE INDEX i_vcard_search_lemail ON vcard_search(lemail);
|
|
CREATE INDEX i_vcard_search_lorgname ON vcard_search(lorgname);
|
|
CREATE INDEX i_vcard_search_lorgunit ON vcard_search(lorgunit);
|
|
|
|
CREATE TABLE privacy_default_list (
|
|
username varchar(191) PRIMARY KEY,
|
|
name varchar(191) NOT NULL
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE TABLE privacy_list (
|
|
username varchar(191) NOT NULL,
|
|
name varchar(191) NOT NULL,
|
|
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT UNIQUE,
|
|
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE UNIQUE INDEX i_privacy_list_username_name USING BTREE ON privacy_list (username(75), name(75));
|
|
|
|
CREATE TABLE privacy_list_data (
|
|
id bigint,
|
|
t character(1) NOT NULL,
|
|
value text NOT NULL,
|
|
action character(1) NOT NULL,
|
|
ord NUMERIC NOT NULL,
|
|
match_all boolean NOT NULL,
|
|
match_iq boolean NOT NULL,
|
|
match_message boolean NOT NULL,
|
|
match_presence_in boolean NOT NULL,
|
|
match_presence_out boolean NOT NULL
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE INDEX i_privacy_list_data_id ON privacy_list_data(id);
|
|
|
|
CREATE TABLE private_storage (
|
|
username varchar(191) NOT NULL,
|
|
namespace varchar(191) NOT NULL,
|
|
data text NOT NULL,
|
|
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE UNIQUE INDEX i_private_storage_username_namespace USING BTREE ON private_storage(username(75), namespace(75));
|
|
|
|
-- Not tested in mysql
|
|
CREATE TABLE roster_version (
|
|
username varchar(191) PRIMARY KEY,
|
|
version text NOT NULL
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
-- To update from 1.x:
|
|
-- ALTER TABLE rosterusers ADD COLUMN askmessage text AFTER ask;
|
|
-- UPDATE rosterusers SET askmessage = '';
|
|
-- ALTER TABLE rosterusers ALTER COLUMN askmessage SET NOT NULL;
|
|
|
|
CREATE TABLE pubsub_node (
|
|
host text NOT NULL,
|
|
node text NOT NULL,
|
|
parent VARCHAR(191) NOT NULL DEFAULT '',
|
|
plugin text NOT NULL,
|
|
nodeid bigint auto_increment primary key
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
CREATE INDEX i_pubsub_node_parent ON pubsub_node(parent(120));
|
|
CREATE UNIQUE INDEX i_pubsub_node_tuple ON pubsub_node(host(71), node(120));
|
|
|
|
CREATE TABLE pubsub_node_option (
|
|
nodeid bigint,
|
|
name text NOT NULL,
|
|
val text NOT NULL
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
CREATE INDEX i_pubsub_node_option_nodeid ON pubsub_node_option(nodeid);
|
|
ALTER TABLE \`pubsub_node_option\` ADD FOREIGN KEY (\`nodeid\`) REFERENCES \`pubsub_node\` (\`nodeid\`) ON DELETE CASCADE;
|
|
|
|
CREATE TABLE pubsub_node_owner (
|
|
nodeid bigint,
|
|
owner text NOT NULL
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
CREATE INDEX i_pubsub_node_owner_nodeid ON pubsub_node_owner(nodeid);
|
|
ALTER TABLE \`pubsub_node_owner\` ADD FOREIGN KEY (\`nodeid\`) REFERENCES \`pubsub_node\` (\`nodeid\`) ON DELETE CASCADE;
|
|
|
|
CREATE TABLE pubsub_state (
|
|
nodeid bigint,
|
|
jid text NOT NULL,
|
|
affiliation character(1),
|
|
subscriptions VARCHAR(191) NOT NULL DEFAULT '',
|
|
stateid bigint auto_increment primary key
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
CREATE INDEX i_pubsub_state_jid ON pubsub_state(jid(60));
|
|
CREATE UNIQUE INDEX i_pubsub_state_tuple ON pubsub_state(nodeid, jid(60));
|
|
ALTER TABLE \`pubsub_state\` ADD FOREIGN KEY (\`nodeid\`) REFERENCES \`pubsub_node\` (\`nodeid\`) ON DELETE CASCADE;
|
|
|
|
CREATE TABLE pubsub_item (
|
|
nodeid bigint,
|
|
itemid text NOT NULL,
|
|
publisher text NOT NULL,
|
|
creation varchar(32) NOT NULL,
|
|
modification varchar(32) NOT NULL,
|
|
payload mediumtext NOT NULL
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
CREATE INDEX i_pubsub_item_itemid ON pubsub_item(itemid(36));
|
|
CREATE UNIQUE INDEX i_pubsub_item_tuple ON pubsub_item(nodeid, itemid(36));
|
|
ALTER TABLE \`pubsub_item\` ADD FOREIGN KEY (\`nodeid\`) REFERENCES \`pubsub_node\` (\`nodeid\`) ON DELETE CASCADE;
|
|
|
|
CREATE TABLE pubsub_subscription_opt (
|
|
subid text NOT NULL,
|
|
opt_name varchar(32),
|
|
opt_value text NOT NULL
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
CREATE UNIQUE INDEX i_pubsub_subscription_opt ON pubsub_subscription_opt(subid(32), opt_name(32));
|
|
|
|
CREATE TABLE muc_room (
|
|
name text NOT NULL,
|
|
host text NOT NULL,
|
|
opts mediumtext NOT NULL,
|
|
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE UNIQUE INDEX i_muc_room_name_host USING BTREE ON muc_room(name(75), host(75));
|
|
CREATE INDEX i_muc_room_host_created_at ON muc_room(host(75), created_at);
|
|
|
|
CREATE TABLE muc_registered (
|
|
jid text NOT NULL,
|
|
host text NOT NULL,
|
|
nick text NOT NULL,
|
|
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE INDEX i_muc_registered_nick USING BTREE ON muc_registered(nick(75));
|
|
CREATE UNIQUE INDEX i_muc_registered_jid_host USING BTREE ON muc_registered(jid(75), host(75));
|
|
|
|
CREATE TABLE muc_online_room (
|
|
name text NOT NULL,
|
|
host text NOT NULL,
|
|
node text NOT NULL,
|
|
pid text NOT NULL
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE UNIQUE INDEX i_muc_online_room_name_host USING BTREE ON muc_online_room(name(75), host(75));
|
|
|
|
CREATE TABLE muc_online_users (
|
|
username text NOT NULL,
|
|
server text NOT NULL,
|
|
resource text NOT NULL,
|
|
name text NOT NULL,
|
|
host text NOT NULL,
|
|
node text NOT NULL
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE UNIQUE INDEX i_muc_online_users USING BTREE ON muc_online_users(username(75), server(75), resource(75), name(75), host(75));
|
|
|
|
CREATE TABLE muc_room_subscribers (
|
|
room varchar(191) NOT NULL,
|
|
host varchar(191) NOT NULL,
|
|
jid varchar(191) NOT NULL,
|
|
nick text NOT NULL,
|
|
nodes text NOT NULL,
|
|
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
|
|
UNIQUE KEY i_muc_room_subscribers_host_room_jid (host, room, jid)
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE INDEX i_muc_room_subscribers_host_jid USING BTREE ON muc_room_subscribers(host, jid);
|
|
CREATE INDEX i_muc_room_subscribers_jid USING BTREE ON muc_room_subscribers(jid);
|
|
|
|
CREATE TABLE motd (
|
|
username varchar(191) PRIMARY KEY,
|
|
xml text,
|
|
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE TABLE caps_features (
|
|
node varchar(191) NOT NULL,
|
|
subnode varchar(191) NOT NULL,
|
|
feature text,
|
|
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE INDEX i_caps_features_node_subnode ON caps_features(node(75), subnode(75));
|
|
|
|
CREATE TABLE sm (
|
|
usec bigint NOT NULL,
|
|
pid text NOT NULL,
|
|
node text NOT NULL,
|
|
username varchar(191) NOT NULL,
|
|
resource varchar(191) NOT NULL,
|
|
priority text NOT NULL,
|
|
info text NOT NULL
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE UNIQUE INDEX i_sid ON sm(usec, pid(75));
|
|
CREATE INDEX i_node ON sm(node(75));
|
|
CREATE INDEX i_username ON sm(username);
|
|
|
|
CREATE TABLE oauth_token (
|
|
token varchar(191) NOT NULL PRIMARY KEY,
|
|
jid text NOT NULL,
|
|
scope text NOT NULL,
|
|
expire bigint NOT NULL
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE TABLE oauth_client (
|
|
client_id varchar(191) NOT NULL PRIMARY KEY,
|
|
client_name text NOT NULL,
|
|
grant_type text NOT NULL,
|
|
options text NOT NULL
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE TABLE route (
|
|
domain text NOT NULL,
|
|
server_host text NOT NULL,
|
|
node text NOT NULL,
|
|
pid text NOT NULL,
|
|
local_hint text NOT NULL
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE UNIQUE INDEX i_route ON route(domain(75), server_host(75), node(75), pid(75));
|
|
|
|
CREATE TABLE bosh (
|
|
sid text NOT NULL,
|
|
node text NOT NULL,
|
|
pid text NOT NULL
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE UNIQUE INDEX i_bosh_sid ON bosh(sid(75));
|
|
|
|
CREATE TABLE proxy65 (
|
|
sid text NOT NULL,
|
|
pid_t text NOT NULL,
|
|
pid_i text NOT NULL,
|
|
node_t text NOT NULL,
|
|
node_i text NOT NULL,
|
|
jid_i text NOT NULL
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE UNIQUE INDEX i_proxy65_sid ON proxy65 (sid(191));
|
|
CREATE INDEX i_proxy65_jid ON proxy65 (jid_i(191));
|
|
|
|
CREATE TABLE push_session (
|
|
username text NOT NULL,
|
|
timestamp bigint NOT NULL,
|
|
service text NOT NULL,
|
|
node text NOT NULL,
|
|
xml text NOT NULL
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE UNIQUE INDEX i_push_usn ON push_session (username(191), service(191), node(191));
|
|
CREATE UNIQUE INDEX i_push_ut ON push_session (username(191), timestamp);
|
|
|
|
CREATE TABLE mix_channel (
|
|
channel text NOT NULL,
|
|
service text NOT NULL,
|
|
username text NOT NULL,
|
|
domain text NOT NULL,
|
|
jid text NOT NULL,
|
|
hidden boolean NOT NULL,
|
|
hmac_key text NOT NULL,
|
|
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE UNIQUE INDEX i_mix_channel ON mix_channel (channel(191), service(191));
|
|
CREATE INDEX i_mix_channel_serv ON mix_channel (service(191));
|
|
|
|
CREATE TABLE mix_participant (
|
|
channel text NOT NULL,
|
|
service text NOT NULL,
|
|
username text NOT NULL,
|
|
domain text NOT NULL,
|
|
jid text NOT NULL,
|
|
id text NOT NULL,
|
|
nick text NOT NULL,
|
|
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE UNIQUE INDEX i_mix_participant ON mix_participant (channel(191), service(191), username(191), domain(191));
|
|
|
|
CREATE TABLE mix_subscription (
|
|
channel text NOT NULL,
|
|
service text NOT NULL,
|
|
username text NOT NULL,
|
|
domain text NOT NULL,
|
|
node text NOT NULL,
|
|
jid text NOT NULL
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE UNIQUE INDEX i_mix_subscription ON mix_subscription (channel(153), service(153), username(153), domain(153), node(153));
|
|
CREATE INDEX i_mix_subscription_chan_serv_node ON mix_subscription (channel(191), service(191), node(191));
|
|
|
|
CREATE TABLE mix_pam (
|
|
username text NOT NULL,
|
|
channel text NOT NULL,
|
|
service text NOT NULL,
|
|
id text NOT NULL,
|
|
created_at timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
|
|
|
|
CREATE UNIQUE INDEX i_mix_pam ON mix_pam (username(191), channel(191), service(191));
|
|
|
|
CREATE TABLE mqtt_pub (
|
|
username varchar(191) NOT NULL,
|
|
resource varchar(191) NOT NULL,
|
|
topic text NOT NULL,
|
|
qos tinyint NOT NULL,
|
|
payload blob NOT NULL,
|
|
payload_format tinyint NOT NULL,
|
|
content_type text NOT NULL,
|
|
response_topic text NOT NULL,
|
|
correlation_data blob NOT NULL,
|
|
user_properties blob NOT NULL,
|
|
expiry int unsigned NOT NULL,
|
|
UNIQUE KEY i_mqtt_topic (topic(191))
|
|
) ENGINE=InnoDB CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;""" | mariadb -D $sqldb
|
|
|
|
if [ ! -f /etc/ssl/dh2048.pem ]
|
|
then
|
|
echo "Generating dhfile..."
|
|
openssl dhparam -out /etc/ssl/dh2048.pem 2048
|
|
fi
|
|
|
|
echo "HTTP uploads in XMPP are stored on the server itself. There are many
|
|
different parameters you can configure with respect to HTTP uploads. A soft
|
|
quota can be set per user, along with a hard quota. After the hard quota is
|
|
exceeded, files are deleted from the oldest until the total size of files the
|
|
user has on the server is less than the soft quota."
|
|
|
|
read -p "What soft quota would you like to set per user? (MB): " softquota
|
|
while read -p "$softquota MB is this correct? (y/n): " confirm; do
|
|
if [ "$confirm" == "y" ]; then
|
|
break
|
|
else
|
|
read -p "What soft quota would you like to set per user? (MB): " softquota
|
|
continue
|
|
fi
|
|
done
|
|
|
|
read -p "What hard quota would you like to set per user? (MB): " hardquota
|
|
while read -p "$hardquota MB is this correct? (y/n): " confirm; do
|
|
if [ "$confirm" == "y" ]; then
|
|
break
|
|
else
|
|
read -p "What hard quota would you like to set per user? (MB): " hardquota
|
|
continue
|
|
fi
|
|
done
|
|
|
|
echo "Installing ejabberd config file..."
|
|
|
|
echo """
|
|
###
|
|
### ejabberd configuration file
|
|
###
|
|
### The parameters used in this configuration file are explained at
|
|
###
|
|
### https://docs.ejabberd.im/admin/configuration
|
|
###
|
|
### The configuration file is written in YAML.
|
|
### *******************************************************
|
|
### ******* !!! WARNING !!! *******
|
|
### ******* YAML IS INDENTATION SENSITIVE *******
|
|
### ******* MAKE SURE YOU INDENT SECTIONS CORRECTLY *******
|
|
### *******************************************************
|
|
### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
|
|
###
|
|
|
|
# strict TLS configuration to disable insecure ciphers and TLS versions
|
|
define_macro:
|
|
BACKLOG: 50
|
|
DH_FILE: /etc/ssl/dh2048.pem
|
|
CIPHERS: \"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256\"
|
|
TLS_OPTIONS:
|
|
- \"no_sslv2\"
|
|
- \"no_sslv3\"
|
|
- \"no_tlsv1\"
|
|
- \"no_tlsv1_1\"
|
|
- \"cipher_server_preference\"
|
|
- \"no_compression\"
|
|
|
|
hosts:
|
|
- $domain
|
|
|
|
loglevel: info
|
|
|
|
acme:
|
|
auto: false
|
|
|
|
certfiles:
|
|
- ${ejabberdtlsdirs[0]}
|
|
- ${ejabberdtlsdirs[1]}
|
|
- ${ejabberdtlsdirs[2]}
|
|
- ${ejabberdtlsdirs[3]}
|
|
- ${ejabberdtlsdirs[4]}
|
|
|
|
c2s_ciphers: TLS_CIPHERS
|
|
c2s_protocol_options: TLS_OPTIONS
|
|
c2s_dhfile: DH_FILE
|
|
s2s_ciphers: TLS_CIPHERS
|
|
s2s_protocol_options: TLS_OPTIONS
|
|
s2s_dhfile: DH_FILE
|
|
s2s_use_starttls: required
|
|
|
|
listen:
|
|
-
|
|
port: 5222
|
|
ip: \"::\"
|
|
module: ejabberd_c2s
|
|
max_stanza_size: 262144
|
|
starttls: true
|
|
starttls_required: false
|
|
tls_compression: false
|
|
shaper: c2s_shaper
|
|
access: c2s
|
|
backlog: BACKLOG
|
|
-
|
|
port: 5223
|
|
ip: \"::\"
|
|
tls: true
|
|
backlog: BACKLOG
|
|
module: ejabberd_c2s
|
|
max_stanza_size: 262144
|
|
shaper: c2s_shaper
|
|
access: c2s
|
|
tls_compression: false
|
|
-
|
|
port: 5269
|
|
ip: \"::\"
|
|
module: ejabberd_s2s_in
|
|
max_stanza_size: 524288
|
|
tls_compression: false
|
|
-
|
|
port: 5270
|
|
ip: \"::\"
|
|
backlog: BACKLOG
|
|
module: ejabberd_s2s_in
|
|
max_stanza_size: 524288
|
|
tls_compression: false
|
|
-
|
|
port: 5280
|
|
ip: \"::\"
|
|
module: ejabberd_http
|
|
request_handlers:
|
|
/admin: ejabberd_web_admin
|
|
/.well-known/acme-challenge: ejabberd_acme
|
|
/upload: mod_http_upload
|
|
-
|
|
port: 3478
|
|
ip: \"::\"
|
|
transport: udp
|
|
module: ejabberd_stun
|
|
use_turn: true
|
|
-
|
|
port: 1883
|
|
ip: \"::\"
|
|
module: mod_mqtt
|
|
backlog: 1000
|
|
|
|
auth_method: sql
|
|
default_db: sql
|
|
|
|
sql_type: mysql
|
|
sql_server: \"localhost\"
|
|
sql_database: \"$sqldb\"
|
|
sql_username: \"$sqlusername\"
|
|
sql_password: \"$sqlpassword\"
|
|
|
|
acl:
|
|
admin:
|
|
user: $adminusername@$domain
|
|
local:
|
|
user_regexp: \"\"
|
|
loopback:
|
|
ip:
|
|
- 127.0.0.0/8
|
|
- ::1/128
|
|
|
|
access_rules:
|
|
configure:
|
|
allow: admin # only allow an admin to configure the server
|
|
local:
|
|
allow: local
|
|
c2s:
|
|
allow: all
|
|
deny: blocked
|
|
announce:
|
|
allow: admin # only allow an admin to send announcements
|
|
muc_create:
|
|
allow: admin # only allow an admin to create MUCs
|
|
pubsub_createnode:
|
|
allow: local
|
|
trusted_network:
|
|
allow: loopback
|
|
|
|
api_permissions:
|
|
\"console commands\":
|
|
from:
|
|
- ejabberd_ctl
|
|
who: all
|
|
what: \"*\"
|
|
\"admin access\":
|
|
who:
|
|
access:
|
|
allow:
|
|
- acl: loopback
|
|
- acl: admin
|
|
oauth:
|
|
scope: \"ejabberd:admin\"
|
|
access:
|
|
allow:
|
|
- acl: loopback
|
|
- acl: admin
|
|
what:
|
|
- \"*\"
|
|
- \"!stop\"
|
|
- \"!start\"
|
|
\"public commands\":
|
|
who:
|
|
ip: 127.0.0.1/8
|
|
what:
|
|
- status
|
|
- connected_users_number
|
|
|
|
shaper:
|
|
normal:
|
|
rate: 1000000 # monal (iOS XMPP client) only has 30 seconds to load messages (of which there could be many) from a push notification, hence the high rate
|
|
burst_size: 5000000 # see above
|
|
fast: 50000000
|
|
|
|
shaper_rules:
|
|
max_user_sessions: 10
|
|
max_user_offline_messages:
|
|
5000: admin
|
|
1000: all
|
|
c2s_shaper:
|
|
none: admin
|
|
normal: all
|
|
s2s_shaper: fast
|
|
soft_upload_quota:
|
|
$softquota: all # MB
|
|
hard_upload_quota:
|
|
$hardquota: all # MB
|
|
|
|
modules:
|
|
mod_adhoc: {}
|
|
mod_admin_extra: {}
|
|
mod_announce:
|
|
access: announce
|
|
mod_avatar: {}
|
|
mod_blocking: {}
|
|
mod_bosh: {}
|
|
mod_caps: {}
|
|
mod_carboncopy: {}
|
|
mod_client_state: {}
|
|
mod_configure: {}
|
|
mod_disco: {}
|
|
mod_fail2ban: {}
|
|
mod_http_api: {}
|
|
mod_http_upload:
|
|
put_url: \"https://${domains[3]}/upload/@HOST@\"
|
|
hosts:
|
|
- ${domains[3]}
|
|
custom_headers:
|
|
\"Access-Control-Allow-Origin\": \"*\"
|
|
\"Access-Control-Allow-Methods\": \"GET,HEAD,PUT,OPTIONS\"
|
|
\"Access-Control-Allow-Headers\": \"Content-Type\"
|
|
#mod_http_upload_quota:
|
|
#max_days: 100 # 100 days until content is deleted
|
|
mod_last: {}
|
|
mod_mam:
|
|
## Mnesia is limited to 2GB, better to use an SQL backend
|
|
## For small servers SQLite is a good fit and is very easy
|
|
## to configure. Uncomment this when you have SQL configured:
|
|
db_type: sql
|
|
assume_mam_usage: true
|
|
default: always
|
|
mod_mqtt: {}
|
|
mod_muc:
|
|
access:
|
|
- allow
|
|
access_admin:
|
|
- allow: admin
|
|
access_create: muc_create
|
|
access_persistent: muc_create
|
|
access_mam:
|
|
- allow
|
|
default_room_options:
|
|
mam: true
|
|
mod_muc_admin: {}
|
|
mod_offline:
|
|
access_max_user_messages: max_user_offline_messages
|
|
mod_ping: {}
|
|
mod_privacy: {}
|
|
mod_private: {}
|
|
mod_proxy65:
|
|
access: local
|
|
max_connections: 5
|
|
mod_pubsub:
|
|
access_createnode: pubsub_createnode
|
|
plugins:
|
|
- flat
|
|
- pep
|
|
force_node_config:
|
|
## Avoid buggy clients to make their bookmarks public
|
|
\"eu.siacs.conversations.axolotl.*\":
|
|
access_model: open
|
|
storage:bookmarks:
|
|
access_model: whitelist
|
|
mod_push: {}
|
|
mod_push_keepalive: {}
|
|
mod_register:
|
|
## Only accept registration requests from the \"trusted\"
|
|
## network (see access_rules section above).
|
|
## Think twice before enabling registration from any
|
|
## address. See the Jabber SPAM Manifesto for details:
|
|
## https://github.com/ge0rg/jabber-spam-fighting-manifesto
|
|
ip_access: trusted_network
|
|
mod_roster:
|
|
versioning: true
|
|
mod_s2s_dialback: {}
|
|
mod_shared_roster: {}
|
|
mod_stream_mgmt:
|
|
resend_on_timeout: if_offline
|
|
mod_stun_disco: {}
|
|
mod_vcard: {}
|
|
mod_vcard_xupdate: {}
|
|
mod_version:
|
|
show_os: false
|
|
|
|
### Local Variables:
|
|
### mode: yaml
|
|
### End:
|
|
### vim: set filetype=yaml tabstop=8""" > /etc/ejabberd/ejabberd.yml
|
|
|
|
chown jabber:jabber /etc/ejabberd/ejabberd.yml
|
|
chmod 700 /etc/ejabberd/ejabberd.yml
|
|
|
|
systemctl start ejabberd && systemctl enable ejabberd
|
|
|
|
echo "Installing nginx upload vhost file..."
|
|
|
|
echo "
|
|
server {
|
|
server_name ${domains[3]};
|
|
|
|
listen 443 ssl;
|
|
ssl_certificate ${certdirs[4]}/fullchain.pem;
|
|
ssl_certificate_key ${certdirs[4]}/privkey.pem;
|
|
include /etc/letsencrypt/options-ssl-nginx.conf;
|
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
|
|
|
location /upload {
|
|
proxy_pass http://localhost:5280/upload;
|
|
proxy_set_header Host \$host;
|
|
proxy_set_header X-Real-IP \$remote_addr;
|
|
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto \$scheme;
|
|
}
|
|
|
|
}
|
|
server {
|
|
if (\$host = ${domains[3]}) {
|
|
return 301 https://\$host\$request_uri;
|
|
}
|
|
|
|
|
|
server_name ${domains[3]};
|
|
|
|
listen 80;
|
|
return 404;
|
|
|
|
|
|
}" > /etc/nginx/sites-available/${domains[3]} # direct uploads to ejabberd
|
|
|
|
ln -s /etc/nginx/sites-available/${domains[3]} /etc/nginx/sites-enabled/${domains[3]}
|
|
|
|
systemctl restart nginx
|