summaryrefslogtreecommitdiffstats
path: root/old/modules/tv
diff options
context:
space:
mode:
Diffstat (limited to 'old/modules/tv')
-rw-r--r--old/modules/tv/base-cac-CentOS-7-64bit.nix27
-rw-r--r--old/modules/tv/base.nix16
-rw-r--r--old/modules/tv/config/consul-client.nix9
-rw-r--r--old/modules/tv/config/consul-server.nix22
-rw-r--r--old/modules/tv/consul/default.nix121
-rw-r--r--old/modules/tv/ejabberd.nix867
-rw-r--r--old/modules/tv/environment.nix93
-rw-r--r--old/modules/tv/exim-retiolum.nix126
-rw-r--r--old/modules/tv/exim-smarthost.nix474
-rw-r--r--old/modules/tv/git/cgit.nix93
-rw-r--r--old/modules/tv/git/config.nix272
-rw-r--r--old/modules/tv/git/default.nix27
-rw-r--r--old/modules/tv/git/options.nix93
-rw-r--r--old/modules/tv/git/public.nix82
-rw-r--r--old/modules/tv/identity/default.nix71
-rw-r--r--old/modules/tv/iptables/config.nix93
-rw-r--r--old/modules/tv/iptables/default.nix11
-rw-r--r--old/modules/tv/iptables/options.nix29
-rw-r--r--old/modules/tv/nginx/config.nix49
-rw-r--r--old/modules/tv/nginx/default.nix11
-rw-r--r--old/modules/tv/nginx/options.nix21
-rw-r--r--old/modules/tv/retiolum/config.nix130
-rw-r--r--old/modules/tv/retiolum/default.nix11
-rw-r--r--old/modules/tv/retiolum/options.nix87
-rw-r--r--old/modules/tv/sanitize.nix12
-rw-r--r--old/modules/tv/smartd.nix17
-rw-r--r--old/modules/tv/synaptics.nix14
-rw-r--r--old/modules/tv/urlwatch/default.nix158
-rw-r--r--old/modules/tv/urxvt.nix24
-rw-r--r--old/modules/tv/users/default.nix67
-rw-r--r--old/modules/tv/xserver.nix40
31 files changed, 3167 insertions, 0 deletions
diff --git a/old/modules/tv/base-cac-CentOS-7-64bit.nix b/old/modules/tv/base-cac-CentOS-7-64bit.nix
new file mode 100644
index 000000000..42ab481b3
--- /dev/null
+++ b/old/modules/tv/base-cac-CentOS-7-64bit.nix
@@ -0,0 +1,27 @@
+{ config, pkgs, ... }:
+
+{
+ boot.loader.grub.device = "/dev/sda";
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "vmw_pvscsi"
+ ];
+
+ fileSystems."/" = {
+ device = "/dev/centos/root";
+ fsType = "xfs";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/sda1";
+ fsType = "xfs";
+ };
+
+ swapDevices = [
+ { device = "/dev/centos/swap"; }
+ ];
+}
+
diff --git a/old/modules/tv/base.nix b/old/modules/tv/base.nix
new file mode 100644
index 000000000..94f3609cc
--- /dev/null
+++ b/old/modules/tv/base.nix
@@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+
+{
+ time.timeZone = "Europe/Berlin";
+
+ # TODO check if both are required:
+ nix.chrootDirs = [ "/etc/protocols" pkgs.iana_etc.outPath ];
+
+ nix.trustedBinaryCaches = [
+ "https://cache.nixos.org"
+ "http://cache.nixos.org"
+ "http://hydra.nixos.org"
+ ];
+
+ nix.useChroot = true;
+}
diff --git a/old/modules/tv/config/consul-client.nix b/old/modules/tv/config/consul-client.nix
new file mode 100644
index 000000000..0a8bf4d75
--- /dev/null
+++ b/old/modules/tv/config/consul-client.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+
+{
+ imports = [ ./consul-server.nix ];
+
+ tv.consul = {
+ server = pkgs.lib.mkForce false;
+ };
+}
diff --git a/old/modules/tv/config/consul-server.nix b/old/modules/tv/config/consul-server.nix
new file mode 100644
index 000000000..4cedbd349
--- /dev/null
+++ b/old/modules/tv/config/consul-server.nix
@@ -0,0 +1,22 @@
+{ config, ... }:
+
+{
+ imports = [ ../../tv/consul ];
+ tv.consul = rec {
+ enable = true;
+
+ inherit (config.tv.identity) self;
+ inherit (self) dc;
+
+ server = true;
+
+ hosts = with config.tv.identity.hosts; [
+ # TODO get this list automatically from each host where tv.consul.enable is true
+ cd
+ mkdir
+ nomic
+ rmdir
+ #wu
+ ];
+ };
+}
diff --git a/old/modules/tv/consul/default.nix b/old/modules/tv/consul/default.nix
new file mode 100644
index 000000000..2ee6fb8c2
--- /dev/null
+++ b/old/modules/tv/consul/default.nix
@@ -0,0 +1,121 @@
+{ config, lib, pkgs, ... }:
+
+# if quorum gets lost, then start any node with a config that doesn't contain bootstrap_expect
+# but -bootstrap
+# TODO consul-bootstrap HOST that actually does is
+# TODO tools to inspect state of a cluster in outage state
+
+with builtins;
+with lib;
+let
+ cfg = config.tv.consul;
+
+ out = {
+ imports = [ ../../tv/iptables ];
+ options.tv.consul = api;
+ config = mkIf cfg.enable (mkMerge [
+ imp
+ { tv.iptables.input-retiolum-accept-new-tcp = [ "8300" "8301" ]; }
+ # TODO udp for 8301
+ ]);
+ };
+
+ api = {
+ # TODO inherit (lib) api.options.enable; oder so
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = "enable tv.consul";
+ };
+ dc = mkOption {
+ type = types.unspecified;
+ };
+ hosts = mkOption {
+ type = with types; listOf unspecified;
+ };
+ encrypt-file = mkOption {
+ type = types.str; # TODO path (but not just into store)
+ default = "/etc/consul/encrypt.json";
+ };
+ data-dir = mkOption {
+ type = types.str; # TODO path (but not just into store)
+ default = "/var/lib/consul";
+ };
+ self = mkOption {
+ type = types.unspecified;
+ };
+ server = mkOption {
+ type = types.bool;
+ default = false;
+ };
+ GOMAXPROCS = mkOption {
+ type = types.int;
+ default = cfg.self.cores;
+ };
+ };
+
+ consul-config = {
+ datacenter = cfg.dc;
+ data_dir = cfg.data-dir;
+ log_level = "INFO";
+ #node_name =
+ server = cfg.server;
+ bind_addr = cfg.self.addr; # TODO cfg.addr
+ enable_syslog = true;
+ retry_join = map (getAttr "addr") (filter (host: host.fqdn != cfg.self.fqdn) cfg.hosts);
+ leave_on_terminate = true;
+ } // optionalAttrs cfg.server {
+ bootstrap_expect = length cfg.hosts;
+ leave_on_terminate = false;
+ };
+
+ imp = {
+ environment.systemPackages = with pkgs; [
+ consul
+ ];
+
+ systemd.services.consul = {
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ path = with pkgs; [
+ consul
+ ];
+ environment = {
+ GOMAXPROCS = toString cfg.GOMAXPROCS;
+ };
+ serviceConfig = {
+ PermissionsStartOnly = "true";
+ SyslogIdentifier = "consul";
+ User = user.name;
+ PrivateTmp = "true";
+ Restart = "always";
+ ExecStartPre = pkgs.writeScript "consul-init" ''
+ #! /bin/sh
+ mkdir -p ${cfg.data-dir}
+ chown consul: ${cfg.data-dir}
+ '';
+ ExecStart = pkgs.writeScript "consul-service" ''
+ #! /bin/sh
+ set -euf
+ exec >/dev/null
+ exec consul agent \
+ -config-file=${toFile "consul.json" (toJSON consul-config)} \
+ -config-file=${cfg.encrypt-file} \
+ '';
+ #-node=${cfg.self.fqdn} \
+ #ExecStart = "${tinc}/sbin/tincd -c ${confDir} -d 0 -U ${user} -D";
+ };
+ };
+
+ users.extraUsers = singleton {
+ inherit (user) name uid;
+ };
+ };
+
+ user = {
+ name = "consul";
+ uid = 2983239726; # genid consul
+ };
+
+in
+out
diff --git a/old/modules/tv/ejabberd.nix b/old/modules/tv/ejabberd.nix
new file mode 100644
index 000000000..54a9aad0f
--- /dev/null
+++ b/old/modules/tv/ejabberd.nix
@@ -0,0 +1,867 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+
+ inherit (pkgs) ejabberd writeScript writeScriptBin utillinux;
+ inherit (lib) makeSearchPath;
+
+ cfg = config.services.ejabberd-cd;
+
+ # XXX this is a placeholder that happens to work the default strings.
+ toErlang = builtins.toJSON;
+
+in
+
+{
+
+ ####### interface
+
+ options = {
+
+ services.ejabberd-cd = {
+
+ enable = mkOption {
+ default = false;
+ description = "Whether to enable ejabberd server";
+ };
+
+ certFile = mkOption {
+ # TODO if it's types.path then it gets copied to /nix/store with
+ # bad unsafe permissions...
+ type = types.string;
+ default = "/etc/ejabberd/ejabberd.pem";
+ description = ''
+ TODO
+ '';
+ };
+
+ config = mkOption {
+ type = types.string;
+ default = "";
+ description = ''
+ TODO
+ '';
+ };
+
+ user = mkOption {
+ type = types.string;
+ default = "ejabberd";
+ description = ''
+ TODO
+ '';
+ };
+
+ group = mkOption {
+ type = types.string;
+ default = "ejabberd";
+ description = ''
+ TODO
+ '';
+ };
+
+
+ # spoolDir = mkOption {
+ # default = "/var/lib/ejabberd";
+ # description = "Location of the spooldir of ejabberd";
+ # };
+
+ # logsDir = mkOption {
+ # default = "/var/log/ejabberd";
+ # description = "Location of the logfile directory of ejabberd";
+ # };
+
+ # confDir = mkOption {
+ # default = "/var/ejabberd";
+ # description = "Location of the config directory of ejabberd";
+ # };
+
+ # virtualHosts = mkOption {
+ # default = "\"localhost\"";
+ # description = "Virtualhosts that ejabberd should host. Hostnames are surrounded with doublequotes and separated by commas";
+ # };
+
+ # loadDumps = mkOption {
+ # default = [];
+ # description = "Configuration dump that should be loaded on the first startup";
+ # example = literalExample "[ ./myejabberd.dump ]";
+ # };
+
+ # config
+ };
+
+ };
+
+
+ ####### implementation
+
+ config =
+ let
+ my-ejabberdctl = writeScriptBin "ejabberdctl" ''
+ #! /bin/sh
+ set -euf
+ exec env \
+ SPOOLDIR=/var/ejabberd \
+ EJABBERD_CONFIG_PATH=/etc/ejabberd.cfg \
+ ${ejabberd}/bin/ejabberdctl \
+ --logs /var/ejabberd \
+ "$@"
+ '';
+ in
+ mkIf cfg.enable {
+ #environment.systemPackages = [ pkgs.ejabberd ];
+
+ environment = {
+ etc."ejabberd.cfg".text = ''
+ %%%
+ %%% ejabberd configuration file
+ %%%
+ %%%'
+
+ %%% The parameters used in this configuration file are explained in more detail
+ %%% in the ejabberd Installation and Operation Guide.
+ %%% Please consult the Guide in case of doubts, it is included with
+ %%% your copy of ejabberd, and is also available online at
+ %%% http://www.process-one.net/en/ejabberd/docs/
+
+ %%% This configuration file contains Erlang terms.
+ %%% In case you want to understand the syntax, here are the concepts:
+ %%%
+ %%% - The character to comment a line is %
+ %%%
+ %%% - Each term ends in a dot, for example:
+ %%% override_global.
+ %%%
+ %%% - A tuple has a fixed definition, its elements are
+ %%% enclosed in {}, and separated with commas:
+ %%% {loglevel, 4}.
+ %%%
+ %%% - A list can have as many elements as you want,
+ %%% and is enclosed in [], for example:
+ %%% [http_poll, web_admin, tls]
+ %%%
+ %%% - A keyword of ejabberd is a word in lowercase.
+ %%% Strings are enclosed in "" and can contain spaces, dots, ...
+ %%% {language, "en"}.
+ %%% {ldap_rootdn, "dc=example,dc=com"}.
+ %%%
+ %%% - This term includes a tuple, a keyword, a list, and two strings:
+ %%% {hosts, ["jabber.example.net", "im.example.com"]}.
+ %%%
+
+
+ %%%. =======================
+ %%%' OVERRIDE STORED OPTIONS
+
+ %%
+ %% Override the old values stored in the database.
+ %%
+
+ %%
+ %% Override global options (shared by all ejabberd nodes in a cluster).
+ %%
+ %%override_global.
+
+ %%
+ %% Override local options (specific for this particular ejabberd node).
+ %%
+ %%override_local.
+
+ %%
+ %% Remove the Access Control Lists before new ones are added.
+ %%
+ %%override_acls.
+
+
+ %%%. =========
+ %%%' DEBUGGING
+
+ %%
+ %% loglevel: Verbosity of log files generated by ejabberd.
+ %% 0: No ejabberd log at all (not recommended)
+ %% 1: Critical
+ %% 2: Error
+ %% 3: Warning
+ %% 4: Info
+ %% 5: Debug
+ %%
+ {loglevel, 3}.
+
+ %%
+ %% watchdog_admins: Only useful for developers: if an ejabberd process
+ %% consumes a lot of memory, send live notifications to these XMPP
+ %% accounts.
+ %%
+ %%{watchdog_admins, ["bob@example.com"]}.
+
+
+ %%%. ================
+ %%%' SERVED HOSTNAMES
+
+ %%
+ %% hosts: Domains served by ejabberd.
+ %% You can define one or several, for example:
+ %% {hosts, ["example.net", "example.com", "example.org"]}.
+ %%
+ {hosts, ["jabber.viljetic.de"]}.
+
+ %%
+ %% route_subdomains: Delegate subdomains to other XMPP servers.
+ %% For example, if this ejabberd serves example.org and you want
+ %% to allow communication with an XMPP server called im.example.org.
+ %%
+ %%{route_subdomains, s2s}.
+
+
+ %%%. ===============
+ %%%' LISTENING PORTS
+
+ %%
+ %% listen: The ports ejabberd will listen on, which service each is handled
+ %% by and what options to start it with.
+ %%
+ {listen,
+ [
+
+ {5222, ejabberd_c2s, [
+
+ %%
+ %% If TLS is compiled in and you installed a SSL
+ %% certificate, specify the full path to the
+ %% file and uncomment this line:
+ %%
+ starttls,
+ {certfile, ${toErlang cfg.certFile}},
+
+ {access, c2s},
+ {shaper, c2s_shaper},
+ {max_stanza_size, 65536}
+ ]},
+
+ {5269, ejabberd_s2s_in, [
+ {shaper, s2s_shaper},
+ {max_stanza_size, 131072}
+ ]},
+
+ %%
+ %% ejabberd_service: Interact with external components (transports, ...)
+ %%
+ %%{8888, ejabberd_service, [
+ %% {access, all},
+ %% {shaper_rule, fast},
+ %% {ip, {127, 0, 0, 1}},
+ %% {hosts, ["icq.example.org", "sms.example.org"],
+ %% [{password, "secret"}]
+ %% }
+ %% ]},
+
+ %%
+ %% ejabberd_stun: Handles STUN Binding requests
+ %%
+ %%{{3478, udp}, ejabberd_stun, []},
+
+ {5280, ejabberd_http, [
+ %%{request_handlers,
+ %% [
+ %% {["pub", "archive"], mod_http_fileserver}
+ %% ]},
+ captcha,
+ http_bind,
+ http_poll,
+ %%register,
+ web_admin
+ ]}
+
+ ]}.
+
+ %%
+ %% s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
+ %% Allowed values are: false optional required required_trusted
+ %% You must specify a certificate file.
+ %%
+ {s2s_use_starttls, required}.
+
+ %%
+ %% s2s_certfile: Specify a certificate file.
+ %%
+ {s2s_certfile, ${toErlang cfg.certFile}}.
+
+ %%
+ %% domain_certfile: Specify a different certificate for each served hostname.
+ %%
+ %%{domain_certfile, "example.org", "/path/to/example_org.pem"}.
+ %%{domain_certfile, "example.com", "/path/to/example_com.pem"}.
+
+ %%
+ %% S2S whitelist or blacklist
+ %%
+ %% Default s2s policy for undefined hosts.
+ %%
+ %%{s2s_default_policy, allow}.
+
+ %%
+ %% Allow or deny communication with specific servers.
+ %%
+ %%{{s2s_host, "goodhost.org"}, allow}.
+ %%{{s2s_host, "badhost.org"}, deny}.
+
+ %%
+ %% Outgoing S2S options
+ %%
+ %% Preferred address families (which to try first) and connect timeout
+ %% in milliseconds.
+ %%
+ %%{outgoing_s2s_options, [ipv4, ipv6], 10000}.
+
+
+ %%%. ==============
+ %%%' AUTHENTICATION
+
+ %%
+ %% auth_method: Method used to authenticate the users.
+ %% The default method is the internal.
+ %% If you want to use a different method,
+ %% comment this line and enable the correct ones.
+ %%
+ {auth_method, internal}.
+ %%
+ %% Store the plain passwords or hashed for SCRAM:
+ %%{auth_password_format, plain}.
+ %%{auth_password_format, scram}.
+ %%
+ %% Define the FQDN if ejabberd doesn't detect it:
+ %%{fqdn, "server3.example.com"}.
+
+ %%
+ %% Authentication using external script
+ %% Make sure the script is executable by ejabberd.
+ %%
+ %%{auth_method, external}.
+ %{extauth_program, "$ {ejabberd-auth}"}.
+
+ %%
+ %% Authentication using ODBC
+ %% Remember to setup a database in the next section.
+ %%
+ %%{auth_method, odbc}.
+
+ %%
+ %% Authentication using PAM
+ %%
+ %%{auth_method, pam}.
+ %%{pam_service, "pamservicename"}.
+
+ %%
+ %% Authentication using LDAP
+ %%
+ %%{auth_method, ldap}.
+ %%
+ %% List of LDAP servers:
+ %%{ldap_servers, ["localhost"]}.
+ %%
+ %% Encryption of connection to LDAP servers:
+ %%{ldap_encrypt, none}.
+ %%{ldap_encrypt, tls}.
+ %%
+ %% Port to connect to on LDAP servers:
+ %%{ldap_port, 389}.
+ %%{ldap_port, 636}.
+ %%
+ %% LDAP manager:
+ %%{ldap_rootdn, "dc=example,dc=com"}.
+ %%
+ %% Password of LDAP manager:
+ %%{ldap_password, "******"}.
+ %%
+ %% Search base of LDAP directory:
+ %%{ldap_base, "dc=example,dc=com"}.
+ %%
+ %% LDAP attribute that holds user ID:
+ %%{ldap_uids, [{"mail", "%u@mail.example.org"}]}.
+ %%
+ %% LDAP filter:
+ %%{ldap_filter, "(objectClass=shadowAccount)"}.
+
+ %%
+ %% Anonymous login support:
+ %% auth_method: anonymous
+ %% anonymous_protocol: sasl_anon | login_anon | both
+ %% allow_multiple_connections: true | false
+ %%
+ %%{host_config, "public.example.org", [{auth_method, anonymous},
+ %% {allow_multiple_connections, false},
+ %% {anonymous_protocol, sasl_anon}]}.
+ %%
+ %% To use both anonymous and internal authentication:
+ %%
+ %%{host_config, "public.example.org", [{auth_method, [internal, anonymous]}]}.
+
+
+ %%%. ==============
+ %%%' DATABASE SETUP
+
+ %% ejabberd by default uses the internal Mnesia database,
+ %% so you do not necessarily need this section.
+ %% This section provides configuration examples in case
+ %% you want to use other database backends.
+ %% Please consult the ejabberd Guide for details on database creation.
+
+ %%
+ %% MySQL server:
+ %%
+ %%{odbc_server, {mysql, "server", "database", "username", "password"}}.
+ %%
+ %% If you want to specify the port:
+ %%{odbc_server, {mysql, "server", 1234, "database", "username", "password"}}.
+
+ %%
+ %% PostgreSQL server:
+ %%
+ %%{odbc_server, {pgsql, "server", "database", "username", "password"}}.
+ %%
+ %% If you want to specify the port:
+ %%{odbc_server, {pgsql, "server", 1234, "database", "username", "password"}}.
+ %%
+ %% If you use PostgreSQL, have a large database, and need a
+ %% faster but inexact replacement for "select count(*) from users"
+ %%
+ %%{pgsql_users_number_estimate, true}.
+
+ %%
+ %% ODBC compatible or MSSQL server:
+ %%
+ %%{odbc_server, "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"}.
+
+ %%
+ %% Number of connections to open to the database for each virtual host
+ %%
+ %%{odbc_pool_size, 10}.
+
+ %%
+ %% Interval to make a dummy SQL request to keep the connections to the
+ %% database alive. Specify in seconds: for example 28800 means 8 hours
+ %%
+ %%{odbc_keepalive_interval, undefined}.
+
+
+ %%%. ===============
+ %%%' TRAFFIC SHAPERS
+
+ %%
+ %% The "normal" shaper limits traffic speed to 1000 B/s
+ %%
+ {shaper, normal, {maxrate, 1000}}.
+
+ %%
+ %% The "fast" shaper limits traffic speed to 50000 B/s
+ %%
+ {shaper, fast, {maxrate, 50000}}.
+
+ %%
+ %% This option specifies the maximum number of elements in the queue
+ %% of the FSM. Refer to the documentation for details.
+ %%
+ {max_fsm_queue, 1000}.
+
+
+ %%%. ====================
+ %%%' ACCESS CONTROL LISTS
+
+ %%
+ %% The 'admin' ACL grants administrative privileges to XMPP accounts.
+ %% You can put here as many accounts as you want.
+ %%
+ %%{acl, admin, {user, "aleksey", "localhost"}}.
+ %%{acl, admin, {user, "ermine", "example.org"}}.
+
+ %%
+ %% Blocked users
+ %%
+ %%{acl, blocked, {user, "baduser", "example.org"}}.
+ %%{acl, blocked, {user, "test"}}.
+
+ %%
+ %% Local users: don't modify this line.
+ %%
+ {acl, local, {user_regexp, ""}}.
+
+ %%
+ %% More examples of ACLs
+ %%
+ %%{acl, jabberorg, {server, "jabber.org"}}.
+ %%{acl, aleksey, {user, "aleksey", "jabber.ru"}}.
+ %%{acl, test, {user_regexp, "^test"}}.
+ %%{acl, test, {user_glob, "test*"}}.
+
+ %%
+ %% Define specific ACLs in a virtual host.
+ %%
+ %%{host_config, "localhost",
+ %% [
+ %% {acl, admin, {user, "bob-local", "localhost"}}
+ %% ]
+ %%}.
+
+
+ %%%. ============
+ %%%' ACCESS RULES
+
+ %% Maximum number of simultaneous sessions allowed for a single user:
+ {access, max_user_sessions, [{10, all}]}.
+
+ %% Maximum number of offline messages that users can have:
+ {access, max_user_offline_messages, [{5000, admin}, {100, all}]}.
+
+ %% This rule allows access only for local users:
+ {access, local, [{allow, local}]}.
+
+ %% Only non-blocked users can use c2s connections:
+ {access, c2s, [{deny, blocked},
+ {allow, all}]}.
+
+ %% For C2S connections, all users except admins use the "normal" shaper
+ {access, c2s_shaper, [{none, admin},
+ {normal, all}]}.
+
+ %% All S2S connections use the "fast" shaper
+ {access, s2s_shaper, [{fast, all}]}.
+
+ %% Only admins can send announcement messages:
+ {access, announce, [{allow, admin}]}.
+
+ %% Only admins can use the configuration interface:
+ {access, configure, [{allow, admin}]}.
+
+ %% Admins of this server are also admins of the MUC service:
+ {access, muc_admin, [{allow, admin}]}.
+
+ %% Only accounts of the local ejabberd server can create rooms:
+ {access, muc_create, [{allow, local}]}.
+
+ %% All users are allowed to use the MUC service:
+ {access, muc, [{allow, all}]}.
+
+ %% Only accounts on the local ejabberd server can create Pubsub nodes:
+ {access, pubsub_createnode, [{allow, local}]}.
+
+ %% In-band registration allows registration of any possible username.
+ %% To disable in-band registration, replace 'allow' with 'deny'.
+ {access, register, [{allow, all}]}.
+
+ %% By default the frequency of account registrations from the same IP
+ %% is limited to 1 account every 10 minutes. To disable, specify: infinity
+ %%{registration_timeout, 600}.
+
+ %%
+ %% Define specific Access Rules in a virtual host.
+ %%
+ %%{host_config, "localhost",
+ %% [
+ %% {access, c2s, [{allow, admin}, {deny, all}]},
+ %% {access, register, [{deny, all}]}
+ %% ]
+ %%}.
+
+
+ %%%. ================
+ %%%' DEFAULT LANGUAGE
+
+ %%
+ %% language: Default language used for server messages.
+ %%
+ {language, "en"}.
+
+ %%
+ %% Set a different default language in a virtual host.
+ %%
+ %%{host_config, "localhost",
+ %% [{language, "ru"}]
+ %%}.
+
+
+ %%%. =======
+ %%%' CAPTCHA
+
+ %%
+ %% Full path to a script that generates the image.
+ %%
+ %%{captcha_cmd, "/lib/ejabberd/priv/bin/captcha.sh"}.
+
+ %%
+ %% Host for the URL and port where ejabberd listens for CAPTCHA requests.
+ %%
+ %%{captcha_host, "example.org:5280"}.
+
+ %%
+ %% Limit CAPTCHA calls per minute for JID/IP to avoid DoS.
+ %%
+ %%{captcha_limit, 5}.
+
+ %%%. =======
+ %%%' MODULES
+
+ %%
+ %% Modules enabled in all ejabberd virtual hosts.
+ %%