New config for bionic

diff --git a/ejabberd.yml b/ejabberd.yml
index fdfcda3c72bde2a4478914b4a6f6c129c968ba52..4794b61e971721bb8147479e4ea8a48343b0c6ef 100644 (file)
--- a/ejabberd.yml
+++ b/ejabberd.yml
@@ -23,7 +23,7 @@
 ###   Example of folded string:
 ###   > Art thou not Romeo,
 ###     and a Montague?
 ###   Example of folded string:
 ###   > Art thou not Romeo,
 ###     and a Montague?

-
+---

 ###.  =======
 ###'  LOGGING
 
 ###.  =======
 ###'  LOGGING
 


@@ -75,7 +75,7 @@ log_rate_limit: 100
 ##
 ## hosts: Domains served by ejabberd.
 ## You can define one or several, for example:
 ##
 ## hosts: Domains served by ejabberd.
 ## You can define one or several, for example:

-## hosts: 
+## hosts:

 ##   - "example.net"
 ##   - "example.com"
 ##   - "example.org"
 ##   - "example.net"
 ##   - "example.com"
 ##   - "example.org"


@@ -90,6 +90,42 @@ hosts:
 ##
 ## route_subdomains: s2s
 
 ##
 ## route_subdomains: s2s
 

+###.  ============
+###'  Certificates
+
+## List all available PEM files containing certificates for your domains,
+## chains of certificates or certificate keys. Full chains will be built
+## automatically by ejabberd.
+##
+certfiles:
+  - "/etc/ejabberd/ejabberd.pem"
+
+## If your system provides only a single CA file (CentOS/FreeBSD):
+## ca_file: "/etc/ssl/certs/ca-bundle.pem"
+
+###.  =================
+###'  TLS configuration
+
+## Note that the following configuration is the default
+## configuration of the TLS driver, so you don't need to
+## uncomment it.
+##
+define_macro:
+  'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
+  'TLS_OPTIONS':
+    - "no_sslv3"
+    - "no_tlsv1"
+    - "cipher_server_preference"
+    - "no_compression"
+  ## 'DH_FILE': "/path/to/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 2048
+
+## c2s_dhfile: 'DH_FILE'
+## s2s_dhfile: 'DH_FILE'
+c2s_ciphers: 'TLS_CIPHERS'
+s2s_ciphers: 'TLS_CIPHERS'
+c2s_protocol_options: 'TLS_OPTIONS'
+s2s_protocol_options: 'TLS_OPTIONS'
+

 ###.  ===============
 ###'  LISTENING PORTS
 
 ###.  ===============
 ###'  LISTENING PORTS
 


@@ -97,47 +133,54 @@ hosts:
 ## listen: The ports ejabberd will listen on, which service each is handled
 ## by and what options to start it with.
 ##
 ## listen: The ports ejabberd will listen on, which service each is handled
 ## by and what options to start it with.
 ##

-listen: 
-  - 
+listen:
+  -

     port: 5222
     ip: "::"
     module: ejabberd_c2s
     port: 5222
     ip: "::"
     module: ejabberd_c2s

-    ##
-    ## If TLS is compiled in and you installed a SSL
-    ## certificate, specify the full path to the
-    ## file and uncomment these lines:
-    ##
-    certfile: "/etc/ejabberd/ejabberd.pem"
-    starttls: true
-    ##
-    ## To enforce TLS encryption for client connections,
-    ## use this instead of the "starttls" option:
-    ##
-    ## starttls_required: true
-    ##
-    ## Custom OpenSSL options
-    ##
-    protocol_options:
-      - "no_sslv3"
-    ##   - "no_tlsv1"
+    starttls_required: true
+    protocol_options: 'TLS_OPTIONS'

     max_stanza_size: 65536
     shaper: c2s_shaper
     access: c2s
     max_stanza_size: 65536
     shaper: c2s_shaper
     access: c2s

-    zlib: true
-    resend_on_timeout: if_offline
-  - 
+  -

     port: 5269
     ip: "::"
     module: ejabberd_s2s_in
     port: 5269
     ip: "::"
     module: ejabberd_s2s_in

+  -
+    port: 5280
+    ip: "::"
+    module: ejabberd_http
+    request_handlers:
+      "/ws": ejabberd_http_ws
+      "/bosh": mod_bosh
+      "/api": mod_http_api
+    ##  "/pub/archive": mod_http_fileserver
+    web_admin: true
+    ## register: true
+    ## captcha: true
+    tls: true
+    protocol_options: 'TLS_OPTIONS'
+

   ##
   ## ejabberd_service: Interact with external components (transports, ...)
   ##
   ##
   ## ejabberd_service: Interact with external components (transports, ...)
   ##

-  ## - 
+  ## -

   ##   port: 8888
   ##   port: 8888

+  ##   ip: "::"

   ##   module: ejabberd_service
   ##   access: all
   ##   shaper_rule: fast
   ##   ip: "127.0.0.1"
   ##   module: ejabberd_service
   ##   access: all
   ##   shaper_rule: fast
   ##   ip: "127.0.0.1"

+  ##   privilege_access:
+  ##      roster: "both"
+  ##      message: "outgoing"
+  ##      presence: "roster"
+  ##   delegations:
+  ##      "urn:xmpp:mam:1":
+  ##        filtering: ["node"]
+  ##      "http://jabber.org/protocol/pubsub":
+  ##        filtering: []

   ##   hosts:
   ##     "icq.example.org":
   ##       password: "secret"
   ##   hosts:
   ##     "icq.example.org":
   ##       password: "secret"


@@ -147,7 +190,7 @@ listen:
   ##
   ## ejabberd_stun: Handles STUN Binding requests
   ##
   ##
   ## ejabberd_stun: Handles STUN Binding requests
   ##

-  ## - 
+  ## -

   ##   port: 3478
   ##   transport: udp
   ##   module: ejabberd_stun
   ##   port: 3478
   ##   transport: udp
   ##   module: ejabberd_stun


@@ -155,23 +198,30 @@ listen:
   ##
   ## To handle XML-RPC requests that provide admin credentials:
   ##
   ##
   ## To handle XML-RPC requests that provide admin credentials:
   ##

-  ## - 
+  ## -

   ##   port: 4560
   ##   port: 4560

+  ##   ip: "::"

   ##   module: ejabberd_xmlrpc
   ##   module: ejabberd_xmlrpc

-  ##   access_commands: {}
-  - 
-    port: 5280
-    ip: "::"
-    module: ejabberd_http
-    request_handlers:
-      "/websocket": ejabberd_http_ws
-    ##  "/pub/archive": mod_http_fileserver
-    web_admin: true
-    http_bind: true
-    ## register: true
-    captcha: true
-    tls: true
-    certfile: "/etc/ejabberd/ejabberd.pem"
+  ##   maxsessions: 10
+  ##   timeout: 5000
+  ##   access_commands:
+  ##     admin:
+  ##       commands: all
+  ##       options: []
+
+  ##
+  ## To enable secure http upload
+  ##
+  ## -
+  ##   port: 5444
+  ##   ip: "::"
+  ##   module: ejabberd_http
+  ##   request_handlers:
+  ##     "": mod_http_upload
+  ##   tls: true
+  ##   protocol_options: 'TLS_OPTIONS'
+  ##   dhfile: 'DH_FILE'
+  ##   ciphers: 'TLS_CIPHERS'

 
 ## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
 ## password storage (see auth_password_format option).
 
 ## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
 ## password storage (see auth_password_format option).


@@ -181,31 +231,11 @@ disable_sasl_mechanisms: "digest-md5"
 ###'  S2S GLOBAL OPTIONS
 
 ##
 ###'  S2S GLOBAL OPTIONS
 
 ##

-## s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
-## Allowed values are: false optional required required_trusted
-## You must specify a certificate file.
-##
-s2s_use_starttls: optional
-
-##
-## s2s_certfile: Specify a certificate file.
-##
-s2s_certfile: "/etc/ejabberd/ejabberd.pem"
-
-## Custom OpenSSL options
-##
-s2s_protocol_options:
-  - "no_sslv3"
-##   - "no_tlsv1"
-
-##
-## domain_certfile: Specify a different certificate for each served hostname.
+## s2s_use_starttls: Enable STARTTLS for S2S connections.
+## Allowed values are: false, optional or required
+## You must specify 'certfiles' option

 ##
 ##

-## host_config:
-##   "example.org":
-##     domain_certfile: "/path/to/example_org.pem"
-##   "example.com":
-##     domain_certfile: "/path/to/example_com.pem"
+s2s_use_starttls: required

 
 ##
 ## S2S whitelist or blacklist
 
 ##
 ## S2S whitelist or blacklist


@@ -218,12 +248,12 @@ s2s_protocol_options:
 ## Outgoing S2S options
 ##
 ## Preferred address families (which to try first) and connect timeout
 ## Outgoing S2S options
 ##
 ## Preferred address families (which to try first) and connect timeout

-## in milliseconds.
+## in seconds.

 ##
 ## outgoing_s2s_families:
 ##   - ipv4
 ##   - ipv6
 ##
 ## outgoing_s2s_families:
 ##   - ipv4
 ##   - ipv6

-## outgoing_s2s_timeout: 10000
+## outgoing_s2s_timeout: 190

 
 ###.  ==============
 ###'  AUTHENTICATION
 
 ###.  ==============
 ###'  AUTHENTICATION


@@ -252,10 +282,10 @@ auth_password_format: scram
 ## extauth_program: "/path/to/authentication/script"
 
 ##
 ## extauth_program: "/path/to/authentication/script"
 
 ##

-## Authentication using ODBC
+## Authentication using SQL

 ## Remember to setup a database in the next section.
 ##
 ## Remember to setup a database in the next section.
 ##

-## auth_method: odbc
+## auth_method: sql

 
 ##
 ## Authentication using PAM
 
 ##
 ## Authentication using PAM


@@ -328,26 +358,26 @@ auth_password_format: scram
 ##
 ## MySQL server:
 ##
 ##
 ## MySQL server:
 ##

-## odbc_type: mysql
-## odbc_server: "server"
-## odbc_database: "database"
-## odbc_username: "username"
-## odbc_password: "password"
+## sql_type: mysql
+## sql_server: "server"
+## sql_database: "database"
+## sql_username: "username"
+## sql_password: "password"

 ##
 ## If you want to specify the port:
 ##
 ## If you want to specify the port:

-## odbc_port: 1234
+## sql_port: 1234

 
 ##
 ## PostgreSQL server:
 ##
 
 ##
 ## PostgreSQL server:
 ##

-## odbc_type: pgsql
-## odbc_server: "server"
-## odbc_database: "database"
-## odbc_username: "username"
-## odbc_password: "password"
+## sql_type: pgsql
+## sql_server: "server"
+## sql_database: "database"
+## sql_username: "username"
+## sql_password: "password"

 ##
 ## If you want to specify the port:
 ##
 ## If you want to specify the port:

-## odbc_port: 1234
+## sql_port: 1234

 ##
 ## If you use PostgreSQL, have a large database, and need a
 ## faster but inexact replacement for "select count(*) from users"
 ##
 ## If you use PostgreSQL, have a large database, and need a
 ## faster but inexact replacement for "select count(*) from users"


@@ -357,25 +387,25 @@ auth_password_format: scram
 ##
 ## SQLite:
 ##
 ##
 ## SQLite:
 ##

-## odbc_type: sqlite
-## odbc_database: "/path/to/database.db"
+## sql_type: sqlite
+## sql_database: "/path/to/database.db"

 
 ##
 ## ODBC compatible or MSSQL server:
 ##
 
 ##
 ## ODBC compatible or MSSQL server:
 ##

-## odbc_type: odbc
-## odbc_server: "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"
+## sql_type: odbc
+## sql_server: "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"

 
 ##
 ## Number of connections to open to the database for each virtual host
 ##
 
 ##
 ## Number of connections to open to the database for each virtual host
 ##

-## odbc_pool_size: 10
+## sql_pool_size: 10

 
 ##
 ## Interval to make a dummy SQL request to keep the connections to the
 ## database alive. Specify in seconds: for example 28800 means 8 hours
 ##
 
 ##
 ## Interval to make a dummy SQL request to keep the connections to the
 ## database alive. Specify in seconds: for example 28800 means 8 hours
 ##

-## odbc_keepalive_interval: undefined
+## sql_keepalive_interval: undefined

 
 ###.  ===============
 ###'  TRAFFIC SHAPERS
 
 ###.  ===============
 ###'  TRAFFIC SHAPERS


@@ -395,7 +425,7 @@ shaper:
 ## This option specifies the maximum number of elements in the queue
 ## of the FSM. Refer to the documentation for details.
 ##
 ## This option specifies the maximum number of elements in the queue
 ## of the FSM. Refer to the documentation for details.
 ##

-max_fsm_queue: 1000
+max_fsm_queue: 10000

 
 ###.   ====================
 ###'   ACCESS CONTROL LISTS
 
 ###.   ====================
 ###'   ACCESS CONTROL LISTS


@@ -406,19 +436,19 @@ acl:
   ##
   admin:
      user:
   ##
   admin:
      user:

-         - "": "localhost"
+       - ""

 
   ##
   ## Blocked users
   ##
   ## blocked:
   ##   user:
 
   ##
   ## Blocked users
   ##
   ## blocked:
   ##   user:

-  ##     - "baduser": "example.org"
+  ##     - "baduser@example.org"

   ##     - "test"
 
   ## Local users: don't modify this.
   ##
   ##     - "test"
 
   ## Local users: don't modify this.
   ##

-  local: 
+  local:

     user_regexp: ""
 
   ##
     user_regexp: ""
 
   ##


@@ -429,7 +459,7 @@ acl:
   ##     - "jabber.org"
   ## aleksey:
   ##   user:
   ##     - "jabber.org"
   ## aleksey:
   ##   user:

-  ##     - "aleksey": "jabber.ru"
+  ##     - "aleksey@jabber.ru"

   ## test:
   ##   user_regexp: "^test"
   ##   user_glob: "test*"
   ## test:
   ##   user_regexp: "^test"
   ##   user_glob: "test*"


@@ -440,6 +470,8 @@ acl:
   loopback:
     ip:
       - "127.0.0.0/8"
   loopback:
     ip:
       - "127.0.0.0/8"

+      - "::1/128"
+      - "::FFFF:127.0.0.1/128"

 
   ##
   ## Bad XMPP servers
 
   ##
   ## Bad XMPP servers


@@ -457,66 +489,114 @@ acl:
 ##     acl:
 ##       admin:
 ##         user:
 ##     acl:
 ##       admin:
 ##         user:

-##           - "bob-local": "localhost"
+##           - "bob-local@localhost"

 
 ###.  ============
 
 ###.  ============

-###'  ACCESS RULES
-access:
+###'  SHAPER RULES
+
+shaper_rules:

   ## Maximum number of simultaneous sessions allowed for a single user:
   ## Maximum number of simultaneous sessions allowed for a single user:

-  max_user_sessions: 
-    all: 10
+  max_user_sessions: 10

   ## Maximum number of offline messages that users can have:
   ## Maximum number of offline messages that users can have:

-  max_user_offline_messages: 
-    admin: 5000
-    all: 100
-  ## This rule allows access only for local users:
-  local: 
-    local: allow
-  ## Only non-blocked users can use c2s connections:
-  c2s: 
-    blocked: deny
-    all: allow
+  max_user_offline_messages:
+    - 5000: admin
+    - 100

   ## For C2S connections, all users except admins use the "normal" shaper
   ## For C2S connections, all users except admins use the "normal" shaper

-  c2s_shaper: 
-    admin: none
-    all: normal
+  c2s_shaper:
+    - none: admin
+    - normal

   ## All S2S connections use the "fast" shaper
   ## All S2S connections use the "fast" shaper

-  s2s_shaper: 
-    all: fast
+  s2s_shaper: fast
+
+###.  ============
+###'  ACCESS RULES
+access_rules:
+  ## This rule allows access only for local users:
+  local:
+    - allow: local
+  ## Only non-blocked users can use c2s connections:
+  c2s:
+    - deny: blocked
+    - allow

   ## Only admins can send announcement messages:
   ## Only admins can send announcement messages:

-  announce: 
-    admin: allow
+  announce:
+    - allow: admin

   ## Only admins can use the configuration interface:
   ## Only admins can use the configuration interface:

-  configure: 
-    admin: allow
-  ## Admins of this server are also admins of the MUC service:
-  muc_admin: 
-    admin: allow
+  configure:
+    - allow: admin

   ## Only accounts of the local ejabberd server can create rooms:
   ## Only accounts of the local ejabberd server can create rooms:

-  muc_create: 
-    local: allow
-  ## All users are allowed to use the MUC service:
-  muc: 
-    all: allow
+  muc_create:
+    - allow: local

   ## Only accounts on the local ejabberd server can create Pubsub nodes:
   ## Only accounts on the local ejabberd server can create Pubsub nodes:

-  pubsub_createnode: 
-    local: allow
+  pubsub_createnode:
+    - allow: local

   ## In-band registration allows registration of any possible username.
   ## To disable in-band registration, replace 'allow' with 'deny'.
   ## In-band registration allows registration of any possible username.
   ## To disable in-band registration, replace 'allow' with 'deny'.

-  register: 
-    all: allow
+  register:
+    - allow

   ## Only allow to register from localhost
   ## Only allow to register from localhost

-  trusted_network: 
-    loopback: allow
-  ## Do not establish S2S connections with bad servers
-  ## s2s: 
-  ##   bad_servers: deny
-  ##   all: allow
+  trusted_network:
+    - allow: loopback
+    ## Do not establish S2S connections with bad servers
+    ## If you enable this you also have to uncomment "s2s_access: s2s"
+    ## s2s:
+    ##   - deny:
+    ##     - ip: "XXX.XXX.XXX.XXX/32"
+    ##   - deny:
+    ##     - ip: "XXX.XXX.XXX.XXX/32"
+    ##   - allow
+
+## ===============
+## API PERMISSIONS
+## ===============
+##
+## This section allows you to define who and using what method
+## can execute commands offered by ejabberd.
+##
+## By default "console commands" section allow executing all commands
+## issued using ejabberdctl command, and "admin access" section allows
+## users in admin acl that connect from 127.0.0.1 to  execute all
+## commands except start and stop with any available access method
+## (ejabberdctl, http-api, xmlrpc depending what is enabled on server).
+##
+## If you remove "console commands" there will be one added by
+## default allowing executing all commands, but if you just change
+## permissions in it, version from config file will be used instead
+## of default one.
+##
+api_permissions:
+  "console commands":
+    from:
+      - ejabberd_ctl
+    who: all
+    what: "*"
+  "admin access":
+    who:
+      - access:
+        - allow:
+          - acl: loopback
+          - acl: admin
+      - oauth:
+        - scope: "ejabberd:admin"
+        - access:
+          - allow:
+            - acl: loopback
+            - acl: admin
+    what:
+      - "*"
+      - "!stop"
+      - "!start"
+  "public commands":
+    who:
+      - ip: "127.0.0.1/8"
+    what:
+      - "status"
+      - "connected_users_number"

 
 ## By default the frequency of account registrations from the same IP
 ## is limited to 1 account every 10 minutes. To disable, specify: infinity
 ## registration_timeout: 600
 
 ## By default the frequency of account registrations from the same IP
 ## is limited to 1 account every 10 minutes. To disable, specify: infinity
 ## registration_timeout: 600

-  
+

 ##
 ## Define specific Access Rules in a virtual host.
 ##
 ##
 ## Define specific Access Rules in a virtual host.
 ##


@@ -524,10 +604,10 @@ access:
 ##   "localhost":
 ##     access:
 ##       c2s:
 ##   "localhost":
 ##     access:
 ##       c2s:

-##         admin: allow
-##         all: deny
+##         - allow: admin
+##         - deny

 ##       register:
 ##       register:

-##         all: deny
+##         - deny

 
 ###.  ================
 ###'  DEFAULT LANGUAGE
 
 ###.  ================
 ###'  DEFAULT LANGUAGE


@@ -562,40 +642,83 @@ language: "en"
 ##
 ## captcha_limit: 5
 
 ##
 ## captcha_limit: 5
 

+###.  ====
+###'  ACME
+##
+## In order to use the acme certificate acquiring through "Let's Encrypt"
+## an http listener has to be configured to listen to port 80 so that
+## the authorization challenges posed by "Let's Encrypt" can be solved.
+##
+## A simple way of doing this would be to add the following in the listening
+## section and to configure port forwarding from 80 to 5281 either via NAT
+## (for ipv4 only) or using frontends such as haproxy/nginx/sslh/etc.
+##   -
+##    port: 5281
+##    ip: "::"
+##    module: ejabberd_http
+
+acme:
+
+  ## A contact mail that the ACME Certificate Authority can contact in case of
+  ## an authorization issue, such as a server-initiated certificate revocation.
+  ## It is not mandatory to provide an email address but it is highly suggested.
+  contact: "mailto:example-admin@example.com"
+
+
+  ## The ACME Certificate Authority URL.
+  ## This could either be:
+  ##   - https://acme-v01.api.letsencrypt.org - (Default) for the production CA
+  ##   - https://acme-staging.api.letsencrypt.org - for the staging CA
+  ##   - http://localhost:4000 - for a local version of the CA
+  ca_url: "https://acme-v01.api.letsencrypt.org"
+

 ###.  =======
 ###'  MODULES
 
 ##
 ## Modules enabled in all ejabberd virtual hosts.
 ##
 ###.  =======
 ###'  MODULES
 
 ##
 ## Modules enabled in all ejabberd virtual hosts.
 ##

-modules: 
+modules:

   mod_adhoc: {}
   mod_admin_extra: {}
   mod_adhoc: {}
   mod_admin_extra: {}

-  mod_announce: # recommends mod_adhoc
+  mod_announce:   # recommends mod_adhoc

     access: announce
     access: announce

-  mod_blocking: {} # requires mod_privacy
+  mod_blocking: {}   # requires mod_privacy

   mod_caps: {}
   mod_carboncopy: {}
   mod_client_state: {}
   mod_caps: {}
   mod_carboncopy: {}
   mod_client_state: {}

-  mod_configure: {} # requires mod_adhoc
+  mod_configure: {}   # requires mod_adhoc
+  ## mod_delegation: {}   # for xep0356

   mod_disco: {}
   mod_echo: {}
   mod_irc: {}
   mod_disco: {}
   mod_echo: {}
   mod_irc: {}

-  mod_http_bind: {}
+  mod_bosh: {}

   ## mod_http_fileserver:
   ##   docroot: "/var/www"
   ##   accesslog: "/var/log/ejabberd/access.log"
   ## mod_http_fileserver:
   ##   docroot: "/var/www"
   ##   accesslog: "/var/log/ejabberd/access.log"

+  ## mod_http_upload:
+  ##   # docroot: "@HOME@/upload"
+  ##   put_url: "https://@HOST@:5444"
+  ##   thumbnail: false # otherwise needs the identify command from ImageMagick installed
+  ## mod_http_upload_quota:
+  ##   max_days: 30

   mod_last: {}
   mod_last: {}

-  mod_muc: 
+  ## XEP-0313: Message Archive Management
+  ## You might want to setup a SQL backend for MAM because the mnesia database is
+  ## limited to 2GB which might be exceeded on large servers
+  ## mod_mam: {} # for xep0313, mnesia is limited to 2GB, better use an SQL backend
+  mod_muc:

     ## host: "conference.@HOST@"
     ## host: "conference.@HOST@"

-    access: muc
+    access:
+      - allow
+    access_admin:
+      - allow: admin

     access_create: muc_create
     access_persistent: muc_create
     access_create: muc_create
     access_persistent: muc_create

-    access_admin: muc_admin
-  ## mod_muc_log: {}

   mod_muc_admin: {}
   mod_muc_admin: {}

+  ## mod_muc_log: {}

   ## mod_multicast: {}
   ## mod_multicast: {}

-  mod_offline: 
+  mod_offline:

     access_max_user_messages: max_user_offline_messages
   mod_ping: {}
   ## mod_pres_counter:
     access_max_user_messages: max_user_offline_messages
   mod_ping: {}
   ## mod_pres_counter:


@@ -604,63 +727,78 @@ modules:
   mod_privacy: {}
   mod_private: {}
   ## mod_proxy65: {}
   mod_privacy: {}
   mod_private: {}
   ## mod_proxy65: {}

-  mod_pubsub: 
+  mod_pubsub:

     access_createnode: pubsub_createnode
     ## reduces resource comsumption, but XEP incompliant
     ignore_pep_from_offline: true
     ## XEP compliant, but increases resource comsumption
     ## ignore_pep_from_offline: false
     last_item_cache: false
     access_createnode: pubsub_createnode
     ## reduces resource comsumption, but XEP incompliant
     ignore_pep_from_offline: true
     ## XEP compliant, but increases resource comsumption
     ## ignore_pep_from_offline: false
     last_item_cache: false

-    plugins: 
+    plugins:

       - "flat"
       - "hometree"
       - "flat"
       - "hometree"

-      - "pep" # pep requires mod_caps
-  mod_register: 
-    ##
-    ## Protect In-Band account registrations with CAPTCHA.
-    ##
-    ## captcha_protected: true
-
-    ##
-    ## Set the minimum informational entropy for passwords.
-    ##
-    ## password_strength: 32
-
-    ##
-    ## After successful registration, the user receives
-    ## a message with this subject and body.
-    ##
-    welcome_message: 
-      subject: "Welcome!"
-      body: |-
-        Hi.
-        Welcome to this XMPP server.
-
-    ##
-    ## When a user registers, send a notification to
-    ## these XMPP accounts.
-    ##
-    ## registration_watchers:
-    ##   - "admin1@example.org"
-
-    ##
-    ## Only clients in the server machine can register accounts
-    ##
-    ip_access: trusted_network
-
-    ##
-    ## Local c2s or remote s2s users cannot register accounts
-    ##
-    ## access_from: deny
-
-    access: register
-  mod_roster: {}
+      - "pep"   # pep requires mod_caps
+  mod_push: {}
+  mod_push_keepalive: {}
+  ## mod_register:
+  ##
+  ## Protect In-Band account registrations with CAPTCHA.
+  ##
+  ##   captcha_protected: true
+  ##
+  ## Set the minimum informational entropy for passwords.
+  ##
+  ##   password_strength: 32
+  ##
+  ## After successful registration, the user receives
+  ## a message with this subject and body.
+  ##
+  ##   welcome_message:
+  ##     subject: "Welcome!"
+  ##     body: |-
+  ##       Hi.
+  ##       Welcome to this XMPP server.
+  ##
+  ## When a user registers, send a notification to
+  ## these XMPP accounts.
+  ##
+  ##   registration_watchers:
+  ##     - "admin1@example.org"
+  ##
+  ## Only clients in the server machine can register accounts
+  ##
+  ##   ip_access: trusted_network
+  ##
+  ## Local c2s or remote s2s users cannot register accounts
+  ##
+  ##   access_from: deny
+  ##   access: register
+  mod_roster:
+    versioning: true

   mod_shared_roster: {}
   mod_stats: {}
   mod_time: {}
   mod_vcard:
     search: false
   mod_shared_roster: {}
   mod_stats: {}
   mod_time: {}
   mod_vcard:
     search: false

+  mod_vcard_xupdate: {}
+  ## Convert all avatars posted by Android clients from WebP to JPEG
+  ## mod_avatar:  # this module needs compile option --enable-graphics
+  ##   convert:
+  ##     webp: jpeg

   mod_version: {}
   mod_version: {}

+  mod_stream_mgmt:
+    resend_on_timeout: if_offline
+  ##   Non-SASL Authentication (XEP-0078) is now disabled by default
+  ##   because it's obsoleted and is used mostly by abandoned
+  ##   client software
+  ## mod_legacy_auth: {}
+  ##   The module for S2S dialback (XEP-0220). Please note that you cannot
+  ##   rely solely on dialback if you want to federate with other servers,
+  ##   because a lot of servers have dialback disabled and instead rely on
+  ##   PKIX authentication. Make sure you have proper certificates installed
+  ##   and check your accessibility at https://check.messaging.one/
+  mod_s2s_dialback: {}
+  mod_http_api: {}

 
 ##
 ## Enable modules with custom options in a specific virtual host
 
 ##
 ## Enable modules with custom options in a specific virtual host