let's start with the template files

4 files changed, 344 insertions, 0 deletions

diff --git a/etc/nginx/sites-enabled/chat.exemple.fr.conf b/etc/nginx/sites-enabled/chat.exemple.fr.conf
new file mode 100644
index 0000000..bc3f462
--- /dev/null
+++ b/etc/nginx/sites-enabled/chat.exemple.fr.conf
@@ -0,0 +1,96 @@
+server {
+    listen 80;
+    server_name chat.exemple.fr;
+
+    location / {
+        return 301 https://$host$uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    ssl_certificate /etc/letsencrypt/live/chat.exemple.fr/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/chat.exemple.fr/privkey.pem;
+
+    root /var/www/chat.exemple.fr;
+    index index.html;
+
+    # XMPP BOSH
+    location ^~ /http-bind {
+        proxy_pass https://exemple.fr:5281/http-bind;
+        proxy_http_version 1.1;
+        proxy_set_header Host exemple.fr;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_buffering off;
+        tcp_nodelay on; 
+    }
+
+    # XMPP HTTP-Upload
+    location ^~ /upload {
+        proxy_pass https://f.exemple.fr; proxy_http_version 1.1;
+        proxy_set_header Host exemple.fr;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_buffering off;
+        tcp_nodelay on; 
+    }
+
+    # XMPP Websockets
+    location /xmpp-websocket {
+        proxy_pass http://exemple.fr:5280/xmpp-websocket;
+        proxy_http_version 1.1;
+        proxy_buffering off;
+        proxy_set_header Connection "Upgrade";
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 900s;
+    }
+
+    # XMPP Account invite
+    location ^~ /invite {
+        proxy_pass https://exemple.fr:5281/invite;
+        proxy_http_version 1.1;
+        proxy_set_header Host exemple.fr;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_buffering off;
+        tcp_nodelay on; 
+    }
+
+    # XMPP account register
+    location ^~ /register {
+        proxy_pass https://exemple.fr:5281/register;
+        proxy_http_version 1.1;
+        proxy_set_header Host exemple.fr;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_buffering off;
+        tcp_nodelay on; 
+    }
+
+    # sur mon vps debian j'ai eu besoin de ça pour
+    # que les pages d'invitation soit bien
+    # formatées
+    location = /share/bootstrap4/css/bootstrap.min.css {
+        alias /usr/lib/nodejs/bootstrap/dist/css/bootstrap.min.css; 
+    }
+
+    location = /share/jquery/jquery.min.js {
+        alias /usr/lib/nodejs/jquery/dist/jquery.min.js;
+    }
+
+    location = /share/bootstrap4/js/bootstrap.min.js {
+        alias /usr/lib/nodejs/bootstrap/dist/js/bootstrap.min.js;
+    }
+
+}
diff --git a/etc/nginx/sites-enabled/exemple.fr.conf b/etc/nginx/sites-enabled/exemple.fr.conf
new file mode 100644
index 0000000..29daea1
--- /dev/null
+++ b/etc/nginx/sites-enabled/exemple.fr.conf
@@ -0,0 +1,15 @@
+server {
+    listen 80;
+    server_name exemple.fr;
+
+    location / {
+        return 301 https://$host$uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_nam  exemple.fr;
+    ssl_certificate /etc/letsencrypt/live/exemple.fr/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/exemple.fr/privkey.pem;
+}
diff --git a/etc/nginx/sites-enabled/f.exemple.fr.conf b/etc/nginx/sites-enabled/f.exemple.fr.conf
new file mode 100644
index 0000000..6e31a5c
--- /dev/null
+++ b/etc/nginx/sites-enabled/f.exemple.fr.conf
@@ -0,0 +1,37 @@
+perl_modules /usr/local/lib/perl; # Path to upload.pm.
+perl_require upload.pm;
+
+server {
+    listen 80;
+    server_name f.exemple.fr;
+    location / {
+        return 301 https://$host$request_uri;   
+    }
+}
+
+server {
+    # Specify directives such as "listen", "server_name", and TLS-related
+    # settings for the "server" that handles the uploads. 
+    listen 443 ssl http2;
+    server_name f.exemple.fr;
+    ssl_certificate /etc/letsencrypt/live/f.exemple.fr/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/f.exemple.fr/privkey.pem; 
+
+
+    # Uploaded files will be stored below the "root" directory. To minimize
+    # disk I/O, make sure the specified path is on the same file system as
+    # the directory used by Nginx to store temporary files holding request
+    # bodies ("client_body_temp_path", often some directory below /var).
+
+    root /var/www/upload;
+    index index.html;
+
+    # Specify this "location" block (if you don't use "/", see below):
+    location / {
+        perl upload::handle;
+    }
+
+    # Upload file size limit (default: 1m), also specified in your XMPP
+    # server's upload module configuration (see below):
+    client_max_body_size 100m;
+}
diff --git a/etc/prosody.cfg.lua b/etc/prosody.cfg.lua
new file mode 100644
index 0000000..ced3f74
--- /dev/null
+++ b/etc/prosody.cfg.lua
@@ -0,0 +1,196 @@
+admins = { "vous@exemple.fr" }
+
+-- For more information see: https://prosody.im/doc/libevent
+-- use_libevent = true
+
+plugin_paths = { "/usr/lib/prosody/modules" }
+
+modules_enabled = {
+
+    -- Generally required
+    "roster"; -- Allow users to have a roster. Recommended ;)
+    "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
+    "tls"; -- Add support for secure TLS on c2s/s2s connections
+    "dialback"; -- s2s dialback support
+    "disco"; -- Service discovery
+
+    -- Not essential, but recommended
+    "carbons"; -- Keep multiple clients in sync
+    "carbons_copies";
+    "carbons_copies_adhoc";
+    "pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
+    "private"; -- Private XML storage (for room bookmarks, etc.)
+    "blocklist"; -- Allow users to block communications with other users
+    "vcard4"; -- User profiles (stored in PEP)
+    "vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard
+    "smacks";
+    "bookmarks"; -- vieux module mais compatible avec la
+    -- majorité des clients XMPP contrairement
+    -- à bookmarks2
+    --"bookmarks2";
+    "presence"; -- voir l'état de l'utilisateur (en ligne, hors
+    -- ligne, etc...)
+    "offline";
+
+    -- Nice to have
+    "version"; -- Replies to server version requests
+    "uptime"; -- Report how long server has been running
+    "time"; -- Let others know the time here on this server
+    "ping"; -- Replies to XMPP pings with pongs
+    "register"; -- Allow users to register on this server using a client and change passwords
+    "mam"; -- Store messages in an archive and allow users to access it
+    "csi";
+    "csi_simple"; -- Simple Mobile optimizations
+    "csi_battery_saver";
+    "vjud"; -- recherche d'utilisateurs dans les salons
+
+    -- Admin interfaces
+    "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
+
+    -- HTTP modules
+    "bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+    "websocket"; -- XMPP over WebSockets
+
+    -- Other specific functionality
+    "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
+    "limits"; -- Enable bandwidth limiting for XMPP connections
+    "groups"; -- Shared roster support
+    "server_contact_info"; -- Publish contact information for this service
+    "announce"; -- Send announcement to all online users
+    "welcome"; -- Welcome users who register accounts
+    "watchregistrations"; -- Alert admins of registrations
+    "motd"; -- Send a message to users when they log in
+    --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+    --"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
+    }
+
+    -- These modules are auto-loaded, but should you want
+    -- to disable them then uncomment them here:
+    modules_disabled = {
+    -- "offline"; -- Store offline messages
+    -- "c2s"; -- Handle client connections
+    -- "s2s"; -- Handle server-to-server connections
+}
+
+motd_text = [[Bonjour à tous ! Bienvenue sur mon serveur XMPP. Clavardez heureux !]]
+welcome_message = "C'est ta première connexion, $username. Bienvenue à toi."
+
+daemonize = false;
+pidfile = "/run/prosody/prosody.pid";
+trusted_proxies = { "127.0.0.1", "::1" }
+
+-- Force certificate authentication for server-to-server connections
+c2s_require_encryption = true -- chiffrement requis pour connexion client à serveur
+s2s_require_encryption = true -- chiffrement requis pour connexion entre serveurs
+s2s_secure_auth = true 
+authentication = "internal_hashed"
+
+-- mam settings
+archive_expires_after = "never" -- historique permanent des chats
+
+log = {
+    -- Log files (change 'info' to 'debug' for debug logs):
+    info = "/var/log/prosody/prosody.log";
+    error = "/var/log/prosody/prosody.err";
+    -- Syslog:
+    { levels = { "error" }; to = "syslog";  };
+}
+
+-- http and certificate shenanigans
+certificates = "certs"
+
+-- Include "conf.d/*.cfg.lua"
+
+legacy_ssl_ports =  { 5223 }
+-- http_ports =  { 5280 }
+-- http_interface = { "*" }
+-- https_ports = { 5281 }
+-- https_interfaces { "*" }
+
+
+cross_domain_bosh = { "https://chat.exemple.fr" }
+cross_domain_websocket = { "https://chat.exemple.fr" }
+consider_bosh_secure = true
+consider_websocket_secure = true
+allow_registration = true -- nécessaire pour mod_invites
+registration_invite_only = true -- inscription autorisé seulement avec les invitations
+vjud_mode = "opt-in" -- l'utilisateur doit consentir pour que la recherche vjud 
+-- le fasse remonter dans les résultats.
+
+-- https://prosody.im/security/advisory_20210512/
+gc = {
+    speed = 500;
+}
+c2s_stanza_size_limit = 256 * 1024
+s2s_stanza_size_limit = 512 * 1024
+
+limits = {
+    c2s = {
+        rate = "10kb/s";
+    };
+    s2sin = {
+        rate = "3kb/s";
+    };
+}
+-- https://prosody.im/security/advisory_20210512/
+
+ssl = { 
+    key = "certs/exemple.fr.key";
+    certificate = "certs/exemple.fr.crt";
+}
+
+VirtualHost "exemple.fr"
+    invites_page = "https://chat.exemple.fr/invite?{invite.token}"
+    webchat_url = "https://chat.exemple.fr/"
+    http_external_url = "https://chat.exemple.fr/"
+    invite_expiry = 86400 * 7 -- 7 jours avant qu'un lien d'invitation expire
+    http_paths = {
+        invites_page = "/invite";
+        invites_register_web = "/register";
+    }
+
+    modules_enabled = {
+        "invites";
+        "invites_adhoc";
+        "invites_page";
+        "invites_register";
+        "invites_register_web";
+        "http_libjs";
+    }
+
+    contact_info = {
+        abuse = { "mailto:vous@exemple.fr", "xmpp:vous@exemple.fr" };
+        admin = { "mailto:vous@exemple.fr", "xmpp:vous@exemple.fr" };
+        security = { "mailto:vous@exemple.fr", "xmpp:vous@exemple.fr" };
+        support = { "mailto:vous@exemple.fr", "xmpp:vous@exemple.fr" };
+    };
+
+    https_certificate = "certs/exemple.fr.crt";
+        ssl = { 
+        key = "certs/exemple.fr.key";
+        certificate = "certs/exemple.fr.crt";
+    }
+
+    Component "f.exemple.fr" "http_upload_external"
+        http_upload_external_base_url = "https://f.exemple.fr/"
+        http_upload_external_secret = "its-a-secret"
+        http_upload_external_file_size_limit = 104857600 -- limite de à 100Mo pour les envois de pjs
+        ssl = { 
+            key = "certs/f.exemple.fr.key";
+            certificate = "certs/f.exemple.fr.crt";
+        }
+
+    Component "salons.exemple.fr" "muc"
+        name = "Salons (chatrooms) chez exemple.fr"
+        modules_enabled = { "muc_mam", "vcard_muc" }
+        muc_room_default_language = "fr"
+        muc_log_expires_after = "never" -- histo permanent des groupes de
+        -- chats
+        log_all_rooms = true
+        muc_log_by_default = true
+        muc_log_presences = false
+        restrict_room_creation = "admin" -- seul l'admin peut créer des salons
+            ssl = { 
+            key = "certs/salons.exemple.fr.key";
+            certificate = "certs/salons.exemple.fr.crt";
+        }