prosody: brewery mode for jvb/jicofo discovery muc

* prosody: brewery mode for jvb/jicofo discovery muc

* do not include c2s limits in brewery mode

prosody/rootfs/defaults/conf.d/brewery.cfg.lua

@@ -0,0 +1,36 @@
+{{ $REGION_NAME := .Env.PROSODY_REGION_NAME | default "default" -}}
+{{ $RELEASE_NUMBER := .Env.RELEASE_NUMBER | default "" -}}
+{{ $SHARD_NAME := .Env.SHARD | default "default" -}}
+{{ $JVB_XMPP_AUTH_DOMAIN := .Env.JVB_XMPP_AUTH_DOMAIN | default "auth.jvb.meet.jitsi" -}}
+{{ $JVB_XMPP_INTERNAL_MUC_DOMAIN := .Env.JVB_XMPP_INTERNAL_MUC_DOMAIN | default "muc.jvb.meet.jitsi" -}}
+{{ $JVB_AUTH_USER := .Env.JVB_AUTH_USER | default "jvb" -}}
+
+admins = {
+    "focus@{{ $JVB_XMPP_AUTH_DOMAIN }}",
+    "{{ $JVB_AUTH_USER }}@{{ $JVB_XMPP_AUTH_DOMAIN }}"
+}
+
+plugin_paths = { "/prosody-plugins/", "/prosody-plugins-custom" }
+
+VirtualHost "{{ $JVB_XMPP_AUTH_DOMAIN }}"
+    modules_enabled = {
+      "ping";
+    }
+    authentication = "internal_hashed"
+    ssl = {
+        key = "/config/certs/{{ $JVB_XMPP_AUTH_DOMAIN }}.key";
+        certificate = "/config/certs/{{ $JVB_XMPP_AUTH_DOMAIN }}.crt";
+    }
+
+Component "{{ $JVB_XMPP_INTERNAL_MUC_DOMAIN }}" "muc"
+    modules_enabled = {
+      "ping",
+      "muc_hide_all";
+      "muc_filter_access";
+    }
+    storage = "memory"
+    muc_room_cache_size = 10000
+    muc_filter_whitelist="{{ $JVB_XMPP_AUTH_DOMAIN }}"
+    muc_room_locking = false
+    muc_room_default_public_jids = true
+

prosody/rootfs/defaults/prosody.cfg.lua

@@ -99,7 +99,10 @@ modules_enabled = {
 		--"watchregistrations"; -- Alert admins of registrations
 		--"motd"; -- Send a message to users when they log in
 		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
-
+		{{ if eq .Env.PROSODY_MODE "brewery" -}}
+		"firewall"; -- Enable firewalling
+		"secure_interfaces";
+		{{ end -}}
 		{{ if $ENABLE_S2S -}}
 		"s2s_bidi";
 		"certs_s2soutinjection";
@@ -114,6 +117,13 @@ modules_enabled = {
 component_ports = { }
 https_ports = { }
 
+
+{{ if eq .Env.PROSODY_MODE "brewery" -}}
+firewall_scripts = {
+    "/config/rules.d/jvb_muc_presence_filter.pfw";
+};
+{{ end -}}
+
 -- These modules are auto-loaded, but should you want
 -- to disable them then uncomment them here:
 modules_disabled = {
@@ -129,6 +139,7 @@ modules_disabled = {
 -- For more information see http://prosody.im/doc/creating_accounts
 allow_registration = false;
 
+{{ if ne .Env.PROSODY_MODE "brewery" -}}
 -- Enable rate limits for incoming client and server connections
 limits = {
 {{ if ne $PROSODY_C2S_LIMIT "" }}
@@ -142,6 +153,7 @@ limits = {
   };
 {{ end }}
 }
+{{ end -}}
 
 --Prosody garbage collector settings
 --For more information see https://prosody.im/doc/advanced_gc

prosody/rootfs/defaults/rules.d/jvb_muc_presence_filter.pfw

@@ -0,0 +1,13 @@
+{{ $JVB_XMPP_AUTH_DOMAIN := .Env.JVB_XMPP_AUTH_DOMAIN | default "auth.jvb.meet.jitsi" -}}
+{{ $JVB_XMPP_INTERNAL_MUC_DOMAIN := .Env.JVB_XMPP_INTERNAL_MUC_DOMAIN | default "muc.jvb.meet.jitsi" -}}
+{{ $JVB_AUTH_USER := .Env.JVB_AUTH_USER | default "jvb" -}}
+{{ $JVB_BREWERY_MUC := .Env.JVB_BREWERY_MUC | default "jvbbrewery" -}}
+# Drop all presence from a jvb in a MUC to a jvb
+FROM: {{ $JVB_BREWERY_MUC }}@{{ $JVB_XMPP_INTERNAL_MUC_DOMAIN }}
+TO: {{ $JVB_AUTH_USER }}@{{ $JVB_XMPP_AUTH_DOMAIN }}
+KIND: presence
+# Seems safer to allow all "unavailable" to pass
+TYPE: available
+# Allow self-presence (code=110)
+NOT INSPECT: {http://jabber.org/protocol/muc#user}x/status@code=110
+DROP.