Harden security

utilities/prosody/prosody.cfg.lua

@@ -1,9 +1,19 @@
+local env = os.getenv
+local domain = env("DOMAIN") or "example.com"
+local xmpp_component = env("XMPP_JID") or ("jews." .. domain)
+local share_host = env("XMPP_SHARE_HOST") or ("share." .. domain)
+local xmpp_secret = env("XMPP_SECRET") or ""
+
+if xmpp_secret == "" then
+  error("XMPP_SECRET is required for Prosody component authentication")
+end
+
 sasl_mechanisms = { "PLAIN", "SCRAM-SHA-1", "SCRAM-SHA-256" }
 
 daemonize = false
 pidfile = "/run/prosody/prosody.pid"
 
-admins = { "mm@zm.is" }
+admins = { env("XMPP_ADMIN_JID") or ("admin@" .. domain) }
 
 modules_enabled = {
   "disco";
@@ -59,16 +69,16 @@ certificates = "certs"
 component_ports = { 8888 }
 component_interfaces = { "0.0.0.0" }
 
-VirtualHost "zm.is"
+VirtualHost domain
   authentication = "external_insecure"
   external_auth_command = "/code/utilities/prosody/auth_django.sh"
   certificate = "/etc/prosody/certs/cert.pem"
 
-Component "jews.zm.is"
-  component_secret = "REepvw+QeX3ZzfmRSbBMKQhyiPd5bFowesnYuiiYbiYy2ZQVXvayxmsB"
+Component xmpp_component
+  component_secret = xmpp_secret
 
-Component "share.zm.is" "http_file_share"
+Component share_host "http_file_share"
 
 http_ports = { 5280 }
 http_interfaces = { "0.0.0.0", "::" }
-http_external_url = "https://share.zm.is/"
+http_external_url = "https://" .. share_host .. "/"