feat: Add allowed_remote_server_names

This allows explicitly allowing servers. Can be
combined with the opposite to create allowlist-only
federation.

See also #31

Closes #673

src/core/config/mod.rs

@@ -1383,12 +1383,24 @@ pub struct Config {
 	///
 	/// Basically "global" ACLs.
 	///
+	/// You can set this to ["*"] to block all servers by default, and then
+	/// use `allowed_remote_server_names` to allow only specific servers.
+	///
 	/// example: ["badserver\.tld$", "badphrase", "19dollarfortnitecards"]
 	///
 	/// default: []
 	#[serde(default, with = "serde_regex")]
 	pub forbidden_remote_server_names: RegexSet,
 
+	/// List of allowed server names via regex patterns that we will allow,
+	/// regardless of if they match `forbidden_remote_server_names`.
+	///
+	/// example: ["goodserver\.tld$", "goodphrase"]
+	///
+	/// default: []
+	#[serde(default, with = "serde_regex")]
+	pub allowed_remote_server_names: RegexSet,
+
 	/// List of forbidden server names via regex patterns that we will block all
 	/// outgoing federated room directory requests for. Useful for preventing
 	/// our users from wandering into bad servers or spaces.

src/service/moderation.rs

@@ -24,8 +24,23 @@ impl crate::Service for Service {
 #[implement(Service)]
 #[must_use]
 pub fn is_remote_server_forbidden(&self, server_name: &ServerName) -> bool {
-	// Forbidden if NOT (allowed is empty OR allowed contains server OR is self)
-	// OR forbidden contains server
+	// We must never block federating with ourselves
+	if server_name == self.services.server.config.server_name {
+		return false;
+	}
+
+	// Check if server is explicitly allowed
+	if self
+		.services
+		.server
+		.config
+		.allowed_remote_server_names
+		.is_match(server_name.host())
+	{
+		return false;
+	}
+
+	// Check if server is explicitly forbidden
 	self.services
 		.server
 		.config