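{ pkgs, lib, config, machines, ... }:
# NixOS module for the Prosody XMPP server on the losurdo machine.
#
# What it sets up (everything below is visible in this file):
#   - c2s (5222) and s2s (5269) with TLS mandatory, s2s certificates checked;
#   - HTTPS only (no plaintext HTTP) on prosody.httpsPorts, used for HTTP upload;
#   - a XEP-0065 SOCKS5 file-transfer proxy component (proxy65.<domain>);
#   - a MUC component (salons.<domain>) with locked-down defaults;
#   - a biboumi IRC-gateway external component (biboumi.<domain>);
#   - TURN credentials advertised via mod_turncredentials, pointing at the
#     coturn instance configured on the mermet machine;
#   - nftables rules opening exactly those listeners.
#
# Secrets (e.g. the TURN shared secret matching coturn's static-auth-secret)
# are NOT in this file; they are expected to come from the imported
# ../../../sec/machines/losurdo/prosody.nix module.
let
  inherit (config) networking;
  inherit (config.services) prosody;
  # coturn is evaluated from the mermet machine's configuration so that the
  # port advertised to XMPP clients is the one coturn actually listens on.
  inherit (machines.mermet.config.services) coturn;
  # Single source of truth for the XEP-0065 proxy port: it is opened in the
  # firewall AND handed to Prosody, so the two can never drift apart.
  proxy65Port = 5000;
in
{
  imports = [
    prosody/biboumi.nix
    ../../../sec/machines/losurdo/prosody.nix
  ];

  # Firewall: only the listeners configured below are reachable from the
  # network. Inbound HTTPS ports are derived from prosody.httpsPorts so a
  # change there is reflected here automatically.
  # The fw2net rule lets the prosody user reach ANY destination port
  # (needed at least for outbound s2s); tighten it if the required outbound
  # port set is known.
  networking.nftables.ruleset = ''
    add rule inet filter net2fw tcp dport {5222,5269} counter accept comment "XMPP"
    add rule inet filter net2fw tcp dport ${toString proxy65Port} counter accept comment "XMPP XEP-0065 File Transfer Proxy"
    add rule inet filter net2fw tcp dport {${lib.concatMapStringsSep "," toString prosody.httpsPorts}} counter accept comment "XMPP HTTPS"
    add rule inet filter fw2net meta skuid ${prosody.user} counter accept comment "Prosody"
  '';

  # Prosody reads its key/certificate from /var/lib/acme/<domain>/ (see the
  # ssl.* options below), hence membership in the acme group.
  # NOTE(review): this grants read access to every certificate and key under
  # /var/lib/acme on this host, not only <domain>'s; if other certificates
  # live there, consider giving this one certificate a prosody-readable
  # group instead.
  users.groups.acme.members = [ prosody.user ];
  security.acme.certs."${networking.domain}" = {
    # Pick up the renewed certificate without a full restart.
    postRun = "systemctl reload prosody";
  };
  systemd.services.prosody = {
    wants = [ "acme-selfsigned-${networking.domain}.service" "acme-${networking.domain}.service" ];
    # Only wait for the self-signed placeholder so Prosody can start before
    # the real ACME order completes; postRun above reloads it afterwards.
    after = [ "acme-selfsigned-${networking.domain}.service" ];
  };

  # Sanity-check the resulting configuration with:
  #   sudo -u prosody prosodyctl check
  services.prosody = {
    enable = true;
    # Ask NixOS to assert the XMPP Compliance Suite module set.
    xmppComplianceSuite = true;
    modules = {
      announce = true;
      blocklist = true;
      cloud_notify = true;
      groups = true;
      # NOTE(review): mod_limits is disabled, so no per-connection bandwidth
      # limits apply to c2s/s2s sessions; the reason is not recorded here.
      limits = false;
      motd = true;
      watchregistrations = true;
      websocket = false;
      # proxy65 is not loaded globally; it is instantiated as a dedicated
      # Component in extraConfig below.
      proxy65 = false;
    };
    extraModules = [
      # Community module; the shared secret it needs (turncredentials_secret)
      # is not set in this file and must match coturn's static-auth-secret.
      "turncredentials"
      #"net_multiplex"
      #"extdisco"
    ];
    extraConfig = ''
      -- Listen only in IPv4 until hosting provider's IPv6 works well.
      interfaces = { "0.0.0.0" }
      c2s_interfaces = { "0.0.0.0" }

      -- TURN server advertised to clients; the port is taken from the
      -- coturn configuration of the mermet machine.
      turncredentials_host = "turn.${networking.domain}"
      turncredentials_port = ${toString coturn.listening-port}

      --http_files_dir = "/var/lib/prosody/files"
      --http_external_url = "https://tmp.${networking.domain}:5281"
      --https_certificate = "/var/lib/acme/${networking.domain}/fullchain.pem"
      --https_key = "/var/lib/acme/${networking.domain}/key.pem"
      --certificates = "/var/lib/acme"

      -- XEP-0065 proxy, restricted by ACL to users of this host only.
      proxy65_ports = ${toString proxy65Port}
      Component "proxy65.${networking.domain}" "proxy65"
      proxy65_address = "proxy65.${networking.domain}"
      proxy65_acl = { "${networking.domain}" }

      -- External component for the biboumi IRC gateway (see prosody/biboumi.nix).
      -- This secret sits in the world-readable Nix store, so it only guards
      -- against remote peers; it assumes the component listener is bound to
      -- loopback and that no untrusted local user can reach it.
      Component "biboumi.${networking.domain}"
      component_secret = "useless-secret-on-loopback"
    '';
    #ports = {80};
    #ssl_ports = {443};
    # Transport security: no plaintext c2s or s2s, and s2s peers must present
    # a valid certificate (no dialback fallback).
    c2sRequireEncryption = true;
    s2sRequireEncryption = true;
    s2sSecureAuth = true;
    uploadHttp = {
      domain = "tmp.${networking.domain}";
      # 10 MiB; Prosody's HTTP parser limit on body size.
      # (The NixOS options take strings here; uploadExpireAfter is a Lua
      # expression, presumably spliced verbatim into the Lua config.)
      uploadFileSizeLimit = "10485760";
      userQuota = 100 * 1024 * 1024;
      uploadExpireAfter = "60 * 60 * 24 * 7";
      httpUploadPath = "/var/lib/prosody/upload";
    };
    muc = [
      { domain = "salons.${networking.domain}";
        extraConfig = ''
          restrict_room_creation = "local"
          max_history_messages = 42
          muc_room_locking = true
          muc_room_lock_timeout = 600
          muc_tombstones = true
          muc_tombstone_expiry = 31 * 24 * 60 * 60
          muc_room_default_public = true
          muc_room_default_members_only = false
          muc_room_default_moderated = true
          muc_room_default_public_jids = false
          muc_room_default_change_subject = true
          muc_room_default_history_length = 42
          muc_room_default_language = "fr"
        '';
      }
    ];
    # One certificate serves the VirtualHost and every component above
    # (tmp., salons., proxy65., biboumi.); its SANs must cover those names.
    # extraDomainNames are not set in this file — presumably elsewhere.
    ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
    ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
    admins = [
      "julm@${networking.domain}"
    ];
    virtualHosts."${networking.domain}" = {
      enabled = true;
      domain = "${networking.domain}";
      ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
      ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
    };
    # Accounts are created by an admin only; passwords are stored hashed.
    allowRegistration = false;
    authentication = "internal_hashed";
    # No plaintext HTTP listener at all; HTTPS only.
    httpPorts = [];
    httpsPorts = [5281];
    disco_items = [
      { url = "biboumi.${networking.domain}";
        description = "Passerelle vers des serveurs IRC (Internet Relay Chat)"; }
    ];
    package = pkgs.prosody.override {
      withCommunityModules = [
        "turncredentials"
        #"extdisco"
      ];
    };
  };
}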