]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/prosody.nix
systemd-crypt: fix decrypt.sh
[sourcephile-nix.git] / hosts / mermet / prosody.nix
1 { pkgs, lib, config, inputs, hosts, ipv4, ... }:
2 let
3 inherit (config.services) prosody;
4 inherit (hosts.mermet.config.services) coturn;
5 domain = config.networking.domain;
6 in
7 {
8 imports = [
9 prosody/biboumi.nix
10 ];
11 networking.nftables.ruleset = ''
12 add rule inet filter net2fw tcp dport {5222,5269} counter accept comment "XMPP"
13 add rule inet filter net2fw tcp dport 5000 counter accept comment "XMPP XEP-0065 File Transfer Proxy"
14 add rule inet filter net2fw tcp dport {${lib.concatMapStringsSep "," toString prosody.httpsPorts}} counter accept comment "XMPP HTTPS"
15 add rule inet filter fw2net meta skuid ${prosody.user} counter accept comment "Prosody"
16 '';
17 /*
18 services.upnpc.redirections =
19 [
20 { description = "XMPP";
21 externalPort = 5222; protocol = "TCP";
22 duration = 30 * 60;
23 service.wantedBy = ["prosody.service"];
24 service.partOf = ["prosody.service"];
25 }
26 { description = "XMPP";
27 externalPort = 5269; protocol = "TCP";
28 duration = 30 * 60;
29 service.wantedBy = ["prosody.service"];
30 service.partOf = ["prosody.service"];
31 }
32 { description = "XMPP-FTP";
33 externalPort = 5000; protocol = "TCP";
34 duration = 30 * 60;
35 service.wantedBy = ["prosody.service"];
36 service.partOf = ["prosody.service"];
37 }
38 ] ++ map (externalPort: {
39 description = "XMPP-HTTPS";
40 inherit externalPort; protocol="TCP";
41 duration = 30 * 60;
42 service.wantedBy = ["prosody.service"];
43 service.partOf = ["prosody.service"];
44 }) prosody.httpsPorts;
45 */
46 /*
47 services.tor.relay.hiddenServices."${domain}/xmpp".map = [ 5222 5269 5000 ] ++ prosody.httpsPorts;
48 */
49 users.groups.acme.members = [ prosody.user ];
50 security.acme.certs."${domain}" = {
51 postRun = "systemctl restart prosody";
52 };
53 fileSystems."/var/lib/prosody" = {
54 device = "rpool/var/prosody";
55 fsType = "zfs";
56 };
57 services.sanoid.datasets = {
58 "rpool/var/prosody" = {
59 use_template = [ "snap" ];
60 daily = 7;
61 };
62 };
63 systemd.services.prosody = {
64 wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
65 after = [ "acme-selfsigned-${domain}.service" ];
66 };
67 # sudo -u prosody prosodyctl check
68 services.prosody = {
69 enable = true;
70 xmppComplianceSuite = true;
71 modules = {
72 announce = true;
73 blocklist = true;
74 cloud_notify = false; # not encrypted even with OMEMO
75 #cloud_notify_encrypted = true;
76 groups = true;
77 limits = false;
78 motd = true;
79 server_contact_info = true;
80 watchregistrations = true;
81 websocket = false;
82 welcome = true;
83 proxy65 = false;
84 };
85 extraModules = [
86 "turn_external"
87 #"turncredentials"
88 #"net_multiplex"
89 #"extdisco"
90 ];
91 extraConfig = ''
92 log = {
93 -- debug = "*syslog";
94 info = "*syslog";
95 warn = "*syslog";
96 error = "*syslog";
97 }
98 -- Listen only in IPv4 until hosting provider's IPv6 works well.
99 interfaces = { "0.0.0.0" }
100 c2s_interfaces = { "0.0.0.0" }
101 contact_info = {
102 --abuse = { "mailto:abuse@${domain}", "xmpp:abuse@${domain}" };
103 --admin = { "mailto:admin@${domain}", "xmpp:admin@${domain}" };
104 --feedback = { "http://${domain}/feedback.php", "mailto:feedback@${domain}", "xmpp:feedback@${domain}" };
105 --sales = { "xmpp:bard@${domain}" };
106 --security = { "xmpp:security@${domain}" };
107 --support = { "http://${domain}/support.php", "xmpp:support@${domain}" };
108 }
109 legacy_ssl_ports = { 5222 }
110
111 -- turncredentials_host = "turn.${domain}"
112 -- turncredentials_port = 3478
113 -- turncredentials_secret = "${lib.removeSuffix "\n" (builtins.readFile (inputs.secrets + "/coturn/static-auth-secret"))}";
114
115 turn_external_secret = "${lib.removeSuffix "\n" (builtins.readFile (inputs.secrets + "/coturn/static-auth-secret"))}"
116 turn_external_host = "turn.${domain}"
117 turn_external_port = 3478
118 turn_external_ttl = 86400
119
120 smacks_enabled_s2s = true;
121 smacks_s2s_resend = true;
122
123 --http_files_dir = "/var/lib/prosody/files"
124 --http_external_url = "https://tmp.${domain}:5281"
125 --https_certificate = "/var/lib/acme/${domain}/fullchain.pem"
126 --https_key = "/var/lib/acme/${domain}/key.pem"
127 --certificates = "/var/lib/acme"
128
129 proxy65_ports = 5000
130 Component "proxy65.${domain}" "proxy65"
131 proxy65_address = "proxy65.${domain}"
132 proxy65_acl = { "${domain}" }
133
134 Component "biboumi.${domain}"
135 component_secret = "useless-secret-on-loopback"
136 '';
137 httpFileShare = {
138 domain = "tmp.${domain}";
139 size_limit = 16*1024*1024; # 16 MiB
140 daily_quota = 100*1024*1024; # 100 MiB per day per user
141 global_quota = 1024*1024*1024; # 1 GiB total
142 };
143 #ports = {80};
144 #ssl_ports = {443};
145 c2sRequireEncryption = true;
146 s2sRequireEncryption = true;
147 s2sSecureAuth = true;
148 muc = [
149 {
150 domain = "salons.${domain}";
151 extraConfig = ''
152 restrict_room_creation = "local"
153 max_history_messages = 42
154 muc_room_locking = true
155 muc_room_lock_timeout = 600
156 muc_tombstones = true
157 muc_tombstone_expiry = 31 * 24 * 60 * 60
158 muc_room_default_public = true
159 muc_room_default_members_only = false
160 muc_room_default_moderated = true
161 muc_room_default_public_jids = false
162 muc_room_default_change_subject = true
163 muc_room_default_history_length = 42
164 muc_room_default_language = "fr"
165 '';
166 }
167 ];
168 ssl.key = "/var/lib/acme/${domain}/key.pem";
169 ssl.cert = "/var/lib/acme/${domain}/fullchain.pem";
170 admins = [
171 "julm@${domain}"
172 ];
173 virtualHosts."${domain}" = {
174 enabled = true;
175 domain = "${domain}";
176 ssl.key = "/var/lib/acme/${domain}/key.pem";
177 ssl.cert = "/var/lib/acme/${domain}/fullchain.pem";
178 };
179 allowRegistration = false;
180 authentication = "internal_hashed";
181 httpPorts = [];
182 httpsPorts = [5281];
183 disco_items = [
184 { url = "biboumi.${domain}";
185 description = "Passerelle vers des serveurs IRC (Internet Relay Chat)"; }
186 ];
187 package = pkgs.prosody.override {
188 withCommunityModules = [
189 "turncredentials"
190 #"extdisco"
191 ];
192 };
193 };
194 }