1 { pkgs, lib, config, machines, ipv4, ... }:
3 inherit (config) networking;
4 inherit (config.services) prosody;
5 inherit (machines.mermet.config.services) coturn;
10 #../../sec/machines/losurdo/prosody.nix
12 networking.nftables.ruleset = ''
13 add rule inet filter net2fw tcp dport {5222,5269} counter accept comment "XMPP"
14 add rule inet filter net2fw tcp dport 5000 counter accept comment "XMPP XEP-0065 File Transfer Proxy"
15 add rule inet filter net2fw tcp dport {${lib.concatMapStringsSep "," toString prosody.httpsPorts}} counter accept comment "XMPP HTTPS"
16 add rule inet filter fw2net meta skuid ${prosody.user} counter accept comment "Prosody"
# Publish the same XMPP listeners as a Tor onion service under <domain>/xmpp:
# 5222 (c2s), 5269 (s2s), 5000 (XEP-0065 file-transfer proxy) plus the HTTPS
# ports — the same set the nftables rules above accept on the clearnet side.
services.tor.relay.hiddenServices."${networking.domain}/xmpp".map = [ 5222 5269 5000 ] ++ prosody.httpsPorts;
# Let the prosody user read the ACME-issued certificate and key that the
# ssl.cert/ssl.key settings below point at under /var/lib/acme/<domain>.
# NOTE(review): acme group membership is not scoped to one certificate; any
# other cert kept under /var/lib/acme with the default group would become
# readable by prosody as well — confirm that is intended.
users.groups.acme.members = [ prosody.user ];
22 security.acme.certs."${networking.domain}" = {
23 postRun = "systemctl reload prosody";
25 systemd.services.prosody = {
# Order only after the self-signed placeholder so Prosody can start before the
# real ACME order has completed; the cert's postRun ("systemctl reload prosody")
# presumably swaps in the issued certificate afterwards — confirm.
wants = [ "acme-selfsigned-${networking.domain}.service" "acme-${networking.domain}.service"];
after = [ "acme-selfsigned-${networking.domain}.service" ];
29 # sudo -u prosody prosodyctl check
32 xmppComplianceSuite = true;
40 server_contact_info = true;
41 watchregistrations = true;
52 -- Listen only in IPv4 until hosting provider's IPv6 works well.
53 interfaces = { "0.0.0.0" }
54 c2s_interfaces = { "0.0.0.0" }
56 --abuse = { "mailto:abuse@${networking.domain}", "xmpp:abuse@${networking.domain}" };
57 --admin = { "mailto:admin@${networking.domain}", "xmpp:admin@${networking.domain}" };
58 --feedback = { "http://${networking.domain}/feedback.php", "mailto:feedback@${networking.domain}", "xmpp:feedback@${networking.domain}" };
59 --sales = { "xmpp:bard@${networking.domain}" };
60 --security = { "xmpp:security@${networking.domain}" };
61 --support = { "http://${networking.domain}/support.php", "xmpp:support@${networking.domain}" };
63 legacy_ssl_ports = { 5222 }
65 turncredentials_host = "turn.${networking.domain}"
66 turncredentials_port = 3478
68 --http_files_dir = "/var/lib/prosody/files"
69 --http_external_url = "https://tmp.${networking.domain}:5281"
70 --https_certificate = "/var/lib/acme/${networking.domain}/fullchain.pem"
71 --https_key = "/var/lib/acme/${networking.domain}/key.pem"
72 --certificates = "/var/lib/acme"
75 Component "proxy65.${networking.domain}" "proxy65"
76 proxy65_address = "proxy65.${networking.domain}"
77 proxy65_acl = { "${networking.domain}" }
79 Component "biboumi.${networking.domain}"
80 component_secret = "useless-secret-on-loopback"
# Refuse plaintext sessions: clients (c2s) and peer servers (s2s) must
# negotiate TLS before the session proceeds.
c2sRequireEncryption = true;
s2sRequireEncryption = true;
88 domain = "tmp.${networking.domain}";
# 10 MiB per upload — kept at Prosody's HTTP parser limit on request body
# size, so a larger value here would not be honoured by the HTTP layer.
uploadFileSizeLimit = "10485760";
# 100 MiB of stored uploads per user.
userQuota = 100 * 1024 * 1024;
# Uploads expire after 7 days (a Lua expression in seconds, apparently
# evaluated on the Prosody side — confirm).
uploadExpireAfter = "60 * 60 * 24 * 7";
httpUploadPath = "/var/lib/prosody/upload";
96 { domain = "salons.${networking.domain}";
98 restrict_room_creation = "local"
99 max_history_messages = 42
100 muc_room_locking = true
101 muc_room_lock_timeout = 600
102 muc_tombstones = true
103 muc_tombstone_expiry = 31 * 24 * 60 * 60
104 muc_room_default_public = true
105 muc_room_default_members_only = false
106 muc_room_default_moderated = true
107 muc_room_default_public_jids = false
108 muc_room_default_change_subject = true
109 muc_room_default_history_length = 42
110 muc_room_default_language = "fr"
114 ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
115 ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
117 "julm@${networking.domain}"
119 virtualHosts."${networking.domain}" = {
121 domain = "${networking.domain}";
122 ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
123 ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
# No in-band registration (XEP-0077): accounts on this host are created out
# of band, so anonymous account creation is not possible.
allowRegistration = false;
# Store credentials as salted hashes rather than plaintext (internal_plain).
authentication = "internal_hashed";
130 { url = "biboumi.${networking.domain}";
131 description = "Passerelle vers des serveurs IRC (Internet Relay Chat)"; }
133 package = pkgs.prosody.override {
134 withCommunityModules = [