{ pkgs, lib, config, machines, ipv4, ... }:
let
  inherit (config.networking) domain;
  inherit (config.services) prosody;
  # Not referenced anywhere in this file (turncredentials_host below is
  # spelled out by hand rather than derived from it).
  inherit (machines.mermet.config.services) coturn;

  # Directory where the ACME module stores the certificate for `domain`.
  acmeDir = "/var/lib/acme/${domain}";
  # Key/certificate pair handed to Prosody, both globally and per virtual host.
  ssl = {
    key = "${acmeDir}/key.pem";
    cert = "${acmeDir}/fullchain.pem";
  };

  # One UPnP port mapping.  Every mapping is TCP, holds a 30-minute lease and
  # is started/stopped together with prosody.service.
  redirection = description: externalPort: {
    inherit description externalPort;
    protocol = "TCP";
    duration = 30 * 60;
    service = {
      wantedBy = [ "prosody.service" ];
      partOf = [ "prosody.service" ];
    };
  };
in
{
  imports = [
    prosody/biboumi.nix
    #../../sec/machines/losurdo/prosody.nix
  ];

  # Inbound from the network: client connections (5222), server-to-server
  # (5269), the XEP-0065 bytestream proxy (5000) and the HTTPS ports.
  # Outbound: everything running under the prosody user (s2s, push, TURN...).
  networking.nftables.ruleset = ''
    add rule inet filter net2fw tcp dport {5222,5269} counter accept comment "XMPP"
    add rule inet filter net2fw tcp dport 5000 counter accept comment "XMPP XEP-0065 File Transfer Proxy"
    add rule inet filter net2fw tcp dport {${lib.concatMapStringsSep "," toString prosody.httpsPorts}} counter accept comment "XMPP HTTPS"
    add rule inet filter fw2net meta skuid ${prosody.user} counter accept comment "Prosody"
  '';

  # Publish the same four port groups through the upstream router via UPnP.
  services.upnpc.redirections =
    [
      (redirection "XMPP" 5222)
      (redirection "XMPP" 5269)
      (redirection "XMPP-FTP" 5000)
    ] ++ map (redirection "XMPP-HTTPS") prosody.httpsPorts;

  /*
  services.tor.relay.hiddenServices."${domain}/xmpp".map = [ 5222 5269 5000 ] ++ prosody.httpsPorts;
  */

  # Group membership lets the prosody user read the ACME-managed key named in
  # `ssl`; note the grant covers the whole acme group, not just that one cert.
  users.groups.acme.members = [ prosody.user ];
  security.acme.certs.${domain} = {
    postRun = "systemctl reload prosody";
  };

  systemd.services.prosody = let
    selfsigned = "acme-selfsigned-${domain}.service";
    issued = "acme-${domain}.service";
  in {
    wants = [ selfsigned issued ];
    # Only the self-signed placeholder is ordered before start-up; presumably
    # so that a slow or failing ACME run does not keep prosody from starting.
    after = [ selfsigned ];
  };

  # sudo -u prosody prosodyctl check
  services.prosody = {
    enable = true;
    package = pkgs.prosody.override {
      withCommunityModules = [
        "turncredentials"
        #"extdisco"
      ];
    };
    xmppComplianceSuite = true;

    admins = [
      "julm@${domain}"
    ];
    virtualHosts.${domain} = {
      enabled = true;
      inherit domain ssl;
    };
    inherit ssl;

    # No in-band registration, hashed credential storage, and encryption
    # required on both client and server links (with s2s certificate checks).
    allowRegistration = false;
    authentication = "internal_hashed";
    c2sRequireEncryption = true;
    s2sRequireEncryption = true;
    s2sSecureAuth = true;

    # Plain HTTP is not exposed at all; HTTPS only on 5281.
    #ports = {80};
    #ssl_ports = {443};
    httpPorts = [];
    httpsPorts = [5281];

    # proxy65 is disabled as a module here because the `Component` line in
    # extraConfig declares it instead, with an explicit address and ACL.
    modules = lib.genAttrs [
      "announce" "blocklist" "cloud_notify" "groups" "motd"
      "server_contact_info" "watchregistrations" "welcome"
    ] (_: true) // {
      limits = false;
      websocket = false;
      proxy65 = false;
    };
    extraModules = [
      "turncredentials"
      #"net_multiplex"
      #"extdisco"
    ];

    uploadHttp = {
      domain = "tmp.${domain}";
      # Prosody's HTTP parser limit on body size
      uploadFileSizeLimit = "10485760";
      userQuota = 100 * 1024 * 1024;
      uploadExpireAfter = "60 * 60 * 24 * 7";
      httpUploadPath = "/var/lib/prosody/upload";
    };

    muc = [
      { domain = "salons.${domain}";
        extraConfig = ''
          restrict_room_creation = "local"
          max_history_messages = 42
          muc_room_locking = true
          muc_room_lock_timeout = 600
          muc_tombstones = true
          muc_tombstone_expiry = 31 * 24 * 60 * 60
          muc_room_default_public = true
          muc_room_default_members_only = false
          muc_room_default_moderated = true
          muc_room_default_public_jids = false
          muc_room_default_change_subject = true
          muc_room_default_history_length = 42
          muc_room_default_language = "fr"
        '';
      }
    ];

    disco_items = [
      { url = "biboumi.${domain}";
        description = "Passerelle vers des serveurs IRC (Internet Relay Chat)"; }
    ];

    # NOTE(review): legacy_ssl_ports names 5222, the port c2s/STARTTLS listens
    # on by default (direct TLS is conventionally 5223); confirm this is
    # intended and does not clash with the c2s listener.
    # proxy65_acl restricts the bytestream proxy to this domain's users.
    # component_secret is a fixed literal; that is only acceptable as long as
    # biboumi reaches the component over loopback (see prosody/biboumi.nix).
    extraConfig = ''
      -- Listen only in IPv4 until hosting provider's IPv6 works well.
      interfaces = { "0.0.0.0" }
      c2s_interfaces = { "0.0.0.0" }
      contact_info = {
        --abuse = { "mailto:abuse@${domain}", "xmpp:abuse@${domain}" };
        --admin = { "mailto:admin@${domain}", "xmpp:admin@${domain}" };
        --feedback = { "http://${domain}/feedback.php", "mailto:feedback@${domain}", "xmpp:feedback@${domain}" };
        --sales = { "xmpp:bard@${domain}" };
        --security = { "xmpp:security@${domain}" };
        --support = { "http://${domain}/support.php", "xmpp:support@${domain}" };
      }
      legacy_ssl_ports = { 5222 }

      turncredentials_host = "turn.${domain}"
      turncredentials_port = 3478

      --http_files_dir = "/var/lib/prosody/files"
      --http_external_url = "https://tmp.${domain}:5281"
      --https_certificate = "/var/lib/acme/${domain}/fullchain.pem"
      --https_key = "/var/lib/acme/${domain}/key.pem"
      --certificates = "/var/lib/acme"

      proxy65_ports = 5000
      Component "proxy65.${domain}" "proxy65"
      proxy65_address = "proxy65.${domain}"
      proxy65_acl = { "${domain}" }

      Component "biboumi.${domain}"
      component_secret = "useless-secret-on-loopback"
    '';
  };
}