# NixOS module for the Prosody XMPP server on host "mermet".
# It wires together: nftables openings for the XMPP listeners, ACME
# certificate access for the prosody user, the ZFS dataset backing
# /var/lib/prosody (with sanoid snapshots), and services.prosody itself.
# The biboumi IRC gateway component is set up in prosody/biboumi.nix.
{ pkgs, lib, config, hosts, ... }:
let
  inherit (config.services) prosody;
  # coturn config of this same host: its static-auth-secret is handed to
  # prosody below (turn_external_secret) so both sides derive the same
  # TURN credentials.
  inherit (hosts.mermet.config.services) coturn;
  domain = config.networking.domain;
in
{
  imports = [
    prosody/biboumi.nix
  ];
  # Inbound: only the listeners configured below (c2s/s2s, the proxy65
  # port 5000 which matches proxy65_ports in extraConfig, and
  # prosody.httpsPorts for the HTTPS file share).
  # Outbound: anything running under the prosody UID (s2s, TURN, ...).
  networking.nftables.ruleset = ''
    table inet filter {
    chain input-net {
    tcp dport { xmpp-client, xmpp-server } counter accept comment "prosody: XMPP"
    tcp dport 5000 counter accept comment "prosody: XMPP XEP-0065 File Transfer Proxy"
    tcp dport {${lib.concatMapStringsSep "," toString prosody.httpsPorts}} counter accept comment "prosody: HTTPS"
    }
    chain output-net {
    skuid ${prosody.user} counter accept comment "prosody"
    }
    }
  '';
  # Disabled UPnP redirections, kept for reference: the same ports as the
  # nftables rules above (5222, 5269, 5000 and httpsPorts).
  /*
  services.upnpc.redirections =
    [
      { description = "XMPP";
        externalPort = 5222; protocol = "TCP";
        duration = 30 * 60;
        service.wantedBy = ["prosody.service"];
        service.partOf = ["prosody.service"];
      }
      { description = "XMPP";
        externalPort = 5269; protocol = "TCP";
        duration = 30 * 60;
        service.wantedBy = ["prosody.service"];
        service.partOf = ["prosody.service"];
      }
      { description = "XMPP-FTP";
        externalPort = 5000; protocol = "TCP";
        duration = 30 * 60;
        service.wantedBy = ["prosody.service"];
        service.partOf = ["prosody.service"];
      }
    ] ++ map (externalPort: {
      description = "XMPP-HTTPS";
      inherit externalPort; protocol="TCP";
      duration = 30 * 60;
      service.wantedBy = ["prosody.service"];
      service.partOf = ["prosody.service"];
    }) prosody.httpsPorts;
  */
  # Disabled Tor onion-service mapping of the same set of ports.
  /*
  services.tor.relay.hiddenServices."${domain}/xmpp".map = [ 5222 5269 5000 ] ++ prosody.httpsPorts;
  */
  # Lets the prosody user read the ACME-issued key/cert referenced in
  # ssl.key / ssl.cert below.
  # NOTE(review): this presumes membership of the acme group is what grants
  # read access to /var/lib/acme/${domain}; verify against the acme module.
  users.groups.acme.members = [ prosody.user ];
  # Pick up a renewed certificate without a full restart cycle on failure
  # (try-restart only restarts prosody if it is already running).
  security.acme.certs."${domain}" = {
    postRun = "systemctl try-restart prosody";
  };
  # Prosody state lives on its own ZFS dataset ...
  fileSystems."/var/lib/prosody" = {
    device = "rpool/var/prosody";
    fsType = "zfs";
  };
  # ... snapshotted by sanoid with the "snap" template, keeping 7 dailies.
  services.sanoid.datasets = {
    "rpool/var/prosody" = {
      use_template = [ "snap" ];
      daily = 7;
    };
  };
  # Make sure a certificate exists before prosody starts: the self-signed
  # one is ordered strictly before, the real ACME one is only wanted, so
  # the service can come up before the ACME issuance has completed.
  systemd.services.prosody = {
    wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
    after = [ "acme-selfsigned-${domain}.service" ];
  };
  # sudo -u prosody prosodyctl check
  services.prosody = {
    enable = true;
    xmppComplianceSuite = true;
    modules = {
      announce = true;
      blocklist = true;
      cloud_notify = false; # not encrypted even with OMEMO
      #cloud_notify_encrypted = true;
      groups = true;
      # NOTE(review): mod_limits (connection rate limiting) is off, so
      # nothing in this file throttles c2s/s2s bandwidth.
      limits = false;
      motd = true;
      # Advertises contact_info from extraConfig; note that every entry
      # there is currently commented out, so there is nothing to advertise.
      server_contact_info = true;
      watchregistrations = true;
      websocket = false;
      welcome = true;
      # proxy65 is not loaded as a global module: it is declared as a
      # Component in extraConfig instead.
      proxy65 = false;
    };
    # turn_external provides TURN credentials; the older turncredentials
    # module is built into the package below but is not loaded here, and
    # its turncredentials_* settings are commented out in extraConfig.
    extraModules = [
      "turn_external"
      #"turncredentials"
      #"net_multiplex"
      #"extdisco"
    ];
    # Raw prosody.cfg.lua additions (Lua syntax). Notes per setting:
    # - log: syslog only at info and above; debug is left commented out.
    # - interfaces / c2s_interfaces: IPv4 only, see the inline comment.
    # - contact_info: all entries are commented out, so the table is empty.
    # - legacy_ssl_ports = { 5222 }: NOTE(review): 5222 is also the
    #   xmpp-client port opened in nftables above; confirm this does not
    #   collide with the regular c2s listener (net_multiplex is not loaded).
    # - turn_external_secret: NOTE(review): the coturn shared secret is
    #   interpolated into this Nix string (also in the commented-out
    #   turncredentials_secret line, since Nix interpolation happens
    #   regardless of the Lua comment), so it is embedded in the generated
    #   config and therefore in the world-readable Nix store; prefer loading
    #   it from a runtime file if the prosody module allows it.
    # - turn_external_ttl = 86400: 24 h in seconds, presumably the lifetime
    #   of the TURN credentials handed to clients.
    # - smacks_*: stream management on s2s, with resend on reconnect.
    # - proxy65: SOCKS5 bytestream proxy on port 5000 (matches nftables),
    #   restricted by proxy65_acl to users of ${domain}.
    # - biboumi component_secret: NOTE(review): a fixed literal; the value
    #   itself states the component link is loopback-only, but the component
    #   listener's bind address is not set in this file -- check
    #   prosody/biboumi.nix before relying on that.
    extraConfig = ''
      log = {
      -- debug = "*syslog";
      info = "*syslog";
      warn = "*syslog";
      error = "*syslog";
      }
      -- Listen only in IPv4 until hosting provider's IPv6 works well.
      interfaces = { "0.0.0.0" }
      c2s_interfaces = { "0.0.0.0" }
      contact_info = {
      --abuse = { "mailto:abuse@${domain}", "xmpp:abuse@${domain}" };
      --admin = { "mailto:admin@${domain}", "xmpp:admin@${domain}" };
      --feedback = { "http://${domain}/feedback.php", "mailto:feedback@${domain}", "xmpp:feedback@${domain}" };
      --sales = { "xmpp:bard@${domain}" };
      --security = { "xmpp:security@${domain}" };
      --support = { "http://${domain}/support.php", "xmpp:support@${domain}" };
      }
      legacy_ssl_ports = { 5222 }

      -- turncredentials_host = "turn.${domain}"
      -- turncredentials_port = 3478
      -- turncredentials_secret = "${coturn.static-auth-secret}";

      turn_external_secret = "${coturn.static-auth-secret}"
      turn_external_host = "turn.${domain}"
      turn_external_port = 3478
      turn_external_ttl = 86400

      smacks_enabled_s2s = true;
      smacks_s2s_resend = true;

      --http_files_dir = "/var/lib/prosody/files"
      --http_external_url = "https://tmp.${domain}:5281"
      --https_certificate = "/var/lib/acme/${domain}/fullchain.pem"
      --https_key = "/var/lib/acme/${domain}/key.pem"
      --certificates = "/var/lib/acme"

      proxy65_ports = 5000
      Component "proxy65.${domain}" "proxy65"
      proxy65_address = "proxy65.${domain}"
      proxy65_acl = { "${domain}" }

      Component "biboumi.${domain}"
      component_secret = "useless-secret-on-loopback"
    '';
    # HTTPS file upload on its own subdomain, bounded per upload, per user
    # per day, and globally; uploads are expired after a week.
    httpFileShare = {
      domain = "tmp.${domain}";
      size_limit = 100 * 1024 * 1024; # 100 MiB
      daily_quota = 200 * 1024 * 1024; # 200 MiB per day per user
      global_quota = 1 * 1024 * 1024 * 1024; # 1 GiB total
      expires_after = 7 * 24 * 60 * 60; # 7 days
    };
    #ports = {80};
    #ssl_ports = {443};
    # TLS is mandatory for clients and for peer servers; s2sSecureAuth
    # presumably additionally refuses peers whose certificate does not
    # validate -- confirm against the NixOS prosody module.
    c2sRequireEncryption = true;
    s2sRequireEncryption = true;
    s2sSecureAuth = true;
    # Multi-user chat on its own subdomain. Room creation is limited to
    # "local" users; new rooms default to public, moderated, open to
    # non-members, with occupant JIDs not public (presumably only visible
    # to moderators), and locked rooms expire after 600 s if left unconfigured.
    muc = [
      {
        domain = "salons.${domain}";
        extraConfig = ''
          restrict_room_creation = "local"
          max_history_messages = 42
          muc_room_locking = true
          muc_room_lock_timeout = 600
          muc_tombstones = true
          muc_tombstone_expiry = 31 * 24 * 60 * 60
          muc_room_default_public = true
          muc_room_default_members_only = false
          muc_room_default_moderated = true
          muc_room_default_public_jids = false
          muc_room_default_change_subject = true
          muc_room_default_history_length = 42
          muc_room_default_language = "fr"
        '';
      }
    ];
    # ACME-issued key/cert, readable by the prosody user via the acme group
    # membership above; repeated on the virtual host below.
    ssl.key = "/var/lib/acme/${domain}/key.pem";
    ssl.cert = "/var/lib/acme/${domain}/fullchain.pem";
    admins = [
      "julm@${domain}"
    ];
    virtualHosts."${domain}" = {
      enabled = true;
      domain = "${domain}";
      ssl.key = "/var/lib/acme/${domain}/key.pem";
      ssl.cert = "/var/lib/acme/${domain}/fullchain.pem";
    };
    # No in-band registration: accounts are created out of band and stored
    # with hashed passwords.
    allowRegistration = false;
    authentication = "internal_hashed";
    # No plaintext HTTP listener; HTTPS only on 5281, which is the port the
    # nftables "prosody: HTTPS" rule above opens (via prosody.httpsPorts).
    httpPorts = [ ];
    httpsPorts = [ 5281 ];
    # Service-discovery entry for the IRC gateway (description is in French).
    disco_items = [
      {
        url = "biboumi.${domain}";
        description = "Passerelle vers des serveurs IRC (Internet Relay Chat)";
      }
    ];
    # Build prosody with the turncredentials community module available;
    # it is not loaded (see extraModules), only turn_external is.
    package = pkgs.prosody.override {
      withCommunityModules = [
        "turncredentials"
        #"extdisco"
      ];
    };
  };
}