]> Git — Sourcephile - sourcephile-nix.git/blob - machines/losurdo/prosody.nix
networking: losurdo
[sourcephile-nix.git] / machines / losurdo / prosody.nix
1 { pkgs, lib, config, machines, ipv4, ... }:
2 let
3 inherit (builtins.extraBuiltins) pass-chomp;
4 inherit (config) networking;
5 inherit (config.services) prosody;
6 inherit (machines.mermet.config.services) coturn;
7 in
8 {
9 imports = [
10 prosody/biboumi.nix
11 ];
12 networking.nftables.ruleset = ''
13 add rule inet filter net2fw tcp dport {5222,5269} counter accept comment "XMPP"
14 add rule inet filter net2fw tcp dport 5000 counter accept comment "XMPP XEP-0065 File Transfer Proxy"
15 add rule inet filter net2fw tcp dport {${lib.concatMapStringsSep "," toString prosody.httpsPorts}} counter accept comment "XMPP HTTPS"
16 add rule inet filter fw2net meta skuid ${prosody.user} counter accept comment "Prosody"
17 '';
18 users.groups.acme.members = [ prosody.user ];
19 security.acme.certs."${networking.domain}" = {
20 postRun = "systemctl reload prosody";
21 };
22 systemd.services.prosody = {
23 wants = [ "acme-selfsigned-${networking.domain}.service" "acme-${networking.domain}.service"];
24 after = [ "acme-selfsigned-${networking.domain}.service" ];
25 };
26 # sudo -u prosody prosodyctl check
27 services.prosody = {
28 enable = true;
29 xmppComplianceSuite = true;
30 modules = {
31 announce = true;
32 blocklist = true;
33 cloud_notify = true;
34 groups = true;
35 limits = false;
36 motd = true;
37 watchregistrations = true;
38 websocket = false;
39 welcome = true;
40 proxy65 = false;
41 };
42 extraModules = [
43 "turncredentials"
44 #"net_multiplex"
45 #"extdisco"
46 ];
47 extraConfig = ''
48 -- Listen only in IPv4 until hosting provider's IPv6 works well.
49 interfaces = { "0.0.0.0" }
50 c2s_interfaces = { "0.0.0.0" }
51
52 turncredentials_host = "turn.${networking.domain}"
53 turncredentials_secret = "${pass-chomp "machines/mermet/coturn/static-auth-secret"}"
54 turncredentials_port = 3478
55
56 --external_services = {
57 -- ["turn.${networking.domain}"] = {
58 -- type="stun";
59 -- transport="udp";
60 -- port="${toString coturn.alt-listening-port}";
61 -- };
62 -- ["turn.${networking.domain}"] = {
63 -- type="turn";
64 -- transport="udp";
65 -- port="${toString coturn.listening-port}";
66 -- username="xmpp-user";
67 -- password="base64.encode(hmac_sha1(\"${pass-chomp "machines/mermet/coturn/static-auth-secret"}\", "xmpp-user", false))";
68 -- };
69 --}
70
71 --http_files_dir = "/var/lib/prosody/files"
72 --http_external_url = "https://tmp.${networking.domain}:5281"
73 --https_certificate = "/var/lib/acme/${networking.domain}/fullchain.pem"
74 --https_key = "/var/lib/acme/${networking.domain}/key.pem"
75 --certificates = "/var/lib/acme"
76
77 proxy65_ports = 5000
78 Component "proxy65.${networking.domain}" "proxy65"
79 proxy65_address = "proxy65.${networking.domain}"
80 proxy65_acl = { "${networking.domain}" }
81
82 Component "biboumi.${networking.domain}"
83 component_secret = "useless-secret-on-loopback"
84 '';
85 #ports = {80};
86 #ssl_ports = {443};
87 c2sRequireEncryption = true;
88 s2sRequireEncryption = true;
89 s2sSecureAuth = true;
90 uploadHttp = {
91 domain = "tmp.${networking.domain}";
92 # Prosody's HTTP parser limit on body size
93 uploadFileSizeLimit = "10485760";
94 userQuota = 100 * 1024 * 1024;
95 uploadExpireAfter = "60 * 60 * 24 * 7";
96 httpUploadPath = "/var/lib/prosody/upload";
97 };
98 muc = [
99 { domain = "salons.${networking.domain}";
100 extraConfig = ''
101 restrict_room_creation = "local"
102 max_history_messages = 42
103 muc_room_locking = true
104 muc_room_lock_timeout = 600
105 muc_tombstones = true
106 muc_tombstone_expiry = 31 * 24 * 60 * 60
107 muc_room_default_public = true
108 muc_room_default_members_only = false
109 muc_room_default_moderated = true
110 muc_room_default_public_jids = false
111 muc_room_default_change_subject = true
112 muc_room_default_history_length = 42
113 muc_room_default_language = "fr"
114 '';
115 }
116 ];
117 ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
118 ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
119 admins = [
120 "julm@${networking.domain}"
121 ];
122 virtualHosts."${networking.domain}" = {
123 enabled = true;
124 domain = "${networking.domain}";
125 ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
126 ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
127 };
128 allowRegistration = false;
129 authentication = "internal_hashed";
130 httpPorts = [];
131 httpsPorts = [5281];
132 disco_items = [
133 { url = "biboumi.${networking.domain}";
134 description = "Passerelle vers des serveurs IRC (Internet Relay Chat)"; }
135 ];
136 package = pkgs.prosody.override {
137 withCommunityModules = [
138 "turncredentials"
139 #"extdisco"
140 ];
141 };
142 };
143 }