1 { config, lib, pkgs, ... }:
5 cfg = config.services.prosody;
13 description = "Path to the key file.";
16 # TODO: rename to certificate to match the prosody config
19 description = "Path to the certificate file.";
22 extraOptions = mkOption {
25 description = "Extra SSL configuration options.";
35 description = "URL of the endpoint you want to make discoverable";
37 description = mkOption {
39 description = "A short description of the endpoint you want to advertise";
45 # Required for compliance with https://compliance.conversations.im/about/
49 description = "Allow users to have a roster";
55 description = "Authentication for clients and servers. Recommended if you want to log in.";
61 description = "Add support for secure TLS on c2s/s2s connections";
67 description = "s2s dialback support";
73 description = "Service discovery";
76 # Not essential, but recommended
80 description = "Keep multiple clients in sync";
86 description = "Implements the CSI protocol that allows clients to report their active/inactive state to the server";
89 cloud_notify = mkOption {
92 description = "Push notifications to inform users of new messages or other pertinent information even when they have no XMPP clients online";
98 description = "Enables users to publish their mood, activity, playing music and more";
104 description = "Private XML storage (for room bookmarks, etc.)";
107 blocklist = mkOption {
110 description = "Allow users to block communications with other users";
116 description = "Allow users to set vCards";
119 vcard_legacy = mkOption {
122 description = "Converts users profiles and Avatars between old and new formats";
125 bookmarks = mkOption {
128 description = "Allows interop between older clients that use XEP-0048: Bookmarks in its 1.0 version and recent clients which use it in PEP";
135 description = "Replies to server version requests";
141 description = "Report how long server has been running";
147 description = "Let others know the time here on this server";
153 description = "Replies to XMPP pings with pongs";
156 register = mkOption {
159 description = "Allow users to register on this server using a client and change passwords";
165 description = "Store messages in an archive and allow users to access it";
171 description = "Allow a client to resume a disconnected session, and prevent message loss";
175 admin_adhoc = mkOption {
178 description = "Allows administration via an XMPP client that supports ad-hoc commands";
181 http_files = mkOption {
184 description = "Serve static files from a directory over HTTP";
190 description = "Enables a file transfer proxy service which clients behind NAT can use";
193 admin_telnet = mkOption {
196 description = "Opens telnet console interface on localhost port 5582";
203 description = "Enable BOSH clients, aka 'Jabber over HTTP'";
206 websocket = mkOption {
209 description = "Enable WebSocket support";
212 # Other specific functionality
216 description = "Enable bandwidth limiting for XMPP connections";
222 description = "Shared roster support";
225 server_contact_info = mkOption {
228 description = "Publish contact information for this service";
231 announce = mkOption {
234 description = "Send announcement to all online users";
240 description = "Welcome users who register accounts";
243 watchregistrations = mkOption {
246 description = "Alert admins of registrations";
252 description = "Send a message to users when they log in";
255 legacyauth = mkOption {
258 description = "Legacy authentication. Only used by some old clients and bots";
263 if builtins.isString x then ''"${x}"''
264 else if builtins.isBool x then boolToString x
265 else if builtins.isInt x then toString x
266 else if builtins.isList x then ''{ ${lib.concatStringsSep ", " (map (n: toLua n) x) } }''
267 else throw "Invalid Lua value";
269 settingsToLua = prefix: settings: generators.toKeyValue {
270 listsAsDuplicateKeys = false;
272 generators.mkKeyValueDefault {
273 mkValueString = toLua;
274 } " = " (prefix + k);
276 (filterAttrs (k: v: v != null) settings);
278 createSSLOptsStr = o: ''
280 cafile = "/etc/ssl/certs/ca-bundle.crt";
282 certificate = "${o.cert}";
283 ${concatStringsSep "\n" (mapAttrsToList (name: value: "${name} = ${toLua value};") o.extraOptions)}
291 description = "Domain name of the MUC";
295 description = "The name to return in service discovery responses for the MUC service itself";
296 default = "Prosody Chatrooms";
298 restrictRoomCreation = mkOption {
299 type = types.enum [ true false "admin" "local" ];
301 description = "Restrict room creation to server admins";
303 maxHistoryMessages = mkOption {
306 description = "Specifies a limit on what each room can be configured to keep";
308 roomLocking = mkOption {
312 Enables room locking, which means that a room must be
313 configured before it can be used. Locked rooms are invisible
314 and cannot be entered by anyone but the creator
317 roomLockTimeout = mkOption {
321 Timout after which the room is destroyed or unlocked if not
322 configured, in seconds
325 tombstones = mkOption {
329 When a room is destroyed, it leaves behind a tombstone which
330 prevents the room being entered or recreated. It also allows
331 anyone who was not in the room at the time it was destroyed
332 to learn about it, and to update their bookmarks. Tombstones
333 prevents the case where someone could recreate a previously
334 semi-anonymous room in order to learn the real JIDs of those
335 who often join there.
338 tombstoneExpiry = mkOption {
342 This settings controls how long a tombstone is considered
343 valid. It defaults to 31 days. After this time, the room in
344 question can be created again.
348 vcard_muc = mkOption {
351 description = "Adds the ability to set vCard for Multi User Chat rooms";
354 # Extra parameters. Defaulting to prosody default values.
355 # Adding them explicitly to make them visible from the options
358 # See https://prosody.im/doc/modules/mod_muc for more details.
359 roomDefaultPublic = mkOption {
362 description = "If set, the MUC rooms will be public by default.";
364 roomDefaultMembersOnly = mkOption {
367 description = "If set, the MUC rooms will only be accessible to the members by default.";
369 roomDefaultModerated = mkOption {
372 description = "If set, the MUC rooms will be moderated by default.";
374 roomDefaultPublicJids = mkOption {
377 description = "If set, the MUC rooms will display the public JIDs by default.";
379 roomDefaultChangeSubject = mkOption {
382 description = "If set, the rooms will display the public JIDs by default.";
384 roomDefaultHistoryLength = mkOption {
387 description = "Number of history message sent to participants by default.";
389 roomDefaultLanguage = mkOption {
392 description = "Default room language.";
394 extraConfig = mkOption {
397 description = "Additional MUC specific configuration";
402 uploadHttpOpts = { ... }: {
405 type = types.nullOr types.str;
406 description = "Domain name for the http-upload service";
408 uploadFileSizeLimit = mkOption {
410 default = "50 * 1024 * 1024";
411 description = "Maximum file size, in bytes. Defaults to 50MB.";
413 uploadExpireAfter = mkOption {
415 default = "60 * 60 * 24 * 7";
416 description = "Max age of a file before it gets deleted, in seconds.";
418 userQuota = mkOption {
419 type = types.nullOr types.int;
423 Maximum size of all uploaded files per user, in bytes. There
424 will be no quota if this option is set to null.
427 httpUploadPath = mkOption {
430 Directory where the uploaded files will be stored
431 when the http_upload module is used.
432 By default, uploaded files are put in a sub-directory of the
433 default Prosody storage path (usually /var/lib/prosody).
435 default = "/var/lib/prosody";
440 httpFileShareOpts = { ... }: {
441 freeformType = with types;
442 let atom = oneOf [ int bool str (listOf atom) ]; in
443 attrsOf (nullOr atom);
444 options.domain = mkOption {
445 type = with types; nullOr str;
446 description = "Domain name for a http_file_share service.";
450 vHostOpts = { ... }: {
454 # TODO: require attribute
457 description = "Domain name";
463 description = "Whether to enable the virtual host";
467 type = types.nullOr (types.submodule sslOpts);
469 description = "Paths to SSL files";
472 extraConfig = mkOption {
475 description = "Additional virtual host specific configuration";
495 description = "Whether to enable the prosody server";
498 xmppComplianceSuite = mkOption {
502 The XEP-0423 defines a set of recommended XEPs to implement
503 for a server. It's generally a good idea to implement this
504 set of extensions if you want to provide your users with a
505 good XMPP experience.
507 This NixOS module aims to provide a "advanced server"
508 experience as per defined in the XEP-0423[1] specification.
510 Setting this option to true will prevent you from building a
511 NixOS configuration which won't comply with this standard.
512 You can explicitely decide to ignore this standard if you
513 know what you are doing by setting this option to false.
515 [1] https://xmpp.org/extensions/xep-0423.html
520 type = types.package;
521 description = "Prosody package to use";
522 default = pkgs.prosody;
523 defaultText = literalExpression "pkgs.prosody";
524 example = literalExpression ''
525 pkgs.prosody.override {
526 withExtraLibs = [ pkgs.luaPackages.lpty ];
527 withCommunityModules = [ "auth_external" ];
534 description = "Directory where Prosody stores its data";
535 default = "/var/lib/prosody";
538 disco_items = mkOption {
539 type = types.listOf (types.submodule discoOpts);
541 description = "List of discoverable items you want to advertise.";
547 description = "User account under which prosody runs.";
553 description = "Group account under which prosody runs.";
556 allowRegistration = mkOption {
559 description = "Allow account creation";
562 # HTTP server-related options
563 httpPorts = mkOption {
564 type = types.listOf types.int;
565 description = "Listening HTTP ports list for this service.";
569 httpInterfaces = mkOption {
570 type = types.listOf types.str;
571 default = [ "*" "::" ];
572 description = "Interfaces on which the HTTP server will listen on.";
575 httpsPorts = mkOption {
576 type = types.listOf types.int;
577 description = "Listening HTTPS ports list for this service.";
581 httpsInterfaces = mkOption {
582 type = types.listOf types.str;
583 default = [ "*" "::" ];
584 description = "Interfaces on which the HTTPS server will listen on.";
587 c2sRequireEncryption = mkOption {
591 Force clients to use encrypted connections? This option will
592 prevent clients from authenticating unless they are using encryption.
596 s2sRequireEncryption = mkOption {
600 Force servers to use encrypted connections? This option will
601 prevent servers from authenticating unless they are using encryption.
602 Note that this is different from authentication.
606 s2sSecureAuth = mkOption {
610 Force certificate authentication for server-to-server connections?
611 This provides ideal security, but requires servers you communicate
612 with to support encryption AND present valid, trusted certificates.
613 For more information see https://prosody.im/doc/s2s#security
617 s2sInsecureDomains = mkOption {
618 type = types.listOf types.str;
620 example = [ "insecure.example.com" ];
622 Some servers have invalid or self-signed certificates. You can list
623 remote domains here that will not be required to authenticate using
624 certificates. They will be authenticated using DNS instead, even
625 when s2s_secure_auth is enabled.
629 s2sSecureDomains = mkOption {
630 type = types.listOf types.str;
632 example = [ "jabber.org" ];
634 Even if you leave s2s_secure_auth disabled, you can still require valid
635 certificates for some domains by specifying a list here.
640 modules = moduleOpts;
642 extraModules = mkOption {
643 type = types.listOf types.str;
645 description = "Enable custom modules";
648 extraPluginPaths = mkOption {
649 type = types.listOf types.path;
651 description = "Addtional path in which to look find plugins/modules";
654 uploadHttp = mkOption {
656 Configures the old Prosody builtin HTTP server to handle user uploads.
658 type = types.nullOr (types.submodule uploadHttpOpts);
661 domain = "uploads.my-xmpp-example-host.org";
665 httpFileShare = mkOption {
667 Configures the http_file_share module to handle user uploads.
669 type = types.nullOr (types.submodule httpFileShareOpts);
672 domain = "uploads.my-xmpp-example-host.org";
677 type = types.listOf (types.submodule mucOpts);
680 domain = "conference.my-xmpp-example-host.org";
682 description = "Multi User Chat (MUC) configuration";
685 virtualHosts = mkOption {
687 description = "Define the virtual hosts";
689 type = with types; attrsOf (submodule vHostOpts);
693 domain = "my-xmpp-example-host.org";
700 domain = "localhost";
708 type = types.nullOr (types.submodule sslOpts);
710 description = "Paths to SSL files";
714 type = types.listOf types.str;
716 example = [ "admin1@example.com" "admin2@example.com" ];
717 description = "List of administrators of the current host";
720 authentication = mkOption {
721 type = types.enum [ "internal_plain" "internal_hashed" "cyrus" "anonymous" ];
722 default = "internal_hashed";
723 example = "internal_plain";
724 description = "Authentication mechanism used for logins.";
727 extraConfig = mkOption {
730 description = "Additional prosody configuration";
737 ###### implementation
739 config = mkIf cfg.enable {
744 Having a server not XEP-0423-compliant might make your XMPP
745 experience terrible. See the NixOS manual for further
748 If you know what you're doing, you can disable this warning by
749 setting config.services.prosody.xmppComplianceSuite to false.
752 { assertion = (builtins.length cfg.muc > 0) || !cfg.xmppComplianceSuite;
754 You need to setup at least a MUC domain to comply with
757 { assertion = cfg.uploadHttp != null || cfg.httpFileShare != null || !cfg.xmppComplianceSuite;
759 You need to setup the http_upload or http_file_share modules through
760 config.services.prosody.uploadHttp
761 or config.services.prosody.httpFileShare
762 to comply with XEP-0423.
767 environment.systemPackages = [ cfg.package ];
769 environment.etc."prosody/prosody.cfg.lua".text =
772 optional (cfg.uploadHttp != null)
773 { url = cfg.uploadHttp.domain; description = "HTTP upload endpoint";} ++
774 optional (cfg.httpFileShare != null)
775 { url = cfg.httpFileShare.domain; description = "HTTP file share endpoint";};
776 mucDiscoItems = builtins.foldl'
777 (acc: muc: [{ url = muc.domain; description = "${muc.domain} MUC endpoint";}] ++ acc)
780 discoItems = cfg.disco_items ++ httpDiscoItems ++ mucDiscoItems;
783 pidfile = "/run/prosody/prosody.pid"
787 data_path = "${cfg.dataDir}"
789 ${lib.concatStringsSep ", " (map (n: "\"${n}\"") cfg.extraPluginPaths) }
792 ${ optionalString (cfg.ssl != null) (createSSLOptsStr cfg.ssl) }
794 admins = ${toLua cfg.admins}
796 -- we already build with libevent, so we can just enable it for a more performant server
801 ${ lib.concatStringsSep "\n " (lib.mapAttrsToList
802 (name: val: optionalString val "${toLua name};")
804 ${ lib.concatStringsSep "\n" (map (x: "${toLua x};") cfg.package.communityModules)}
805 ${ lib.concatStringsSep "\n" (map (x: "${toLua x};") cfg.extraModules)}
809 ${ lib.concatStringsSep "\n" (builtins.map (x: ''{ "${x.url}", "${x.description}"};'') discoItems)}
812 allow_registration = ${toLua cfg.allowRegistration}
814 c2s_require_encryption = ${toLua cfg.c2sRequireEncryption}
816 s2s_require_encryption = ${toLua cfg.s2sRequireEncryption}
818 s2s_secure_auth = ${toLua cfg.s2sSecureAuth}
820 s2s_insecure_domains = ${toLua cfg.s2sInsecureDomains}
822 s2s_secure_domains = ${toLua cfg.s2sSecureDomains}
824 authentication = ${toLua cfg.authentication}
826 http_interfaces = ${toLua cfg.httpInterfaces}
828 https_interfaces = ${toLua cfg.httpsInterfaces}
830 http_ports = ${toLua cfg.httpPorts}
832 https_ports = ${toLua cfg.httpsPorts}
836 ${lib.concatMapStrings (muc: ''
837 Component ${toLua muc.domain} "muc"
838 modules_enabled = { "muc_mam"; ${optionalString muc.vcard_muc ''"vcard_muc";'' } }
839 name = ${toLua muc.name}
840 restrict_room_creation = ${toLua muc.restrictRoomCreation}
841 max_history_messages = ${toLua muc.maxHistoryMessages}
842 muc_room_locking = ${toLua muc.roomLocking}
843 muc_room_lock_timeout = ${toLua muc.roomLockTimeout}
844 muc_tombstones = ${toLua muc.tombstones}
845 muc_tombstone_expiry = ${toLua muc.tombstoneExpiry}
846 muc_room_default_public = ${toLua muc.roomDefaultPublic}
847 muc_room_default_members_only = ${toLua muc.roomDefaultMembersOnly}
848 muc_room_default_moderated = ${toLua muc.roomDefaultModerated}
849 muc_room_default_public_jids = ${toLua muc.roomDefaultPublicJids}
850 muc_room_default_change_subject = ${toLua muc.roomDefaultChangeSubject}
851 muc_room_default_history_length = ${toLua muc.roomDefaultHistoryLength}
852 muc_room_default_language = ${toLua muc.roomDefaultLanguage}
856 ${ lib.optionalString (cfg.uploadHttp != null) ''
857 Component ${toLua cfg.uploadHttp.domain} "http_upload"
858 http_upload_file_size_limit = ${cfg.uploadHttp.uploadFileSizeLimit}
859 http_upload_expire_after = ${cfg.uploadHttp.uploadExpireAfter}
860 ${lib.optionalString (cfg.uploadHttp.userQuota != null) "http_upload_quota = ${toLua cfg.uploadHttp.userQuota}"}
861 http_upload_path = ${toLua cfg.uploadHttp.httpUploadPath}
864 ${ lib.optionalString (cfg.httpFileShare != null) ''
865 Component ${toLua cfg.httpFileShare.domain} "http_file_share"
866 ${settingsToLua " http_file_share_" (cfg.httpFileShare // { domain = null; })}
869 ${ lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
870 VirtualHost "${v.domain}"
871 enabled = ${boolToString v.enabled};
872 ${ optionalString (v.ssl != null) (createSSLOptsStr v.ssl) }
874 '') cfg.virtualHosts) }
877 users.users.prosody = mkIf (cfg.user == "prosody") {
878 uid = config.ids.uids.prosody;
879 description = "Prosody user";
882 home = "${cfg.dataDir}";
885 users.groups.prosody = mkIf (cfg.group == "prosody") {
886 gid = config.ids.gids.prosody;
889 systemd.services.prosody = {
890 description = "Prosody XMPP server";
891 after = [ "network-online.target" ];
892 wants = [ "network-online.target" ];
893 wantedBy = [ "multi-user.target" ];
894 restartTriggers = [ config.environment.etc."prosody/prosody.cfg.lua".source ];
899 RuntimeDirectory = [ "prosody" ];
900 PIDFile = "/run/prosody/prosody.pid";
901 ExecStart = "${cfg.package}/bin/prosodyctl start";
902 ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
904 MemoryDenyWriteExecute = true;
905 PrivateDevices = true;
906 PrivateMounts = true;
908 ProtectControlGroups = true;
910 ProtectHostname = true;
911 ProtectKernelModules = true;
912 ProtectKernelTunables = true;
913 RestrictNamespaces = true;
914 RestrictRealtime = true;
915 RestrictSUIDSGID = true;
920 meta.doc = ./prosody.xml;
sourcephile / git / sourcephile-nix.git / blob