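{ pkgs, lib, config, ... }:
let
  inherit (config) networking;
  inherit (config.users) users;
  inherit (config.services) prosody;
  # XEP-0065 SOCKS5 bytestream proxy: the same port number is both handed to
  # Prosody (proxy65_ports) and opened in the firewall below, so define it once
  # and keep the two from drifting apart.
  proxy65Port = 5000;
in
{
  # Firewall: only the XMPP listeners are exposed inbound (c2s 5222, s2s 5269,
  # the file-transfer proxy, and Prosody's HTTPS ports); outbound traffic is
  # allowed for the prosody user only (s2s dial-out, HTTP uploads, etc.).
  # The HTTPS rule is omitted when httpsPorts is empty, because nftables
  # rejects an empty set (`dport {}`) and would fail to load the whole ruleset.
  networking.nftables.ruleset = ''
    add rule inet filter net2fw tcp dport {5222, 5269} counter accept comment "XMPP"
    add rule inet filter net2fw tcp dport ${toString proxy65Port} counter accept comment "XMPP XEP-0065 File Transfer Proxy"
  '' + lib.optionalString (prosody.httpsPorts != [ ]) ''
    add rule inet filter net2fw tcp dport {${lib.concatMapStringsSep "," toString prosody.httpsPorts}} counter accept comment "XMPP HTTPS"
  '' + ''
    add rule inet filter fw2net meta skuid ${prosody.user} counter accept comment "Prosody"
  '';
  # Lets the prosody user read the ACME-issued key and certificate referenced
  # in virtualHosts.*.ssl below. NOTE(review): group membership grants read
  # access to every certificate directory the acme group owns on this host,
  # not just this domain's — confirm that is acceptable.
  users.groups.acme.members = [ users.prosody.name ];
  services.prosody = {
    enable = true;
    xmppComplianceSuite = true;
    modules = {
      websocket = false;
      limits = false;
      groups = true;
      announce = true;
      welcome = true;
      # watchregistrations is kept even though allowRegistration is false
      # below, so any registration that does happen is reported to admins.
      watchregistrations = true;
      motd = true;
    };
    extraModules = [
      #"net_multiplex"
    ];
    extraConfig = ''
      Component "proxy65.${networking.domain}" "proxy65"
        proxy65_ports = ${toString proxy65Port}
    '';
    #ports = {80};
    #ssl_ports = {443};
    # Refuse plaintext XMPP in both directions and require a valid certificate
    # from remote servers (no dialback fallback).
    c2sRequireEncryption = true;
    s2sRequireEncryption = true;
    s2sSecureAuth = true;
    uploadHttp = {
      domain = "tmp.${networking.domain}";
      # Prosody's HTTP parser limit on body size
      uploadFileSizeLimit = "10485760";
      userQuota = 100 * 1024 * 1024;
      uploadExpireAfter = "60 * 60 * 24 * 7";
    };
    muc = [
      { domain = "salons.${networking.domain}";
        # Only local users may create rooms; new rooms start locked until
        # configured, and are moderated and non-anonymous by default.
        extraConfig = ''
          restrict_room_creation = "local"
          max_history_messages = 42
          muc_room_locking = true
          muc_room_lock_timeout = 600
          muc_tombstones = true
          muc_tombstone_expiry = 31 * 24 * 60 * 60
          muc_room_default_public = true
          muc_room_default_members_only = false
          muc_room_default_moderated = true
          muc_room_default_public_jids = false
          muc_room_default_change_subject = true
          muc_room_default_history_length = 42
          muc_room_default_language = "fr"
        '';
      }
    ];
    virtualHosts."${networking.domain}" = {
      enabled = true;
      domain = "${networking.domain}";
      ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
      ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
    };
    admins = [
      "julm@${networking.domain}"
    ];
    # Accounts are created out of band; credentials are stored salted+hashed.
    allowRegistration = false;
    authentication = "internal_hashed";
    httpPorts = [];
    disco_items = [];
  };
}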
79 }