security: no longer depend upon upstream's hardening
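{ pkgs, lib, config, machines, ipv4, ... }:
let
  inherit (config) networking;
  inherit (config.services) prosody;
  # The TURN server runs on another machine (mermet).  Its port is read from
  # there so the port advertised to XMPP clients cannot drift from the one
  # coturn actually listens on (previously hard-coded to 3478).
  inherit (machines.mermet.config.services) coturn;
in
{
  imports = [
    prosody/biboumi.nix
    #../../sec/machines/losurdo/prosody.nix
  ];

  # Inbound: c2s (5222), s2s (5269), the XEP-0065 SOCKS5 proxy (5000) and
  # whatever HTTPS ports Prosody is configured with (kept in sync with
  # services.prosody.httpsPorts below).  Outbound: anything initiated by the
  # prosody user (s2s dial-out, HTTP fetches, …).
  networking.nftables.ruleset = ''
    add rule inet filter net2fw tcp dport {5222,5269} counter accept comment "XMPP"
    add rule inet filter net2fw tcp dport 5000 counter accept comment "XMPP XEP-0065 File Transfer Proxy"
    add rule inet filter net2fw tcp dport {${lib.concatMapStringsSep "," toString prosody.httpsPorts}} counter accept comment "XMPP HTTPS"
    add rule inet filter fw2net meta skuid ${prosody.user} counter accept comment "Prosody"
  '';

  # Same port set as the firewall rules above, forwarded through the router.
  services.upnpc.redirections = [
    { port = 5222; protocol = "TCP"; }
    { port = 5269; protocol = "TCP"; }
    { port = 5000; protocol = "TCP"; }
  ] ++ map (port: { inherit port; protocol = "TCP"; }) prosody.httpsPorts;
  /*
  services.tor.relay.hiddenServices."${networking.domain}/xmpp".map = [ 5222 5269 5000 ] ++ prosody.httpsPorts;
  */

  # The prosody user reads the ACME key/fullchain referenced in ssl.* below
  # through the acme group; a renewal only needs a reload, not a restart.
  users.groups.acme.members = [ prosody.user ];
  security.acme.certs."${networking.domain}" = {
    postRun = "systemctl reload prosody";
  };
  systemd.services.prosody = {
    # Both certificate services are wanted, but prosody is only ordered after
    # the self-signed one — presumably so that a slow or failing ACME run does
    # not block startup (the real certificate then arrives via postRun).
    wants = [ "acme-selfsigned-${networking.domain}.service" "acme-${networking.domain}.service" ];
    after = [ "acme-selfsigned-${networking.domain}.service" ];
  };

  # sudo -u prosody prosodyctl check
  services.prosody = {
    enable = true;
    xmppComplianceSuite = true;
    modules = {
      announce = true;
      blocklist = true;
      cloud_notify = true;
      groups = true;
      limits = false;
      motd = true;
      server_contact_info = true;
      watchregistrations = true;
      websocket = false;
      welcome = true;
      # proxy65 is declared by hand in extraConfig as a Component instead.
      proxy65 = false;
    };
    extraModules = [
      "turncredentials"
      #"net_multiplex"
      #"extdisco"
    ];
    # Raw Lua appended to prosody.cfg.lua.  Points worth knowing:
    #  - legacy_ssl_ports reuses 5222, which is also the default c2s
    #    (STARTTLS) port; NOTE(review): confirm the two listeners do not
    #    collide on this host, the conventional direct-TLS port is 5223.
    #  - mod_turncredentials also needs turncredentials_secret, matching the
    #    coturn static-auth-secret on mermet.  It is not set in this file;
    #    presumably it lives in the commented-out sec/ import above — verify,
    #    otherwise no TURN credentials can be issued.
    #  - component_secret is intentionally weak: the biboumi component is
    #    expected to connect over loopback only.  That only holds if the
    #    component listener stays on a local interface despite
    #    interfaces = { "0.0.0.0" } (and 5347 is not opened in nftables above).
    extraConfig = ''
      -- Listen only in IPv4 until hosting provider's IPv6 works well.
      interfaces = { "0.0.0.0" }
      c2s_interfaces = { "0.0.0.0" }
      contact_info = {
      --abuse = { "mailto:abuse@${networking.domain}", "xmpp:abuse@${networking.domain}" };
      --admin = { "mailto:admin@${networking.domain}", "xmpp:admin@${networking.domain}" };
      --feedback = { "http://${networking.domain}/feedback.php", "mailto:feedback@${networking.domain}", "xmpp:feedback@${networking.domain}" };
      --sales = { "xmpp:bard@${networking.domain}" };
      --security = { "xmpp:security@${networking.domain}" };
      --support = { "http://${networking.domain}/support.php", "xmpp:support@${networking.domain}" };
      }
      legacy_ssl_ports = { 5222 }

      turncredentials_host = "turn.${networking.domain}"
      turncredentials_port = ${toString coturn.listening-port}

      --http_files_dir = "/var/lib/prosody/files"
      --http_external_url = "https://tmp.${networking.domain}:5281"
      --https_certificate = "/var/lib/acme/${networking.domain}/fullchain.pem"
      --https_key = "/var/lib/acme/${networking.domain}/key.pem"
      --certificates = "/var/lib/acme"

      proxy65_ports = 5000
      Component "proxy65.${networking.domain}" "proxy65"
      proxy65_address = "proxy65.${networking.domain}"
      proxy65_acl = { "${networking.domain}" }

      Component "biboumi.${networking.domain}"
      component_secret = "useless-secret-on-loopback"
    '';
    #ports = {80};
    #ssl_ports = {443};
    c2sRequireEncryption = true;
    s2sRequireEncryption = true;
    s2sSecureAuth = true;
    uploadHttp = {
      domain = "tmp.${networking.domain}";
      # Prosody's HTTP parser limit on body size
      uploadFileSizeLimit = "10485760";
      userQuota = 100 * 1024 * 1024;
      uploadExpireAfter = "60 * 60 * 24 * 7";
      httpUploadPath = "/var/lib/prosody/upload";
    };
    muc = [
      { domain = "salons.${networking.domain}";
        extraConfig = ''
          restrict_room_creation = "local"
          max_history_messages = 42
          muc_room_locking = true
          muc_room_lock_timeout = 600
          muc_tombstones = true
          muc_tombstone_expiry = 31 * 24 * 60 * 60
          muc_room_default_public = true
          muc_room_default_members_only = false
          muc_room_default_moderated = true
          muc_room_default_public_jids = false
          muc_room_default_change_subject = true
          muc_room_default_history_length = 42
          muc_room_default_language = "fr"
        '';
      }
    ];
    # Certificate issued by the security.acme entry above.
    ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
    ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
    admins = [
      "julm@${networking.domain}"
    ];
    virtualHosts."${networking.domain}" = {
      enabled = true;
      domain = "${networking.domain}";
      ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
      ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
    };
    # Accounts are created out of band; password hashes only on disk.
    allowRegistration = false;
    authentication = "internal_hashed";
    # No plain HTTP; the HTTPS port feeds both the firewall and upnpc rules.
    httpPorts = [];
    httpsPorts = [5281];
    disco_items = [
      { url = "biboumi.${networking.domain}";
        description = "Passerelle vers des serveurs IRC (Internet Relay Chat)"; }
    ];
    package = pkgs.prosody.override {
      withCommunityModules = [
        "turncredentials"
        #"extdisco"
      ];
    };
  };
}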
145 }