prosody: test PR#260006
{ pkgs, lib, config, hosts, ... }:
let
  inherit (config.services) prosody;
  inherit (hosts.mermet.config.services) coturn;
  inherit (config.networking) domain;

  # Render a list of ports as the comma-separated body of an nftables set.
  commas = lib.concatMapStringsSep "," toString;

  # Every TLS listener uses the ACME-managed material for ${domain};
  # prosody can read the key because its user is added to the `acme` group below.
  acmeDir = "/var/lib/acme/${domain}";
  acmeSsl = {
    key = "${acmeDir}/key.pem";
    certificate = "${acmeDir}/fullchain.pem";
  };

  # Ports opened in the firewall are read back from the prosody settings,
  # so the firewall and the listeners cannot drift apart.
  inherit (prosody.settings) c2s_direct_tls_ports s2s_direct_tls_ports proxy65_ports https_ports;
in
{
  imports = [
    prosody/biboumi.nix
  ];

  # Inbound: plain XMPP (STARTTLS), direct-TLS XMPP, the XEP-0065 proxy and HTTPS.
  # Outbound: anything initiated by the prosody user (s2s, TURN, ...).
  networking.nftables.ruleset = ''
    table inet filter {
      chain input-net {
        tcp dport { xmpp-client, xmpp-server } counter accept comment "prosody: XMPP"
        tcp dport {${commas (c2s_direct_tls_ports ++ s2s_direct_tls_ports)}} counter accept comment "prosody: XMPPS"
        tcp dport {${commas proxy65_ports}} counter accept comment "prosody: XMPP XEP-0065 File Transfer Proxy"
        tcp dport {${commas https_ports}} counter accept comment "prosody: HTTPS"
      }
      chain output-net {
        skuid ${prosody.user} counter accept comment "prosody"
      }
    }
  '';

  /*
  services.upnpc.redirections =
    [
      { description = "XMPP";
        externalPort = 5222; protocol = "TCP";
        duration = 30 * 60;
        service.wantedBy = ["prosody.service"];
        service.partOf = ["prosody.service"];
      }
      { description = "XMPP";
        externalPort = 5269; protocol = "TCP";
        duration = 30 * 60;
        service.wantedBy = ["prosody.service"];
        service.partOf = ["prosody.service"];
      }
      { description = "XMPP-FTP";
        externalPort = 5000; protocol = "TCP";
        duration = 30 * 60;
        service.wantedBy = ["prosody.service"];
        service.partOf = ["prosody.service"];
      }
    ] ++ map (externalPort: {
      description = "XMPP-HTTPS";
      inherit externalPort; protocol="TCP";
      duration = 30 * 60;
      service.wantedBy = ["prosody.service"];
      service.partOf = ["prosody.service"];
    }) prosody.settings.https_ports;
  */
  /*
  services.tor.relay.hiddenServices."${domain}/xmpp".map = with prosody.settings; c2s_direct_tls_ports ++ s2s_direct_tls_ports ++ proxy65_ports ++ https_ports;
  */

  # Read access to the ACME key is granted through group membership,
  # and a renewed certificate is picked up by restarting the service.
  users.groups.acme.members = [ prosody.user ];
  security.acme.certs."${domain}".postRun = "systemctl try-restart prosody";

  # State lives on its own ZFS dataset, snapshotted daily by sanoid.
  fileSystems."/var/lib/prosody" = {
    device = "rpool/var/prosody";
    fsType = "zfs";
  };
  services.sanoid.datasets."rpool/var/prosody" = {
    use_template = [ "snap" ];
    daily = 7;
  };

  # Start after the self-signed bootstrap certificate exists, so the listeners
  # have something to serve before the real ACME certificate arrives.
  systemd.services.prosody = {
    wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
    after = [ "acme-selfsigned-${domain}.service" ];
  };

  # sudo -u prosody prosodyctl check
  services.prosody = {
    enable = true;
    xmppComplianceSuite = true;

    components = {
      # IRC gateway; the component only talks to biboumi over loopback.
      "biboumi.${domain}".settings = {
        component_secret = "useless-secret-on-loopback";
      };

      # XEP-0065 SOCKS5 bytestreams proxy, restricted to users of this domain.
      "proxy65.${domain}" = {
        #module = "proxy65";
        settings = {
          proxy65_address = "proxy65.${domain}";
          proxy65_acl = [ domain ];
        };
      };

      # Multi-user chat; only local users may create rooms.
      "salons.${domain}" = {
        module = "muc";
        settings = {
          modules_enabled = [ "vcard_muc" ];
          name = "Prosody Chatrooms";
          restrict_room_creation = "local";
          max_history_messages = 42;
          muc_room_locking = true;
          muc_room_lock_timeout = 600;
          muc_tombstones = true;
          muc_tombstone_expiry = 31 * 24 * 60 * 60; # 31 days
          muc_room_default_public = true;
          muc_room_default_members_only = false;
          muc_room_default_moderated = true;
          muc_room_default_public_jids = false;
          muc_room_default_change_subject = true;
          muc_room_default_history_length = 42;
          muc_room_default_language = "fr";
        };
      };

      # HTTP file sharing with per-upload, per-user-per-day and global caps.
      "tmp.${domain}" = {
        module = "http_file_share";
        settings = {
          size_limit = 100 * 1024 * 1024; # 100 MiB
          daily_quota = 200 * 1024 * 1024; # 200 MiB per day per user
          global_quota = 1 * 1024 * 1024 * 1024; # 1 GiB total
          expires_after = 7 * 24 * 60 * 60; # 7 days
        };
      };
    };

    virtualHosts.${domain} = {
      useACMEHost = domain;
      settings.enabled = true;
    };

    settings = {
      admins = [
        "julm@${domain}"
      ];
      contact_info = {
        #abuse = [ "mailto:abuse@${domain}", "xmpp:abuse@${domain}" ];
        #admin = [ "mailto:admin@${domain}", "xmpp:admin@${domain}" ];
        #feedback = [ "http://${domain}/feedback.php", "mailto:feedback@${domain}", "xmpp:feedback@${domain}" ];
        #sales = [ "xmpp:bard@${domain}" ];
        #security = [ "xmpp:security@${domain}" ];
        #support = [ "http://${domain}/support.php", "xmpp:support@${domain}" ];
      };

      # No self-service accounts; passwords are stored hashed.
      allow_registration = false;
      authentication = "internal_hashed";

      # Listen only in IPv4 until hosting provider's IPv6 works well.
      interfaces = [ "0.0.0.0" ];
      c2s_interfaces = [ "0.0.0.0" ];

      # Client connections: STARTTLS on 5222, direct TLS on 5223, encryption mandatory.
      c2s_ports = [ 5222 ];
      c2s_direct_tls_ports = [ 5223 ];
      c2s_direct_tls_ssl = acmeSsl;
      c2s_require_encryption = true;

      # Server-to-server: STARTTLS on 5269, direct TLS on 5270; remote
      # certificates must validate (s2s_secure_auth) and encryption is mandatory.
      s2s_require_encryption = true;
      s2s_secure_auth = true;
      s2s_ports = [ 5269 ];
      s2s_direct_tls_ports = [ 5270 ];
      s2s_direct_tls_ssl = acmeSsl;

      ssl = acmeSsl;

      # No plain HTTP listener; HTTPS on 5281 serves the file-share component.
      http_ports = [ ];
      https_ports = [ 5281 ];
      proxy65_ports = [ 5000 ];

      disco_items = [
        [
          "biboumi.${domain}"
          "Passerelle vers des serveurs IRC (Internet Relay Chat)"
        ]
      ];

      log = {
        # debug = "*syslog";
        info = "*syslog";
        warn = "*syslog";
        error = "*syslog";
      };

      modules_enabled = [
        "admin_shell"
        "announce"
        "blocklist"
        "bookmark"
        #"cloud_notify_encrypted"
        #"extdisco"
        "groups"
        "motd"
        #"muc_log"
        #"muc_log_http"
        #"net_multiplex"
        "server_contact_info"
        "turn_external"
        #"turncredentials"
        "watchregistrations"
        "welcome"
      ];
      modules_disabled = [
        "cloud_notify" # not encrypted even with OMEMO
        #"proxy65"
        "websocket"
        # NOTE(review): disabling "limits" removes prosody's per-connection rate
        # limiting; confirm this is intended on an internet-facing s2s/c2s host.
        "limits"
        "http_files"
        "http_upload"
      ];

      smacks_enabled_s2s = true;
      smacks_s2s_resend = true;

      # TURN credentials are derived from the same static secret coturn uses.
      # NOTE(review): if `settings` is rendered into a file in /nix/store, this
      # secret becomes world-readable on the host; the commented ENV_ line below
      # hints at a substitution mechanism — confirm which one is in effect.
      turn_external_secret = coturn.static-auth-secret;
      #turn_external_secret = "ENV_TURN_EXTERNAL_SECRET";
      turn_external_host = "turn.${domain}";
      turn_external_port = 3478;
      turn_external_ttl = 86400;

      # turncredentials_host = "turn.${domain}"
      # turncredentials_port = 3478
      # turncredentials_secret = "${coturn.static-auth-secret}";
      # http_files_dir = "/var/lib/prosody/files"
      # http_external_url = "https://tmp.${domain}:5281"
      # https_certificate = "/var/lib/acme/${domain}/fullchain.pem"
      # https_key = "/var/lib/acme/${domain}/key.pem"
      # certificates = "/var/lib/acme"
      #ports = {80};
      #ssl_ports = {443};
    };

    # Community module built in but currently not enabled (turn_external is used instead).
    package = pkgs.prosody.override {
      withCommunityModules = [
        "turncredentials"
        #"extdisco"
      ];
    };
  };
}