]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/prosody.nix
carotte: apply git-crypt
[sourcephile-nix.git] / hosts / mermet / prosody.nix
1 { pkgs, lib, config, hosts, ... }:
2 let
3 inherit (config.services) prosody;
4 inherit (hosts.mermet.config.services) coturn;
5 domain = config.networking.domain;
6 commas = lib.concatMapStringsSep "," toString;
7 in
8 {
9 imports = [
10 prosody/biboumi.nix
11 ];
12 networking.nftables.ruleset = ''
13 table inet filter {
14 chain input-net {
15 tcp dport { xmpp-client, xmpp-server } counter accept comment "prosody: XMPP"
16 tcp dport {${commas (with prosody.settings; c2s_direct_tls_ports ++ s2s_direct_tls_ports)}} counter accept comment "prosody: XMPPS"
17 tcp dport {${commas prosody.settings.proxy65_ports}} counter accept comment "prosody: XMPP XEP-0065 File Transfer Proxy"
18 tcp dport {${commas prosody.settings.https_ports}} counter accept comment "prosody: HTTPS"
19 }
20 chain output-net {
21 skuid ${prosody.user} counter accept comment "prosody"
22 }
23 }
24 '';
25 /*
26 services.upnpc.redirections =
27 [
28 { description = "XMPP";
29 externalPort = 5222; protocol = "TCP";
30 duration = 30 * 60;
31 service.wantedBy = ["prosody.service"];
32 service.partOf = ["prosody.service"];
33 }
34 { description = "XMPP";
35 externalPort = 5269; protocol = "TCP";
36 duration = 30 * 60;
37 service.wantedBy = ["prosody.service"];
38 service.partOf = ["prosody.service"];
39 }
40 { description = "XMPP-FTP";
41 externalPort = 5000; protocol = "TCP";
42 duration = 30 * 60;
43 service.wantedBy = ["prosody.service"];
44 service.partOf = ["prosody.service"];
45 }
46 ] ++ map (externalPort: {
47 description = "XMPP-HTTPS";
48 inherit externalPort; protocol="TCP";
49 duration = 30 * 60;
50 service.wantedBy = ["prosody.service"];
51 service.partOf = ["prosody.service"];
52 }) prosody.settings.https_ports;
53 */
54 /*
55 services.tor.relay.hiddenServices."${domain}/xmpp".map = with prosody.settings; c2s_direct_tls_ports ++ s2s_direct_tls_ports ++ proxy65_ports ++ https_ports;
56 */
57 users.groups.acme.members = [ prosody.user ];
58 security.acme.certs."${domain}" = {
59 postRun = "systemctl try-restart prosody";
60 };
61 fileSystems."/var/lib/prosody" = {
62 device = "rpool/var/prosody";
63 fsType = "zfs";
64 };
65 services.sanoid.datasets = {
66 "rpool/var/prosody" = {
67 use_template = [ "snap" ];
68 daily = 7;
69 };
70 };
71 systemd.services.prosody = {
72 wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
73 after = [ "acme-selfsigned-${domain}.service" ];
74 };
75 # sudo -u prosody prosodyctl check
76 services.prosody = {
77 enable = true;
78 xmppComplianceSuite = true;
79 components = {
80 "biboumi.${domain}" = {
81 settings = {
82 component_secret = "useless-secret-on-loopback";
83 };
84 };
85 "proxy65.${domain}" = {
86 #module = "proxy65";
87 settings = {
88 proxy65_address = "proxy65.${domain}";
89 proxy65_acl = [ domain ];
90 };
91 };
92 "pubsub.${domain}" = {
93 module = "pubsub";
94 settings = {
95 modules_enabled = [
96 #"pubsub_alertmanager"
97 "pubsub_feeds"
98 #"pubsub_github"
99 "pubsub_summary"
100 "pubsub_text_interface"
101 ];
102 admins = { };
103 autocreate_on_subscribe = false;
104 autocreate_on_publish = false;
105 pubsub_max_items = 256;
106 pubsub_summary_templates = {
107 "http://www.w3.org/2005/Atom" = "{summary|or{{author/name|and{{author/name} posted }}{title}}}";
108 };
109 };
110 };
111 "salons.${domain}" = {
112 module = "muc";
113 settings = {
114 modules_enabled = [
115 "http_muc_log"
116 "muc_mam"
117 "vcard_muc"
118 #"muc_log"
119 #"muc_log_http"
120 ];
121 name = "Prosody Chatrooms";
122 restrict_room_creation = "local";
123 max_history_messages = 42;
124 muc_room_locking = true;
125 muc_room_lock_timeout = 600;
126 muc_tombstones = true;
127 muc_tombstone_expiry = 31 * 24 * 60 * 60;
128 muc_room_default_public = true;
129 muc_room_default_members_only = false;
130 muc_room_default_moderated = true;
131 muc_room_default_public_jids = false;
132 muc_room_default_change_subject = true;
133 muc_room_default_history_length = 42;
134 muc_room_default_language = "fr";
135
136 # mod_muc_mam
137 muc_log_by_default = true;
138 muc_log_presences = false;
139 log_all_rooms = false;
140 muc_log_expires_after = "1w";
141 muc_log_cleanup_interval = 4 * 60 * 60;
142 # mod_http_muc_log
143 http_muc_log_show_images = true;
144 #http_muc_log_default_view = "latest";
145 http_muc_log_list_order = [
146 "test@salons.${domain}"
147 ];
148 };
149 };
150 "tmp.${domain}" = {
151 module = "http_file_share";
152 settings = {
153 size_limit = 100 * 1024 * 1024; # 100 MiB
154 daily_quota = 200 * 1024 * 1024; # 200 MiB per day per user
155 global_quota = 1 * 1024 * 1024 * 1024; # 1 GiB total
156 expires_after = 7 * 24 * 60 * 60; # 7 days
157 };
158 };
159 };
160 virtualHosts.${domain} = {
161 useACMEHost = domain;
162 settings = {
163 enabled = true;
164 };
165 };
166 settings = {
167 admins = [
168 "julm@${domain}"
169 ];
170 site_name = "soucephile.fr";
171 contact_info = {
172 #abuse = [ "mailto:abuse@${domain}", "xmpp:abuse@${domain}" ];
173 #admin = [ "mailto:admin@${domain}", "xmpp:admin@${domain}" ];
174 #feedback = [ "http://${domain}/feedback.php", "mailto:feedback@${domain}", "xmpp:feedback@${domain}" ];
175 #sales = [ "xmpp:bard@${domain}" ];
176 #security = [ "xmpp:security@${domain}" ];
177 #support = [ "http://${domain}/support.php", "xmpp:support@${domain}" ];
178 };
179
180 allow_registration = true;
181 registration_invite_only = true;
182 authentication = "internal_hashed";
183
184 # Listen only in IPv4 until hosting provider's IPv6 works well.
185 interfaces = [ "0.0.0.0" ];
186 c2s_interfaces = [ "0.0.0.0" ];
187 c2s_ports = [ 5222 ];
188 c2s_direct_tls_ports = [ 5223 ];
189 c2s_direct_tls_ssl = {
190 key = "/var/lib/acme/${domain}/key.pem";
191 certificate = "/var/lib/acme/${domain}/fullchain.pem";
192 };
193 c2s_require_encryption = true;
194 s2s_require_encryption = true;
195 s2s_secure_auth = true;
196 s2s_ports = [ 5269 ];
197 s2s_direct_tls_ports = [ 5270 ];
198 s2s_direct_tls_ssl = {
199 key = "/var/lib/acme/${domain}/key.pem";
200 certificate = "/var/lib/acme/${domain}/fullchain.pem";
201 };
202 ssl.key = "/var/lib/acme/${domain}/key.pem";
203 ssl.certificate = "/var/lib/acme/${domain}/fullchain.pem";
204 http_ports = [ ];
205 https_ports = [ 5281 ];
206 proxy65_ports = [ 5000 ];
207
208 disco_items = [
209 [
210 "biboumi.${domain}"
211 "Gateway to IRC (Internet Relay Chat) servers"
212 ]
213 ];
214
215 log = {
216 # debug = "*syslog";
217 info = "*syslog";
218 warn = "*syslog";
219 error = "*syslog";
220 };
221
222 storage = {
223 archive = "xmlarchive";
224 muc_log = "xmlarchive";
225 };
226 # mod_mam
227 archive_expires_after = "3m"; # months
228 archive_cleanup_interval = 4 * 60 * 60;
229 default_archive_policy = "roster";
230
231 limits = {
232 c2s = {
233 rate = "3kb/s";
234 burst = "2s";
235 };
236 s2sin = {
237 rate = "10kb/s";
238 burst = "5s";
239 };
240 };
241
242 csi_important_payloads = {
243 # Anything in this namespace:
244 #"{urn:example:important-namespace}"
245 # Specific element name and namespace:
246 #"{urn:example:xmpp:priority}super-important"
247 };
248
249 feeds = {
250 code_gouv_fr = "https://code.gouv.fr/feed/feed.xml";
251 haskellweekly = "https://haskellweekly.news/newsletter.atom";
252 planet_jabber = "https://planet.jabber.org/atom.xml";
253 #prosody_blog = "http://blog.prosody.im/feed/atom.xml";
254 };
255
256 modules_enabled = [
257 "admin_shell"
258 "announce"
259 "blocklist"
260 #"cloud_notify_encrypted"
261 "csi_simple"
262 #"extdisco"
263 "groups"
264 "invites"
265 "invites_page"
266 "invites_register"
267 "limits"
268 "motd"
269 #"net_multiplex"
270 "register_apps"
271 "server_contact_info"
272 #"throttle_presence"
273 "turn_external"
274 "vcard4"
275 "watchregistrations"
276 "welcome"
277 "storage_xmlarchive"
278 ];
279 modules_disabled = [
280 "cloud_notify" # not encrypted even with OMEMO
281 "http_files"
282 "http_upload"
283 #"proxy65"
284 "vcard_legacy"
285 "websocket"
286 ];
287
288 smacks_enabled_s2s = true;
289 smacks_s2s_resend = true;
290
291 turn_external_secret = coturn.static-auth-secret;
292 #turn_external_secret = "ENV_TURN_EXTERNAL_SECRET";
293 turn_external_host = "turn.${domain}";
294 turn_external_port = 3478;
295 turn_external_ttl = 86400;
296
297 # http_files_dir = "/var/lib/prosody/files"
298 # http_external_url = "https://tmp.${domain}:5281"
299 # https_certificate = "/var/lib/acme/${domain}/fullchain.pem"
300 # https_key = "/var/lib/acme/${domain}/key.pem"
301 # certificates = "/var/lib/acme"
302 #ports = {80};
303 #ssl_ports = {443};
304 };
305 package = pkgs.prosody.override {
306 withCommunityModules = [
307 "http_muc_log"
308 #"log_auth"
309 #"offline_email"
310 #"pubsub_alertmanager"
311 "pubsub_feeds"
312 #"pubsub_github"
313 "pubsub_summary"
314 "pubsub_text_interface"
315 "register_apps"
316 "invites_page"
317 #"extdisco"
318 "storage_xmlarchive"
319 ];
320 };
321 };
322 }