coturn: install on mermet (for prosody)
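# NixOS configuration for the Prosody XMPP server on this machine:
# nftables openings, ACME certificate wiring, and the Prosody service itself.
{ pkgs, lib, config, ... }:
let
  # extra-builtins helper: reads a password-store entry at evaluation time
  # (the trailing newline is chomped).
  inherit (builtins.extraBuiltins) pass-chomp;
  inherit (config) networking;
  inherit (config.services) prosody;
in
{
  # Inbound (net2fw): XMPP c2s (5222) and s2s (5269), the XEP-0065 file-transfer
  # proxy (5000, matching proxy65_ports below) and Prosody's HTTPS ports.
  # Outbound (fw2net): the last rule accepts *all* traffic sent by the prosody
  # user, so it already covers the two TURN rules above it; those are kept,
  # presumably so the counters show TURN traffic separately.
  # The previously duplicated catch-all "Prosody" rule has been collapsed to one.
  networking.nftables.ruleset = ''
    add rule inet filter net2fw tcp dport {5222, 5269} counter accept comment "XMPP"
    add rule inet filter net2fw tcp dport 5000 counter accept comment "XMPP XEP-0065 File Transfer Proxy"
    add rule inet filter net2fw tcp dport {${lib.concatMapStringsSep "," toString prosody.httpsPorts}} counter accept comment "XMPP HTTPS"
    add rule inet filter fw2net meta skuid ${prosody.user} tcp dport 3478 counter accept comment "TURN"
    add rule inet filter fw2net meta skuid ${prosody.user} udp dport 3478 counter accept comment "TURN"
    add rule inet filter fw2net meta skuid ${prosody.user} counter accept comment "Prosody"
  '';

  # Let the prosody user read the ACME-issued key/cert referenced in ssl.* below.
  users.groups.acme.members = [ prosody.user ];
  security.acme.certs."${networking.domain}" = {
    # Pick up a renewed certificate without a full restart.
    postRun = "systemctl reload prosody";
  };
  systemd.services.prosody = {
    wants = [ "acme-selfsigned-${networking.domain}.service" "acme-${networking.domain}.service"];
    # Only ordered after the self-signed unit, presumably so Prosody can start
    # with a placeholder certificate while the real one is still being issued.
    after = [ "acme-selfsigned-${networking.domain}.service" ];
  };

  services.prosody = {
    enable = true;
    xmppComplianceSuite = true;
    modules = {
      announce = true;
      groups = true;
      limits = false;
      motd = true;
      watchregistrations = true;
      websocket = false;
      welcome = true;
    };
    extraModules = [
      "turncredentials"
      #"net_multiplex"
    ];
    extraConfig = ''
      Component "proxy65.${networking.domain}" "proxy65"
      proxy65_ports = 5000

      turncredentials_host = "turn.${networking.domain}"
      -- NOTE(review): interpolated at Nix evaluation time, so this secret is
      -- written into the generated Prosody configuration in the world-readable
      -- Nix store. Confirm that is acceptable for this deployment, or move to
      -- a runtime-loaded secret.
      turncredentials_secret = "${pass-chomp "machines/mermet/coturn/static-auth-secret"}"
      turncredentials_port = 3478
    '';
    #ports = {80};
    #ssl_ports = {443};
    # Refuse plaintext client and server connections; s2s must present a
    # valid certificate (no dialback fallback).
    c2sRequireEncryption = true;
    s2sRequireEncryption = true;
    s2sSecureAuth = true;
    uploadHttp = {
      domain = "tmp.${networking.domain}";
      # Prosody's HTTP parser limit on body size (10 MiB)
      uploadFileSizeLimit = "10485760";
      userQuota = 100 * 1024 * 1024;
      uploadExpireAfter = "60 * 60 * 24 * 7";
    };
    muc = [
      { domain = "salons.${networking.domain}";
        extraConfig = ''
          restrict_room_creation = "local"
          max_history_messages = 42
          muc_room_locking = true
          muc_room_lock_timeout = 600
          muc_tombstones = true
          muc_tombstone_expiry = 31 * 24 * 60 * 60
          muc_room_default_public = true
          muc_room_default_members_only = false
          muc_room_default_moderated = true
          muc_room_default_public_jids = false
          muc_room_default_change_subject = true
          muc_room_default_history_length = 42
          muc_room_default_language = "fr"
        '';
      }
    ];
    virtualHosts."${networking.domain}" = {
      enabled = true;
      domain = "${networking.domain}";
      ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
      ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
    };
    admins = [
      "julm@${networking.domain}"
    ];
    # No in-band registration; accounts are created by an admin and stored hashed.
    allowRegistration = false;
    authentication = "internal_hashed";
    httpPorts = [];
    disco_items = [];
  };
}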