1 { pkgs, lib, config, ... }:
3 inherit (builtins.extraBuiltins) pass-chomp;
4 inherit (config) networking;
5 inherit (config.services) prosody;
8 networking.nftables.ruleset = ''
9 add rule inet filter net2fw tcp dport {5222, 5269} counter accept comment "XMPP"
10 add rule inet filter net2fw tcp dport 5000 counter accept comment "XMPP XEP-0065 File Transfer Proxy"
11 add rule inet filter net2fw tcp dport {${lib.concatMapStringsSep "," toString prosody.httpsPorts}} counter accept comment "XMPP HTTPS"
12 add rule inet filter fw2net meta skuid ${prosody.user} tcp dport 3478 counter accept comment "TURN"
13 add rule inet filter fw2net meta skuid ${prosody.user} udp dport 3478 counter accept comment "TURN"
14 add rule inet filter fw2net meta skuid ${prosody.user} counter accept comment "Prosody"
15 add rule inet filter fw2net meta skuid ${prosody.user} counter accept comment "Prosody"
17 users.groups.acme.members = [ prosody.user ];
18 security.acme.certs."${networking.domain}" = {
19 postRun = "systemctl reload prosody";
21 systemd.services.prosody = {
22 wants = [ "acme-selfsigned-${networking.domain}.service" "acme-${networking.domain}.service"];
23 after = [ "acme-selfsigned-${networking.domain}.service" ];
27 xmppComplianceSuite = true;
33 watchregistrations = true;
42 Component "proxy65.${networking.domain}" "proxy65"
45 turncredentials_host = "turn.${networking.domain}"
46 turncredentials_secret = "${pass-chomp "machines/mermet/coturn/static-auth-secret"}"
47 turncredentials_port = 3478
51 c2sRequireEncryption = true;
52 s2sRequireEncryption = true;
55 domain = "tmp.${networking.domain}";
56 # Prosody's HTTP parser limit on body size
57 uploadFileSizeLimit = "10485760";
58 userQuota = 100 * 1024 * 1024;
59 uploadExpireAfter = "60 * 60 * 24 * 7";
62 { domain = "salons.${networking.domain}";
64 restrict_room_creation = "local"
65 max_history_messages = 42
66 muc_room_locking = true
67 muc_room_lock_timeout = 600
69 muc_tombstone_expiry = 31 * 24 * 60 * 60
70 muc_room_default_public = true
71 muc_room_default_members_only = false
72 muc_room_default_moderated = true
73 muc_room_default_public_jids = false
74 muc_room_default_change_subject = true
75 muc_room_default_history_length = 42
76 muc_room_default_language = "fr"
80 virtualHosts."${networking.domain}" = {
82 domain = "${networking.domain}";
83 ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
84 ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
87 "julm@${networking.domain}"
89 allowRegistration = false;
90 authentication = "internal_hashed";