1 { pkgs, lib, config, machines, ... }:
3 inherit (builtins.extraBuiltins) pass-chomp;
4 inherit (config) networking;
5 inherit (config.services) prosody;
6 inherit (machines.mermet.config.services) coturn;
12 networking.nftables.ruleset = ''
13 add rule inet filter net2fw tcp dport {5222,5269} counter accept comment "XMPP"
14 add rule inet filter net2fw tcp dport 5000 counter accept comment "XMPP XEP-0065 File Transfer Proxy"
15 add rule inet filter net2fw tcp dport {${lib.concatMapStringsSep "," toString prosody.httpsPorts}} counter accept comment "XMPP HTTPS"
16 add rule inet filter fw2net meta skuid ${prosody.user} counter accept comment "Prosody"
18 users.groups.acme.members = [ prosody.user ];
19 security.acme.certs."${networking.domain}" = {
20 postRun = "systemctl reload prosody";
22 systemd.services.prosody = {
23 wants = [ "acme-selfsigned-${networking.domain}.service" "acme-${networking.domain}.service"];
24 after = [ "acme-selfsigned-${networking.domain}.service" ];
26 # sudo -u prosody prosodyctl check
29 xmppComplianceSuite = true;
36 watchregistrations = true;
47 turncredentials_host = "turn.${networking.domain}"
48 turncredentials_secret = "${pass-chomp "machines/mermet/coturn/static-auth-secret"}"
49 turncredentials_port = 3478
51 --external_services = {
52 -- ["turn.${networking.domain}"] = {
55 -- port="${toString coturn.alt-listening-port}";
57 -- ["turn.${networking.domain}"] = {
60 -- port="${toString coturn.listening-port}";
61 -- username="xmpp-user";
62 -- password="base64.encode(hmac_sha1(\"${pass-chomp "machines/mermet/coturn/static-auth-secret"}\", "xmpp-user", false))";
66 --http_files_dir = "/var/lib/prosody/files"
67 --http_external_url = "https://tmp.${networking.domain}:5281"
68 --https_certificate = "/var/lib/acme/${networking.domain}/fullchain.pem"
69 --https_key = "/var/lib/acme/${networking.domain}/key.pem"
70 --certificates = "/var/lib/acme"
73 Component "proxy65.${networking.domain}" "proxy65"
74 proxy65_address = "proxy65.${networking.domain}"
75 proxy65_acl = { "${networking.domain}" }
77 -- Component "irc.${networking.domain}"
78 -- component_secret = "useless-secret-on-loopback"
82 c2sRequireEncryption = true;
83 s2sRequireEncryption = true;
86 domain = "tmp.${networking.domain}";
87 # Prosody's HTTP parser limit on body size
88 uploadFileSizeLimit = "10485760";
89 userQuota = 100 * 1024 * 1024;
90 uploadExpireAfter = "60 * 60 * 24 * 7";
91 httpUploadPath = "/var/lib/prosody/upload";
94 { domain = "salons.${networking.domain}";
96 restrict_room_creation = "local"
97 max_history_messages = 42
98 muc_room_locking = true
99 muc_room_lock_timeout = 600
100 muc_tombstones = true
101 muc_tombstone_expiry = 31 * 24 * 60 * 60
102 muc_room_default_public = true
103 muc_room_default_members_only = false
104 muc_room_default_moderated = true
105 muc_room_default_public_jids = false
106 muc_room_default_change_subject = true
107 muc_room_default_history_length = 42
108 muc_room_default_language = "fr"
112 ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
113 ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
115 "julm@${networking.domain}"
117 virtualHosts."${networking.domain}" = {
119 domain = "${networking.domain}";
120 ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
121 ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
123 allowRegistration = false;
124 authentication = "internal_hashed";
128 package = pkgs.prosody.override {
129 withCommunityModules = [