-{ pkgs, lib, config, ... }:
+{ pkgs, lib, config, machines, ipv4, ... }:
let
- inherit (builtins.extraBuiltins) pass-chomp;
inherit (config) networking;
inherit (config.services) prosody;
+ inherit (machines.mermet.config.services) coturn;
in
{
+imports = [
+ prosody/biboumi.nix
+ #../../sec/machines/losurdo/prosody.nix
+];
networking.nftables.ruleset = ''
- add rule inet filter net2fw tcp dport {5222, 5269} counter accept comment "XMPP"
+ add rule inet filter net2fw tcp dport {5222,5269} counter accept comment "XMPP"
add rule inet filter net2fw tcp dport 5000 counter accept comment "XMPP XEP-0065 File Transfer Proxy"
add rule inet filter net2fw tcp dport {${lib.concatMapStringsSep "," toString prosody.httpsPorts}} counter accept comment "XMPP HTTPS"
- add rule inet filter fw2net meta skuid ${prosody.user} tcp dport 3478 counter accept comment "TURN"
- add rule inet filter fw2net meta skuid ${prosody.user} udp dport 3478 counter accept comment "TURN"
- add rule inet filter fw2net meta skuid ${prosody.user} counter accept comment "Prosody"
add rule inet filter fw2net meta skuid ${prosody.user} counter accept comment "Prosody"
'';
+/*
+services.tor.relay.hiddenServices."${networking.domain}/xmpp".map = [ 5222 5269 5000 ] ++ prosody.httpsPorts;
+*/
users.groups.acme.members = [ prosody.user ];
security.acme.certs."${networking.domain}" = {
postRun = "systemctl reload prosody";
wants = [ "acme-selfsigned-${networking.domain}.service" "acme-${networking.domain}.service"];
after = [ "acme-selfsigned-${networking.domain}.service" ];
};
+# sudo -u prosody prosodyctl check
services.prosody = {
enable = true;
xmppComplianceSuite = true;
modules = {
announce = true;
+ blocklist = true;
+ cloud_notify = true;
groups = true;
limits = false;
motd = true;
+ server_contact_info = true;
watchregistrations = true;
websocket = false;
welcome = true;
+ proxy65 = false;
};
extraModules = [
"turncredentials"
#"net_multiplex"
+ #"extdisco"
];
extraConfig = ''
- Component "proxy65.${networking.domain}" "proxy65"
- proxy65_ports = 5000
-
+ -- Listen only in IPv4 until hosting provider's IPv6 works well.
+ interfaces = { "0.0.0.0" }
+ c2s_interfaces = { "0.0.0.0" }
+ contact_info = {
+ --abuse = { "mailto:abuse@${networking.domain}", "xmpp:abuse@${networking.domain}" };
+ --admin = { "mailto:admin@${networking.domain}", "xmpp:admin@${networking.domain}" };
+ --feedback = { "http://${networking.domain}/feedback.php", "mailto:feedback@${networking.domain}", "xmpp:feedback@${networking.domain}" };
+ --sales = { "xmpp:bard@${networking.domain}" };
+ --security = { "xmpp:security@${networking.domain}" };
+ --support = { "http://${networking.domain}/support.php", "xmpp:support@${networking.domain}" };
+ }
+ legacy_ssl_ports = { 5222 }
+
turncredentials_host = "turn.${networking.domain}"
- turncredentials_secret = "${pass-chomp "machines/mermet/coturn/static-auth-secret"}"
turncredentials_port = 3478
+
+ --http_files_dir = "/var/lib/prosody/files"
+ --http_external_url = "https://tmp.${networking.domain}:5281"
+ --https_certificate = "/var/lib/acme/${networking.domain}/fullchain.pem"
+ --https_key = "/var/lib/acme/${networking.domain}/key.pem"
+ --certificates = "/var/lib/acme"
+
+ proxy65_ports = 5000
+ Component "proxy65.${networking.domain}" "proxy65"
+ proxy65_address = "proxy65.${networking.domain}"
+ proxy65_acl = { "${networking.domain}" }
+
+ Component "biboumi.${networking.domain}"
+ component_secret = "useless-secret-on-loopback"
'';
#ports = {80};
#ssl_ports = {443};
uploadFileSizeLimit = "10485760";
userQuota = 100 * 1024 * 1024;
uploadExpireAfter = "60 * 60 * 24 * 7";
+ httpUploadPath = "/var/lib/prosody/upload";
};
muc = [
{ domain = "salons.${networking.domain}";
'';
}
];
+ ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
+ ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
+ admins = [
+ "julm@${networking.domain}"
+ ];
virtualHosts."${networking.domain}" = {
enabled = true;
domain = "${networking.domain}";
ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
};
- admins = [
- "julm@${networking.domain}"
- ];
allowRegistration = false;
authentication = "internal_hashed";
- #httpPorts = [];
- disco_items = [];
+ httpPorts = [];
+ httpsPorts = [5281];
+ disco_items = [
+ { url = "biboumi.${networking.domain}";
+ description = "Passerelle vers des serveurs IRC (Internet Relay Chat)"; }
+ ];
+ package = pkgs.prosody.override {
+ withCommunityModules = [
+ "turncredentials"
+ #"extdisco"
+ ];
+ };
};
}
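Review bot: `turncredentials_secret` is removed from extraConfig (the line after `turncredentials_host`) and nothing on the new side sets it again, while the new `coturn` binding inherited from `machines.mermet.config.services` is never used; mod_turncredentials cannot issue credentials that coturn will accept unless this value equals coturn's static-auth-secret, so either wire it, e.g. `turncredentials_secret = "${coturn.static-auth-secret}"`, or document where it now comes from, bearing in mind that anything interpolated into extraConfig lands in the world-readable Nix store exactly as the old pass-chomp value did. The hardcoded `component_secret = "useless-secret-on-loopback"` for the biboumi component is only acceptable while the component port stays bound to loopback and is not opened in the nftables ruleset above; because this hunk now sets `interfaces = { "0.0.0.0" }` globally, it is worth confirming that `component_interfaces` still defaults to the loopback addresses and adding a comment such as `-- component port must stay loopback-only and firewalled: this secret is public` beside it. `legacy_ssl_ports = { 5222 }` also appears to collide with the default c2s port 5222 unless c2s_ports is changed or the commented-out net_multiplex module is enabled, so it is worth confirming that both listeners actually bind.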