{ pkgs, lib, config, inputs, hosts, ipv4, ... }:
let
- inherit (config) networking;
inherit (config.services) prosody;
inherit (hosts.mermet.config.services) coturn;
+ domain = config.networking.domain;
in
{
imports = [
prosody/biboumi.nix
];
networking.nftables.ruleset = ''
- add rule inet filter net2fw tcp dport {5222,5269} counter accept comment "XMPP"
- add rule inet filter net2fw tcp dport 5000 counter accept comment "XMPP XEP-0065 File Transfer Proxy"
- add rule inet filter net2fw tcp dport {${lib.concatMapStringsSep "," toString prosody.httpsPorts}} counter accept comment "XMPP HTTPS"
- add rule inet filter fw2net meta skuid ${prosody.user} counter accept comment "Prosody"
+ table inet filter {
+ chain input-net {
+ tcp dport { xmpp-client, xmpp-server } counter accept comment "prosody: XMPP"
+ tcp dport 5000 counter accept comment "prosody: XMPP XEP-0065 File Transfer Proxy"
+ tcp dport {${lib.concatMapStringsSep "," toString prosody.httpsPorts}} counter accept comment "prosody: HTTPS"
+ }
+ chain output-net {
+ skuid ${prosody.user} counter accept comment "prosody"
+ }
+ }
'';
/*
services.upnpc.redirections =
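Review bot: The `tcp dport {${lib.concatMapStringsSep "," toString prosody.httpsPorts}}` rule in `chain input-net` renders as `tcp dport {}` when `prosody.httpsPorts` is an empty list, and nftables rejects an empty set, so the whole ruleset would fail to load rather than just omit the HTTPS rule. The list is non-empty in this configuration as far as the visible lines show, but the rule is derived from an option and will break silently if that option is ever cleared. Wrapping that one rule in `lib.optionalString (prosody.httpsPorts != [ ])` keeps the firewall loadable in that case.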
}) prosody.httpsPorts;
*/
/*
-services.tor.relay.hiddenServices."${networking.domain}/xmpp".map = [ 5222 5269 5000 ] ++ prosody.httpsPorts;
+services.tor.relay.hiddenServices."${domain}/xmpp".map = [ 5222 5269 5000 ] ++ prosody.httpsPorts;
*/
users.groups.acme.members = [ prosody.user ];
-security.acme.certs."${networking.domain}" = {
- postRun = "systemctl reload prosody";
+security.acme.certs."${domain}" = {
+ postRun = "systemctl restart prosody";
};
fileSystems."/var/lib/prosody" = {
device = "rpool/var/prosody";
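Review bot: The `postRun = "systemctl restart prosody";` line now tears down every client and server-to-server session each time the certificate is renewed, where the previous `reload` kept them, and nothing in the hunk says why. If reload was not picking up the renewed key and chain, a short comment would stop someone from reverting it later, for example `# restart: reload did not pick up the renewed certificate` (the actual reason is for the author to confirm). If reload does work, keeping it avoids a periodic forced disconnect of all users.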
};
};
systemd.services.prosody = {
- wants = [ "acme-selfsigned-${networking.domain}.service" "acme-${networking.domain}.service"];
- after = [ "acme-selfsigned-${networking.domain}.service" ];
+ wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service"];
+ after = [ "acme-selfsigned-${domain}.service" ];
};
# sudo -u prosody prosodyctl check
services.prosody = {
modules = {
announce = true;
blocklist = true;
- cloud_notify = true;
+ cloud_notify = false; # not encrypted even with OMEMO
+ #cloud_notify_encrypted = true;
groups = true;
limits = false;
motd = true;
proxy65 = false;
};
extraModules = [
- "turncredentials"
+ "turn_external"
+ #"turncredentials"
#"net_multiplex"
#"extdisco"
];
extraConfig = ''
+ log = {
+ -- debug = "*syslog";
+ info = "*syslog";
+ warn = "*syslog";
+ error = "*syslog";
+ }
-- Listen only in IPv4 until hosting provider's IPv6 works well.
interfaces = { "0.0.0.0" }
c2s_interfaces = { "0.0.0.0" }
contact_info = {
- --abuse = { "mailto:abuse@${networking.domain}", "xmpp:abuse@${networking.domain}" };
- --admin = { "mailto:admin@${networking.domain}", "xmpp:admin@${networking.domain}" };
- --feedback = { "http://${networking.domain}/feedback.php", "mailto:feedback@${networking.domain}", "xmpp:feedback@${networking.domain}" };
- --sales = { "xmpp:bard@${networking.domain}" };
- --security = { "xmpp:security@${networking.domain}" };
- --support = { "http://${networking.domain}/support.php", "xmpp:support@${networking.domain}" };
+ --abuse = { "mailto:abuse@${domain}", "xmpp:abuse@${domain}" };
+ --admin = { "mailto:admin@${domain}", "xmpp:admin@${domain}" };
+ --feedback = { "http://${domain}/feedback.php", "mailto:feedback@${domain}", "xmpp:feedback@${domain}" };
+ --sales = { "xmpp:bard@${domain}" };
+ --security = { "xmpp:security@${domain}" };
+ --support = { "http://${domain}/support.php", "xmpp:support@${domain}" };
}
legacy_ssl_ports = { 5222 }
- turncredentials_host = "turn.${networking.domain}"
- turncredentials_port = 3478
- turncredentials_secret = "${lib.removeSuffix "\n" (builtins.readFile (inputs.secrets + "/coturn/static-auth-secret"))}";
+ -- turncredentials_host = "turn.${domain}"
+ -- turncredentials_port = 3478
+ -- turncredentials_secret = "${coturn.static-auth-secret}";
+
+ turn_external_secret = "${coturn.static-auth-secret}"
+ turn_external_host = "turn.${domain}"
+ turn_external_port = 3478
+ turn_external_ttl = 86400
+
smacks_enabled_s2s = true;
smacks_s2s_resend = true;
--http_files_dir = "/var/lib/prosody/files"
- --http_external_url = "https://tmp.${networking.domain}:5281"
- --https_certificate = "/var/lib/acme/${networking.domain}/fullchain.pem"
- --https_key = "/var/lib/acme/${networking.domain}/key.pem"
+ --http_external_url = "https://tmp.${domain}:5281"
+ --https_certificate = "/var/lib/acme/${domain}/fullchain.pem"
+ --https_key = "/var/lib/acme/${domain}/key.pem"
--certificates = "/var/lib/acme"
proxy65_ports = 5000
- Component "proxy65.${networking.domain}" "proxy65"
- proxy65_address = "proxy65.${networking.domain}"
- proxy65_acl = { "${networking.domain}" }
+ Component "proxy65.${domain}" "proxy65"
+ proxy65_address = "proxy65.${domain}"
+ proxy65_acl = { "${domain}" }
- Component "biboumi.${networking.domain}"
+ Component "biboumi.${domain}"
component_secret = "useless-secret-on-loopback"
'';
+ httpFileShare = {
+ domain = "tmp.${domain}";
+ size_limit = 100 * 1024*1024; # 100 MiB
+ daily_quota = 200 * 1024*1024; # 200 MiB per day per user
+ global_quota = 1 * 1024*1024*1024; # 1 GiB total
+ expires_after = 7 * 24*60*60; # 7 days
+ };
#ports = {80};
#ssl_ports = {443};
c2sRequireEncryption = true;
s2sRequireEncryption = true;
s2sSecureAuth = true;
- uploadHttp = {
- domain = "tmp.${networking.domain}";
- # Prosody's HTTP parser limit on body size
- uploadFileSizeLimit = "10485760";
- userQuota = 100 * 1024 * 1024;
- uploadExpireAfter = "60 * 60 * 24 * 7";
- httpUploadPath = "/var/lib/prosody/upload";
- };
muc = [
- { domain = "salons.${networking.domain}";
+ {
+ domain = "salons.${domain}";
extraConfig = ''
restrict_room_creation = "local"
max_history_messages = 42
'';
}
];
- ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
- ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
+ ssl.key = "/var/lib/acme/${domain}/key.pem";
+ ssl.cert = "/var/lib/acme/${domain}/fullchain.pem";
admins = [
- "julm@${networking.domain}"
+ "julm@${domain}"
];
- virtualHosts."${networking.domain}" = {
+ virtualHosts."${domain}" = {
enabled = true;
- domain = "${networking.domain}";
- ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
- ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
+ domain = "${domain}";
+ ssl.key = "/var/lib/acme/${domain}/key.pem";
+ ssl.cert = "/var/lib/acme/${domain}/fullchain.pem";
};
allowRegistration = false;
authentication = "internal_hashed";
httpPorts = [];
httpsPorts = [5281];
disco_items = [
- { url = "biboumi.${networking.domain}";
+ { url = "biboumi.${domain}";
description = "Passerelle vers des serveurs IRC (Internet Relay Chat)"; }
];
package = pkgs.prosody.override {
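Review bot: The `turn_external_secret = "${coturn.static-auth-secret}"` line in `extraConfig` interpolates the coturn shared secret at evaluation time, so it ends up in the generated Prosody configuration in the Nix store, which is normally readable by every local account on the host. Anyone who can read that value can mint valid TURN credentials for the relay, and `turn_external_ttl = 86400` gives each such credential a full day. The removed `builtins.readFile` form had the same exposure, so this is not a regression, but the move to `turn_external` is a good point to fix it. Consider configuring coturn through its `static-auth-secret-file` option on mermet and having Prosody read the secret at start-up from a file or environment variable kept outside the store. The `services.prosody` attribute set continues past the end of this hunk.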