nix: update switch from julm-nix
[sourcephile-nix.git] / hosts / mermet / prosody.nix
index 22afd2de1c214ca4f34ee2fa992a8093aab8b8c6..16465c883389f027e2492265db62e62afa242da7 100644 (file)
@@ -1,22 +1,28 @@
-{ pkgs, lib, config, hosts, ipv4, ... }:
+{ pkgs, lib, config, hosts, ... }:
 let
-  inherit (config) networking;
   inherit (config.services) prosody;
   inherit (hosts.mermet.config.services) coturn;
+  domain = config.networking.domain;
 in
 {
-imports = [
-  prosody/biboumi.nix
-];
-networking.nftables.ruleset = ''
-  add rule inet filter net2fw tcp dport {5222,5269} counter accept comment "XMPP"
-  add rule inet filter net2fw tcp dport 5000 counter accept comment "XMPP XEP-0065 File Transfer Proxy"
-  add rule inet filter net2fw tcp dport {${lib.concatMapStringsSep "," toString prosody.httpsPorts}} counter accept comment "XMPP HTTPS"
-  add rule inet filter fw2net meta skuid ${prosody.user} counter accept comment "Prosody"
-'';
-/*
-services.upnpc.redirections =
-  [
+  imports = [
+    prosody/biboumi.nix
+  ];
+  networking.nftables.ruleset = ''
+    table inet filter {
+      chain input-net {
+        tcp dport { xmpp-client, xmpp-server } counter accept comment "prosody: XMPP"
+        tcp dport 5000 counter accept comment "prosody: XMPP XEP-0065 File Transfer Proxy"
+        tcp dport {${lib.concatMapStringsSep "," toString prosody.httpsPorts}} counter accept comment "prosody: HTTPS"
+      }
+      chain output-net {
+        skuid ${prosody.user} counter accept comment "prosody"
+      }
+    }
+  '';
+  /*
+    services.upnpc.redirections =
+    [
     { description = "XMPP";
       externalPort = 5222; protocol = "TCP";
       duration = 30 * 60;
@@ -35,144 +41,163 @@ services.upnpc.redirections =
       service.wantedBy = ["prosody.service"];
       service.partOf   = ["prosody.service"];
     }
-  ] ++ map (externalPort: {
+    ] ++ map (externalPort: {
     description = "XMPP-HTTPS";
     inherit externalPort; protocol="TCP";
     duration = 30 * 60;
     service.wantedBy = ["prosody.service"];
     service.partOf   = ["prosody.service"];
-  }) prosody.httpsPorts;
-*/
-/*
-services.tor.relay.hiddenServices."${networking.domain}/xmpp".map = [ 5222 5269 5000 ] ++ prosody.httpsPorts;
-*/
-users.groups.acme.members = [ prosody.user ];
-security.acme.certs."${networking.domain}" = {
-  postRun = "systemctl reload prosody";
-};
-fileSystems."/var/lib/prosody" = {
-  device = "rpool/var/prosody";
-  fsType = "zfs";
-};
-services.sanoid.datasets = {
-  "rpool/var/prosody" = {
-    use_template = [ "local" ];
-    daily = 7;
+    }) prosody.httpsPorts;
+  */
+  /*
+    services.tor.relay.hiddenServices."${domain}/xmpp".map = [ 5222 5269 5000 ] ++ prosody.httpsPorts;
+  */
+  users.groups.acme.members = [ prosody.user ];
+  security.acme.certs."${domain}" = {
+    postRun = "systemctl try-restart prosody";
   };
-};
-systemd.services.prosody = {
-  wants = [ "acme-selfsigned-${networking.domain}.service" "acme-${networking.domain}.service"];
-  after = [ "acme-selfsigned-${networking.domain}.service" ];
-};
-# sudo -u prosody prosodyctl check
-services.prosody = {
-  enable = true;
-  xmppComplianceSuite = true;
-  modules = {
-    announce = true;
-    blocklist = true;
-    cloud_notify = true;
-    groups = true;
-    limits = false;
-    motd = true;
-    server_contact_info = true;
-    watchregistrations = true;
-    websocket = false;
-    welcome = true;
-    proxy65 = false;
+  fileSystems."/var/lib/prosody" = {
+    device = "rpool/var/prosody";
+    fsType = "zfs";
   };
-  extraModules = [
-    "turncredentials"
-    #"net_multiplex"
-    #"extdisco"
-  ];
-  extraConfig = ''
-    -- Listen only in IPv4 until hosting provider's IPv6 works well.
-    interfaces = { "0.0.0.0" }
-    c2s_interfaces = { "0.0.0.0" }
-    contact_info = {
-      --abuse = { "mailto:abuse@${networking.domain}", "xmpp:abuse@${networking.domain}" };
-      --admin = { "mailto:admin@${networking.domain}", "xmpp:admin@${networking.domain}" };
-      --feedback = { "http://${networking.domain}/feedback.php", "mailto:feedback@${networking.domain}", "xmpp:feedback@${networking.domain}" };
-      --sales = { "xmpp:bard@${networking.domain}" };
-      --security = { "xmpp:security@${networking.domain}" };
-      --support = { "http://${networking.domain}/support.php", "xmpp:support@${networking.domain}" };
-    }
-    legacy_ssl_ports = { 5222 }
+  services.sanoid.datasets = {
+    "rpool/var/prosody" = {
+      use_template = [ "snap" ];
+      daily = 7;
+    };
+  };
+  systemd.services.prosody = {
+    wants = [ "acme-selfsigned-${domain}.service" "acme-${domain}.service" ];
+    after = [ "acme-selfsigned-${domain}.service" ];
+  };
+  # sudo -u prosody prosodyctl check
+  services.prosody = {
+    enable = true;
+    xmppComplianceSuite = true;
+    modules = {
+      announce = true;
+      blocklist = true;
+      cloud_notify = false; # not encrypted even with OMEMO
+      #cloud_notify_encrypted = true;
+      groups = true;
+      limits = false;
+      motd = true;
+      server_contact_info = true;
+      watchregistrations = true;
+      websocket = false;
+      welcome = true;
+      proxy65 = false;
+    };
+    extraModules = [
+      "turn_external"
+      #"turncredentials"
+      #"net_multiplex"
+      #"extdisco"
+    ];
+    extraConfig = ''
+      log = {
+        -- debug = "*syslog";
+        info = "*syslog";
+        warn  = "*syslog";
+        error = "*syslog";
+      }
+      -- Listen only in IPv4 until hosting provider's IPv6 works well.
+      interfaces = { "0.0.0.0" }
+      c2s_interfaces = { "0.0.0.0" }
+      contact_info = {
+        --abuse = { "mailto:abuse@${domain}", "xmpp:abuse@${domain}" };
+        --admin = { "mailto:admin@${domain}", "xmpp:admin@${domain}" };
+        --feedback = { "http://${domain}/feedback.php", "mailto:feedback@${domain}", "xmpp:feedback@${domain}" };
+        --sales = { "xmpp:bard@${domain}" };
+        --security = { "xmpp:security@${domain}" };
+        --support = { "http://${domain}/support.php", "xmpp:support@${domain}" };
+      }
+      legacy_ssl_ports = { 5222 }
 
-    turncredentials_host = "turn.${networking.domain}"
-    turncredentials_port = 3478
+      -- turncredentials_host = "turn.${domain}"
+      -- turncredentials_port = 3478
+      -- turncredentials_secret = "${coturn.static-auth-secret}";
 
-    --http_files_dir = "/var/lib/prosody/files"
-    --http_external_url = "https://tmp.${networking.domain}:5281"
-    --https_certificate = "/var/lib/acme/${networking.domain}/fullchain.pem"
-    --https_key = "/var/lib/acme/${networking.domain}/key.pem"
-    --certificates = "/var/lib/acme"
+      turn_external_secret = "${coturn.static-auth-secret}"
+      turn_external_host = "turn.${domain}"
+      turn_external_port = 3478
+      turn_external_ttl = 86400
 
-    proxy65_ports = 5000
-    Component "proxy65.${networking.domain}" "proxy65"
-      proxy65_address = "proxy65.${networking.domain}"
-      proxy65_acl = { "${networking.domain}" }
+      smacks_enabled_s2s = true;
+      smacks_s2s_resend = true;
 
-    Component "biboumi.${networking.domain}"
-      component_secret = "useless-secret-on-loopback"
-  '';
-  #ports = {80};
-  #ssl_ports = {443};
-  c2sRequireEncryption = true;
-  s2sRequireEncryption = true;
-  s2sSecureAuth = true;
-  uploadHttp = {
-    domain = "tmp.${networking.domain}";
-    # Prosody's HTTP parser limit on body size
-    uploadFileSizeLimit = "10485760";
-    userQuota = 100 * 1024 * 1024;
-    uploadExpireAfter = "60 * 60 * 24 * 7";
-    httpUploadPath = "/var/lib/prosody/upload";
-  };
-  muc = [
-    { domain = "salons.${networking.domain}";
-      extraConfig = ''
-        restrict_room_creation = "local"
-        max_history_messages = 42
-        muc_room_locking = true
-        muc_room_lock_timeout = 600
-        muc_tombstones = true
-        muc_tombstone_expiry = 31 * 24 * 60 * 60
-        muc_room_default_public = true
-        muc_room_default_members_only = false
-        muc_room_default_moderated = true
-        muc_room_default_public_jids = false
-        muc_room_default_change_subject = true
-        muc_room_default_history_length = 42
-        muc_room_default_language = "fr"
-      '';
-    }
-  ];
-  ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
-  ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
-  admins = [
-    "julm@${networking.domain}"
-  ];
-  virtualHosts."${networking.domain}" = {
-    enabled = true;
-    domain = "${networking.domain}";
-    ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
-    ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
-  };
-  allowRegistration = false;
-  authentication = "internal_hashed";
-  httpPorts = [];
-  httpsPorts = [5281];
-  disco_items = [
-    { url = "biboumi.${networking.domain}";
-      description = "Passerelle vers des serveurs IRC (Internet Relay Chat)"; }
-  ];
-  package = pkgs.prosody.override {
-    withCommunityModules = [
-      "turncredentials"
-      #"extdisco"
+      --http_files_dir = "/var/lib/prosody/files"
+      --http_external_url = "https://tmp.${domain}:5281"
+      --https_certificate = "/var/lib/acme/${domain}/fullchain.pem"
+      --https_key = "/var/lib/acme/${domain}/key.pem"
+      --certificates = "/var/lib/acme"
+
+      proxy65_ports = 5000
+      Component "proxy65.${domain}" "proxy65"
+        proxy65_address = "proxy65.${domain}"
+        proxy65_acl = { "${domain}" }
+
+      Component "biboumi.${domain}"
+        component_secret = "useless-secret-on-loopback"
+    '';
+    httpFileShare = {
+      domain = "tmp.${domain}";
+      size_limit = 100 * 1024 * 1024; # 100 MiB
+      daily_quota = 200 * 1024 * 1024; # 200 MiB per day per user
+      global_quota = 1 * 1024 * 1024 * 1024; # 1 GiB total
+      expires_after = 7 * 24 * 60 * 60; # 7 days
+    };
+    #ports = {80};
+    #ssl_ports = {443};
+    c2sRequireEncryption = true;
+    s2sRequireEncryption = true;
+    s2sSecureAuth = true;
+    muc = [
+      {
+        domain = "salons.${domain}";
+        extraConfig = ''
+          restrict_room_creation = "local"
+          max_history_messages = 42
+          muc_room_locking = true
+          muc_room_lock_timeout = 600
+          muc_tombstones = true
+          muc_tombstone_expiry = 31 * 24 * 60 * 60
+          muc_room_default_public = true
+          muc_room_default_members_only = false
+          muc_room_default_moderated = true
+          muc_room_default_public_jids = false
+          muc_room_default_change_subject = true
+          muc_room_default_history_length = 42
+          muc_room_default_language = "fr"
+        '';
+      }
+    ];
+    ssl.key = "/var/lib/acme/${domain}/key.pem";
+    ssl.cert = "/var/lib/acme/${domain}/fullchain.pem";
+    admins = [
+      "julm@${domain}"
+    ];
+    virtualHosts."${domain}" = {
+      enabled = true;
+      domain = "${domain}";
+      ssl.key = "/var/lib/acme/${domain}/key.pem";
+      ssl.cert = "/var/lib/acme/${domain}/fullchain.pem";
+    };
+    allowRegistration = false;
+    authentication = "internal_hashed";
+    httpPorts = [ ];
+    httpsPorts = [ 5281 ];
+    disco_items = [
+      {
+        url = "biboumi.${domain}";
+        description = "Passerelle vers des serveurs IRC (Internet Relay Chat)";
+      }
     ];
+    package = pkgs.prosody.override {
+      withCommunityModules = [
+        "turncredentials"
+        #"extdisco"
+      ];
+    };
   };
-};
 }