--- /dev/null
+{ pkgs, lib, config, ... }:
+let
+ inherit (config) networking;
+ inherit (config.users) users;
+ inherit (config.services) prosody;
+in
+{
+networking.nftables.ruleset = ''
+ add rule inet filter net2fw tcp dport {5222, 5269} counter accept comment "XMPP"
+ add rule inet filter net2fw tcp dport 5000 counter accept comment "XMPP XEP-0065 File Transfer Proxy"
+ add rule inet filter net2fw tcp dport {${lib.concatMapStringsSep "," toString prosody.httpsPorts}} counter accept comment "XMPP HTTPS"
+ add rule inet filter fw2net meta skuid ${prosody.user} counter accept comment "Prosody"
+'';
+users.groups.acme.members = [ users.prosody.name ];
+services.prosody = {
+ enable = true;
+ xmppComplianceSuite = true;
+ modules = {
+ websocket = false;
+ limits = false;
+ groups = true;
+ announce = true;
+ welcome = true;
+ watchregistrations = true;
+ motd = true;
+ };
+ extraModules = [
+ #"net_multiplex"
+ ];
+ extraConfig = ''
+ Component "proxy65.${networking.domain}" "proxy65"
+ proxy65_ports = 5000
+ '';
+ #ports = {80};
+ #ssl_ports = {443};
+ c2sRequireEncryption = true;
+ s2sRequireEncryption = true;
+ s2sSecureAuth = true;
+ uploadHttp = {
+ domain = "tmp.${networking.domain}";
+ # Prosody's HTTP parser limit on body size
+ uploadFileSizeLimit = "10485760";
+ userQuota = 100 * 1024 * 1024;
+ uploadExpireAfter = "60 * 60 * 24 * 7";
+ };
+ muc = [
+ { domain = "salons.${networking.domain}";
+ extraConfig = ''
+ restrict_room_creation = "local"
+ max_history_messages = 42
+ muc_room_locking = true
+ muc_room_lock_timeout = 600
+ muc_tombstones = true
+ muc_tombstone_expiry = 31 * 24 * 60 * 60
+ muc_room_default_public = true
+ muc_room_default_members_only = false
+ muc_room_default_moderated = true
+ muc_room_default_public_jids = false
+ muc_room_default_change_subject = true
+ muc_room_default_history_length = 42
+ muc_room_default_language = "fr"
+ '';
+ }
+ ];
+ virtualHosts."${networking.domain}" = {
+ enabled = true;
+ domain = "${networking.domain}";
+ ssl.key = "/var/lib/acme/${networking.domain}/key.pem";
+ ssl.cert = "/var/lib/acme/${networking.domain}/fullchain.pem";
+ };
+ admins = [
+ "julm@${networking.domain}"
+ ];
+ allowRegistration = false;
+ authentication = "internal_hashed";
+ httpPorts = [];
+ disco_items = [];
+};
+}
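Review bot: The nftables rule built from `prosody.httpsPorts` on line 12 degrades to `tcp dport {}` if that list is ever emptied, as `httpPorts` already is on line 77, and nftables rejects an empty set, so the whole `networking.nftables.ruleset` would fail to load and take the other rules down with it; wrap that line in `${lib.optionalString (prosody.httpsPorts != []) "..."}` so the rule is omitted instead of emitted with an empty set. Line 15 adds the prosody user to the `acme` group, which grants read access to every key under `/var/lib/acme` that keeps the default group, not only the certificate referenced on lines 69–70; if other certificates live on this host, a dedicated group for this certificate (`security.acme.certs.<name>.group`) keeps the exposure to the one Prosody needs. The components on lines 32, 41 and 48 serve `proxy65.`, `tmp.` and `salons.` subdomains while the only virtualHost and certificate shown are for `networking.domain`; a comment stating which certificate covers those names (or that the acme certificate carries them as extra domains) would save the next reader from guessing, since s2s peers will validate them.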
covid19 A ${machines.mermet.extraArgs.ipv4}
openconcerto A ${machines.losurdo.extraArgs.ipv4}
croc A ${machines.mermet.extraArgs.ipv4}
+ xmpp A ${machines.losurdo.extraArgs.ipv4}
; SPF (Sender Policy Framework)
@ 3600 IN SPF "v=spf1 mx ip4:${machines.mermet.extraArgs.ipv4} -all"
; SRV (SeRVice)
_git._tcp.git 18000 IN SRV 0 0 9418 git
+ _xmpp-client._tcp 18000 IN SRV 0 5 5222 xmpp
+ _xmpp-server._tcp 18000 IN SRV 0 5 5269 xmpp
+ _xmpp-server._tcp.salons 18000 IN SRV 0 5 5269 xmpp
+ _xmpp-server._tcp.proxy65 18000 IN SRV 0 5 5000 xmpp
+
; CAA (Certificate Authority Authorization)
; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
@ CAA 128 issue "letsencrypt.org"