authorGregor Kleen <gkleen@yggdrasil.li>2020-07-12 19:37:23 +0200
committerGregor Kleen <gkleen@yggdrasil.li>2020-07-12 19:37:23 +0200
commitf8a30dfd880637a9db306fd16b0da22354d93d03 (patch)
treeaef3942f91b20e0d6d22985d3fccc5c44b3398bb
parent69b1e740b4bcae179f7021d1b24c8a835af9c863 (diff)
ymir: prosody -> ejabberd
-rw-r--r--ymir.nix255
1 files changed, 190 insertions, 65 deletions
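--- a/ymir.nix
+++ b/ymir.nix
@@ -6,18 +6,6 @@ let
 luaPam = pkgs.callPackage ./custom/luaPam.nix {};
 luaPosix = pkgs.callPackage ./custom/luaPosix.nix {};
 luaSha2 = pkgs.callPackage ./custom/luaSha2.nix {};
-prosodyAuth = pkgs.callPackage ./custom/prosody-auth.nix {};
-prosodyVirtHost = name: {
-enabled = true;
-domain = name;
-ssl = {
-key = "/var/lib/acme/yggdrasil.li/key.pem";
-cert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
-extraOptions = {
-dhparam = config.security.dhparams.params.prosody.path;
-};
-};
-};
 myDomains = [ "dirty-haskell.org" "www.dirty-haskell.org" "lists.dirty-haskell.org" "l.dirty-haskell.org"
 "online.141.li" "o.141.li" "ftp.141.li" "files.141.li" "f.141.li" "ymir.141.li" "141.li" "www.141.li" "lists.141.li" "l.141.li" "rpg.141.li" "odin.141.li"
 "ymir.xmpp.li" "xmpp.li" "www.xmpp.li" "lists.xmpp.li" "l.xmpp.li" "muc.xmpp.li" "proxy.xmpp.li"
@@ -68,13 +56,6 @@ in rec {
 
 nixpkgs.overlays = [
 (self: super: {
-prosody = self.callPackage ./customized/prosody.nix ({
-inherit (self.lua51Packages) luasocket luaexpat luafilesystem luabitop luaevent luasec luadbi;
-lua5 = pkgs.lua5_1;
-withCommunityModules = ["carbons" "reload_modules" "csi" "cloud_notify" "csi_pump" "smacks" "track_muc_joins" "watchuntrusted"];
-extraModules = [prosodyAuth];
-extraLibs = [luaPam luaPosix luaSha2] ++ (with self.lua51Packages; [lua-zlib]);
-});
 # uwsgi = pkgs.callPackage ./customized/uwsgi.nix {
 # extraPlugins = {
 # cgi = {
@@ -243,7 +224,7 @@ in rec {
 };
 
 users.groups."ssl" = {
-members = [ "prosody"
+members = [ "ejabberd"
 "nginx"
 "postfix"
 "murmur"
@@ -257,59 +238,203 @@ in rec {
 SystemMaxUse=100M
 '';
 };
-
-services.prosody = {
-enable = true;
-admins = [
-"gkleen@xmpp.li"
-"gkleen@praseodym.org"
-"gkleen@141.li"
-"gkleen@yggdrasil.li"
-];
-allowRegistration = false;
-extraModules = [ "posix"
-"private"
-"auth_custom"
-"carbons"
-"reload_modules"
-"smacks"
-"csi"
-"csi_pump"
-"cloud_notify"
-"pep"
-"disco"
-"admin_adhoc"
-"watchuntrusted"
-];
-extraConfig = ''
-reload_modules = { "group", "tls" }
-authentication="custom"
-custom_alias_file="/etc/prosody/aliases"
-custom_alias_secret_file="/etc/prosody/alias_secret"
 
-Component "alias.xmpp.li"
-Include "/etc/prosody/alias.xmpp.li.cfg.lua"
-
-Component "muc.xmpp.li" "muc"
-restrict_room_creation = true
-max_history_messages = 100
-name = "Multi-user chats"
-
-Component "proxy.xmpp.li" "proxy65"
-proxy65_acl = {"xmpp.li", "yggdrasil.li", "praseodym.org", "141.li", "nights.email"};
+services.ejabberd = {
+enable = true;
+package = pkgs.ejabberd.override { withPam = true; };
+configFile = ''
+loglevel: 4
+hosts:
+- xmpp.li
+- yggdrasil.li
+- praseodym.org
+- 141.li
+- nights.email
+certfiles:
+- /var/lib/acme/yggdrasil.li/fullchain.pem
+- /var/lib/acme/yggdrasil.li/key.pem
+listen:
+- port: 5222
+ip: "::"
+module: ejabberd_c2s
+starttls: true
+starttls_required: true
+max_stanza_size: 262144
+shaper: c2s_shaper
+access: c2s
+- port: 5269
+ip: "::"
+module: ejabberd_s2s_in
+max_stanza_size: 524288
+s2s_use_starttls: optional
+
+auth_method: [pam]
+pam_service: xmpp
+
+acl:
+local:
+user_regexp: ""
+loopback:
+ip:
+- 127.0.0.0/8
+- ::1/128
+admin:
+user:
+- "gkleen@xmpp.li"
+- "gkleen@praseodym.org"
+- "gkleen@141.li"
+- "gkleen@yggdrasil.li"
+
+access_rules:
+local:
+allow: local
+c2s:
+deny: blocked
+allow: all
+announce:
+allow: admin
+configure:
+allow: admin
+muc_create:
+allow: local
+pubsub_createnode:
+allow: local
+trusted_network:
+allow: loopback
+
+api_permissions:
+"console commands":
+from:
+- ejabberd_ctl
+who: all
+what: "*"
+"admin access":
+who:
+access:
+allow:
+- acl: loopback
+- acl: admin
+oauth:
+scope: "ejabberd:admin"
+access:
+allow:
+- acl: loopback
+- acl: admin
+what:
+- "*"
+- "!stop"
+- "!start"
+"public commands":
+who:
+ip: 127.0.0.1/8
+what:
+- status
+- connected_users_number
+
+shaper:
+normal:
+rate: 3000
+burst_size: 20000
+fast: 100000
+
+shaper_rules:
+max_user_sessions: 10
+max_user_offline_messages:
+5000: admin
+100: all
+c2s_shaper:
+none: admin
+normal: all
+s2s_shaper: fast
+
+modules:
+mod_adhoc: {}
+mod_admin_extra: {}
+mod_announce:
+access: announce
+mod_avatar: {}
+mod_blocking: {}
+mod_bosh: {}
+mod_caps: {}
+mod_carboncopy: {}
+mod_client_state: {}
+mod_configure: {}
+mod_disco: {}
+mod_fail2ban: {}
+mod_http_api: {}
+# mod_http_upload:
+# put_url: https://@HOST@:5443/upload
+# custom_headers:
+# "Access-Control-Allow-Origin": "https://@HOST@"
+# "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
+# "Access-Control-Allow-Headers": "Content-Type"
+mod_last: {}
+mod_mam:
+## Mnesia is limited to 2GB, better to use an SQL backend
+## For small servers SQLite is a good fit and is very easy
+## to configure. Uncomment this when you have SQL configured:
+## db_type: sql
+assume_mam_usage: true
+default: always
+mod_mqtt: {}
+mod_muc:
+access:
+- allow
+access_admin:
+- allow: admin
+access_create: muc_create
+access_persistent: muc_create
+access_mam:
+- allow
+default_room_options:
+mam: true
+mod_muc_admin: {}
+mod_offline:
+access_max_user_messages: max_user_offline_messages
+mod_ping: {}
+mod_privacy: {}
+mod_private: {}
+mod_proxy65:
+access: local
+max_connections: 5
+mod_pubsub:
+access_createnode: pubsub_createnode
+plugins:
+- flat
+- pep
+force_node_config:
+## Avoid buggy clients to make their bookmarks public
+storage:bookmarks:
+access_model: whitelist
+mod_push: {}
+mod_push_keepalive: {}
+mod_register:
+## Only accept registration requests from the "trusted"
+## network (see access_rules section above).
+## Think twice before enabling registration from any
+## address. See the Jabber SPAM Manifesto for details:
+## https://github.com/ge0rg/jabber-spam-fighting-manifesto
+ip_access: trusted_network
+mod_roster:
+versioning: true
+mod_s2s_dialback: {}
+mod_shared_roster: {}
+mod_stream_mgmt:
+resend_on_timeout: if_offline
+mod_stun_disco: {}
+mod_vcard: {}
+mod_vcard_xupdate: {}
+mod_version:
+show_os: false
 '';
-
-virtualHosts = builtins.listToAttrs (map (name: { inherit name; value = prosodyVirtHost name; })
-["xmpp.li" "yggdrasil.li" "praseodym.org" "141.li" "nights.email"]);
-
-xmppComplianceSuite = false;
 };
+
 security.pam.services."xmpp".text = ''
 auth requisite pam_succeed_if.so user ingroup xmpp
 auth required pam_unix.so audit
 '';
 users.groups."shadow" = {
-members = [ "prosody"
+members = [ "ejabberd"
 ];
 };
 users.groups."xmpp" = {};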
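Review bot: `s2s_use_starttls: optional` on the new `ejabberd_s2s_in` listener lets federation traffic fall back to plaintext when a peer does not offer STARTTLS, while the c2s listener in the same block already insists on `starttls_required: true`; unless there is a known peer that cannot do TLS, `s2s_use_starttls: required` (or `required_trusted`, which additionally checks the peer certificate) is the safer setting. Two smaller points in the same `configFile`: the `"public commands"` rule uses `ip: 127.0.0.1/8` while the `loopback` acl uses `127.0.0.0/8`, and it would be clearer to use the same notation in both places; and `mod_register` is now loaded with `ip_access: trusted_network` whereas the removed prosody block set `allowRegistration = false`, so if in-band registration is not meant to return, dropping `mod_register` keeps the previous behaviour (with `auth_method: [pam]` registration presumably cannot succeed anyway, but the module is still reachable from loopback). The `in rec {` attribute set that holds `services.ejabberd` begins before this hunk and continues past it.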