diff options
author | Gregor Kleen <gkleen@yggdrasil.li> | 2020-07-12 19:37:23 +0200 |
---|---|---|
committer | Gregor Kleen <gkleen@yggdrasil.li> | 2020-07-12 19:37:23 +0200 |
commit | f8a30dfd880637a9db306fd16b0da22354d93d03 (patch) | |
tree | aef3942f91b20e0d6d22985d3fccc5c44b3398bb | |
parent | 69b1e740b4bcae179f7021d1b24c8a835af9c863 (diff) | |
download | nixos-f8a30dfd880637a9db306fd16b0da22354d93d03.tar nixos-f8a30dfd880637a9db306fd16b0da22354d93d03.tar.gz nixos-f8a30dfd880637a9db306fd16b0da22354d93d03.tar.bz2 nixos-f8a30dfd880637a9db306fd16b0da22354d93d03.tar.xz nixos-f8a30dfd880637a9db306fd16b0da22354d93d03.zip |
ymir: prosody -> ejabberd
-rw-r--r-- | ymir.nix | 255 |
1 files changed, 190 insertions, 65 deletions
@@ -6,18 +6,6 @@ let | |||
6 | luaPam = pkgs.callPackage ./custom/luaPam.nix {}; | 6 | luaPam = pkgs.callPackage ./custom/luaPam.nix {}; |
7 | luaPosix = pkgs.callPackage ./custom/luaPosix.nix {}; | 7 | luaPosix = pkgs.callPackage ./custom/luaPosix.nix {}; |
8 | luaSha2 = pkgs.callPackage ./custom/luaSha2.nix {}; | 8 | luaSha2 = pkgs.callPackage ./custom/luaSha2.nix {}; |
9 | prosodyAuth = pkgs.callPackage ./custom/prosody-auth.nix {}; | ||
10 | prosodyVirtHost = name: { | ||
11 | enabled = true; | ||
12 | domain = name; | ||
13 | ssl = { | ||
14 | key = "/var/lib/acme/yggdrasil.li/key.pem"; | ||
15 | cert = "/var/lib/acme/yggdrasil.li/fullchain.pem"; | ||
16 | extraOptions = { | ||
17 | dhparam = config.security.dhparams.params.prosody.path; | ||
18 | }; | ||
19 | }; | ||
20 | }; | ||
21 | myDomains = [ "dirty-haskell.org" "www.dirty-haskell.org" "lists.dirty-haskell.org" "l.dirty-haskell.org" | 9 | myDomains = [ "dirty-haskell.org" "www.dirty-haskell.org" "lists.dirty-haskell.org" "l.dirty-haskell.org" |
22 | "online.141.li" "o.141.li" "ftp.141.li" "files.141.li" "f.141.li" "ymir.141.li" "141.li" "www.141.li" "lists.141.li" "l.141.li" "rpg.141.li" "odin.141.li" | 10 | "online.141.li" "o.141.li" "ftp.141.li" "files.141.li" "f.141.li" "ymir.141.li" "141.li" "www.141.li" "lists.141.li" "l.141.li" "rpg.141.li" "odin.141.li" |
23 | "ymir.xmpp.li" "xmpp.li" "www.xmpp.li" "lists.xmpp.li" "l.xmpp.li" "muc.xmpp.li" "proxy.xmpp.li" | 11 | "ymir.xmpp.li" "xmpp.li" "www.xmpp.li" "lists.xmpp.li" "l.xmpp.li" "muc.xmpp.li" "proxy.xmpp.li" |
@@ -68,13 +56,6 @@ in rec { | |||
68 | 56 | ||
69 | nixpkgs.overlays = [ | 57 | nixpkgs.overlays = [ |
70 | (self: super: { | 58 | (self: super: { |
71 | prosody = self.callPackage ./customized/prosody.nix ({ | ||
72 | inherit (self.lua51Packages) luasocket luaexpat luafilesystem luabitop luaevent luasec luadbi; | ||
73 | lua5 = pkgs.lua5_1; | ||
74 | withCommunityModules = ["carbons" "reload_modules" "csi" "cloud_notify" "csi_pump" "smacks" "track_muc_joins" "watchuntrusted"]; | ||
75 | extraModules = [prosodyAuth]; | ||
76 | extraLibs = [luaPam luaPosix luaSha2] ++ (with self.lua51Packages; [lua-zlib]); | ||
77 | }); | ||
78 | # uwsgi = pkgs.callPackage ./customized/uwsgi.nix { | 59 | # uwsgi = pkgs.callPackage ./customized/uwsgi.nix { |
79 | # extraPlugins = { | 60 | # extraPlugins = { |
80 | # cgi = { | 61 | # cgi = { |
@@ -243,7 +224,7 @@ in rec { | |||
243 | }; | 224 | }; |
244 | 225 | ||
245 | users.groups."ssl" = { | 226 | users.groups."ssl" = { |
246 | members = [ "prosody" | 227 | members = [ "ejabberd" |
247 | "nginx" | 228 | "nginx" |
248 | "postfix" | 229 | "postfix" |
249 | "murmur" | 230 | "murmur" |
@@ -257,59 +238,203 @@ in rec { | |||
257 | SystemMaxUse=100M | 238 | SystemMaxUse=100M |
258 | ''; | 239 | ''; |
259 | }; | 240 | }; |
260 | |||
261 | services.prosody = { | ||
262 | enable = true; | ||
263 | admins = [ | ||
264 | "gkleen@xmpp.li" | ||
265 | "gkleen@praseodym.org" | ||
266 | "gkleen@141.li" | ||
267 | "gkleen@yggdrasil.li" | ||
268 | ]; | ||
269 | allowRegistration = false; | ||
270 | extraModules = [ "posix" | ||
271 | "private" | ||
272 | "auth_custom" | ||
273 | "carbons" | ||
274 | "reload_modules" | ||
275 | "smacks" | ||
276 | "csi" | ||
277 | "csi_pump" | ||
278 | "cloud_notify" | ||
279 | "pep" | ||
280 | "disco" | ||
281 | "admin_adhoc" | ||
282 | "watchuntrusted" | ||
283 | ]; | ||
284 | extraConfig = '' | ||
285 | reload_modules = { "group", "tls" } | ||
286 | authentication="custom" | ||
287 | custom_alias_file="/etc/prosody/aliases" | ||
288 | custom_alias_secret_file="/etc/prosody/alias_secret" | ||
289 | 241 | ||
290 | Component "alias.xmpp.li" | 242 | services.ejabberd = { |
291 | Include "/etc/prosody/alias.xmpp.li.cfg.lua" | 243 | enable = true; |
292 | 244 | package = pkgs.ejabberd.override { withPam = true; }; | |
293 | Component "muc.xmpp.li" "muc" | 245 | configFile = '' |
294 | restrict_room_creation = true | 246 | loglevel: 4 |
295 | max_history_messages = 100 | 247 | hosts: |
296 | name = "Multi-user chats" | 248 | - xmpp.li |
297 | 249 | - yggdrasil.li | |
298 | Component "proxy.xmpp.li" "proxy65" | 250 | - praseodym.org |
299 | proxy65_acl = {"xmpp.li", "yggdrasil.li", "praseodym.org", "141.li", "nights.email"}; | 251 | - 141.li |
252 | - nights.email | ||
253 | certfiles: | ||
254 | - /var/lib/acme/yggdrasil.li/fullchain.pem | ||
255 | - /var/lib/acme/yggdrasil.li/key.pem | ||
256 | listen: | ||
257 | - port: 5222 | ||
258 | ip: "::" | ||
259 | module: ejabberd_c2s | ||
260 | starttls: true | ||
261 | starttls_required: true | ||
262 | max_stanza_size: 262144 | ||
263 | shaper: c2s_shaper | ||
264 | access: c2s | ||
265 | - port: 5269 | ||
266 | ip: "::" | ||
267 | module: ejabberd_s2s_in | ||
268 | max_stanza_size: 524288 | ||
269 | s2s_use_starttls: optional | ||
270 | |||
271 | auth_method: [pam] | ||
272 | pam_service: xmpp | ||
273 | |||
274 | acl: | ||
275 | local: | ||
276 | user_regexp: "" | ||
277 | loopback: | ||
278 | ip: | ||
279 | - 127.0.0.0/8 | ||
280 | - ::1/128 | ||
281 | admin: | ||
282 | user: | ||
283 | - "gkleen@xmpp.li" | ||
284 | - "gkleen@praseodym.org" | ||
285 | - "gkleen@141.li" | ||
286 | - "gkleen@yggdrasil.li" | ||
287 | |||
288 | access_rules: | ||
289 | local: | ||
290 | allow: local | ||
291 | c2s: | ||
292 | deny: blocked | ||
293 | allow: all | ||
294 | announce: | ||
295 | allow: admin | ||
296 | configure: | ||
297 | allow: admin | ||
298 | muc_create: | ||
299 | allow: local | ||
300 | pubsub_createnode: | ||
301 | allow: local | ||
302 | trusted_network: | ||
303 | allow: loopback | ||
304 | |||
305 | api_permissions: | ||
306 | "console commands": | ||
307 | from: | ||
308 | - ejabberd_ctl | ||
309 | who: all | ||
310 | what: "*" | ||
311 | "admin access": | ||
312 | who: | ||
313 | access: | ||
314 | allow: | ||
315 | - acl: loopback | ||
316 | - acl: admin | ||
317 | oauth: | ||
318 | scope: "ejabberd:admin" | ||
319 | access: | ||
320 | allow: | ||
321 | - acl: loopback | ||
322 | - acl: admin | ||
323 | what: | ||
324 | - "*" | ||
325 | - "!stop" | ||
326 | - "!start" | ||
327 | "public commands": | ||
328 | who: | ||
329 | ip: 127.0.0.1/8 | ||
330 | what: | ||
331 | - status | ||
332 | - connected_users_number | ||
333 | |||
334 | shaper: | ||
335 | normal: | ||
336 | rate: 3000 | ||
337 | burst_size: 20000 | ||
338 | fast: 100000 | ||
339 | |||
340 | shaper_rules: | ||
341 | max_user_sessions: 10 | ||
342 | max_user_offline_messages: | ||
343 | 5000: admin | ||
344 | 100: all | ||
345 | c2s_shaper: | ||
346 | none: admin | ||
347 | normal: all | ||
348 | s2s_shaper: fast | ||
349 | |||
350 | modules: | ||
351 | mod_adhoc: {} | ||
352 | mod_admin_extra: {} | ||
353 | mod_announce: | ||
354 | access: announce | ||
355 | mod_avatar: {} | ||
356 | mod_blocking: {} | ||
357 | mod_bosh: {} | ||
358 | mod_caps: {} | ||
359 | mod_carboncopy: {} | ||
360 | mod_client_state: {} | ||
361 | mod_configure: {} | ||
362 | mod_disco: {} | ||
363 | mod_fail2ban: {} | ||
364 | mod_http_api: {} | ||
365 | # mod_http_upload: | ||
366 | # put_url: https://@HOST@:5443/upload | ||
367 | # custom_headers: | ||
368 | # "Access-Control-Allow-Origin": "https://@HOST@" | ||
369 | # "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS" | ||
370 | # "Access-Control-Allow-Headers": "Content-Type" | ||
371 | mod_last: {} | ||
372 | mod_mam: | ||
373 | ## Mnesia is limited to 2GB, better to use an SQL backend | ||
374 | ## For small servers SQLite is a good fit and is very easy | ||
375 | ## to configure. Uncomment this when you have SQL configured: | ||
376 | ## db_type: sql | ||
377 | assume_mam_usage: true | ||
378 | default: always | ||
379 | mod_mqtt: {} | ||
380 | mod_muc: | ||
381 | access: | ||
382 | - allow | ||
383 | access_admin: | ||
384 | - allow: admin | ||
385 | access_create: muc_create | ||
386 | access_persistent: muc_create | ||
387 | access_mam: | ||
388 | - allow | ||
389 | default_room_options: | ||
390 | mam: true | ||
391 | mod_muc_admin: {} | ||
392 | mod_offline: | ||
393 | access_max_user_messages: max_user_offline_messages | ||
394 | mod_ping: {} | ||
395 | mod_privacy: {} | ||
396 | mod_private: {} | ||
397 | mod_proxy65: | ||
398 | access: local | ||
399 | max_connections: 5 | ||
400 | mod_pubsub: | ||
401 | access_createnode: pubsub_createnode | ||
402 | plugins: | ||
403 | - flat | ||
404 | - pep | ||
405 | force_node_config: | ||
406 | ## Avoid buggy clients to make their bookmarks public | ||
407 | storage:bookmarks: | ||
408 | access_model: whitelist | ||
409 | mod_push: {} | ||
410 | mod_push_keepalive: {} | ||
411 | mod_register: | ||
412 | ## Only accept registration requests from the "trusted" | ||
413 | ## network (see access_rules section above). | ||
414 | ## Think twice before enabling registration from any | ||
415 | ## address. See the Jabber SPAM Manifesto for details: | ||
416 | ## https://github.com/ge0rg/jabber-spam-fighting-manifesto | ||
417 | ip_access: trusted_network | ||
418 | mod_roster: | ||
419 | versioning: true | ||
420 | mod_s2s_dialback: {} | ||
421 | mod_shared_roster: {} | ||
422 | mod_stream_mgmt: | ||
423 | resend_on_timeout: if_offline | ||
424 | mod_stun_disco: {} | ||
425 | mod_vcard: {} | ||
426 | mod_vcard_xupdate: {} | ||
427 | mod_version: | ||
428 | show_os: false | ||
300 | ''; | 429 | ''; |
301 | |||
302 | virtualHosts = builtins.listToAttrs (map (name: { inherit name; value = prosodyVirtHost name; }) | ||
303 | ["xmpp.li" "yggdrasil.li" "praseodym.org" "141.li" "nights.email"]); | ||
304 | |||
305 | xmppComplianceSuite = false; | ||
306 | }; | 430 | }; |
431 | |||
307 | security.pam.services."xmpp".text = '' | 432 | security.pam.services."xmpp".text = '' |
308 | auth requisite pam_succeed_if.so user ingroup xmpp | 433 | auth requisite pam_succeed_if.so user ingroup xmpp |
309 | auth required pam_unix.so audit | 434 | auth required pam_unix.so audit |
310 | ''; | 435 | ''; |
311 | users.groups."shadow" = { | 436 | users.groups."shadow" = { |
312 | members = [ "prosody" | 437 | members = [ "ejabberd" |
313 | ]; | 438 | ]; |
314 | }; | 439 | }; |
315 | users.groups."xmpp" = {}; | 440 | users.groups."xmpp" = {}; |