1 files changed, 190 insertions, 65 deletions
diff --git a/ymir.nix b/ymir.nix
index 9c01b067..abb40975 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -6,18 +6,6 @@ let
  luaPam = pkgs.callPackage ./custom/luaPam.nix {};
  luaPosix = pkgs.callPackage ./custom/luaPosix.nix {};
  luaSha2 = pkgs.callPackage ./custom/luaSha2.nix {};
-  prosodyAuth = pkgs.callPackage ./custom/prosody-auth.nix {};
-  prosodyVirtHost = name: {
-    enabled = true;
-    domain = name;
-    ssl = {
-      key = "/var/lib/acme/yggdrasil.li/key.pem";
-      cert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
-      extraOptions = {
-        dhparam = config.security.dhparams.params.prosody.path;
-      };
-    };
-  };
  myDomains = [ "dirty-haskell.org" "www.dirty-haskell.org" "lists.dirty-haskell.org" "l.dirty-haskell.org"
                "online.141.li" "o.141.li" "ftp.141.li" "files.141.li" "f.141.li" "ymir.141.li" "141.li" "www.141.li" "lists.141.li" "l.141.li" "rpg.141.li" "odin.141.li"
                "ymir.xmpp.li" "xmpp.li" "www.xmpp.li" "lists.xmpp.li" "l.xmpp.li" "muc.xmpp.li" "proxy.xmpp.li"
@@ -68,13 +56,6 @@ in rec {
  nixpkgs.overlays = [
    (self: super: {
-      prosody = self.callPackage ./customized/prosody.nix ({
-          inherit (self.lua51Packages) luasocket luaexpat luafilesystem luabitop luaevent luasec luadbi;
-          lua5 = pkgs.lua5_1;
-          withCommunityModules = ["carbons" "reload_modules" "csi" "cloud_notify" "csi_pump" "smacks" "track_muc_joins" "watchuntrusted"];
-          extraModules = [prosodyAuth];
-          extraLibs = [luaPam luaPosix luaSha2] ++ (with self.lua51Packages; [lua-zlib]);
-        });
      # uwsgi = pkgs.callPackage ./customized/uwsgi.nix {
      #   extraPlugins = {
      #     cgi = {
@@ -243,7 +224,7 @@ in rec {
  };
  users.groups."ssl" = {
-    members = [ "prosody"
+    members = [ "ejabberd"
                "nginx"
                "postfix"
                "murmur"
@@ -257,59 +238,203 @@ in rec {
      SystemMaxUse=100M 
    '';
  };
-    
-  services.prosody = {
-    enable = true;
-    admins = [
-               "gkleen@xmpp.li"
-               "gkleen@praseodym.org"
-               "gkleen@141.li"
-               "gkleen@yggdrasil.li"
-             ];
-    allowRegistration = false;
-    extraModules = [ "posix"
-                     "private"
-                     "auth_custom"
-                     "carbons"
-                     "reload_modules"
-                     "smacks"
-                     "csi"
-                     "csi_pump"
-                     "cloud_notify"
-                     "pep"
-                     "disco"
-                     "admin_adhoc"
-                     "watchuntrusted"
-                   ];
-    extraConfig = ''
-      reload_modules = { "group", "tls" }
-      authentication="custom"
-      custom_alias_file="/etc/prosody/aliases"
-      custom_alias_secret_file="/etc/prosody/alias_secret"
-      Component "alias.xmpp.li"
+  services.ejabberd = {
-        Include "/etc/prosody/alias.xmpp.li.cfg.lua"
+    enable = true;
+    package = pkgs.ejabberd.override { withPam = true; };
-      Component "muc.xmpp.li" "muc"
+    configFile = ''
-        restrict_room_creation = true
+      loglevel: 4
-        max_history_messages = 100
+      hosts:
-        name = "Multi-user chats"
+        - xmpp.li
+        - yggdrasil.li
-      Component "proxy.xmpp.li" "proxy65"
+        - praseodym.org
-        proxy65_acl = {"xmpp.li", "yggdrasil.li", "praseodym.org", "141.li", "nights.email"};
+        - 141.li
+        - nights.email
+      certfiles: 
+        - /var/lib/acme/yggdrasil.li/fullchain.pem
+        - /var/lib/acme/yggdrasil.li/key.pem
+      listen:
+        - port: 5222
+          ip: "::"
+          module: ejabberd_c2s
+          starttls: true
+          starttls_required: true
+          max_stanza_size: 262144
+          shaper: c2s_shaper
+          access: c2s
+        - port: 5269
+          ip: "::"
+          module: ejabberd_s2s_in
+          max_stanza_size: 524288
+    s2s_use_starttls: optional
+    auth_method: [pam]
+    pam_service: xmpp
+    acl:
+      local:
+        user_regexp: ""
+      loopback:
+        ip:
+          - 127.0.0.0/8
+          - ::1/128
+      admin:
+        user:
+          - "gkleen@xmpp.li"
+          - "gkleen@praseodym.org"
+          - "gkleen@141.li"
+          - "gkleen@yggdrasil.li"
+    access_rules:
+      local:
+        allow: local
+      c2s:
+        deny: blocked
+        allow: all
+      announce:
+        allow: admin
+      configure:
+        allow: admin
+      muc_create:
+        allow: local
+      pubsub_createnode:
+        allow: local
+      trusted_network:
+        allow: loopback
+    api_permissions:
+      "console commands":
+        from:
+          - ejabberd_ctl
+        who: all
+        what: "*"
+      "admin access":
+        who:
+          access:
+            allow:
+              - acl: loopback
+              - acl: admin
+          oauth:
+            scope: "ejabberd:admin"
+            access:
+              allow:
+                - acl: loopback
+                - acl: admin
+        what:
+          - "*"
+          - "!stop"
+          - "!start"
+      "public commands":
+        who:
+          ip: 127.0.0.1/8
+        what:
+          - status
+          - connected_users_number
+    shaper:
+      normal:
+        rate: 3000
+        burst_size: 20000
+      fast: 100000
+    shaper_rules:
+      max_user_sessions: 10
+      max_user_offline_messages:
+        5000: admin
+        100: all
+      c2s_shaper:
+        none: admin
+        normal: all
+      s2s_shaper: fast
+    modules:
+      mod_adhoc: {}
+      mod_admin_extra: {}
+      mod_announce:
+        access: announce
+      mod_avatar: {}
+      mod_blocking: {}
+      mod_bosh: {}
+      mod_caps: {}
+      mod_carboncopy: {}
+      mod_client_state: {}
+      mod_configure: {}
+      mod_disco: {}
+      mod_fail2ban: {}
+      mod_http_api: {}
+      # mod_http_upload:
+      #   put_url: https://@HOST@:5443/upload
+      #   custom_headers:
+      #     "Access-Control-Allow-Origin": "https://@HOST@"
+      #     "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
+      #     "Access-Control-Allow-Headers": "Content-Type"
+      mod_last: {}
+      mod_mam:
+        ## Mnesia is limited to 2GB, better to use an SQL backend
+        ## For small servers SQLite is a good fit and is very easy
+        ## to configure. Uncomment this when you have SQL configured:
+        ## db_type: sql
+        assume_mam_usage: true
+        default: always
+      mod_mqtt: {}
+      mod_muc:
+        access:
+          - allow
+        access_admin:
+          - allow: admin
+        access_create: muc_create
+        access_persistent: muc_create
+        access_mam:
+          - allow
+        default_room_options:
+          mam: true
+      mod_muc_admin: {}
+      mod_offline:
+        access_max_user_messages: max_user_offline_messages
+      mod_ping: {}
+      mod_privacy: {}
+      mod_private: {}
+      mod_proxy65:
+        access: local
+        max_connections: 5
+      mod_pubsub:
+        access_createnode: pubsub_createnode
+        plugins:
+          - flat
+          - pep
+        force_node_config:
+          ## Avoid buggy clients to make their bookmarks public
+          storage:bookmarks:
+            access_model: whitelist
+      mod_push: {}
+      mod_push_keepalive: {}
+      mod_register:
+        ## Only accept registration requests from the "trusted"
+        ## network (see access_rules section above).
+        ## Think twice before enabling registration from any
+        ## address. See the Jabber SPAM Manifesto for details:
+        ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
+        ip_access: trusted_network
+      mod_roster:
+        versioning: true
+      mod_s2s_dialback: {}
+      mod_shared_roster: {}
+      mod_stream_mgmt:
+        resend_on_timeout: if_offline
+      mod_stun_disco: {}
+      mod_vcard: {}
+      mod_vcard_xupdate: {}
+      mod_version:
+        show_os: false
    '';
-    virtualHosts = builtins.listToAttrs (map (name: { inherit name; value = prosodyVirtHost name; })
-      ["xmpp.li" "yggdrasil.li" "praseodym.org" "141.li" "nights.email"]);
-    xmppComplianceSuite = false;
  };
  security.pam.services."xmpp".text = ''
    auth requisite  pam_succeed_if.so user ingroup xmpp
    auth required   pam_unix.so audit
  '';
  users.groups."shadow" = {
-    members = [ "prosody"
+    members = [ "ejabberd"
              ];
  };
  users.groups."xmpp" = {};

diff --git a/ymir.nix b/ymir.nix index 9c01b067..abb40975 100644 --- a/ymir.nix +++ b/ymir.nix
@@ -6,18 +6,6 @@ let
6	luaPam = pkgs.callPackage ./custom/luaPam.nix {};	6	luaPam = pkgs.callPackage ./custom/luaPam.nix {};
7	luaPosix = pkgs.callPackage ./custom/luaPosix.nix {};	7	luaPosix = pkgs.callPackage ./custom/luaPosix.nix {};
8	luaSha2 = pkgs.callPackage ./custom/luaSha2.nix {};	8	luaSha2 = pkgs.callPackage ./custom/luaSha2.nix {};
9	prosodyAuth = pkgs.callPackage ./custom/prosody-auth.nix {};
10	prosodyVirtHost = name: {
11	enabled = true;
12	domain = name;
13	ssl = {
14	key = "/var/lib/acme/yggdrasil.li/key.pem";
15	cert = "/var/lib/acme/yggdrasil.li/fullchain.pem";
16	extraOptions = {
17	dhparam = config.security.dhparams.params.prosody.path;
18	};
19	};
20	};
21	myDomains = [ "dirty-haskell.org" "www.dirty-haskell.org" "lists.dirty-haskell.org" "l.dirty-haskell.org"	9	myDomains = [ "dirty-haskell.org" "www.dirty-haskell.org" "lists.dirty-haskell.org" "l.dirty-haskell.org"
22	"online.141.li" "o.141.li" "ftp.141.li" "files.141.li" "f.141.li" "ymir.141.li" "141.li" "www.141.li" "lists.141.li" "l.141.li" "rpg.141.li" "odin.141.li"	10	"online.141.li" "o.141.li" "ftp.141.li" "files.141.li" "f.141.li" "ymir.141.li" "141.li" "www.141.li" "lists.141.li" "l.141.li" "rpg.141.li" "odin.141.li"
23	"ymir.xmpp.li" "xmpp.li" "www.xmpp.li" "lists.xmpp.li" "l.xmpp.li" "muc.xmpp.li" "proxy.xmpp.li"	11	"ymir.xmpp.li" "xmpp.li" "www.xmpp.li" "lists.xmpp.li" "l.xmpp.li" "muc.xmpp.li" "proxy.xmpp.li"
@@ -68,13 +56,6 @@ in rec {
68		56
69	nixpkgs.overlays = [	57	nixpkgs.overlays = [
70	(self: super: {	58	(self: super: {
71	prosody = self.callPackage ./customized/prosody.nix ({
72	inherit (self.lua51Packages) luasocket luaexpat luafilesystem luabitop luaevent luasec luadbi;
73	lua5 = pkgs.lua5_1;
74	withCommunityModules = ["carbons" "reload_modules" "csi" "cloud_notify" "csi_pump" "smacks" "track_muc_joins" "watchuntrusted"];
75	extraModules = [prosodyAuth];
76	extraLibs = [luaPam luaPosix luaSha2] ++ (with self.lua51Packages; [lua-zlib]);
77	});
78	# uwsgi = pkgs.callPackage ./customized/uwsgi.nix {	59	# uwsgi = pkgs.callPackage ./customized/uwsgi.nix {
79	# extraPlugins = {	60	# extraPlugins = {
80	# cgi = {	61	# cgi = {
@@ -243,7 +224,7 @@ in rec {
243	};	224	};
244		225
245	users.groups."ssl" = {	226	users.groups."ssl" = {
246	members = [ "prosody"	227	members = [ "ejabberd"
247	"nginx"	228	"nginx"
248	"postfix"	229	"postfix"
249	"murmur"	230	"murmur"
@@ -257,59 +238,203 @@ in rec {
257	SystemMaxUse=100M	238	SystemMaxUse=100M
258	'';	239	'';
259	};	240	};
260
261	services.prosody = {
262	enable = true;
263	admins = [
264	"gkleen@xmpp.li"
265	"gkleen@praseodym.org"
266	"gkleen@141.li"
267	"gkleen@yggdrasil.li"
268	];
269	allowRegistration = false;
270	extraModules = [ "posix"
271	"private"
272	"auth_custom"
273	"carbons"
274	"reload_modules"
275	"smacks"
276	"csi"
277	"csi_pump"
278	"cloud_notify"
279	"pep"
280	"disco"
281	"admin_adhoc"
282	"watchuntrusted"
283	];
284	extraConfig = ''
285	reload_modules = { "group", "tls" }
286	authentication="custom"
287	custom_alias_file="/etc/prosody/aliases"
288	custom_alias_secret_file="/etc/prosody/alias_secret"
289		241
290	Component "alias.xmpp.li"	242	services.ejabberd = {
291	Include "/etc/prosody/alias.xmpp.li.cfg.lua"	243	enable = true;
292		244	package = pkgs.ejabberd.override { withPam = true; };
293	Component "muc.xmpp.li" "muc"	245	configFile = ''
294	restrict_room_creation = true	246	loglevel: 4
295	max_history_messages = 100	247	hosts:
296	name = "Multi-user chats"	248	- xmpp.li
297		249	- yggdrasil.li
298	Component "proxy.xmpp.li" "proxy65"	250	- praseodym.org
299	proxy65_acl = {"xmpp.li", "yggdrasil.li", "praseodym.org", "141.li", "nights.email"};	251	- 141.li
		252	- nights.email
		253	certfiles:
		254	- /var/lib/acme/yggdrasil.li/fullchain.pem
		255	- /var/lib/acme/yggdrasil.li/key.pem
		256	listen:
		257	- port: 5222
		258	ip: "::"
		259	module: ejabberd_c2s
		260	starttls: true
		261	starttls_required: true
		262	max_stanza_size: 262144
		263	shaper: c2s_shaper
		264	access: c2s
		265	- port: 5269
		266	ip: "::"
		267	module: ejabberd_s2s_in
		268	max_stanza_size: 524288
		269	s2s_use_starttls: optional
		270
		271	auth_method: [pam]
		272	pam_service: xmpp
		273
		274	acl:
		275	local:
		276	user_regexp: ""
		277	loopback:
		278	ip:
		279	- 127.0.0.0/8
		280	- ::1/128
		281	admin:
		282	user:
		283	- "gkleen@xmpp.li"
		284	- "gkleen@praseodym.org"
		285	- "gkleen@141.li"
		286	- "gkleen@yggdrasil.li"
		287
		288	access_rules:
		289	local:
		290	allow: local
		291	c2s:
		292	deny: blocked
		293	allow: all
		294	announce:
		295	allow: admin
		296	configure:
		297	allow: admin
		298	muc_create:
		299	allow: local
		300	pubsub_createnode:
		301	allow: local
		302	trusted_network:
		303	allow: loopback
		304
		305	api_permissions:
		306	"console commands":
		307	from:
		308	- ejabberd_ctl
		309	who: all
		310	what: "*"
		311	"admin access":
		312	who:
		313	access:
		314	allow:
		315	- acl: loopback
		316	- acl: admin
		317	oauth:
		318	scope: "ejabberd:admin"
		319	access:
		320	allow:
		321	- acl: loopback
		322	- acl: admin
		323	what:
		324	- "*"
		325	- "!stop"
		326	- "!start"
		327	"public commands":
		328	who:
		329	ip: 127.0.0.1/8
		330	what:
		331	- status
		332	- connected_users_number
		333
		334	shaper:
		335	normal:
		336	rate: 3000
		337	burst_size: 20000
		338	fast: 100000
		339
		340	shaper_rules:
		341	max_user_sessions: 10
		342	max_user_offline_messages:
		343	5000: admin
		344	100: all
		345	c2s_shaper:
		346	none: admin
		347	normal: all
		348	s2s_shaper: fast
		349
		350	modules:
		351	mod_adhoc: {}
		352	mod_admin_extra: {}
		353	mod_announce:
		354	access: announce
		355	mod_avatar: {}
		356	mod_blocking: {}
		357	mod_bosh: {}
		358	mod_caps: {}
		359	mod_carboncopy: {}
		360	mod_client_state: {}
		361	mod_configure: {}
		362	mod_disco: {}
		363	mod_fail2ban: {}
		364	mod_http_api: {}
		365	# mod_http_upload:
		366	# put_url: https://@HOST@:5443/upload
		367	# custom_headers:
		368	# "Access-Control-Allow-Origin": "https://@HOST@"
		369	# "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
		370	# "Access-Control-Allow-Headers": "Content-Type"
		371	mod_last: {}
		372	mod_mam:
		373	## Mnesia is limited to 2GB, better to use an SQL backend
		374	## For small servers SQLite is a good fit and is very easy
		375	## to configure. Uncomment this when you have SQL configured:
		376	## db_type: sql
		377	assume_mam_usage: true
		378	default: always
		379	mod_mqtt: {}
		380	mod_muc:
		381	access:
		382	- allow
		383	access_admin:
		384	- allow: admin
		385	access_create: muc_create
		386	access_persistent: muc_create
		387	access_mam:
		388	- allow
		389	default_room_options:
		390	mam: true
		391	mod_muc_admin: {}
		392	mod_offline:
		393	access_max_user_messages: max_user_offline_messages
		394	mod_ping: {}
		395	mod_privacy: {}
		396	mod_private: {}
		397	mod_proxy65:
		398	access: local
		399	max_connections: 5
		400	mod_pubsub:
		401	access_createnode: pubsub_createnode
		402	plugins:
		403	- flat
		404	- pep
		405	force_node_config:
		406	## Avoid buggy clients to make their bookmarks public
		407	storage:bookmarks:
		408	access_model: whitelist
		409	mod_push: {}
		410	mod_push_keepalive: {}
		411	mod_register:
		412	## Only accept registration requests from the "trusted"
		413	## network (see access_rules section above).
		414	## Think twice before enabling registration from any
		415	## address. See the Jabber SPAM Manifesto for details:
		416	## https://github.com/ge0rg/jabber-spam-fighting-manifesto
		417	ip_access: trusted_network
		418	mod_roster:
		419	versioning: true
		420	mod_s2s_dialback: {}
		421	mod_shared_roster: {}
		422	mod_stream_mgmt:
		423	resend_on_timeout: if_offline
		424	mod_stun_disco: {}
		425	mod_vcard: {}
		426	mod_vcard_xupdate: {}
		427	mod_version:
		428	show_os: false
300	'';	429	'';
301
302	virtualHosts = builtins.listToAttrs (map (name: { inherit name; value = prosodyVirtHost name; })
303	["xmpp.li" "yggdrasil.li" "praseodym.org" "141.li" "nights.email"]);
304
305	xmppComplianceSuite = false;
306	};	430	};
		431
307	security.pam.services."xmpp".text = ''	432	security.pam.services."xmpp".text = ''
308	auth requisite pam_succeed_if.so user ingroup xmpp	433	auth requisite pam_succeed_if.so user ingroup xmpp
309	auth required pam_unix.so audit	434	auth required pam_unix.so audit
310	'';	435	'';
311	users.groups."shadow" = {	436	users.groups."shadow" = {
312	members = [ "prosody"	437	members = [ "ejabberd"
313	];	438	];
314	};	439	};
315	users.groups."xmpp" = {};	440	users.groups."xmpp" = {};