Diffstat (limited to 'ymir.nix')
-rw-r--r--ymir.nix186
1 files changed, 1 insertions, 185 deletions
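--- a/ymir.nix
+++ b/ymir.nix
@@ -242,191 +242,7 @@ in rec {
 services.ejabberd = {
 enable = true;
 package = pkgs.ejabberd.override { withPam = true; };
-configFile = ''
+configFile = ./ymir/ejabberd.yml;
-loglevel: 4
-hosts:
-- xmpp.li
-- yggdrasil.li
-- praseodym.org
-- 141.li
-- nights.email
-certfiles:
-- /var/lib/acme/yggdrasil.li/fullchain.pem
-- /var/lib/acme/yggdrasil.li/key.pem
-listen:
-- port: 5222
-ip: "::"
-module: ejabberd_c2s
-starttls: true
-starttls_required: true
-max_stanza_size: 262144
-shaper: c2s_shaper
-access: c2s
-- port: 5269
-ip: "::"
-module: ejabberd_s2s_in
-max_stanza_size: 524288
-s2s_use_starttls: optional
-
-auth_method: [pam]
-pam_service: xmpp
-
-acl:
-local:
-user_regexp: ""
-loopback:
-ip:
-- 127.0.0.0/8
-- ::1/128
-admin:
-user:
-- "gkleen@xmpp.li"
-- "gkleen@praseodym.org"
-- "gkleen@141.li"
-- "gkleen@yggdrasil.li"
-
-access_rules:
-local:
-allow: local
-c2s:
-deny: blocked
-allow: all
-announce:
-allow: admin
-configure:
-allow: admin
-muc_create:
-allow: local
-pubsub_createnode:
-allow: local
-trusted_network:
-allow: loopback
-
-api_permissions:
-"console commands":
-from:
-- ejabberd_ctl
-who: all
-what: "*"
-"admin access":
-who:
-access:
-allow:
-- acl: loopback
-- acl: admin
-oauth:
-scope: "ejabberd:admin"
-access:
-allow:
-- acl: loopback
-- acl: admin
-what:
-- "*"
-- "!stop"
-- "!start"
-"public commands":
-who:
-ip: 127.0.0.1/8
-what:
-- status
-- connected_users_number
-
-shaper:
-normal:
-rate: 3000
-burst_size: 20000
-fast: 100000
-
-shaper_rules:
-max_user_sessions: 10
-max_user_offline_messages:
-5000: admin
-100: all
-c2s_shaper:
-none: admin
-normal: all
-s2s_shaper: fast
-
-modules:
-mod_adhoc: {}
-mod_admin_extra: {}
-mod_announce:
-access: announce
-mod_avatar: {}
-mod_blocking: {}
-mod_bosh: {}
-mod_caps: {}
-mod_carboncopy: {}
-mod_client_state: {}
-mod_configure: {}
-mod_disco: {}
-mod_fail2ban: {}
-mod_http_api: {}
-# mod_http_upload:
-# put_url: https://@HOST@:5443/upload
-# custom_headers:
-# "Access-Control-Allow-Origin": "https://@HOST@"
-# "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
-# "Access-Control-Allow-Headers": "Content-Type"
-mod_last: {}
-mod_mam:
-## Mnesia is limited to 2GB, better to use an SQL backend
-## For small servers SQLite is a good fit and is very easy
-## to configure. Uncomment this when you have SQL configured:
-## db_type: sql
-assume_mam_usage: true
-default: always
-mod_mqtt: {}
-mod_muc:
-access:
-- allow
-access_admin:
-- allow: admin
-access_create: muc_create
-access_persistent: muc_create
-access_mam:
-- allow
-default_room_options:
-mam: true
-mod_muc_admin: {}
-mod_offline:
-access_max_user_messages: max_user_offline_messages
-mod_ping: {}
-mod_privacy: {}
-mod_private: {}
-mod_proxy65:
-access: local
-max_connections: 5
-mod_pubsub:
-access_createnode: pubsub_createnode
-plugins:
-- flat
-- pep
-force_node_config:
-## Avoid buggy clients to make their bookmarks public
-storage:bookmarks:
-access_model: whitelist
-mod_push: {}
-mod_push_keepalive: {}
-mod_register:
-## Only accept registration requests from the "trusted"
-## network (see access_rules section above).
-## Think twice before enabling registration from any
-## address. See the Jabber SPAM Manifesto for details:
-## https://github.com/ge0rg/jabber-spam-fighting-manifesto
-ip_access: trusted_network
-mod_roster:
-versioning: true
-mod_s2s_dialback: {}
-mod_shared_roster: {}
-mod_stream_mgmt:
-resend_on_timeout: if_offline
-mod_stun_disco: {}
-mod_vcard: {}
-mod_vcard_xupdate: {}
-mod_version:
-show_os: false
-'';
 };
 
 security.pam.services."xmpp".text = ''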
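Review bot: The new `configFile = ./ymir/ejabberd.yml;` is a Nix path literal, so the file is presumably copied into the Nix store, which every local user can read, and nothing next to the line says so. The removed inline text held no credentials (PAM auth, certificates referenced by path), but a later change such as the SQL backend hinted at under mod_mam would put a password into that file. I would add a comment above the line, `# copied into the world-readable Nix store: keep credentials out of ymir/ejabberd.yml`. ymir/ejabberd.yml itself is outside this view (the diffstat is limited to ymir.nix), so whether settings such as `s2s_use_starttls: optional` were carried over unchanged cannot be confirmed here.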