From f8a30dfd880637a9db306fd16b0da22354d93d03 Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 12 Jul 2020 19:37:23 +0200 Subject: ymir: prosody -> ejabberd --- ymir.nix | 255 +++++++++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 190 insertions(+), 65 deletions(-) (limited to 'ymir.nix') diff --git a/ymir.nix b/ymir.nix index 9c01b067..abb40975 100644 --- a/ymir.nix +++ b/ymir.nix @@ -6,18 +6,6 @@ let luaPam = pkgs.callPackage ./custom/luaPam.nix {}; luaPosix = pkgs.callPackage ./custom/luaPosix.nix {}; luaSha2 = pkgs.callPackage ./custom/luaSha2.nix {}; - prosodyAuth = pkgs.callPackage ./custom/prosody-auth.nix {}; - prosodyVirtHost = name: { - enabled = true; - domain = name; - ssl = { - key = "/var/lib/acme/yggdrasil.li/key.pem"; - cert = "/var/lib/acme/yggdrasil.li/fullchain.pem"; - extraOptions = { - dhparam = config.security.dhparams.params.prosody.path; - }; - }; - }; myDomains = [ "dirty-haskell.org" "www.dirty-haskell.org" "lists.dirty-haskell.org" "l.dirty-haskell.org" "online.141.li" "o.141.li" "ftp.141.li" "files.141.li" "f.141.li" "ymir.141.li" "141.li" "www.141.li" "lists.141.li" "l.141.li" "rpg.141.li" "odin.141.li" "ymir.xmpp.li" "xmpp.li" "www.xmpp.li" "lists.xmpp.li" "l.xmpp.li" "muc.xmpp.li" "proxy.xmpp.li" @@ -68,13 +56,6 @@ in rec { nixpkgs.overlays = [ (self: super: { - prosody = self.callPackage ./customized/prosody.nix ({ - inherit (self.lua51Packages) luasocket luaexpat luafilesystem luabitop luaevent luasec luadbi; - lua5 = pkgs.lua5_1; - withCommunityModules = ["carbons" "reload_modules" "csi" "cloud_notify" "csi_pump" "smacks" "track_muc_joins" "watchuntrusted"]; - extraModules = [prosodyAuth]; - extraLibs = [luaPam luaPosix luaSha2] ++ (with self.lua51Packages; [lua-zlib]); - }); # uwsgi = pkgs.callPackage ./customized/uwsgi.nix { # extraPlugins = { # cgi = { @@ -243,7 +224,7 @@ in rec { }; users.groups."ssl" = { - members = [ "prosody" + members = [ "ejabberd" "nginx" "postfix" "murmur" 
@@ -257,59 +238,203 @@ in rec { SystemMaxUse=100M ''; }; - - services.prosody = { - enable = true; - admins = [ - "gkleen@xmpp.li" - "gkleen@praseodym.org" - "gkleen@141.li" - "gkleen@yggdrasil.li" - ]; - allowRegistration = false; - extraModules = [ "posix" - "private" - "auth_custom" - "carbons" - "reload_modules" - "smacks" - "csi" - "csi_pump" - "cloud_notify" - "pep" - "disco" - "admin_adhoc" - "watchuntrusted" - ]; - extraConfig = '' - reload_modules = { "group", "tls" } - authentication="custom" - custom_alias_file="/etc/prosody/aliases" - custom_alias_secret_file="/etc/prosody/alias_secret" - Component "alias.xmpp.li" - Include "/etc/prosody/alias.xmpp.li.cfg.lua" - - Component "muc.xmpp.li" "muc" - restrict_room_creation = true - max_history_messages = 100 - name = "Multi-user chats" - - Component "proxy.xmpp.li" "proxy65" - proxy65_acl = {"xmpp.li", "yggdrasil.li", "praseodym.org", "141.li", "nights.email"}; + services.ejabberd = { + enable = true; + package = pkgs.ejabberd.override { withPam = true; }; + configFile = '' + loglevel: 4 + hosts: + - xmpp.li + - yggdrasil.li + - praseodym.org + - 141.li + - nights.email + certfiles: + - /var/lib/acme/yggdrasil.li/fullchain.pem + - /var/lib/acme/yggdrasil.li/key.pem + listen: + - port: 5222 + ip: "::" + module: ejabberd_c2s + starttls: true + starttls_required: true + max_stanza_size: 262144 + shaper: c2s_shaper + access: c2s + - port: 5269 + ip: "::" + module: ejabberd_s2s_in + max_stanza_size: 524288 + s2s_use_starttls: optional + + auth_method: [pam] + pam_service: xmpp + + acl: + local: + user_regexp: "" + loopback: + ip: + - 127.0.0.0/8 + - ::1/128 + admin: + user: + - "gkleen@xmpp.li" + - "gkleen@praseodym.org" + - "gkleen@141.li" + - "gkleen@yggdrasil.li" + + access_rules: + local: + allow: local + c2s: + deny: blocked + allow: all + announce: + allow: admin + configure: + allow: admin + muc_create: + allow: local + pubsub_createnode: + allow: local + trusted_network: + allow: loopback + + 
api_permissions: + "console commands": + from: + - ejabberd_ctl + who: all + what: "*" + "admin access": + who: + access: + allow: + - acl: loopback + - acl: admin + oauth: + scope: "ejabberd:admin" + access: + allow: + - acl: loopback + - acl: admin + what: + - "*" + - "!stop" + - "!start" + "public commands": + who: + ip: 127.0.0.1/8 + what: + - status + - connected_users_number + + shaper: + normal: + rate: 3000 + burst_size: 20000 + fast: 100000 + + shaper_rules: + max_user_sessions: 10 + max_user_offline_messages: + 5000: admin + 100: all + c2s_shaper: + none: admin + normal: all + s2s_shaper: fast + + modules: + mod_adhoc: {} + mod_admin_extra: {} + mod_announce: + access: announce + mod_avatar: {} + mod_blocking: {} + mod_bosh: {} + mod_caps: {} + mod_carboncopy: {} + mod_client_state: {} + mod_configure: {} + mod_disco: {} + mod_fail2ban: {} + mod_http_api: {} + # mod_http_upload: + # put_url: https://@HOST@:5443/upload + # custom_headers: + # "Access-Control-Allow-Origin": "https://@HOST@" + # "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS" + # "Access-Control-Allow-Headers": "Content-Type" + mod_last: {} + mod_mam: + ## Mnesia is limited to 2GB, better to use an SQL backend + ## For small servers SQLite is a good fit and is very easy + ## to configure. 
Uncomment this when you have SQL configured: + ## db_type: sql + assume_mam_usage: true + default: always + mod_mqtt: {} + mod_muc: + access: + - allow + access_admin: + - allow: admin + access_create: muc_create + access_persistent: muc_create + access_mam: + - allow + default_room_options: + mam: true + mod_muc_admin: {} + mod_offline: + access_max_user_messages: max_user_offline_messages + mod_ping: {} + mod_privacy: {} + mod_private: {} + mod_proxy65: + access: local + max_connections: 5 + mod_pubsub: + access_createnode: pubsub_createnode + plugins: + - flat + - pep + force_node_config: + ## Avoid buggy clients to make their bookmarks public + storage:bookmarks: + access_model: whitelist + mod_push: {} + mod_push_keepalive: {} + mod_register: + ## Only accept registration requests from the "trusted" + ## network (see access_rules section above). + ## Think twice before enabling registration from any + ## address. See the Jabber SPAM Manifesto for details: + ## https://github.com/ge0rg/jabber-spam-fighting-manifesto + ip_access: trusted_network + mod_roster: + versioning: true + mod_s2s_dialback: {} + mod_shared_roster: {} + mod_stream_mgmt: + resend_on_timeout: if_offline + mod_stun_disco: {} + mod_vcard: {} + mod_vcard_xupdate: {} + mod_version: + show_os: false ''; - - virtualHosts = builtins.listToAttrs (map (name: { inherit name; value = prosodyVirtHost name; }) - ["xmpp.li" "yggdrasil.li" "praseodym.org" "141.li" "nights.email"]); - - xmppComplianceSuite = false; }; + security.pam.services."xmpp".text = '' auth requisite pam_succeed_if.so user ingroup xmpp auth required pam_unix.so audit ''; users.groups."shadow" = { - members = [ "prosody" + members = [ "ejabberd" ]; }; users.groups."xmpp" = {}; -- cgit v1.2.3
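Review bot: The new `ejabberd_s2s_in` listener still negotiates federation in the clear because `s2s_use_starttls: optional` lets a peer skip TLS; the certificates are already supplied in `certfiles`, so the stricter `s2s_use_starttls: required` costs nothing for peers that support STARTTLS and is the usual setting for a host that expects encrypted federation (whether the replaced Prosody config was stricter cannot be seen from this hunk). The `"public commands"` API permission matches `ip: 127.0.0.1/8` while the `loopback` ACL above spells the same network as `127.0.0.0/8`; reusing `who: acl: loopback`, as `"admin access"` already does, keeps the two in sync. `mod_http_api`, `mod_bosh` and `mod_mqtt` are enabled although `listen` defines only the c2s and s2s ports, so they appear to be inert until an `ejabberd_http` or MQTT listener is added — either add a comment saying that is intended or drop them for now. With the prosody overlay removed in the earlier hunk, the `luaPam`, `luaPosix` and `luaSha2` bindings kept in the `let` block have no remaining visible use in this file. The enclosing `in rec { … }` attribute set starts outside the hunk.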