nix-config/hosts/jabber/default.nix

{ zentralwerk, config, hostRegistry, pkgs, lib, ... }:

let
  domain = "jabber.c3d2.de";
in
{
  c3d2 = {
    deployment.server = "server10";
    hq.statistics.enable = true;
  };

  microvm.mem = 2048;

  networking = {
    hostName = "jabber";
    firewall = {
      allowedTCPPorts = [
        # Prosody
        80
        443
        5222
        5223
        5269
        5270
        5280
        5281
        # Coturn
        3478
        3479
      ];
      allowedUDPPorts = [
        # Coturn
        3478
        3479
      ];
    # TODO: allowedSCTPPorts
    };
  };

  security = {
    acme.certs."${domain}" = {
      extraDomainNames = [
        "chat.c3d2.de"
        "*.${domain}"
      ];
      # DynDNS method
      dnsProvider = "rfc2136";
      credentialsFile = config.sops.secrets."acme/credentials-file".path;
      reloadServices = [ "prosody" ];
      # Make keys accessible by putting them in prosody's group
      inherit (config.services.prosody) group;
    };
    dhparams = {
      enable = true;
      params.prosody = { };
    };
  };

  services = {
    backup = {
      enable = true;
      paths = [ "/var/lib/prosody/" ];
    };

    collectd.plugins.exec = ''
      Exec "${config.services.collectd.user}" "${lib.getExe pkgs.ruby}" "${./prosody-stats.rb}"
    '';

    coturn = {
      enable = true;
      realm = "turn.${domain}";
      static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;
      use-auth-secret = true;
      extraConfig = ''
        external-ip=${zentralwerk.lib.dns.publicIPv4}/${zentralwerk.lib.config.site.net.serv.hosts4.jabber}
        # secure-stun # not supported by jabber

        # no old shit
        no-tlsv1
        no-tlsv1_1

        # strongly encouraged options to decrease amplification attacks
        no-rfc5780
        no-stun-backward-compatibility
        response-origin-only-with-rfc5780
      '';
    };

    postgresql = {
      enable = true;
      ensureDatabases = [ "prosody" ];
      ensureUsers = [{
        name = "prosody";
        ensurePermissions = {
          "DATABASE prosody" = "ALL PRIVILEGES";
        };
      }];
      package = pkgs.postgresql_16;
      upgrade.stopServices = [ "prosody" ];
    };

    #TODO: txt records?
    prosody = {
      enable = true;
      allowRegistration = false;
      admins = [ "astro@spaceboyz.net" "0@jabber.c3d2.de" "nek0@jabber.c3d2.de" "sandro@jabber.c3d2.de" ];
      package = pkgs.prosody.override {
        withCommunityModules = [ "cloud_notify" "cloud_notify_extensions" "firewall" "presence_cache" ];
        withExtraLuaPackages = luaPackages: with luaPackages; [
          luadbi-postgresql
          luaossl # required by cloud_notify_extensions
        ];
      };

      modules = {
        # HTTP stuff
        bosh = true;
        http_altconnect = true;
        http_files = true;
        websocket = true;

        admin_telnet = true;
        announce = true;
        carbons = true;
        csi_simple = true;
        mam = true;
        # File-transfer proxies are an outdated technology
        proxy65 = false;
        server_contact_info = true;
        smacks = true;
        s2s_bidi = true;
        turn_external = true;
      };

      ssl = {
        key = "/var/lib/acme/${domain}/key.pem";
        cert = "/var/lib/acme/${domain}/fullchain.pem";
        extraOptions = {
          dhparam = config.security.dhparams.params.nginx.path;
        };
      };

      # encryption is a must
      c2sRequireEncryption = true;
      s2sRequireEncryption = true;
      s2sSecureAuth = true;

      virtualHosts = {
        "${domain}" = {
          enabled = true;
          inherit domain;
        };
        "anon.${domain}" = {
          enabled = true;
          domain = "anon.${domain}";
          extraConfig = ''
            authentication = "anonymous"
          '';
        };
      };
      muc = [{
        domain = "chat.c3d2.de";
        maxHistoryMessages = 100;
        name = "Group chats";
      }];

      httpPorts = [ 80 5280 ];
      httpsPorts = [ 443 5281 ];
      uploadHttp = {
        domain = "upload.${domain}";
        uploadFileSizeLimit = "10 * 1024 * 1024";
        userQuota = 512 * 1024 * 1024;
        uploadExpireAfter = "2 * 60 * 60";
      };

      extraConfig =
        let
          prosodyFirewall = pkgs.writeText "antispam.pfw" ''
            %ZONE spam: creep.im, default.rs, sj.ms, anonym.im, xmpp.jp, safetyjabber.com, im.hot-chilli.net, jabb3r.org, draugr.de, laba.im, xmpp.sh, jabber.bitactive.com, 404.city, jabber.cd, jabber.jc-otto.de, jabster.pl, jabber.no, anoxinon.me, ubuntu-jabber.net, anonarchy.im, jabber.freenet.de, exploit.im, 616.pub, omemo.im, rsocks.net, chatwith.xyz, jabber.cz, jabbim.cz, blabber.im, jabber.root.cz, jabb.im, jabber.infos.ru, jabbim.pl, jabbim.com, linuxlovers.at, jabbim.ru, jabber.sk, njs.netlab.cz, jabba.biz, chatterboxtown.us, crime.io, 0nl1ne.at, verdammung.org, im.apinc.org, 0day.la, 0day.im, xabber.de, conversations.im, jabber.de, chinwag.im, thesecure.biz, shad0w.ru, yourdata.forsale, linux.monster, xmpp.international, paranoid.network, og.im, 4ept.net, darknet.im, ubuntu-jabber.de, nixnet.services, marxist.club, dw.live, 01337.io, sqli.io, breached.im, pwned.life, jabber.fr, chatterboxtown.us, xmpp.xxx, ybgood.de, ejabber.co, jabbers.one

            IN ROSTER?
            PASS.

            LEAVING: spam
            BOUNCE=policy-violation (Your domain has been blacklisted due to spam.)
          '';
        in
        /* lua */ ''
          c2s_direct_tls_ports = { 5223 }
          c2s_direct_tls_ssl = {
            key = "/var/lib/acme/${domain}/key.pem",
            certificate = "/var/lib/acme/${domain}/fullchain.pem",
          }
          s2s_direct_tls_ports = { 5270 }
          certificates = "/var/lib/acme"

          contact_info = {
            abuse = { "mailto:mail@c3d2.de" };
            admin = { "mailto:mail@c3d2.de" };
            feedback = { "mailto:mail@c3d2.de" };
            -- sales = { "mailto:mail@c3d2.de" }; -- we don't sell anything ;)
            security = { "mailto:mail@c3d2.de" };
            support = { "mailto:mail@c3d2.de" };
          }

          storage = "sql"
          sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "" }
          log = { info = "*syslog"; }

          firewall_scripts = { "${prosodyFirewall}" }

          -- How to get the IPv6 from config?
          external_addresses = { "${zentralwerk.lib.dns.publicIPv4}", "2a00:8180:2c00:282:e058:3ff:fea2:d83a", "${hostRegistry.jabber.ip4}", "${hostRegistry.jabber.ip6}" }
          trusted_proxies = { "127.0.0.1", "::1", "${hostRegistry.public-access-proxy.ip4}", "${hostRegistry.public-access-proxy.ip6}" }
          http_cors_override = {
            bosh = {
              enabled = true;
            };
            websocket = {
              enabled = true;
            };
          }
          http_default_host = "${domain}"
          http_host = "${domain}"
          http_external_url = "https://${domain}/"
          http_upload_file_size_limit = 10 * 1024 * 1024
          http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds

          turn_external_host = "turn.${domain}";
          turn_external_secret = "$PROSODY_TURN_SECRET"
        '';
    };
  };

  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets = {
      "acme/credentials-file" = { };
      "coturn/static-auth-secret".owner = "turnserver";
      "prosody/enviroment" = { };
    };
  };

  systemd.services = {
    collectd.requires = [ "prosody.service" ];

    prosody.serviceConfig = {
      # Allow binding ports <1024
      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
      EnvironmentFile = config.sops.secrets."prosody/enviroment".path;
    };
  };

  system.stateVersion = "21.05";
}
Fix eval, remove useless attr hosts in hostRegistry, hosts are now directly at hostRegistry 2022-12-20 05:40:58 +01:00			`{ zentralwerk, config, hostRegistry, pkgs, lib, ... }:`
jabber: init 2021-10-18 03:46:25 +02:00
			`let`
			`domain = "jabber.c3d2.de";`
			`in`
			`{`
jabber: format 2023-05-22 00:44:40 +02:00			`c3d2 = {`
			`deployment.server = "server10";`
			`hq.statistics.enable = true;`
			`};`

jabber: microvmify 2022-06-20 00:15:34 +02:00			`microvm.mem = 2048;`

jabber: init 2021-10-18 03:46:25 +02:00			`networking = {`
			`hostName = "jabber";`
Enable firewall everywhere 2023-06-05 19:56:03 +02:00			`firewall = {`
			`allowedTCPPorts = [`
			`# Prosody`
jabber: add s2s tls, http_altdirect 2023-10-12 22:40:40 +02:00			`80`
			`443`
Enable firewall everywhere 2023-06-05 19:56:03 +02:00			`5222`
			`5223`
			`5269`
jabber: add s2s tls, http_altdirect 2023-10-12 22:40:40 +02:00			`5270`
Enable firewall everywhere 2023-06-05 19:56:03 +02:00			`5280`
			`5281`
			`# Coturn`
			`3478`
			`3479`
			`];`
			`allowedUDPPorts = [`
			`# Coturn`
			`3478`
			`3479`
			`];`
jabber: init 2021-10-18 03:46:25 +02:00			`# TODO: allowedSCTPPorts`
jabber: fix eval 2023-06-05 20:18:14 +02:00			`};`
jabber: init 2021-10-18 03:46:25 +02:00			`};`

jabber: remove default ssl options, use dhparams 2023-10-11 19:40:44 +02:00			`security = {`
			`acme.certs."${domain}" = {`
			`extraDomainNames = [`
			`"chat.c3d2.de"`
			`"*.${domain}"`
			`];`
			`# DynDNS method`
			`dnsProvider = "rfc2136";`
			`credentialsFile = config.sops.secrets."acme/credentials-file".path;`
			`reloadServices = [ "prosody" ];`
			`# Make keys accessible by putting them in prosody's group`
			`inherit (config.services.prosody) group;`
			`};`
			`dhparams = {`
			`enable = true;`
			`params.prosody = { };`
			`};`
jabber: init 2021-10-18 03:46:25 +02:00			`};`

jabber: format 2023-05-22 00:44:40 +02:00			`services = {`
Explicitly enable backups 2023-11-11 04:27:22 +01:00			`backup = {`
			`enable = true;`
			`paths = [ "/var/lib/prosody/" ];`
			`};`
jabber: add backups 2023-05-22 00:48:40 +02:00
jabber: format 2023-05-22 00:44:40 +02:00			`collectd.plugins.exec = ''`
jabber: cleanup 2023-10-11 20:19:55 +02:00			`Exec "${config.services.collectd.user}" "${lib.getExe pkgs.ruby}" "${./prosody-stats.rb}"`
jabber: format 2023-05-22 00:44:40 +02:00			`'';`

			`coturn = {`
			`enable = true;`
			`realm = "turn.${domain}";`
jabber: use auth-secret for coturn 2023-10-31 02:16:07 +01:00			`static-auth-secret-file = config.sops.secrets."coturn/static-auth-secret".path;`
			`use-auth-secret = true;`
jabber: use shorter, direct vars 2023-10-11 22:23:00 +02:00			`extraConfig = ''`
			`external-ip=${zentralwerk.lib.dns.publicIPv4}/${zentralwerk.lib.config.site.net.serv.hosts4.jabber}`
jabber: use auth-secret for coturn 2023-10-31 02:16:07 +01:00			`# secure-stun # not supported by jabber`

			`# no old shit`
			`no-tlsv1`
			`no-tlsv1_1`
Bump postgreses 2023-09-26 22:10:50 +02:00
jabber: use auth-secret for coturn 2023-10-31 02:16:07 +01:00			`# strongly encouraged options to decrease amplification attacks`
			`no-rfc5780`
			`no-stun-backward-compatibility`
			`response-origin-only-with-rfc5780`
jabber: format 2023-05-22 00:44:40 +02:00			`'';`
jabber: init 2021-10-18 03:46:25 +02:00			`};`
jabber: add stats, automatic prosody restart 2021-10-19 02:10:34 +02:00
jabber: format 2023-05-22 00:44:40 +02:00			`postgresql = {`
			`enable = true;`
jabber: format 2023-10-11 19:16:25 +02:00			`ensureDatabases = [ "prosody" ];`
jabber: format 2023-05-22 00:44:40 +02:00			`ensureUsers = [{`
			`name = "prosody";`
			`ensurePermissions = {`
			`"DATABASE prosody" = "ALL PRIVILEGES";`
			`};`
			`}];`
Bump postgreses 2023-09-26 22:10:50 +02:00			`package = pkgs.postgresql_16;`
jabber: format 2023-05-22 00:44:40 +02:00			`upgrade.stopServices = [ "prosody" ];`
jabber: init 2021-10-18 03:46:25 +02:00			`};`
jabber: format 2023-10-11 19:16:25 +02:00
jabber: format 2023-05-22 00:44:40 +02:00			`#TODO: txt records?`
jabber: fix eval 2023-05-22 00:50:25 +02:00			`prosody = {`
jabber: format 2023-05-22 00:44:40 +02:00			`enable = true;`
			`allowRegistration = false;`
jabber: fix neki admin, add sandro 2023-10-31 02:25:53 +01:00			`admins = [ "astro@spaceboyz.net" "0@jabber.c3d2.de" "nek0@jabber.c3d2.de" "sandro@jabber.c3d2.de" ];`
jabber: format 2023-05-22 00:44:40 +02:00			`package = pkgs.prosody.override {`
jabber: enable cloud_notify_extensions, presence_cache, s2s_bidi, csi_simple 2023-10-31 02:16:41 +01:00			`withCommunityModules = [ "cloud_notify" "cloud_notify_extensions" "firewall" "presence_cache" ];`
jabber: format 2023-05-22 00:44:40 +02:00			`withExtraLuaPackages = luaPackages: with luaPackages; [`
			`luadbi-postgresql`
jabber: enable cloud_notify_extensions, presence_cache, s2s_bidi, csi_simple 2023-10-31 02:16:41 +01:00			`luaossl # required by cloud_notify_extensions`
jabber: format 2023-05-22 00:44:40 +02:00			`];`
			`};`
jabber: init 2021-10-18 03:46:25 +02:00
jabber: format 2023-05-22 00:44:40 +02:00			`modules = {`
			`# HTTP stuff`
			`bosh = true;`
jabber: add s2s tls, http_altdirect 2023-10-12 22:40:40 +02:00			`http_altconnect = true;`
jabber: format 2023-05-22 00:44:40 +02:00			`http_files = true;`
jabber: format 2023-10-11 19:16:25 +02:00			`websocket = true;`
jabber: format 2023-05-22 00:44:40 +02:00
			`admin_telnet = true;`
			`announce = true;`
			`carbons = true;`
jabber: enable cloud_notify_extensions, presence_cache, s2s_bidi, csi_simple 2023-10-31 02:16:41 +01:00			`csi_simple = true;`
			`mam = true;`
jabber: add s2s tls, http_altdirect 2023-10-12 22:40:40 +02:00			`# File-transfer proxies are an outdated technology`
jabber: format 2023-05-22 00:44:40 +02:00			`proxy65 = false;`
jabber: add server_contact_info 2023-10-11 19:16:39 +02:00			`server_contact_info = true;`
jabber: enable cloud_notify_extensions, presence_cache, s2s_bidi, csi_simple 2023-10-31 02:16:41 +01:00			`smacks = true;`
			`s2s_bidi = true;`
			`turn_external = true;`
jabber: init 2021-10-18 03:46:25 +02:00			`};`
jabber: format 2023-05-22 00:44:40 +02:00
			`ssl = {`
			`key = "/var/lib/acme/${domain}/key.pem";`
			`cert = "/var/lib/acme/${domain}/fullchain.pem";`
jabber: fix syntax 2023-10-11 22:23:07 +02:00			`extraOptions = {`
			`dhparam = config.security.dhparams.params.nginx.path;`
			`};`
jabber: init 2021-10-18 03:46:25 +02:00			`};`

jabber: be secure 2023-10-31 02:17:16 +01:00			`# encryption is a must`
jabber: format 2023-05-22 00:44:40 +02:00			`c2sRequireEncryption = true;`
			`s2sRequireEncryption = true;`
jabber: be secure 2023-10-31 02:17:16 +01:00			`s2sSecureAuth = true;`
jabber: format 2023-05-22 00:44:40 +02:00
			`virtualHosts = {`
			`"${domain}" = {`
			`enabled = true;`
			`inherit domain;`
jabber: init 2021-10-18 03:46:25 +02:00			`};`
jabber: format 2023-05-22 00:44:40 +02:00			`"anon.${domain}" = {`
			`enabled = true;`
			`domain = "anon.${domain}";`
			`extraConfig = ''`
			`authentication = "anonymous"`
			`'';`
jabber: init 2021-10-18 03:46:25 +02:00			`};`
jabber: format 2023-05-22 00:44:40 +02:00			`};`
			`muc = [{`
			`domain = "chat.c3d2.de";`
jabber: bump max history 2023-10-31 02:17:23 +01:00			`maxHistoryMessages = 100;`
jabber: format 2023-05-22 00:44:40 +02:00			`name = "Group chats";`
			`}];`

			`httpPorts = [ 80 5280 ];`
			`httpsPorts = [ 443 5281 ];`
			`uploadHttp = {`
			`domain = "upload.${domain}";`
			`uploadFileSizeLimit = "10 * 1024 * 1024";`
			`userQuota = 512 * 1024 * 1024;`
			`uploadExpireAfter = "2 * 60 * 60";`
			`};`
jabber: init 2021-10-18 03:46:25 +02:00
jabber: format 2023-05-22 00:44:40 +02:00			`extraConfig =`
			`let`
			`prosodyFirewall = pkgs.writeText "antispam.pfw" ''`
jabber: allow jabber.ccc.de, deshalbfrei.org again 2023-10-17 13:18:28 +02:00			%ZONE spam: creep.im, default.rs, sj.ms, anonym.im, xmpp.jp, safetyjabber.com, im.hot-chilli.net, jabb3r.org, draugr.de, laba.im, xmpp.sh, jabber.bitactive.com, 404.city, jabber.cd, jabber.jc-otto.de, jabster.pl, jabber.no, anoxinon.me, ubuntu-jabber.net, anonarchy.im, jabber.freenet.de, exploit.im, 616.pub, omemo.im, rsocks.net, chatwith.xyz, jabber.cz, jabbim.cz, blabber.im, jabber.root.cz, jabb.im, jabber.infos.ru, jabbim.pl, jabbim.com, linuxlovers.at, jabbim.ru, jabber.sk, njs.netlab.cz, jabba.biz, chatterboxtown.us, crime.io, 0nl1ne.at, verdammung.org, im.apinc.org, 0day.la, 0day.im, xabber.de, conversations.im, jabber.de, chinwag.im, thesecure.biz, shad0w.ru, yourdata.forsale, linux.monster, xmpp.international, paranoid.network, og.im, 4ept.net, darknet.im, ubuntu-jabber.de, nixnet.services, marxist.club, dw.live, 01337.io, sqli.io, breached.im, pwned.life, jabber.fr, chatterboxtown.us, xmpp.xxx, ybgood.de, ejabber.co, jabbers.one
jabber: format 2023-05-22 00:44:40 +02:00
			`IN ROSTER?`
			`PASS.`

			`LEAVING: spam`
			`BOUNCE=policy-violation (Your domain has been blacklisted due to spam.)`
			`'';`
			`in`
jabber: format 2023-10-11 19:16:25 +02:00			`/* lua */ ''`
jabber: modernize config 2023-10-11 20:20:08 +02:00			`c2s_direct_tls_ports = { 5223 }`
			`c2s_direct_tls_ssl = {`
jabber: format 2023-05-22 00:44:40 +02:00			`key = "/var/lib/acme/${domain}/key.pem",`
			`certificate = "/var/lib/acme/${domain}/fullchain.pem",`
			`}`
jabber: add s2s tls, http_altdirect 2023-10-12 22:40:40 +02:00			`s2s_direct_tls_ports = { 5270 }`
jabber: format 2023-05-22 00:44:40 +02:00			`certificates = "/var/lib/acme"`

jabber: add server_contact_info 2023-10-11 19:16:39 +02:00			`contact_info = {`
			`abuse = { "mailto:mail@c3d2.de" };`
			`admin = { "mailto:mail@c3d2.de" };`
			`feedback = { "mailto:mail@c3d2.de" };`
			`-- sales = { "mailto:mail@c3d2.de" }; -- we don't sell anything ;)`
			`security = { "mailto:mail@c3d2.de" };`
			`support = { "mailto:mail@c3d2.de" };`
			`}`

jabber: format 2023-05-22 00:44:40 +02:00			`storage = "sql"`
			`sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "" }`
			`log = { info = "*syslog"; }`

			`firewall_scripts = { "${prosodyFirewall}" }`

jabber: fix external ips 2023-10-11 22:24:57 +02:00			`-- How to get the IPv6 from config?`
			`external_addresses = { "${zentralwerk.lib.dns.publicIPv4}", "2a00:8180:2c00:282:e058:3ff:fea2:d83a", "${hostRegistry.jabber.ip4}", "${hostRegistry.jabber.ip6}" }`
jabber: cleanup syntax, fix missing ipv6 caused by copy paste error 2023-10-11 22:24:13 +02:00			`trusted_proxies = { "127.0.0.1", "::1", "${hostRegistry.public-access-proxy.ip4}", "${hostRegistry.public-access-proxy.ip6}" }`
jabber: add cors 2023-10-13 00:12:31 +02:00			`http_cors_override = {`
			`bosh = {`
			`enabled = true;`
			`};`
			`websocket = {`
			`enabled = true;`
			`};`
			`}`
jabber: format 2023-05-22 00:44:40 +02:00			`http_default_host = "${domain}"`
			`http_host = "${domain}"`
			`http_external_url = "https://${domain}/"`
			`http_upload_file_size_limit = 10 * 1024 * 1024`
			`http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds`

jabber: use auth-secret for coturn 2023-10-31 02:16:07 +01:00			`turn_external_host = "turn.${domain}";`
			`turn_external_secret = "$PROSODY_TURN_SECRET"`
jabber: format 2023-05-22 00:44:40 +02:00			`'';`
			`};`
jabber: init 2021-10-18 03:46:25 +02:00			`};`

Convert to sops 2022-12-27 02:24:17 +01:00			`sops = {`
			`defaultSopsFile = ./secrets.yaml;`
jabber: add backups 2023-05-22 00:48:40 +02:00			`secrets = {`
jabber: use auth-secret for coturn 2023-10-31 02:16:07 +01:00			`"acme/credentials-file" = { };`
			`"coturn/static-auth-secret".owner = "turnserver";`
			`"prosody/enviroment" = { };`
jabber: add backups 2023-05-22 00:48:40 +02:00			`};`
Convert to sops 2022-12-27 02:24:17 +01:00			`};`

jabber: format 2023-05-22 00:44:40 +02:00			`systemd.services = {`
			`collectd.requires = [ "prosody.service" ];`

			`prosody.serviceConfig = {`
			`# Allow binding ports <1024`
			`AmbientCapabilities = "CAP_NET_BIND_SERVICE";`
jabber: use auth-secret for coturn 2023-10-31 02:16:07 +01:00			`EnvironmentFile = config.sops.secrets."prosody/enviroment".path;`
jabber: format 2023-05-22 00:44:40 +02:00			`};`
			`};`

jabber: init 2021-10-18 03:46:25 +02:00			`system.stateVersion = "21.05";`
			`}`