# NixOS configuration for the "jabber" host (jabber.c3d2.de): a Prosody XMPP
# server with a coturn STUN/TURN relay and a local PostgreSQL storage backend,
# run as a microvm on server10.
{ zentralwerk, config, hostRegistry, pkgs, lib, ... }:

let
  domain = "jabber.c3d2.de";

  # Static TURN credentials shared by coturn and Prosody's external_services.
  # NOTE(review): both values are interpolated into services.coturn.extraConfig
  # and services.prosody.extraConfig below, so they end up inside generated
  # config files in the world-readable Nix store. Reading them from a runtime
  # secret file instead (as is already done for the ACME credentials via sops)
  # would keep them out of the store — confirm whether that matters here.
  inherit (pkgs.jabber-secrets) coturnUser coturnPassword;
in
{
  c3d2 = {
    deployment.server = "server10";
    hq.statistics.enable = true;
  };

  microvm.mem = 2048;

  networking = {
    hostName = "jabber";
    firewall = {
      allowedTCPPorts = [
        # Prosody
        80    # httpPorts (see services.prosody.httpPorts)
        443   # httpsPorts
        5222  # c2s (STARTTLS)
        5223  # c2s direct TLS (c2s_direct_tls_ports in extraConfig)
        5269  # s2s
        5270  # s2s direct TLS (s2s_direct_tls_ports in extraConfig)
        5280  # httpPorts (BOSH / websocket)
        5281  # httpsPorts
        # Coturn
        3478  # listening port
        3479  # alternate listening port
      ];
      allowedUDPPorts = [
        # Coturn
        3478
        3479
        # NOTE(review): coturn additionally allocates relay ports from its
        # min-port/max-port range, which is not opened here — confirm how
        # relayed media reaches this VM (another layer may handle it).
      ];
      # TODO: allowedSCTPPorts
    };
  };

  security = {
    # Certificate for the XMPP domain plus the MUC host and all subdomains
    # (anon., upload., turn.), obtained via DNS-01 so the wildcard can be issued.
    acme.certs."${domain}" = {
      extraDomainNames = [
        "chat.c3d2.de"
        "*.${domain}"
      ];
      # DynDNS method
      dnsProvider = "rfc2136";
      # RFC 2136 TSIG credentials come from sops, never from the store.
      credentialsFile = config.sops.secrets."acme/credentials-file".path;
      reloadServices = [ "prosody" ];
      # Make keys accessible by putting them in prosody's group
      inherit (config.services.prosody) group;
    };
    dhparams = {
      enable = true;
      # NOTE(review): declared here but not referenced below — the prosody
      # ssl block points at params.nginx instead.
      params.prosody = { };
    };
  };

  services = {
    backup.paths = [ "/var/lib/prosody/" ];

    # Feed Prosody statistics into collectd via the script next to this file.
    collectd.plugins.exec = ''
      Exec "${config.services.collectd.user}" "${lib.getExe pkgs.ruby}" "${./prosody-stats.rb}"
    '';

    coturn = {
      enable = true;
      realm = "turn.${domain}";
      # Long-term credential mechanism: clients authenticate with the fixed
      # user/password from extraConfig (the same pair Prosody advertises).
      lt-cred-mech = true;
      extraConfig = ''
        external-ip=${zentralwerk.lib.dns.publicIPv4}/${zentralwerk.lib.config.site.net.serv.hosts4.jabber}
        user=${coturnUser}:${coturnPassword}
      '';
    };

    postgresql = {
      enable = true;
      ensureDatabases = [ "prosody" ];
      ensureUsers = [{
        name = "prosody";
        ensurePermissions = {
          "DATABASE prosody" = "ALL PRIVILEGES";
        };
      }];
      package = pkgs.postgresql_16;
      upgrade.stopServices = [ "prosody" ];
    };

    #TODO: txt records?
    prosody = {
      enable = true;
      # In-band account registration is disabled.
      allowRegistration = false;
      admins = [ "astro@spaceboyz.net" "0@jabber.c3d2.de" "nek0@c3d2.de" ];
      package = pkgs.prosody.override {
        # cloud_notify (push), csi (client state indication), extdisco
        # (external service discovery), firewall (used by firewall_scripts
        # below), smacks (stream management).
        withCommunityModules = [ "cloud_notify" "csi" "extdisco" "firewall" "smacks" ];
        # Needed for storage = "sql" with the PostgreSQL driver.
        withExtraLuaPackages = luaPackages: with luaPackages; [
          luadbi-postgresql
        ];
      };

      modules = {
        # HTTP stuff
        bosh = true;
        http_altconnect = true;
        # NOTE(review): mod_http_files serves a static directory
        # (http_files_dir, not set in this file) — confirm what it exposes.
        http_files = true;
        websocket = true;

        # Unauthenticated admin console; Prosody binds it to loopback by
        # default and the port is not in the firewall list, so it is only
        # reachable by anyone with a shell on this VM.
        admin_telnet = true;
        announce = true;
        mam = true;
        carbons = true;
        # File-transfer proxies are an outdated technology
        proxy65 = false;
        server_contact_info = true;
      };

      ssl = {
        key = "/var/lib/acme/${domain}/key.pem";
        cert = "/var/lib/acme/${domain}/fullchain.pem";
        extraOptions = {
          # NOTE(review): this references params.nginx, but the only dhparams
          # declared in this file is security.dhparams.params.prosody (above),
          # which is otherwise unused. params.nginx must be declared elsewhere
          # for this to evaluate; params.prosody.path looks intended.
          dhparam = config.security.dhparams.params.nginx.path;
        };
      };

      # Refuse plaintext client and server-to-server connections.
      c2sRequireEncryption = true;
      s2sRequireEncryption = true;

      virtualHosts = {
        "${domain}" = {
          enabled = true;
          inherit domain;
        };
        # Separate host for anonymous (unauthenticated) logins.
        "anon.${domain}" = {
          enabled = true;
          domain = "anon.${domain}";
          extraConfig = ''
            authentication = "anonymous"
          '';
        };
      };

      muc = [{
        domain = "chat.c3d2.de";
        name = "Group chats";
      }];

      # 80/443 require CAP_NET_BIND_SERVICE, granted in systemd.services below.
      httpPorts = [ 80 5280 ];
      httpsPorts = [ 443 5281 ];
      uploadHttp = {
        domain = "upload.${domain}";
        uploadFileSizeLimit = "10 * 1024 * 1024";
        userQuota = 512 * 1024 * 1024;
        # NOTE(review): two hours here, but extraConfig below sets
        # http_upload_expire_after to a week — confirm which value the upload
        # component actually uses and drop the other.
        uploadExpireAfter = "2 * 60 * 60";
      };

      # Global Prosody settings with no module option. Points worth knowing:
      # - c2s/s2s direct-TLS listeners on 5223/5270 reuse the ACME certificate;
      #   both ports are opened in networking.firewall above.
      # - storage is PostgreSQL with an empty password, i.e. access relies on
      #   local PostgreSQL authentication for the prosody user — TODO confirm.
      # - trusted_proxies are the hosts whose forwarding headers are honoured
      #   for HTTP (loopback plus public-access-proxy from hostRegistry).
      # - external_services hands the static coturn user/password to every
      #   authenticated client (XEP-0215). NOTE(review): the documented format
      #   is a list of entries each with a `host` field rather than a table
      #   keyed by host name — confirm clients actually discover these.
      # - http_upload_* duplicates (and disagrees with) uploadHttp above.
      extraConfig =
        let
          # mod_firewall script: stanzas arriving from a domain in the "spam"
          # zone are bounced with policy-violation unless the sender is
          # already in the recipient's roster (blank lines separate rules).
          prosodyFirewall = pkgs.writeText "antispam.pfw" ''
            %ZONE spam: creep.im, default.rs, sj.ms, anonym.im, xmpp.jp, safetyjabber.com, im.hot-chilli.net, jabb3r.org, draugr.de, laba.im, xmpp.sh, jabber.bitactive.com, 404.city, jabber.cd, jabber.jc-otto.de, jabster.pl, jabber.no, anoxinon.me, ubuntu-jabber.net, anonarchy.im, jabber.freenet.de, exploit.im, 616.pub, omemo.im, rsocks.net, chatwith.xyz, jabber.cz, jabbim.cz, blabber.im, jabber.root.cz, jabb.im, jabber.infos.ru, jabbim.pl, jabbim.com, linuxlovers.at, jabbim.ru, jabber.sk, njs.netlab.cz, jabba.biz, chatterboxtown.us, crime.io, 0nl1ne.at, verdammung.org, im.apinc.org, 0day.la, 0day.im, xabber.de, conversations.im, jabber.de, chinwag.im, jabber.ccc.de, thesecure.biz, shad0w.ru, yourdata.forsale, linux.monster, xmpp.international, paranoid.network, og.im, 4ept.net, darknet.im, ubuntu-jabber.de, deshalbfrei.org, nixnet.services, marxist.club, dw.live, 01337.io, sqli.io, breached.im, pwned.life, jabber.fr, chatterboxtown.us, xmpp.xxx, ybgood.de, ejabber.co, jabbers.one

            IN ROSTER?
            PASS.

            LEAVING: spam
            BOUNCE=policy-violation (Your domain has been blacklisted due to spam.)
          '';
        in
        /* lua */ ''
          c2s_direct_tls_ports = { 5223 }
          c2s_direct_tls_ssl = {
            key = "/var/lib/acme/${domain}/key.pem",
            certificate = "/var/lib/acme/${domain}/fullchain.pem",
          }
          s2s_direct_tls_ports = { 5270 }
          certificates = "/var/lib/acme"

          contact_info = {
            abuse = { "mailto:mail@c3d2.de" };
            admin = { "mailto:mail@c3d2.de" };
            feedback = { "mailto:mail@c3d2.de" };
            -- sales = { "mailto:mail@c3d2.de" }; -- we don't sell anything ;)
            security = { "mailto:mail@c3d2.de" };
            support = { "mailto:mail@c3d2.de" };
          }

          storage = "sql"
          sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "" }
          log = { info = "*syslog"; }

          firewall_scripts = { "${prosodyFirewall}" }

          -- How to get the IPv6 from config?
          external_addresses = { "${zentralwerk.lib.dns.publicIPv4}", "2a00:8180:2c00:282:e058:3ff:fea2:d83a", "${hostRegistry.jabber.ip4}", "${hostRegistry.jabber.ip6}" }
          trusted_proxies = { "127.0.0.1", "::1", "${hostRegistry.public-access-proxy.ip4}", "${hostRegistry.public-access-proxy.ip6}" }
          http_default_host = "${domain}"
          http_host = "${domain}"
          http_external_url = "https://${domain}/"
          http_upload_file_size_limit = 10 * 1024 * 1024
          http_upload_expire_after = 60 * 60 * 24 * 7 -- a week in seconds

          external_services = {
            ["turn.${domain}"] = {
              username = "${coturnUser}";
              password = "${coturnPassword}";
              port = "3478";
              transport = "udp";
              type = "turn";
            };
            ["${zentralwerk.lib.dns.publicIPv4}"] = {
              username = "${coturnUser}";
              password = "${coturnPassword}";
              port = "3478";
              transport = "udp";
              type = "turn";
            };
          };
        '';
    };
  };

  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets = {
      # Consumed by the ACME rfc2136 DNS challenge above.
      "acme/credentials-file".owner = "root";
      # Presumably consumed by the backup service configured above — verify.
      "restic/password".owner = "root";
      "restic/repositories/server8".owner = "root";
    };
  };

  systemd.services = {
    # The exec plugin queries Prosody, so do not run collectd without it.
    collectd.requires = [ "prosody.service" ];

    prosody.serviceConfig = {
      # Allow binding ports <1024
      AmbientCapabilities = "CAP_NET_BIND_SERVICE";

      Restart = "always";
      RestartSec = "3";
    };
  };

  system.stateVersion = "21.05";
}