jabber: format
This commit is contained in:
parent
af67b84800
commit
8593ef3e2e
|
@ -4,45 +4,38 @@ let
|
|||
domain = "jabber.c3d2.de";
|
||||
|
||||
inherit (pkgs.jabber-secrets) coturnUser coturnPassword;
|
||||
prosodyFirewall = pkgs.writeText "antispam.pfw" ''
|
||||
%ZONE spam: creep.im, default.rs, sj.ms, anonym.im, xmpp.jp, safetyjabber.com, im.hot-chilli.net, jabb3r.org, draugr.de, laba.im, xmpp.sh, jabber.bitactive.com, 404.city, jabber.cd, jabber.jc-otto.de, jabster.pl, jabber.no, anoxinon.me, ubuntu-jabber.net, anonarchy.im, jabber.freenet.de, exploit.im, 616.pub, omemo.im, rsocks.net, chatwith.xyz, jabber.cz, jabbim.cz, blabber.im, jabber.root.cz, jabb.im, jabber.infos.ru, jabbim.pl, jabbim.com, linuxlovers.at, jabbim.ru, jabber.sk, njs.netlab.cz, jabba.biz, chatterboxtown.us, crime.io, 0nl1ne.at, verdammung.org, im.apinc.org, 0day.la, 0day.im, xabber.de, conversations.im, jabber.de, chinwag.im, jabber.ccc.de, thesecure.biz, shad0w.ru, yourdata.forsale, linux.monster, xmpp.international, paranoid.network, og.im, 4ept.net, darknet.im, ubuntu-jabber.de, deshalbfrei.org, nixnet.services, marxist.club, dw.live, 01337.io, yax.im, sqli.io, breached.im, pwned.life, jabber.fr, chatterboxtown.us, xmpp.xxx, ybgood.de, ejabber.co, jabbers.one
|
||||
|
||||
IN ROSTER?
|
||||
PASS.
|
||||
|
||||
LEAVING: spam
|
||||
BOUNCE=policy-violation (Your domain has been blacklisted due to spam.)
|
||||
'';
|
||||
in
|
||||
{
|
||||
c3d2 = {
|
||||
deployment.server = "server10";
|
||||
hq.statistics.enable = true;
|
||||
};
|
||||
|
||||
microvm.mem = 2048;
|
||||
|
||||
networking = {
|
||||
hostName = "jabber";
|
||||
firewall.allowedTCPPorts = [
|
||||
# Prosody
|
||||
5222 5223 5269
|
||||
80 5280 443 5281
|
||||
5222
|
||||
5223
|
||||
5269
|
||||
80
|
||||
5280
|
||||
443
|
||||
5281
|
||||
# Coturn
|
||||
3478 3479
|
||||
3478
|
||||
3479
|
||||
];
|
||||
firewall.allowedUDPPorts = [
|
||||
# Coturn
|
||||
3478 3479
|
||||
3478
|
||||
3479
|
||||
];
|
||||
# TODO: allowedSCTPPorts
|
||||
};
|
||||
|
||||
c3d2 = {
|
||||
deployment.server = "server10";
|
||||
hq.statistics.enable = true;
|
||||
};
|
||||
|
||||
services.collectd.plugins.exec = ''
|
||||
Exec "${config.services.collectd.user}" "${pkgs.ruby}/bin/ruby" "${./prosody-stats.rb}"
|
||||
'';
|
||||
systemd.services.collectd.requires = [ "prosody.service" ];
|
||||
|
||||
security.acme.certs."${domain}" = {
|
||||
extraDomainNames = [
|
||||
"chat.c3d2.de"
|
||||
|
@ -55,7 +48,23 @@ in
|
|||
inherit (config.services.prosody) group;
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
services = {
|
||||
collectd.plugins.exec = ''
|
||||
Exec "${config.services.collectd.user}" "${pkgs.ruby}/bin/ruby" "${./prosody-stats.rb}"
|
||||
'';
|
||||
|
||||
coturn = {
|
||||
enable = true;
|
||||
realm = "turn.${domain}";
|
||||
lt-cred-mech = true;
|
||||
extraConfig = with zentralwerk.lib.config.site; ''
|
||||
external-ip=${hosts.upstream4.interfaces.up4-pppoe.upstream.staticIpv4Address}/${net.serv.hosts4.jabber}
|
||||
|
||||
user=${coturnUser}:${coturnPassword}
|
||||
'';
|
||||
};
|
||||
|
||||
postgresql = {
|
||||
enable = true;
|
||||
ensureDatabases = [
|
||||
"prosody"
|
||||
|
@ -100,10 +109,13 @@ in
|
|||
# Some TLS hardening we've had on the old setup, probably to
|
||||
# defend against downgrading attacks.
|
||||
extraOptions.options = [
|
||||
"no_sslv2" "no_sslv3"
|
||||
"no_ticket" "no_compression"
|
||||
"no_sslv2"
|
||||
"no_sslv3"
|
||||
"no_ticket"
|
||||
"no_compression"
|
||||
"cipher_server_preference"
|
||||
"single_dh_use" "single_ecdh_use"
|
||||
"single_dh_use"
|
||||
"single_ecdh_use"
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -137,7 +149,19 @@ in
|
|||
uploadExpireAfter = "2 * 60 * 60";
|
||||
};
|
||||
|
||||
extraConfig = ''
|
||||
extraConfig =
|
||||
let
|
||||
prosodyFirewall = pkgs.writeText "antispam.pfw" ''
|
||||
%ZONE spam: creep.im, default.rs, sj.ms, anonym.im, xmpp.jp, safetyjabber.com, im.hot-chilli.net, jabb3r.org, draugr.de, laba.im, xmpp.sh, jabber.bitactive.com, 404.city, jabber.cd, jabber.jc-otto.de, jabster.pl, jabber.no, anoxinon.me, ubuntu-jabber.net, anonarchy.im, jabber.freenet.de, exploit.im, 616.pub, omemo.im, rsocks.net, chatwith.xyz, jabber.cz, jabbim.cz, blabber.im, jabber.root.cz, jabb.im, jabber.infos.ru, jabbim.pl, jabbim.com, linuxlovers.at, jabbim.ru, jabber.sk, njs.netlab.cz, jabba.biz, chatterboxtown.us, crime.io, 0nl1ne.at, verdammung.org, im.apinc.org, 0day.la, 0day.im, xabber.de, conversations.im, jabber.de, chinwag.im, jabber.ccc.de, thesecure.biz, shad0w.ru, yourdata.forsale, linux.monster, xmpp.international, paranoid.network, og.im, 4ept.net, darknet.im, ubuntu-jabber.de, deshalbfrei.org, nixnet.services, marxist.club, dw.live, 01337.io, yax.im, sqli.io, breached.im, pwned.life, jabber.fr, chatterboxtown.us, xmpp.xxx, ybgood.de, ejabber.co, jabbers.one
|
||||
|
||||
IN ROSTER?
|
||||
PASS.
|
||||
|
||||
LEAVING: spam
|
||||
BOUNCE=policy-violation (Your domain has been blacklisted due to spam.)
|
||||
'';
|
||||
in
|
||||
''
|
||||
legacy_ssl_ports = { 5223 }
|
||||
legacy_ssl_ssl = {
|
||||
key = "/var/lib/acme/${domain}/key.pem",
|
||||
|
@ -184,23 +208,6 @@ in
|
|||
-- proxy65_ports = { 5000 }
|
||||
'';
|
||||
};
|
||||
systemd.services.prosody.serviceConfig = {
|
||||
# Allow binding ports <1024
|
||||
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
||||
|
||||
Restart = "always";
|
||||
RestartSec = "3";
|
||||
};
|
||||
|
||||
services.coturn = {
|
||||
enable = true;
|
||||
realm = "turn.${domain}";
|
||||
lt-cred-mech = true;
|
||||
extraConfig = with zentralwerk.lib.config.site; ''
|
||||
external-ip=${hosts.upstream4.interfaces.up4-pppoe.upstream.staticIpv4Address}/${net.serv.hosts4.jabber}
|
||||
|
||||
user=${coturnUser}:${coturnPassword}
|
||||
'';
|
||||
};
|
||||
|
||||
sops = {
|
||||
|
@ -208,5 +215,17 @@ in
|
|||
secrets."acme/credentials-file".owner = "root";
|
||||
};
|
||||
|
||||
systemd.services = {
|
||||
collectd.requires = [ "prosody.service" ];
|
||||
|
||||
prosody.serviceConfig = {
|
||||
# Allow binding ports <1024
|
||||
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
||||
|
||||
Restart = "always";
|
||||
RestartSec = "3";
|
||||
};
|
||||
};
|
||||
|
||||
system.stateVersion = "21.05";
|
||||
}
|
||||
|
|
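Review bot: In the second hunk (`@ -55,7 +48,23 @@`) the new `services.coturn.extraConfig` still interpolates `user=${coturnUser}:${coturnPassword}` straight into the config text; since the NixOS coturn module presumably renders `extraConfig` into a store-path config file, the TURN credential would end up world-readable under `/nix/store` on the host and in any binary cache the closure is pushed to. The same file already handles the ACME credential through `sops` (the `sops = { ... }` block in the fifth hunk and `secrets."acme/credentials-file"` in the sixth), so keeping the coturn credential out of the store the same way — a sops-managed file that coturn reads at runtime rather than a string baked into the derivation — would be more consistent. At minimum a comment such as `# NOTE: extraConfig is rendered into a store path; coturnPassword is readable by every local user` would flag the trade-off for the next maintainer. The line is pre-existing and only moved by this formatting commit, so it need not block the commit itself.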