nixos-dotfiles

https://git.tonybtw.com/nixos-dotfiles.git git://git.tonybtw.com/nixos-dotfiles.git

2,476 bytes raw

{
  config,
  pkgs,
  lib,
  ...
}: let
  domain = "xmpp.tonybtw.com";
  mucDomain = "conference.${domain}";
  uploadDomain = "upload.${domain}";
in {
  services.prosody = {
    enable = true;

    package = pkgs.prosody.override {
      withCommunityModules = [
        "cloud_notify"
        "bookmarks2"
        "smacks"
      ];
    };

    admins = ["admin@${domain}"];

    ssl = {
      cert = "/var/lib/acme/${domain}/fullchain.pem";
      key = "/var/lib/acme/${domain}/key.pem";
    };

    httpFileShare = {
      domain = uploadDomain;
      uploadFileSizeLimit = 100 * 1024 * 1024;
      uploadExpireAfter = 60 * 60 * 24 * 30;
    };

    muc = [
      {
        domain = mucDomain;
        name = "Chat Rooms";
        restrictRoomCreation = false;
        maxHistoryMessages = 50;
      }
    ];

    virtualHosts.${domain} = {
      enabled = true;
      domain = domain;
      ssl = {
        cert = "/var/lib/acme/${domain}/fullchain.pem";
        key = "/var/lib/acme/${domain}/key.pem";
      };
    };

    modules = {
      roster = true;
      saslauth = true;
      tls = true;
      dialback = true;
      disco = true;
      carbons = true;
      mam = true;
      csi = true;
      blocklist = true;
      bookmarks = true;
      ping = true;
      register = true;
      admin_adhoc = true;
      admin_telnet = true;
      http_files = true;
    };

    extraConfig = ''
      archive_expires_after = "1y"
      mam_default_config = { always = true }
      c2s_stanza_size_limit = 256 * 1024
      certificates = "/var/lib/acme"
    '';
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "tony@tonybtw.com";

    certs.${domain} = {
      group = "certs";
      webroot = "/var/lib/acme/acme-challenge";
      postRun = "systemctl reload prosody.service";
      extraDomainNames = [mucDomain uploadDomain];
    };
  };

  users.groups.certs.members = ["prosody" "nginx"];

  services.nginx.virtualHosts.${domain} = {
    locations."/.well-known/acme-challenge" = {
      root = "/var/lib/acme/acme-challenge";
    };
  };

  networking.firewall.allowedTCPPorts = [
    5222
    5269
    5281
  ];

  systemd.tmpfiles.rules = [
    "d /var/log/prosody 0750 prosody prosody -"
  ];

  networking.firewall.extraCommands = ''
    iptables -A INPUT -p tcp --dport 5222 -m state --state NEW -m recent --set
    iptables -A INPUT -p tcp --dport 5222 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
  '';

}

1	`{`
2	`config,`
3	`pkgs,`
4	`lib,`
5	`...`
6	`}: let`
7	`domain = "xmpp.tonybtw.com";`
8	`mucDomain = "conference.${domain}";`
9	`uploadDomain = "upload.${domain}";`
10	`in {`
11	`services.prosody = {`
12	`enable = true;`
13
14	`package = pkgs.prosody.override {`
15	`withCommunityModules = [`
16	`"cloud_notify"`
17	`"bookmarks2"`
18	`"smacks"`
19	`];`
20	`};`
21
22	`admins = ["admin@${domain}"];`
23
24	`ssl = {`
25	`cert = "/var/lib/acme/${domain}/fullchain.pem";`
26	`key = "/var/lib/acme/${domain}/key.pem";`
27	`};`
28
29	`httpFileShare = {`
30	`domain = uploadDomain;`
31	`uploadFileSizeLimit = 100 * 1024 * 1024;`
32	`uploadExpireAfter = 60 * 60 * 24 * 30;`
33	`};`
34
35	`muc = [`
36	`{`
37	`domain = mucDomain;`
38	`name = "Chat Rooms";`
39	`restrictRoomCreation = false;`
40	`maxHistoryMessages = 50;`
41	`}`
42	`];`
43
44	`virtualHosts.${domain} = {`
45	`enabled = true;`
46	`domain = domain;`
47	`ssl = {`
48	`cert = "/var/lib/acme/${domain}/fullchain.pem";`
49	`key = "/var/lib/acme/${domain}/key.pem";`
50	`};`
51	`};`
52
53	`modules = {`
54	`roster = true;`
55	`saslauth = true;`
56	`tls = true;`
57	`dialback = true;`
58	`disco = true;`
59	`carbons = true;`
60	`mam = true;`
61	`csi = true;`
62	`blocklist = true;`
63	`bookmarks = true;`
64	`ping = true;`
65	`register = true;`
66	`admin_adhoc = true;`
67	`admin_telnet = true;`
68	`http_files = true;`
69	`};`
70
71	`extraConfig = ''`
72	`archive_expires_after = "1y"`
73	`mam_default_config = { always = true }`
74	`c2s_stanza_size_limit = 256 * 1024`
75	`certificates = "/var/lib/acme"`
76	`'';`
77	`};`
78
79	`security.acme = {`
80	`acceptTerms = true;`
81	`defaults.email = "tony@tonybtw.com";`
82
83	`certs.${domain} = {`
84	`group = "certs";`
85	`webroot = "/var/lib/acme/acme-challenge";`
86	`postRun = "systemctl reload prosody.service";`
87	`extraDomainNames = [mucDomain uploadDomain];`
88	`};`
89	`};`
90
91	`users.groups.certs.members = ["prosody" "nginx"];`
92
93	`services.nginx.virtualHosts.${domain} = {`
94	`locations."/.well-known/acme-challenge" = {`
95	`root = "/var/lib/acme/acme-challenge";`
96	`};`
97	`};`
98
99	`networking.firewall.allowedTCPPorts = [`
100	`5222`
101	`5269`
102	`5281`
103	`];`
104
105	`systemd.tmpfiles.rules = [`
106	`"d /var/log/prosody 0750 prosody prosody -"`
107	`];`
108
109	`networking.firewall.extraCommands = ''`
110	`iptables -A INPUT -p tcp --dport 5222 -m state --state NEW -m recent --set`
111	`iptables -A INPUT -p tcp --dport 5222 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP`
112	`'';`
113
114	`}`