nixos-dotfiles

https://git.tonybtw.com/nixos-dotfiles.git git://git.tonybtw.com/nixos-dotfiles.git

3,641 bytes raw

# xmpp-home.nix - XMPP server for home hosting
#
# Differences from VPS version:
# - Uses chat.tonybtw.com (your actual domain)
# - Cloudflare DNS challenge for SSL (works behind NAT)
# - Less strict resource limits
# - Assumes you're on a residential connection
#
{ config, pkgs, lib, ... }:

let
  domain = "chat.tonybtw.com";
  mucDomain = "conference.chat.tonybtw.com";
  uploadDomain = "upload.chat.tonybtw.com";
in
{
  services.prosody = {
    enable = true;

    # Package with community modules
    package = pkgs.prosody.override {
      withCommunityModules = [
        "http_upload"
        "cloud_notify"
        "bookmarks2"
        "smacks"
      ];
    };

    # Admin accounts (create these after deployment)
    admins = [ "tony@${domain}" ];  # CHANGE THIS to your username

    # SSL certificates (managed by ACME in home-server-base.nix)
    ssl = {
      cert = "/var/lib/acme/${domain}/fullchain.pem";
      key = "/var/lib/acme/${domain}/key.pem";
    };

    # File uploads (100MB limit)
    uploadHttp = {
      domain = uploadDomain;
      uploadFileSizeLimit = "100 * 1024 * 1024";
      uploadExpireAfter = "60 * 60 * 24 * 30";  # 30 days
    };

    # Multi-User Chat (group chat rooms)
    muc = [
      {
        domain = mucDomain;
        name = "Tony's Chat Rooms";
        restrictRoomCreation = false;  # Anyone can create rooms
        maxHistoryMessages = 50;
      }
    ];

    # Main XMPP domain
    virtualHosts.${domain} = {
      enabled = true;
      domain = domain;
      ssl = {
        cert = "/var/lib/acme/${domain}/fullchain.pem";
        key = "/var/lib/acme/${domain}/key.pem";
      };
    };

    # Modern XMPP features
    modules = {
      # Core
      roster = true;
      saslauth = true;
      tls = true;
      dialback = true;
      disco = true;

      # Modern messaging
      carbons = true;
      mam = true;
      smacks = true;
      csi = true;
      cloud_notify = true;

      # Privacy
      blocklist = true;
      bookmarks = true;
      bookmarks2 = true;

      # Convenience
      ping = true;
      register = false;  # Manual account creation only
      admin_adhoc = true;
      admin_telnet = true;

      # HTTP
      http_files = true;
      http_upload = true;

      # MUC
      muc_mam = true;
    };

    extraConfig = ''
      -- Logging
      log = {
        info = "/var/log/prosody/prosody.log";
        error = "/var/log/prosody/prosody.err";
        "*syslog";
      }

      -- Message history (keep for 1 year)
      archive_expires_after = "1y"
      mam_default_config = { always = true }

      -- Connection settings
      c2s_stanza_size_limit = 256 * 1024  -- 256KB

      -- TLS settings
      ssl = {
        protocol = "tlsv1_2+";
        ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL";
        options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
      }

      -- OMEMO encryption support
      modules_enabled = { "omemo_all_access" }

      -- Disable federation if you only want private server (optional)
      -- Uncomment to prevent federation with other XMPP servers:
      -- modules_disabled = { "s2s" }
    '';
  };

  # Create log directory
  systemd.tmpfiles.rules = [
    "d /var/log/prosody 0750 prosody prosody -"
  ];

  # Optional: Nginx reverse proxy for XMPP web client (if you want one later)
  # services.nginx.virtualHosts."${domain}" = {
  #   enableACME = true;
  #   forceSSL = true;
  #   locations."/" = {
  #     # Could serve a web client like Converse.js here
  #     root = "/var/www/xmpp";
  #   };
  # };
}

1	`# xmpp-home.nix - XMPP server for home hosting`
2	`#`
3	`# Differences from VPS version:`
4	`# - Uses chat.tonybtw.com (your actual domain)`
5	`# - Cloudflare DNS challenge for SSL (works behind NAT)`
6	`# - Less strict resource limits`
7	`# - Assumes you're on a residential connection`
8	`#`
9	`{ config, pkgs, lib, ... }:`
10
11	`let`
12	`domain = "chat.tonybtw.com";`
13	`mucDomain = "conference.chat.tonybtw.com";`
14	`uploadDomain = "upload.chat.tonybtw.com";`
15	`in`
16	`{`
17	`services.prosody = {`
18	`enable = true;`
19
20	`# Package with community modules`
21	`package = pkgs.prosody.override {`
22	`withCommunityModules = [`
23	`"http_upload"`
24	`"cloud_notify"`
25	`"bookmarks2"`
26	`"smacks"`
27	`];`
28	`};`
29
30	`# Admin accounts (create these after deployment)`
31	`admins = [ "tony@${domain}" ]; # CHANGE THIS to your username`
32
33	`# SSL certificates (managed by ACME in home-server-base.nix)`
34	`ssl = {`
35	`cert = "/var/lib/acme/${domain}/fullchain.pem";`
36	`key = "/var/lib/acme/${domain}/key.pem";`
37	`};`
38
39	`# File uploads (100MB limit)`
40	`uploadHttp = {`
41	`domain = uploadDomain;`
42	`uploadFileSizeLimit = "100 * 1024 * 1024";`
43	`uploadExpireAfter = "60 * 60 * 24 * 30"; # 30 days`
44	`};`
45
46	`# Multi-User Chat (group chat rooms)`
47	`muc = [`
48	`{`
49	`domain = mucDomain;`
50	`name = "Tony's Chat Rooms";`
51	`restrictRoomCreation = false; # Anyone can create rooms`
52	`maxHistoryMessages = 50;`
53	`}`
54	`];`
55
56	`# Main XMPP domain`
57	`virtualHosts.${domain} = {`
58	`enabled = true;`
59	`domain = domain;`
60	`ssl = {`
61	`cert = "/var/lib/acme/${domain}/fullchain.pem";`
62	`key = "/var/lib/acme/${domain}/key.pem";`
63	`};`
64	`};`
65
66	`# Modern XMPP features`
67	`modules = {`
68	`# Core`
69	`roster = true;`
70	`saslauth = true;`
71	`tls = true;`
72	`dialback = true;`
73	`disco = true;`
74
75	`# Modern messaging`
76	`carbons = true;`
77	`mam = true;`
78	`smacks = true;`
79	`csi = true;`
80	`cloud_notify = true;`
81
82	`# Privacy`
83	`blocklist = true;`
84	`bookmarks = true;`
85	`bookmarks2 = true;`
86
87	`# Convenience`
88	`ping = true;`
89	`register = false; # Manual account creation only`
90	`admin_adhoc = true;`
91	`admin_telnet = true;`
92
93	`# HTTP`
94	`http_files = true;`
95	`http_upload = true;`
96
97	`# MUC`
98	`muc_mam = true;`
99	`};`
100
101	`extraConfig = ''`
102	`-- Logging`
103	`log = {`
104	`info = "/var/log/prosody/prosody.log";`
105	`error = "/var/log/prosody/prosody.err";`
106	`"*syslog";`
107	`}`
108
109	`-- Message history (keep for 1 year)`
110	`archive_expires_after = "1y"`
111	`mam_default_config = { always = true }`
112
113	`-- Connection settings`
114	`c2s_stanza_size_limit = 256 * 1024 -- 256KB`
115
116	`-- TLS settings`
117	`ssl = {`
118	`protocol = "tlsv1_2+";`
119	`ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL";`
120	`options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };`
121	`}`
122
123	`-- OMEMO encryption support`
124	`modules_enabled = { "omemo_all_access" }`
125
126	`-- Disable federation if you only want private server (optional)`
127	`-- Uncomment to prevent federation with other XMPP servers:`
128	`-- modules_disabled = { "s2s" }`
129	`'';`
130	`};`
131
132	`# Create log directory`
133	`systemd.tmpfiles.rules = [`
134	`"d /var/log/prosody 0750 prosody prosody -"`
135	`];`
136
137	`# Optional: Nginx reverse proxy for XMPP web client (if you want one later)`
138	`# services.nginx.virtualHosts."${domain}" = {`
139	`# enableACME = true;`
140	`# forceSSL = true;`
141	`# locations."/" = {`
142	`# # Could serve a web client like Converse.js here`
143	`# root = "/var/www/xmpp";`
144	`# };`
145	`# };`
146	`}`