nixos-dotfiles

https://git.tonybtw.com/nixos-dotfiles.git git://git.tonybtw.com/nixos-dotfiles.git

5,537 bytes raw

# xmpp.nix - Prosody XMPP server configuration
# A modern, privacy-focused alternative to Discord
#
# Usage:
#   1. Import this module in your configuration.nix
#   2. Update "yourdomain.com" to your actual domain
#   3. nixos-rebuild switch
#   4. Create user accounts: prosodyctl adduser user@yourdomain.com
#
{ config, pkgs, lib, ... }:

let
  domain = "yourdomain.com";  # CHANGE THIS to your domain
  mucDomain = "conference.${domain}";
  uploadDomain = "upload.${domain}";
in
{
  services.prosody = {
    enable = true;

    # Package with community modules for modern XMPP features
    package = pkgs.prosody.override {
      withCommunityModules = [
        "http_upload"
        "cloud_notify"
        "bookmarks2"
        "smacks"
      ];
    };

    # Admin users (can create/delete rooms, manage users, see server stats)
    # Add accounts here AFTER you create them with prosodyctl
    admins = [ "admin@${domain}" ];

    # SSL/TLS certificates (Let's Encrypt)
    ssl = {
      cert = "/var/lib/acme/${domain}/fullchain.pem";
      key = "/var/lib/acme/${domain}/key.pem";
    };

    # File uploads (for images, documents, etc.)
    # Users can share files up to 100MB
    uploadHttp = {
      domain = uploadDomain;
      uploadFileSizeLimit = "100 * 1024 * 1024";  # 100MB
      uploadExpireAfter = "60 * 60 * 24 * 30";    # 30 days
    };

    # Group chat (Multi-User Chat / MUC)
    # This is where your channels/rooms live
    muc = [
      {
        domain = mucDomain;
        name = "Chat Rooms";
        restrictRoomCreation = false;  # Anyone can create rooms
        maxHistoryMessages = 50;       # Room history sent to new joiners
      }
    ];

    # Your main XMPP domain
    virtualHosts.${domain} = {
      enabled = true;
      domain = domain;
      ssl = {
        cert = "/var/lib/acme/${domain}/fullchain.pem";
        key = "/var/lib/acme/${domain}/key.pem";
      };
    };

    # Enable modern XMPP features
    modules = {
      # Core features
      roster = true;              # Contact lists
      saslauth = true;            # Authentication
      tls = true;                 # Encryption in transit
      dialback = true;            # Server-to-server auth
      disco = true;               # Service discovery

      # Modern messaging features
      carbons = true;             # Sync messages across devices
      mam = true;                 # Message history (Message Archive Management)
      smacks = true;              # Stream management (better mobile connections)
      csi = true;                 # Client state indication (battery saving)
      cloud_notify = true;        # Push notifications

      # Privacy and security
      blocklist = true;           # Block unwanted users
      bookmarks = true;           # Save favorite rooms
      bookmarks2 = true;          # Modern bookmarks (XEP-0402)

      # Convenience
      ping = true;                # Keep-alive
      register = false;           # Disable public registration (you create accounts manually)
      admin_adhoc = true;         # Admin commands via client
      admin_telnet = true;        # Admin console (telnet to localhost:5582)

      # HTTP
      http_files = true;          # Serve files over HTTP
      http_upload = true;         # File upload support

      # Room features
      muc_mam = true;             # Message history in group chats
    };

    # Extra configuration (Lua)
    extraConfig = ''
      -- Logging
      log = {
        info = "/var/log/prosody/prosody.log";
        error = "/var/log/prosody/prosody.err";
        "*syslog";
      }

      -- Message Archive Management (history) settings
      archive_expires_after = "1y"  -- Keep messages for 1 year
      mam_default_config = { always = true }  -- Enable history by default

      -- Connection limits
      c2s_stanza_size_limit = 256 * 1024  -- 256KB (for file upload stanzas)

      -- TLS/SSL settings
      ssl = {
        protocol = "tlsv1_2+";
        ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL";
        options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
      }

      -- Certificates for additional domains
      certificates = "/var/lib/acme"

      -- Enable OMEMO encryption support
      modules_enabled = { "omemo_all_access" }
    '';
  };

  # Let's Encrypt for SSL certificates
  security.acme = {
    acceptTerms = true;
    defaults.email = "admin@${domain}";  # CHANGE THIS to your email

    certs.${domain} = {
      group = "prosody";

      # Reload Prosody after certificate renewal
      postRun = "systemctl reload prosody.service";

      # Extra domain names (for MUC and uploads)
      extraDomainNames = [ mucDomain uploadDomain ];
    };
  };

  # Open firewall ports
  networking.firewall.allowedTCPPorts = [
    5222  # Client-to-server (C2S) - your friends connect here
    5269  # Server-to-server (S2S) - federation with other XMPP servers (optional)
    5281  # HTTPS for file uploads and admin interface
  ];

  # Create log directory
  systemd.tmpfiles.rules = [
    "d /var/log/prosody 0750 prosody prosody -"
  ];

  # Optional: Firewall rules to rate-limit connection attempts
  # Uncomment to prevent brute-force attacks
  # networking.firewall.extraCommands = ''
  #   iptables -A INPUT -p tcp --dport 5222 -m state --state NEW -m recent --set
  #   iptables -A INPUT -p tcp --dport 5222 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
  # '';
}

1	`# xmpp.nix - Prosody XMPP server configuration`
2	`# A modern, privacy-focused alternative to Discord`
3	`#`
4	`# Usage:`
5	`# 1. Import this module in your configuration.nix`
6	`# 2. Update "yourdomain.com" to your actual domain`
7	`# 3. nixos-rebuild switch`
8	`# 4. Create user accounts: prosodyctl adduser user@yourdomain.com`
9	`#`
10	`{ config, pkgs, lib, ... }:`
11
12	`let`
13	`domain = "yourdomain.com"; # CHANGE THIS to your domain`
14	`mucDomain = "conference.${domain}";`
15	`uploadDomain = "upload.${domain}";`
16	`in`
17	`{`
18	`services.prosody = {`
19	`enable = true;`
20
21	`# Package with community modules for modern XMPP features`
22	`package = pkgs.prosody.override {`
23	`withCommunityModules = [`
24	`"http_upload"`
25	`"cloud_notify"`
26	`"bookmarks2"`
27	`"smacks"`
28	`];`
29	`};`
30
31	`# Admin users (can create/delete rooms, manage users, see server stats)`
32	`# Add accounts here AFTER you create them with prosodyctl`
33	`admins = [ "admin@${domain}" ];`
34
35	`# SSL/TLS certificates (Let's Encrypt)`
36	`ssl = {`
37	`cert = "/var/lib/acme/${domain}/fullchain.pem";`
38	`key = "/var/lib/acme/${domain}/key.pem";`
39	`};`
40
41	`# File uploads (for images, documents, etc.)`
42	`# Users can share files up to 100MB`
43	`uploadHttp = {`
44	`domain = uploadDomain;`
45	`uploadFileSizeLimit = "100 * 1024 * 1024"; # 100MB`
46	`uploadExpireAfter = "60 * 60 * 24 * 30"; # 30 days`
47	`};`
48
49	`# Group chat (Multi-User Chat / MUC)`
50	`# This is where your channels/rooms live`
51	`muc = [`
52	`{`
53	`domain = mucDomain;`
54	`name = "Chat Rooms";`
55	`restrictRoomCreation = false; # Anyone can create rooms`
56	`maxHistoryMessages = 50; # Room history sent to new joiners`
57	`}`
58	`];`
59
60	`# Your main XMPP domain`
61	`virtualHosts.${domain} = {`
62	`enabled = true;`
63	`domain = domain;`
64	`ssl = {`
65	`cert = "/var/lib/acme/${domain}/fullchain.pem";`
66	`key = "/var/lib/acme/${domain}/key.pem";`
67	`};`
68	`};`
69
70	`# Enable modern XMPP features`
71	`modules = {`
72	`# Core features`
73	`roster = true; # Contact lists`
74	`saslauth = true; # Authentication`
75	`tls = true; # Encryption in transit`
76	`dialback = true; # Server-to-server auth`
77	`disco = true; # Service discovery`
78
79	`# Modern messaging features`
80	`carbons = true; # Sync messages across devices`
81	`mam = true; # Message history (Message Archive Management)`
82	`smacks = true; # Stream management (better mobile connections)`
83	`csi = true; # Client state indication (battery saving)`
84	`cloud_notify = true; # Push notifications`
85
86	`# Privacy and security`
87	`blocklist = true; # Block unwanted users`
88	`bookmarks = true; # Save favorite rooms`
89	`bookmarks2 = true; # Modern bookmarks (XEP-0402)`
90
91	`# Convenience`
92	`ping = true; # Keep-alive`
93	`register = false; # Disable public registration (you create accounts manually)`
94	`admin_adhoc = true; # Admin commands via client`
95	`admin_telnet = true; # Admin console (telnet to localhost:5582)`
96
97	`# HTTP`
98	`http_files = true; # Serve files over HTTP`
99	`http_upload = true; # File upload support`
100
101	`# Room features`
102	`muc_mam = true; # Message history in group chats`
103	`};`
104
105	`# Extra configuration (Lua)`
106	`extraConfig = ''`
107	`-- Logging`
108	`log = {`
109	`info = "/var/log/prosody/prosody.log";`
110	`error = "/var/log/prosody/prosody.err";`
111	`"*syslog";`
112	`}`
113
114	`-- Message Archive Management (history) settings`
115	`archive_expires_after = "1y" -- Keep messages for 1 year`
116	`mam_default_config = { always = true } -- Enable history by default`
117
118	`-- Connection limits`
119	`c2s_stanza_size_limit = 256 * 1024 -- 256KB (for file upload stanzas)`
120
121	`-- TLS/SSL settings`
122	`ssl = {`
123	`protocol = "tlsv1_2+";`
124	`ciphers = "HIGH+kEDH:HIGH+kEECDH:HIGH:!PSK:!SRP:!3DES:!aNULL";`
125	`options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };`
126	`}`
127
128	`-- Certificates for additional domains`
129	`certificates = "/var/lib/acme"`
130
131	`-- Enable OMEMO encryption support`
132	`modules_enabled = { "omemo_all_access" }`
133	`'';`
134	`};`
135
136	`# Let's Encrypt for SSL certificates`
137	`security.acme = {`
138	`acceptTerms = true;`
139	`defaults.email = "admin@${domain}"; # CHANGE THIS to your email`
140
141	`certs.${domain} = {`
142	`group = "prosody";`
143
144	`# Reload Prosody after certificate renewal`
145	`postRun = "systemctl reload prosody.service";`
146
147	`# Extra domain names (for MUC and uploads)`
148	`extraDomainNames = [ mucDomain uploadDomain ];`
149	`};`
150	`};`
151
152	`# Open firewall ports`
153	`networking.firewall.allowedTCPPorts = [`
154	`5222 # Client-to-server (C2S) - your friends connect here`
155	`5269 # Server-to-server (S2S) - federation with other XMPP servers (optional)`
156	`5281 # HTTPS for file uploads and admin interface`
157	`];`
158
159	`# Create log directory`
160	`systemd.tmpfiles.rules = [`
161	`"d /var/log/prosody 0750 prosody prosody -"`
162	`];`
163
164	`# Optional: Firewall rules to rate-limit connection attempts`
165	`# Uncomment to prevent brute-force attacks`
166	`# networking.firewall.extraCommands = ''`
167	`# iptables -A INPUT -p tcp --dport 5222 -m state --state NEW -m recent --set`
168	`# iptables -A INPUT -p tcp --dport 5222 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP`
169	`# '';`
170	`}`