--- /dev/null
+{ lib, pkgs, config, mypackages-lib, ... }:
+let
+ cfg = config.myServices.ejabberd;
+in
+{
+ options.myServices = {
+ ejabberd.enable = lib.mkOption {
+ type = lib.types.bool;
+ default = false;
+ description = ''
+ Whether to enable ejabberd service.
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ myServices.dns.zones."immae.fr" = with config.myServices.dns.helpers;
+ lib.mkMerge [
+ {
+ extraConfig = ''
+ notify yes;
+ '';
+ slaves = [ "raito" ];
+ emailPolicies."".receive = true;
+ }
+ zoneHeader
+ mailMX
+ (mailCommon "immae.fr")
+ (ips servers.eldiron.ips.main)
+ {
+ ns = [ "immae" "raito" ];
+ CAA = letsencrypt;
+ subdomains.www = ips servers.eldiron.ips.production;
+ subdomains.im = ips servers.eldiron.ips.main;
+ subdomains.conference = ips servers.eldiron.ips.main;
+ subdomains.pubsub = ips servers.eldiron.ips.main;
+ subdomains.proxy = ips servers.eldiron.ips.main;
+ subdomains.upload = ips servers.eldiron.ips.main;
+ subdomains._xmppconnect.TXT = [
+ "_xmpp-client-xbosh=https://im.immae.fr/bosh"
+ "_xmpp-client-websocket=wss://im.immae.fr/ws"
+ ];
+ }
+ ];
+
+ security.acme.certs = {
+ "ejabberd" = {
+ group = "ejabberd";
+ domain = "eldiron.immae.eu";
+ keyType = "rsa4096";
+ postRun = ''
+ systemctl restart ejabberd.service
+ '';
+ extraDomainNames = [ "immae.fr" "conference.immae.fr" "proxy.immae.fr" "pubsub.immae.fr" "upload.immae.fr" ];
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 5222 5269 ];
+ myServices.websites.tools.im.enable = true;
+ systemd.services.ejabberd.postStop = ''
+ rm /var/log/ejabberd/erl_crash*.dump
+ '';
+ secrets.keys = {
+ "ejabberd/psql.yml" = {
+ permissions = "0400";
+ user = "ejabberd";
+ group = "ejabberd";
+ text = ''
+ sql_type: pgsql
+ sql_server: "localhost"
+ sql_database: "${config.myEnv.jabber.postgresql.database}"
+ sql_username: "${config.myEnv.jabber.postgresql.user}"
+ sql_password: "${config.myEnv.jabber.postgresql.password}"
+ '';
+ };
+ "ejabberd/host.yml" = {
+ permissions = "0400";
+ user = "ejabberd";
+ group = "ejabberd";
+ text = ''
+ host_config:
+ "immae.fr":
+ domain_certfile: "${config.security.acme.certs.ejabberd.directory}/full.pem"
+ auth_method: [ldap]
+ ldap_servers: ["${config.myEnv.jabber.ldap.host}"]
+ ldap_encrypt: tls
+ ldap_rootdn: "${config.myEnv.jabber.ldap.dn}"
+ ldap_password: "${config.myEnv.jabber.ldap.password}"
+ ldap_base: "${config.myEnv.jabber.ldap.base}"
+ ldap_uids:
+ uid: "%u"
+ immaeXmppUid: "%u"
+ ldap_filter: "${config.myEnv.jabber.ldap.filter}"
+ '';
+ };
+ };
+ users.users.ejabberd.extraGroups = [ "keys" ];
+ services.ejabberd = {
+ package = pkgs.ejabberd.override { withPgsql = true; };
+ imagemagick = true;
+ enable = true;
+ ctlConfig = ''
+ ERLANG_NODE=ejabberd@localhost
+ '';
+ configFile = pkgs.runCommand "ejabberd.yml" {
+ certificatePrivateKeyAndFullChain = "${config.security.acme.certs.ejabberd.directory}/full.pem";
+ certificateCA = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+ sql_config_file = config.secrets.fullPaths."ejabberd/psql.yml";
+ host_config_file = config.secrets.fullPaths."ejabberd/host.yml";
+ } ''
+ substituteAll ${./ejabberd.yml} $out
+ '';
+ };
+ secrets.keys."postfix/scripts/ejabberd-env" = {
+ user = "postfixscripts";
+ group = "root";
+ permissions = "0400";
+ text = builtins.toJSON {
+ jid = "notify_bot@immae.fr";
+ password = "{{ .xmpp.notify_bot }}";
+ };
+ };
+ services.postfix.extraAliases = let
+ nixpkgs = builtins.fetchTarball {
+ url = "https://github.com/NixOS/nixpkgs/archive/840c782d507d60aaa49aa9e3f6d0b0e780912742.tar.gz";
+ sha256 = "14q3kvnmgz19pgwyq52gxx0cs90ddf24pnplmq33pdddbb6c51zn";
+ };
+ pkgs' = import nixpkgs { inherit (pkgs) system; overlays = []; };
+ warn_xmpp_email = scriptEnv: pkgs'.runCommand "warn_xmpp_email" {
+ inherit scriptEnv;
+ pythonEnv = pkgs'.python3.withPackages (ps: [
+ ps.unidecode ps.slixmpp
+ ]);
+ } ''
+ substituteAll ${./warn_xmpp_email.py} $out
+ chmod a+x $out
+ '';
+ in ''
+ ejabberd: "|${mypackages-lib.postfixScript pkgs "ejabberd" (warn_xmpp_email config.secrets.fullPaths."postfix/scripts/ejabberd-env")}"
+ '';
+ };
+}