Squash changes containing private information
diff --git a/systems/eldiron/ejabberd/default.nix b/systems/eldiron/ejabberd/default.nix
new file mode 100644 (file)
index 0000000..5268516
--- /dev/null
@@ -0,0 +1,141 @@
+{ lib, pkgs, config, mypackages-lib, ... }:
+let
+  cfg = config.myServices.ejabberd;
+in
+{
+  options.myServices = {
+    ejabberd.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to enable ejabberd service.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    myServices.dns.zones."immae.fr" = with config.myServices.dns.helpers;
+      lib.mkMerge [
+        {
+          extraConfig = ''
+            notify yes;
+          '';
+          slaves = [ "raito" ];
+          emailPolicies."".receive = true;
+        }
+        zoneHeader
+        mailMX
+        (mailCommon "immae.fr")
+        (ips servers.eldiron.ips.main)
+        {
+          ns = [ "immae" "raito" ];
+          CAA = letsencrypt;
+          subdomains.www = ips servers.eldiron.ips.production;
+          subdomains.im = ips servers.eldiron.ips.main;
+          subdomains.conference = ips servers.eldiron.ips.main;
+          subdomains.pubsub = ips servers.eldiron.ips.main;
+          subdomains.proxy = ips servers.eldiron.ips.main;
+          subdomains.upload = ips servers.eldiron.ips.main;
+          subdomains._xmppconnect.TXT = [
+            "_xmpp-client-xbosh=https://im.immae.fr/bosh"
+            "_xmpp-client-websocket=wss://im.immae.fr/ws"
+          ];
+        }
+      ];
+
+    security.acme.certs = {
+      "ejabberd" = {
+        group = "ejabberd";
+        domain = "eldiron.immae.eu";
+        keyType = "rsa4096";
+        postRun = ''
+          systemctl restart ejabberd.service
+          '';
+        extraDomainNames = [ "immae.fr" "conference.immae.fr" "proxy.immae.fr" "pubsub.immae.fr" "upload.immae.fr" ];
+      };
+    };
+    networking.firewall.allowedTCPPorts = [ 5222 5269 ];
+    myServices.websites.tools.im.enable = true;
+    systemd.services.ejabberd.postStop = ''
+      rm /var/log/ejabberd/erl_crash*.dump
+      '';
+    secrets.keys = {
+      "ejabberd/psql.yml" = {
+        permissions = "0400";
+        user = "ejabberd";
+        group = "ejabberd";
+        text = ''
+          sql_type: pgsql
+          sql_server: "localhost"
+          sql_database: "${config.myEnv.jabber.postgresql.database}"
+          sql_username: "${config.myEnv.jabber.postgresql.user}"
+          sql_password: "${config.myEnv.jabber.postgresql.password}"
+          '';
+      };
+      "ejabberd/host.yml" = {
+        permissions = "0400";
+        user = "ejabberd";
+        group = "ejabberd";
+        text = ''
+          host_config:
+            "immae.fr":
+              domain_certfile: "${config.security.acme.certs.ejabberd.directory}/full.pem"
+              auth_method: [ldap]
+              ldap_servers: ["${config.myEnv.jabber.ldap.host}"]
+              ldap_encrypt: tls
+              ldap_rootdn: "${config.myEnv.jabber.ldap.dn}"
+              ldap_password: "${config.myEnv.jabber.ldap.password}"
+              ldap_base: "${config.myEnv.jabber.ldap.base}"
+              ldap_uids:
+                uid: "%u"
+                immaeXmppUid: "%u"
+              ldap_filter: "${config.myEnv.jabber.ldap.filter}"
+          '';
+      };
+    };
+    users.users.ejabberd.extraGroups = [ "keys" ];
+    services.ejabberd = {
+      package = pkgs.ejabberd.override { withPgsql = true; };
+      imagemagick = true;
+      enable = true;
+      ctlConfig = ''
+        ERLANG_NODE=ejabberd@localhost
+      '';
+      configFile = pkgs.runCommand "ejabberd.yml" {
+        certificatePrivateKeyAndFullChain = "${config.security.acme.certs.ejabberd.directory}/full.pem";
+        certificateCA = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+        sql_config_file = config.secrets.fullPaths."ejabberd/psql.yml";
+        host_config_file = config.secrets.fullPaths."ejabberd/host.yml";
+      } ''
+        substituteAll ${./ejabberd.yml} $out
+        '';
+    };
+    secrets.keys."postfix/scripts/ejabberd-env" = {
+      user = "postfixscripts";
+      group = "root";
+      permissions = "0400";
+      text = builtins.toJSON {
+        jid = "notify_bot@immae.fr";
+        password = "{{ .xmpp.notify_bot }}";
+      };
+    };
+    services.postfix.extraAliases = let
+      nixpkgs = builtins.fetchTarball {
+        url = "https://github.com/NixOS/nixpkgs/archive/840c782d507d60aaa49aa9e3f6d0b0e780912742.tar.gz";
+        sha256 = "14q3kvnmgz19pgwyq52gxx0cs90ddf24pnplmq33pdddbb6c51zn";
+      };
+      pkgs' = import nixpkgs { inherit (pkgs) system; overlays = []; };
+      warn_xmpp_email = scriptEnv: pkgs'.runCommand "warn_xmpp_email" {
+        inherit scriptEnv;
+        pythonEnv = pkgs'.python3.withPackages (ps: [
+          ps.unidecode ps.slixmpp
+        ]);
+      } ''
+        substituteAll ${./warn_xmpp_email.py} $out
+        chmod a+x $out
+      '';
+    in ''
+      ejabberd: "|${mypackages-lib.postfixScript pkgs "ejabberd" (warn_xmpp_email config.secrets.fullPaths."postfix/scripts/ejabberd-env")}"
+    '';
+  };
+}
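Review bot: The `postStop` hook at `rm /var/log/ejabberd/erl_crash*.dump` fails whenever no crash dump exists, because an unmatched glob is passed to `rm` literally and it returns non-zero, so every clean stop logs a failed `ExecStopPost`; `rm -f /var/log/ejabberd/erl_crash*.dump` makes the cleanup idempotent. The same hook deletes dumps only when the unit stops, so a dump produced by a crash sits in `/var/log/ejabberd` until the next stop; if these dumps are considered sensitive (Erlang crash dumps can carry process state), a comment recording that trade-off would help the next reader. The `ejabberd/psql.yml` and `ejabberd/host.yml` entries interpolate `config.myEnv.jabber.postgresql.password` and `config.myEnv.jabber.ldap.password` straight into `text`, whereas `postfix/scripts/ejabberd-env` uses a `{{ .xmpp.notify_bot }}` placeholder; it is worth confirming that the `secrets.keys` module keeps inline `text` out of the world-readable Nix store, and, if it does not, switching those two files to the same placeholder form. The `builtins.fetchTarball` in `services.postfix.extraAliases` is pinned by `sha256`, so it is reproducible, but a short comment on why a second nixpkgs revision is imported there (presumably a version of `slixmpp` or `unidecode` not available in the main `pkgs`) would save a future maintainer from trying to fold it back.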