# NixOS module for the ejabberd (XMPP) service of the immae.fr domain.
# When `myServices.ejabberd.enable` is set it wires up, in one place:
#   - the "immae.fr" DNS zone records the XMPP deployment relies on,
#   - an ACME certificate shared by the XMPP hosts,
#   - firewall rules, the ejabberd package/config and its secret files,
#   - a postfix alias that forwards mail for `ejabberd` to an XMPP notifier.
# Nix-level comments only; nothing inside the '' strings is commented
# because those strings are written verbatim into YAML/shell files.
{ lib, pkgs, config, mypackages-lib, ... }:
let
  cfg = config.myServices.ejabberd;
in
{
  options.myServices = {
    ejabberd.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable ejabberd service.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # DNS zone for immae.fr. `zoneHeader`, `mailMX`, `mailCommon`, `ips`,
    # `servers` and `letsencrypt` are presumably provided by the
    # `dns.helpers` attribute set brought in by `with` — they are not
    # defined in this file, so verify their semantics in that helper.
    myServices.dns.zones."immae.fr" = with config.myServices.dns.helpers;
      lib.mkMerge [
        {
          extraConfig = ''
            notify yes;
          '';
          slaves = [ "raito" ];
          emailPolicies."".receive = true;
        }
        zoneHeader
        mailMX
        (mailCommon "immae.fr")
        (ips servers.eldiron.ips.main)
        {
          ns = [ "immae" "raito" ];
          # CAA record restricting which CA may issue for this zone
          # (value comes from the helpers set; assumed to name Let's Encrypt).
          CAA = letsencrypt;
          subdomains.www = ips servers.eldiron.ips.production;
          subdomains.im = ips servers.eldiron.ips.main;
          subdomains.conference = ips servers.eldiron.ips.main;
          subdomains.pubsub = ips servers.eldiron.ips.main;
          subdomains.proxy = ips servers.eldiron.ips.main;
          subdomains.upload = ips servers.eldiron.ips.main;
          # XEP-0156 style discovery records: both endpoints point at
          # im.immae.fr over https/wss only, so web clients never get a
          # plaintext BOSH/WebSocket URL from DNS.
          subdomains._xmppconnect.TXT = [
            "_xmpp-client-xbosh=https://im.immae.fr/bosh"
            "_xmpp-client-websocket=wss://im.immae.fr/ws"
          ];
        }
      ];

    # ACME certificate used by ejabberd. The primary name is the host
    # (eldiron.immae.eu); the XMPP domain and its service subdomains are
    # SANs. `im.immae.fr` is NOT in this list — it is expected to be served
    # by the `websites.tools.im` module enabled below with its own cert
    # (TODO confirm). `postRun` restarts ejabberd so a renewed cert is
    # actually loaded instead of serving the expired one until next boot.
    security.acme.certs = {
      "ejabberd" = {
        group = "ejabberd";
        domain = "eldiron.immae.eu";
        keyType = "rsa4096";
        postRun = ''
          systemctl restart ejabberd.service
        '';
        extraDomainNames = [ "immae.fr" "conference.immae.fr" "proxy.immae.fr" "pubsub.immae.fr" "upload.immae.fr" ];
      };
    };
    # 5222 = client-to-server, 5269 = server-to-server. No other ejabberd
    # port (admin, file transfer proxy, …) is opened by this module.
    networking.firewall.allowedTCPPorts = [ 5222 5269 ];
    myServices.websites.tools.im.enable = true;
    # Erlang crash dumps are a memory snapshot of the VM and may therefore
    # contain credentials loaded from the secret files below; removing them
    # after every stop keeps them from accumulating in the log directory.
    systemd.services.ejabberd.postStop = ''
      rm /var/log/ejabberd/erl_crash*.dump
    '';
    # Secret fragments of the ejabberd configuration. Both files embed
    # passwords, hence mode 0400 owned by the service user. Their contents
    # are interpolated from `config.myEnv` at Nix evaluation time.
    # NOTE(review): whether that keeps the passwords out of the
    # world-readable Nix store depends on the custom `secrets` module, which
    # is not visible here — confirm it writes to `secrets.fullPaths` only.
    secrets.keys = {
      "ejabberd/psql.yml" = {
        permissions = "0400";
        user = "ejabberd";
        group = "ejabberd";
        # PostgreSQL is reached on localhost; no TLS option is set in this
        # fragment, so the DB connection relies on loopback (or the
        # not-visible ejabberd.yml template) for confidentiality.
        text = ''
          sql_type: pgsql
          sql_server: "localhost"
          sql_database: "${config.myEnv.jabber.postgresql.database}"
          sql_username: "${config.myEnv.jabber.postgresql.user}"
          sql_password: "${config.myEnv.jabber.postgresql.password}"
        '';
      };
      "ejabberd/host.yml" = {
        permissions = "0400";
        user = "ejabberd";
        group = "ejabberd";
        # Per-host config for the immae.fr XMPP domain: authentication is
        # delegated to LDAP, with `ldap_encrypt: tls` so the bind DN
        # password and user lookups do not cross the network in clear.
        # `ldap_uids` maps both `uid` and `immaeXmppUid` to the JID node.
        text = ''
          host_config:
            "immae.fr":
              domain_certfile: "${config.security.acme.certs.ejabberd.directory}/full.pem"
              auth_method: [ldap]
              ldap_servers: ["${config.myEnv.jabber.ldap.host}"]
              ldap_encrypt: tls
              ldap_rootdn: "${config.myEnv.jabber.ldap.dn}"
              ldap_password: "${config.myEnv.jabber.ldap.password}"
              ldap_base: "${config.myEnv.jabber.ldap.base}"
              ldap_uids:
                uid: "%u"
                immaeXmppUid: "%u"
              ldap_filter: "${config.myEnv.jabber.ldap.filter}"
        '';
      };
    };
    # Membership of "keys" presumably grants read access to the deployed
    # secret files referenced through `config.secrets.fullPaths`.
    users.users.ejabberd.extraGroups = [ "keys" ];
    services.ejabberd = {
      package = pkgs.ejabberd.override { withPgsql = true; };
      imagemagick = true;
      enable = true;
      ctlConfig = ''
        ERLANG_NODE=ejabberd@localhost
      '';
      # The main config is rendered in the Nix store from ./ejabberd.yml
      # (not visible here). Only *paths* to the secret files are substituted
      # in, so the rendered file itself carries no password; the cert and
      # CA bundle paths are substituted the same way.
      configFile = pkgs.runCommand "ejabberd.yml" {
        certificatePrivateKeyAndFullChain = "${config.security.acme.certs.ejabberd.directory}/full.pem";
        certificateCA = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
        sql_config_file = config.secrets.fullPaths."ejabberd/psql.yml";
        host_config_file = config.secrets.fullPaths."ejabberd/host.yml";
      } ''
        substituteAll ${./ejabberd.yml} $out
      '';
    };
    # Credentials for the XMPP notification bot used by the postfix script.
    # The password is left as a `{{ … }}` placeholder, presumably filled in
    # by the secrets deployment step rather than at Nix evaluation time.
    secrets.keys."postfix/scripts/ejabberd-env" = {
      user = "postfixscripts";
      group = "root";
      permissions = "0400";
      text = builtins.toJSON {
        jid = "notify_bot@immae.fr";
        password = "{{ .xmpp.notify_bot }}";
      };
    };
    # Mail addressed to `ejabberd` is piped into warn_xmpp_email.py, which
    # runs from a separately pinned nixpkgs (commit + sha256) so the Python
    # environment (slixmpp, unidecode) is reproducible and its source
    # tarball integrity-checked independently of the system nixpkgs.
    services.postfix.extraAliases = let
      nixpkgs = builtins.fetchTarball {
        url = "https://github.com/NixOS/nixpkgs/archive/840c782d507d60aaa49aa9e3f6d0b0e780912742.tar.gz";
        sha256 = "14q3kvnmgz19pgwyq52gxx0cs90ddf24pnplmq33pdddbb6c51zn";
      };
      pkgs' = import nixpkgs { inherit (pkgs) system; overlays = []; };
      # Builds the notifier script with the path to its env file baked in.
      warn_xmpp_email = scriptEnv: pkgs'.runCommand "warn_xmpp_email" {
        inherit scriptEnv;
        pythonEnv = pkgs'.python3.withPackages (ps: [
          ps.unidecode ps.slixmpp
        ]);
      } ''
        substituteAll ${./warn_xmpp_email.py} $out
        chmod a+x $out
      '';
    in ''
      ejabberd: "|${mypackages-lib.postfixScript pkgs "ejabberd" (warn_xmpp_email config.secrets.fullPaths."postfix/scripts/ejabberd-env")}"
    '';
  };
}