1 { lib, pkgs, config, mypackages-lib, ... }:
2 let
3 cfg = config.myServices.ejabberd;
4 in
5 {
# Master switch for this module. Everything under `config` below is wrapped
# in `lib.mkIf cfg.enable`, so leaving the default in place keeps a host
# untouched until it explicitly opts in.
options.myServices.ejabberd.enable = lib.mkOption {
  type = lib.types.bool;
  default = false;
  description = ''
    Whether to enable ejabberd service.
  '';
};
15
16 config = lib.mkIf cfg.enable {
# DNS zone for immae.fr, assembled from the shared zone helpers. Every
# XMPP-facing name (im, conference, pubsub, proxy, upload) resolves to
# eldiron's main address; only the web front-end (www) points at the
# production address.
myServices.dns.zones."immae.fr" =
  let
    helpers = config.myServices.dns.helpers;
    eldiron = helpers.servers.eldiron.ips;
    onMain = helpers.ips eldiron.main;
  in
  lib.mkMerge [
    {
      # `raito` is both secondary NS and transfer target; `notify yes`
      # pushes updates to it. The helper presumably restricts AXFR to the
      # listed slaves — confirm in the generated allow-transfer.
      extraConfig = ''
        notify yes;
      '';
      slaves = [ "raito" ];
      emailPolicies."".receive = true;
    }
    helpers.zoneHeader
    helpers.mailMX
    (helpers.mailCommon "immae.fr")
    onMain
    {
      ns = [ "immae" "raito" ];
      # CAA pins certificate issuance to Let's Encrypt, matching the ACME
      # certificate this module requests for the XMPP hosts.
      CAA = helpers.letsencrypt;
      subdomains = {
        www = helpers.ips eldiron.production;
        im = onMain;
        conference = onMain;
        pubsub = onMain;
        proxy = onMain;
        upload = onMain;
        # XEP-0156 alternative-connection discovery. DNS itself is not
        # authenticated, so both endpoints are deliberately TLS-only
        # (https / wss) and sit under im.immae.fr.
        _xmppconnect.TXT = [
          "_xmpp-client-xbosh=https://im.immae.fr/bosh"
          "_xmpp-client-websocket=wss://im.immae.fr/ws"
        ];
      };
    }
  ];
45
# ACME certificate for the XMPP hosts. It is group-readable by `ejabberd`
# because the daemon loads `full.pem` (key + chain, see the
# `certificatePrivateKeyAndFullChain` substitution in `services.ejabberd`)
# directly as `domain_certfile`. `im.immae.fr` is not covered here; it is
# presumably served over HTTPS by the websites module with its own
# certificate — confirm.
security.acme.certs.ejabberd = {
  domain = "eldiron.immae.eu";
  extraDomainNames = [
    "immae.fr"
    "conference.immae.fr"
    "proxy.immae.fr"
    "pubsub.immae.fr"
    "upload.immae.fr"
  ];
  keyType = "rsa4096";
  group = "ejabberd";
  # A renewal performs a full restart, which drops every c2s/s2s session.
  # NOTE(review): ejabberd can pick up new certificates on a configuration
  # reload; if renewal-time disconnects are a problem, check whether the
  # NixOS unit exposes a reload action and use that instead — verify before
  # changing, since a missed reload leaves an expired cert in service.
  postRun = ''
    systemctl restart ejabberd.service
  '';
};
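# Ports exposed on the host: 5222 (client-to-server) and 5269
# (server-to-server), the registered XMPP ports. HTTPS for the BOSH and
# WebSocket endpoints advertised in the zone is not opened here; the
# `websites.tools.im` module presumably takes care of it. Nothing opens a
# port for `proxy.immae.fr` (mod_proxy65 listens on 7777 by default), so
# confirm that DNS record is intentional if file-transfer proxying is wanted.
networking.firewall.allowedTCPPorts = [ 5222 5269 ];
myServices.websites.tools.im.enable = true;
# Erlang writes a crash dump on abnormal termination. The dump holds the
# heap of every process and can therefore contain the LDAP bind password and
# SQL password that ejabberd reads from the secret files, so it is removed
# whenever the service stops. `-f` is required: when no dump exists (the
# normal case) the unexpanded glob is handed to rm as a literal path, and
# without `-f` the ExecStopPost step exits non-zero on every stop. The
# dump location is assumed to come from the NixOS module's ERL_CRASH_DUMP
# setting — confirm. Note this also destroys the dump before anyone can
# look at it; if post-mortem analysis matters, move it to a restricted
# location instead of deleting.
systemd.services.ejabberd.postStop = ''
  rm -f /var/log/ejabberd/erl_crash*.dump
'';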
# Secret configuration fragments included from ejabberd.yml through the
# `sql_config_file` / `host_config_file` substitutions (see
# `services.ejabberd`). Both carry live credentials, hence mode 0400 for the
# daemon user only. The `secrets` module is assumed to render them outside
# the world-readable Nix store — confirm.
secrets.keys =
  let
    jabber = config.myEnv.jabber;
    ejabberdOnly = text: {
      permissions = "0400";
      user = "ejabberd";
      group = "ejabberd";
      inherit text;
    };
  in
  {
    # PostgreSQL over loopback TCP. No `sql_ssl` is set, so the password
    # crosses the socket in the clear, but it never leaves the host.
    "ejabberd/psql.yml" = ejabberdOnly ''
      sql_type: pgsql
      sql_server: "localhost"
      sql_database: "${jabber.postgresql.database}"
      sql_username: "${jabber.postgresql.user}"
      sql_password: "${jabber.postgresql.password}"
    '';
    # Per-host settings for immae.fr: the ACME certificate requested above
    # and LDAP authentication with a privileged bind DN.
    # NOTE(review): `ldap_encrypt: tls` only turns TLS on. ejabberd's
    # `ldap_tls_verify` defaults to `false`, so the LDAP server's
    # certificate is not checked and anyone able to intercept that path
    # could observe the bind password and the user passwords ejabberd binds
    # with. Unless the LDAP host is on this machine, add
    # `ldap_tls_verify: hard` plus an `ldap_tls_cacertfile` pointing at the
    # issuing CA (the system bundle already used for `certificateCA` if the
    # certificate is publicly issued). Not changed here because a wrong CA
    # path would lock every user out.
    "ejabberd/host.yml" = ejabberdOnly ''
      host_config:
        "immae.fr":
          domain_certfile: "${config.security.acme.certs.ejabberd.directory}/full.pem"
          auth_method: [ldap]
          ldap_servers: ["${jabber.ldap.host}"]
          ldap_encrypt: tls
          ldap_rootdn: "${jabber.ldap.dn}"
          ldap_password: "${jabber.ldap.password}"
          ldap_base: "${jabber.ldap.base}"
          ldap_uids:
            uid: "%u"
            immaeXmppUid: "%u"
          ldap_filter: "${jabber.ldap.filter}"
    '';
  };
# Presumably the group the secrets module uses for its key directory, so
# the daemon can traverse it to reach the 0400 files above — confirm.
users.users.ejabberd.extraGroups = [ "keys" ];
services.ejabberd =
  let
    certDir = config.security.acme.certs.ejabberd.directory;
    # Values substituted for the `@name@` placeholders in ./ejabberd.yml.
    # The rendered file is a Nix store path and therefore world-readable,
    # so only *paths* to the secret includes go in here, never their
    # contents; `certificateCA` is the system trust bundle (presumably for
    # verifying s2s peers — the template is not visible here).
    substitutions = {
      certificatePrivateKeyAndFullChain = "${certDir}/full.pem";
      certificateCA = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
      sql_config_file = config.secrets.fullPaths."ejabberd/psql.yml";
      host_config_file = config.secrets.fullPaths."ejabberd/host.yml";
    };
  in
  {
    enable = true;
    # The pgsql build matches `sql_type: pgsql` in ejabberd/psql.yml.
    package = pkgs.ejabberd.override { withPgsql = true; };
    imagemagick = true;
    # Erlang node name; `@localhost` keeps distribution local to the host.
    ctlConfig = ''
      ERLANG_NODE=ejabberd@localhost
    '';
    configFile = pkgs.runCommand "ejabberd.yml" substitutions ''
      substituteAll ${./ejabberd.yml} $out
    '';
  };
# Credentials for the notification bot used by the mail-to-XMPP alias
# below. Readable only by `postfixscripts`, presumably the user the pipe
# alias runs as — confirm against `mypackages-lib.postfixScript`.
secrets.keys."postfix/scripts/ejabberd-env" = {
  permissions = "0400";
  user = "postfixscripts";
  group = "root";
  text =
    let
      # NOTE(review): `{{ .xmpp.notify_bot }}` is a template placeholder,
      # presumably filled in by the secrets tooling at deploy time rather
      # than stored here — confirm, since otherwise the literal text ends
      # up as the bot's password.
      credentials = {
        jid = "notify_bot@immae.fr";
        password = "{{ .xmpp.notify_bot }}";
      };
    in
    builtins.toJSON credentials;
};
# Pipe alias: mail addressed to `ejabberd@` is fed to a script that relays
# it over XMPP. The script body (./warn_xmpp_email.py) is not visible here;
# it receives untrusted mail on stdin, so its parsing deserves its own
# review.
services.postfix.extraAliases =
  let
    # Pinned nixpkgs snapshot used only for the script's Python environment.
    # The sha256 makes the fetch reproducible, but it also freezes python3,
    # slixmpp and unidecode at that revision: nothing here bumps it, so
    # security fixes to those packages only arrive when the hash is updated
    # by hand.
    pinned = import (builtins.fetchTarball {
      url = "https://github.com/NixOS/nixpkgs/archive/840c782d507d60aaa49aa9e3f6d0b0e780912742.tar.gz";
      sha256 = "14q3kvnmgz19pgwyq52gxx0cs90ddf24pnplmq33pdddbb6c51zn";
    }) { inherit (pkgs) system; overlays = []; };
    pythonEnv = pinned.python3.withPackages (ps: [ ps.unidecode ps.slixmpp ]);
    # `scriptEnv` is the path of the 0400 credentials file, substituted
    # into the script template alongside `pythonEnv`.
    mkWarnScript = scriptEnv:
      pinned.runCommand "warn_xmpp_email" { inherit scriptEnv pythonEnv; } ''
        substituteAll ${./warn_xmpp_email.py} $out
        chmod a+x $out
      '';
    warnScript = mkWarnScript config.secrets.fullPaths."postfix/scripts/ejabberd-env";
    pipe = mypackages-lib.postfixScript pkgs "ejabberd" warnScript;
  in
  ''
    ejabberd: "|${pipe}"
  '';
140 };
141 }