Add ejabberd service and website

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-12-20 01:55:08 +0100
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2019-12-20 04:12:30 +0100
commit: 3f453c7d8f79dcf2fba94287ec286d55eceb99d1 (patch)
tree: e7a2531a08d7b8f514f2a1b8ec9914ca60623beb /modules/private/ejabberd
parent: 8cf37c75c3c744717327344ff982a62d787c1dc7 (diff)
download: Nix-3f453c7d8f79dcf2fba94287ec286d55eceb99d1.tar.gz
Nix-3f453c7d8f79dcf2fba94287ec286d55eceb99d1.tar.zst
Nix-3f453c7d8f79dcf2fba94287ec286d55eceb99d1.zip
2 files changed, 326 insertions, 0 deletions
diff --git a/modules/private/ejabberd/default.nix b/modules/private/ejabberd/default.nix
new file mode 100644
index 0000000..5e717f4
--- /dev/null
+++ b/modules/private/ejabberd/default.nix
@@ -0,0 +1,93 @@
+{ lib, pkgs, config, ... }:
+let
+  cfg = config.myServices.ejabberd;
+in
+{
+  options.myServices = {
+    ejabberd.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to enable ejabberd service.
+      '';
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    security.acme.certs = {
+      "ejabberd" = config.myServices.certificates.certConfig // {
+        user = "ejabberd";
+        group = "ejabberd";
+        domain = "eldiron.immae.eu";
+        postRun = ''
+          systemctl restart ejabberd.service
+          '';
+        extraDomains = {
+          "immae.fr" = null;
+          "conference.immae.fr" = null;
+          "proxy.immae.fr" = null;
+          "pubsub.immae.fr" = null;
+          "upload.immae.fr" = null;
+        };
+      };
+    };
+    networking.firewall.allowedTCPPorts = [ 5222 5269 ];
+    myServices.websites.tools.im.enable = true;
+    systemd.services.ejabberd.postStop = ''
+      rm /var/log/ejabberd/erl_crash*.dump
+      '';
+    secrets.keys = [
+      {
+        dest = "ejabberd/psql.yml";
+        permissions = "0400";
+        user = "ejabberd";
+        group = "ejabberd";
+        text = ''
+          sql_type: pgsql
+          sql_server: "localhost"
+          sql_database: "${config.myEnv.jabber.postgresql.database}"
+          sql_username: "${config.myEnv.jabber.postgresql.user}"
+          sql_password: "${config.myEnv.jabber.postgresql.password}"
+          '';
+      }
+      {
+        dest = "ejabberd/host.yml";
+        permissions = "0400";
+        user = "ejabberd";
+        group = "ejabberd";
+        text = ''
+          host_config:
+            "immae.fr":
+              domain_certfile: "${config.security.acme.directory}/ejabberd/full.pem"
+              auth_method: [ldap]
+              ldap_servers: ["${config.myEnv.jabber.ldap.host}"]
+              ldap_encrypt: tls
+              ldap_rootdn: "${config.myEnv.jabber.ldap.dn}"
+              ldap_password: "${config.myEnv.jabber.ldap.password}"
+              ldap_base: "${config.myEnv.jabber.ldap.base}"
+              ldap_uids:
+                - "uid": "%u"
+                - "immaeXmppUid": "%u"
+              ldap_filter: "${config.myEnv.jabber.ldap.filter}"
+          '';
+      }
+    ];
+    users.users.ejabberd.extraGroups = [ "keys" ];
+    services.ejabberd = {
+      package = pkgs.ejabberd.override { withPgsql = true; };
+      imagemagick = true;
+      enable = true;
+      ctlConfig = ''
+        ERLANG_NODE=ejabberd@localhost
+      '';
+      configFile = pkgs.runCommand "ejabberd.yml" {
+        certificatePrivateKeyAndFullChain = "${config.security.acme.directory}/ejabberd/full.pem";
+        certificateCA = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
+        sql_config_file = config.secrets.fullPaths."ejabberd/psql.yml";
+        host_config_file = config.secrets.fullPaths."ejabberd/host.yml";
+      } ''
+        substituteAll ${./ejabberd.yml} $out
+        '';
+    };
+  };
+}
diff --git a/modules/private/ejabberd/ejabberd.yml b/modules/private/ejabberd/ejabberd.yml
new file mode 100644
index 0000000..0f678b6
--- /dev/null
+++ b/modules/private/ejabberd/ejabberd.yml
@@ -0,0 +1,233 @@
+###
+###              ejabberd configuration file
+###
+### The parameters used in this configuration file are explained at
+###
+###       https://docs.ejabberd.im/admin/configuration
+###
+### The configuration file is written in YAML.
+### *******************************************************
+### *******           !!! WARNING !!!               *******
+### *******     YAML IS INDENTATION SENSITIVE       *******
+### ******* MAKE SURE YOU INDENT SECTIONS CORRECTLY *******
+### *******************************************************
+### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
+### However, ejabberd treats different literals as different types:
+###
+### - unquoted or single-quoted strings. They are called "atoms".
+###   Example: dog, 'Jupiter', '3.14159', YELLOW
+###
+### - numeric literals. Example: 3, -45.0, .0
+###
+### - quoted or folded strings.
+###   Examples of quoted string: "Lizzard", "orange".
+###   Example of folded string:
+###   > Art thou not Romeo,
+###     and a Montague?
+###
+hosts:
+  - "immae.fr"
+loglevel: 4
+log_rotate_size: 10485760
+log_rotate_date: ""
+log_rotate_count: 1
+log_rate_limit: 100
+certfiles:
+  - "@certificatePrivateKeyAndFullChain@"
+listen:
+  - 
+    port: 5222
+    ip: "::"
+    module: ejabberd_c2s
+    max_stanza_size: 262144
+    shaper: c2s_shaper
+    access: c2s
+    starttls_required: true
+  - 
+    port: 5269
+    ip: "::"
+    module: ejabberd_s2s_in
+    max_stanza_size: 524288
+  - 
+    port: 5280
+    ip: "127.0.0.1"
+    module: ejabberd_http
+    request_handlers:
+      "/admin": ejabberd_web_admin
+      "/api": mod_http_api
+      "/bosh": mod_bosh
+      "/captcha": ejabberd_captcha
+      "/upload": mod_http_upload
+      "/ws": ejabberd_http_ws
+    tls: false
+s2s_use_starttls: optional
+s2s_cafile: "@certificateCA@"
+default_db: sql
+sql_type: pgsql
+include_config_file: @sql_config_file@
+include_config_file: @host_config_file@
+new_sql_schema: true
+acl:
+  admin:
+    - user: "ismael@immae.fr"
+  local:
+    user_regexp: ""
+  loopback:
+    ip:
+      - "127.0.0.0/8"
+      - "::1/128"
+      - "::FFFF:127.0.0.1/128"
+access_rules:
+  local:
+    - allow: local
+  c2s:
+    - deny: blocked
+    - allow
+  announce:
+    - allow: admin
+  configure:
+    - allow: admin
+  muc_admin:
+    - allow: admin
+  muc_create:
+    - allow: local
+  muc:
+    - allow
+  pubsub_createnode:
+    - allow: local
+  register:
+    - deny
+  trusted_network:
+    - allow: loopback
+api_permissions:
+  "console commands":
+    from:
+      - ejabberd_ctl
+    who: all
+    what: "*"
+  "admin access":
+    who:
+      - acl: admin
+      - oauth:
+        - scope: "ejabberd:admin"
+        - acl: admin
+    what:
+      - "*"
+      - "!stop"
+      - "!start"
+  "public commands":
+    who:
+      - ip:
+        - "0.0.0.0"
+        - "::"
+    what:
+      - "status"
+      - "connected_users_number"
+shaper:
+  normal: 1000
+  fast: 50000
+shaper_rules:
+  max_user_sessions: 10
+  max_user_offline_messages:
+    - 5000: admin
+    - 100
+  c2s_shaper:
+    - none: admin
+    - normal
+  s2s_shaper: fast
+modules:
+  mod_adhoc: {}
+  mod_admin_extra: {}
+  mod_announce:
+    access: announce
+  mod_avatar: {}
+  mod_blocking: {}
+  mod_bosh: {}
+  mod_caps: {}
+  mod_carboncopy: {}
+  mod_client_state: {}
+  mod_configure: {}
+  mod_disco: {}
+  mod_fail2ban: {}
+  mod_http_api: {}
+  mod_http_upload:
+    put_url: "https://im.immae.fr/upload"
+    custom_headers:
+      "Access-Control-Allow-Origin": "*"
+      "Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT, POST"
+      "Access-Control-Allow-Headers": "Content-Type"
+  mod_last: {}
+  mod_mam:
+    default: always
+  mod_muc:
+    access:
+      - allow
+    access_admin:
+      - allow: admin
+    access_create: muc_create
+    access_persistent: muc_create
+    default_room_options:
+      mam: true
+  mod_muc_admin: {}
+  mod_offline:
+    access_max_user_messages: max_user_offline_messages
+  mod_ping: {}
+  mod_privacy: {}
+  mod_private: {}
+  mod_proxy65:
+    access: local
+    max_connections: 5
+  mod_pubsub:
+    access_createnode: pubsub_createnode
+    plugins:
+      - "flat"
+      - "hometree"
+      - "pep"
+    force_node_config:
+      ## Change from "whitelist" to "open" to enable OMEMO support
+      ## See https://github.com/processone/ejabberd/issues/2425
+      "eu.siacs.conversations.axolotl.*":
+        access_model: open
+      ## Avoid buggy clients to make their bookmarks public
+      "storage:bookmarks":
+        access_model: whitelist
+  mod_push: {}
+  mod_push_keepalive: {}
+  mod_register:
+    ## Only accept registration requests from the "trusted"
+    ## network (see access_rules section above).
+    ## Think twice before enabling registration from any
+    ## address. See the Jabber SPAM Manifesto for details:
+    ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
+    ip_access: trusted_network
+    access: register
+  mod_roster:
+    versioning: true
+  mod_s2s_dialback: {}
+  mod_shared_roster: {}
+  mod_stats: {}
+  mod_stream_mgmt:
+    resend_on_timeout: if_offline
+  mod_time: {}
+  mod_vcard: {}
+  mod_vcard_xupdate: {}
+  mod_version:
+    show_os: false
+### Local Variables:
+### mode: yaml
+### End:
+### vim: set filetype=yaml tabstop=8
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-12-20 01:55:08 +0100
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2019-12-20 04:12:30 +0100
commit	3f453c7d8f79dcf2fba94287ec286d55eceb99d1 (patch)
tree	e7a2531a08d7b8f514f2a1b8ec9914ca60623beb /modules/private/ejabberd
parent	8cf37c75c3c744717327344ff982a62d787c1dc7 (diff)
download	Nix-3f453c7d8f79dcf2fba94287ec286d55eceb99d1.tar.gz Nix-3f453c7d8f79dcf2fba94287ec286d55eceb99d1.tar.zst Nix-3f453c7d8f79dcf2fba94287ec286d55eceb99d1.zip

diff --git a/modules/private/ejabberd/default.nix b/modules/private/ejabberd/default.nix new file mode 100644 index 0000000..5e717f4 --- /dev/null +++ b/modules/private/ejabberd/default.nix
@@ -0,0 +1,93 @@
	1	{ lib, pkgs, config, ... }:
	2	let
	3	cfg = config.myServices.ejabberd;
	4	in
	5	{
	6	options.myServices = {
	7	ejabberd.enable = lib.mkOption {
	8	type = lib.types.bool;
	9	default = false;
	10	description = ''
	11	Whether to enable ejabberd service.
	12	'';
	13	};
	14	};
	15
	16	config = lib.mkIf cfg.enable {
	17	security.acme.certs = {
	18	"ejabberd" = config.myServices.certificates.certConfig // {
	19	user = "ejabberd";
	20	group = "ejabberd";
	21	domain = "eldiron.immae.eu";
	22	postRun = ''
	23	systemctl restart ejabberd.service
	24	'';
	25	extraDomains = {
	26	"immae.fr" = null;
	27	"conference.immae.fr" = null;
	28	"proxy.immae.fr" = null;
	29	"pubsub.immae.fr" = null;
	30	"upload.immae.fr" = null;
	31	};
	32	};
	33	};
	34	networking.firewall.allowedTCPPorts = [ 5222 5269 ];
	35	myServices.websites.tools.im.enable = true;
	36	systemd.services.ejabberd.postStop = ''
	37	rm /var/log/ejabberd/erl_crash*.dump
	38	'';
	39	secrets.keys = [
	40	{
	41	dest = "ejabberd/psql.yml";
	42	permissions = "0400";
	43	user = "ejabberd";
	44	group = "ejabberd";
	45	text = ''
	46	sql_type: pgsql
	47	sql_server: "localhost"
	48	sql_database: "${config.myEnv.jabber.postgresql.database}"
	49	sql_username: "${config.myEnv.jabber.postgresql.user}"
	50	sql_password: "${config.myEnv.jabber.postgresql.password}"
	51	'';
	52	}
	53	{
	54	dest = "ejabberd/host.yml";
	55	permissions = "0400";
	56	user = "ejabberd";
	57	group = "ejabberd";
	58	text = ''
	59	host_config:
	60	"immae.fr":
	61	domain_certfile: "${config.security.acme.directory}/ejabberd/full.pem"
	62	auth_method: [ldap]
	63	ldap_servers: ["${config.myEnv.jabber.ldap.host}"]
	64	ldap_encrypt: tls
	65	ldap_rootdn: "${config.myEnv.jabber.ldap.dn}"
	66	ldap_password: "${config.myEnv.jabber.ldap.password}"
	67	ldap_base: "${config.myEnv.jabber.ldap.base}"
	68	ldap_uids:
	69	- "uid": "%u"
	70	- "immaeXmppUid": "%u"
	71	ldap_filter: "${config.myEnv.jabber.ldap.filter}"
	72	'';
	73	}
	74	];
	75	users.users.ejabberd.extraGroups = [ "keys" ];
	76	services.ejabberd = {
	77	package = pkgs.ejabberd.override { withPgsql = true; };
	78	imagemagick = true;
	79	enable = true;
	80	ctlConfig = ''
	81	ERLANG_NODE=ejabberd@localhost
	82	'';
	83	configFile = pkgs.runCommand "ejabberd.yml" {
	84	certificatePrivateKeyAndFullChain = "${config.security.acme.directory}/ejabberd/full.pem";
	85	certificateCA = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
	86	sql_config_file = config.secrets.fullPaths."ejabberd/psql.yml";
	87	host_config_file = config.secrets.fullPaths."ejabberd/host.yml";
	88	} ''
	89	substituteAll ${./ejabberd.yml} $out
	90	'';
	91	};
	92	};
	93	}


diff --git a/modules/private/ejabberd/ejabberd.yml b/modules/private/ejabberd/ejabberd.yml new file mode 100644 index 0000000..0f678b6 --- /dev/null +++ b/modules/private/ejabberd/ejabberd.yml
@@ -0,0 +1,233 @@
	1	###
	2	### ejabberd configuration file
	3	###
	4	### The parameters used in this configuration file are explained at
	5	###
	6	### https://docs.ejabberd.im/admin/configuration
	7	###
	8	### The configuration file is written in YAML.
	9	### *******************************************************
	10	### ***** !!! WARNING !!! *****
	11	### ***** YAML IS INDENTATION SENSITIVE *****
	12	### ***** MAKE SURE YOU INDENT SECTIONS CORRECTLY *****
	13	### *******************************************************
	14	### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
	15	### However, ejabberd treats different literals as different types:
	16	###
	17	### - unquoted or single-quoted strings. They are called "atoms".
	18	### Example: dog, 'Jupiter', '3.14159', YELLOW
	19	###
	20	### - numeric literals. Example: 3, -45.0, .0
	21	###
	22	### - quoted or folded strings.
	23	### Examples of quoted string: "Lizzard", "orange".
	24	### Example of folded string:
	25	### > Art thou not Romeo,
	26	### and a Montague?
	27	###
	28
	29	hosts:
	30	- "immae.fr"
	31
	32	loglevel: 4
	33	log_rotate_size: 10485760
	34	log_rotate_date: ""
	35	log_rotate_count: 1
	36	log_rate_limit: 100
	37
	38	certfiles:
	39	- "@certificatePrivateKeyAndFullChain@"
	40
	41	listen:
	42	-
	43	port: 5222
	44	ip: "::"
	45	module: ejabberd_c2s
	46	max_stanza_size: 262144
	47	shaper: c2s_shaper
	48	access: c2s
	49	starttls_required: true
	50	-
	51	port: 5269
	52	ip: "::"
	53	module: ejabberd_s2s_in
	54	max_stanza_size: 524288
	55	-
	56	port: 5280
	57	ip: "127.0.0.1"
	58	module: ejabberd_http
	59	request_handlers:
	60	"/admin": ejabberd_web_admin
	61	"/api": mod_http_api
	62	"/bosh": mod_bosh
	63	"/captcha": ejabberd_captcha
	64	"/upload": mod_http_upload
	65	"/ws": ejabberd_http_ws
	66	tls: false
	67
	68	s2s_use_starttls: optional
	69	s2s_cafile: "@certificateCA@"
	70
	71	default_db: sql
	72	sql_type: pgsql
	73	include_config_file: @sql_config_file@
	74	include_config_file: @host_config_file@
	75	new_sql_schema: true
	76
	77	acl:
	78	admin:
	79	- user: "ismael@immae.fr"
	80	local:
	81	user_regexp: ""
	82	loopback:
	83	ip:
	84	- "127.0.0.0/8"
	85	- "::1/128"
	86	- "::FFFF:127.0.0.1/128"
	87
	88	access_rules:
	89	local:
	90	- allow: local
	91	c2s:
	92	- deny: blocked
	93	- allow
	94	announce:
	95	- allow: admin
	96	configure:
	97	- allow: admin
	98	muc_admin:
	99	- allow: admin
	100	muc_create:
	101	- allow: local
	102	muc:
	103	- allow
	104	pubsub_createnode:
	105	- allow: local
	106	register:
	107	- deny
	108	trusted_network:
	109	- allow: loopback
	110
	111	api_permissions:
	112	"console commands":
	113	from:
	114	- ejabberd_ctl
	115	who: all
	116	what: "*"
	117	"admin access":
	118	who:
	119	- acl: admin
	120	- oauth:
	121	- scope: "ejabberd:admin"
	122	- acl: admin
	123	what:
	124	- "*"
	125	- "!stop"
	126	- "!start"
	127	"public commands":
	128	who:
	129	- ip:
	130	- "0.0.0.0"
	131	- "::"
	132	what:
	133	- "status"
	134	- "connected_users_number"
	135
	136	shaper:
	137	normal: 1000
	138	fast: 50000
	139
	140	shaper_rules:
	141	max_user_sessions: 10
	142	max_user_offline_messages:
	143	- 5000: admin
	144	- 100
	145	c2s_shaper:
	146	- none: admin
	147	- normal
	148	s2s_shaper: fast
	149
	150	modules:
	151	mod_adhoc: {}
	152	mod_admin_extra: {}
	153	mod_announce:
	154	access: announce
	155	mod_avatar: {}
	156	mod_blocking: {}
	157	mod_bosh: {}
	158	mod_caps: {}
	159	mod_carboncopy: {}
	160	mod_client_state: {}
	161	mod_configure: {}
	162	mod_disco: {}
	163	mod_fail2ban: {}
	164	mod_http_api: {}
	165	mod_http_upload:
	166	put_url: "https://im.immae.fr/upload"
	167	custom_headers:
	168	"Access-Control-Allow-Origin": "*"
	169	"Access-Control-Allow-Methods": "OPTIONS, HEAD, GET, PUT, POST"
	170	"Access-Control-Allow-Headers": "Content-Type"
	171	mod_last: {}
	172	mod_mam:
	173	default: always
	174	mod_muc:
	175	access:
	176	- allow
	177	access_admin:
	178	- allow: admin
	179	access_create: muc_create
	180	access_persistent: muc_create
	181	default_room_options:
	182	mam: true
	183	mod_muc_admin: {}
	184	mod_offline:
	185	access_max_user_messages: max_user_offline_messages
	186	mod_ping: {}
	187	mod_privacy: {}
	188	mod_private: {}
	189	mod_proxy65:
	190	access: local
	191	max_connections: 5
	192	mod_pubsub:
	193	access_createnode: pubsub_createnode
	194	plugins:
	195	- "flat"
	196	- "hometree"
	197	- "pep"
	198	force_node_config:
	199	## Change from "whitelist" to "open" to enable OMEMO support
	200	## See https://github.com/processone/ejabberd/issues/2425
	201	"eu.siacs.conversations.axolotl.*":
	202	access_model: open
	203	## Avoid buggy clients to make their bookmarks public
	204	"storage:bookmarks":
	205	access_model: whitelist
	206	mod_push: {}
	207	mod_push_keepalive: {}
	208	mod_register:
	209	## Only accept registration requests from the "trusted"
	210	## network (see access_rules section above).
	211	## Think twice before enabling registration from any
	212	## address. See the Jabber SPAM Manifesto for details:
	213	## https://github.com/ge0rg/jabber-spam-fighting-manifesto
	214	ip_access: trusted_network
	215	access: register
	216	mod_roster:
	217	versioning: true
	218	mod_s2s_dialback: {}
	219	mod_shared_roster: {}
	220	mod_stats: {}
	221	mod_stream_mgmt:
	222	resend_on_timeout: if_offline
	223	mod_time: {}
	224	mod_vcard: {}
	225	mod_vcard_xupdate: {}
	226	mod_version:
	227	show_os: false
	228
	229	### Local Variables:
	230	### mode: yaml
	231	### End:
	232	### vim: set filetype=yaml tabstop=8
	233