modules/private/ejabberd/default.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92

{ lib, pkgs, config, ... }:
let
  cfg = config.myServices.ejabberd;
in
{
  options.myServices = {
    ejabberd.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = ''
        Whether to enable ejabberd service.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    security.acme.certs = {
      "ejabberd" = config.myServices.certificates.certConfig // {
        user = "ejabberd";
        group = "ejabberd";
        domain = "eldiron.immae.eu";
        keyType = "rsa4096";
        postRun = ''
          systemctl restart ejabberd.service
          '';
        extraDomains = {
          "immae.fr" = null;
          "conference.immae.fr" = null;
          "proxy.immae.fr" = null;
          "pubsub.immae.fr" = null;
          "upload.immae.fr" = null;
        };
      };
    };
    networking.firewall.allowedTCPPorts = [ 5222 5269 ];
    myServices.websites.tools.im.enable = true;
    systemd.services.ejabberd.postStop = ''
      rm /var/log/ejabberd/erl_crash*.dump
      '';
    secrets.keys = {
      "ejabberd/psql.yml" = {
        permissions = "0400";
        user = "ejabberd";
        group = "ejabberd";
        text = ''
          sql_type: pgsql
          sql_server: "localhost"
          sql_database: "${config.myEnv.jabber.postgresql.database}"
          sql_username: "${config.myEnv.jabber.postgresql.user}"
          sql_password: "${config.myEnv.jabber.postgresql.password}"
          '';
      };
      "ejabberd/host.yml" = {
        permissions = "0400";
        user = "ejabberd";
        group = "ejabberd";
        text = ''
          host_config:
            "immae.fr":
              domain_certfile: "${config.security.acme.certs.ejabberd.directory}/full.pem"
              auth_method: [ldap]
              ldap_servers: ["${config.myEnv.jabber.ldap.host}"]
              ldap_encrypt: tls
              ldap_rootdn: "${config.myEnv.jabber.ldap.dn}"
              ldap_password: "${config.myEnv.jabber.ldap.password}"
              ldap_base: "${config.myEnv.jabber.ldap.base}"
              ldap_uids:
                uid: "%u"
                immaeXmppUid: "%u"
              ldap_filter: "${config.myEnv.jabber.ldap.filter}"
          '';
      };
    };
    users.users.ejabberd.extraGroups = [ "keys" ];
    services.ejabberd = {
      package = pkgs.ejabberd.override { withPgsql = true; };
      imagemagick = true;
      enable = true;
      ctlConfig = ''
        ERLANG_NODE=ejabberd@localhost
      '';
      configFile = pkgs.runCommand "ejabberd.yml" {
        certificatePrivateKeyAndFullChain = "${config.security.acme.certs.ejabberd.directory}/full.pem";
        certificateCA = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
        sql_config_file = config.secrets.fullPaths."ejabberd/psql.yml";
        host_config_file = config.secrets.fullPaths."ejabberd/host.yml";
      } ''
        substituteAll ${./ejabberd.yml} $out
        '';
    };
  };
}