diff options
Diffstat (limited to 'tv/3modules/ejabberd')
-rw-r--r-- | tv/3modules/ejabberd/config.nix | 129 | ||||
-rw-r--r-- | tv/3modules/ejabberd/default.nix | 107 |
2 files changed, 0 insertions, 236 deletions
diff --git a/tv/3modules/ejabberd/config.nix b/tv/3modules/ejabberd/config.nix deleted file mode 100644 index a022bc44..00000000 --- a/tv/3modules/ejabberd/config.nix +++ /dev/null @@ -1,129 +0,0 @@ -with import <stockholm/lib>; -{ config, ... }: let - - # See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example - - ciphers = concatStringsSep ":" [ - "ECDHE-ECDSA-AES256-GCM-SHA384" - "ECDHE-RSA-AES256-GCM-SHA384" - "ECDHE-ECDSA-CHACHA20-POLY1305" - "ECDHE-RSA-CHACHA20-POLY1305" - "ECDHE-ECDSA-AES128-GCM-SHA256" - "ECDHE-RSA-AES128-GCM-SHA256" - "ECDHE-ECDSA-AES256-SHA384" - "ECDHE-RSA-AES256-SHA384" - "ECDHE-ECDSA-AES128-SHA256" - "ECDHE-RSA-AES128-SHA256" - ]; - - protocol_options = [ - "no_sslv2" - "no_sslv3" - "no_tlsv1" - "no_tlsv1_10" - ]; - -in /* yaml */ '' - - access_rules: - announce: - - allow: admin - local: - - allow: local - configure: - - allow: admin - register: - - allow - s2s: - - allow - trusted_network: - - allow: loopback - - acl: - local: - user_regexp: "" - loopback: - ip: - - "127.0.0.0/8" - - "::1/128" - - "::FFFF:127.0.0.1/128" - - certfiles: - - /tmp/credentials/certfile - - hosts: ${toJSON config.hosts} - - language: "en" - - listen: - - - port: 5222 - ip: "::" - module: ejabberd_c2s - shaper: c2s_shaper - ciphers: ${toJSON ciphers} - dhfile: /var/lib/ejabberd/dhfile - protocol_options: ${toJSON protocol_options} - starttls: true - starttls_required: true - tls: false - tls_compression: false - max_stanza_size: 65536 - - - port: 5269 - ip: "::" - module: ejabberd_s2s_in - shaper: s2s_shaper - max_stanza_size: 131072 - - loglevel: 4 - - modules: - mod_adhoc: {} - mod_admin_extra: {} - mod_announce: - access: announce - mod_caps: {} - mod_carboncopy: {} - mod_client_state: {} - mod_configure: {} - mod_disco: {} - mod_echo: {} - mod_bosh: {} - mod_last: {} - mod_offline: - access_max_user_messages: max_user_offline_messages - mod_ping: {} - mod_privacy: {} - mod_private: {} - mod_register: - access_from: deny - access: register - ip_access: trusted_network - registration_watchers: ${toJSON config.registration_watchers} - mod_roster: {} - mod_shared_roster: {} - mod_stats: {} - mod_time: {} - mod_vcard: - search: false - mod_version: {} - mod_http_api: {} - - s2s_access: s2s - s2s_ciphers: ${toJSON ciphers} - s2s_dhfile: /var/lib/ejabberd/dhfile - s2s_protocol_options: ${toJSON protocol_options} - s2s_tls_compression: false - s2s_use_starttls: required - - shaper_rules: - max_user_offline_messages: - - 5000: admin - - 100 - max_user_sessions: 10 - c2s_shaper: - - none: admin - - normal - s2s_shaper: fast -'' diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix deleted file mode 100644 index 935df9a9..00000000 --- a/tv/3modules/ejabberd/default.nix +++ /dev/null @@ -1,107 +0,0 @@ -{ config, lib, pkgs, ... }@args: with import <stockholm/lib>; let - - cfg = config.tv.ejabberd; - - gen-dhparam = pkgs.writeDash "gen-dhparam" '' - set -efu - path=$1 - bits=2048 - # TODO regenerate dhfile after some time? - if ! test -e "$path"; then - ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path" - fi - ''; - -in { - options.tv.ejabberd = { - enable = mkEnableOption "tv.ejabberd"; - certfile = mkOption { - type = types.absolute-pathname; - default = toString <secrets> + "/ejabberd.pem"; - }; - hosts = mkOption { - type = with types; listOf str; - }; - pkgs.ejabberd = mkOption { - type = types.package; - default = pkgs.symlinkJoin { - name = "ejabberd-wrapper"; - paths = [ - (pkgs.writeDashBin "ejabberdctl" '' - exec ${pkgs.ejabberd}/bin/ejabberdctl \ - --config ${toFile "ejabberd.yaml" (import ./config.nix { - inherit pkgs; - config = cfg; - })} \ - --logs ${shell.escape cfg.user.home} \ - --spool ${shell.escape cfg.user.home} \ - "$@" - '') - pkgs.ejabberd - ]; - }; - }; - registration_watchers = mkOption { - type = types.listOf types.str; - default = [ - config.krebs.users.tv.mail - ]; - }; - user = mkOption { - type = types.user; - default = { - name = "ejabberd"; - home = "/var/lib/ejabberd"; - }; - }; - }; - config = lib.mkIf cfg.enable { - environment.systemPackages = [ - (pkgs.symlinkJoin { - name = "ejabberd-sudo-wrapper"; - paths = [ - (pkgs.writeDashBin "ejabberdctl" '' - set -efu - cd ${shell.escape cfg.user.home} - exec /run/wrappers/bin/sudo \ - -u ${shell.escape cfg.user.name} \ - ${cfg.pkgs.ejabberd}/bin/ejabberdctl "$@" - '') - cfg.pkgs.ejabberd - ]; - }) - ]; - - krebs.systemd.services.ejabberd = {}; - - systemd.services.ejabberd = { - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - serviceConfig = { - ExecStart = pkgs.writeDash "ejabberd" '' - ${pkgs.coreutils}/bin/ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials - ${gen-dhparam} /var/lib/ejabberd/dhfile - exec ${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground - ''; - LoadCredential = [ - "certfile:${cfg.certfile}" - ]; - PermissionsStartOnly = true; - PrivateTmp = true; - SyslogIdentifier = "ejabberd"; - StateDirectory = "ejabberd"; - User = cfg.user.name; - TimeoutStartSec = 60; - }; - }; - - users.users.${cfg.user.name} = { - inherit (cfg.user) home name uid; - createHome = true; - group = cfg.user.name; - isSystemUser = true; - }; - - users.groups.${cfg.user.name} = {}; - }; -} |