summaryrefslogtreecommitdiffstats
path: root/tv/3modules/ejabberd
diff options
context:
space:
mode:
Diffstat (limited to 'tv/3modules/ejabberd')
-rw-r--r--tv/3modules/ejabberd/config.nix129
-rw-r--r--tv/3modules/ejabberd/default.nix107
2 files changed, 0 insertions, 236 deletions
diff --git a/tv/3modules/ejabberd/config.nix b/tv/3modules/ejabberd/config.nix
deleted file mode 100644
index a022bc44..00000000
--- a/tv/3modules/ejabberd/config.nix
+++ /dev/null
@@ -1,129 +0,0 @@
-with import <stockholm/lib>;
-{ config, ... }: let
-
- # See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example
-
- ciphers = concatStringsSep ":" [
- "ECDHE-ECDSA-AES256-GCM-SHA384"
- "ECDHE-RSA-AES256-GCM-SHA384"
- "ECDHE-ECDSA-CHACHA20-POLY1305"
- "ECDHE-RSA-CHACHA20-POLY1305"
- "ECDHE-ECDSA-AES128-GCM-SHA256"
- "ECDHE-RSA-AES128-GCM-SHA256"
- "ECDHE-ECDSA-AES256-SHA384"
- "ECDHE-RSA-AES256-SHA384"
- "ECDHE-ECDSA-AES128-SHA256"
- "ECDHE-RSA-AES128-SHA256"
- ];
-
- protocol_options = [
- "no_sslv2"
- "no_sslv3"
- "no_tlsv1"
- "no_tlsv1_10"
- ];
-
-in /* yaml */ ''
-
- access_rules:
- announce:
- - allow: admin
- local:
- - allow: local
- configure:
- - allow: admin
- register:
- - allow
- s2s:
- - allow
- trusted_network:
- - allow: loopback
-
- acl:
- local:
- user_regexp: ""
- loopback:
- ip:
- - "127.0.0.0/8"
- - "::1/128"
- - "::FFFF:127.0.0.1/128"
-
- certfiles:
- - /tmp/credentials/certfile
-
- hosts: ${toJSON config.hosts}
-
- language: "en"
-
- listen:
- -
- port: 5222
- ip: "::"
- module: ejabberd_c2s
- shaper: c2s_shaper
- ciphers: ${toJSON ciphers}
- dhfile: /var/lib/ejabberd/dhfile
- protocol_options: ${toJSON protocol_options}
- starttls: true
- starttls_required: true
- tls: false
- tls_compression: false
- max_stanza_size: 65536
- -
- port: 5269
- ip: "::"
- module: ejabberd_s2s_in
- shaper: s2s_shaper
- max_stanza_size: 131072
-
- loglevel: 4
-
- modules:
- mod_adhoc: {}
- mod_admin_extra: {}
- mod_announce:
- access: announce
- mod_caps: {}
- mod_carboncopy: {}
- mod_client_state: {}
- mod_configure: {}
- mod_disco: {}
- mod_echo: {}
- mod_bosh: {}
- mod_last: {}
- mod_offline:
- access_max_user_messages: max_user_offline_messages
- mod_ping: {}
- mod_privacy: {}
- mod_private: {}
- mod_register:
- access_from: deny
- access: register
- ip_access: trusted_network
- registration_watchers: ${toJSON config.registration_watchers}
- mod_roster: {}
- mod_shared_roster: {}
- mod_stats: {}
- mod_time: {}
- mod_vcard:
- search: false
- mod_version: {}
- mod_http_api: {}
-
- s2s_access: s2s
- s2s_ciphers: ${toJSON ciphers}
- s2s_dhfile: /var/lib/ejabberd/dhfile
- s2s_protocol_options: ${toJSON protocol_options}
- s2s_tls_compression: false
- s2s_use_starttls: required
-
- shaper_rules:
- max_user_offline_messages:
- - 5000: admin
- - 100
- max_user_sessions: 10
- c2s_shaper:
- - none: admin
- - normal
- s2s_shaper: fast
-''
diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix
deleted file mode 100644
index 935df9a9..00000000
--- a/tv/3modules/ejabberd/default.nix
+++ /dev/null
@@ -1,107 +0,0 @@
-{ config, lib, pkgs, ... }@args: with import <stockholm/lib>; let
-
- cfg = config.tv.ejabberd;
-
- gen-dhparam = pkgs.writeDash "gen-dhparam" ''
- set -efu
- path=$1
- bits=2048
- # TODO regenerate dhfile after some time?
- if ! test -e "$path"; then
- ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path"
- fi
- '';
-
-in {
- options.tv.ejabberd = {
- enable = mkEnableOption "tv.ejabberd";
- certfile = mkOption {
- type = types.absolute-pathname;
- default = toString <secrets> + "/ejabberd.pem";
- };
- hosts = mkOption {
- type = with types; listOf str;
- };
- pkgs.ejabberd = mkOption {
- type = types.package;
- default = pkgs.symlinkJoin {
- name = "ejabberd-wrapper";
- paths = [
- (pkgs.writeDashBin "ejabberdctl" ''
- exec ${pkgs.ejabberd}/bin/ejabberdctl \
- --config ${toFile "ejabberd.yaml" (import ./config.nix {
- inherit pkgs;
- config = cfg;
- })} \
- --logs ${shell.escape cfg.user.home} \
- --spool ${shell.escape cfg.user.home} \
- "$@"
- '')
- pkgs.ejabberd
- ];
- };
- };
- registration_watchers = mkOption {
- type = types.listOf types.str;
- default = [
- config.krebs.users.tv.mail
- ];
- };
- user = mkOption {
- type = types.user;
- default = {
- name = "ejabberd";
- home = "/var/lib/ejabberd";
- };
- };
- };
- config = lib.mkIf cfg.enable {
- environment.systemPackages = [
- (pkgs.symlinkJoin {
- name = "ejabberd-sudo-wrapper";
- paths = [
- (pkgs.writeDashBin "ejabberdctl" ''
- set -efu
- cd ${shell.escape cfg.user.home}
- exec /run/wrappers/bin/sudo \
- -u ${shell.escape cfg.user.name} \
- ${cfg.pkgs.ejabberd}/bin/ejabberdctl "$@"
- '')
- cfg.pkgs.ejabberd
- ];
- })
- ];
-
- krebs.systemd.services.ejabberd = {};
-
- systemd.services.ejabberd = {
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
- serviceConfig = {
- ExecStart = pkgs.writeDash "ejabberd" ''
- ${pkgs.coreutils}/bin/ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials
- ${gen-dhparam} /var/lib/ejabberd/dhfile
- exec ${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground
- '';
- LoadCredential = [
- "certfile:${cfg.certfile}"
- ];
- PermissionsStartOnly = true;
- PrivateTmp = true;
- SyslogIdentifier = "ejabberd";
- StateDirectory = "ejabberd";
- User = cfg.user.name;
- TimeoutStartSec = 60;
- };
- };
-
- users.users.${cfg.user.name} = {
- inherit (cfg.user) home name uid;
- createHome = true;
- group = cfg.user.name;
- isSystemUser = true;
- };
-
- users.groups.${cfg.user.name} = {};
- };
-}
generated by cgit v1.2.3 (git 2.25.1) at 2024-05-20 14:36:48 +0000