authormakefu <github@syntax-fehler.de>2021-01-27 22:57:15 +0100
committermakefu <github@syntax-fehler.de>2021-01-27 22:57:15 +0100
commit144edeee1030d647bcc64083efc5834d1628341d (patch)
tree92f32df8dbc09b1bc36061267967b605628409b7 /lass/3modules/ejabberd
parent9c6c20f69e7b76e4231ffeae715d2ee5d453bb4d (diff)
parenta2ca5f2e214be259fdb0f9ea92b79d74e6216a51 (diff)
Merge remote-tracking branch 'lass/master'
Diffstat (limited to 'lass/3modules/ejabberd')
-rw-r--r--lass/3modules/ejabberd/config.nix128
-rw-r--r--lass/3modules/ejabberd/default.nix103
2 files changed, 0 insertions, 231 deletions
diff --git a/lass/3modules/ejabberd/config.nix b/lass/3modules/ejabberd/config.nix
deleted file mode 100644
index 4630f25c1..000000000
--- a/lass/3modules/ejabberd/config.nix
+++ /dev/null
@@ -1,128 +0,0 @@
-with import <stockholm/lib>;
-{ config, ... }: let
-
- # See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example
-
- ciphers = concatStringsSep ":" [
- "ECDHE-ECDSA-AES256-GCM-SHA384"
- "ECDHE-RSA-AES256-GCM-SHA384"
- "ECDHE-ECDSA-CHACHA20-POLY1305"
- "ECDHE-RSA-CHACHA20-POLY1305"
- "ECDHE-ECDSA-AES128-GCM-SHA256"
- "ECDHE-RSA-AES128-GCM-SHA256"
- "ECDHE-ECDSA-AES256-SHA384"
- "ECDHE-RSA-AES256-SHA384"
- "ECDHE-ECDSA-AES128-SHA256"
- "ECDHE-RSA-AES128-SHA256"
- ];
-
- protocol_options = [
- "no_sslv2"
- "no_sslv3"
- "no_tlsv1"
- "no_tlsv1_10"
- ];
-
-in /* yaml */ ''
-
- access_rules:
- announce:
- - allow: admin
- local:
- - allow: local
- configure:
- - allow: admin
- register:
- - allow
- s2s:
- - allow
- trusted_network:
- - allow: loopback
-
- acl:
- local:
- user_regexp: ""
- loopback:
- ip:
- - "127.0.0.0/8"
- - "::1/128"
- - "::FFFF:127.0.0.1/128"
-
- hosts: ${toJSON config.hosts}
-
- language: "en"
-
- listen:
- -
- port: 5222
- ip: "::"
- module: ejabberd_c2s
- shaper: c2s_shaper
- certfile: ${toJSON config.certfile.path}
- ciphers: ${toJSON ciphers}
- dhfile: ${toJSON config.dhfile.path}
- protocol_options: ${toJSON protocol_options}
- starttls: true
- starttls_required: true
- tls: false
- tls_compression: false
- max_stanza_size: 65536
- -
- port: 5269
- ip: "::"
- module: ejabberd_s2s_in
- shaper: s2s_shaper
- max_stanza_size: 131072
-
- loglevel: 4
-
- modules:
- mod_adhoc: {}
- mod_admin_extra: {}
- mod_announce:
- access: announce
- mod_caps: {}
- mod_carboncopy: {}
- mod_client_state: {}
- mod_configure: {}
- mod_disco: {}
- mod_echo: {}
- mod_bosh: {}
- mod_last: {}
- mod_offline:
- access_max_user_messages: max_user_offline_messages
- mod_ping: {}
- mod_privacy: {}
- mod_private: {}
- mod_register:
- access_from: allow
- access: register
- # ip_access: trusted_network
- registration_watchers: ${toJSON config.registration_watchers}
- mod_roster: {}
- mod_shared_roster: {}
- mod_stats: {}
- mod_time: {}
- mod_vcard:
- search: false
- mod_version: {}
- mod_http_api: {}
-
- s2s_access: s2s
- s2s_certfile: ${toJSON config.s2s_certfile.path}
- s2s_ciphers: ${toJSON ciphers}
- s2s_dhfile: ${toJSON config.dhfile.path}
- s2s_protocol_options: ${toJSON protocol_options}
- s2s_tls_compression: false
- s2s_use_starttls: required
-
- shaper_rules:
- max_user_offline_messages:
- - 5000: admin
- - 100
- max_user_sessions: 10
- c2s_shaper:
- - none: admin
- - normal
- s2s_shaper: fast
-''
diff --git a/lass/3modules/ejabberd/default.nix b/lass/3modules/ejabberd/default.nix
deleted file mode 100644
index 20a38d572..000000000
--- a/lass/3modules/ejabberd/default.nix
+++ /dev/null
@@ -1,103 +0,0 @@
-{ config, lib, pkgs, ... }@args: with import <stockholm/lib>; let
- cfg = config.lass.ejabberd;
-
- gen-dhparam = pkgs.writeDash "gen-dhparam" ''
- set -efu
- path=$1
- bits=2048
- # TODO regenerate dhfile after some time?
- if ! test -e "$path"; then
- ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path"
- fi
- '';
-
-in {
- options.lass.ejabberd = {
- enable = mkEnableOption "lass.ejabberd";
- certfile = mkOption {
- type = types.secret-file;
- default = {
- name = "ejabberd-certfile";
- path = "${cfg.user.home}/ejabberd.pem";
- owner = cfg.user;
- source-path = "/var/lib/acme/lassul.us/full.pem";
- };
- };
- dhfile = mkOption {
- type = types.secret-file;
- default = {
- name = "ejabberd-dhfile";
- path = "${cfg.user.home}/dhparams.pem";
- owner = cfg.user;
- source-path = "/dev/null";
- };
- };
- hosts = mkOption {
- type = with types; listOf str;
- };
- pkgs.ejabberdctl = mkOption {
- type = types.package;
- default = pkgs.writeDashBin "ejabberdctl" ''
- exec ${pkgs.ejabberd}/bin/ejabberdctl \
- --config ${toFile "ejabberd.yaml" (import ./config.nix {
- inherit pkgs;
- config = cfg;
- })} \
- --logs ${shell.escape cfg.user.home} \
- --spool ${shell.escape cfg.user.home} \
- "$@"
- '';
- };
- registration_watchers = mkOption {
- type = types.listOf types.str;
- default = [
- config.krebs.users.tv.mail
- ];
- };
- s2s_certfile = mkOption {
- type = types.secret-file;
- default = cfg.certfile;
- };
- user = mkOption {
- type = types.user;
- default = {
- name = "ejabberd";
- home = "/var/ejabberd";
- };
- };
- };
- config = lib.mkIf cfg.enable {
- environment.systemPackages = [ cfg.pkgs.ejabberdctl ];
-
- krebs.secret.files = {
- ejabberd-certfile = cfg.certfile;
- ejabberd-s2s_certfile = cfg.s2s_certfile;
- };
-
- systemd.services.ejabberd = {
- wantedBy = [ "multi-user.target" ];
- after = [
- config.krebs.secret.files.ejabberd-certfile.service
- config.krebs.secret.files.ejabberd-s2s_certfile.service
- "network.target"
- ];
- partOf = [
- config.krebs.secret.files.ejabberd-certfile.service
- config.krebs.secret.files.ejabberd-s2s_certfile.service
- ];
- serviceConfig = {
- ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
- ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground";
- PermissionsStartOnly = true;
- SyslogIdentifier = "ejabberd";
- User = cfg.user.name;
- TimeoutStartSec = 60;
- };
- };
-
- users.users.${cfg.user.name} = {
- inherit (cfg.user) home name uid;
- createHome = true;
- };
- };
-}