summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--krebs/2configs/gitlab-runner-shackspace.nix27
-rw-r--r--krebs/2configs/ircd.nix1
-rw-r--r--krebs/2configs/shack/muell_caller.nix2
-rw-r--r--krebs/2configs/shack/radioactive.nix2
-rw-r--r--krebs/2configs/shack/worlddomination.nix2
-rw-r--r--krebs/3modules/bepasty-server.nix2
-rw-r--r--krebs/3modules/buildbot/slave.nix2
-rw-r--r--krebs/3modules/lass/ssh/android.rsa2
-rw-r--r--krebs/3modules/tinc.nix6
-rw-r--r--krebs/5pkgs/simple/Reaktor/default.nix2
-rw-r--r--krebs/5pkgs/simple/bepasty-client-cli/default.nix2
-rw-r--r--krebs/5pkgs/simple/cac-panel/default.nix2
-rw-r--r--krebs/5pkgs/simple/treq/default.nix2
-rw-r--r--krebs/5pkgs/simple/urlwatch/default.nix2
-rw-r--r--krebs/source.nix2
-rw-r--r--lass/1systems/prism/config.nix7
-rw-r--r--lass/2configs/bepasty.nix1
-rw-r--r--lass/2configs/copyq.nix5
-rw-r--r--lass/2configs/pass.nix2
-rw-r--r--lass/2configs/websites/lassulus.nix32
-rw-r--r--lass/2configs/websites/sqlBackup.nix3
-rw-r--r--lass/2configs/weechat.nix5
-rw-r--r--lass/2configs/wine.nix2
-rw-r--r--lass/3modules/ejabberd/config.nix218
-rw-r--r--lass/3modules/ejabberd/default.nix41
-rw-r--r--lass/5pkgs/default.nix3
-rw-r--r--lass/5pkgs/ejabberd/default.nix28
-rw-r--r--lass/source.nix9
-rw-r--r--mv/source.nix4
-rw-r--r--tv/1systems/alnus/source.nix2
-rw-r--r--tv/1systems/mu/config.nix4
-rw-r--r--tv/2configs/br.nix1
-rw-r--r--tv/2configs/gitrepos.nix2
-rw-r--r--tv/5pkgs/default.nix10
-rw-r--r--tv/5pkgs/simple/mfcl2700dncupswrapper/default.nix45
-rw-r--r--tv/5pkgs/simple/mfcl2700dnlpr/default.nix44
-rw-r--r--tv/source.nix4
37 files changed, 233 insertions, 297 deletions
diff --git a/krebs/2configs/gitlab-runner-shackspace.nix b/krebs/2configs/gitlab-runner-shackspace.nix
index d9b4cd589..f4247b6da 100644
--- a/krebs/2configs/gitlab-runner-shackspace.nix
+++ b/krebs/2configs/gitlab-runner-shackspace.nix
@@ -1,4 +1,4 @@
-{ config, ... }:
+{ config, pkgs, ... }:
let
url = "https://git.shackspace.de/";
# generate token from CI-token via:
@@ -6,7 +6,7 @@ let
## cat /etc/gitlab-runner/config.toml
token = import <secrets/shackspace-gitlab-ci-token.nix> ;
in {
- systemd.services.gitlab-runner.path = [
+ systemd.services.gitlab-runner.path = [
"/run/wrappers" # /run/wrappers/bin/su
"/" # /bin/sh
];
@@ -16,19 +16,18 @@ in {
enable = true;
# configFile, configOptions and gracefulTimeout not yet in stable
# gracefulTimeout = "120min";
- configText = ''
- concurrent = 1
- check_interval = 0
-
- [[runners]]
- name = "krebs-shell"
- url = "${url}"
- token = "${token}"
- executor = "shell"
- shell = "sh"
- environment = ["PATH=/bin:/run/wrappers/bin:/etc/per-user/gitlab-runner/bin:/etc/per-user-pkgs/gitlab-runner/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"]
- [runners.cache]
+ configFile = pkgs.writeText "gitlab-runner.cfg" ''
+ concurrent = 1
+ check_interval = 0
+ [[runners]]
+ name = "krebs-shell"
+ url = "${url}"
+ token = "${token}"
+ executor = "shell"
+ shell = "sh"
+ environment = ["PATH=/bin:/run/wrappers/bin:/etc/per-user/gitlab-runner/bin:/etc/per-user-pkgs/gitlab-runner/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"]
+ [runners.cache]
'';
};
}
diff --git a/krebs/2configs/ircd.nix b/krebs/2configs/ircd.nix
index 116337733..38f58952e 100644
--- a/krebs/2configs/ircd.nix
+++ b/krebs/2configs/ircd.nix
@@ -92,6 +92,7 @@
};
general {
#maybe we want ident someday?
+ default_floodcount = 1000;
disable_auth = yes;
throttle_duration = 1;
throttle_count = 1000;
diff --git a/krebs/2configs/shack/muell_caller.nix b/krebs/2configs/shack/muell_caller.nix
index 7e8d278f6..19768cb2e 100644
--- a/krebs/2configs/shack/muell_caller.nix
+++ b/krebs/2configs/shack/muell_caller.nix
@@ -12,7 +12,7 @@ let
buildInputs = [
(pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
docopt
- requests2
+ requests
paramiko
python
]))
diff --git a/krebs/2configs/shack/radioactive.nix b/krebs/2configs/shack/radioactive.nix
index 378b54056..566146d6e 100644
--- a/krebs/2configs/shack/radioactive.nix
+++ b/krebs/2configs/shack/radioactive.nix
@@ -12,7 +12,7 @@ let
buildInputs = [
(pkgs.python3.withPackages (pythonPackages: with pythonPackages; [
docopt
- requests2
+ requests
python
]))
];
diff --git a/krebs/2configs/shack/worlddomination.nix b/krebs/2configs/shack/worlddomination.nix
index d0f9f5fa6..828b6cd70 100644
--- a/krebs/2configs/shack/worlddomination.nix
+++ b/krebs/2configs/shack/worlddomination.nix
@@ -37,7 +37,7 @@ let
docopt
LinkHeader
aiocoap
- requests2
+ requests
paramiko
python
]))
diff --git a/krebs/3modules/bepasty-server.nix b/krebs/3modules/bepasty-server.nix
index 0ca13366b..dd29a4e17 100644
--- a/krebs/3modules/bepasty-server.nix
+++ b/krebs/3modules/bepasty-server.nix
@@ -3,7 +3,7 @@
with import <stockholm/lib>;
let
gunicorn = pkgs.pythonPackages.gunicorn;
- bepasty = pkgs.pythonPackages.bepasty-server;
+ bepasty = pkgs.bepasty;
gevent = pkgs.pythonPackages.gevent;
python = pkgs.pythonPackages.python;
cfg = config.krebs.bepasty;
diff --git a/krebs/3modules/buildbot/slave.nix b/krebs/3modules/buildbot/slave.nix
index 544f9c4e0..0af553c5d 100644
--- a/krebs/3modules/buildbot/slave.nix
+++ b/krebs/3modules/buildbot/slave.nix
@@ -160,6 +160,8 @@ let
# TODO: maybe also prepare buildbot.tac?
ExecStartPre = pkgs.writeDash "buildbot-master-init" ''
set -efux
+ #remove garbage from old versions
+ rm -r ${workdir}
mkdir -p ${workdir}/info
cp ${buildbot-slave-init} ${workdir}/buildbot.tac
echo ${contact} > ${workdir}/info/admin
diff --git a/krebs/3modules/lass/ssh/android.rsa b/krebs/3modules/lass/ssh/android.rsa
index b39f7ce1e..f5190f45c 100644
--- a/krebs/3modules/lass/ssh/android.rsa
+++ b/krebs/3modules/lass/ssh/android.rsa
@@ -1 +1 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDjesiOnhpT9XgWZqw/64M5lVQg3q0k22BtMyCv+33sGX8VmfTyD11GuwSjNGf5WiswKLqFvYBQsHfDDtS3k0ZNTDncGw3Pbilm6QoCuHEyDPaQYin0P+JmkocrL/6QF5uhZVFnsXCH5wntwOa00VFGwpMgQYSfRlReRx42Pu9Jk+iJduZMRBbOMvJI68Z7iJ4DgW/1U9J4MQdCsk7QlFgUstQQfV1zk4VfVfXuxDP3hjx6Q05nDChjpmzJbFunzb7aiy/1/Sl0QhROTpvxrQLksg7yYLw4BRs9ptjehX45A2Sxi8WKOb/g5u3xJNy0X07rE+N+o5v2hS7wF0DLQdK5+4TGtO+Y+ABUCqqA+T1ynAjNBWvsgY5uD4PZjuPgCMSw0JBmIy/P0THi3v5/8Cohvfnspl7Jpf80qENMu3unvvE9EePzgSRZY1PvDjPQfkWy0yBX1yQMhHuVGke9QgaletitwuahRujml37waeUuOl8Rpz+2iV+6OIS4tfO368uLFHKWbobXTbTDXODBgxZ/IyvO7vxM2uDX/kIWaeYKrip3nSyWBYnixwrcS4vm6ZQcoejwp2KCfGQwIE4MnGYRlwcOEYjvyjLkZHDiZEivUQ0rThMYBzec8bQ08QW8oxF+NXkFKG3awt3f7TKTRkYqQcOMpFKmV24KDiwgwm0miQ== JuiceSSH
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAEZgGgImN/9D4yJBjYlkAvT3X45kzt4n8hmgsqPcdcHWNC7fofWG4fZe8NNrTLdKsK+xYxTstj49l8Vb3YDvw4fAyyyhms/eFRlD2BRqAISwc39EIeTC4g3PXNeUtUGdczXKxsJf5iWf4kxUrUOuZ3FeKxeYXDMSqzzk1oKalhWNl4PmgRc5FzjeRJ2WziilwFq7ntLswoeTBW3c53fbcp3XuPza3M1/sN3NHJx9ZMpWVfJhZ/CXr+nqpc25ZIr5HZVZbgDTyJQimlTF5JCfU0NiiBIh7ep7x4o93tARmilit7+mWUkkxk6ba+zG6nr+s+zyd85AFAYRioOEczbC6mI44UZUB11KkEzOon5JWSA8pK+DPqsqhFkwWYMHLXZp8zemdp9kushRZ6nuI9MzBwacngro1vAvDL6jrS5MR7zf7rMAo6wexovWoEowvZz629mjC3OAt9iOm4VJdvEmq+rHLfjjznVEY6llF7DUu2QNEazaXhxZH9V9N1gyubIE97SQVqmwDrf8BGC0Hq+hC4OOweqfo4XP0etbqAfDozZbqcqyE1m9Bj8DpjrSXka1PuJf5fgEtoxPadd2qdiHMfIx9sM+4uu2nI5aFvWO3OlJmhF80QzNdFzZWjsyvJ24C1/a2FAyzoab1Sg9ljstQThseTtvlXcX8jfFn0U3RbgXgCgOWad3Oy9vA0OCdsHut0nzv3UO+T5+wv2+lvE3QSSKOlmVtdKMhCFb+Rg+FliKxyd820h9yR3wDYmkurVkAxaj8Kx5MaY/7aypOi8fRAV2FSDtCKkuMyPv4xEtdPi/4lj55pRBEO8lJkeb+WurCzZ7ZeaPdrW1YIQtToPpiz3dXeRhkts6jq8247xIplzHh9Iu18gOrnZ+ygn70g19x842vvcfLQNAghDPS93msJdSe+EtulMCwNTjUaF9LyzhW9ptLG9NmwgbT5kGsFiRw3BFdyfcQVWVzDhuP3hPPx+hjiZtFfpIKpxV9MjO1xQ830Ngk3JpSphMZTQ432yfvu9yEsUWmAa8ax1jxJ361AiIp0U2xioJmdVd3E2sxkpOUYqE89IR9X6hS3fH38Gc5IL5+BnhuZvRgXuA+nrqdU4pMB3TIoC5oXlOMRXpxaS91YiO4ERx2t6WkBRCoaDuRWnLpewV6lhjwi1+4Emlrs2q1R0K64emZTv7O1MKwWRHOlBJD3HLyCCS763OzYW4mEQcfBAQtbm6sTooJ+D/zbmYgbnZt0z/nP9R/n25pzlSPpZ49fCiRV7QN6D9mksISTz8qIiCzNBn1F7DUewXqkrdPopl4npeNVcOyyo7P1lFFGde+jq/7REdzD+vno1h9+17WZbyzQtlOyipQYzb6l4QuXq/zejJrELJAQdN4yRQq5NJzIh0HXaPnPC083T791moBflyqiwPEIWsSMfILqSqL1jVVNgvV4fHnMixgH2zK9f0EyE3fG9PnuRribPR2DlESqpHZTcBixgh660EPKh0gCLYoWKgU= lass-android@XperiaXCompact
diff --git a/krebs/3modules/tinc.nix b/krebs/3modules/tinc.nix
index 8af15c13b..b032f3148 100644
--- a/krebs/3modules/tinc.nix
+++ b/krebs/3modules/tinc.nix
@@ -1,5 +1,5 @@
-{ config, pkgs, lib, ... }:
with import <stockholm/lib>;
+{ config, pkgs, ... }:
let
out = {
options.krebs.tinc = api;
@@ -11,7 +11,7 @@ let
description = ''
define a tinc network
'';
- type = with types; attrsOf (submodule (tinc: {
+ type = types.attrsOf (types.submodule (tinc: {
options = let
netname = tinc.config._module.args.name;
in {
@@ -116,7 +116,7 @@ let
phases = [ "installPhase" ];
installPhase = ''
mkdir $out
- ${concatStrings (lib.mapAttrsToList (_: host: ''
+ ${concatStrings (mapAttrsToList (_: host: ''
echo ${shell.escape host.nets."${tinc.config.netname}".tinc.config} \
> $out/${shell.escape host.name}
'') tinc.config.hosts)}
diff --git a/krebs/5pkgs/simple/Reaktor/default.nix b/krebs/5pkgs/simple/Reaktor/default.nix
index fc3710820..6989bb02b 100644
--- a/krebs/5pkgs/simple/Reaktor/default.nix
+++ b/krebs/5pkgs/simple/Reaktor/default.nix
@@ -8,7 +8,7 @@ python3Packages.buildPythonPackage rec {
propagatedBuildInputs = with pkgs;[
python3Packages.docopt
- python3Packages.requests2
+ python3Packages.requests
];
src = fetchurl {
url = "https://pypi.python.org/packages/source/R/Reaktor/Reaktor-${version}.tar.gz";
diff --git a/krebs/5pkgs/simple/bepasty-client-cli/default.nix b/krebs/5pkgs/simple/bepasty-client-cli/default.nix
index c58e637b3..7811ef5fc 100644
--- a/krebs/5pkgs/simple/bepasty-client-cli/default.nix
+++ b/krebs/5pkgs/simple/bepasty-client-cli/default.nix
@@ -5,7 +5,7 @@ with pythonPackages; buildPythonPackage rec {
propagatedBuildInputs = [
python_magic
click
- requests2
+ requests
];
src = fetchFromGitHub {
diff --git a/krebs/5pkgs/simple/cac-panel/default.nix b/krebs/5pkgs/simple/cac-panel/default.nix
index fd4799535..57f58f4de 100644
--- a/krebs/5pkgs/simple/cac-panel/default.nix
+++ b/krebs/5pkgs/simple/cac-panel/default.nix
@@ -11,7 +11,7 @@ python3Packages.buildPythonPackage rec {
propagatedBuildInputs = with python3Packages; [
docopt
- requests2
+ requests
beautifulsoup4
];
}
diff --git a/krebs/5pkgs/simple/treq/default.nix b/krebs/5pkgs/simple/treq/default.nix
index 20387b9cb..7cb826a51 100644
--- a/krebs/5pkgs/simple/treq/default.nix
+++ b/krebs/5pkgs/simple/treq/default.nix
@@ -11,7 +11,7 @@ pythonPackages.buildPythonPackage rec {
propagatedBuildInputs = with pythonPackages; [
twisted
pyopenssl
- requests2
+ requests
service-identity
];
}
diff --git a/krebs/5pkgs/simple/urlwatch/default.nix b/krebs/5pkgs/simple/urlwatch/default.nix
index 509555669..adaefbc4d 100644
--- a/krebs/5pkgs/simple/urlwatch/default.nix
+++ b/krebs/5pkgs/simple/urlwatch/default.nix
@@ -13,7 +13,7 @@ python3Packages.buildPythonPackage rec {
minidb
pycodestyle
pyyaml
- requests2
+ requests
];
meta = {
diff --git a/krebs/source.nix b/krebs/source.nix
index 1aba3d7ff..09edc817b 100644
--- a/krebs/source.nix
+++ b/krebs/source.nix
@@ -14,6 +14,6 @@ in
stockholm.file = toString <stockholm>;
nixpkgs.git = {
url = https://github.com/NixOS/nixpkgs;
- ref = "8ed299faacbf8813fc47b4fca34f32b835d6481e"; # nixos-17.03 @ 2017-09-09
+ ref = "07ca7b64d2ff2fa7a79e4eab1aba70ff746fed8c"; # nixos-17.09 @ 2017-10-02
};
}
diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix
index 5b3091a39..8e44b113b 100644
--- a/lass/1systems/prism/config.nix
+++ b/lass/1systems/prism/config.nix
@@ -115,7 +115,12 @@ in {
};
services.nginx.virtualHosts."hackerfleet.de-s" = {
serverName = "hackerfleet.de";
- port = 443;
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 443;
+ }
+ ];
serverAliases = [
"*.hackerfleet.de"
];
diff --git a/lass/2configs/bepasty.nix b/lass/2configs/bepasty.nix
index b2d40d4f3..43647892f 100644
--- a/lass/2configs/bepasty.nix
+++ b/lass/2configs/bepasty.nix
@@ -31,7 +31,6 @@ in {
} //
genAttrs ext-doms (ext-dom: {
nginx = {
- enableSSL = true;
forceSSL = true;
enableACME = true;
};
diff --git a/lass/2configs/copyq.nix b/lass/2configs/copyq.nix
index b255254f2..fa01a99c9 100644
--- a/lass/2configs/copyq.nix
+++ b/lass/2configs/copyq.nix
@@ -25,12 +25,15 @@ in {
environment = {
DISPLAY = ":0";
};
+ path = with pkgs; [
+ qt5.full
+ ];
serviceConfig = {
SyslogIdentifier = "copyq";
ExecStart = "${pkgs.copyq}/bin/copyq";
ExecStartPost = copyqConfig;
Restart = "always";
- RestartSec = "2s";
+ RestartSec = "15s";
StartLimitBurst = 0;
User = "lass";
};
diff --git a/lass/2configs/pass.nix b/lass/2configs/pass.nix
index 5bd2f2f7f..43eb0db9b 100644
--- a/lass/2configs/pass.nix
+++ b/lass/2configs/pass.nix
@@ -3,7 +3,7 @@
{
krebs.per-user.lass.packages = with pkgs; [
pass
- gnupg1
+ gnupg
];
}
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 17c39a5f4..77790e8b8 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -73,17 +73,6 @@ in {
allowKeysForGroup = true;
group = "lasscert";
};
- certs."cgit.lassul.us" = {
- email = "lassulus@gmail.com";
- webroot = "/var/lib/acme/acme-challenges";
- plugins = [
- "account_key.json"
- "key.pem"
- "fullchain.pem"
- ];
- group = "nginx";
- allowKeysForGroup = true;
- };
};
krebs.tinc_graphs.enable = true;
@@ -119,6 +108,7 @@ in {
];
services.nginx.virtualHosts."lassul.us" = {
+ addSSL = true;
enableACME = true;
serverAliases = [ "lassul.us" ];
locations."/".extraConfig = ''
@@ -158,30 +148,14 @@ in {
in ''
alias ${initscript};
'';
-
- enableSSL = true;
- extraConfig = ''
- listen 80;
- listen [::]:80;
- '';
- sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/lassul.us/key.pem";
};
services.nginx.virtualHosts.cgit = {
+ addSSL = true;
+ enableACME = true;
serverAliases = [
"cgit.lassul.us"
];
- locations."/.well-known/acme-challenge".extraConfig = ''
- root /var/lib/acme/acme-challenges;
- '';
- enableSSL = true;
- extraConfig = ''
- listen 80;
- listen [::]:80;
- '';
- sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
};
users.users.blog = {
diff --git a/lass/2configs/websites/sqlBackup.nix b/lass/2configs/websites/sqlBackup.nix
index 7cb4b320e..2fffa6cc9 100644
--- a/lass/2configs/websites/sqlBackup.nix
+++ b/lass/2configs/websites/sqlBackup.nix
@@ -3,12 +3,13 @@
{
krebs.secret.files.mysql_rootPassword = {
path = "${config.services.mysql.dataDir}/mysql_rootPassword";
- owner.name = "root";
+ owner.name = "mysql";
source-path = toString <secrets> + "/mysql_rootPassword";
};
services.mysql = {
enable = true;
+ dataDir = "/var/mysql";
package = pkgs.mariadb;
rootPassword = config.krebs.secret.files.mysql_rootPassword.path;
};
diff --git a/lass/2configs/weechat.nix b/lass/2configs/weechat.nix
index 4b6445619..d5496ac09 100644
--- a/lass/2configs/weechat.nix
+++ b/lass/2configs/weechat.nix
@@ -21,6 +21,11 @@ in {
];
};
+ # mosh
+ krebs.iptables.tables.filter.INPUT.rules = [
+ { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";}
+ ];
+
#systemd.services.chat = {
# description = "chat environment setup";
# after = [ "network.target" ];
diff --git a/lass/2configs/wine.nix b/lass/2configs/wine.nix
index 2444d32d3..0d2b731ca 100644
--- a/lass/2configs/wine.nix
+++ b/lass/2configs/wine.nix
@@ -5,7 +5,7 @@ let
in {
krebs.per-user.wine.packages = with pkgs; [
- wineFull
+ wine
#(wineFull.override { wineBuild = "wine64"; })
];
users.users= {
diff --git a/lass/3modules/ejabberd/config.nix b/lass/3modules/ejabberd/config.nix
index b1fca08d3..68bcfa340 100644
--- a/lass/3modules/ejabberd/config.nix
+++ b/lass/3modules/ejabberd/config.nix
@@ -1,93 +1,129 @@
-{ config, ... }: with import <stockholm/lib>; let
- cfg = config.lass.ejabberd;
+with import <stockholm/lib>;
+{ config, ... }: let
- # XXX this is a placeholder that happens to work the default strings.
- toErlang = builtins.toJSON;
-in toFile "ejabberd.conf" ''
- {loglevel, 3}.
- {hosts, ${toErlang cfg.hosts}}.
- {listen,
- [
- {5222, ejabberd_c2s, [
- starttls,
- {certfile, ${toErlang cfg.certfile.path}},
- {access, c2s},
- {shaper, c2s_shaper},
- {max_stanza_size, 65536}
- ]},
- {5269, ejabberd_s2s_in, [
- {shaper, s2s_shaper},
- {max_stanza_size, 131072}
- ]},
- {5280, ejabberd_http, [
- captcha,
- http_bind,
- http_poll,
- web_admin
- ]}
- ]}.
- {s2s_use_starttls, required}.
- {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}.
- {auth_method, internal}.
- {shaper, normal, {maxrate, 1000}}.
- {shaper, fast, {maxrate, 50000}}.
- {max_fsm_queue, 1000}.
- {acl, local, {user_regexp, ""}}.
- {access, max_user_sessions, [{10, all}]}.
- {access, max_user_offline_messages, [{5000, admin}, {100, all}]}.
- {access, local, [{allow, local}]}.
- {access, c2s, [{deny, blocked},
- {allow, all}]}.
- {access, c2s_shaper, [{none, admin},
- {normal, all}]}.
- {access, s2s_shaper, [{fast, all}]}.
- {access, announce, [{allow, admin}]}.
- {access, configure, [{allow, admin}]}.
- {access, muc_admin, [{allow, admin}]}.
- {access, muc_create, [{allow, local}]}.
- {access, muc, [{allow, all}]}.
- {access, pubsub_createnode, [{allow, local}]}.
- {access, register, [{allow, local}]}.
- {language, "en"}.
- {modules,
- [
- {mod_adhoc, []},
- {mod_announce, [{access, announce}]},
- {mod_blocking,[]},
- {mod_caps, []},
- {mod_configure,[]},
- {mod_disco, []},
- {mod_irc, []},
- {mod_http_bind, []},
- {mod_last, []},
- {mod_muc, [
- {access, muc},
- {access_create, muc_create},
- {access_persistent, muc_create},
- {access_admin, muc_admin}
- ]},
- {mod_offline, [{access_max_user_messages, max_user_offline_messages}]},
- {mod_ping, []},
- {mod_privacy, []},
- {mod_private, []},
- {mod_pubsub, [
- {access_createnode, pubsub_createnode},
- {ignore_pep_from_offline, true},
- {last_item_cache, false},
- {plugins, ["flat", "hometree", "pep"]}
- ]},
- {mod_register, [
- {welcome_message, {"Welcome!",
- "Hi.\nWelcome to this XMPP server."}},
- {ip_access, [{allow, "127.0.0.0/8"},
- {allow, "0.0.0.0/0"}]},
- {access, register}
- ]},
- {mod_roster, []},
- {mod_shared_roster,[]},
- {mod_stats, []},
- {mod_time, []},
- {mod_vcard, []},
- {mod_version, []}
- ]}.
+ # See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example
+
+ ciphers = concatStringsSep ":" [
+ "ECDHE-ECDSA-AES256-GCM-SHA384"
+ "ECDHE-RSA-AES256-GCM-SHA384"
+ "ECDHE-ECDSA-CHACHA20-POLY1305"
+ "ECDHE-RSA-CHACHA20-POLY1305"
+ "ECDHE-ECDSA-AES128-GCM-SHA256"
+ "ECDHE-RSA-AES128-GCM-SHA256"
+ "ECDHE-ECDSA-AES256-SHA384"
+ "ECDHE-RSA-AES256-SHA384"
+ "ECDHE-ECDSA-AES128-SHA256"
+ "ECDHE-RSA-AES128-SHA256"
+ ];
+
+ protocol_options = [
+ "no_sslv2"
+ "no_sslv3"
+ "no_tlsv1"
+ "no_tlsv1_10"
+ ];
+
+in /* yaml */ ''
+
+ access_rules:
+ announce:
+ - allow: admin
+ local:
+ - allow: local
+ configure:
+ - allow: admin
+ register:
+ - allow
+ s2s:
+ - allow
+ trusted_network:
+ - allow: loopback
+
+ acl:
+ local:
+ user_regexp: ""
+ loopback:
+ ip:
+ - "127.0.0.0/8"
+ - "::1/128"
+ - "::FFFF:127.0.0.1/128"
+
+ hosts: ${toJSON config.hosts}
+
+ language: "en"
+
+ listen:
+ -
+ port: 5222
+ ip: "::"
+ module: ejabberd_c2s
+ shaper: c2s_shaper
+ certfile: ${toJSON config.certfile.path}
+ ciphers: ${toJSON ciphers}
+ dhfile: ${toJSON config.dhfile.path}
+ protocol_options: ${toJSON protocol_options}
+ starttls: true
+ starttls_required: true
+ tls: false
+ tls_compression: false
+ max_stanza_size: 65536
+ -
+ port: 5269
+ ip: "::"
+ module: ejabberd_s2s_in
+ shaper: s2s_shaper
+ max_stanza_size: 131072
+
+ loglevel: 4
+
+ modules:
+ mod_adhoc: {}
+ mod_admin_extra: {}
+ mod_announce:
+ access: announce
+ mod_caps: {}
+ mod_carboncopy: {}
+ mod_client_state: {}
+ mod_configure: {}
+ mod_disco: {}
+ mod_echo: {}
+ mod_irc: {}
+ mod_bosh: {}
+ mod_last: {}
+ mod_offline:
+ access_max_user_messages: max_user_offline_messages
+ mod_ping: {}
+ mod_privacy: {}
+ mod_private: {}
+ mod_register:
+ access_from: deny
+ access: register
+ ip_access: trusted_network
+ registration_watchers: ${toJSON config.registration_watchers}
+ mod_roster: {}
+ mod_shared_roster: {}
+ mod_stats: {}
+ mod_time: {}
+ mod_vcard:
+ search: false
+ mod_version: {}
+ mod_http_api: {}
+
+ s2s_access: s2s
+ s2s_certfile: ${toJSON config.s2s_certfile.path}
+ s2s_ciphers: ${toJSON ciphers}
+ s2s_dhfile: ${toJSON config.dhfile.path}
+ s2s_protocol_options: ${toJSON protocol_options}
+ s2s_tls_compression: false
+ s2s_use_starttls: required
+
+ shaper_rules:
+ max_user_offline_messages:
+ - 5000: admin
+ - 100
+ max_user_sessions: 10
+ c2s_shaper:
+ - none: admin
+ - normal
+ s2s_shaper: fast
''
diff --git a/lass/3modules/ejabberd/default.nix b/lass/3modules/ejabberd/default.nix
index e2fba5ff5..4838a9093 100644
--- a/lass/3modules/ejabberd/default.nix
+++ b/lass/3modules/ejabberd/default.nix
@@ -1,5 +1,16 @@
{ config, lib, pkgs, ... }@args: with import <stockholm/lib>; let
cfg = config.lass.ejabberd;
+
+ gen-dhparam = pkgs.writeDash "gen-dhparam" ''
+ set -efu
+ path=$1
+ bits=2048
+ # TODO regenerate dhfile after some time?
+ if ! test -e "$path"; then
+ ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path"
+ fi
+ '';
+
in {
options.lass.ejabberd = {
enable = mkEnableOption "lass.ejabberd";
@@ -11,20 +22,36 @@ in {
source-path = "/var/lib/acme/lassul.us/full.pem";
};
};
+ dhfile = mkOption {
+ type = types.secret-file;
+ default = {
+ path = "${cfg.user.home}/dhparams.pem";
+ owner = cfg.user;
+ source-path = "/dev/null";
+ };
+ };
hosts = mkOption {
type = with types; listOf str;
};
pkgs.ejabberdctl = mkOption {
type = types.package;
default = pkgs.writeDashBin "ejabberdctl" ''
- set -efu
-