Diffstat (limited to 'lass/3modules')
-rw-r--r-- | lass/3modules/default.nix | 1 | ||||
-rw-r--r-- | lass/3modules/ejabberd/config.nix | 128 | ||||
-rw-r--r-- | lass/3modules/ejabberd/default.nix | 103 |
3 files changed, 0 insertions, 232 deletions
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 8bee08caa..3587e0f88 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -3,7 +3,6 @@ _:
 imports = [
 ./bindfs.nix
 ./dnsmasq.nix
- ./ejabberd
 ./folderPerms.nix
 ./hosts.nix
 ./klem.nix
diff --git a/lass/3modules/ejabberd/config.nix b/lass/3modules/ejabberd/config.nix
deleted file mode 100644
index 4630f25c1..000000000
--- a/lass/3modules/ejabberd/config.nix
+++ /dev/null
@@ -1,128 +0,0 @@ -with import <stockholm/lib>; -{ config, ... }: let - - # See https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example - - ciphers = concatStringsSep ":" [ - "ECDHE-ECDSA-AES256-GCM-SHA384" - "ECDHE-RSA-AES256-GCM-SHA384" - "ECDHE-ECDSA-CHACHA20-POLY1305" - "ECDHE-RSA-CHACHA20-POLY1305" - "ECDHE-ECDSA-AES128-GCM-SHA256" - "ECDHE-RSA-AES128-GCM-SHA256" - "ECDHE-ECDSA-AES256-SHA384" - "ECDHE-RSA-AES256-SHA384" - "ECDHE-ECDSA-AES128-SHA256" - "ECDHE-RSA-AES128-SHA256" - ]; - - protocol_options = [ - "no_sslv2" - "no_sslv3" - "no_tlsv1" - "no_tlsv1_10" - ]; - -in /* yaml */ '' - - access_rules: - announce: - - allow: admin - local: - - allow: local - configure: - - allow: admin - register: - - allow - s2s: - - allow - trusted_network: - - allow: loopback - - acl: - local: - user_regexp: "" - loopback: - ip: - - "127.0.0.0/8" - - "::1/128" - - "::FFFF:127.0.0.1/128" - - hosts: ${toJSON config.hosts} - - language: "en" - - listen: - - - port: 5222 - ip: "::" - module: ejabberd_c2s - shaper: c2s_shaper - certfile: ${toJSON config.certfile.path} - ciphers: ${toJSON ciphers} - dhfile: ${toJSON config.dhfile.path} - protocol_options: ${toJSON protocol_options} - starttls: true - starttls_required: true - tls: false - tls_compression: false - max_stanza_size: 65536 - - - port: 5269 - ip: "::" - module: ejabberd_s2s_in - shaper: s2s_shaper - max_stanza_size: 131072 - - loglevel: 4 - - modules: - mod_adhoc: {} - mod_admin_extra: {} - mod_announce: - access: announce - mod_caps: {} - mod_carboncopy: {} - mod_client_state: {} - mod_configure: {} - mod_disco: {} - mod_echo: {} - mod_bosh: {} - mod_last: {} - mod_offline: - access_max_user_messages: max_user_offline_messages - mod_ping: {} - mod_privacy: {} - mod_private: {} - mod_register: - access_from: allow - access: register - # ip_access: trusted_network - registration_watchers: ${toJSON config.registration_watchers} - mod_roster: {} - mod_shared_roster: {} - mod_stats: {} - mod_time: {} - 
mod_vcard: - search: false - mod_version: {} - mod_http_api: {} - - s2s_access: s2s - s2s_certfile: ${toJSON config.s2s_certfile.path} - s2s_ciphers: ${toJSON ciphers} - s2s_dhfile: ${toJSON config.dhfile.path} - s2s_protocol_options: ${toJSON protocol_options} - s2s_tls_compression: false - s2s_use_starttls: required - - shaper_rules: - max_user_offline_messages: - - 5000: admin - - 100 - max_user_sessions: 10 - c2s_shaper: - - none: admin - - normal - s2s_shaper: fast -'' diff --git a/lass/3modules/ejabberd/default.nix b/lass/3modules/ejabberd/default.nix deleted file mode 100644 index 20a38d572..000000000 --- a/lass/3modules/ejabberd/default.nix +++ /dev/null 
@@ -1,103 +0,0 @@
-{ config, lib, pkgs, ... }@args: with import <stockholm/lib>; let
- cfg = config.lass.ejabberd;
-
- gen-dhparam = pkgs.writeDash "gen-dhparam" ''
- set -efu
- path=$1
- bits=2048
- # TODO regenerate dhfile after some time?
- if ! test -e "$path"; then
- ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path"
- fi
- '';
-
-in {
- options.lass.ejabberd = {
- enable = mkEnableOption "lass.ejabberd";
- certfile = mkOption {
- type = types.secret-file;
- default = {
- name = "ejabberd-certfile";
- path = "${cfg.user.home}/ejabberd.pem";
- owner = cfg.user;
- source-path = "/var/lib/acme/lassul.us/full.pem";
- };
- };
- dhfile = mkOption {
- type = types.secret-file;
- default = {
- name = "ejabberd-dhfile";
- path = "${cfg.user.home}/dhparams.pem";
- owner = cfg.user;
- source-path = "/dev/null";
- };
- };
- hosts = mkOption {
- type = with types; listOf str;
- };
- pkgs.ejabberdctl = mkOption {
- type = types.package;
- default = pkgs.writeDashBin "ejabberdctl" ''
- exec ${pkgs.ejabberd}/bin/ejabberdctl \
- --config ${toFile "ejabberd.yaml" (import ./config.nix {
- inherit pkgs;
- config = cfg;
- })} \
- --logs ${shell.escape cfg.user.home} \
- --spool ${shell.escape cfg.user.home} \
- "$@"
- '';
- };
- registration_watchers = mkOption {
- type = types.listOf types.str;
- default = [
- config.krebs.users.tv.mail
- ];
- };
- s2s_certfile = mkOption {
- type = types.secret-file;
- default = cfg.certfile;
- };
- user = mkOption {
- type = types.user;
- default = {
- name = "ejabberd";
- home = "/var/ejabberd";
- };
- };
- };
- config = lib.mkIf cfg.enable {
- environment.systemPackages = [ cfg.pkgs.ejabberdctl ];
-
- krebs.secret.files = {
- ejabberd-certfile = cfg.certfile;
- ejabberd-s2s_certfile = cfg.s2s_certfile;
- };
-
- systemd.services.ejabberd = {
- wantedBy = [ "multi-user.target" ];
- after = [
- config.krebs.secret.files.ejabberd-certfile.service
- config.krebs.secret.files.ejabberd-s2s_certfile.service
- "network.target"
- ];
- partOf = [
- config.krebs.secret.files.ejabberd-certfile.service
- config.krebs.secret.files.ejabberd-s2s_certfile.service
- ];
- serviceConfig = {
- ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
- ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl foreground";
- PermissionsStartOnly = true;
- SyslogIdentifier = "ejabberd";
- User = cfg.user.name;
- TimeoutStartSec = 60;
- };
- };
-
- users.users.${cfg.user.name} = {
- inherit (cfg.user) home name uid;
- createHome = true;
- };
- };
-}