colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

ejabberd: port config to structured nix attrs

Browse Source
This commit is contained in:
Colin 2023-09-22 22:50:51 +00:00
parent 69ab1c1b8f
commit 2f12fd8ae7
1 changed files with 265 additions and 264 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

529
hosts/by-name/servo/services/ejabberd.nix
View File

@ -179,284 +179,285 @@ in
services.ejabberd.enable = true; services.ejabberd.enable = true;
services.ejabberd.configFile = "/var/lib/ejabberd/ejabberd.yaml"; services.ejabberd.configFile = "/var/lib/ejabberd/ejabberd.yaml";
systemd.services.ejabberd.preStart = let systemd.services.ejabberd.preStart = let
config-in = pkgs.writeTextFile { config-in = pkgs.writeText "ejabberd.yaml.in" (lib.generators.toYAML {} {
name = "ejabberd.yaml.in"; hosts = [ "uninsane.org" ];
text = '' # none | emergency | alert | critical | error | warning | notice | info | debug
hosts: loglevel = "debug";
- uninsane.org acme.auto = false;
certfiles = [ "/var/lib/acme/uninsane.org/full.pem" ];
# ca_file = "${pkgs.cacert.unbundled}/etc/ssl/certs/";
# ca_file = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
# none | emergency | alert | critical | error | warning | notice | info | debug pam_userinfotype = "jid";
loglevel: debug acl = {
# loglevel: info admin.user = [ "colin@uninsane.org" ];
# loglevel: notice local.user_regexp = "";
loopback.ip = [ "127.0.0.0/8" "::1/128" ];
};
acme: access_rules = {
auto: false local.allow = "local";
certfiles: c2s_access.allow = "all";
- /var/lib/acme/uninsane.org/full.pem announce.allow = "admin";
# ca_file: ${pkgs.cacert.unbundled}/etc/ssl/certs/ configure.allow = "admin";
# ca_file: ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt muc_create.allow = "local";
pubsub_createnode_access.allow = "all";
trusted_network.allow = "loopback";
};
pam_userinfotype: jid # docs: <https://docs.ejabberd.im/admin/configuration/basic/#shaper-rules>
shaper_rules = {
# setting this to above 1 may break outgoing messages
# - maybe some servers rate limit? or just don't understand simultaneous connections?
max_s2s_connections = 1;
max_user_sessions = 10;
max_user_offline_messages = 5000;
c2s_shaper.fast = "all";
s2s_shaper.med = "all";
};
acl: # docs: <https://docs.ejabberd.im/admin/configuration/basic/#shapers>
admin: # this limits the bytes/sec.
user: # for example, burst: 3_000_000 and rate: 100_000 means:
- "colin@uninsane.org" # - each client has a BW budget that accumulates 100kB/sec and is capped at 3 MB
local: shaper.fast = 1000000;
user_regexp: "" shaper.med = 500000;
loopback: # shaper.fast.rate = 1000000;
ip: # shaper.fast.burst_size = 10000000;
- 127.0.0.0/8 # shaper.med.rate = 500000;
- ::1/128 # shaper.med.burst_size = 5000000;
access_rules: # see: <https://docs.ejabberd.im/admin/configuration/listen/>
local: # s2s_use_starttls = true;
allow: local s2s_use_starttls = "optional";
c2s_access: # lessens 504: remote-server-timeout errors
allow: all # see: <https://github.com/processone/ejabberd/issues/3105#issuecomment-562182967>
announce: negotiation_timeout = 60;
allow: admin
configure:
allow: admin
muc_create:
allow: local
pubsub_createnode_access:
allow: all
trusted_network:
allow: loopback
# docs: <https://docs.ejabberd.im/admin/configuration/basic/#shaper-rules> listen = [
shaper_rules: {
# setting this to above 1 may break outgoing messages port = 5222;
# - maybe some servers rate limit? or just don't understand simultaneous connections? module = "ejabberd_c2s";
max_s2s_connections: 1 shaper = "c2s_shaper";
max_user_sessions: 10 starttls = true;
max_user_offline_messages: 5000 access = "c2s_access";
c2s_shaper: }
fast: all {
s2s_shaper: port = 5223;
med: all module = "ejabberd_c2s";
shaper = "c2s_shaper";
tls = true;
access = "c2s_access";
}
{
port = 5269;
module = "ejabberd_s2s_in";
shaper = "s2s_shaper";
}
{
port = 5270;
module = "ejabberd_s2s_in";
shaper = "s2s_shaper";
tls = true;
}
{
port = 5443;
module = "ejabberd_http";
tls = true;
request_handlers = {
"/admin" = "ejabberd_web_admin"; # TODO: ensure this actually works
"/api" = "mod_http_api"; # ejabberd API endpoint (to control server)
"/bosh" = "mod_bosh";
"/upload" = "mod_http_upload";
"/ws" = "ejabberd_http_ws";
# "/.well-known/host-meta" = "mod_host_meta";
# "/.well-known/host-meta.json" = "mod_host_meta";
};
}
{
# STUN+TURN TCP
# note that the full port range should be forwarded ("not NAT'd")
# `use_turn=true` enables both TURN *and* STUN
port = 3478;
module = "ejabberd_stun";
transport = "tcp";
use_turn = true;
turn_min_port = turnPortLow;
turn_max_port = turnPortHigh;
turn_ipv4_address = "%ANATIVE%";
}
{
# STUN+TURN UDP
port = 3478;
module = "ejabberd_stun";
transport = "udp";
use_turn = true;
turn_min_port = turnPortLow;
turn_max_port = turnPortHigh;
turn_ipv4_address = "%ANATIVE%";
}
{
# STUN+TURN TLS over TCP
port = 5349;
module = "ejabberd_stun";
transport = "tcp";
tls = true;
certfile = "/var/lib/acme/uninsane.org/full.pem";
use_turn = true;
turn_min_port = turnPortLow;
turn_max_port = turnPortHigh;
turn_ipv4_address = "%ANATIVE%";
}
];
# docs: <https://docs.ejabberd.im/admin/configuration/basic/#shapers> # TODO: enable mod_fail2ban
# this limits the bytes/sec. # TODO(low): look into mod_http_fileserver for serving macros?
# for example, burst: 3_000_000 and rate: 100_000 means: modules = {
# - each client has a BW budget that accumulates 100kB/sec and is capped at 3 MB # mod_adhoc = {};
shaper: # mod_announce = {
fast: 1000000 # access = "admin";
med: 500000 # };
# fast: # allows users to set avatars in vCard
# - rate: 1000000 # - <https://docs.ejabberd.im/admin/configuration/modules/#mod-avatar>
# - burst_size: 10000000 mod_avatar = {};
# med: mod_caps = {}; # for mod_pubsub
# - rate: 500000 mod_carboncopy = {}; # allows multiple clients to receive a user's message
# - burst_size: 5000000 # queues messages when recipient is offline, including PEP and presence messages.
# compliance test suggests this be enabled
mod_client_state = {};
# see: <https://docs.ejabberd.im/admin/configuration/listen/> # mod_conversejs: TODO: enable once on 21.12
# s2s_use_starttls: true # allows clients like Dino to discover where to upload files
s2s_use_starttls: optional mod_disco.server_info = [
# lessens 504: remote-server-timeout errors {
# see: <https://github.com/processone/ejabberd/issues/3105#issuecomment-562182967> modules = "all";
negotiation_timeout: 60 name = "abuse-addresses";
urls = [
listen: "mailto:admin.xmpp@uninsane.org"
- "xmpp:colin@uninsane.org"
port: 5222 ];
module: ejabberd_c2s }
shaper: c2s_shaper {
starttls: true modules = "all";
access: c2s_access name = "admin-addresses";
- urls = [
port: 5223 "mailto:admin.xmpp@uninsane.org"
module: ejabberd_c2s "xmpp:colin@uninsane.org"
shaper: c2s_shaper ];
tls: true }
access: c2s_access ];
- mod_http_upload = {
port: 5269 host = "upload.xmpp.uninsane.org";
module: ejabberd_s2s_in hosts = [ "upload.xmpp.uninsane.org" ];
shaper: s2s_shaper put_url = "https://@HOST@:5443/upload";
- dir_mode = "0750";
port: 5270 file_mode = "0750";
module: ejabberd_s2s_in rm_on_unregister = false;
shaper: s2s_shaper };
tls: true # allow discoverability of BOSH and websocket endpoints
- # TODO: enable once on ejabberd 22.05 (presently 21.04)
port: 5443 # mod_host_meta = {};
module: ejabberd_http mod_jidprep = {}; # probably not needed: lets clients normalize jids
tls: true mod_last = {}; # allow other users to know when i was last online
request_handlers: mod_mam = {
/admin: ejabberd_web_admin # TODO: ensure this actually works # Mnesia is limited to 2GB, better to use an SQL backend
/api: mod_http_api # ejabberd API endpoint (to control server) # For small servers SQLite is a good fit and is very easy
/bosh: mod_bosh # to configure. Uncomment this when you have SQL configured:
/upload: mod_http_upload # db_type: sql
/ws: ejabberd_http_ws assume_mam_usage = true;
# /.well-known/host-meta: mod_host_meta default = "always";
# /.well-known/host-meta.json: mod_host_meta };
- mod_muc = {
# STUN+TURN TCP access = [ "allow" ];
# note that the full port range should be forwarded ("not NAT'd") access_admin = { allow = "admin"; };
# `use_turn=true` enables both TURN *and* STUN access_create = "muc_create";
port: 3478 access_persistent = "muc_create";
module: ejabberd_stun access_mam = [ "allow" ];
transport: tcp history_size = 100; # messages to show new participants
use_turn: true host = "muc.xmpp.uninsane.org";
turn_min_port: ${builtins.toString turnPortLow} hosts = [ "muc.xmpp.uninsane.org" ];
turn_max_port: ${builtins.toString turnPortHigh} default_room_options = {
turn_ipv4_address: %ANATIVE% anonymous = false;
- lang = "en";
# STUN+TURN UDP persistent = true;
port: 3478 mam = true;
module: ejabberd_stun };
transport: udp };
use_turn: true mod_muc_admin = {};
turn_min_port: ${builtins.toString turnPortLow} mod_offline = {
turn_max_port: ${builtins.toString turnPortHigh} # store messages for a user when they're offline (TODO: understand multi-client workflow?)
turn_ipv4_address: %ANATIVE% access_max_user_messages = "max_user_offline_messages";
- store_groupchat = true;
# STUN+TURN TLS over TCP };
port: 5349 mod_ping = {};
module: ejabberd_stun mod_privacy = {}; # deprecated, but required for `ejabberctl export_piefxis`
transport: tcp mod_private = {}; # allow local clients to persist arbitrary data on my server
tls: true # push notifications to services integrated with e.g. Apple/Android.
certfile: /var/lib/acme/uninsane.org/full.pem # default is for a maximum amount of PII to be withheld, since these push notifs
use_turn: true # generally traverse 3rd party services. can opt to include message body, etc, though.
turn_min_port: ${builtins.toString turnPortLow} mod_push = {};
turn_max_port: ${builtins.toString turnPortHigh} # i don't fully understand what this does, but it seems aimed at making push notifs more reliable.
turn_ipv4_address: %ANATIVE% mod_push_keepalive = {};
mod_roster = {
# TODO: enable mod_fail2ban versioning = true;
# TODO(low): look into mod_http_fileserver for serving macros? };
modules: # docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-s2s-dialback>
# mod_adhoc: {} # s2s dialback to verify inbound messages
# mod_announce: # unclear to what degree the XMPP network requires this
# access: admin mod_s2s_dialback = {};
# allows users to set avatars in vCard mod_shared_roster = {}; # creates groups for @all, @online, and anything manually administered?
# - <https://docs.ejabberd.im/admin/configuration/modules/#mod-avatar> mod_stream_mgmt = {
mod_avatar: {} # resend undelivered messages if the origin client is offline
mod_caps: {} # for mod_pubsub resend_on_timeout = "if_offline";
mod_carboncopy: {} # allows multiple clients to receive a user's message };
# queues messages when recipient is offline, including PEP and presence messages. # fallback for when DNS-based STUN discovery is unsupported.
# compliance test suggests this be enabled # - see: <https://xmpp.org/extensions/xep-0215.html>
mod_client_state: {} # docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-stun-disco>
# mod_conversejs: TODO: enable once on 21.12 # people say to just keep this defaulted (i guess ejabberd knows to return its `host` option of uninsane.org?)
# allows clients like Dino to discover where to upload files mod_stun_disco = {};
mod_disco: # docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-vcard>
server_info: mod_vcard = {
- allow_return_all = true; # all users are discoverable (?)
modules: all host = "vjid.xmpp.uninsane.org";
name: abuse-addresses hosts = [ "vjid.xmpp.uninsane.org" ];
urls: search = true;
- "mailto:admin.xmpp@uninsane.org" };
- "xmpp:colin@uninsane.org" mod_vcard_xupdate = {}; # needed for avatars
- # docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-pubsub>
modules: all mod_pubsub = {
name: admin-addresses #^ needed for avatars
urls: access_createnode = "pubsub_createnode_access";
- "mailto:admin.xmpp@uninsane.org" host = "pubsub.xmpp.uninsane.org";
- "xmpp:colin@uninsane.org" hosts = [ "pubsub.xmpp.uninsane.org" ];
mod_http_upload: ignore_pep_from_offline = false;
host: upload.xmpp.uninsane.org last_item_cache = true;
hosts: plugins = [
- upload.xmpp.uninsane.org "pep"
put_url: "https://@HOST@:5443/upload" "flat"
dir_mode: "0750" ];
file_mode: "0750" force_node_config = {
rm_on_unregister: false # ensure client bookmarks are private
# allow discoverability of BOSH and websocket endpoints "storage:bookmarks:" = {
# TODO: enable once on ejabberd 22.05 (presently 21.04) "access_model" = "whitelist";
# mod_host_meta: {} };
mod_jidprep: {} # probably not needed: lets clients normalize jids "urn:xmpp:avatar:data" = {
mod_last: {} # allow other users to know when i was last online "access_model" = "open";
mod_mam: };
# Mnesia is limited to 2GB, better to use an SQL backend "urn:xmpp:avatar:metadata" = {
# For small servers SQLite is a good fit and is very easy "access_model" = "open";
# to configure. Uncomment this when you have SQL configured: };
# db_type: sql };
assume_mam_usage: true };
default: always mod_version = {};
mod_muc: };
access: });
- allow
access_admin:
- allow: admin
access_create: muc_create
access_persistent: muc_create
access_mam:
- allow
history_size: 100 # messages to show new participants
host: muc.xmpp.uninsane.org
hosts:
- muc.xmpp.uninsane.org
default_room_options:
anonymous: false
lang: en
persistent: true
mam: true
mod_muc_admin: {}
mod_offline: # store messages for a user when they're offline (TODO: understand multi-client workflow?)
access_max_user_messages: max_user_offline_messages
store_groupchat: true
mod_ping: {}
mod_privacy: {} # deprecated, but required for `ejabberctl export_piefxis`
mod_private: {} # allow local clients to persist arbitrary data on my server
# push notifications to services integrated with e.g. Apple/Android.
# default is for a maximum amount of PII to be withheld, since these push notifs
# generally traverse 3rd party services. can opt to include message body, etc, though.
mod_push: {}
# i don't fully understand what this does, but it seems aimed at making push notifs more reliable.
mod_push_keepalive: {}
mod_roster:
versioning: true
# docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-s2s-dialback>
# s2s dialback to verify inbound messages
# unclear to what degree the XMPP network requires this
mod_s2s_dialback: {}
mod_shared_roster: {} # creates groups for @all, @online, and anything manually administered?
mod_stream_mgmt:
resend_on_timeout: if_offline # resend undelivered messages if the origin client is offline
# fallback for when DNS-based STUN discovery is unsupported.
# - see: <https://xmpp.org/extensions/xep-0215.html>
# docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-stun-disco>
# people say to just keep this defaulted (i guess ejabberd knows to return its `host` option of uninsane.org?)
mod_stun_disco: {}
# docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-vcard>
mod_vcard:
allow_return_all: true # all users are discoverable (?)
host: vjid.xmpp.uninsane.org
hosts:
- vjid.xmpp.uninsane.org
search: true
mod_vcard_xupdate: {} # needed for avatars
# docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-pubsub>
mod_pubsub: # needed for avatars
access_createnode: pubsub_createnode_access
host: pubsub.xmpp.uninsane.org
hosts:
- pubsub.xmpp.uninsane.org
ignore_pep_from_offline: false
last_item_cache: true
plugins:
- pep
- flat
force_node_config:
# ensure client bookmarks are private
storage:bookmarks:
access_model: whitelist
urn:xmpp:avatar:data:
access_model: open
urn:xmpp:avatar:metadata:
access_model: open
mod_version: {}
'';
};
sed = "${pkgs.gnused}/bin/sed"; sed = "${pkgs.gnused}/bin/sed";
in '' in ''
ip=$(cat '${config.sane.services.dyn-dns.ipPath}') ip=$(cat '${config.sane.services.dyn-dns.ipPath}')
# config is 444 (not 644), so we want to write out-of-place and then atomically move # config is 444 (not 644), so we want to write out-of-place and then atomically move
# TODO: factor this out into `sane-woop` helper? # TODO: factor this out into `sane-woop` helper?
rm -f /var/lib/ejabberd/ejabberd.yaml.new rm -f /var/lib/ejabberd/ejabberd.yaml.new
${sed} "s/%ANATIVE%/$ip/" ${config-in} > /var/lib/ejabberd/ejabberd.yaml.new ${sed} "s/%ANATIVE%/$ip/g" ${config-in} > /var/lib/ejabberd/ejabberd.yaml.new
mv /var/lib/ejabberd/ejabberd.yaml{.new,} mv /var/lib/ejabberd/ejabberd.yaml{.new,}
''; '';