ejabberd: port to dns-dns; add experimental STUN/TURN support

during startup it says:
```
Ignoring TLS-enabled STUN/TURN listener
```

and later
```
Invalid certificate in /var/lib/acme/uninsane.org/fullchain.pem: at line 61: certificate is signed by unknown CA
```

the invalid cert thing has always been here. it's for the root cert. idk
if i need to tell ejabberd that one's self-signed, or what.

hosts/servo/services/ejabberd.nix

@@ -3,14 +3,15 @@
 # example configs:
 # - <https://github.com/vkleen/machines/blob/138a2586ce185d7cf201d4e1fe898c83c4af52eb/hosts/europium/ejabberd.nix>
 # - <https://github.com/Mic92/stockholm/blob/675ef0088624c9de1cb531f318446316884a9d3d/tv/3modules/ejabberd/default.nix>
-# - <https://github.com/buffet/tararice/blob/bc5b65509f4e622313af3f1f4be690628123f1f3/programs/ejabberd.nix>
+# - <https://github.com/buffet/tararice/blob/master/programs/ejabberd.nix>
 #   - enables STUN and TURN
+#   - only over UDP 3478, not firewall-forwarding any TURN port range
 #   - uses stun_disco module (but with no options)
 # - <https://github.com/leo60228/dotfiles/blob/39b3abba3009bdc31413d4757ca2f882a33eec8b/files/ejabberd.yml>
 # - <https://github.com/Mic92/dotfiles/blob/ddf0f4821f554f7667fc803344657367c55fb9e6/nixos/eve/modules/ejabberd.nix>
 # - <nixpkgs:nixos/tests/xmpp/ejabberd.nix>
 # - 2013: <https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example>
-{ lib, ... }:
+{ config, lib, pkgs, ... }:
 
 # XXX: avatar support works in MUCs but not DMs
 # lib.mkIf false
@@ -19,17 +20,25 @@
     { user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
   ];
   networking.firewall.allowedTCPPorts = [
-    3478  # STUN
+    3478  # STUN/TURN
     5222  # XMPP client -> server
     5269  # XMPP server -> server
     5280  # bosh
     5281  # bosh (https) ??
-    5349  # STUN (TLS)
+    5349  # STUN/TURN (TLS)
     5443  # web services (file uploads, websockets, admin)
   ];
   networking.firewall.allowedUDPPorts = [
-    3478  # STUN
+    3478  # STUN/TURN
   ];
+  networking.firewall.allowedTCPPortRanges = [{
+    from = 49152;  # TURN
+    to = 65535;
+  }];
+  networking.firewall.allowedUDPPortRanges = [{
+    from = 49152;  # TURN
+    to = 65535;
+  }];
 
   # provide access to certs
   users.users.ejabberd.extraGroups = [ "nginx" ];
@@ -69,11 +78,18 @@
     SRV."_stun._udp" =        [ "0 0 3478 native" ];
     SRV."_stun._tcp" =        [ "0 0 3478 native" ];
     SRV."_stuns._tcp" =       [ "0 0 5349 native" ];
+    SRV."_turn._udp" =        [ "0 0 3478 native" ];
+    SRV."_turn._tcp" =        [ "0 0 3478 native" ];
+    SRV."_turns._tcp" =       [ "0 0 5349 native" ];
   };
 
   # TODO: allocate UIDs/GIDs ?
   services.ejabberd.enable = true;
-  services.ejabberd.configFile = builtins.toFile "ejabberd.yaml" ''
+  services.ejabberd.configFile = "/var/lib/ejabberd/ejabberd.yaml";
+  systemd.services.ejabberd.preStart = let
+    config-in = pkgs.writeTextFile {
+      name = "ejabberd.yaml.in";
+      text = ''
         hosts:
           - uninsane.org
 
@@ -83,8 +99,8 @@
         acme:
           auto: false
         certfiles:
-      - /var/lib/acme/uninsane.org/fullchain.pem
+        - /var/lib/acme/uninsane.org/full.pem
-      - /var/lib/acme/uninsane.org/key.pem
+        # ca_file: ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
 
         pam_userinfotype: jid
 
@@ -172,18 +188,36 @@
               # /.well-known/host-meta: mod_host_meta
               # /.well-known/host-meta.json: mod_host_meta
           -
+            # STUN+TURN TCP
+            # note that the full port range should be forwarded ("not NAT'd")
+            # `use_turn=true` enables both TURN *and* STUN
             port: 3478
             module: ejabberd_stun
             transport: tcp
+            use_turn: true
+            turn_min_port: 49152
+            turn_max_port: 65535
+            turn_ipv4_address: %NATIVE%
           -
+            # STUN+TURN UDP
             port: 3478
             module: ejabberd_stun
             transport: udp
+            use_turn: true
+            turn_min_port: 49152
+            turn_max_port: 65535
+            turn_ipv4_address: %NATIVE%
           -
+            # STUN+TURN TLS over TCP
             port: 5349
             module: ejabberd_stun
             transport: tcp
             tls: true
+            certfile: /var/lib/acme/uninsane.org/full.pem
+            use_turn: true
+            turn_min_port: 49152
+            turn_max_port: 65535
+            turn_ipv4_address: %NATIVE%
 
         # TODO: enable mod_client_state for net optimization
         # TODO: enable mod_fail2ban
@@ -294,4 +328,16 @@
                 access_model: whitelist
           mod_version: {}
       '';
+    };
+    sed = "${pkgs.gnused}/bin/sed";
+  in ''
+    ip=$(cat '${config.sane.services.dyn-dns.ipPath}')
+    # config is 444 (not 644), so we want to write out-of-place and then atomically move
+    # TODO: factor this out into `sane-woop` helper?
+    rm -f /var/lib/ejabberd/ejabberd.yaml.new
+    ${sed} "s/%NATIVE%/$ip/" ${config-in} > /var/lib/ejabberd/ejabberd.yaml.new
+    mv /var/lib/ejabberd/ejabberd.yaml{.new,}
+  '';
+
+  sane.services.dyn-dns.restartOnChange = [ "ejabberd.service" ];
 }