colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

ejabberd: port to dns-dns; add experimental STUN/TURN support

Browse Source 
during startup it says:
```
Ignoring TLS-enabled STUN/TURN listener
```

and later
```
Invalid certificate in /var/lib/acme/uninsane.org/fullchain.pem: at line 61: certificate is signed by unknown CA
```

the invalid cert thing has always been here. it's for the root cert. idk
if i need to tell ejabberd that one's self-signed, or what.
This commit is contained in:
colin
2022-12-20 03:26:08 +00:00
parent bd699c887c
commit 55e09c2dbf
1 changed files with 260 additions and 214 deletions
Download Patch File Download Diff File Expand all files Collapse all files

474
hosts/servo/services/ejabberd.nix
View File

@@ -3,14 +3,15 @@
# example configs: # example configs:
# - <https://github.com/vkleen/machines/blob/138a2586ce185d7cf201d4e1fe898c83c4af52eb/hosts/europium/ejabberd.nix> # - <https://github.com/vkleen/machines/blob/138a2586ce185d7cf201d4e1fe898c83c4af52eb/hosts/europium/ejabberd.nix>
# - <https://github.com/Mic92/stockholm/blob/675ef0088624c9de1cb531f318446316884a9d3d/tv/3modules/ejabberd/default.nix> # - <https://github.com/Mic92/stockholm/blob/675ef0088624c9de1cb531f318446316884a9d3d/tv/3modules/ejabberd/default.nix>
# - <https://github.com/buffet/tararice/blob/bc5b65509f4e622313af3f1f4be690628123f1f3/programs/ejabberd.nix> # - <https://github.com/buffet/tararice/blob/master/programs/ejabberd.nix>
# - enables STUN and TURN # - enables STUN and TURN
# - only over UDP 3478, not firewall-forwarding any TURN port range
# - uses stun_disco module (but with no options) # - uses stun_disco module (but with no options)
# - <https://github.com/leo60228/dotfiles/blob/39b3abba3009bdc31413d4757ca2f882a33eec8b/files/ejabberd.yml> # - <https://github.com/leo60228/dotfiles/blob/39b3abba3009bdc31413d4757ca2f882a33eec8b/files/ejabberd.yml>
# - <https://github.com/Mic92/dotfiles/blob/ddf0f4821f554f7667fc803344657367c55fb9e6/nixos/eve/modules/ejabberd.nix> # - <https://github.com/Mic92/dotfiles/blob/ddf0f4821f554f7667fc803344657367c55fb9e6/nixos/eve/modules/ejabberd.nix>
# - <nixpkgs:nixos/tests/xmpp/ejabberd.nix> # - <nixpkgs:nixos/tests/xmpp/ejabberd.nix>
# - 2013: <https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example> # - 2013: <https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example>
{ lib, ... }: { config, lib, pkgs, ... }:
# XXX: avatar support works in MUCs but not DMs # XXX: avatar support works in MUCs but not DMs
# lib.mkIf false # lib.mkIf false
@@ -19,17 +20,25 @@
{ user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; } { user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
]; ];
networking.firewall.allowedTCPPorts = [ networking.firewall.allowedTCPPorts = [
3478 # STUN 3478 # STUN/TURN
5222 # XMPP client -> server 5222 # XMPP client -> server
5269 # XMPP server -> server 5269 # XMPP server -> server
5280 # bosh 5280 # bosh
5281 # bosh (https) ?? 5281 # bosh (https) ??
5349 # STUN (TLS) 5349 # STUN/TURN (TLS)
5443 # web services (file uploads, websockets, admin) 5443 # web services (file uploads, websockets, admin)
]; ];
networking.firewall.allowedUDPPorts = [ networking.firewall.allowedUDPPorts = [
3478 # STUN 3478 # STUN/TURN
]; ];
networking.firewall.allowedTCPPortRanges = [{
from = 49152; # TURN
to = 65535;
}];
networking.firewall.allowedUDPPortRanges = [{
from = 49152; # TURN
to = 65535;
}];
# provide access to certs # provide access to certs
users.users.ejabberd.extraGroups = [ "nginx" ]; users.users.ejabberd.extraGroups = [ "nginx" ];
@@ -69,229 +78,266 @@
SRV."_stun._udp" = [ "0 0 3478 native" ]; SRV."_stun._udp" = [ "0 0 3478 native" ];
SRV."_stun._tcp" = [ "0 0 3478 native" ]; SRV."_stun._tcp" = [ "0 0 3478 native" ];
SRV."_stuns._tcp" = [ "0 0 5349 native" ]; SRV."_stuns._tcp" = [ "0 0 5349 native" ];
SRV."_turn._udp" = [ "0 0 3478 native" ];
SRV."_turn._tcp" = [ "0 0 3478 native" ];
SRV."_turns._tcp" = [ "0 0 5349 native" ];
}; };
# TODO: allocate UIDs/GIDs ? # TODO: allocate UIDs/GIDs ?
services.ejabberd.enable = true; services.ejabberd.enable = true;
services.ejabberd.configFile = builtins.toFile "ejabberd.yaml" '' services.ejabberd.configFile = "/var/lib/ejabberd/ejabberd.yaml";
hosts: systemd.services.ejabberd.preStart = let
- uninsane.org config-in = pkgs.writeTextFile {
name = "ejabberd.yaml.in";
text = ''
hosts:
- uninsane.org
# none | emergency | alert | critical | error | warning | notice | info | debug # none | emergency | alert | critical | error | warning | notice | info | debug
loglevel: debug loglevel: debug
acme: acme:
auto: false auto: false
certfiles: certfiles:
- /var/lib/acme/uninsane.org/fullchain.pem - /var/lib/acme/uninsane.org/full.pem
- /var/lib/acme/uninsane.org/key.pem # ca_file: ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt
pam_userinfotype: jid pam_userinfotype: jid
acl: acl:
admin: admin:
user: user:
- "colin@uninsane.org" - "colin@uninsane.org"
local: local:
user_regexp: "" user_regexp: ""
loopback: loopback:
ip: ip:
- 127.0.0.0/8 - 127.0.0.0/8
- ::1/128 - ::1/128
access_rules: access_rules:
local: local:
allow: local allow: local
c2s_access: c2s_access:
allow: all allow: all
announce: announce:
allow: admin allow: admin
configure: configure:
allow: admin allow: admin
muc_create: muc_create:
allow: local allow: local
pubsub_createnode_access: pubsub_createnode_access:
allow: local allow: local
trusted_network: trusted_network:
allow: loopback allow: loopback
# docs: <https://docs.ejabberd.im/admin/configuration/basic/#shaper-rules> # docs: <https://docs.ejabberd.im/admin/configuration/basic/#shaper-rules>
shaper_rules: shaper_rules:
# setting this to above 1 may break outgoing messages # setting this to above 1 may break outgoing messages
# - maybe some servers rate limit? or just don't understand simultaneous connections? # - maybe some servers rate limit? or just don't understand simultaneous connections?
max_s2s_connections: 1 max_s2s_connections: 1
max_user_sessions: 10 max_user_sessions: 10
max_user_offline_messages: 5000 max_user_offline_messages: 5000
c2s_shaper: c2s_shaper:
fast: all fast: all
s2s_shaper: s2s_shaper:
med: all med: all
# docs: <https://docs.ejabberd.im/admin/configuration/basic/#shapers> # docs: <https://docs.ejabberd.im/admin/configuration/basic/#shapers>
# this limits the bytes/sec. # this limits the bytes/sec.
# for example, burst: 3_000_000 and rate: 100_000 means: # for example, burst: 3_000_000 and rate: 100_000 means:
# - each client has a BW budget that accumulates 100kB/sec and is capped at 3 MB # - each client has a BW budget that accumulates 100kB/sec and is capped at 3 MB
shaper: shaper:
fast: 1000000 fast: 1000000
med: 500000 med: 500000
# fast: # fast:
# - rate: 1000000 # - rate: 1000000
# - burst_size: 10000000 # - burst_size: 10000000
# med: # med:
# - rate: 500000 # - rate: 500000
# - burst_size: 5000000 # - burst_size: 5000000
# see: <https://docs.ejabberd.im/admin/configuration/listen/> # see: <https://docs.ejabberd.im/admin/configuration/listen/>
# s2s_use_starttls: true # s2s_use_starttls: true
s2s_use_starttls: optional s2s_use_starttls: optional
# lessens 504: remote-server-timeout errors # lessens 504: remote-server-timeout errors
# see: <https://github.com/processone/ejabberd/issues/3105#issuecomment-562182967> # see: <https://github.com/processone/ejabberd/issues/3105#issuecomment-562182967>
negotiation_timeout: 60 negotiation_timeout: 60
listen: listen:
-
port: 5222
module: ejabberd_c2s
shaper: c2s_shaper
starttls: true
access: c2s_access
-
port: 5269
module: ejabberd_s2s_in
shaper: s2s_shaper
-
port: 5443
module: ejabberd_http
tls: true
request_handlers:
/admin: ejabberd_web_admin # TODO: ensure this actually works
/api: mod_http_api # ejabberd API endpoint (to control server)
/bosh: mod_bosh
/upload: mod_http_upload
/ws: ejabberd_http_ws
# /.well-known/host-meta: mod_host_meta
# /.well-known/host-meta.json: mod_host_meta
-
port: 3478
module: ejabberd_stun
transport: tcp
-
port: 3478
module: ejabberd_stun
transport: udp
-
port: 5349
module: ejabberd_stun
transport: tcp
tls: true
# TODO: enable mod_client_state for net optimization
# TODO: enable mod_fail2ban
# TODO(low): look into mod_http_fileserver for serving macros?
modules:
# mod_adhoc: {}
# mod_announce:
# access: admin
# allows users to set avatars in vCard
# - <https://docs.ejabberd.im/admin/configuration/modules/#mod-avatar>
mod_avatar: {}
mod_caps: {} # for mod_pubsub
mod_carboncopy: {} # allows multiple clients to receive a user's message
# mod_conversejs: TODO: enable once on 21.12
# allows clients like Dino to discover where to upload files
mod_disco:
server_info:
- -
modules: all port: 5222
name: abuse-addresses module: ejabberd_c2s
urls: shaper: c2s_shaper
- "mailto:admin.xmpp@uninsane.org" starttls: true
- "xmpp:colin@uninsane.org" access: c2s_access
- -
modules: all port: 5269
name: admin-addresses module: ejabberd_s2s_in
urls: shaper: s2s_shaper
- "mailto:admin.xmpp@uninsane.org" -
- "xmpp:colin@uninsane.org" port: 5443
mod_http_upload: module: ejabberd_http
host: upload.xmpp.uninsane.org tls: true
hosts: request_handlers:
- upload.xmpp.uninsane.org /admin: ejabberd_web_admin # TODO: ensure this actually works
put_url: "https://@HOST@:5443/upload" /api: mod_http_api # ejabberd API endpoint (to control server)
dir_mode: "0750" /bosh: mod_bosh
file_mode: "0750" /upload: mod_http_upload
rm_on_unregister: false /ws: ejabberd_http_ws
# allow discoverability of BOSH and websocket endpoints # /.well-known/host-meta: mod_host_meta
# TODO: enable once on ejabberd 22.05 (presently 21.04) # /.well-known/host-meta.json: mod_host_meta
# mod_host_meta: {} -
mod_jidprep: {} # probably not needed: lets clients normalize jids # STUN+TURN TCP
mod_last: {} # allow other users to know when i was last online # note that the full port range should be forwarded ("not NAT'd")
mod_mam: # `use_turn=true` enables both TURN *and* STUN
# Mnesia is limited to 2GB, better to use an SQL backend port: 3478
# For small servers SQLite is a good fit and is very easy module: ejabberd_stun
# to configure. Uncomment this when you have SQL configured: transport: tcp
# db_type: sql use_turn: true
assume_mam_usage: true turn_min_port: 49152
default: always turn_max_port: 65535
mod_muc: turn_ipv4_address: %NATIVE%
access: -
- allow # STUN+TURN UDP
access_admin: port: 3478
- allow: admin module: ejabberd_stun
access_create: muc_create transport: udp
access_persistent: muc_create use_turn: true
access_mam: turn_min_port: 49152
- allow turn_max_port: 65535
history_size: 100 # messages to show new participants turn_ipv4_address: %NATIVE%
host: conference.xmpp.uninsane.org -
hosts: # STUN+TURN TLS over TCP
- conference.xmpp.uninsane.org port: 5349
default_room_options: module: ejabberd_stun
anonymous: false transport: tcp
lang: en tls: true
persistent: true certfile: /var/lib/acme/uninsane.org/full.pem
mam: true use_turn: true
mod_muc_admin: {} turn_min_port: 49152
mod_offline: # store messages for a user when they're offline (TODO: understand multi-client workflow?) turn_max_port: 65535
access_max_user_messages: max_user_offline_messages turn_ipv4_address: %NATIVE%
store_groupchat: true
mod_ping: {} # TODO: enable mod_client_state for net optimization
mod_privacy: {} # deprecated, but required for `ejabberctl export_piefxis` # TODO: enable mod_fail2ban
mod_private: {} # allow local clients to persist arbitrary data on my server # TODO(low): look into mod_http_fileserver for serving macros?
mod_roster: modules:
versioning: true # mod_adhoc: {}
# docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-s2s-dialback> # mod_announce:
# mod_s2s_dialback: {} # XXX: MIGHT need to enable this to federate with some servers # access: admin
mod_shared_roster: {} # creates groups for @all, @online, and anything manually administered? # allows users to set avatars in vCard
mod_stream_mgmt: # - <https://docs.ejabberd.im/admin/configuration/modules/#mod-avatar>
resend_on_timeout: if_offline # resend undelivered messages if the origin client is offline mod_avatar: {}
# fallback for when DNS-based STUN discovery is unsupported. mod_caps: {} # for mod_pubsub
# - see: <https://xmpp.org/extensions/xep-0215.html> mod_carboncopy: {} # allows multiple clients to receive a user's message
# docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-stun-disco> # mod_conversejs: TODO: enable once on 21.12
# people say to just keep this defaulted (i guess ejabberd knows to return its `host` option of uninsane.org?) # allows clients like Dino to discover where to upload files
mod_stun_disco: {} mod_disco:
# docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-vcard> server_info:
mod_vcard: -
allow_return_all: true # all users are discoverable (?) modules: all
host: vjid.xmpp.uninsane.org name: abuse-addresses
hosts: urls:
- vjid.xmpp.uninsane.org - "mailto:admin.xmpp@uninsane.org"
search: true - "xmpp:colin@uninsane.org"
mod_vcard_xupdate: {} # needed for avatars -
# docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-pubsub> modules: all
mod_pubsub: # needed for avatars name: admin-addresses
access_createnode: pubsub_createnode_access urls:
host: pubsub.xmpp.uninsane.org - "mailto:admin.xmpp@uninsane.org"
hosts: - "xmpp:colin@uninsane.org"
- pubsub.xmpp.uninsane.org mod_http_upload:
plugins: host: upload.xmpp.uninsane.org
- pep hosts:
# - flat - upload.xmpp.uninsane.org
force_node_config: put_url: "https://@HOST@:5443/upload"
# avoid buggy clients to make their bookmarks public dir_mode: "0750"
# XXX: not sure if this is necessary: copying config from examples file_mode: "0750"
storage:bookmarks: rm_on_unregister: false
access_model: whitelist # allow discoverability of BOSH and websocket endpoints
mod_version: {} # TODO: enable once on ejabberd 22.05 (presently 21.04)
# mod_host_meta: {}
mod_jidprep: {} # probably not needed: lets clients normalize jids
mod_last: {} # allow other users to know when i was last online
mod_mam:
# Mnesia is limited to 2GB, better to use an SQL backend
# For small servers SQLite is a good fit and is very easy
# to configure. Uncomment this when you have SQL configured:
# db_type: sql
assume_mam_usage: true
default: always
mod_muc:
access:
- allow
access_admin:
- allow: admin
access_create: muc_create
access_persistent: muc_create
access_mam:
- allow
history_size: 100 # messages to show new participants
host: conference.xmpp.uninsane.org
hosts:
- conference.xmpp.uninsane.org
default_room_options:
anonymous: false
lang: en
persistent: true
mam: true
mod_muc_admin: {}
mod_offline: # store messages for a user when they're offline (TODO: understand multi-client workflow?)
access_max_user_messages: max_user_offline_messages
store_groupchat: true
mod_ping: {}
mod_privacy: {} # deprecated, but required for `ejabberctl export_piefxis`
mod_private: {} # allow local clients to persist arbitrary data on my server
mod_roster:
versioning: true
# docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-s2s-dialback>
# mod_s2s_dialback: {} # XXX: MIGHT need to enable this to federate with some servers
mod_shared_roster: {} # creates groups for @all, @online, and anything manually administered?
mod_stream_mgmt:
resend_on_timeout: if_offline # resend undelivered messages if the origin client is offline
# fallback for when DNS-based STUN discovery is unsupported.
# - see: <https://xmpp.org/extensions/xep-0215.html>
# docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-stun-disco>
# people say to just keep this defaulted (i guess ejabberd knows to return its `host` option of uninsane.org?)
mod_stun_disco: {}
# docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-vcard>
mod_vcard:
allow_return_all: true # all users are discoverable (?)
host: vjid.xmpp.uninsane.org
hosts:
- vjid.xmpp.uninsane.org
search: true
mod_vcard_xupdate: {} # needed for avatars
# docs: <https://docs.ejabberd.im/admin/configuration/modules/#mod-pubsub>
mod_pubsub: # needed for avatars
access_createnode: pubsub_createnode_access
host: pubsub.xmpp.uninsane.org
hosts:
- pubsub.xmpp.uninsane.org
plugins:
- pep
# - flat
force_node_config:
# avoid buggy clients to make their bookmarks public
# XXX: not sure if this is necessary: copying config from examples
storage:bookmarks:
access_model: whitelist
mod_version: {}
'';
};
sed = "${pkgs.gnused}/bin/sed";
in ''
ip=$(cat '${config.sane.services.dyn-dns.ipPath}')
# config is 444 (not 644), so we want to write out-of-place and then atomically move
# TODO: factor this out into `sane-woop` helper?
rm -f /var/lib/ejabberd/ejabberd.yaml.new
${sed} "s/%NATIVE%/$ip/" ${config-in} > /var/lib/ejabberd/ejabberd.yaml.new
mv /var/lib/ejabberd/ejabberd.yaml{.new,}
''; '';
sane.services.dyn-dns.restartOnChange = [ "ejabberd.service" ];
} }