ejabberd: port to dns-dns; add experimental STUN/TURN support

during startup it says: ``` Ignoring TLS-enabled STUN/TURN listener ``` and later ``` Invalid certificate in /var/lib/acme/uninsane.org/fullchain.pem: at line 61: certificate is signed by unknown CA ``` the invalid cert thing has always been here. it's for the root cert. idk if i need to tell ejabberd that one's self-signed, or what.
2022-12-20 03:26:08 +00:00
parent bd699c887c
commit 55e09c2dbf
1 changed files with 260 additions and 214 deletions
--- a/hosts/servo/services/ejabberd.nix
+++ b/hosts/servo/services/ejabberd.nix
@@ -3,14 +3,15 @@
 # example configs:
 # - <https://github.com/vkleen/machines/blob/138a2586ce185d7cf201d4e1fe898c83c4af52eb/hosts/europium/ejabberd.nix>
 # - <https://github.com/Mic92/stockholm/blob/675ef0088624c9de1cb531f318446316884a9d3d/tv/3modules/ejabberd/default.nix>
-# - <https://github.com/buffet/tararice/blob/bc5b65509f4e622313af3f1f4be690628123f1f3/programs/ejabberd.nix>
+# - <https://github.com/buffet/tararice/blob/master/programs/ejabberd.nix>
 #   - enables STUN and TURN
+#   - only over UDP 3478, not firewall-forwarding any TURN port range
 #   - uses stun_disco module (but with no options)
 # - <https://github.com/leo60228/dotfiles/blob/39b3abba3009bdc31413d4757ca2f882a33eec8b/files/ejabberd.yml>
 # - <https://github.com/Mic92/dotfiles/blob/ddf0f4821f554f7667fc803344657367c55fb9e6/nixos/eve/modules/ejabberd.nix>
 # - <nixpkgs:nixos/tests/xmpp/ejabberd.nix>
 # - 2013: <https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example>
-{ lib, ... }:
+{ config, lib, pkgs, ... }:

 # XXX: avatar support works in MUCs but not DMs
 # lib.mkIf false
@@ -19,17 +20,25 @@
    { user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
  ];
  networking.firewall.allowedTCPPorts = [
-    3478  # STUN
+    3478  # STUN/TURN
    5222  # XMPP client -> server
    5269  # XMPP server -> server
    5280  # bosh
    5281  # bosh (https) ??
-    5349  # STUN (TLS)
+    5349  # STUN/TURN (TLS)
    5443  # web services (file uploads, websockets, admin)
  ];
  networking.firewall.allowedUDPPorts = [
-    3478  # STUN
+    3478  # STUN/TURN
  ];
+  networking.firewall.allowedTCPPortRanges = [{
+    from = 49152;  # TURN
+    to = 65535;
+  }];
+  networking.firewall.allowedUDPPortRanges = [{
+    from = 49152;  # TURN
+    to = 65535;
+  }];

  # provide access to certs
  users.users.ejabberd.extraGroups = [ "nginx" ];
@@ -69,11 +78,18 @@
    SRV."_stun._udp" =        [ "0 0 3478 native" ];
    SRV."_stun._tcp" =        [ "0 0 3478 native" ];
    SRV."_stuns._tcp" =       [ "0 0 5349 native" ];
+    SRV."_turn._udp" =        [ "0 0 3478 native" ];
+    SRV."_turn._tcp" =        [ "0 0 3478 native" ];
+    SRV."_turns._tcp" =       [ "0 0 5349 native" ];
  };

  # TODO: allocate UIDs/GIDs ?
  services.ejabberd.enable = true;
-  services.ejabberd.configFile = builtins.toFile "ejabberd.yaml" ''
+  services.ejabberd.configFile = "/var/lib/ejabberd/ejabberd.yaml";
+  systemd.services.ejabberd.preStart = let
+    config-in = pkgs.writeTextFile {
+      name = "ejabberd.yaml.in";
+      text = ''
        hosts:
          - uninsane.org

@@ -83,8 +99,8 @@
        acme:
          auto: false
        certfiles:
-      - /var/lib/acme/uninsane.org/fullchain.pem
-      - /var/lib/acme/uninsane.org/key.pem
+        - /var/lib/acme/uninsane.org/full.pem
+        # ca_file: ${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt

        pam_userinfotype: jid

@@ -172,18 +188,36 @@
              # /.well-known/host-meta: mod_host_meta
              # /.well-known/host-meta.json: mod_host_meta
          -
+            # STUN+TURN TCP
+            # note that the full port range should be forwarded ("not NAT'd")
+            # `use_turn=true` enables both TURN *and* STUN
            port: 3478
            module: ejabberd_stun
            transport: tcp
+            use_turn: true
+            turn_min_port: 49152
+            turn_max_port: 65535
+            turn_ipv4_address: %NATIVE%
          -
+            # STUN+TURN UDP
            port: 3478
            module: ejabberd_stun
            transport: udp
+            use_turn: true
+            turn_min_port: 49152
+            turn_max_port: 65535
+            turn_ipv4_address: %NATIVE%
          -
+            # STUN+TURN TLS over TCP
            port: 5349
            module: ejabberd_stun
            transport: tcp
            tls: true
+            certfile: /var/lib/acme/uninsane.org/full.pem
+            use_turn: true
+            turn_min_port: 49152
+            turn_max_port: 65535
+            turn_ipv4_address: %NATIVE%

        # TODO: enable mod_client_state for net optimization
        # TODO: enable mod_fail2ban
@@ -294,4 +328,16 @@
                access_model: whitelist
          mod_version: {}
      '';
+    };
+    sed = "${pkgs.gnused}/bin/sed";
+  in ''
+    ip=$(cat '${config.sane.services.dyn-dns.ipPath}')
+    # config is 444 (not 644), so we want to write out-of-place and then atomically move
+    # TODO: factor this out into `sane-woop` helper?
+    rm -f /var/lib/ejabberd/ejabberd.yaml.new
+    ${sed} "s/%NATIVE%/$ip/" ${config-in} > /var/lib/ejabberd/ejabberd.yaml.new
+    mv /var/lib/ejabberd/ejabberd.yaml{.new,}
+  '';
+
+  sane.services.dyn-dns.restartOnChange = [ "ejabberd.service" ];
 }