nix-serve: port 5000 -> 5001; prosody: enable proxy65 on port 5000

2023-10-20 04:48:30 +00:00 · 2023-10-20 04:48:30 +00:00 · 6191542805
commit 6191542805
parent b8f13cd965
3 changed files with 18 additions and 7 deletions
--- a/hosts/by-name/servo/services/prosody.nix
+++ b/hosts/by-name/servo/services/prosody.nix
@ -45,9 +45,6 @@
 # - ensure muc is working
 # - enable file uploads
 #   - "upload.xmpp.uninsane.org:http_upload: URL: <https://upload.xmpp.uninsane.org:5281/upload> - Ensure this can be reached by users"
-# - move proxy65 to own port
-#   - "portmanager: Failed to open server port 5000 on *, this port is in use by another application"
-#   - port 5000 is in use by nix-serve (`sudo lsof -P -i4`)
 # - disable or fix bosh (jabber over http):
 #   - "certmanager: No certificate/key found for client_https port 0"

@ -61,6 +58,12 @@ in
  sane.persist.sys.plaintext = [
    { user = "prosody"; group = "prosody"; path = "/var/lib/prosody"; }
  ];
+  sane.ports.ports."5000" = {
+    protocol = [ "tcp" ];
+    visibleTo.lan = true;
+    visibleTo.wan = true;
+    description = "colin-xmpp-prosody-fileshare-proxy65";
+  };
  sane.ports.ports."5222" = {
    protocol = [ "tcp" ];
    visibleTo.lan = true;
@ -207,6 +210,7 @@ in
    # - private
    #   - XEP-0049: let clients store arbitrary (private) data on the server
    # - proxy65
+    #   - XEP-0065: allow server to proxy file transfers between two clients who are behind NAT
    # - register
    # - roster
    # - saslauth
@ -217,7 +221,6 @@ in
    # - vcard_legacy
    # - version

-    modules.proxy65 = false;  # TODO: free its port 5000 and then re-enable
    extraModules = [
      # admin_shell: allows `prosodyctl shell` to work
      # see: <https://prosody.im/doc/modules/mod_admin_shell>
--- a/hosts/modules/nixcache.nix
+++ b/hosts/modules/nixcache.nix
@ -45,7 +45,7 @@ in
    # - `nix build ... --substituters http://desko:5000`
    nix.settings.substituters = mkIf cfg.enable (lib.flatten [
      (lib.optional cfg.substituters.servo  "https://nixcache.uninsane.org")
-      (lib.optional cfg.substituters.desko  "http://desko:5000")
+      (lib.optional cfg.substituters.desko  "http://desko:${builtins.toString config.sane.service.nixserve.port}")
      (lib.optional cfg.substituters.nixos  "https://cache.nixos.org/")
      (lib.optional cfg.substituters.cachix "https://nix-community.cachix.org")
    ]);
--- a/modules/services/nixserve.nix
+++ b/modules/services/nixserve.nix
@ -13,6 +13,10 @@ in
      default = false;
      type = types.bool;
    };
+    sane.services.nixserve.port = mkOption {
+      default = 5001;
+      type = types.port;
+    };
    sane.services.nixserve.secretKeyFile = mkOption {
      type = types.path;
      description = "path to file that contains the nix_serve_privkey secret (should not be in the store)";
@ -22,8 +26,12 @@ in
  config = mkIf cfg.enable {
    services.nix-serve = {
      enable = true;
-      inherit (cfg) secretKeyFile;
-      openFirewall = true;  # not needed for servo; only desko
+      inherit (cfg) port secretKeyFile;
+    };
+    sane.ports.ports."${builtins.toString cfg.port}" = {
+      visibleTo.lan = true;  # not needed for servo; only desko
+      protocol = [ "tcp" ];
+      description = "colin-nix-serve-cache";
    };
  };
 }