From 8a745a9b8a8659cb9cd654b4814fe4e2e0e2e35a Mon Sep 17 00:00:00 2001
From: colin
Date: Mon, 19 Dec 2022 01:10:44 +0000
Subject: [PATCH] ejabberd: enable STUN (with partial discovery support)

discovery is probably not working:
```
Won't auto-announce STUN/TURN service on port 3478 (udp) without public IP address, please specify 'turn_ipv4_address' and optionally 'turn_ipv6_address'
Won't auto-announce STUN/TURN service on port 3478 (tcp) without public IP address, please specify 'turn_ipv4_address' and optionally 'turn_ipv6_address'
```
no messages for the TLS implementation, so maybe that's working?
---
hosts/servo/services/ejabberd.nix | 42 +++++++++++++++++++++++++------
1 file changed, 35 insertions(+), 7 deletions(-)

diff --git a/hosts/servo/services/ejabberd.nix b/hosts/servo/services/ejabberd.nix
index c49aee29..9be5b6e8 100644
--- a/hosts/servo/services/ejabberd.nix
+++ b/hosts/servo/services/ejabberd.nix
@@ -4,6 +4,8 @@
 # -
 # -
 # -
+# - enables STUN and TURN
+# - uses stun_disco module (but with no options)
 # -
 # -
 # -
@@ -17,12 +19,17 @@
 { user = "ejabberd"; group = "ejabberd"; directory = "/var/lib/ejabberd"; }
 ];
 networking.firewall.allowedTCPPorts = [
+ 3478 # STUN
 5222 # XMPP client -> server
 5269 # XMPP server -> server
 5280 # bosh
 5281 # bosh (https) ??
+ 5349 # STUN (TLS)
 5443 # web services (file uploads, websockets, admin)
 ];
+ networking.firewall.allowedUDPPorts = [
+ 3478 # STUN
+ ];
 # provide access to certs
 users.users.ejabberd.extraGroups = [ "nginx" ];
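Review bot: The new 3478 openings (TCP and UDP) expose a listener that answers STUN Binding requests from anyone, with no account required, which is a different exposure class from the XMPP ports listed next to them, so the bare `# STUN` comments undersell it. I would annotate them, e.g. `3478 # STUN (answers unauthenticated binding requests; listener in ejabberd config below)`, and consider setting a `shaper` on the ejabberd_stun listeners since nothing in this patch bounds request rate. The 5349 line is consistent with the `tls: true` listener added further down in the same file. The enclosing attribute set starts and ends outside the hunk.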
@@ -49,15 +56,18 @@
 };
 sane.services.trust-dns.zones."uninsane.org".records = ''
- xmpp CNAME native
- conference.xmpp CNAME native
- pubsub.xmpp CNAME native
- upload.xmpp CNAME native
- vjid.xmpp CNAME native
+ xmpp CNAME native
+ conference.xmpp CNAME native
+ pubsub.xmpp CNAME native
+ upload.xmpp CNAME native
+ vjid.xmpp CNAME native
 ; _Service._Proto.Name TTL Class SRV Priority Weight Port Target
- _xmpp-client._tcp SRV 0 0 5222 native
- _xmpp-server._tcp SRV 0 0 5269 native
+ _xmpp-client._tcp SRV 0 0 5222 native
+ _xmpp-server._tcp SRV 0 0 5269 native
+ _stun._udp SRV 0 0 3478 native
+ _stun._tcp SRV 0 0 3478 native
+ _stuns._tcp SRV 0 0 5349 native
 '';
 # TODO: allocate UIDs/GIDs ?
@@ -160,6 +170,19 @@
 /ws: ejabberd_http_ws
 # /.well-known/host-meta: mod_host_meta
 # /.well-known/host-meta.json: mod_host_meta
+ -
+ port: 3478
+ module: ejabberd_stun
+ transport: tcp
+ -
+ port: 3478
+ module: ejabberd_stun
+ transport: udp
+ -
+ port: 5349
+ module: ejabberd_stun
+ transport: tcp
+ tls: true
 # TODO: enable mod_client_state for net optimization
 # TODO: enable mod_fail2ban
@@ -241,6 +264,11 @@
 mod_shared_roster: {} # creates groups for @all, @online, and anything manually administered?
 mod_stream_mgmt:
 resend_on_timeout: if_offline # resend undelivered messages if the origin client is offline
+ # fallback for when DNS-based STUN discovery is unsupported.
+ # - see:
+ # docs:
+ # people say to just keep this defaulted (i guess ejabberd knows to return its `host` option of uninsane.org?)
+ mod_stun_disco: {}
 # docs:
 mod_vcard:
 allow_return_all: true # all users are discoverable (?)
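Review bot: `_stuns._tcp SRV 0 0 5349 native` advertises STUN over TLS, but the certificate the 5349 listener presents is not visible anywhere in this patch, so a client that validates the TLS identity may reject the service this record promises; confirm the certificate covers the name clients will check (the zone name and/or the SRV target `native`) before publishing it. The CNAME and `_xmpp-*` lines above are whitespace-only re-indentation. Only STUN is advertised here, which matches the listeners added later in the file (no relay is configured), so no `_turn`/`_turns` records are needed unless that changes. The `records` string closes inside the hunk but the enclosing module continues outside it.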
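Review bot: None of the three `ejabberd_stun` listeners sets `use_turn`, and that option defaults to off, so this hunk enables STUN only, while the header comment added in the first hunk says "enables STUN and TURN"; either drop "and TURN" from that comment or make the intent explicit on each listener with `use_turn: false # STUN only; media relay deliberately off`. If relaying is actually wanted later, it should come with `auth_type: user` and an explicit `turn_min_port`/`turn_max_port` range so only authenticated accounts can allocate relays and the firewall opening stays bounded. The `tls: true` listener on 5349 gives no hint where its certificate comes from, and the commit message's "maybe that's working?" suggests it was not checked; a one-line comment naming the certificate source would help, and a TLS handshake against 5349 from outside the host is the test that settles it. The listen list starts and ends outside the hunk.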
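Review bot: The warning quoted in the commit message ("Won't auto-announce ... please specify 'turn_ipv4_address'") is about the `ejabberd_stun` listeners, not about `mod_stun_disco`, so adding `mod_stun_disco: {}` on its own will not make the service discoverable; the routable address has to be given with `turn_ipv4_address` on each listener in the previous hunk, or the services listed explicitly in the module's `services` option. The `# - see:` and `# docs:` comments above it carry no reference (possibly stripped in rendering); fill them in or remove them so they do not read as placeholders. The guess in the fourth comment line should become a statement, e.g. `# announces the ejabberd_stun listeners above once they have a routable address; the default access rule limits discovery to local accounts`, since that is what an operator auditing the XEP-0215 exposure needs to know. The `modules` mapping starts and ends outside the hunk.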