| -rw-r--r-- | ejabberd.nix | 284 | ||||
| -rw-r--r-- | flake.nix | 92 | ||||
| -rw-r--r-- | password.file | 1 | ||||
| -rw-r--r-- | website.nix | 66 |
4 files changed, 366 insertions, 77 deletions
diff --git a/ejabberd.nix b/ejabberd.nix new file mode 100644 index 0000000..d207ee7 --- /dev/null +++ b/ejabberd.nix 
@@ -0,0 +1,284 @@
+{ fqdn }:{ config, lib, pkgs, ... }:
+let
+ certs = config.security.acme.certs;
+ certDirectory = "${certs.${fqdn}.directory}";
+in
+{
+ services.ejabberd =
+ {
+ enable = true;
+ imagemagick = true;
+ configFile = "/etc/ejabberd.yml";
+ package = pkgs.ejabberd.override {
+ withZlib = true;
+ withTools = true;
+ };
+ };
+ security.acme.certs.${fqdn} = {
+ group = "ejabberd-cert";
+ postRun = "systemctl restart ejabberd.service";
+ };
+ users.groups.ejabberd-cert.members = [ "ejabberd" "nginx" ];
+
+ environment.etc."ejabberd.yml" = {
+ user = "ejabberd";
+ mode = "0600";
+ text = ''
+###
+### ejabberd configuration file
+###
+### The parameters used in this configuration file are explained at
+###
+### https://docs.ejabberd.im/admin/configuration
+###
+### The configuration file is written in YAML.
+### *******************************************************
+### ******* !!! WARNING !!! *******
+### ******* YAML IS INDENTATION SENSITIVE *******
+### ******* MAKE SURE YOU INDENT SECTIONS CORRECTLY *******
+### *******************************************************
+### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
+###
+
+hosts:
+ - "crashoverburn.com
+
+loglevel: info
+
+## If you already have certificates, list them here
+certfiles:
+ - ${certDirectory}/full.pem
+ - ${certDirectory}/key.pem
+
+listen:
+ -
+ port: 5222
+ ip: "::"
+ module: ejabberd_c2s
+ max_stanza_size: 262144
+ shaper: c2s_shaper
+ access: c2s
+ starttls_required: true
+ -
+ port: 5223
+ ip: "::"
+ tls: true
+ module: ejabberd_c2s
+ max_stanza_size: 262144
+ shaper: c2s_shaper
+ access: c2s
+ starttls_required: true
+ -
+ port: 5269
+ ip: "::"
+ module: ejabberd_s2s_in
+ max_stanza_size: 524288
+ -
+ port: 5443
+ ip: "::"
+ module: ejabberd_http
+ tls: true
+ request_handlers:
+ /admin: ejabberd_web_admin
+ /api: mod_http_api
+ /bosh: mod_bosh
+ /captcha: ejabberd_captcha
+ /upload: mod_http_upload
+ /ws: ejabberd_http_ws
+ -
+ port: 5280
+ ip: "::"
+ module: ejabberd_http
+ request_handlers:
+ /admin: ejabberd_web_admin
+ /.well-known/acme-challenge: ejabberd_acme
+ -
+ port: 3478
+ ip: "::"
+ transport: udp
+ module: ejabberd_stun
+ use_turn: true
+ ## The server's public IPv4 address:
+ # turn_ipv4_address: "203.0.113.3"
+ ## The server's public IPv6 address:
+ # turn_ipv6_address: "2001:db8::3"
+ -
+ port: 1883
+ ip: "::"
+ module: mod_mqtt
+ backlog: 1000
+
+s2s_use_starttls: optional
+
+acl:
+ local:
+ user_regexp: ""
+ loopback:
+ ip:
+ - 127.0.0.0/8
+ - ::1/128
+ acl:
+ admin:
+ user:
+ - "crash@crashoverburn.com"
+
+access_rules:
+ local:
+ allow: local
+ c2s:
+ deny: blocked
+ allow: all
+ announce:
+ allow: admin
+ configure:
+ allow: admin
+ muc_create:
+ allow: local
+ pubsub_createnode:
+ allow: local
+ trusted_network:
+ allow: loopback
+
+api_permissions:
+ "console commands":
+ from:
+ - ejabberd_ctl
+ who: all
+ what: "*"
+ "admin access":
+ who:
+ access:
+ allow:
+ - acl: loopback
+ - acl: admin
+ oauth:
+ scope: "ejabberd:admin"
+ access:
+ allow:
+ - acl: loopback
+ - acl: admin
+ what:
+ - "*"
+ - "!stop"
+ - "!start"
+ "public commands":
+ who:
+ ip: 127.0.0.1/8
+ what:
+ - status
+ - connected_users_number
+acme:
+ contact:"mailto:crash@crashoverburn.com"
+shaper:
+ normal:
+ rate: 3000
+ burst_size: 20000
+ fast: 100000
+
+shaper_rules:
+ max_user_sessions: 10
+ max_user_offline_messages:
+ 5000: admin
+ 100: all
+ c2s_shaper:
+ none: admin
+ normal: all
+ s2s_shaper: fast
+
+modules:
+ mod_adhoc: {}
+ mod_admin_extra: {}
+ mod_announce:
+ access: announce
+ mod_avatar: {}
+ mod_blocking: {}
+ mod_bosh: {}
+ mod_caps: {}
+ mod_carboncopy: {}
+ mod_client_state: {}
+ mod_configure: {}
+ mod_disco: {}
+ mod_fail2ban: {}
+ mod_http_api: {}
+ mod_http_upload:
+ put_url: https://@HOST@:5443/upload
+ custom_headers:
+ "Access-Control-Allow-Origin": "https://@HOST@"
+ "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
+ "Access-Control-Allow-Headers": "Content-Type"
+ mod_last: {}
+ mod_mam:
+ ## Mnesia is limited to 2GB, better to use an SQL backend
+ ## For small servers SQLite is a good fit and is very easy
+ ## to configure. Uncomment this when you have SQL configured:
+ ## db_type: sql
+ assume_mam_usage: true
+ default: always
+ mod_mqtt: {}
+ mod_muc:
+ access:
+ - allow
+ access_admin:
+ - allow: admin
+ access_create: muc_create
+ access_persistent: muc_create
+ access_mam:
+ - allow
+ default_room_options:
+ mam: true
+ mod_muc_admin: {}
+ mod_offline:
+ access_max_user_messages: max_user_offline_messages
+ mod_ping: {}
+ mod_privacy: {}
+ mod_private: {}
+ mod_proxy65:
+ access: local
+ max_connections: 5
+ mod_pubsub:
+ access_createnode: pubsub_createnode
+ plugins:
+ - flat
+ - pep
+ force_node_config:
+ ## Avoid buggy clients to make their bookmarks public
+ storage:bookmarks:
+ access_model: whitelist
+ mod_push: {}
+ mod_push_keepalive: {}
+ mod_register:
+ ## Only accept registration requests from the "trusted"
+ ## network (see access_rules section above).
+ ## Think twice before enabling registration from any
+ ## address. 
See the Jabber SPAM Manifesto for details:
+ ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
+ ip_access: trusted_network
+ mod_roster:
+ versioning: true
+ mod_s2s_dialback: {}
+ mod_shared_roster: {}
+ mod_stream_mgmt:
+ resend_on_timeout: if_offline
+ mod_stun_disco: {}
+ mod_vcard: {}
+ mod_vcard_xupdate: {}
+ mod_version:
+ show_os: false
+
+### Local Variables:
+### mode: yaml
+### End:
+### vim: set filetype=yaml tabstop=8
+
+ };
+ security.dhparams = {
+ enable = true;
+ params.nginx = { };
+ };
+ networking.firewall.allowedTCPPorts = [
+ 5222 # xmpp-client
+ 5269 # xmpp-server
+ 5280 # xmpp-bosh
+ 5443 # https
+ ];
+}
@@ -1,5 +1,5 @@ {
- description = "Cybertrike.org";
+ description = "Cybertrike.com"; inputs = { nixinate.url = "github:matthewcroughan/nixinate";
@@ -13,6 +1,7 @@ let pkgs = nixpkgs.legacyPackages.x86_64-linux; webroot = "${self}/webroot";
+ fqdn = "crashoverburn.com"; in { formatter.x86_64-linux = pkgs.nixpkgs-fmt; 
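Review bot: The generated ejabberd.yml in this hunk will not load as written: the `hosts` entry `- "crashoverburn.com` is missing its closing quote (a double-quoted YAML scalar runs on until the next `"`), and `contact:"mailto:crash@crashoverburn.com"` under `acme` has no space after the colon, so it parses as one scalar rather than a key; the fix is `- "crashoverburn.com"` and `contact: "mailto:crash@crashoverburn.com"`. Indentation is not recoverable in this rendering, but the second `acl:` key that appears before `admin:` is either a duplicate top-level key (which would replace the `local`/`loopback` entries) or a stray nesting level, and `admin:` should sit directly under the first `acl:`. On the security side, `/admin: ejabberd_web_admin` is served on the plaintext 5280 listener that `networking.firewall.allowedTCPPorts` opens to the world (the `# xmpp-bosh` comment there is stale, `/bosh` lives on 5443), so web-admin logins would cross the network unencrypted; dropping `/admin` from the 5280 `request_handlers` and keeping only `/.well-known/acme-challenge` there, with admin on the TLS 5443 listener, closes that. The closing `''` of the `text` string is not visible between `### vim: set filetype=yaml tabstop=8` and `};` in the hunk as rendered; that may be an extraction artifact, but it is worth confirming the file evaluates.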
@@ -54,53 +55,56 @@ tmux attach-session -t $session''; }; nixosConfigurations = { - crash-over-burn-1 = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - simple-nixos-mailserver.nixosModule - { - mailserver = { - fqdn = "mail.crashoverburn.com"; - domains = [ "mail.crashoverburn.com" "crashoverburn.com" ]; - enable = true; - # A list of all login accounts. To create the password hashes, use - # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' - loginAccounts = { - "crash@crashoverburn.com" = { - hashedPasswordFile = "${self}/password.file"; - aliases = [ "postmaster@mail.cybertrike.org" "overburn@cybertrike.org"]; + crash-over-burn-1 = + nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + simple-nixos-mailserver.nixosModule + { + mailserver = { + fqdn = "mail.crashoverburn.com"; + domains = [ "mail.crashoverburn.com" "crashoverburn.com" ]; + enable = true; + # A list of all login accounts. To create the password hashes, use + # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt' + loginAccounts = { + "crash@crashoverburn.com" = { + hashedPasswordFile = "${self}/password.file"; + aliases = [ "postmaster@mail.crashoverburn.com" "overburn@crashoverburn.com" ]; + }; }; + certificateScheme = "acme-nginx"; }; - certificateScheme = "acme-nginx"; - }; - } - agenix.nixosModules.default - ./openstack.nix - (import ./website.nix { inherit webroot; }) - ./commander.nix - { + } + agenix.nixosModules.default + ./openstack.nix + (import ./website.nix { inherit webroot; }) + (import ./ejabberd.nix { inherit fqdn; }) + ./commander.nix + { + networking.hostName = "crashoverburn"; security.acme = { - acceptTerms = true; - defaults.email = "security@mail.cybertrike.org"; + acceptTerms = true; + defaults.email = "postmaster@mail.crashoverburn.com"; }; - environment.systemPackages = [ - pkgs.btop - pkgs.tmux - pkgs.neovim - ]; - imports = [ - "${nixpkgs}/nixos/modules/virtualisation/openstack-config.nix" - ]; - _module.args.nixinate = { - host = 
"193.16.42.36"; - sshUser = "commander"; - substituteOnTarget = true; - hermetic = true; - buildOn = "local"; - }; - } - ]; - }; + environment.systemPackages = [ + pkgs.btop + pkgs.tmux + pkgs.neovim + ]; + imports = [ + "${nixpkgs}/nixos/modules/virtualisation/openstack-config.nix" + ]; + _module.args.nixinate = { + host = "193.16.42.36"; + sshUser = "commander"; + substituteOnTarget = true; + hermetic = true; + buildOn = "local"; + }; + } + ]; + }; }; }; } diff --git a/password.file b/password.file new file mode 100644 index 0000000..04af523 --- /dev/null +++ b/password.file @@ -0,0 +1 @@ +$2b$05$NfG3m1y.b5GIqQDnpCaB1eOmwu311teMOjC9KQUKTnivOlsLnzs.C
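Review bot: `hashedPasswordFile = "${self}/password.file"` in this hunk points at the bcrypt hash that the new `password.file` hunk commits to the repository, and interpolating `${self}` copies that file into the world-readable Nix store on the target, so the mail account's hash ends up both in git history and readable by any local user on the host. Since `agenix.nixosModules.default` is already in `modules`, an age-encrypted secret (`hashedPasswordFile = config.age.secrets.<name>.path;`, with `<name>` being whatever the secret is called) would keep it out of both, and the hash that was committed should be regenerated once it is moved. This hunk also mixes the re-indentation of the whole `nixosSystem` block with the functional changes (the `aliases` domain fix, the new `ejabberd.nix` import, `networking.hostName`, the ACME email), which hides them; running the flake's declared `nixpkgs-fmt` formatter in a separate commit would keep the diff reviewable. The enclosing `outputs` function and the `nixosConfigurations` attribute set begin outside the hunk.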
\ No newline at end of file
diff --git a/website.nix b/website.nix
index fe61856..1936574 100644
--- a/website.nix
+++ b/website.nix
@@ -1,34 +1,34 @@
-{ webroot }:{ config, lib, pkgs, ... }:
+{ webroot }: { config, lib, pkgs, ... }:
 {
- services.nginx.enable = true;
- services.nginx.virtualHosts."crash-over-burn.com" = {
- addSSL = true;
- enableACME = true;
- root = webroot;
- };
- services.nginx.virtualHosts."crash-over-burn.site" = {
- addSSL = true;
- enableACME = true;
- root = webroot;
- };
- services.nginx.virtualHosts."crash-over-burn.online" = {
- addSSL = true;
- enableACME = true;
- root = webroot;
- };
- services.nginx.virtualHosts."crashoverburn.com" = {
- addSSL = true;
- enableACME = true;
- root = webroot;
- };
- services.nginx.virtualHosts."crashoverburn.site" = {
- addSSL = true;
- enableACME = true;
- root = webroot;
- };
- services.nginx.virtualHosts."crashoverburn.online" = {
- addSSL = true;
- enableACME = true;
- root = webroot;
- };
-}
\ No newline at end of file
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."crash-over-burn.com" = {
+ addSSL = true;
+ enableACME = true;
+ root = webroot;
+ };
+ services.nginx.virtualHosts."crash-over-burn.site" = {
+ addSSL = true;
+ enableACME = true;
+ root = webroot;
+ };
+ services.nginx.virtualHosts."crash-over-burn.online" = {
+ addSSL = true;
+ enableACME = true;
+ root = webroot;
+ };
+ services.nginx.virtualHosts."crashoverburn.com" = {
+ addSSL = true;
+ enableACME = true;
+ root = webroot;
+ };
+ services.nginx.virtualHosts."crashoverburn.site" = {
+ addSSL = true;
+ enableACME = true;
+ root = webroot;
+ };
+ services.nginx.virtualHosts."crashoverburn.online" = {
+ addSSL = true;
+ enableACME = true;
+ root = webroot;
+ };
+} |
