split!

2025-11-09 23:28:16 +00:00 · 2025-11-09 23:28:16 +00:00 · b9c6c1da6a
commit b9c6c1da6a
parent 68704bc88e
25 changed files with 87 additions and 6 deletions
--- a/services/distrust/prosody.nix
+++ b/services/distrust/prosody.nix
@ -0,0 +1,109 @@
+{
+  pkgs,
+  config,
+  ...
+}: {
+  age.secrets."prosody.env".file = ../secrets/prosody.env;
+
+  services = {
+    prosody = {
+      package = pkgs.prosody.override {
+        withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap];
+      };
+      enable = true;
+      admins = ["root@distrust.network"];
+      ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
+      ssl.key = "/var/lib/acme/distrust.network/key.pem";
+      virtualHosts."distrust.network" = {
+        enabled = true;
+        domain = "distrust.network";
+        ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
+        ssl.key = "/var/lib/acme/distrust.network/key.pem";
+      };
+      muc = [{domain = "conference.distrust.network";}];
+      httpFileShare = {
+        domain = "upload.distrust.network";
+        path = "/var/lib/prosody";
+      };
+      extraConfig = ''
+        authentication = "ldap"
+        ldap_base = "ou=people,dc=distrust,dc=network"
+        ldap_server = "localhost:3890"
+        ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network"
+        ldap_password = os.getenv("LDAP_BIND_PASSWORD")
+      '';
+    };
+
+    # Adjust caddy to serve the ACME challenges for prosody
+    caddy.virtualHosts = {
+      "distrust.network".extraConfig = ''
+        handle /.well-known/* {
+          root * /var/lib/acme/
+          file_server
+        }
+      '';
+      "conference.distrust.network upload.distrust.network".extraConfig = ''
+        handle /.well-known/* {
+          root * /var/lib/acme/
+          file_server
+        }
+      '';
+    };
+
+    borgbackup.jobs."prosody" = {
+      repo = config.distrust.backups.borgRepository + "/./prosody";
+      environment = {
+        BORG_RSH = "ssh -i ${config.distrust.backups.borgSSHKey} -o 'StrictHostKeyChecking=no'";
+      };
+      paths = [
+        "/var/lib/prosody"
+      ];
+      encryption = {
+        mode = "keyfile";
+        passCommand = config.distrust.backups.borgPassCommand;
+      };
+      compression = "auto,lzma";
+      startAt = "daily";
+      prune.keep = {
+        daily = 7;
+        weekly = 4;
+        monthly = -1;
+      };
+    };
+  };
+
+  security.acme = {
+    defaults = {
+      email = "root@distrust.network";
+      webroot = "/var/lib/acme";
+    };
+    acceptTerms = true;
+    certs = {
+      "distrust.network" = {
+        extraDomainNames = [
+          "upload.distrust.network"
+          "conference.distrust.network"
+        ];
+        postRun = ''
+          chmod -R 770 /var/lib/acme/distrust.network
+          chown -R acme:prosody /var/lib/acme/distrust.network
+        '';
+      };
+    };
+  };
+
+  networking = {
+    # This can mess with prosody's DNS resolution, so we disable it
+    resolvconf.dnsExtensionMechanism = false;
+    firewall.allowedTCPPorts = [5222 5269 5281 5000];
+  };
+
+  systemd.services = {
+    caddy.serviceConfig.SupplementaryGroups = ["acme"];
+    prosody.serviceConfig = {
+      SupplementaryGroups = ["acme"];
+      # Slightly hacky way to inject the LDAP password into prosody without builtins.readFile exposing it system-wide
+      EnvironmentFile = config.age.secrets."prosody.env".path;
+    };
+  };
+}