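# NixOS module: Prosody XMPP for distrust.network, authenticating against a
# local LDAP directory, using TLS material from the system ACME client, with
# Caddy serving the HTTP-01 challenge path for the same hostnames.
{ pkgs, config, ... }:
let
  fqdn = "distrust.network";
  # Directory the NixOS ACME module populates for the certificate named below.
  certDir = "/var/lib/acme/${fqdn}";

  # Caddy snippet shared by every vhost that must answer HTTP-01 challenges.
  # Only the /.well-known/* prefix is handled, rooted at the ACME webroot, so
  # the per-certificate directories under /var/lib/acme are not exposed here.
  wellKnownHandler = ''
    handle /.well-known/* {
      root * /var/lib/acme/
      file_server
    }
  '';
in
{
  # LDAP bind password, decrypted by agenix at activation time. It reaches
  # prosody only through EnvironmentFile (see systemd.services below), so the
  # secret itself never enters the Nix store.
  age.secrets."prosody.env".file = ../secrets/prosody.env;

  services = {
    prosody = {
      enable = true;
      # lualdap is needed by the "ldap" authentication provider selected in extraConfig.
      package = pkgs.prosody.override {
        withExtraLuaPackages = p: with p.luaPackages; [ lualdap ];
      };
      admins = [ "root@${fqdn}" ];

      ssl.cert = "${certDir}/fullchain.pem";
      ssl.key = "${certDir}/key.pem";

      virtualHosts.${fqdn} = {
        enabled = true;
        domain = fqdn;
        ssl.cert = "${certDir}/fullchain.pem";
        ssl.key = "${certDir}/key.pem";
      };

      muc = [ { domain = "conference.${fqdn}"; } ];

      httpFileShare = {
        domain = "upload.${fqdn}";
        path = "/var/lib/prosody";
      };

      # Plain LDAP over loopback; the bind password is taken from the process
      # environment (populated from the agenix secret), not written into this
      # configuration text.
      extraConfig = ''
        authentication = "ldap"
        ldap_base = "ou=people,dc=distrust,dc=network"
        ldap_server = "localhost:3890"
        ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network"
        ldap_password = os.getenv("LDAP_BIND_PASSWORD")
      '';
    };

    # Both Caddy site blocks serve the ACME webroot for the hostnames covered by
    # the certificate below (the second key is a single Caddy site address that
    # names two hosts).
    caddy.virtualHosts.${fqdn}.extraConfig = wellKnownHandler;
    caddy.virtualHosts."conference.${fqdn} upload.${fqdn}".extraConfig = wellKnownHandler;
  };

  security.acme = {
    defaults = {
      email = "root@${fqdn}";
      # Shared with Caddy, which serves it via the handler above.
      webroot = "/var/lib/acme";
    };
    acceptTerms = true;

    certs.${fqdn} = {
      extraDomainNames = [
        "upload.${fqdn}"
        "conference.${fqdn}"
      ];
      # Hand the renewed material to the prosody group read-only: directory
      # 750, files 640. The previous recursive 770 also gave the group write
      # access to key.pem, i.e. anything running in the prosody group could
      # replace the private key. (The ACME module's per-certificate `group`
      # option is the declarative alternative to this hook.)
      postRun = ''
        chown -R acme:prosody ${certDir}
        find ${certDir} -type d -exec chmod 750 {} +
        find ${certDir} -type f -exec chmod 640 {} +
      '';
    };
  };

  networking.resolvconf.dnsExtensionMechanism = false;

  # 5222 c2s, 5269 s2s, 5281 Prosody HTTPS (file share). 5000 is Prosody's
  # default proxy65 port, but no proxy65 module is configured in this file —
  # confirm it is still needed before keeping it open.
  networking.firewall.allowedTCPPorts = [ 5222 5269 5281 5000 ];

  systemd.services = {
    # Caddy needs to traverse /var/lib/acme to serve challenge files.
    caddy.serviceConfig.SupplementaryGroups = [ "acme" ];
    prosody.serviceConfig = {
      # Lets prosody traverse /var/lib/acme down to its (prosody-group) cert dir.
      SupplementaryGroups = [ "acme" ];
      # Provides LDAP_BIND_PASSWORD to the ldap authentication provider.
      EnvironmentFile = config.age.secrets."prosody.env".path;
    };
  };
}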