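{ pkgs, lib, config, ... }:
# Prosody XMPP server for distrust.network: LDAP authentication, ACME
# certificates shared with Caddy, a MUC component and an HTTP file-share
# component.
let
  # Caddyfile snippet that answers HTTP-01 challenges from the ACME webroot.
  # `handle /.well-known/*` limits what is exposed to that prefix; the two
  # directives must stay on separate lines.
  acmeWellKnown = ''
    handle /.well-known/* {
      root * /var/lib/acme/
      file_server
    }
  '';
in
{
  # LDAP bind password, decrypted by agenix at activation time.  Prosody
  # reads it at runtime from extraConfig below, so the decrypted file must
  # be readable by the `prosody` service user.
  age.secrets."bind_pw" = {
    file = ../secrets/bind_pw;
    owner = "prosody";
  };

  services.prosody = {
    enable = true;
    # mod_auth_ldap needs the lualdap binding, which the stock package does
    # not ship; `p` is the Lua package set handed in by the override.
    package = pkgs.prosody.override {
      withExtraLuaPackages = p: with p.luaPackages; [ lualdap ];
    };
    admins = [ "root@distrust.network" ];

    # Certificate files are issued by security.acme below; the cert's
    # postRun makes them readable by the prosody group.
    ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
    ssl.key = "/var/lib/acme/distrust.network/key.pem";
    virtualHosts."distrust.network" = {
      enabled = true;
      domain = "distrust.network";
      ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
      ssl.key = "/var/lib/acme/distrust.network/key.pem";
    };

    muc = [ { domain = "conference.distrust.network"; } ];
    httpFileShare = {
      domain = "upload.distrust.network";
      path = "/var/lib/prosody";
    };

    # Verbatim Lua appended to prosody.cfg.lua.  That file ends up in the
    # Nix store, which is world-readable: the bind password is therefore
    # read by Prosody when the config loads instead of being interpolated
    # with builtins.readFile at evaluation time (which would copy the secret
    # into /nix/store).
    extraConfig = ''
      authentication = "ldap"
      ldap_base = "ou=people,dc=distrust,dc=network"
      ldap_server = "localhost:3890"
      ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network"
      -- First line of the agenix-provisioned secret, without the trailing
      -- newline.  NOTE(review): relies on the Lua `io` library being
      -- reachable from Prosody's config environment -- confirm on the
      -- deployed Prosody version.
      ldap_password = assert(io.open("${config.age.secrets."bind_pw".path}", "r")):read("*l")
    '';
  };

  security.acme = {
    defaults = {
      email = "root@distrust.network";
      # HTTP-01 challenges are served by Caddy out of this directory
      # (see services.caddy below).
      webroot = "/var/lib/acme";
    };
    acceptTerms = true;
    certs."distrust.network" = {
      extraDomainNames = [
        "upload.distrust.network"
        "conference.distrust.network"
      ];
      # Runs after every (re)issuance so the renewed key and chain are
      # readable by the prosody group.  NOTE(review): 770 also grants
      # group write; the cert's `group` option is the narrower way to
      # share the files if the module version in use supports it.
      postRun = ''
        chmod -R 770 /var/lib/acme/distrust.network
        chown -R acme:prosody /var/lib/acme/distrust.network
      '';
    };
  };

  # EDNS disabled in resolv.conf; presumably a workaround for a resolver
  # that mishandles large responses -- the reason is not recorded here.
  networking.resolvconf.dnsExtensionMechanism = false;

  # 5222 c2s, 5269 s2s, 5281 https; 5000 is presumably the proxy65 port --
  # confirm it is still needed now that httpFileShare is enabled.
  networking.firewall.allowedTCPPorts = [ 5222 5269 5281 5000 ];

  # Caddy needs the acme group to serve the webroot; prosody needs it to
  # read the issued certificates.
  systemd.services.caddy.serviceConfig.SupplementaryGroups = [ "acme" ];
  systemd.services.prosody = {
    # Stale ordering hints: the unit name refers to chat.distrust.network,
    # which does not match the "distrust.network" cert configured above.
    # requires = [ "acme-order-renew-chat.distrust.network.service" ];
    # after = [ "acme-order-renew-chat.distrust.network.service" ];
    serviceConfig.SupplementaryGroups = [ "acme" ];
  };

  services.caddy.virtualHosts = {
    "distrust.network".extraConfig = acmeWellKnown;
    "conference.distrust.network upload.distrust.network".extraConfig = acmeWellKnown;
  };
}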