flake/services/prosody.nix

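{
  pkgs,
  config,
  ...
}: {
  # LDAP bind password for prosody. agenix decrypts it at activation time and
  # the file is handed to the prosody unit via EnvironmentFile (see
  # systemd.services.prosody below), so the secret never ends up in the
  # world-readable Nix store the way builtins.readFile would put it there.
  age.secrets."prosody.env".file = ../secrets/prosody.env;

  services = {
    prosody = {
      # lualdap is required by the "ldap" authentication provider selected in
      # extraConfig.
      package = pkgs.prosody.override {
        withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap];
      };
      enable = true;
      admins = ["root@distrust.network"];
      # Single certificate issued by security.acme below; it carries the MUC and
      # upload hostnames as SANs, so the one cert covers all three virtual hosts.
      ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
      ssl.key = "/var/lib/acme/distrust.network/key.pem";
      virtualHosts."distrust.network" = {
        enabled = true;
        domain = "distrust.network";
        ssl.cert = "/var/lib/acme/distrust.network/fullchain.pem";
        ssl.key = "/var/lib/acme/distrust.network/key.pem";
      };
      muc = [{domain = "conference.distrust.network";}];
      httpFileShare = {
        domain = "upload.distrust.network";
        # NOTE(review): user uploads land directly in prosody's data root, next
        # to account/roster data and inside the borg backup set; a dedicated
        # subdirectory would keep untrusted user content apart from state.
        path = "/var/lib/prosody";
      };
      # Authentication is delegated to the LDAP server on loopback (port 3890).
      # Plain LDAP is acceptable only because it never leaves the host; do not
      # point ldap_server at a remote host without TLS. The bind password is
      # read from the unit environment rather than embedded in the config.
      extraConfig = ''
        authentication = "ldap"
        ldap_base = "ou=people,dc=distrust,dc=network"
        ldap_server = "localhost:3890"
        ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network"
        ldap_password = os.getenv("LDAP_BIND_PASSWORD")
      '';
    };

    # Caddy owns :80 on this host, so it has to answer the HTTP-01 challenges
    # for prosody's certificate. The `handle /.well-known/*` matcher limits
    # file_server to that subtree of the ACME webroot; Caddy cleans request
    # paths before matching, so the per-certificate directories (and the private
    # key) under /var/lib/acme are not reachable through these routes.
    caddy.virtualHosts = {
      "distrust.network".extraConfig = ''
        handle /.well-known/* {
          root * /var/lib/acme/
          file_server
        }
      '';
      "conference.distrust.network upload.distrust.network".extraConfig = ''
        handle /.well-known/* {
          root * /var/lib/acme/
          file_server
        }
      '';
    };

    borgbackup.jobs."prosody" = {
      repo = config.distrust.backups.borgRepository + "/./prosody";
      environment = {
        # accept-new records the backup host's key on first contact and refuses
        # a changed key afterwards. The previous `StrictHostKeyChecking=no`
        # accepted any host key on every run, leaving the backup stream open to
        # an active MITM. A pre-provisioned known_hosts entry
        # (-o UserKnownHostsFile=...) would remove the trust-on-first-use gap too.
        BORG_RSH = "ssh -i ${config.distrust.backups.borgSSHKey} -o 'StrictHostKeyChecking=accept-new'";
      };
      paths = [
        "/var/lib/prosody"
      ];
      encryption = {
        # keyfile mode keeps the repository key on this host (not in the repo):
        # back the keyfile up separately or the archives are unrecoverable if
        # this machine is lost.
        mode = "keyfile";
        passCommand = config.distrust.backups.borgPassCommand;
      };
      compression = "auto,lzma";
      startAt = "daily";
      prune.keep = {
        daily = 7;
        weekly = 4;
        monthly = -1; # keep every monthly archive
      };
    };
  };

  security.acme = {
    defaults = {
      email = "root@distrust.network";
      # Challenge files are written here and served by the caddy routes above.
      webroot = "/var/lib/acme";
    };
    acceptTerms = true;
    certs = {
      "distrust.network" = {
        extraDomainNames = [
          "upload.distrust.network"
          "conference.distrust.network"
        ];
        # Let the ACME module hand the certificate directory to prosody's group
        # itself (group-readable, not group-writable) instead of the previous
        # postRun `chmod -R 770`, which left key.pem writable and executable by
        # every member of the prosody group.
        group = "prosody";
        # NOTE(review): prosody only picks up a renewed certificate on
        # reload/restart; consider a postRun that reloads prosody.service once
        # the unit's reload behaviour has been confirmed.
      };
    };
  };

  networking = {
    # EDNS0 in resolv.conf can mess with prosody's DNS resolution, so we disable it
    resolvconf.dnsExtensionMechanism = false;
    # 5222 c2s, 5269 s2s, 5281 prosody HTTPS (uploads). Plain-HTTP 5280 is
    # deliberately not exposed. 5000 is prosody's default mod_proxy65 port
    # (SOCKS5 bytestreams) — drop it if proxy65 is not enabled on this host.
    firewall.allowedTCPPorts = [5222 5269 5281 5000];
  };

  systemd.services = {
    # caddy needs to read the challenge files lego drops into the ACME webroot.
    caddy.serviceConfig.SupplementaryGroups = ["acme"];
    prosody.serviceConfig = {
      # Lets prosody traverse /var/lib/acme to reach its certificate directory.
      SupplementaryGroups = ["acme"];
      # systemd reads EnvironmentFile as root before dropping privileges, so the
      # decrypted secret can stay root-only on disk while LDAP_BIND_PASSWORD is
      # still visible to os.getenv in extraConfig above.
      EnvironmentFile = config.age.secrets."prosody.env".path;
    };
  };
}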