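{
  pkgs,
  config,
  ...
}: let
  # Directory NixOS' ACME module populates for the "distrust.network" cert.
  certDir = "/var/lib/acme/distrust.network";

  # HTTP-01 challenge passthrough shared by every Caddy vhost on this box.
  # Scoped to /.well-known/acme-challenge/ (where the ACME client writes its
  # tokens under the webroot) instead of all of /.well-known/, so nothing
  # else that may live under the webroot is served to the public.
  acmeChallengeHandler = ''
    handle /.well-known/acme-challenge/* {
      root * /var/lib/acme/
      file_server
    }
  '';
in {
  # agenix-managed env file holding LDAP_BIND_PASSWORD; it reaches the
  # prosody unit through EnvironmentFile (see systemd.services below).
  age.secrets."prosody.env".file = ../secrets/prosody.env;

  services = {
    prosody = {
      # lualdap is required by mod_auth_ldap (authentication = "ldap" below).
      package = pkgs.prosody.override {
        withExtraLuaPackages = pkgs: with pkgs.luaPackages; [lualdap];
      };
      enable = true;
      admins = ["root@distrust.network"];
      ssl.cert = "${certDir}/fullchain.pem";
      ssl.key = "${certDir}/key.pem";

      virtualHosts."distrust.network" = {
        enabled = true;
        domain = "distrust.network";
        ssl.cert = "${certDir}/fullchain.pem";
        ssl.key = "${certDir}/key.pem";
      };

      muc = [{domain = "conference.distrust.network";}];

      httpFileShare = {
        domain = "upload.distrust.network";
        path = "/var/lib/prosody";
      };

      # Prosody's config is Lua, so the bind password is pulled from the
      # unit environment at load time rather than written into the Nix store.
      # The LDAP connection goes to a local port; whether that hop is
      # TLS-protected depends on what listens on 3890 (not visible here).
      extraConfig = ''
        authentication = "ldap"
        ldap_base = "ou=people,dc=distrust,dc=network"
        ldap_server = "localhost:3890"
        ldap_rootdn = "uid=bind,ou=people,dc=distrust,dc=network"
        ldap_password = os.getenv("LDAP_BIND_PASSWORD")
      '';
    };

    caddy.virtualHosts."distrust.network".extraConfig = acmeChallengeHandler;
    caddy.virtualHosts."conference.distrust.network upload.distrust.network".extraConfig = acmeChallengeHandler;

    borgbackup.jobs."prosody" = {
      repo = "ssh://u506783@u506783.your-storagebox.de:23/./prosody";
      environment = {
        # accept-new records the storage box's host key on first contact and
        # refuses later mismatches; the original "no" accepted any key on
        # every run. Pinning the provider's published key in known_hosts
        # (e.g. via programs.ssh.knownHosts) would remove the first-use trust.
        BORG_RSH = "ssh -i ${config.age.secrets."borg_ed25519".path} -o 'StrictHostKeyChecking=accept-new'";
      };
      paths = [
        "/var/lib/prosody"
      ];
      encryption = {
        mode = "keyfile";
        passCommand = "cat ${config.age.secrets."borg_pass".path}";
      };
      compression = "auto,lzma";
      startAt = "daily";
      prune.keep = {
        daily = 7;
        weekly = 4;
        monthly = -1;
      };
    };
  };

  security.acme = {
    defaults = {
      email = "root@distrust.network";
      webroot = "/var/lib/acme";
    };
    acceptTerms = true;
    certs = {
      "distrust.network" = {
        extraDomainNames = [
          "upload.distrust.network"
          "conference.distrust.network"
        ];
        # Hand the cert to the prosody group read-only. The previous 770 made
        # the private key group-writable, which prosody never needs; u=rwX,g=rX
        # keeps execute bits only on directories. The module's `group` option
        # is the supported alternative to doing this in postRun.
        postRun = ''
          chmod -R u=rwX,g=rX,o= ${certDir}
          chown -R acme:prosody ${certDir}
        '';
      };
    };
  };

  # Presumably a resolver workaround (disables EDNS); reason not recorded here.
  networking.resolvconf.dnsExtensionMechanism = false;
  # 5222 c2s, 5269 s2s, 5281 HTTPS; 5000 is not tied to an option above
  # (looks like a SOCKS5 bytestream proxy port — confirm before keeping it).
  networking.firewall.allowedTCPPorts = [5222 5269 5281 5000];

  systemd.services = {
    # Both daemons must traverse /var/lib/acme (owned by acme) to reach the
    # challenge webroot and the cert directory respectively.
    caddy.serviceConfig.SupplementaryGroups = ["acme"];
    prosody.serviceConfig = {
      SupplementaryGroups = ["acme"];
      EnvironmentFile = config.age.secrets."prosody.env".path;
    };
  };
}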