diff --git a/ops/nixos/bvm-prosody/default.nix b/ops/nixos/bvm-prosody/default.nix
index de0d00e47a..449e763306 100644
--- a/ops/nixos/bvm-prosody/default.nix
+++ b/ops/nixos/bvm-prosody/default.nix
@@ -2,7 +2,7 @@
 #
 # SPDX-License-Identifier: Apache-2.0
-{ depot, ... }:
+{ config, depot, pkgs, ... }:
 let
 inherit (depot.ops) secrets;
 machineSecrets = secrets.machineSpecific.bvm-prosody;
@@ -25,6 +25,9 @@ in {
 };
 defaultGateway = { address = "92.118.28.1"; interface = "enp6s0"; };
 defaultGateway6 = { address = "2a09:a441::1"; interface = "enp6s0"; };
+
+ firewall.allowedUDPPorts = [ 3478 ];
+ firewall.allowedTCPPorts = [ 80 443 3478 5280 5281 5222 5223 5269 5298 ];
 };
 my.ip.tailscale = "100.86.22.44";
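Review bot: `firewall.allowedTCPPorts` in the second hunk opens 5280, which is Prosody's plain-HTTP listener (BOSH/WebSocket/HTTP upload in cleartext), so clients get an unencrypted path alongside 5281; unless something outside this hunk binds it to loopback it should be dropped, and 5298 (the XMPP link-local/serverless-messaging port, not something Prosody serves on a public host) can go with it: `firewall.allowedTCPPorts = [ 80 443 3478 5281 5222 5223 5269 ];`. The UDP side opens only 3478, but coturn relays allocations on its relay port range rather than on 3478, so if the coturn block (which starts above this hunk) relies on the default or a configured min-port/max-port, that range will likely need `firewall.allowedUDPPortRanges` for inbound peer traffic to reach the relay. A comment naming what each port serves, e.g. `# 5222/5223 c2s, 5269 s2s, 5281 https (bosh/upload), 3478 stun/turn`, would make later audits of this list easier.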
@@ -33,6 +36,68 @@ in {
 use-auth-secret = true;
 realm = "turn.lukegb.com";
 static-auth-secret = machineSecrets.turnSecret;
+ cert = "${config.security.acme.certs."turn.lukegb.com".directory}/fullchain.pem";
+ pkey = "${config.security.acme.certs."turn.lukegb.com".directory}/key.pem";
+ };
+
+ services.prosody = {
+ enable = true;
+ admins = [ "admin@lukegb.com" "lukegb@lukegb.com" ];
+ package = pkgs.prosody.override {
+ withCommunityModules = [ "external_services" ];
+ };
+
+ virtualHosts."lukegb.com" = {
+ enabled = true;
+ domain = "lukegb.com";
+ ssl.cert = "${config.security.acme.certs."xmpp.lukegb.com".directory}/fullchain.pem";
+ ssl.key = "${config.security.acme.certs."xmpp.lukegb.com".directory}/key.pem";
+ };
+ muc = [{
+ domain = "muc.xmpp.lukegb.com";
+ }];
+ uploadHttp.domain = "upload.xmpp.lukegb.com";
+
+ extraConfig = ''
+ proxy65_address = "xmpp.lukegb.com"
+ proxy65_acl = { "lukegb.com" }
+
+ component_ports = { 5347 }
+ component_interface = { "127.0.0.1", "::1" }
+
+ legacy_ssl_ports = { 5223 }
+
+ external_services = {
+ {
+ type = "stun",
+ transport = "udp",
+ host = "turn.lukegb.com",
+ port = 3478,
+ }, {
+ type = "turn",
+ transport = "udp",
+ host = "turn.lukegb.com",
+ port = 3478,
+ secret = "${machineSecrets.turnSecret}",
+ }
+ }
+ '';
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ email = "letsencrypt@lukegb.com";
+ certs."xmpp.lukegb.com" = {
+ group = "prosody";
+ dnsProvider = "cloudflare";
+ credentialsFile = secrets.cloudflareCredentials;
+ extraDomainNames = [ "*.xmpp.lukegb.com" "lukegb.com" ];
+ };
+ certs."turn.lukegb.com" = {
+ group = "turnserver";
+ dnsProvider = "cloudflare";
+ credentialsFile = secrets.cloudflareCredentials;
+ };
+ };
 };
 system.stateVersion = "21.05";
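Review bot: `secret = "${machineSecrets.turnSecret}"` inside `extraConfig` interpolates the TURN shared secret into the Prosody configuration that the NixOS module renders into the world-readable Nix store, so any local user or anything that can read /nix/store learns the credential that authorises relay allocations on turn.lukegb.com; unless depot's secrets mechanism substitutes a placeholder at activation rather than the real value, this should not be a Nix string interpolation. One way to keep the advertisement without leaking the secret is to leave only the `stun` entry in `extraConfig`, write the `turn` entry to a root:prosody 0640 file under /run at activation, and pull it in with `Include "/run/prosody/turn.cfg.lua"` from `extraConfig`, with a comment explaining why the secret lives outside the store. The muc and upload components are given no `ssl` block here, so whether `muc.xmpp.lukegb.com` and `upload.xmpp.lukegb.com` are served with the `*.xmpp.lukegb.com` wildcard depends on Prosody's component certificate lookup; worth confirming with a TLS probe against those names rather than assuming. A short comment on `external_services` noting that TURN is advertised over UDP only, even though TCP 3478 is also opened, would save the next reader from wondering whether the TCP listener was meant to be advertised too.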