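# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
#
# SPDX-License-Identifier: Apache-2.0

# NixOS module for the "bvm-prosody" VM: a public Prosody XMPP server plus a
# coturn STUN/TURN relay. TLS material for both daemons is issued through the
# vault-backed ACME helper (my.vault.acmeCertificates) and the TURN shared
# secret is rendered from Vault KV into two files with different group
# ownership so each service can read only its own copy.
{ config, depot, pkgs, ... }:
{
  imports = [
    ../lib/bvm.nix
  ];

  # Networking!
  networking = {
    hostName = "bvm-prosody";
    hostId = "5c62ee63";
    # Internal network.
    interfaces.enp1s0 = {
      ipv4.addresses = [{ address = "10.100.0.202"; prefixLength = 23; }];
    };
    # Public-facing interface (v4 + v6); both default routes go out here.
    interfaces.enp6s0 = {
      ipv4.addresses = [{ address = "92.118.28.3"; prefixLength = 24; }];
      ipv6.addresses = [{ address = "2a09:a441::3"; prefixLength = 32; }];
    };
    defaultGateway = { address = "92.118.28.1"; interface = "enp6s0"; };
    defaultGateway6 = { address = "2a09:a441::1"; interface = "enp6s0"; };

    # 3478: STUN/TURN control port (coturn listens on UDP and TCP).
    firewall.allowedUDPPorts = [ 3478 ];
    # Relayed media: coturn binds a UDP port from its relay range for every
    # allocation. If the range stays closed, peer-to-relay packets are only
    # admitted once conntrack has seen an outbound packet to that peer, so
    # relayed calls can be flaky depending on which side sends first.
    firewall.allowedUDPPortRanges = [
      { from = config.services.coturn.min-port; to = config.services.coturn.max-port; }
    ];
    # 5222/5223: c2s (STARTTLS / direct TLS, see legacy_ssl_ports below);
    # 5269: s2s; 5280/5281: prosody HTTP/HTTPS (upload component);
    # 3478: TURN over TCP.
    # NOTE(review): 5280 is presumably prosody's cleartext HTTP listener;
    # exposing it publicly lets upload/BOSH traffic travel unencrypted.
    # Confirm it is needed alongside 5281. 80/443 and 5298 are not
    # accounted for by anything in this file — presumably handled by the
    # imported ../lib/bvm.nix; verify.
    # NOTE(review): coturn is given a cert/pkey below but its TLS listening
    # port is not opened here, and external_services only advertises
    # UDP 3478, so TURNS is currently not reachable — confirm that is intended.
    firewall.allowedTCPPorts = [ 80 443 3478 5280 5281 5222 5223 5269 5298 ];
  };
  my.ip.tailscale = "100.86.22.44";

  services.coturn = {
    enable = true;
    # Time-limited credentials derived from a shared secret (RFC 8489-style
    # TURN REST auth); prosody derives matching credentials from the same
    # Vault value via mod_external_services.
    use-auth-secret = true;
    realm = "turn.lukegb.com";
    static-auth-secret-file = config.my.vault.secrets.turn.path;
    cert = "/var/lib/acme/turn.lukegb.com/fullchain.pem";
    pkey = "/var/lib/acme/turn.lukegb.com/privkey.pem";
    # Hardening: every account on lukegb.com receives TURN credentials, and
    # this host sits on a private network (enp1s0, 10.100.0.0/23) and has a
    # tailscale address. Refuse relay allocations whose peer is in a private,
    # loopback, link-local or CGNAT range so the relay cannot be used to
    # reach anything behind the public interface. Multicast peers are never
    # legitimate for a call.
    extraConfig = ''
      no-multicast-peers
      denied-peer-ip=0.0.0.0-0.255.255.255
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=100.64.0.0-100.127.255.255
      denied-peer-ip=127.0.0.0-127.255.255.255
      denied-peer-ip=169.254.0.0-169.254.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=::1
      denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
    '';
  };

  # The same Vault KV value is rendered twice on purpose: one copy readable
  # by coturn's group, one by prosody's, so neither daemon needs access to
  # the other's secret file. Each rotation restarts only the consuming unit.
  my.vault.secrets.turn = {
    restartUnits = ["coturn.service"];
    group = "turnserver";
    template = ''
      {{- with secret "kv/apps/turn" -}}
      {{ .Data.data.secret }}
      {{- end -}}
    '';
  };
  my.vault.secrets.turn-prosody = {
    restartUnits = ["prosody.service"];
    group = "prosody";
    template = ''
      {{- with secret "kv/apps/turn" -}}
      {{ .Data.data.secret }}
      {{- end -}}
    '';
  };

  services.prosody = {
    enable = true;
    admins = [
      "admin@lukegb.com"
      "lukegb@lukegb.com"
    ];
    # mod_external_services (XEP-0215) advertises the STUN/TURN relay to
    # clients, including per-user credentials derived from turn_secret.
    package = pkgs.prosody.override {
      withCommunityModules = [ "external_services" ];
    };
    virtualHosts."lukegb.com" = {
      enabled = true;
      domain = "lukegb.com";
      ssl.cert = "/var/lib/acme/xmpp.lukegb.com/fullchain.pem";
      ssl.key = "/var/lib/acme/xmpp.lukegb.com/privkey.pem";
    };
    muc = [{
      domain = "muc.xmpp.lukegb.com";
    }];
    uploadHttp = {
      domain = "upload.xmpp.lukegb.com";
    };
    ssl.cert = "/var/lib/acme/xmpp.lukegb.com/fullchain.pem";
    ssl.key = "/var/lib/acme/xmpp.lukegb.com/privkey.pem";
    # Raw Lua appended to prosody.cfg.lua. The TURN secret is read at config
    # load time from the vault-rendered file rather than being embedded in
    # the (world-readable) Nix store; proxy65 is restricted to local users.
    extraConfig = ''
      archive_expires_after = "never" -- keep messages forever

      proxy65_address = "xmpp.lukegb.com"
      proxy65_acl = { "lukegb.com" }

      component_ports = { 5347 }
      component_interface = { "127.0.0.1", "::1" }

      legacy_ssl_ports = { 5223 }

      local turn_secret_file = io.open("${config.my.vault.secrets.turn-prosody.path}", "r")
      local turn_secret = turn_secret_file:read()
      turn_secret_file:close()

      external_services = {
        {
          type = "stun",
          transport = "udp",
          host = "turn.lukegb.com",
          port = 3478,
        },
        {
          type = "turn",
          transport = "udp",
          host = "turn.lukegb.com",
          port = 3478,
          secret = turn_secret,
        }
      }
    '';
  };

  # Certificates are owned by the consuming daemon's group so each service
  # can read only its own key material.
  my.vault.acmeCertificates = {
    "xmpp.lukegb.com" = {
      group = "prosody";
      hostnames = [
        "xmpp.lukegb.com"
        "*.xmpp.lukegb.com"
        "lukegb.com"
      ];
      reloadOrRestartUnits = [ "prosody.service" ];
    };
    "turn.lukegb.com" = {
      group = "turnserver";
      hostnames = [
        "turn.lukegb.com"
      ];
      reloadOrRestartUnits = [ "coturn.service" ];
    };
  };

  system.stateVersion = "21.05";
}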