authortv <tv@krebsco.de>2016-02-21 06:05:49 +0100
committertv <tv@krebsco.de>2016-02-21 06:41:28 +0100
commit8a7e4b95c23c45b9d341f38b7bb96c3acfecff8a (patch)
tree48466c5a253154c985c88086e846789d95805fc6 /tv
parentd488e5fe7236a74ab63a21d97db10923482b18dd (diff)
tv.ejabberd: refactor
Diffstat (limited to 'tv')
-rw-r--r--tv/3modules/default.nix2
-rw-r--r--tv/3modules/ejabberd.nix173
-rw-r--r--tv/3modules/ejabberd/config.nix93
-rw-r--r--tv/3modules/ejabberd/default.nix76
4 files changed, 170 insertions, 174 deletions
diff --git a/tv/3modules/default.nix b/tv/3modules/default.nix
index f7889b245..22f3d8019 100644
--- a/tv/3modules/default.nix
+++ b/tv/3modules/default.nix
@@ -2,7 +2,7 @@ _:
{
imports = [
- ./ejabberd.nix
+ ./ejabberd
./iptables.nix
];
}
diff --git a/tv/3modules/ejabberd.nix b/tv/3modules/ejabberd.nix
deleted file mode 100644
index 7ecd0a87e..000000000
--- a/tv/3modules/ejabberd.nix
+++ /dev/null
@@ -1,173 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with config.krebs.lib;
-let
- cfg = config.tv.ejabberd;
-
- out = {
- options.tv.ejabberd = api;
- config = lib.mkIf cfg.enable imp;
- };
-
- api = {
- enable = mkEnableOption "tv.ejabberd";
-
- certfile = mkOption {
- type = types.secret-file;
- default = {
- path = "/etc/ejabberd/ejabberd.pem";
- owner-name = "ejabberd";
- source-path = toString <secrets> + "/ejabberd.pem";
- };
- };
- s2s_certfile = mkOption {
- type = types.secret-file;
- default = cfg.certfile;
- };
-
- hosts = mkOption {
- type = with types; listOf str;
- };
- };
-
- imp = {
- environment.systemPackages = [ my-ejabberdctl ];
-
- krebs.secret.files = {
- ejabberd-certfile = cfg.certfile;
- ejabberd-s2s_certfile = cfg.s2s_certfile;
- };
-
- systemd.services.ejabberd = {
- wantedBy = [ "multi-user.target" ];
- requires = [ "secret.service" ];
- after = [ "network.target" "secret.service" ];
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = "yes";
- PermissionsStartOnly = "true";
- SyslogIdentifier = "ejabberd";
- User = user.name;
- ExecStart = pkgs.writeDash "ejabberd" ''
- ${my-ejabberdctl}/bin/ejabberdctl start
- '';
- };
- };
-
- users.extraUsers = singleton {
- inherit (user) name uid;
- home = "/var/ejabberd";
- createHome = true;
- };
- };
-
- user = rec {
- name = "ejabberd";
- uid = genid name;
- };
-
- my-ejabberdctl = pkgs.writeScriptBin "ejabberdctl" ''
- #! /bin/sh
- set -euf
- exec env \
- SPOOLDIR=/var/ejabberd \
- EJABBERD_CONFIG_PATH=${config-file} \
- ${pkgs.ejabberd}/bin/ejabberdctl \
- --logs /var/ejabberd \
- "$@"
- '';
-
- config-file = pkgs.writeText "ejabberd.cfg" ''
- {loglevel, 3}.
- {hosts, ${toErlang cfg.hosts}}.
- {listen,
- [
- {5222, ejabberd_c2s, [
- starttls,
- {certfile, ${toErlang cfg.certfile.path}},
- {access, c2s},
- {shaper, c2s_shaper},
- {max_stanza_size, 65536}
- ]},
- {5269, ejabberd_s2s_in, [
- {shaper, s2s_shaper},
- {max_stanza_size, 131072}
- ]},
- {5280, ejabberd_http, [
- captcha,
- http_bind,
- http_poll,
- web_admin
- ]}
- ]}.
- {s2s_use_starttls, required}.
- {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}.
- {auth_method, internal}.
- {shaper, normal, {maxrate, 1000}}.
- {shaper, fast, {maxrate, 50000}}.
- {max_fsm_queue, 1000}.
- {acl, local, {user_regexp, ""}}.
- {access, max_user_sessions, [{10, all}]}.
- {access, max_user_offline_messages, [{5000, admin}, {100, all}]}.
- {access, local, [{allow, local}]}.
- {access, c2s, [{deny, blocked},
- {allow, all}]}.
- {access, c2s_shaper, [{none, admin},
- {normal, all}]}.
- {access, s2s_shaper, [{fast, all}]}.
- {access, announce, [{allow, admin}]}.
- {access, configure, [{allow, admin}]}.
- {access, muc_admin, [{allow, admin}]}.
- {access, muc_create, [{allow, local}]}.
- {access, muc, [{allow, all}]}.
- {access, pubsub_createnode, [{allow, local}]}.
- {access, register, [{allow, all}]}.
- {language, "en"}.
- {modules,
- [
- {mod_adhoc, []},
- {mod_announce, [{access, announce}]},
- {mod_blocking,[]},
- {mod_caps, []},
- {mod_configure,[]},
- {mod_disco, []},
- {mod_irc, []},
- {mod_http_bind, []},
- {mod_last, []},
- {mod_muc, [
- {access, muc},
- {access_create, muc_create},
- {access_persistent, muc_create},
- {access_admin, muc_admin}
- ]},
- {mod_offline, [{access_max_user_messages, max_user_offline_messages}]},
- {mod_ping, []},
- {mod_privacy, []},
- {mod_private, []},
- {mod_pubsub, [
- {access_createnode, pubsub_createnode},
- {ignore_pep_from_offline, true},
- {last_item_cache, false},
- {plugins, ["flat", "hometree", "pep"]}
- ]},
- {mod_register, [
- {welcome_message, {"Welcome!",
- "Hi.\nWelcome to this XMPP server."}},
- {ip_access, [{allow, "127.0.0.0/8"},
- {deny, "0.0.0.0/0"}]},
- {access, register}
- ]},
- {mod_roster, []},
- {mod_shared_roster,[]},
- {mod_stats, []},
- {mod_time, []},
- {mod_vcard, []},
- {mod_version, []}
- ]}.
- '';
-
-
- # XXX this is a placeholder that happens to work the default strings.
- toErlang = builtins.toJSON;
-
-in out
diff --git a/tv/3modules/ejabberd/config.nix b/tv/3modules/ejabberd/config.nix
new file mode 100644
index 000000000..49bded855
--- /dev/null
+++ b/tv/3modules/ejabberd/config.nix
@@ -0,0 +1,93 @@
+{ config, ... }: with config.krebs.lib; let
+ cfg = config.tv.ejabberd;
+
+ # XXX this is a placeholder that happens to work the default strings.
+ toErlang = builtins.toJSON;
+in toFile "ejabberd.conf" ''
+ {loglevel, 3}.
+ {hosts, ${toErlang cfg.hosts}}.
+ {listen,
+ [
+ {5222, ejabberd_c2s, [
+ starttls,
+ {certfile, ${toErlang cfg.certfile.path}},
+ {access, c2s},
+ {shaper, c2s_shaper},
+ {max_stanza_size, 65536}
+ ]},
+ {5269, ejabberd_s2s_in, [
+ {shaper, s2s_shaper},
+ {max_stanza_size, 131072}
+ ]},
+ {5280, ejabberd_http, [
+ captcha,
+ http_bind,
+ http_poll,
+ web_admin
+ ]}
+ ]}.
+ {s2s_use_starttls, required}.
+ {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}.
+ {auth_method, internal}.
+ {shaper, normal, {maxrate, 1000}}.
+ {shaper, fast, {maxrate, 50000}}.
+ {max_fsm_queue, 1000}.
+ {acl, local, {user_regexp, ""}}.
+ {access, max_user_sessions, [{10, all}]}.
+ {access, max_user_offline_messages, [{5000, admin}, {100, all}]}.
+ {access, local, [{allow, local}]}.
+ {access, c2s, [{deny, blocked},
+ {allow, all}]}.
+ {access, c2s_shaper, [{none, admin},
+ {normal, all}]}.
+ {access, s2s_shaper, [{fast, all}]}.
+ {access, announce, [{allow, admin}]}.
+ {access, configure, [{allow, admin}]}.
+ {access, muc_admin, [{allow, admin}]}.
+ {access, muc_create, [{allow, local}]}.
+ {access, muc, [{allow, all}]}.
+ {access, pubsub_createnode, [{allow, local}]}.
+ {access, register, [{allow, all}]}.
+ {language, "en"}.
+ {modules,
+ [
+ {mod_adhoc, []},
+ {mod_announce, [{access, announce}]},
+ {mod_blocking,[]},
+ {mod_caps, []},
+ {mod_configure,[]},
+ {mod_disco, []},
+ {mod_irc, []},
+ {mod_http_bind, []},
+ {mod_last, []},
+ {mod_muc, [
+ {access, muc},
+ {access_create, muc_create},
+ {access_persistent, muc_create},
+ {access_admin, muc_admin}
+ ]},
+ {mod_offline, [{access_max_user_messages, max_user_offline_messages}]},
+ {mod_ping, []},
+ {mod_privacy, []},
+ {mod_private, []},
+ {mod_pubsub, [
+ {access_createnode, pubsub_createnode},
+ {ignore_pep_from_offline, true},
+ {last_item_cache, false},
+ {plugins, ["flat", "hometree", "pep"]}
+ ]},
+ {mod_register, [
+ {welcome_message, {"Welcome!",
+ "Hi.\nWelcome to this XMPP server."}},
+ {ip_access, [{allow, "127.0.0.0/8"},
+ {deny, "0.0.0.0/0"}]},
+ {access, register}
+ ]},
+ {mod_roster, []},
+ {mod_shared_roster,[]},
+ {mod_stats, []},
+ {mod_time, []},
+ {mod_vcard, []},
+ {mod_version, []}
+ ]}.
+''
diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix
new file mode 100644
index 000000000..51a3060fd
--- /dev/null
+++ b/tv/3modules/ejabberd/default.nix
@@ -0,0 +1,76 @@
+{ config, lib, pkgs, ... }@args: with config.krebs.lib; let
+ cfg = config.tv.ejabberd;
+in {
+ options.tv.ejabberd = {
+ enable = mkEnableOption "tv.ejabberd";
+ certfile = mkOption {
+ type = types.secret-file;
+ default = {
+ path = "${cfg.user.home}/ejabberd.pem";
+ owner-name = "ejabberd";
+ source-path = toString <secrets> + "/ejabberd.pem";
+ };
+ };
+ hosts = mkOption {
+ type = with types; listOf str;
+ };
+ pkgs.ejabberdctl = mkOption {
+ type = types.package;
+ default = pkgs.writeDashBin "ejabberdctl" ''
+ set -efu
+ export SPOOLDIR=${shell.escape cfg.user.home}
+ export EJABBERD_CONFIG_PATH=${shell.escape (import ./config.nix args)}
+ exec ${pkgs.ejabberd}/bin/ejabberdctl \
+ --logs ${shell.escape cfg.user.home} \
+ "$@"
+ '';
+ };
+ s2s_certfile = mkOption {
+ type = types.secret-file;
+ default = cfg.certfile;
+ };
+ user = mkOption {
+ type = types.submodule {
+ options = {
+ name = mkOption {
+ type = types.str;
+ default = "ejabberd";
+ };
+ home = mkOption {
+ type = types.str;
+ default = "/var/ejabberd";
+ };
+ };
+ };
+ default = {};
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages = [ cfg.pkgs.ejabberdctl ];
+
+ krebs.secret.files = {
+ ejabberd-certfile = cfg.certfile;
+ ejabberd-s2s_certfile = cfg.s2s_certfile;
+ };
+
+ systemd.services.ejabberd = {
+ wantedBy = [ "multi-user.target" ];
+ requires = [ "secret.service" ];
+ after = [ "network.target" "secret.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = "yes";
+ PermissionsStartOnly = "true";
+ SyslogIdentifier = "ejabberd";
+ User = cfg.user.name;
+ ExecStart = "${cfg.pkgs.ejabberdctl}/bin/ejabberdctl start";
+ };
+ };
+
+ users.users.${cfg.user.name} = {
+ inherit (cfg.user) home name;
+ createHome = true;
+ uid = genid cfg.user.name;
+ };
+ };
+}
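Review bot: The `certfile` default hard-codes `owner-name = "ejabberd";` while the service now runs as `User = cfg.user.name` and the path is derived from `cfg.user.home`; if `user.name` is overridden, `krebs.secret.files` would hand the PEM to a different (possibly non-existent) account and the daemon could not read its own key. The fix is `owner-name = cfg.user.name;`. The private key also now defaults into the same directory that is used as `SPOOLDIR` and `--logs`, so anything able to read the spool or log directory can read the key — worth a comment like `# NOTE: key shares the spool/log directory; keep ${cfg.user.home} 0700` unless `types.secret-file` already enforces a mode (not visible here). `PermissionsStartOnly = "true"` has no `ExecStartPre` to apply to and can be dropped.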