mirror of
https://github.com/gensokyo-zone/infrastructure.git
synced 2026-02-10 04:49:19 -08:00
166 lines
3.9 KiB
Nix
166 lines
3.9 KiB
Nix
{ tf, config, pkgs, lib, ... }: with lib; let
|
|
ctcfg = config.services.coturn;
|
|
in {
|
|
networks.internet = {
|
|
extra_domains = [
|
|
"xmpp.kittywit.ch"
|
|
"conference.kittywit.ch"
|
|
"upload.kittywit.ch"
|
|
"turn.kittywit.ch"
|
|
];
|
|
tcp = [
|
|
# XMPP
|
|
5000
|
|
5222
|
|
5223
|
|
5269
|
|
5280
|
|
5281
|
|
5347
|
|
5582
|
|
# TURN/STUN
|
|
ctcfg.listening-port
|
|
ctcfg.alt-listening-port
|
|
ctcfg.tls-listening-port
|
|
ctcfg.alt-tls-listening-port
|
|
];
|
|
udp = [
|
|
ctcfg.listening-port
|
|
ctcfg.alt-listening-port
|
|
ctcfg.tls-listening-port
|
|
ctcfg.alt-tls-listening-port
|
|
[ ctcfg.min-port ctcfg.max-port ]
|
|
];
|
|
};
|
|
|
|
services.postgresql = {
|
|
ensureDatabases = [ "prosody" ];
|
|
ensureUsers = [{
|
|
name = "prosody";
|
|
ensurePermissions."DATABASE prosody" = "ALL PRIVILEGES";
|
|
}];
|
|
};
|
|
|
|
secrets = {
|
|
variables.turn-external-secret = {
|
|
path = "gensokyo/coturn";
|
|
field = "static-auth";
|
|
};
|
|
files.turn-external-secret = {
|
|
text = tf.variables.turn-external-secret.ref;
|
|
owner = "prosody";
|
|
group = "domain-auth";
|
|
};
|
|
};
|
|
deploy.tf.variables.turn-external-secret.export = true;
|
|
|
|
services.coturn = {
|
|
enable = true;
|
|
cert = config.networks.internet.cert_path;
|
|
pkey = config.networks.internet.key_path;
|
|
static-auth-secret-file = config.secrets.files.turn-external-secret.path;
|
|
realm = "turn.kittywit.ch";
|
|
};
|
|
|
|
services.prosody = {
|
|
enable = true;
|
|
ssl.cert = config.networks.internet.cert_path;
|
|
ssl.key = config.networks.internet.key_path;
|
|
admins = singleton "kat@kittywit.ch";
|
|
package =
|
|
let
|
|
package = pkgs.prosody.override (old: {
|
|
withExtraLuaPackages = p: singleton p.luadbi-postgresql;
|
|
}); in
|
|
package;
|
|
extraConfig = ''
|
|
legacy_ssl_ports = { 5223 }
|
|
storage = "sql"
|
|
sql = {
|
|
driver = "PostgreSQL";
|
|
host = "";
|
|
database = "prosody";
|
|
username = "prosody";
|
|
}
|
|
turn_external_host = "turn.kittywit.ch"
|
|
'' + optionalString tf.state.enable ''
|
|
turn_external_secret = "${tf.variables.turn-external-secret.get}"
|
|
'';
|
|
virtualHosts = {
|
|
"xmpp.kittywit.ch" = {
|
|
domain = "kittywit.ch";
|
|
enabled = true;
|
|
ssl.cert = config.networks.internet.cert_path;
|
|
ssl.key = config.networks.internet.key_path;
|
|
};
|
|
};
|
|
muc = [{ domain = "conference.kittywit.ch"; }];
|
|
uploadHttp = { domain = "upload.kittywit.ch"; };
|
|
};
|
|
|
|
users.groups.domain-auth.members = [ "prosody" ];
|
|
|
|
deploy.tf.dns.records = {
|
|
services_prosody_muc = {
|
|
inherit (config.networks.internet) zone;
|
|
domain = "conference";
|
|
srv = {
|
|
service = "xmpp-server";
|
|
proto = "tcp";
|
|
priority = 0;
|
|
weight = 5;
|
|
port = 5269;
|
|
target = config.networks.internet.target;
|
|
};
|
|
};
|
|
|
|
services_prosody_client_srv = {
|
|
inherit (config.networks.internet) zone;
|
|
domain = "@";
|
|
srv = {
|
|
service = "xmpp-client";
|
|
proto = "tcp";
|
|
priority = 0;
|
|
weight = 5;
|
|
port = 5222;
|
|
target = config.networks.internet.target;
|
|
};
|
|
};
|
|
|
|
services_prosody_secure_client_srv = {
|
|
inherit (config.networks.internet) zone;
|
|
domain = "@";
|
|
srv = {
|
|
service = "xmpps-client";
|
|
proto = "tcp";
|
|
priority = 0;
|
|
weight = 5;
|
|
port = 5223;
|
|
target = config.networks.internet.target;
|
|
};
|
|
};
|
|
|
|
services_prosody_server_srv = {
|
|
inherit (config.networks.internet) zone;
|
|
domain = "@";
|
|
srv = {
|
|
service = "xmpp-server";
|
|
proto = "tcp";
|
|
priority = 0;
|
|
weight = 5;
|
|
port = 5269;
|
|
target = config.networks.internet.target;
|
|
};
|
|
};
|
|
};
|
|
|
|
services.nginx.virtualHosts = {
|
|
"upload.kittywit.ch" = {
|
|
};
|
|
|
|
"conference.kittywit.ch" = {
|
|
};
|
|
};
|
|
|
|
users.users.nginx.extraGroups = [ "prosody" ];
|
|
}
|