author | Ben Sima <ben@bsima.me> | 2025-01-03 16:56:39 -0500 |
---|---|---|
committer | Ben Sima <ben@bsima.me> | 2025-01-03 16:56:39 -0500 |
commit | 178a4fab6cdb5cbde6535d131d3341dba811db32 (patch) | |
tree | b64d1a6bec4342dda603cf7b1f626f2085e6473f /Omni | |
parent | 34ed368a9f95e49fe0fe9bce28dd20714edbb155 (diff) |
Get xmpp uploads working again
The problem was that the ssl cert wasn't renewing. I added the domains to the
nginx config, and cleaned up some other stuff. During debug I also updated
nixos-mailserver and nixos stable because I thought it would fix something; it
didn't but I might as well use the updated versions of stuff since it seems to
still work fine.
Diffstat (limited to 'Omni')
-rw-r--r-- | Omni/Bild/Sources.json | 11 | ||||
-rw-r--r-- | Omni/Cloud.nix | 2 | ||||
-rw-r--r-- | Omni/Cloud/Comms/Xmpp.nix | 40 | ||||
-rw-r--r-- | Omni/Cloud/Web.nix | 68 |
4 files changed, 58 insertions, 63 deletions
diff --git a/Omni/Bild/Sources.json b/Omni/Bild/Sources.json
index a2f695a..14abe06 100644
--- a/Omni/Bild/Sources.json
+++ b/Omni/Bild/Sources.json
@@ -130,17 +130,18 @@
 "homepage": "",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "3ffbbdbac0566a0977da3d2657b89cbcfe9a173b",
- "sha256": "0m3zh14is40vixpv125alyacd22835v0v845dsnk5d68wvwhikq2",
+ "rev": "edf04b75c13c2ac0e54df5ec5c543e300f76f1c9",
+ "sha256": "0zffg0m7rhdpk94df578wln5lw3plamadac86cd7cfjcb1n13xmm",
 "type": "tarball",
- "url": "https://github.com/nixos/nixpkgs/archive/3ffbbdbac0566a0977da3d2657b89cbcfe9a173b.tar.gz",
+ "url": "https://github.com/nixos/nixpkgs/archive/edf04b75c13c2ac0e54df5ec5c543e300f76f1c9.tar.gz",
 "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
 },
 "nixos-mailserver": {
+ "branch": "master",
 "repo": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver",
- "rev": "f535d8123c4761b2ed8138f3d202ea710a334a1d",
+ "rev": "dc0569066e79ae96184541da6fa28f35a33fbf7b",
 "sha256": "0csx2i8p7gbis0n5aqpm57z5f9cd8n9yabq04bg1h4mkfcf7mpl6",
- "type": "tarball",
+ "type": "git",
 "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/f535d8123c4761b2ed8138f3d202ea710a334a1d/nixos-mailserver-f535d8123c4761b2ed8138f3d202ea710a334a1d.tar.gz",
 "url_template": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/<rev>/nixos-mailserver-<rev>.tar.gz",
 "version": "master"
diff --git a/Omni/Cloud.nix b/Omni/Cloud.nix
index e9bff4b..8d5095d 100644
--- a/Omni/Cloud.nix
+++ b/Omni/Cloud.nix
@@ -5,7 +5,7 @@ bild.os {
 ./Os/Base.nix
 ./Packages.nix
 ./Users.nix
- ./Cloud/Chat.nix
+ # ./Cloud/Chat.nix
 ./Cloud/Comms.nix
 ./Cloud/Git.nix
 ./Cloud/Hardware.nix
diff --git a/Omni/Cloud/Comms/Xmpp.nix b/Omni/Cloud/Comms/Xmpp.nix
index 5a8264b..ea50ed9 100644
--- a/Omni/Cloud/Comms/Xmpp.nix
+++ b/Omni/Cloud/Comms/Xmpp.nix
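Review bot: The nixos-mailserver entry now pins rev dc0569066e79ae96184541da6fa28f35a33fbf7b with type git, but its `sha256` (0csx2i8p7g…) and `url` are unchanged and still describe the old f535d812 tarball, so the recorded hash no longer corresponds to the pinned revision. If this is a niv sources file, the git type fetches by rev and ignores those fields, so the build is unaffected, but anyone auditing the pin cannot verify it, and flipping `type` back to tarball later would silently fetch and accept the old archive. Regenerating the entry (e.g. `niv update nixos-mailserver`) or dropping the stale `sha256`/`url` keys keeps the pin self-consistent.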
@@ -29,8 +29,8 @@ in { package = pkgs.prosody.override {withCommunityModules = ["conversejs"];}; - # when i learn how to use security.acme better, and use separate certs, then i - # can fix this group + # this is necessary bc prosody needs access to the acme certs managed in Omni/Cloud/Web.nix, when + # i learn how to use security.acme better, and use separate certs, then i can fix this group group = "nginx"; admins = ["bsima@${rootDomain}"]; allowRegistration = true; @@ -51,7 +51,7 @@ in { dialback = true; disco = true; groups = true; - http_files = false; # hm, look into this + http_files = false; # https://prosody.im/doc/modules/mod_http_files motd = true; pep = true; ping = true; @@ -108,17 +108,6 @@ in { roomDefaultModerated = true; roomDefaultPublic = false; } - { - domain = "chat.${rootDomain}"; - maxHistoryMessages = 10000; - name = "Chat Rooms"; - restrictRoomCreation = false; - roomDefaultHistoryLength = 200; - roomDefaultMembersOnly = false; - roomDefaultModerated = false; - roomDefaultPublic = true; - roomDefaultPublicJids = true; - } ]; virtualHosts = { @@ -192,23 +181,8 @@ in { users.users.nginx.extraGroups = ["prosody"]; - security.acme.certs.${rootDomain}.extraDomainNames = [ - # these stopped working idk why - #"upload.${rootDomain}" - #"conference.${rootDomain}" - "anon.${rootDomain}" - "chat.${rootDomain}" - ]; - - #security.acme.certs.prosody = { - # domain = "${domain}"; - # group = "prosody"; - # dnsProvider = "rfc2136"; - # #credentialsFile = config.secrets.files.dns_creds.path; - # postRun = "systemctl restart prosody"; - # extraDomainNames = [ - # domain - # "upload.${domain}" - # ]; - #}; + # restart prosody when we renew the main cert + # https://github.com/NixOS/nixpkgs/issues/133904 + systemd.services.prosody.requires = ["acme-finished-${rootDomain}.target"]; + systemd.services.prosody.after = ["acme-finished-${rootDomain}.target"]; } diff --git a/Omni/Cloud/Web.nix b/Omni/Cloud/Web.nix index 1791539..84f87d4 100644 
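Review bot: In the last hunk, the added `systemd.services.prosody.requires`/`after` on `acme-finished-${rootDomain}.target` only order prosody after the certificate's initial issuance; the comment above them says "restart prosody when we renew the main cert", but an already-active target is not re-triggered when the renewal timer runs, so prosody keeps the old certificate loaded until something else restarts it — which is the stale-cert symptom this commit is chasing. The acme module has a hook for exactly this: `security.acme.certs.${rootDomain}.reloadServices = [ "prosody.service" ];` placed next to the cert definition (now in Omni/Cloud/Web.nix) reloads or restarts prosody after every successful renewal, and replaces the `postRun` workaround this hunk deletes. The ordering lines can stay so prosody does not start before the first cert exists, but the comment should say that instead of promising a restart. The enclosing attribute set continues outside the hunk.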
--- a/Omni/Cloud/Web.nix +++ b/Omni/Cloud/Web.nix @@ -17,6 +17,8 @@ in { ]; }; + users.users.nginx.extraGroups = ["acme"]; + services = { libreddit = { enable = true; @@ -115,7 +117,6 @@ in { names.bensima = "2fa4b9ba71b6dab17c4723745bb7850dfdafcb6ae1a8642f76f9c64fa5f43436"; } }'"; - # disabled for nixpert test "/" = { root = "/var/web/simatime.com"; extraConfig = '' @@ -133,6 +134,24 @@ in { }; }; + # these are for xmpp, not sure if they are necessary but they seem to be? + "conference.${rootDomain}" = { + forceSSL = true; + useACMEHost = rootDomain; + locations."/" = { + root = "/var/web/simatime.com"; + extraConfig = "autoindex on;"; + }; + }; + "upload.${rootDomain}" = { + forceSSL = true; + useACMEHost = rootDomain; + locations."/" = { + root = "/var/web/simatime.com"; + extraConfig = "autoindex on;"; + }; + }; + "bsima.me" = { locations."/" = { root = "/var/web/ben"; @@ -265,27 +284,28 @@ in { }; }; - # This must contain all of the other domains we host - security.acme.certs.${rootDomain}.extraDomainNames = - ["bsima.me" "www.bsima.me"] - ++ map (sub: "${sub}.${rootDomain}") [ - "music" - "tv" - "matrix" - "chat" - "hoogle" - "dandel-rovbur" - "sabten" - "cal" - "notebook" - "nostr" - "reddit" - "old.reddit" - "www.reddit" - "youtube" - "www.youtube" - "m.youtube" - "sd" - "gerrit" - ]; + security.acme.certs.${rootDomain} = { + group = "nginx"; + # This must contain all of the other domains we host + extraDomainNames = + ["bsima.me" "www.bsima.me"] + ++ map (sub: "${sub}.${rootDomain}") [ + "music" + "tv" + "hoogle" + "dandel-rovbur" + "sabten" + "cal" + "notebook" + "nostr" + "youtube" + "www.youtube" + "m.youtube" + "sd" + "gerrit" + # xmpp stuff + "upload" + "conference" + ]; + }; } |
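Review bot: The new `conference.${rootDomain}` and `upload.${rootDomain}` virtual hosts in the hunk at line 133 serve `/var/web/simatime.com` with `autoindex on;`, which publishes a browsable directory listing of the site root on two additional hostnames. Judging by the comment ("not sure if they are necessary"), these hosts exist only so the HTTP-01 challenge for the two new SANs can be answered; if so, the listing is unnecessary exposure and `locations."/".return = "404";` (or a redirect to the main site) does the job without it. Either way the comment should state why the hosts exist, e.g. `# nginx must answer for these names so the ACME challenge for the xmpp SANs succeeds`.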
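Review bot: In the hunk at line 265, `extraDomainNames` no longer lists `matrix`, `chat`, `reddit`, `old.reddit` or `www.reddit`, while the hunk at line 17 still shows `libreddit = { enable = true;` in this file; if a virtual host for any of those names still uses `useACMEHost = rootDomain`, it will now present a certificate lacking that SAN and clients will refuse the connection. The vhost definitions are outside this diff, so this is worth confirming before deploy; the retained comment "This must contain all of the other domains we host" is the invariant being relied on.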