From cb34da30f3f699c1fcad71b80426e8d87886a2a5 Mon Sep 17 00:00:00 2001 From: Ben Sima Date: Wed, 23 Feb 2022 22:37:15 -0500 Subject: Test out nixpert chat service This is rough, I should move it up in the directory hierarchy and clean up the nix files, but that can all come later. Just gonna test it out for now. Will announce it tomorrow afternoon. --- Biz/Nixpert/Chat.nix | 191 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 191 insertions(+) create mode 100644 Biz/Nixpert/Chat.nix (limited to 'Biz/Nixpert/Chat.nix') diff --git a/Biz/Nixpert/Chat.nix b/Biz/Nixpert/Chat.nix new file mode 100644 index 0000000..2eae9d6 --- /dev/null +++ b/Biz/Nixpert/Chat.nix @@ -0,0 +1,191 @@ +{ config, pkgs, ... }: +# +# xmpp chat service +# +let + salespage = pkgs.runCommand "salespage" {} '' + mkdir -p $out + ${pkgs.pandoc}/bin/pandoc \ + --standalone \ + -f commonmark_x \ + -t html ${./Chat.md} \ + > $out/index.html + ''; + ports = import ../Cloud/Ports.nix; + ssl = { + cert = "/var/lib/acme/simatime.com/fullchain.pem"; + key = "/var/lib/acme/simatime.com/key.pem"; + }; +in { + networking.firewall.allowedTCPPorts = [ + # https://prosody.im/doc/ports + 5000 # file transfer + 5222 # client connections + 5269 # server-to-server + 5280 # http + 5281 # https + 5347 # external components + 5582 # telnet console + ]; + + services.prosody = { + enable = true; + package = pkgs.prosody.override { + withCommunityModules = [ + "conversejs" + ]; + }; + # when i learn how to use security.acme better, and use separate certs, then i + # can fix this group + group = "nginx"; + admins = [ "bsima@simatime.com" ]; + allowRegistration = true; + inherit ssl; + uploadHttp = { + domain = "upload.simatime.com"; + uploadExpireAfter = toString (60*60*24*30); # 30 days, as seconds + }; + modules = { + announce = true; + bosh = true; + groups = true; + motd = true; + register = true; + server_contact_info = true; + vcard = true; + watchregistrations = true; + websocket = true; + welcome = true; + }; + extraConfig = '' + conversejs_options = { + allow_registration = true; + --- authentication = "internal_plain"; + bosh_service_url = "https://simatime.com/http-bind"; + debug = true; + loglevel = "debug"; + -- default_domain = "simatime.com"; + -- domain_placeholder = "simatime.com"; + -- jid = "simatime.com"; + -- keepalive = true; + -- registration_domain = "simatime.com"; + websocket_url = "wss://simatime.com/xmpp-websocket"; + } + + cross_domain_websocket = { "https://simatime.com", "https://anon.simatime.com" } + cross_domain_bosh = false; -- handle this with nginx + consider_bosh_secure = true; + + -- this is a virtualhost that allows anonymous authentication. use this + -- for the sales lobby. the nix module doesn't support 'authentication' + -- so i have to do this here. + VirtualHost "anon.simatime.com" + authentication = "anonymous" + ssl = { + cafile = "/etc/ssl/certs/ca-bundle.crt"; + key = "/var/lib/acme/simatime.com/key.pem"; + certificate = "/var/lib/acme/simatime.com/fullchain.pem"; + }; + ''; + muc = [ + { + domain = "conference.simatime.com"; + maxHistoryMessages = 10000; + name = "Chat Rooms"; + restrictRoomCreation = "admin"; + roomDefaultHistoryLength = 20; + roomDefaultMembersOnly = true; + roomDefaultModerated = true; + roomDefaultPublic = false; + } + ]; + virtualHosts = { + "simatime.com" = { + domain = "simatime.com"; + enabled = true; + inherit ssl; + }; + }; + }; + + services.nginx.virtualHosts."simatime.com".locations."/http-bind" = { + proxyPass = "https://simatime.com:5281/http-bind"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + add_header Access-Control-Allow-Origin "*"; + ''; + }; + + services.nginx.virtualHosts."simatime.com".locations."/" = { + root = "${salespage}"; + extraConfig = '' + add_header Access-Control-Allow-Origin "*"; + ''; + }; + + services.nginx.virtualHosts."simatime.com".locations."/xmpp-websocket" = { + proxyPass = "https://simatime.com:5281/xmpp-websocket"; + extraConfig = '' + proxy_http_version 1.1; + proxy_buffering off; + proxy_set_header Host $host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 86400; + add_header Access-Control-Allow-Origin "*"; + ''; + }; + + services.nginx.virtualHosts."simatime.com".locations."/chat" = { + proxyPass = "https://simatime.com:5281/conversejs"; + extraConfig = '' + add_header Access-Control-Allow-Origin "*"; + ''; + }; + + services.nginx.virtualHosts."anon.simatime.com" = { + useACMEHost = "simatime.com"; + forceSSL = true; + locations = { + "/http-bind" = { + proxyPass = "https://anon.simatime.com:5281/http-bind"; + extraConfig = '' + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; + if ($request_method ~* "(GET|POST)") { + add_header Access-Control-Allow-Origin "*"; + } + if ($request_method = OPTIONS) { + add_header Access-Control-Allow-Origin "*"; + add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD"; + add_header Access-Control-Allow-Headers "Authorization, Origin, X-Requested-With, Content-Type, Accept"; + return 200; + } + ''; + }; + }; + }; + + users.users.nginx.extraGroups = [ "prosody" ]; + + security.acme.certs.${config.networking.domain}.extraDomainNames = [ + "upload.simatime.com" "conference.simatime.com" "simatime.com" "anon.simatime.com" + ]; + + #security.acme.certs.prosody = { + # domain = "${domain}"; + # group = "prosody"; + # dnsProvider = "rfc2136"; + # #credentialsFile = config.secrets.files.dns_creds.path; + # postRun = "systemctl restart prosody"; + # extraDomainNames = [ + # domain + # "upload.${domain}" + # ]; + #}; +} -- cgit v1.2.3