diff options
author | Ben Sima <ben@bsima.me> | 2023-04-24 15:11:15 -0400 |
---|---|---|
committer | Ben Sima <ben@bsima.me> | 2023-04-28 08:05:28 -0400 |
commit | 02b2d3fa43bbfd8002fc6271f54a3d09e74b7cc4 (patch) | |
tree | 57c7ddda9f6f42f821f95368960910d1a3816e63 /Biz/Nixpert.nix | |
parent | e78c58ef9d2d89dea91c40251dd93404d182e8fd (diff) |
Reorganize to Biz/Cloud/Comms
Diffstat (limited to 'Biz/Nixpert.nix')
-rw-r--r-- | Biz/Nixpert.nix | 173 |
1 files changed, 1 insertions, 172 deletions
diff --git a/Biz/Nixpert.nix b/Biz/Nixpert.nix index d009182..d6d6d4f 100644 --- a/Biz/Nixpert.nix +++ b/Biz/Nixpert.nix @@ -1,7 +1,5 @@ { config, pkgs, ... }: -# -# xmpp chat service -# + let salespage = pkgs.runCommand "salespage" {} '' mkdir -p $out @@ -14,113 +12,7 @@ let ${./Nixpert.md} \ > $out/index.html ''; - ssl = { - cert = "/var/lib/acme/simatime.com/fullchain.pem"; - key = "/var/lib/acme/simatime.com/key.pem"; - }; in { - networking.firewall.allowedTCPPorts = [ - # https://prosody.im/doc/ports - 5000 # file transfer - 5222 # client connections - 5269 # server-to-server - 5280 # http - 5281 # https - 5347 # external components - 5582 # telnet console - ]; - - services.prosody = { - enable = true; - package = pkgs.prosody.override { - withCommunityModules = [ - "conversejs" - ]; - }; - # when i learn how to use security.acme better, and use separate certs, then i - # can fix this group - group = "nginx"; - admins = [ "bsima@simatime.com" ]; - allowRegistration = true; - inherit ssl; - uploadHttp = { - domain = "upload.simatime.com"; - uploadExpireAfter = toString (60*60*24*30); # 30 days, as seconds - }; - modules = { - announce = true; - bosh = true; - groups = true; - motd = true; - register = true; - server_contact_info = true; - vcard = true; - watchregistrations = true; - websocket = true; - welcome = true; - }; - extraConfig = '' - conversejs_options = { - allow_registration = true; - --- authentication = "internal_plain"; - bosh_service_url = "https://simatime.com/http-bind"; - debug = true; - loglevel = "debug"; - -- default_domain = "simatime.com"; - -- domain_placeholder = "simatime.com"; - -- jid = "simatime.com"; - -- keepalive = true; - -- registration_domain = "simatime.com"; - websocket_url = "wss://simatime.com/xmpp-websocket"; - } - - cross_domain_websocket = { "https://simatime.com", "https://anon.simatime.com" } - cross_domain_bosh = false; -- handle this with nginx - consider_bosh_secure = true; - - -- this is a virtualhost that allows anonymous authentication. use this - -- for the sales lobby. the nix module doesn't support 'authentication' - -- so i have to do this here. - VirtualHost "anon.simatime.com" - authentication = "anonymous" - ssl = { - cafile = "/etc/ssl/certs/ca-bundle.crt"; - key = "/var/lib/acme/simatime.com/key.pem"; - certificate = "/var/lib/acme/simatime.com/fullchain.pem"; - }; - ''; - muc = [ - { - domain = "conference.simatime.com"; - maxHistoryMessages = 10000; - name = "Chat Rooms"; - restrictRoomCreation = "admin"; - roomDefaultHistoryLength = 20; - roomDefaultMembersOnly = true; - roomDefaultModerated = true; - roomDefaultPublic = false; - } - ]; - virtualHosts = { - "simatime.com" = { - domain = "simatime.com"; - enabled = true; - inherit ssl; - }; - }; - }; - - services.nginx.virtualHosts."simatime.com".locations."/http-bind" = { - proxyPass = "https://simatime.com:5281/http-bind"; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_buffering off; - add_header Access-Control-Allow-Origin "*"; - ''; - }; - services.nginx.virtualHosts."nixpert.chat" = { forceSSL = true; enableACME = true; @@ -131,67 +23,4 @@ in { ''; }; }; - - services.nginx.virtualHosts."simatime.com".locations."/xmpp-websocket" = { - proxyPass = "https://simatime.com:5281/xmpp-websocket"; - extraConfig = '' - proxy_http_version 1.1; - proxy_buffering off; - proxy_set_header Host $host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 86400; - add_header Access-Control-Allow-Origin "*"; - ''; - }; - - services.nginx.virtualHosts."simatime.com".locations."/chat" = { - proxyPass = "https://simatime.com:5281/conversejs"; - extraConfig = '' - add_header Access-Control-Allow-Origin "*"; - ''; - }; - - services.nginx.virtualHosts."anon.simatime.com" = { - useACMEHost = "simatime.com"; - forceSSL = true; - locations = { - "/http-bind" = { - proxyPass = "https://anon.simatime.com:5281/http-bind"; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_buffering off; - if ($request_method ~* "(GET|POST)") { - add_header Access-Control-Allow-Origin "*"; - } - if ($request_method = OPTIONS) { - add_header Access-Control-Allow-Origin "*"; - add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD"; - add_header Access-Control-Allow-Headers "Authorization, Origin, X-Requested-With, Content-Type, Accept"; - return 200; - } - ''; - }; - }; - }; - - users.users.nginx.extraGroups = [ "prosody" ]; - - security.acme.certs.${config.networking.domain}.extraDomainNames = [ - "upload.simatime.com" "conference.simatime.com" "simatime.com" "anon.simatime.com" - ]; - - #security.acme.certs.prosody = { - # domain = "${domain}"; - # group = "prosody"; - # dnsProvider = "rfc2136"; - # #credentialsFile = config.secrets.files.dns_creds.path; - # postRun = "systemctl restart prosody"; - # extraDomainNames = [ - # domain - # "upload.${domain}" - # ]; - #}; } |