diff options
Diffstat (limited to 'Biz/Nixpert/Chat.nix')
-rw-r--r-- | Biz/Nixpert/Chat.nix | 191 |
1 files changed, 0 insertions, 191 deletions
diff --git a/Biz/Nixpert/Chat.nix b/Biz/Nixpert/Chat.nix deleted file mode 100644 index 2eae9d6..0000000 --- a/Biz/Nixpert/Chat.nix +++ /dev/null @@ -1,191 +0,0 @@ -{ config, pkgs, ... }: -# -# xmpp chat service -# -let - salespage = pkgs.runCommand "salespage" {} '' - mkdir -p $out - ${pkgs.pandoc}/bin/pandoc \ - --standalone \ - -f commonmark_x \ - -t html ${./Chat.md} \ - > $out/index.html - ''; - ports = import ../Cloud/Ports.nix; - ssl = { - cert = "/var/lib/acme/simatime.com/fullchain.pem"; - key = "/var/lib/acme/simatime.com/key.pem"; - }; -in { - networking.firewall.allowedTCPPorts = [ - # https://prosody.im/doc/ports - 5000 # file transfer - 5222 # client connections - 5269 # server-to-server - 5280 # http - 5281 # https - 5347 # external components - 5582 # telnet console - ]; - - services.prosody = { - enable = true; - package = pkgs.prosody.override { - withCommunityModules = [ - "conversejs" - ]; - }; - # when i learn how to use security.acme better, and use separate certs, then i - # can fix this group - group = "nginx"; - admins = [ "bsima@simatime.com" ]; - allowRegistration = true; - inherit ssl; - uploadHttp = { - domain = "upload.simatime.com"; - uploadExpireAfter = toString (60*60*24*30); # 30 days, as seconds - }; - modules = { - announce = true; - bosh = true; - groups = true; - motd = true; - register = true; - server_contact_info = true; - vcard = true; - watchregistrations = true; - websocket = true; - welcome = true; - }; - extraConfig = '' - conversejs_options = { - allow_registration = true; - --- authentication = "internal_plain"; - bosh_service_url = "https://simatime.com/http-bind"; - debug = true; - loglevel = "debug"; - -- default_domain = "simatime.com"; - -- domain_placeholder = "simatime.com"; - -- jid = "simatime.com"; - -- keepalive = true; - -- registration_domain = "simatime.com"; - websocket_url = "wss://simatime.com/xmpp-websocket"; - } - - cross_domain_websocket = { "https://simatime.com", "https://anon.simatime.com" } - cross_domain_bosh = false; -- handle this with nginx - consider_bosh_secure = true; - - -- this is a virtualhost that allows anonymous authentication. use this - -- for the sales lobby. the nix module doesn't support 'authentication' - -- so i have to do this here. - VirtualHost "anon.simatime.com" - authentication = "anonymous" - ssl = { - cafile = "/etc/ssl/certs/ca-bundle.crt"; - key = "/var/lib/acme/simatime.com/key.pem"; - certificate = "/var/lib/acme/simatime.com/fullchain.pem"; - }; - ''; - muc = [ - { - domain = "conference.simatime.com"; - maxHistoryMessages = 10000; - name = "Chat Rooms"; - restrictRoomCreation = "admin"; - roomDefaultHistoryLength = 20; - roomDefaultMembersOnly = true; - roomDefaultModerated = true; - roomDefaultPublic = false; - } - ]; - virtualHosts = { - "simatime.com" = { - domain = "simatime.com"; - enabled = true; - inherit ssl; - }; - }; - }; - - services.nginx.virtualHosts."simatime.com".locations."/http-bind" = { - proxyPass = "https://simatime.com:5281/http-bind"; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_buffering off; - add_header Access-Control-Allow-Origin "*"; - ''; - }; - - services.nginx.virtualHosts."simatime.com".locations."/" = { - root = "${salespage}"; - extraConfig = '' - add_header Access-Control-Allow-Origin "*"; - ''; - }; - - services.nginx.virtualHosts."simatime.com".locations."/xmpp-websocket" = { - proxyPass = "https://simatime.com:5281/xmpp-websocket"; - extraConfig = '' - proxy_http_version 1.1; - proxy_buffering off; - proxy_set_header Host $host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_read_timeout 86400; - add_header Access-Control-Allow-Origin "*"; - ''; - }; - - services.nginx.virtualHosts."simatime.com".locations."/chat" = { - proxyPass = "https://simatime.com:5281/conversejs"; - extraConfig = '' - add_header Access-Control-Allow-Origin "*"; - ''; - }; - - services.nginx.virtualHosts."anon.simatime.com" = { - useACMEHost = "simatime.com"; - forceSSL = true; - locations = { - "/http-bind" = { - proxyPass = "https://anon.simatime.com:5281/http-bind"; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_buffering off; - if ($request_method ~* "(GET|POST)") { - add_header Access-Control-Allow-Origin "*"; - } - if ($request_method = OPTIONS) { - add_header Access-Control-Allow-Origin "*"; - add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, HEAD"; - add_header Access-Control-Allow-Headers "Authorization, Origin, X-Requested-With, Content-Type, Accept"; - return 200; - } - ''; - }; - }; - }; - - users.users.nginx.extraGroups = [ "prosody" ]; - - security.acme.certs.${config.networking.domain}.extraDomainNames = [ - "upload.simatime.com" "conference.simatime.com" "simatime.com" "anon.simatime.com" - ]; - - #security.acme.certs.prosody = { - # domain = "${domain}"; - # group = "prosody"; - # dnsProvider = "rfc2136"; - # #credentialsFile = config.secrets.files.dns_creds.path; - # postRun = "systemctl restart prosody"; - # extraDomainNames = [ - # domain - # "upload.${domain}" - # ]; - #}; -} |