author | W. Kosior <koszko@koszko.org> | 2025-02-14 12:00:21 +0100 |
---|---|---|
committer | W. Kosior <koszko@koszko.org> | 2025-02-14 12:00:21 +0100 |
commit | ddad86141f3cc809bfee806fd6dec36f5cec19e6 (patch) | |
tree | 06c572942e39035e347b043e2544166c57095989 | |
parent | 1aec87a4966772428ade576895d419c61fd16ef8 (diff) | |
This has already been running for some time, actually.
-rw-r--r-- | salamina.scm | 75 |
1 files changed, 72 insertions, 3 deletions
diff --git a/salamina.scm b/salamina.scm
index 73278d2..648833b 100644
--- a/salamina.scm
+++ b/salamina.scm
@@ -29,6 +29,7 @@ ((gnu services ssh) #:select (openssh-service-type openssh-configuration)) ((gnu services sysctl) #:select (sysctl-service-type))
+ ((gnu services messaging) #:prefix msg:) ((gnu services networking) #:prefix net:) ((gnu services overlayfs) #:select (overlayfs-service-type overlayfs-mount-configuration))
@@ -148,6 +149,7 @@ ("hydrillabugs.koszko.org" "www.hydrillabugs.koszko.org" "hachettebugs.koszko.org" "www.hachettebugs.koszko.org") ("imap.koszko.org")
+ ("muc.koszko.org" "xmpp-uploads.koszko.org") ("pray.koszko.org" "www.pray.koszko.org") ("sheets.koszko.org" "www.sheets.koszko.org") ("smtp.koszko.org")))))
@@ -496,7 +498,8 @@ (kill (call-with-input-file pidfile read) SIGHUP))) '("/var/run/httpd" "/var/spool/exim/exim-daemon.pid"
- "/var/run/dovecot/master.pid"))))
+ "/var/run/dovecot/master.pid"
+ "/var/run/prosody/prosody.pid")))) (prepend %services (service cb:certbot-sans-nginx-service-type
@@ -521,6 +524,8 @@ (("hydrillabugs.koszko.org" "www.hydrillabugs.koszko.org" "hachettebugs.koszko.org" "www.hachettebugs.koszko.org") . #f) (("imap.koszko.org") . #f)
+ (("muc.koszko.org" "xmpp-proxy.koszko.org"
+ "xmpp-uploads.koszko.org" "koszko.org") . "xmpp-certificates") (("pray.koszko.org" "www.pray.koszko.org") . #f) (("sheets.koszko.org" "www.sheets.koszko.org") . #f) (("smtp.koszko.org") . "smtp-certificates"))))
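Review bot: The renewal hook in the `@@ -496` hunk now opens `/var/run/prosody/prosody.pid` unconditionally, and `call-with-input-file` raises if that file is absent, so a path that does not match the pidfile the Prosody service actually writes would abort the hook before later entries are reached. The `msg:prosody-configuration` added later in this commit does not set a pidfile field, so the Guix default applies; if the configuration record exposes such a field, setting it explicitly to this path would tie the two together, or each entry could be skipped with `file-exists?` so one missing pidfile does not prevent the remaining daemons from being signalled. Whether SIGHUP makes Prosody re-read the renewed certificate files rather than only its configuration depends on the Prosody version in use, so it is worth confirming after the first renewal that the served certificate actually rotated. The enclosing form that iterates over these paths starts before the hunk.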
@@ -535,6 +540,46 @@ (prepend %services
+ (service msg:prosody-service-type
+ (msg:prosody-configuration
+ (modules-enabled (cons* "mam" msg:%default-modules-enabled))
+ (authentication "internal_hashed")
+ (ssl (msg:ssl-configuration
+ (certificate "/etc/certs/muc.koszko.org/fullchain.pem")
+ (key "/etc/certs/muc.koszko.org/privkey.pem")
+ (protocol "tlsv1_1+")))
+ (c2s-require-encryption? #t)
+ (s2s-require-encryption? #t)
+ (int-components
+ (list (msg:int-component-configuration
+ (modules-enabled '("muc_mam" "vcard_muc"))
+ (hostname "muc.koszko.org")
+ (plugin "muc")
+ (mod-muc (msg:mod-muc-configuration
+ (restrict-room-creation "local")
+ ;; We'd use lua's `math.huge' but Guix only allows a
+ ;; number here.
+ (max-history-messages (* 1024 1024 1024)))))
+ (msg:int-component-configuration
+ (hostname "xmpp-uploads.koszko.org")
+ ;; Haxx: relevant fields are not currently supported by Guix.
+ (plugin (format #f "http_file_share\"
+http_file_share_size_limit = ~d
+http_file_share_expire_after = ~d
+-- "
+ (* 1024 1024 2)
+ (* 60 60 24 365 2))))
+ (msg:int-component-configuration
+ (hostname "xmpp-proxy.koszko.org")
+ (plugin "proxy65\"
+proxy65_acl = { \"koszko.org\" }
+-- "))))
+ (virtualhosts
+ (list (msg:virtualhost-configuration
+ (domain "koszko.org")))))))
+
+
+(prepend %services
 (service net:iptables-service-type (net:iptables-configuration (ipv4-rules (plain-file "iptables.rules" (format #f "\
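Review bot: `(protocol "tlsv1_1+")` in the new `ssl` block still admits TLS 1.1, which is deprecated and below what current XMPP clients and servers negotiate; with both `c2s-require-encryption?` and `s2s-require-encryption?` set to `#t` the floor should be `(protocol "tlsv1_2+")` unless a specific legacy peer is known to need 1.1. Separately, the `plugin` strings for the upload and proxy components close the quoted value early and rely on a trailing `-- ` Lua comment to swallow the serializer's closing quote, which only works while Guix emits the field as `plugin = "<value>"` verbatim; a comment such as `;; Relies on Guix serializing the plugin field as plugin = "..." — re-check after upgrading Guix.` would make the breakage easier to diagnose. Inspecting `prosodyctl check config` after reconfigure would confirm that `proxy65_acl`, `http_file_share_size_limit` and `http_file_share_expire_after` actually landed in the generated configuration. Whether the iptables rules referenced in the context line admit 5222, 5269 and the HTTP port used by the upload component is not visible in this diff, since the rules text is unchanged.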
@@ -585,12 +630,29 @@ COMMIT ("hydrillabugs" "" "IN" "CNAME" "@") ("www.hydrillabugs" "" "IN" "CNAME" "hydrillabugs") ("imap" "" "IN" "CNAME" "salamina")
+ ("muc" "" "IN" "CNAME" "@") ("ns2" "" "IN" "CNAME" "salamina") ("pray" "" "IN" "CNAME" "@") ("www.pray" "" "IN" "CNAME" "pray") ("sheets" "" "IN" "CNAME" "@") ("www.sheets" "" "IN" "CNAME" "sheets") ("smtp" "" "IN" "CNAME" "salamina")
+ ;; Pointed to by an SRV record and should thus be an A rather than CNAME.
+ ("xmpp" "" "IN" "A" %salamina-v4-addr)
+ ;; We don't have SRV records for xmpp-proxy and xmpp-uploads but `prosodyctl
+ ;; check' complains about their missing A records anyway, let's silence it.
+ ("xmpp-proxy" "" "IN" "A" %salamina-v4-addr)
+ ("xmpp-uploads" "" "IN" "A" %salamina-v4-addr)
+
+ ;; XMPP.
+ ;;
+ ;; SRV record expects priority, weight and port fields that
+ ;; `define-zone-entries' is unaware of. It's OK to put these
+ ;; space-separated in the record data string — that string is not being
+ ;; escaped during serialization
+ ("_xmpp-server._tcp" "" "IN" "SRV" "0 5 5269 xmpp.koszko.org.")
+ ("_xmpp-client._tcp" "" "IN" "SRV" "0 5 5222 xmpp.koszko.org.")
+ ("_xmpp-server._tcp.muc" "" "IN" "SRV" "0 5 5269 xmpp.koszko.org.") ;; mail ("@" "" "IN" "MX 10" "smtp.koszko.org.")
@@ -901,6 +963,9 @@ authorityKeyIdentifier = keyid,issuer:always (gss:user-group (name "smtp-certificates") (system? #t))
+ (gss:user-group
+ (name "xmpp-certificates")
+ (system? #t)) gss:%base-groups)) (extra-groups (list (gss:user-extra-groups
@@ -908,7 +973,10 @@ authorityKeyIdentifier = keyid,issuer:always (groups '("smtp-certificates"))) (gss:user-extra-groups (user "httpd")
- (groups '("git")))))
+ (groups '("git")))
+ (gss:user-extra-groups
+ (user "prosody")
+ (groups '("xmpp-certificates"))))) (packages (append (specifications->packages '("file"
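Review bot: The three SRV entries in the `@@ -585` hunk carry priority, weight and port inside the data string and, as the comment states, depend on `define-zone-entries` not escaping that string; nothing in the zone definition would flag it if that serializer started quoting its input, so the records would silently become malformed. Running `prosodyctl check dns` after each reconfigure is the cheapest way to catch that, and the comment could record it, e.g. `;; Verified with `prosodyctl check dns'; re-run after any change to define-zone-entries.`. Only `%salamina-v4-addr` is published for `xmpp`, `xmpp-proxy` and `xmpp-uploads`; if the host also has a global IPv6 address, matching AAAA records would keep dual-stack peers from falling back to v4 — whether one exists is not visible here.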
@@ -916,7 +984,8 @@ authorityKeyIdentifier = keyid,issuer:always "net-tools" "man-pages-posix" "emacs"
- "minetest"))
+ "minetest"
+ "prosody")) %base-packages)) (services %services)) |