From 61abc965816f33f8e5cfe37daa198ed4cf4dcc92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Tue, 31 Oct 2023 12:50:47 +0100
Subject: [PATCH] clanModules: add ejabberd
---
 clanModules/ejabberd.nix | 199 +++++++++++++++++++++++++++++++++++
 clanModules/flake-module.nix | 1 +
 2 files changed, 200 insertions(+)
 create mode 100644 clanModules/ejabberd.nix
diff --git a/clanModules/ejabberd.nix b/clanModules/ejabberd.nix
new file mode 100644
index 000000000..d7197a34c
--- /dev/null
+++ b/clanModules/ejabberd.nix
@@ -0,0 +1,199 @@
+{ config
+, ...
+}: {
+ services.ejabberd = {
+ enable = true;
+ configFile = "/etc/ejabberd.yml";
+ };
+
+ environment.etc."ejabberd.yml" = {
+ user = "ejabberd";
+ mode = "0600";
+ text = ''
+ loglevel: 4
+
+ default_db: sql
+ new_sql_schema: true
+ sql_type: sqlite
+ sql_database: "/var/lib/ejabberd/db.sqlite"
+
+ hosts:
+ - ${config.clanCore.machineName}.local
+
+ listen:
+ -
+ port: 5222
+ ip: "::1"
+ module: ejabberd_c2s
+ max_stanza_size: 262144
+ shaper: c2s_shaper
+ access: c2s
+ starttls_required: false
+ -
+ port: 5269
+ ip: "::"
+ module: ejabberd_s2s_in
+ max_stanza_size: 524288
+
+ auth_method: [anonymous]
+ anonymous_protocol: login_anon
+ acl:
+ local:
+ user_regexp: ""
+ loopback:
+ ip:
+ - 127.0.0.0/8
+ - ::1/128
+ access_rules:
+ local:
+ allow: local
+ c2s:
+ deny: blocked
+ allow: all
+ s2s:
+ - allow
+ announce:
+ allow: admin
+ configure:
+ allow: admin
+ muc_create:
+ allow: all
+ pubsub_createnode:
+ allow: local
+ trusted_network:
+ allow: loopback
+ api_permissions:
+ "console commands":
+ from:
+ - ejabberd_ctl
+ who: all
+ what: "*"
+ "admin access":
+ who:
+ access:
+ allow:
+ acl: loopback
+ acl: admin
+ oauth:
+ scope: "ejabberd:admin"
+ access:
+ allow:
+ acl: loopback
+ acl: admin
+ what:
+ - "*"
+ - "!stop"
+ - "!start"
+ "public commands":
+ who:
+ ip: 127.0.0.1/8
+ what:
+ - status
+ - connected_users_number
+ shaper:
+ normal: 1000
+ fast: 50000
+
+ shaper_rules:
+ max_user_sessions: 10
+ max_user_offline_messages:
+ 5000: admin
+ 100: all
+ c2s_shaper:
+ none: admin
+ normal: all
+ s2s_shaper: fast
+ modules:
+ mod_adhoc: {}
+ mod_admin_extra: {}
+ mod_announce:
+ access: announce
+ mod_avatar: {}
+ mod_blocking: {}
+ mod_bosh: {}
+ mod_caps: {}
+ mod_carboncopy: {}
+ mod_client_state: {}
+ mod_configure: {}
+ mod_disco: {}
+ mod_fail2ban: {}
+ mod_http_api: {}
+ mod_http_upload:
+ put_url: https://@HOST@:5443/upload
+ mod_last: {}
+ mod_mam:
+ ## Mnesia is limited to 2GB, better to use an SQL backend
+ ## For small servers SQLite is a good fit and is very easy
+ ## to configure. Uncomment this when you have SQL configured:
+ ## db_type: sql
+ assume_mam_usage: true
+ default: always
+ mod_mqtt:
+ access_publish:
+ "homeassistant/#":
+ - allow: hass_publisher
+ - deny
+ "#":
+ - deny
+ access_subscribe:
+ "homeassistant/#":
+ - allow: hass_subscriber
+ - deny
+ "#":
+ - deny
+ mod_muc:
+ host: "muc.@HOST@"
+ access:
+ - allow
+ access_admin:
+ - allow: admin
+ access_create: muc_create
+ access_persistent: muc_create
+ access_mam:
+ - allow
+ default_room_options:
+ mam: true
+ mod_muc_admin: {}
+ mod_offline:
+ access_max_user_messages: max_user_offline_messages
+ mod_ping: {}
+ mod_privacy: {}
+ mod_private: {}
+ mod_proxy65:
+ access: local
+ max_connections: 5
+ mod_pubsub:
+ access_createnode: pubsub_createnode
+ plugins:
+ - flat
+ - pep
+ force_node_config:
+ ## Avoid buggy clients to make their bookmarks public
+ storage:bookmarks:
+ access_model: whitelist
+ mod_push: {}
+ mod_push_keepalive: {}
+ mod_register:
+ ## Only accept registration requests from the "trusted"
+ ## network (see access_rules section above).
+ ## Think twice before enabling registration from any
+ ## address. See the Jabber SPAM Manifesto for details:
+ ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
+ ip_access: trusted_network
+ mod_roster:
+ versioning: true
+ mod_s2s_dialback: {}
+ mod_shared_roster: {}
+ mod_stream_mgmt:
+ resend_on_timeout: if_offline
+ mod_vcard: {}
+ mod_vcard_xupdate: {}
+ mod_version:
+ show_os: false
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 5269 # xmpp-server
+ ];
+}
diff --git a/clanModules/flake-module.nix b/clanModules/flake-module.nix
index 6eeebdc11..d273f1a09 100644
--- a/clanModules/flake-module.nix
+++ b/clanModules/flake-module.nix
@@ -8,6 +8,7 @@
 ];
 })
 (builtins.readDir ./diskLayouts);
+ ejabberd = ./ejabberd.nix;
 dino = ./dino.nix;
 xfce = ./xfce.nix;
 };
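Review bot: The `ejabberd_s2s_in` listener on `::`/5269 is opened in `networking.firewall.allowedTCPPorts` and `access_rules.s2s` is `- allow`, yet the config sets neither `certfiles` nor `s2s_use_starttls`, so inbound federation from any peer is accepted in plaintext with `mod_s2s_dialback` as the only check (ejabberd's `s2s_use_starttls` default is `false` as far as I recall). Since the only configured host is `${config.clanCore.machineName}.local`, which public peers cannot resolve or validate, either drop `5269` from `allowedTCPPorts` until a certificate is wired in, or add `s2s_use_starttls: required` together with a `certfiles:` entry next to `hosts:`. Separately, `mod_http_upload` advertises `put_url: https://@HOST@:5443/upload` but no `ejabberd_http` listener on 5443 appears in the hunk, so clients would receive upload slots pointing at a closed port. Minor consistency nit: `"public commands"` uses `ip: 127.0.0.1/8` while the `loopback` acl uses `127.0.0.0/8`; the `/8` mask makes them equivalent, but the acl spelling is the conventional one.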