# NixOS module wiring ejabberd (via the `fudo.jabber` module) for this host:
# LDAP-backed authentication for the "fudo.im" vhost, an external Guile
# authenticator for the "backplane.fudo.org" vhost, and the secret files both
# of them need at runtime.
{ config, lib, pkgs, ... }:

with lib;

let
  hostname = config.instance.hostname;
  # Secrets declared for this host; the `target-file` paths of the entries this
  # module itself adds below are read back out of it in the `jabber` section.
  secrets = config.fudo.secrets.host-secrets.${hostname};
  cfg = config.fudo.france.jabber;

  # Build a Scheme alist file of the form '(("name" . "password") ...) from a
  # map of name -> password-file path.
  # NOTE(review): `readFile` runs at evaluation time and the result is written
  # with `pkgs.writeText`, so every password ends up inside a Nix store path,
  # which is world-readable by default. The content is inserted verbatim: a
  # trailing newline in the file, or a `"` / `\` inside the password, lands
  # unescaped inside the Scheme string literal.
  generate-auth-file = name: files:
    let
      # Inner `name` is the map key (host or service name) and shadows the
      # outer `name` used for the output filename.
      make-entry = name: passwd-file:
        ''("${name}" . "${readFile passwd-file}")'';
      entries = mapAttrsToList make-entry files;
      content = concatStringsSep "\n" entries;
    in pkgs.writeText "${name}-backplane-auth.scm" "'(${content})";

  host-auth-file = generate-auth-file "host" cfg.backplane.host-passwd-files;
  service-auth-file = generate-auth-file "service" cfg.backplane.service-passwd-files;

  # Random 30-character bind password for the LDAP service account, and its
  # hashed form for the LDAP user entry. Both come from the fudo passwd
  # helpers; where the cleartext file is stored is not visible here.
  ldap-password-file =
    pkgs.lib.fudo.passwd.random-passwd-file "ejabberd-ldap-auth-user" 30;
  ldap-hashed-password =
    pkgs.lib.fudo.passwd.hash-ldap-passwd "ejabberd-ldap-hashed-passwd" ldap-password-file;

in {
  options.fudo.france = with types; {
    jabber = {
      ldap-user = mkOption {
        type = str;
        description = "System user as which to authenticate to LDAP.";
        default = "ejabberd";
      };

      # No default: evaluation fails unless the host sets it.
      ldap-servers = mkOption {
        type = listOf str;
        description = "LDAP servers to use for user authentication.";
      };

      # No default: evaluation fails unless the host sets it.
      listen-ips = mkOption {
        type = listOf str;
        description = "IPs on which to listen for incoming connections.";
      };

      backplane = {
        # Values are filesystem paths read at evaluation time (see
        # generate-auth-file above), not store paths.
        host-passwd-files = mkOption {
          type = attrsOf str;
          description = "Map of hostname to password file, for backplane host authentication.";
          default = {};
        };

        service-passwd-files = mkOption {
          type = attrsOf str;
          description = "Map of service to password file, for backplane service authentication.";
          default = {};
        };
      };
    };
  };

  config = {
    fudo = {
      # LDAP service account that ejabberd binds as; only the hash is handed
      # to the user definition.
      system-users.${cfg.ldap-user} = {
        description = "ejabberd authentication user.";
        ldap-hashed-password = ldap-hashed-password;
      };

      # Install the generated files under /run, owned by the ejabberd user,
      # so the daemon (and only it, presumably) can read them at runtime.
      secrets.host-secrets.${hostname} = let
        user = config.services.ejabberd.user;
      in {
        host-auth = {
          source-file = host-auth-file;
          target-file = "/run/backplane/host-auth-file.scm";
          user = user;
        };

        service-auth = {
          source-file = service-auth-file;
          target-file = "/run/backplane/service-auth-file.scm";
          user = user;
        };

        ldap-password = {
          source-file = ldap-password-file;
          target-file = "/run/ejabberd/ldap.passwd";
          user = user;
        };
      };

      jabber = {
        enable = true;
        listen-ips = cfg.listen-ips;

        # Paths consumed by the external backplane authenticator.
        environment = {
          FUDO_HOST_PASSWD_FILE = secrets.host-auth.target-file;
          FUDO_SERVICE_PASSWD_FILE = secrets.service-auth.target-file;
        };

        # Secret file the fudo.jabber module presumably substitutes into the
        # ejabberd config; compare the placeholder name used under "fudo.im".
        secret-files = {
          LDAP_PASSWORD = secrets.ldap-password.target-file;
        };

        sites = {
          "fudo.im" = {
            site-config = {
              auth_method = "ldap";
              ldap_servers = cfg.ldap-servers;
              # Plain LDAP on 389 with no ldap_encrypt setting: the bind
              # (rootdn + password) and every lookup travel in cleartext
              # unless the path to cfg.ldap-servers is otherwise protected.
              ldap_port = 389;
              # Base DN is hard-coded to dc=fudo,dc=org here and in ldap_base.
              ldap_rootdn = "cn=${cfg.ldap-user},dc=fudo,dc=org";
              # NOTE(review): this placeholder is "LDAP_PASSWD" while the
              # secret-files key above is LDAP_PASSWORD — confirm which name
              # the fudo.jabber module substitutes; if they must match, one of
              # the two is wrong.
              ldap_password = ''"LDAP_PASSWD"'';
              ldap_base = "ou=members,dc=fudo,dc=org";
              # Any posixAccount under ldap_base may log in; there is no group
              # or service-specific restriction in the filter (may be intended).
              ldap_filter = "(objectClass=posixAccount)";
              ldap_uids = { uid = "%u"; };

              modules = {
                mod_adhoc = {};
                mod_announce = {};
                mod_avatar = {};
                mod_blocking = {};
                mod_caps = {};
                mod_carboncopy = {};
                mod_client_state = {};
                mod_configure = {};
                mod_disco = {};
                # Rate-limits failed logins per source IP.
                mod_fail2ban = {};
                mod_last = {};
                # Per-user cap on stored offline messages.
                mod_offline = { access_max_user_messages = 5000; };
                mod_ping = {};
                mod_privacy = {};
                mod_private = {};
                mod_pubsub = {
                  access_createnode = "pubsub_createnode";
                  ignore_pep_from_offline = true;
                  last_item_cache = false;
                  plugins = [ "flat" "pep" ];
                };
                mod_roster = {};
                mod_stream_mgmt = {};
                mod_time = {};
                # Directory search disabled; vCards are still served.
                mod_vcard = { search = false; };
                mod_vcard_xupdate = {};
                mod_version = {};
              };
            };
          };

          "backplane.fudo.org" = {
            site-config = {
              # Hosts and services authenticate via the Guile script, which
              # reads the two alist files named in `environment` above.
              auth_method = "external";
              extauth_program = "${pkgs.guile}/bin/guile -s ${pkgs.backplane-auth}/backplane-auth.scm";
              extauth_pool_size = 3;
              # Successful auth results are cached by ejabberd, so a password
              # change in the alist files takes effect only once the cached
              # entry expires (ejabberd's default lifetime applies; none is
              # set here).
              auth_use_cache = true;

              modules = {
                mod_adhoc = {};
                mod_caps = {};
                mod_carboncopy = {};
                mod_client_state = {};
                mod_configure = {};
                mod_disco = {};
                # Rate-limits failed logins per source IP.
                mod_fail2ban = {};
                mod_last = {};
                mod_offline = { access_max_user_messages = 5000; };
                mod_ping = {};
                mod_pubsub = {
                  access_createnode = "pubsub_createnode";
                  ignore_pep_from_offline = true;
                  last_item_cache = false;
                  plugins = [ "flat" "pep" ];
                };
                mod_roster = {};
                mod_stream_mgmt = {};
                mod_time = {};
                mod_version = {};
              };
            };
          };
        };
      };
    };
  };
}