base repository: NixOS/nixpkgs
base: d01e4430b370
head repository: NixOS/nixpkgs
compare: ba11500aa81c
  • 6 commits
  • 7 files changed
  • 2 contributors

Commits on Mar 22, 2018

  1. luaevent: 0.4.3 -> 0.4.4

    (cherry picked from commit 0c74665)
    florianjacob authored and globin committed Mar 22, 2018
    64301d0 View commit details
  2. prosody: 0.9.12 -> 0.10.0

    updating config options, removing luazlib as mod_compression was removed
    for security reasons.
    
    (cherry picked from commit 226965d)
    florianjacob authored and globin committed Mar 22, 2018
    7ef13f5 View commit details
  3. prosody: update community modules

    (cherry picked from commit 2c0b230)
    florianjacob authored and globin committed Mar 22, 2018
    05f206c View commit details
  4. nixos/prosody: add a basic test

    (cherry picked from commit 88f06c5)
    florianjacob authored and globin committed Mar 22, 2018
    b9084d0 View commit details
  5. prosody: improve module handling

    (cherry picked from commit 0a80f2c)
    globin committed Mar 22, 2018
    766a80e View commit details
  6. prosody: add test to release.nix

    (cherry picked from commit faaf32a)
    globin committed Mar 22, 2018
    ba11500 View commit details
32 changes: 32 additions & 0 deletions nixos/doc/manual/release-notes/rl-1803.xml
@@ -322,6 +322,38 @@ following incompatible changes:</para>
<link xlink:href="https://github.com/rvl/pump.io-nixos">external module</link>.
</para>
</listitem>
<listitem>
<para>
The Prosody XMPP server has received a major update. The following modules were renamed:
<itemizedlist>
<listitem>
<para>
<option>services.prosody.modules.httpserver</option> is now <option>services.prosody.modules.http_files</option>
</para>
</listitem>
<listitem>
<para>
<option>services.prosody.modules.console</option> is now <option>services.prosody.modules.admin_telnet</option>
</para>
</listitem>
</itemizedlist>
</para>

<para>
Many new modules are now core modules, most notably <option>services.prosody.modules.carbons</option>
and <option>services.prosody.modules.mam</option>.
</para>

<para>
The better-performing <literal>libevent</literal> backend is now enabled by default.
</para>

<para>
<literal>withCommunityModules</literal> now passes through the modules to <option>services.prosody.extraModules</option>.
Use <literal>withOnlyInstalledCommunityModules</literal> for modules that should not be enabled directly, e.g <literal>lib_ldap</literal>.
</para>
</listitem>

</itemizedlist>

</section>
214 changes: 193 additions & 21 deletions nixos/modules/services/networking/prosody.nix
@@ -15,6 +15,7 @@ let
description = "Path to the key file.";
};

# TODO: rename to certificate to match the prosody config
cert = mkOption {
type = types.path;
description = "Path to the certificate file.";
@@ -30,7 +31,7 @@ let
};

moduleOpts = {

# Generally required
roster = mkOption {
type = types.bool;
default = true;
@@ -61,12 +62,38 @@ let
description = "Service discovery";
};

legacyauth = mkOption {
# Not essential, but recommended
carbons = mkOption {
type = types.bool;
default = true;
description = "Legacy authentication. Only used by some old clients and bots";
description = "Keep multiple clients in sync";
};

pep = mkOption {
type = types.bool;
default = true;
description = "Enables users to publish their mood, activity, playing music and more";
};

private = mkOption {
type = types.bool;
default = true;
description = "Private XML storage (for room bookmarks, etc.)";
};

blocklist = mkOption {
type = types.bool;
default = true;
description = "Allow users to block communications with other users";
};

vcard = mkOption {
type = types.bool;
default = true;
description = "Allow users to set vCards";
};

# Nice to have
version = mkOption {
type = types.bool;
default = true;
@@ -91,36 +118,112 @@ let
description = "Replies to XMPP pings with pongs";
};

console = mkOption {
register = mkOption {
type = types.bool;
default = true;
description = "Allow users to register on this server using a client and change passwords";
};

mam = mkOption {
type = types.bool;
default = false;
description = "telnet to port 5582";
description = "Store messages in an archive and allow users to access it";
};

# Admin interfaces
admin_adhoc = mkOption {
type = types.bool;
default = true;
description = "Allows administration via an XMPP client that supports ad-hoc commands";
};

admin_telnet = mkOption {
type = types.bool;
default = false;
description = "Opens telnet console interface on localhost port 5582";
};

# HTTP modules
bosh = mkOption {
type = types.bool;
default = false;
description = "Enable BOSH clients, aka 'Jabber over HTTP'";
};

httpserver = mkOption {
websocket = mkOption {
type = types.bool;
default = false;
description = "Enable WebSocket support";
};

http_files = mkOption {
type = types.bool;
default = false;
description = "Serve static files from a directory over HTTP";
};

websocket = mkOption {
# Other specific functionality
limits = mkOption {
type = types.bool;
default = false;
description = "Enable WebSocket support";
description = "Enable bandwidth limiting for XMPP connections";
};

groups = mkOption {
type = types.bool;
default = false;
description = "Shared roster support";
};

server_contact_info = mkOption {
type = types.bool;
default = false;
description = "Publish contact information for this service";
};

announce = mkOption {
type = types.bool;
default = false;
description = "Send announcement to all online users";
};

welcome = mkOption {
type = types.bool;
default = false;
description = "Welcome users who register accounts";
};

watchregistrations = mkOption {
type = types.bool;
default = false;
description = "Alert admins of registrations";
};

motd = mkOption {
type = types.bool;
default = false;
description = "Send a message to users when they log in";
};

legacyauth = mkOption {
type = types.bool;
default = false;
description = "Legacy authentication. Only used by some old clients and bots";
};

proxy65 = mkOption {
type = types.bool;
default = false;
description = "Enables a file transfer proxy service which clients behind NAT can use";
};

};

toLua = x:
if builtins.isString x then ''"${x}"''
else if builtins.isBool x then toString x
else if builtins.isBool x then (if x == true then "true" else "false")
else if builtins.isInt x then toString x
else if builtins.isList x then ''{ ${lib.concatStringsSep ", " (map (n: toLua n) x) } }''
else throw "Invalid Lua value";

createSSLOptsStr = o: ''
@@ -198,6 +301,59 @@ in
description = "Allow account creation";
};

c2sRequireEncryption = mkOption {
type = types.bool;
default = true;
description = ''
Force clients to use encrypted connections? This option will
prevent clients from authenticating unless they are using encryption.
'';
};

s2sRequireEncryption = mkOption {
type = types.bool;
default = true;
description = ''
Force servers to use encrypted connections? This option will
prevent servers from authenticating unless they are using encryption.
Note that this is different from authentication.
'';
};

s2sSecureAuth = mkOption {
type = types.bool;
default = false;
description = ''
Force certificate authentication for server-to-server connections?
This provides ideal security, but requires servers you communicate
with to support encryption AND present valid, trusted certificates.
For more information see https://prosody.im/doc/s2s#security
'';
};

s2sInsecureDomains = mkOption {
type = types.listOf types.str;
default = [];
example = [ "insecure.example.com" ];
description = ''
Some servers have invalid or self-signed certificates. You can list
remote domains here that will not be required to authenticate using
certificates. They will be authenticated using DNS instead, even
when s2s_secure_auth is enabled.
'';
};

s2sSecureDomains = mkOption {
type = types.listOf types.str;
default = [];
example = [ "jabber.org" ];
description = ''
Even if you leave s2s_secure_auth disabled, you can still require valid
certificates for some domains by specifying a list here.
'';
};


modules = moduleOpts;

extraModules = mkOption {
@@ -206,6 +362,12 @@ in
description = "Enable custom modules";
};

extraPluginPaths = mkOption {
type = types.listOf types.path;
default = [];
description = "Addtional path in which to look find plugins/modules";
};

virtualHosts = mkOption {

description = "Define the virtual hosts";
@@ -255,37 +417,47 @@ in

config = mkIf cfg.enable {

environment.systemPackages = [ pkgs.prosody ];
environment.systemPackages = [ cfg.package ];

environment.etc."prosody/prosody.cfg.lua".text = ''
pidfile = "/var/lib/prosody/prosody.pid"
log = "*syslog"
data_path = "/var/lib/prosody"
allow_registration = ${boolToString cfg.allowRegistration};
${ optionalString cfg.modules.console "console_enabled = true;" }
plugin_paths = {
${lib.concatStringsSep ", " (map (n: "\"${n}\"") cfg.extraPluginPaths) }
}
${ optionalString (cfg.ssl != null) (createSSLOptsStr cfg.ssl) }
admins = { ${lib.concatStringsSep ", " (map (n: "\"${n}\"") cfg.admins) } };
admins = ${toLua cfg.admins}
-- we already build with libevent, so we can just enable it for a more performant server
use_libevent = true
modules_enabled = {
${ lib.concatStringsSep "\n\ \ " (lib.mapAttrsToList
(name: val: optionalString val ''"${name}";'')
(name: val: optionalString val "${toLua name};")
cfg.modules) }
${ lib.concatStringsSep "\n" (map (x: "${toLua x};") cfg.package.communityModules)}
${ lib.concatStringsSep "\n" (map (x: "${toLua x};") cfg.extraModules)}
};
${ optionalString cfg.allowRegistration "\"register\"\;" }
allow_registration = ${toLua cfg.allowRegistration}
${ lib.concatStringsSep "\n" (map (x: "\"${x}\";") cfg.extraModules)}
c2s_require_encryption = ${toLua cfg.c2sRequireEncryption}
s2s_require_encryption = ${toLua cfg.s2sRequireEncryption}
s2s_secure_auth = ${toLua cfg.s2sSecureAuth}
s2s_insecure_domains = ${toLua cfg.s2sInsecureDomains}
s2s_secure_domains = ${toLua cfg.s2sSecureDomains}
"posix";
};
${ cfg.extraConfig }
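Review bot: The string branch of `toLua` (`''"${x}"''`) wraps its argument in double quotes without escaping, so a `"`, `\` or newline inside `cfg.admins`, `cfg.s2sInsecureDomains`, `cfg.s2sSecureDomains` or an `extraModules` name is copied verbatim into `prosody.cfg.lua` by the `admins = ${toLua cfg.admins}` and `s2s_*_domains` lines and either breaks the Lua syntax or silently changes the generated config; these values come from the NixOS configuration rather than from the network, so this is a robustness problem, not an injection one, but it is the one place where the generated file can become wrong without an evaluation error. Escaping the two Lua string metacharacters in that branch is enough: `if builtins.isString x then ''"${lib.escape [ "\\" "\"" ] x}"''` (assuming `lib.escape` has the list-of-characters signature I recall from `lib/strings.nix`). Separately, `register` is now a module option defaulting to `true` while the old `optionalString cfg.allowRegistration "\"register\";"` line is gone, so mod_register is loaded on every host regardless of `allowRegistration`; account creation is still gated by the emitted `allow_registration` value as far as I can tell, but the changed default deserves a sentence in the `register` option description or the release notes. The `createSSLOptsStr` definition at the end of the fourth hunk continues outside the shown lines.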
1 change: 1 addition & 0 deletions nixos/release.nix
@@ -344,6 +344,7 @@ in rec {
tests.predictable-interface-names = callSubTests tests/predictable-interface-names.nix {};
tests.printing = callTest tests/printing.nix {};
tests.prometheus = callTest tests/prometheus.nix {};
tests.prosody = callTest tests/prosody.nix {};
tests.proxy = callTest tests/proxy.nix {};
# tests.quagga = callTest tests/quagga.nix {};
tests.quake3 = callTest tests/quake3.nix {};