| blob | 8af378322aa93f3f5aa9d215b767a05024f8d313 |
1 let
2 cert =
3 pkgs:
4 pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } ''
5 openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -subj '/CN=example.com/CN=muc.example.com' -days 36500
6 mkdir -p $out
7 cp key.pem cert.pem $out
8 '';
9 in
10 import ../make-test-python.nix (
11 { pkgs, ... }:
12 {
13 name = "ejabberd";
14 meta = with pkgs.lib.maintainers; {
15 maintainers = [ ];
16 };
17 nodes = {
18 client =
19 { nodes, pkgs, ... }:
20 {
21 security.pki.certificateFiles = [ "${cert pkgs}/cert.pem" ];
22 networking.extraHosts = ''
23 ${nodes.server.config.networking.primaryIPAddress} example.com
24 '';
26 environment.systemPackages = [
27 (pkgs.callPackage ./xmpp-sendmessage.nix {
28 connectTo = nodes.server.config.networking.primaryIPAddress;
29 })
30 ];
31 };
32 server =
33 { config, pkgs, ... }:
34 {
35 security.pki.certificateFiles = [ "${cert pkgs}/cert.pem" ];
36 networking.extraHosts = ''
37 ${config.networking.primaryIPAddress} example.com
38 '';
40 services.ejabberd = {
41 enable = true;
42 configFile = "/etc/ejabberd.yml";
43 };
45 systemd.services.ejabberd.serviceConfig.TimeoutStartSec = "15min";
46 environment.etc."ejabberd.yml" = {
47 user = "ejabberd";
48 mode = "0600";
49 text = ''
50 loglevel: 3
52 hosts:
53 - "example.com"
55 listen:
56 -
57 port: 5222
58 module: ejabberd_c2s
59 zlib: false
60 max_stanza_size: 65536
61 shaper: c2s_shaper
62 access: c2s
63 starttls: true
64 -
65 port: 5269
66 ip: "::"
67 module: ejabberd_s2s_in
68 -
69 port: 5347
70 ip: "127.0.0.1"
71 module: ejabberd_service
72 access: local
73 shaper: fast
74 -
75 port: 5444
76 module: ejabberd_http
77 request_handlers:
78 "/upload": mod_http_upload
80 certfiles:
81 - ${cert pkgs}/key.pem
82 - ${cert pkgs}/cert.pem
84 ## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
85 ## password storage (see auth_password_format option).
86 disable_sasl_mechanisms: "digest-md5"
88 ## Outgoing S2S options
89 ## Preferred address families (which to try first) and connect timeout
90 ## in seconds.
91 outgoing_s2s_families:
92 - ipv4
93 - ipv6
95 ## auth_method: Method used to authenticate the users.
96 ## The default method is the internal.
97 ## If you want to use a different method,
98 ## comment this line and enable the correct ones.
99 auth_method: internal
101 ## Store the plain passwords or hashed for SCRAM:
102 ## auth_password_format: plain
103 auth_password_format: scram
105 ###' TRAFFIC SHAPERS
106 shaper:
107 # in B/s
108 normal: 1000000
109 fast: 50000000
111 ## This option specifies the maximum number of elements in the queue
112 ## of the FSM. Refer to the documentation for details.
113 max_fsm_queue: 1000
115 ###' ACCESS CONTROL LISTS
116 acl:
117 ## The 'admin' ACL grants administrative privileges to XMPP accounts.
118 ## You can put here as many accounts as you want.
119 admin:
120 user:
121 - "root": "example.com"
123 ## Local users: don't modify this.
124 local:
125 user_regexp: ""
127 ## Loopback network
128 loopback:
129 ip:
130 - "127.0.0.0/8"
131 - "::1/128"
132 - "::FFFF:127.0.0.1/128"
134 ###' SHAPER RULES
135 shaper_rules:
136 ## Maximum number of simultaneous sessions allowed for a single user:
137 max_user_sessions: 10
138 ## Maximum number of offline messages that users can have:
139 max_user_offline_messages:
140 - 5000: admin
141 - 1024
142 ## For C2S connections, all users except admins use the "normal" shaper
143 c2s_shaper:
144 - none: admin
145 - normal
146 ## All S2S connections use the "fast" shaper
147 s2s_shaper: fast
149 ###' ACCESS RULES
150 access_rules:
151 ## This rule allows access only for local users:
152 local:
153 - allow: local
154 ## Only non-blocked users can use c2s connections:
155 c2s:
156 - deny: blocked
157 - allow
158 ## Only admins can send announcement messages:
159 announce:
160 - allow: admin
161 ## Only admins can use the configuration interface:
162 configure:
163 - allow: admin
164 ## Only accounts of the local ejabberd server can create rooms:
165 muc_create:
166 - allow: local
167 ## Only accounts on the local ejabberd server can create Pubsub nodes:
168 pubsub_createnode:
169 - allow: local
170 ## In-band registration allows registration of any possible username.
171 ## To disable in-band registration, replace 'allow' with 'deny'.
172 register:
173 - allow
174 ## Only allow to register from localhost
175 trusted_network:
176 - allow: loopback
178 ## ===============
179 ## API PERMISSIONS
180 ## ===============
181 ##
182 ## This section allows you to define who and using what method
183 ## can execute commands offered by ejabberd.
184 ##
185 ## By default "console commands" section allow executing all commands
186 ## issued using ejabberdctl command, and "admin access" section allows
187 ## users in admin acl that connect from 127.0.0.1 to execute all
188 ## commands except start and stop with any available access method
189 ## (ejabberdctl, http-api, xmlrpc depending what is enabled on server).
190 ##
191 ## If you remove "console commands" there will be one added by
192 ## default allowing executing all commands, but if you just change
193 ## permissions in it, version from config file will be used instead
194 ## of default one.
195 ##
196 api_permissions:
197 "console commands":
198 from:
199 - ejabberd_ctl
200 who: all
201 what: "*"
203 language: "en"
205 ###' MODULES
206 ## Modules enabled in all ejabberd virtual hosts.
207 modules:
208 mod_adhoc: {}
209 mod_announce: # recommends mod_adhoc
210 access: announce
211 mod_blocking: {} # requires mod_privacy
212 mod_caps: {}
213 mod_carboncopy: {}
214 mod_client_state: {}
215 mod_configure: {} # requires mod_adhoc
216 ## mod_delegation: {} # for xep0356
217 mod_disco: {}
218 #mod_irc:
219 # host: "irc.@HOST@"
220 # default_encoding: "utf-8"
221 ## mod_bosh: {}
222 ## mod_http_fileserver:
223 ## docroot: "/var/www"
224 ## accesslog: "/var/log/ejabberd/access.log"
225 mod_http_upload:
226 thumbnail: false # otherwise needs the identify command from ImageMagick installed
227 put_url: "http://@HOST@:5444/upload"
228 ## # docroot: "@HOME@/upload"
229 #mod_http_upload_quota:
230 # max_days: 14
231 mod_last: {}
232 ## XEP-0313: Message Archive Management
233 ## You might want to setup a SQL backend for MAM because the mnesia database is
234 ## limited to 2GB which might be exceeded on large servers
235 mod_mam: {}
236 mod_muc:
237 host: "muc.@HOST@"
238 access:
239 - allow
240 access_admin:
241 - allow: admin
242 access_create: muc_create
243 access_persistent: muc_create
244 mod_muc_admin: {}
245 mod_muc_log: {}
246 mod_offline:
247 access_max_user_messages: max_user_offline_messages
248 mod_ping: {}
249 ## mod_pres_counter:
250 ## count: 5
251 ## interval: 60
252 mod_privacy: {}
253 mod_private: {}
254 mod_roster:
255 versioning: true
256 mod_shared_roster: {}
257 mod_stats: {}
258 mod_time: {}
259 mod_vcard:
260 search: false
261 mod_vcard_xupdate: {}
262 ## Convert all avatars posted by Android clients from WebP to JPEG
263 mod_avatar: {}
264 # convert:
265 # webp: jpeg
266 mod_version: {}
267 mod_stream_mgmt: {}
268 ## The module for S2S dialback (XEP-0220). Please note that you cannot
269 ## rely solely on dialback if you want to federate with other servers,
270 ## because a lot of servers have dialback disabled and instead rely on
271 ## PKIX authentication. Make sure you have proper certificates installed
272 ## and check your accessibility at https://check.messaging.one/
273 mod_s2s_dialback: {}
274 mod_pubsub:
275 plugins:
276 - "pep"
277 mod_push: {}
278 '';
279 };
281 networking.firewall.enable = false;
282 };
283 };
285 testScript =
286 { nodes, ... }:
287 ''
288 ejabberd_prefix = "su ejabberd -s $(which ejabberdctl) "
290 server.wait_for_unit("ejabberd.service")
292 assert "status: started" in server.succeed(ejabberd_prefix + "status")
294 server.succeed(
295 ejabberd_prefix + "register azurediamond example.com hunter2",
296 ejabberd_prefix + "register cthon98 example.com nothunter2",
297 )
298 server.fail(ejabberd_prefix + "register asdf wrong.domain")
299 client.succeed("send-message")
300 server.succeed(
301 ejabberd_prefix + "unregister cthon98 example.com",
302 ejabberd_prefix + "unregister azurediamond example.com",
303 )
304 '';
305 }
306 )