nixpkgs/nixos/modules/services/networking/prosody.md
Janne Heß fcc95ff817 treewide: Fix all Nix ASTs in all markdown files
This allows for correct highlighting and maybe future automatic
formatting. The AST was verified to work with nixfmt only.
2024-03-28 09:28:12 +01:00

2.7 KiB

Prosody

Prosody is an open-source, modern XMPP server.

Basic usage

A common struggle for most XMPP newcomers is to find the right set of XMPP Extensions (XEPs) to setup. Forget to activate a few of those and your XMPP experience might turn into a nightmare!

The XMPP community tackles this problem by creating a meta-XEP listing a decent set of XEPs you should implement. This meta-XEP is issued every year, the 2020 edition being XEP-0423.

The NixOS Prosody module will implement most of these recommendend XEPs out of the box. That being said, two components still require some manual configuration: the Multi User Chat (MUC) and the HTTP File Upload ones. You'll need to create a DNS subdomain for each of those. The current convention is to name your MUC endpoint conference.example.org and your HTTP upload domain upload.example.org.

A good configuration to start with, including a Multi User Chat (MUC) endpoint as well as a HTTP File Upload endpoint will look like this:

{
  services.prosody = {
    enable = true;
    admins = [ "root@example.org" ];
    ssl.cert = "/var/lib/acme/example.org/fullchain.pem";
    ssl.key = "/var/lib/acme/example.org/key.pem";
    virtualHosts."example.org" = {
        enabled = true;
        domain = "example.org";
        ssl.cert = "/var/lib/acme/example.org/fullchain.pem";
        ssl.key = "/var/lib/acme/example.org/key.pem";
    };
    muc = [ {
        domain = "conference.example.org";
    } ];
    uploadHttp = {
        domain = "upload.example.org";
    };
  };
}

Let's Encrypt Configuration

As you can see in the code snippet from the previous section, you'll need a single TLS certificate covering your main endpoint, the MUC one as well as the HTTP Upload one. We can generate such a certificate by leveraging the ACME extraDomainNames module option.

Provided the setup detailed in the previous section, you'll need the following acme configuration to generate a TLS certificate for the three endponits:

{
  security.acme = {
    email = "root@example.org";
    acceptTerms = true;
    certs = {
      "example.org" = {
        webroot = "/var/www/example.org";
        email = "root@example.org";
        extraDomainNames = [ "conference.example.org" "upload.example.org" ];
      };
    };
  };
}