
nixos/prosody: make module defaults comply with XEP-0423 #86067

Merged
merged 3 commits into from May 1, 2020

Conversation


NinjaTrappeur commented Apr 26, 2020

Motivation for this change

The overall idea behind all these changes is to provide some sane defaults to make the module "just work" by default. We are trying to stay as close as possible to the meta XEP-0423.

It is now possible to be fully compliant with this meta-XEP with a minimal setup.

As an illustration, I use the following configuration on my personal prosody instance to be fully compliant with the conversations test (https://compliance.conversations.m/server/chat.alternativebit.fr/):

services = {
  prosody = {
    enable = true;
    admins = [ "...@chat.alternativebit.fr" ];
    ssl.cert = "/var/lib/acme/home.alternativebit.fr/fullchain.pem";
    ssl.key = "/var/lib/acme/home.alternativebit.fr/key.pem";
    virtualHosts."chat.alternativebit.fr" = {
      enabled = true;
      domain = "chat.alternativebit.fr";
      ssl.cert = "/var/lib/acme/home.alternativebit.fr/fullchain.pem";
      ssl.key = "/var/lib/acme/home.alternativebit.fr/key.pem";
    };
    muc = [ {
      domain = "conference.alternativebit.fr";
    } ];
    uploadHttp = {
      domain = "upload.alternativebit.fr";
    };
  };
};

After seeing a few prosody nixos config in the wild, I'm confident this PR will make setting up prosody much easier for a lot of people.

The NixOS test has been updated to test this compliance through a VM test.

See the commit messages for more details.


Inlined commit messages:

Setting up an XMPP chat server is a pretty deep rabbit hole to jump in
when you're not familiar with this whole universe. Your experience
with this environment will greatly depend on whether or not your
server implements the right set of XEPs.

To tackle this problem, the XMPP community came up with the idea of
creating a meta-XEP in charge of listing the desirable XEPs to comply
with. This meta-XEP is issued every year under a new XEP number. The
2020 one being XEP-0423[1].

This prosody nixos module refactoring makes complying with XEP-0423
easier. All the necessary extensions are enabled by default. For some
extensions (MUC and HTTP_UPLOAD), we need some input from the user and
cannot provide a sensible default nixpkgs-wide. For those, we guide
the user using a couple of assertions explaining the remaining manual
steps to perform.

We took advantage of this substantial refactoring to refresh the
associated nixos test.

Changelog:
- Update the prosody package to provide the necessary community
  modules in order to comply with XEP-0423. This is a tradeoff, as
  depending on their configuration, the user might end up not using them
  and wasting some disk space. That being said, adding those will
  allow the XEP-0423 users, which I expect to be the majority of
  users, to leverage a bit more the binary cache.
- Add a muc submodule populated with the prosody muc defaults.
- Add a http_upload submodule in charge of setting up a basic http
  server handling the user uploads. This submodule is in charge of
  spinning up an HTTP(s) server in charge of receiving and serving the
  user's attachments.
- Advertise both the MUCs and the http_upload endpoints using mod disco.
- Use the slixmpp library in place of the now defunct sleekxmpp for
  the prosody NixOS test.
- Update the nixos test to set up and test the MUC and http upload
  features.
- Add a couple of assertions triggered if the setup is not xep-0423
  compliant.

[1] https://xmpp.org/extensions/xep-0423.html

We are leveraging the systemd sandboxing features to prevent the
service from accessing locations it shouldn't. Most notably, we are here
preventing the prosody service from accessing /home and providing it
with a private /dev and /tmp.

Please consult man systemd.exec for further information.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

CC: @fpletz @globin @andir @florianjacob @flokli


NinjaTrappeur commented Apr 26, 2020

@GrahamcOfBorg test prosody


NinjaTrappeur commented Apr 26, 2020

I have a remaining question: I'd like to provide the user with an example Let's Encrypt setup.

Something along the lines of

security.acme = {
  email = "your@email.com";
  acceptTerms = true;
  certs = {
    "your.domain.com" = {
      webroot = "/var/www/your.domain.com";
      email = "your@email.com";
      allowKeysForGroup = true;
      group = "sslcertgr";
      extraDomains."chat.domain.com" = null;
      extraDomains."upload.domain.com" = null;
      extraDomains."conference.domain.com" = null;
    };
  };
};

Where should I put this? I first thought about adding an example setup in the nixos manual, but I'm not sure people will end up reading it. Do you have any idea about where to put that?


Side note: I just realized @mmilata has been bumping prosody to 0.11.5 in the meantime (I missed that commit, I actually started this PR about a month ago, took me quite some time to fix the nixos test)! Will remove this duplicate bump from the PR in a sec.
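As an added example (not code from the PR or the module), the two snippets posted above combined into one NixOS configuration, together with the group membership prosody needs to read the ACME key and the systemd sandboxing the second commit describes, written out explicitly. The domains and the e-mail address are placeholders.

```nix
{ ... }:
{
  # One certificate covering the XMPP domains; example.org is a placeholder.
  security.acme = {
    acceptTerms = true;
    email = "admin@example.org";
    certs."example.org" = {
      webroot = "/var/www/example.org";
      group = "sslcertgr";          # prosody is added to this group below
      allowKeysForGroup = true;     # key becomes group-readable
      extraDomains."chat.example.org" = null;
      extraDomains."upload.example.org" = null;
      extraDomains."conference.example.org" = null;
    };
  };

  # Let the prosody user read the group-readable key without running as root.
  users.users.prosody.extraGroups = [ "sslcertgr" ];

  services.prosody = {
    enable = true;
    admins = [ "admin@chat.example.org" ];
    ssl.cert = "/var/lib/acme/example.org/fullchain.pem";
    ssl.key = "/var/lib/acme/example.org/key.pem";
    virtualHosts."chat.example.org" = {
      enabled = true;
      domain = "chat.example.org";
      ssl.cert = "/var/lib/acme/example.org/fullchain.pem";
      ssl.key = "/var/lib/acme/example.org/key.pem";
    };
    # MUC and HTTP upload need a domain each; the module cannot guess them.
    muc = [ { domain = "conference.example.org"; } ];
    uploadHttp.domain = "upload.example.org";
  };

  # The sandboxing described in the second commit message, as serviceConfig
  # settings (see man systemd.exec); the PR applies these in the module itself.
  systemd.services.prosody.serviceConfig = {
    ProtectHome = true;     # no access to /home
    PrivateDevices = true;  # private /dev
    PrivateTmp = true;      # private /tmp
  };
}
```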

@NinjaTrappeur NinjaTrappeur force-pushed the NinjaTrappeur:nin-sane-prosody-defaults branch 2 times, most recently from e743b21 to 44f3205 Apr 26, 2020
@ofborg ofborg bot requested review from globin and fpletz Apr 26, 2020

flokli commented Apr 26, 2020

Thanks a lot for doing this! I really like how this also makes the prosody module much more composable.

It's now also very easy to define mucs, which can be reused by things like #82920.

Where should I put this?
You might just want to add a nixos/modules/services/networking/prosody.xml containing some documentation, as well as the examples you posted in this PR.

@flokli flokli mentioned this pull request Apr 27, 2020
@NinjaTrappeur NinjaTrappeur force-pushed the NinjaTrappeur:nin-sane-prosody-defaults branch from 9822880 to 353a8b5 Apr 30, 2020

NinjaTrappeur commented May 1, 2020

As suggested by @flokli, I added a Prosody section to the NixOS manual in df52c29 explaining how to perform a basic setup.

You can use nix-build nixos/release.nix -A manual.x86_64-linux && firefox result/share/doc/nixos/index.html to generate the doc.

We add a Prosody entry to the NixOS manual showing how to set up a
basic XEP-0423 compliant Prosody service. This example also showcases
how to generate the associated ACME certificates.

Note: The <programlisting> body might look poorly indented, but trust
me, it's necessary. If we try to increase their indentation level, the
HTML output will end up containing a lot of unnecessary heading spaces
breaking the formatting...
@NinjaTrappeur NinjaTrappeur force-pushed the NinjaTrappeur:nin-sane-prosody-defaults branch from df52c29 to f5b1e6b May 1, 2020
@flokli
flokli approved these changes May 1, 2020

flokli commented May 1, 2020

Thanks a lot for all the nice work in here! 👍

@flokli flokli merged commit e148a72 into NixOS:master May 1, 2020
@mmilata mmilata mentioned this pull request May 3, 2020