authorEuAndreh <eu@euandre.org>2020-08-22 16:52:58 -0300
committerEuAndreh <eu@euandre.org>2020-08-22 16:52:58 -0300
commit8867e16b5a0a5e76e34c5138a5abb6970e878663 (patch)
treec975b9a43571216737636813047f336288af07ec
parentTODOs.org (diff)
Revert "Checkpoint: Shut down Prosody and matterbridge"
This reverts commit 21ebd9be57a8dcdc97d333c6cf2ba19d2642f405.
-rw-r--r--TODOs.org74
-rwxr-xr-xnixos-switch.sh10
-rw-r--r--vps-configuration.env.nix95
3 files changed, 154 insertions, 25 deletions
diff --git a/TODOs.org b/TODOs.org
index 6a8a6b5..7b6baca 100644
--- a/TODOs.org
+++ b/TODOs.org
@@ -1,4 +1,42 @@
* Tasks - v4
+** DONE Prosody in localhost
+CLOSED: [2020-08-14 ven. 09:29]
+** CANCELLED Prosody in NixOS with NGINX
+https://www.reddit.com/r/linuxadmin/comments/7z0ahv/prosody_behind_reverse_proxy/dunbdmv/:
+#+BEGIN_SRC nginx
+server {
+ listen 80;
+ listen [::]:80;
+ server_name xmpp.domain.com
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ ssl on;
+ ssl_certificate /path/to/cert;
+ ssl_certificate_key /path/to/key;
+
+ location / {
+ proxy_pass http://192.168.2.101:5222;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection 'upgrade';
+ proxy_set_header Host $host;
+ proxy_cache_bypass $http_upgrade;
+ }
+}
+#+END_SRC
+Use Prosody as a server itself
+** DONE Prosody TLS
+CLOSED: [2020-08-16 dim. 18:52]
+** DONE matterbridge
+CLOSED: [2020-08-16 dim. 21:58]
+** DONE Converse
+CLOSED: [2020-08-16 dim. 21:58]
** DONE cgit
CLOSED: [2020-08-14 ven. 09:29]
** TODO cgit: show README in about section
@@ -34,6 +72,7 @@ resource "vultr_block_storage" "vps_storage" {
live = "yes"
}
#+END_SRC
+** TODO Stop doing chmod to share certificates
* Tasks - v5
** TODO Run cgit from nginx instead of using lighttpd
** TODO EteSync?
@@ -41,11 +80,21 @@ resource "vultr_block_storage" "vps_storage" {
* Services - v2
** DONE =cloud.$tld=: Nextcloud: storage, calendar, contacts, notes and talk
CLOSED: [2020-08-14 ven. 09:29]
+** DONE =chat.$tld=: [[https://conversejs.org/][Converse]] interface to Prosody server
+CLOSED: [2020-08-16 dim. 21:58]
+Setup under Prosody server, and bridge it with Telegram and WhatsApp using matterbridge.
+#+BEGIN_SRC nix
+muc = [{
+ domain = envsubstConfiguration.prosodyMUCTLD;
+}];
+uploadHttp = {
+ domain = envsubstConfiguration.prosodyHTTPUploadTLD;
+};
+#+END_SRC
** DONE =git.$tld=: cgit server with repositories from ~/dev/libre/
CLOSED: [2020-08-14 ven. 09:29]
** DONE =boneco.$tld=: [[https://git.sr.ht/~euandreh/boneco][boneco]] deployment
CLOSED: [2020-08-15 sam. 18:17]
-** CANCELLED =chat.$tld=: [[https://conversejs.org/][Converse]] interface to Prosody server
** TODO =mail.$tld=: postfix, dovecot, spamassasin, opendkim, etc
No need for roundcube, Nextcloud has a web interface client.
** TODO =$tld=: current Jekyll blog
@@ -108,27 +157,8 @@ Instead, explicitly call =ansible-playbook= after =terraform apply= finished run
This way we test the DNS A record -> Floating IP -> Droplet IP path. We can't do that inside Terraform declaration because the =local-exec= provisioning command runs before the =digitalocean_floating_ip_assignment= is created, and we can't create a cyclic dependency between the two resources.
We could use the raw Droplet IP instead of the DNS A record, but I prefer calling it later in order to always test the full DNS resolution.
-** On shutting down Prosody and matterbridge
-Only after having a fully working configuration between Prosody, matterbridge
-and the gateways, I realized that matterbridge only support private groups for a
-few of their integrations. I should have read the whole documentation instead of
-just jumping in and start configuring.
-
-Instead of finishing the desired setup (missing things listed below), I'll
-remove the existing configuration.
-
-I do like XMPP over everything else, but I see little point in maintaining it if
-nobody I want to talk to wants to use it.
-
-I'll have to search for other solutions, or other ways to approach this problem.
-*** XMPP tasks
-**** Setup MUC on Prosody
-**** Setup DNS =SRV= records
-**** =xmpp.$tld=: Prosody server
-**** =chat.$tld=: [[https://conversejs.org/][Converse]] interface to Prosody server
-=proxyPass= from =chat.$tld= to =xmpp.$tld/conversejs=.
-**** Stop doing chmod to share certificates
* Questions
** How to best handle IP changes when the server changes? How does this affect the email sending IP reputation?
** Enable 2FA for Nextcloud?
-* Scratch
+Do XMPP support that too?
+* Scrath
diff --git a/nixos-switch.sh b/nixos-switch.sh
index 6a75a69..c972ea4 100755
--- a/nixos-switch.sh
+++ b/nixos-switch.sh
@@ -7,3 +7,13 @@ cd "$(dirname "${BASH_SOURCE[0]}")"
envsubst < vps-configuration.env.nix | ssh "$TLD" 'cat > /etc/nixos/configuration.nix'
echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S nix-channel --add "https://nixos.org/channels/nixos-${SYSTEM_STATE_VERSION}" nixos
echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S -i nixos-rebuild switch --upgrade
+
+# Ugly hack to change TLS certificates permissions
+echo "${USER_PASSWORD}" | ssh "$TLD" sudo -S "\
+sudo chmod 640 /var/lib/acme/chat.arrobaponto.org/key.pem; \
+sudo chmod 640 /var/lib/acme/chat.arrobaponto.org/fullchain.pem; \
+sudo chmod 770 /var/lib/acme/chat.arrobaponto.org/; \
+sudo chown nginx:prosody /var/lib/acme/chat.arrobaponto.org/fullchain.pem; \
+sudo chown nginx:prosody /var/lib/acme/chat.arrobaponto.org/key.pem; \
+sudo chown nginx:prosody /var/lib/acme/chat.arrobaponto.org/; \
+sudo systemctl restart prosody.service"
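Review bot: The certificate directory is hard-coded as `/var/lib/acme/chat.arrobaponto.org/` in the added chmod/chown lines, while the Nix side derives the same path from `${envsubstConfiguration.prosodyTLD}`, so the two can silently diverge if `PROSODY_TLD` changes and the key would then stay unreadable by prosody. These permission changes are also applied imperatively from the deploy script, so they are presumably undone on the next ACME renewal or rebuild until the script runs again (the author already tracks this as "Stop doing chmod to share certificates"). The NixOS `security.acme` module can grant group access to the certificate declaratively, e.g. `security.acme.certs."${envsubstConfiguration.prosodyTLD}".group = "prosody";` (option name to confirm for the NixOS release in use), which would remove the whole block. Note also that only the first command carries `sudo -S`; the remaining `sudo` invocations rely on the cached credential timestamp, which is worth a comment if the block stays.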
diff --git a/vps-configuration.env.nix b/vps-configuration.env.nix
index 9013fb8..831a714 100644
--- a/vps-configuration.env.nix
+++ b/vps-configuration.env.nix
@@ -5,6 +5,7 @@ let
TLD = "$TLD";
nextcloudTLD = "$NEXTCLOUD_TLD";
gitTLD = "$GIT_TLD";
+ prosodyTLD = "$PROSODY_TLD";
bonecoTLD = "$BONECO_TLD";
letsencryptEmail = "$LETSENCRYPT_EMAIL";
authorizedKey = "$AUTHORIZED_KEY";
@@ -18,7 +19,18 @@ let
gitRoot = "$GIT_ROOT";
gitPort = "$GIT_PORT";
systemStateVersion = "$SYSTEM_STATE_VERSION";
- songbooksDocumentationTLD = "$SONGBOOKS_DOCUMENTATION_TLD";
+ prosodyAdminUser = "$PROSODY_ADMIN_USER";
+ prosodyMUCTLD = "$PROSODY_MUC_TLD";
+ prosodyPort = "$PROSODY_PORT";
+ prosodyHTTPPort = "$PROSODY_HTTP_PORT";
+ matterbridgeTelegramToken = "$MATTERBRIDGE_TELEGRAM_TOKEN";
+ matterbridgeTelegramChannel = "$MATTERBRIDGE_TELEGRAM_CHANNEL";
+ matterbridgeBotJID = "$MATTERBRIDGE_BOT_JID";
+ matterbridgeBotPassword = "$MATTERBRIDGE_BOT_PASSWORD";
+ matterbridgeBotNick = "$MATTERBRIDGE_BOT_NICK";
+ matterbridgeMUCServer = "$MATTERBRIDGE_MUC_SERVER";
+ matterbridgeXMPPServer = "$MATTERBRIDGE_XMPP_SERVER";
+ matterbridgeXMPPChannel = "$MATTERBRIDGE_XMPP_CHANNEL";
};
boneco = pkgs.stdenv.mkDerivation {
name = "boneco";
@@ -54,6 +66,16 @@ in {
# HTTP and HTPPS: NGINX
80
443
+
+ # XMPP: Prosody
+ # https://prosody.im/doc/ports
+ 5000
+ 5222
+ 5269
+ 5280
+ 5281
+ 5347
+ 5582
];
security.acme = {
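Review bot: Port `5582` in the added firewall list is, per the linked prosody.im/doc/ports page, the `mod_admin_telnet` console, which is meant to listen on localhost only and has no authentication of its own; it should not be opened in `allowedTCPPorts` at all. Plain-HTTP `5280` is already reached through the nginx `proxyPass` to `localhost` in this same file, and `5347` (external components) and `5000` (proxy65) only need exposure if such clients actually connect from outside, which the configuration does not show. Suggested list: `5222` and `5269`, with `5281` only if HTTP upload is served directly rather than through nginx, each with a one-line comment naming its role.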
@@ -91,10 +113,16 @@ in {
enableACME = true;
root = boneco;
};
- "${envsubstConfiguration.songbooksDocumentationTLD}" = {
+ "${envsubstConfiguration.prosodyTLD}" = {
forceSSL = true;
enableACME = true;
- root = "/home/${envsubstConfiguration.userName}/songbooks/";
+ serverAliases = [ envsubstConfiguration.prosodyMUCTLD ];
+ locations = {
+ "/" = {
+ proxyPass =
+ "http://localhost:${envsubstConfiguration.prosodyHTTPPort}/";
+ };
+ };
};
};
};
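Review bot: The new `"/"` location proxies to Prosody's HTTP port but does not forward the WebSocket upgrade headers, while the Prosody block added later in this commit enables `modules = { websocket = true; }`; clients connecting to Converse over WebSocket through nginx would presumably fail the upgrade. The author's own TODOs entry in this commit shows the `Upgrade`/`Connection` headers being set by hand; in NixOS the location option `proxyWebsockets = true;` does the same, so adding that line next to `proxyPass` should be enough. Since `serverAliases` includes the MUC domain, a short comment stating that both hostnames are served by the same proxied Prosody HTTP endpoint would also help.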
@@ -129,6 +157,67 @@ in {
};
};
+ prosody = let
+ fullchainPEM =
+ "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/fullchain.pem";
+ keyPEM = "/var/lib/acme/${envsubstConfiguration.prosodyTLD}/key.pem";
+ in {
+ enable = true;
+ admins = [ envsubstConfiguration.prosodyAdminUser ];
+ allowRegistration = false;
+ modules = { websocket = true; };
+ package = pkgs.prosody.override {
+ withCommunityModules = [ "http_upload" "conversejs" "bookmarks" ];
+ };
+ extraModules = [ "http_upload" "conversejs" "bookmarks" ];
+ ssl = {
+ cert = fullchainPEM;
+ key = keyPEM;
+ };
+ virtualHosts = {
+ "${envsubstConfiguration.prosodyTLD}" = {
+ enabled = true;
+ domain = "${envsubstConfiguration.prosodyTLD}";
+ ssl = {
+ cert = fullchainPEM;
+ key = keyPEM;
+ };
+ };
+ };
+ # muc = [{
+ # domain = envsubstConfiguration.prosodyMUCTLD;
+ # }];
+ };
+
+ matterbridge = {
+ enable = true;
+ configFile = ''
+ [telegram.mytelegram]
+ Token="${envsubstConfiguration.matterbridgeTelegramToken}"
+ RemoteNickFormat="[{PROTOCOL}] <{NICK}>"
+
+ [xmpp.myxmpp]
+ Server="${envsubstConfiguration.matterbridgeXMPPServer}"
+ Jid="${envsubstConfiguration.matterbridgeBotJID}"
+ Password="${envsubstConfiguration.matterbridgeBotPassword}"
+ Muc="${envsubstConfiguration.matterbridgeMUCServer}"
+ Nick="${envsubstConfiguration.matterbridgeBotNick}"
+ RemoteNickFormat="[{PROTOCOL}] <{NICK}>"
+
+ [[gateway]]
+ name="gateway1"
+ enable=true
+
+ [[gateway.inout]]
+ account="telegram.mytelegram"
+ channel="${envsubstConfiguration.matterbridgeTelegramChannel}"
+
+ [[gateway.inout]]
+ account="xmpp.myxmpp"
+ channel="${envsubstConfiguration.matterbridgeXMPPChannel}"
+ '';
+ };
+
lighttpd = {
enable = true;
port = pkgs.lib.toInt envsubstConfiguration.gitPort;