nixpkgs/nixos/tests/xmpp/ejabberd.nix
Chuang Zhu 6f5510289e nixos/tests/ejabberd: fix tests
It seems that SASL SCRAM in ejabberd now requires TLS to work, even if
disable_sasl_scram_downgrade_protection is true. The certificate
generation code is copied from nixos/tests/prosody.
2024-07-19 03:00:09 +08:00

294 lines
9.9 KiB
Nix

let
cert = pkgs: pkgs.runCommand "selfSignedCerts" { buildInputs = [ pkgs.openssl ]; } ''
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -nodes -subj '/CN=example.com/CN=muc.example.com' -days 36500
mkdir -p $out
cp key.pem cert.pem $out
'';
in
import ../make-test-python.nix ({ pkgs, ... }: {
name = "ejabberd";
meta = with pkgs.lib.maintainers; {
maintainers = [ ];
};
nodes = {
client = { nodes, pkgs, ... }: {
security.pki.certificateFiles = [ "${cert pkgs}/cert.pem" ];
networking.extraHosts = ''
${nodes.server.config.networking.primaryIPAddress} example.com
'';
environment.systemPackages = [
(pkgs.callPackage ./xmpp-sendmessage.nix { connectTo = nodes.server.config.networking.primaryIPAddress; })
];
};
server = { config, pkgs, ... }: {
security.pki.certificateFiles = [ "${cert pkgs}/cert.pem" ];
networking.extraHosts = ''
${config.networking.primaryIPAddress} example.com
'';
services.ejabberd = {
enable = true;
configFile = "/etc/ejabberd.yml";
};
systemd.services.ejabberd.serviceConfig.TimeoutStartSec = "15min";
environment.etc."ejabberd.yml" = {
user = "ejabberd";
mode = "0600";
text = ''
loglevel: 3
hosts:
- "example.com"
listen:
-
port: 5222
module: ejabberd_c2s
zlib: false
max_stanza_size: 65536
shaper: c2s_shaper
access: c2s
starttls: true
-
port: 5269
ip: "::"
module: ejabberd_s2s_in
-
port: 5347
ip: "127.0.0.1"
module: ejabberd_service
access: local
shaper: fast
-
port: 5444
module: ejabberd_http
request_handlers:
"/upload": mod_http_upload
certfiles:
- ${cert pkgs}/key.pem
- ${cert pkgs}/cert.pem
## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
## password storage (see auth_password_format option).
disable_sasl_mechanisms: "digest-md5"
## Outgoing S2S options
## Preferred address families (which to try first) and connect timeout
## in seconds.
outgoing_s2s_families:
- ipv4
- ipv6
## auth_method: Method used to authenticate the users.
## The default method is the internal.
## If you want to use a different method,
## comment this line and enable the correct ones.
auth_method: internal
## Store the plain passwords or hashed for SCRAM:
## auth_password_format: plain
auth_password_format: scram
###' TRAFFIC SHAPERS
shaper:
# in B/s
normal: 1000000
fast: 50000000
## This option specifies the maximum number of elements in the queue
## of the FSM. Refer to the documentation for details.
max_fsm_queue: 1000
###' ACCESS CONTROL LISTS
acl:
## The 'admin' ACL grants administrative privileges to XMPP accounts.
## You can put here as many accounts as you want.
admin:
user:
- "root": "example.com"
## Local users: don't modify this.
local:
user_regexp: ""
## Loopback network
loopback:
ip:
- "127.0.0.0/8"
- "::1/128"
- "::FFFF:127.0.0.1/128"
###' SHAPER RULES
shaper_rules:
## Maximum number of simultaneous sessions allowed for a single user:
max_user_sessions: 10
## Maximum number of offline messages that users can have:
max_user_offline_messages:
- 5000: admin
- 1024
## For C2S connections, all users except admins use the "normal" shaper
c2s_shaper:
- none: admin
- normal
## All S2S connections use the "fast" shaper
s2s_shaper: fast
###' ACCESS RULES
access_rules:
## This rule allows access only for local users:
local:
- allow: local
## Only non-blocked users can use c2s connections:
c2s:
- deny: blocked
- allow
## Only admins can send announcement messages:
announce:
- allow: admin
## Only admins can use the configuration interface:
configure:
- allow: admin
## Only accounts of the local ejabberd server can create rooms:
muc_create:
- allow: local
## Only accounts on the local ejabberd server can create Pubsub nodes:
pubsub_createnode:
- allow: local
## In-band registration allows registration of any possible username.
## To disable in-band registration, replace 'allow' with 'deny'.
register:
- allow
## Only allow to register from localhost
trusted_network:
- allow: loopback
## ===============
## API PERMISSIONS
## ===============
##
## This section allows you to define who and using what method
## can execute commands offered by ejabberd.
##
## By default "console commands" section allow executing all commands
## issued using ejabberdctl command, and "admin access" section allows
## users in admin acl that connect from 127.0.0.1 to execute all
## commands except start and stop with any available access method
## (ejabberdctl, http-api, xmlrpc depending what is enabled on server).
##
## If you remove "console commands" there will be one added by
## default allowing executing all commands, but if you just change
## permissions in it, version from config file will be used instead
## of default one.
##
api_permissions:
"console commands":
from:
- ejabberd_ctl
who: all
what: "*"
language: "en"
###' MODULES
## Modules enabled in all ejabberd virtual hosts.
modules:
mod_adhoc: {}
mod_announce: # recommends mod_adhoc
access: announce
mod_blocking: {} # requires mod_privacy
mod_caps: {}
mod_carboncopy: {}
mod_client_state: {}
mod_configure: {} # requires mod_adhoc
## mod_delegation: {} # for xep0356
mod_disco: {}
#mod_irc:
# host: "irc.@HOST@"
# default_encoding: "utf-8"
## mod_bosh: {}
## mod_http_fileserver:
## docroot: "/var/www"
## accesslog: "/var/log/ejabberd/access.log"
mod_http_upload:
thumbnail: false # otherwise needs the identify command from ImageMagick installed
put_url: "http://@HOST@:5444/upload"
## # docroot: "@HOME@/upload"
#mod_http_upload_quota:
# max_days: 14
mod_last: {}
## XEP-0313: Message Archive Management
## You might want to setup a SQL backend for MAM because the mnesia database is
## limited to 2GB which might be exceeded on large servers
mod_mam: {}
mod_muc:
host: "muc.@HOST@"
access:
- allow
access_admin:
- allow: admin
access_create: muc_create
access_persistent: muc_create
mod_muc_admin: {}
mod_muc_log: {}
mod_offline:
access_max_user_messages: max_user_offline_messages
mod_ping: {}
## mod_pres_counter:
## count: 5
## interval: 60
mod_privacy: {}
mod_private: {}
mod_roster:
versioning: true
mod_shared_roster: {}
mod_stats: {}
mod_time: {}
mod_vcard:
search: false
mod_vcard_xupdate: {}
## Convert all avatars posted by Android clients from WebP to JPEG
mod_avatar: {}
# convert:
# webp: jpeg
mod_version: {}
mod_stream_mgmt: {}
## The module for S2S dialback (XEP-0220). Please note that you cannot
## rely solely on dialback if you want to federate with other servers,
## because a lot of servers have dialback disabled and instead rely on
## PKIX authentication. Make sure you have proper certificates installed
## and check your accessibility at https://check.messaging.one/
mod_s2s_dialback: {}
mod_pubsub:
plugins:
- "pep"
mod_push: {}
'';
};
networking.firewall.enable = false;
};
};
testScript = { nodes, ... }: ''
ejabberd_prefix = "su ejabberd -s $(which ejabberdctl) "
server.wait_for_unit("ejabberd.service")
assert "status: started" in server.succeed(ejabberd_prefix + "status")
server.succeed(
ejabberd_prefix + "register azurediamond example.com hunter2",
ejabberd_prefix + "register cthon98 example.com nothunter2",
)
server.fail(ejabberd_prefix + "register asdf wrong.domain")
client.succeed("send-message")
server.succeed(
ejabberd_prefix + "unregister cthon98 example.com",
ejabberd_prefix + "unregister azurediamond example.com",
)
'';
})