openfire: init project

ngi-nix · Sep 26, 2024 · 0dec929 · 0dec929
1 parent 3104b50
commit 0dec929
Show file tree

Hide file tree

Showing 4 changed files with 181 additions and 0 deletions.
diff --git a/projects/Openfire-IPv6/default.nix b/projects/Openfire-IPv6/default.nix
@@ -0,0 +1,15 @@
+{pkgs, ...} @ args: {
+  packages = {
+    inherit (pkgs) openfire;
+  };
+  nixos = {
+    modules.services.openfire-server = ./service.nix;
+    examples = {
+      base = {
+        path = ./example.nix;
+        description = "Basic configuration, mainly used for testing purposes.";
+      };
+    };
+    tests.openfire-server = import ./test.nix args;
+  };
+}
diff --git a/projects/Openfire-IPv6/example.nix b/projects/Openfire-IPv6/example.nix
@@ -0,0 +1,6 @@
+{...}: {
+  services.openfire-server = {
+    enable = true;
+    openFirewall = true;
+  };
+}
diff --git a/projects/Openfire-IPv6/service.nix b/projects/Openfire-IPv6/service.nix
@@ -0,0 +1,113 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  cfg = config.services.openfire-server;
+in {
+  options.services.openfire-server = {
+    enable = lib.mkEnableOption "Openfire XMPP server";
+    package = lib.mkPackageOption pkgs "openfire" {};
+
+    servicePort = lib.mkOption {
+      type = lib.types.port;
+      default = 9090;
+      description = ''
+        The port on which Openfire should listen for insecure Admin Console access.
+      '';
+    };
+
+    securePort = lib.mkOption {
+      type = lib.types.port;
+      default = 9091;
+      description = ''
+        The port on which Openfire should listen for secure Admin Console access.
+      '';
+    };
+
+    openFirewall = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      description = ''
+        Whether to open ports in the firewall for the server.
+      '';
+    };
+
+    dataDir = lib.mkOption {
+      type = lib.types.str;
+      default = "${cfg.package}/opt";
+      defaultText = lib.literalExpression ''"''${config.services.openfire.package}/opt"'';
+      description = ''
+        Where to load readonly data from.
+      '';
+    };
+
+    stateDir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/openfire";
+      description = ''
+        Where to store runtime data (logs, plugins, ...).
+
+        If left at the default, this will be automatically created on server
+        startup if it does not already exist. If changed, it is the admin's
+        responsibility to make sure that the directory exists and is writeable
+        by the `openfire` user.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    users.users.openfire = {
+      description = "openfire server daemon user";
+      home = cfg.stateDir;
+      createHome = false;
+      isSystemUser = true;
+      group = "openfire";
+    };
+    users.groups.openfire = {};
+
+    systemd.services.openfire-server = {
+      description = "Openfire Server Daemon";
+      serviceConfig = lib.mkMerge [
+        {
+          ExecStart = "${cfg.package}/bin/openfire.sh";
+          User = "openfire";
+          Group = "openfire";
+          Restart = "on-failure";
+          WorkingDirectory = cfg.stateDir;
+        }
+        (lib.mkIf (cfg.stateDir == "/var/lib/openfire") {
+          StateDirectory = "openfire";
+        })
+      ];
+      environment.OPENFIRE_HOME = cfg.stateDir;
+      wantedBy = ["multi-user.target"];
+      after = ["network.target"];
+
+      # Files under `OPENFIRE_HOME` require read-write permissions for Openfire
+      # to work correctly, so we can't directly run it from the nix store.
+      #
+      # Instead, we need to copy those files into a directory which has proper
+      # permissions, but we must only do this once, otherwise we risk
+      # ovewriting server state information every time the server is upgraded.
+      #
+      # As such, if `conf/openfire.xml` already exists, we assume the rest of
+      # the files do as well, and copy nothing.
+      # TODO: how to handle package updates?
+      preStart = ''
+        if [ ! -e "${cfg.stateDir}"/conf/openfire.xml ]; then
+          ${pkgs.rsync}/bin/rsync -a --chmod=u=rwX,go=rX \
+            "${cfg.package}/opt/" "${cfg.stateDir}/"
+        fi
+      '';
+    };
+
+    networking.firewall = lib.mkIf cfg.openFirewall {
+      allowedTCPPorts = [
+        cfg.servicePort
+        cfg.securePort
+      ];
+    };
+  };
+}
diff --git a/projects/Openfire-IPv6/test.nix b/projects/Openfire-IPv6/test.nix
@@ -0,0 +1,47 @@
+{
+  lib,
+  sources,
+  ...
+}: {
+  # NOTE:
+  # - Run the test interactively to access the server: nix run .#nixosTests.Openfire-IPv6.openfire-server.driverInteractive
+  # - Diable `Restrict Admin Console Access` in the `Server Settings`, else you won't be able to login.
+
+  name = "openfire";
+  meta = {
+    maintainers = [];
+  };
+
+  nodes = {
+    server = {lib, ...}: {
+      imports = [
+        sources.modules.default
+        sources.modules."services.openfire-server"
+      ];
+
+      services.openfire-server = {
+        enable = true;
+        openFirewall = true;
+      };
+
+      virtualisation.forwardPorts = [
+        {
+          from = "host";
+          host.port = 9090;
+          guest.port = 9090;
+        }
+        {
+          from = "host";
+          host.port = 9091;
+          guest.port = 9091;
+        }
+      ];
+    };
+  };
+
+  testScript = ''
+    start_all()
+    server.wait_for_unit("openfire-server.service")
+    server.wait_for_open_port(9090)
+  '';
+}