jitsi-meet: Add option to disable Prosody services not used by Jitsi Meet

The default Prosody config assumes that Prosody will be used as a federated
XMPP server, while the usecase for Jitsi Meet is much narrower.

nixos/modules/services/web-apps/jitsi-meet.md

@@ -19,6 +19,13 @@ A minimal configuration using Let's Encrypt for TLS certificates looks like this
 }
 ```
 
+Jitsi Meet depends on the Prosody XMPP server only for message passing from
+the web browser while the default Prosody configuration is intended for use
+with standalone XMPP clients and XMPP federation. If you only use Prosody as
+a backend for Jitsi Meet it is therefore recommended to also enable
+{option}`services.jitsi-meet.prosody.lockdown` option to disable unnecessary
+Prosody features such as federation or the file proxy.
+
 ## Configuration {#module-services-jitsi-configuration}
 
 Here is the minimal configuration with additional configurations:
@@ -27,6 +34,7 @@ Here is the minimal configuration with additional configurations:
   services.jitsi-meet = {
     enable = true;
     hostName = "jitsi.example.com";
+    prosody.lockdown = true;
     config = {
       enableWelcomePage = false;
       prejoinPageEnabled = true;

nixos/modules/services/web-apps/jitsi-meet.nix

@@ -175,11 +175,26 @@ in
     prosody.enable = mkOption {
       type = bool;
       default = true;
+      example = false;
       description = ''
         Whether to configure Prosody to relay XMPP messages between Jitsi Meet components. Turn this
         off if you want to configure it manually.
       '';
     };
+    prosody.lockdown = mkOption {
+      type = bool;
+      default = false;
+      example = true;
+      description = ''
+        Whether to disable Prosody features not needed by Jitsi Meet.
+
+        The default Prosody configuration assumes that it will be used as a
+        general-purpose XMPP server rather than as a companion service for
+        Jitsi Meet. This option reconfigures Prosody to only listen on
+        localhost without support for TLS termination, XMPP federation or
+        the file transfer proxy.
+      '';
+    };
 
     excalidraw.enable = mkEnableOption "Excalidraw collaboration backend for Jitsi";
     excalidraw.port = mkOption {
@@ -211,7 +226,10 @@ in
         smacks = mkDefault true;
         tls = mkDefault true;
         websocket = mkDefault true;
+        proxy65 = mkIf cfg.prosody.lockdown (mkDefault false);
       };
+      httpInterfaces = mkIf cfg.prosody.lockdown (mkDefault [ "127.0.0.1" ]);
+      httpsPorts = mkIf cfg.prosody.lockdown (mkDefault []);
       muc = [
         {
           domain = "conference.${cfg.hostName}";
@@ -300,7 +318,7 @@ in
             muc_component = "conference.${cfg.hostName}"
             breakout_rooms_component = "breakout.${cfg.hostName}"
         '')
-        (mkBefore ''
+        (mkBefore (''
           muc_mapper_domain_base = "${cfg.hostName}"
 
           cross_domain_websocket = true;
@@ -310,7 +328,10 @@ in
             "focus@auth.${cfg.hostName}",
             "jvb@auth.${cfg.hostName}"
           }
-        '')
+        '' + optionalString cfg.prosody.lockdown ''
+          c2s_interfaces = { "127.0.0.1" };
+          modules_disabled = { "s2s" };
+        ''))
       ];
       virtualHosts.${cfg.hostName} = {
         enabled = true;