From c154fa39a7f68a17713eff260c45c4d23835feb1 Mon Sep 17 00:00:00 2001 From: Soispha Date: Tue, 3 Oct 2023 17:29:00 +0200 Subject: fix(system/services/murmur): Allow murmur's user to read certs --- system/impermanence/default.nix | 1 + system/impermanence/mods/murmur.nix | 10 ++++++++++ system/services/murmur/default.nix | 26 ++++++++++++++++++++++---- 3 files changed, 33 insertions(+), 4 deletions(-) create mode 100644 system/impermanence/mods/murmur.nix diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix index 6e977b5..f3d792d 100644 --- a/system/impermanence/default.nix +++ b/system/impermanence/default.nix @@ -5,6 +5,7 @@ ./mods/mail.nix ./mods/matrix.nix ./mods/minecraft.nix + ./mods/murmur.nix ./mods/nix-sync.nix ./mods/openssh.nix ./mods/postgresql.nix diff --git a/system/impermanence/mods/murmur.nix b/system/impermanence/mods/murmur.nix new file mode 100644 index 0000000..48912e1 --- /dev/null +++ b/system/impermanence/mods/murmur.nix @@ -0,0 +1,10 @@ +{...}: { + environment.persistence."/srv".directories = [ + { + directory = "/var/lib/murmur"; + user = "murmur"; + group = "murmur"; + mode = "0700"; + } + ]; +} diff --git a/system/services/murmur/default.nix b/system/services/murmur/default.nix index 9c04db0..1dcd781 100644 --- a/system/services/murmur/default.nix +++ b/system/services/murmur/default.nix @@ -1,23 +1,41 @@ -{config, ...}: { +{...}: let + murmurStore = "/var/lib/murmur"; +in { services.murmur = { enable = true; openFirewall = true; welcometext = '' - You never get a second chance to make a first impression + You never get a second chance to make a first impression
The entire team of [name of the company] is thrilled to welcome you on board. We hope you’ll do some amazing work here! ''; - sslKey = "${config.security.acme.certs.murmur.directory}/key.pem"; - sslCert = "${config.security.acme.certs.murmur.directory}/fullchain.pem"; + sslKey = "${murmurStore}/key.pem"; + sslCert = "${murmurStore}/fullchain.pem"; registerUrl = "vhack.eu"; registerName = "vhack"; registerHostname = "mumble.vhack.eu"; hostName = "mumble.vhack.eu"; clientCertRequired = true; + bandwidth = 7200000; }; security.acme.certs.murmur = { domain = "mumble.vhack.eu"; + postRun = + /* + bash + */ + '' + set -x + rm "${murmurStore}/key.pem" + rm "${murmurStore}/fullchain.pem" + + cp key.pem "${murmurStore}"; + cp fullchain.pem "${murmurStore}"; + + chown murmur:murmur "${murmurStore}/key.pem" + chown murmur:murmur "${murmurStore}/fullchain.pem" + ''; }; } -- cgit 1.4.1