diff options
author | tv <tv@krebsco.de> | 2016-02-21 05:41:59 +0100 |
---|---|---|
committer | tv <tv@krebsco.de> | 2016-02-21 05:41:59 +0100 |
commit | d488e5fe7236a74ab63a21d97db10923482b18dd (patch) | |
tree | c1895513397a22243b5cf28fb92d3f92e5cb10c8 /tv/3modules | |
parent | b5fbca3a365b1188c1274e3288ba39a88ecad2e3 (diff) |
tv.ejabberd: use krebs.secret
Diffstat (limited to 'tv/3modules')
-rw-r--r-- | tv/3modules/ejabberd.nix | 36 |
1 files changed, 22 insertions, 14 deletions
diff --git a/tv/3modules/ejabberd.nix b/tv/3modules/ejabberd.nix index c9d9b48b1..7ecd0a87e 100644 --- a/tv/3modules/ejabberd.nix +++ b/tv/3modules/ejabberd.nix @@ -12,9 +12,17 @@ let api = { enable = mkEnableOption "tv.ejabberd"; - certFile = mkOption { - type = types.str; - default = toString <secrets/ejabberd.pem>; + certfile = mkOption { + type = types.secret-file; + default = { + path = "/etc/ejabberd/ejabberd.pem"; + owner-name = "ejabberd"; + source-path = toString <secrets> + "/ejabberd.pem"; + }; + }; + s2s_certfile = mkOption { + type = types.secret-file; + default = cfg.certfile; }; hosts = mkOption { @@ -25,21 +33,22 @@ let imp = { environment.systemPackages = [ my-ejabberdctl ]; + krebs.secret.files = { + ejabberd-certfile = cfg.certfile; + ejabberd-s2s_certfile = cfg.s2s_certfile; + }; + systemd.services.ejabberd = { wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; + requires = [ "secret.service" ]; + after = [ "network.target" "secret.service" ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = "yes"; PermissionsStartOnly = "true"; SyslogIdentifier = "ejabberd"; User = user.name; - ExecStartPre = pkgs.writeScript "ejabberd-start" '' - #! /bin/sh - install -o ${user.name} -m 0400 ${cfg.certFile} /etc/ejabberd/ejabberd.pem - ''; - ExecStart = pkgs.writeScript "ejabberd-service" '' - #! /bin/sh + ExecStart = pkgs.writeDash "ejabberd" '' ${my-ejabberdctl}/bin/ejabberdctl start ''; }; @@ -75,7 +84,7 @@ let [ {5222, ejabberd_c2s, [ starttls, - {certfile, "/etc/ejabberd/ejabberd.pem"}, + {certfile, ${toErlang cfg.certfile.path}}, {access, c2s}, {shaper, c2s_shaper}, {max_stanza_size, 65536} @@ -92,7 +101,7 @@ let ]} ]}. {s2s_use_starttls, required}. - {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}. + {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}. {auth_method, internal}. {shaper, normal, {maxrate, 1000}}. {shaper, fast, {maxrate, 50000}}. @@ -161,5 +170,4 @@ let # XXX this is a placeholder that happens to work the default strings. toErlang = builtins.toJSON; -in -out +in out |