authortv <tv@krebsco.de>2021-12-25 11:41:20 +0100
committertv <tv@krebsco.de>2021-12-25 16:43:51 +0100
commita1a0f11af481d94fea38f0f6f71e3340587503ac (patch)
tree3d8868a6e930621f0a48464db1b9d94283b6a008 /tv
parentd4b12744d5dab07f3dc60182a86e32f775d3fe4b (diff)
tv ejabberd: use LoadCredential
Diffstat (limited to 'tv')
-rw-r--r--tv/3modules/ejabberd/config.nix9
-rw-r--r--tv/3modules/ejabberd/default.nix49
2 files changed, 19 insertions, 39 deletions
diff --git a/tv/3modules/ejabberd/config.nix b/tv/3modules/ejabberd/config.nix
index a0631e22..a022bc44 100644
--- a/tv/3modules/ejabberd/config.nix
+++ b/tv/3modules/ejabberd/config.nix
@@ -48,6 +48,9 @@ in /* yaml */ ''
- "::1/128"
- "::FFFF:127.0.0.1/128"
+ certfiles:
+ - /tmp/credentials/certfile
+
hosts: ${toJSON config.hosts}
language: "en"
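Review bot: The new `certfiles` entry hard-codes `/tmp/credentials/certfile`, a path that exists only because the ejabberd unit's start script symlinks `$CREDENTIALS_DIRECTORY` there under `PrivateTmp`, and nothing in this file records that coupling. Should the unit ever lose `PrivateTmp`, a shared `/tmp/credentials` could be pre-created by another local user and ejabberd would load whatever that path points at. I would put a YAML comment above the list: `# symlink to $CREDENTIALS_DIRECTORY, created by the ejabberd unit's ExecStart (relies on PrivateTmp)`. The enclosing `'' … ''` YAML string starts and ends outside this hunk.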
@@ -58,9 +61,8 @@ in /* yaml */ ''
ip: "::"
module: ejabberd_c2s
shaper: c2s_shaper
- certfile: ${toJSON config.certfile.path}
ciphers: ${toJSON ciphers}
- dhfile: ${toJSON config.dhfile.path}
+ dhfile: /var/lib/ejabberd/dhfile
protocol_options: ${toJSON protocol_options}
starttls: true
starttls_required: true
@@ -109,9 +111,8 @@ in /* yaml */ ''
mod_http_api: {}
s2s_access: s2s
- s2s_certfile: ${toJSON config.s2s_certfile.path}
s2s_ciphers: ${toJSON ciphers}
- s2s_dhfile: ${toJSON config.dhfile.path}
+ s2s_dhfile: /var/lib/ejabberd/dhfile
s2s_protocol_options: ${toJSON protocol_options}
s2s_tls_compression: false
s2s_use_starttls: required
diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix
index 20b79f07..935df9a9 100644
--- a/tv/3modules/ejabberd/default.nix
+++ b/tv/3modules/ejabberd/default.nix
@@ -16,22 +16,8 @@ in {
options.tv.ejabberd = {
enable = mkEnableOption "tv.ejabberd";
certfile = mkOption {
- type = types.secret-file;
- default = {
- name = "ejabberd-certfile";
- path = "${cfg.user.home}/ejabberd.pem";
- owner = cfg.user;
- source-path = toString <secrets> + "/ejabberd.pem";
- };
- };
- dhfile = mkOption {
- type = types.secret-file;
- default = {
- name = "ejabberd-dhfile";
- path = "${cfg.user.home}/dhparams.pem";
- owner = cfg.user;
- source-path = "/dev/null";
- };
+ type = types.absolute-pathname;
+ default = toString <secrets> + "/ejabberd.pem";
};
hosts = mkOption {
type = with types; listOf str;
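Review bot: The `certfile` option changes meaning in this hunk — it is no longer a `secret-file` deployed into `cfg.user.home` but a host path that systemd hands to the service through `LoadCredential` — yet the option still has no `description`, so the new contract is invisible to anyone reading `options.tv.ejabberd`. I would add `description = "PEM file passed to ejabberd via systemd LoadCredential; read by systemd (root) when the unit starts, so it need not be readable by the ejabberd user.";` next to the default. The removal of `dhfile` also means the DH parameter location is now fixed by the unit rather than configurable; a one-line comment there would save the next reader a search. The `options.tv.ejabberd` set continues past the end of the hunk.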
@@ -61,10 +47,6 @@ in {
config.krebs.users.tv.mail
];
};
- s2s_certfile = mkOption {
- type = types.secret-file;
- default = cfg.certfile;
- };
user = mkOption {
type = types.user;
default = {
@@ -90,27 +72,24 @@ in {
})
];
- krebs.secret.files = {
- ejabberd-certfile = cfg.certfile;
- ejabberd-s2s_certfile = cfg.s2s_certfile;
- };
+ krebs.systemd.services.ejabberd = {};
systemd.services.ejabberd = {
wantedBy = [ "multi-user.target" ];
- after = [
- config.krebs.secret.files.ejabberd-certfile.service
- config.krebs.secret.files.ejabberd-s2s_certfile.service
- "network.target"
- ];
- partOf = [
- config.krebs.secret.files.ejabberd-certfile.service
- config.krebs.secret.files.ejabberd-s2s_certfile.service
- ];
+ after = [ "network.target" ];
serviceConfig = {
- ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
- ExecStart = "${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground";
+ ExecStart = pkgs.writeDash "ejabberd" ''
+ ${pkgs.coreutils}/bin/ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials
+ ${gen-dhparam} /var/lib/ejabberd/dhfile
+ exec ${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground
+ '';
+ LoadCredential = [
+ "certfile:${cfg.certfile}"
+ ];
PermissionsStartOnly = true;
+ PrivateTmp = true;
SyslogIdentifier = "ejabberd";
+ StateDirectory = "ejabberd";
User = cfg.user.name;
TimeoutStartSec = 60;
};
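Review bot: The start script under `ExecStart` has no `set -e` (unless `writeDash` injects one, which I cannot see here), so a failing `ln -s` — `$CREDENTIALS_DIRECTORY` unset on a systemd without credential support, or a `/tmp/credentials` entry already present — or a failing `gen-dhparam` is ignored and ejabberd is still exec'd, only to fail later on a missing `certfile`/`dhfile` with a less obvious error. I would open the script with `set -efu` and use `ln -sfn "$CREDENTIALS_DIRECTORY" /tmp/credentials` so an existing link does not abort the start. `PermissionsStartOnly = true` is now a leftover: with `ExecStartPre` gone it affects nothing, and `gen-dhparam` consequently runs as `cfg.user` inside `ExecStart`, which is fine for `StateDirectory` (owned by that user) but means the option can be dropped. The enclosing `config` block continues outside the hunk.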