author | tv <tv@krebsco.de> | 2022-08-22 14:58:40 +0200 |
---|---|---|
committer | tv <tv@krebsco.de> | 2022-10-08 23:29:23 +0200 |
commit | 876fd5404d0bc9f838119505a4b7a9b7bdb60e9e (patch) | |
tree | a5878cb74d7b4c454fbf20f04a9c71ea2223de7a | |
parent | c6aec96a556e56f7faf9eeb53202dd5a1a6cefc8 (diff) |
tv ejabberd: use dynamic user
-rw-r--r-- | tv/3modules/ejabberd/config.nix | 4 | ||||
-rw-r--r-- | tv/3modules/ejabberd/default.nix | 42 |
2 files changed, 21 insertions, 25 deletions
diff --git a/tv/3modules/ejabberd/config.nix b/tv/3modules/ejabberd/config.nix
index a022bc448..cc4dbcfb1 100644
--- a/tv/3modules/ejabberd/config.nix
+++ b/tv/3modules/ejabberd/config.nix
@@ -62,7 +62,7 @@ in /* yaml */ ''
 module: ejabberd_c2s
 shaper: c2s_shaper
 ciphers: ${toJSON ciphers}
- dhfile: /var/lib/ejabberd/dhfile
+ dhfile: ${config.stateDir}/dhfile
 protocol_options: ${toJSON protocol_options}
 starttls: true
 starttls_required: true
@@ -112,7 +112,7 @@ in /* yaml */ ''
 s2s_access: s2s
 s2s_ciphers: ${toJSON ciphers}
- s2s_dhfile: /var/lib/ejabberd/dhfile
+ s2s_dhfile: ${config.stateDir}/dhfile
 s2s_protocol_options: ${toJSON protocol_options}
 s2s_tls_compression: false
 s2s_use_starttls: required
diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix
index 67683b186..147e53d61 100644
--- a/tv/3modules/ejabberd/default.nix
+++ b/tv/3modules/ejabberd/default.nix
@@ -33,8 +33,11 @@ in {
 inherit pkgs;
 config = cfg;
 })} \
- --logs ${shell.escape cfg.user.home} \
- --spool ${shell.escape cfg.user.home} \
+ --ctl-config ${toFile "ejabberdctl.cfg" /* sh */ ''
+ ERL_OPTIONS='-setcookie ${cfg.stateDir}/.erlang.cookie'
+ ''} \
+ --logs ${cfg.stateDir} \
+ --spool ${cfg.stateDir} \
 "$@"
 '')
 pkgs.ejabberd
@@ -47,12 +50,10 @@ in {
 config.krebs.users.tv.mail
 ];
 };
- user = mkOption {
- type = types.user;
- default = {
- name = "ejabberd";
- home = "/var/lib/ejabberd";
- };
+ stateDir = mkOption {
+ type = types.absolute-pathname;
+ default = "/var/lib/ejabberd";
+ readOnly = true;
 };
 };
 config = lib.mkIf cfg.enable {
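Review bot: In the new `--ctl-config` block of the `@@ -33,8 +33,11 @@` hunk, `ERL_OPTIONS='-setcookie ${cfg.stateDir}/.erlang.cookie'` does not read a cookie file — `-setcookie` takes the cookie value itself, so the literal path string (by default `/var/lib/ejabberd/.erlang.cookie`, visible in this repository) becomes the Erlang distribution cookie for both the daemon and the ctl wrapper. The cookie is the only credential protecting distributed-Erlang access to the node, so a predictable value matters if epmd or the node's distribution port is reachable from anything other than loopback; whether that is the case here depends on networking configured outside this hunk. If the goal is to share one secret between the service and the `systemd-run` wrapper, read the file instead, e.g. `ERL_OPTIONS="-setcookie $(cat ${cfg.stateDir}/.erlang.cookie)"` (the file is marked `/* sh */`, so this presumes ejabberdctl sources it as shell — confirm), or set `ERLANG_COOKIE` in the same file if the bundled ejabberdctl honours it, and keep the cookie file at mode 0400 owned by the service user. Binding distribution to loopback with `-kernel inet_dist_use_interface {127,0,0,1}` in the same options would limit the blast radius regardless of the cookie choice.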
@@ -61,10 +62,13 @@ in {
 name = "ejabberd-sudo-wrapper";
 paths = [
 (pkgs.writeDashBin "ejabberdctl" ''
- set -efu
- cd ${shell.escape cfg.user.home}
- exec /run/wrappers/bin/sudo \
- -u ${shell.escape cfg.user.name} \
+ exec ${pkgs.systemd}/bin/systemd-run \
+ --unit=ejabberdctl \
+ --property=StateDirectory=ejabberd \
+ --property=User=ejabberd \
+ --collect \
+ --pipe \
+ --quiet \
 ${cfg.pkgs.ejabberd}/bin/ejabberdctl "$@"
 '')
 cfg.pkgs.ejabberd
@@ -80,7 +84,7 @@ in {
 serviceConfig = {
 ExecStart = pkgs.writeDash "ejabberd" ''
 ${pkgs.coreutils}/bin/ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials
- ${gen-dhparam} /var/lib/ejabberd/dhfile
+ ${gen-dhparam} ${cfg.stateDir}/dhfile
 exec ${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground
 '';
 LoadCredential = [
@@ -89,18 +93,10 @@ in {
 PrivateTmp = true;
 SyslogIdentifier = "ejabberd";
 StateDirectory = "ejabberd";
- User = cfg.user.name;
+ User = "ejabberd";
+ DynamicUser = true;
 TimeoutStartSec = 60;
 };
 };
-
- users.users.${cfg.user.name} = {
- inherit (cfg.user) home name uid;
- createHome = true;
- group = cfg.user.name;
- isSystemUser = true;
- };
-
- users.groups.${cfg.user.name} = {};
 };
 }
 |
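Review bot: The transient unit in the `@@ -61,10 +62,13 @@` hunk sets `--property=User=ejabberd` without `DynamicUser=yes`, while the last hunk of this file switches the service to `DynamicUser = true` and removes the static `users.users`/`users.groups` entries for that name. The user `ejabberd` then exists only through nss-systemd while the service is running, so the wrapper presumably fails with an unknown user when the service is stopped, and `--property=StateDirectory=ejabberd` on a non-dynamic unit may adjust ownership of a directory the dynamic-user service keeps under `/var/lib/private` — both worth confirming on a host before relying on the wrapper. Adding `--property=DynamicUser=yes` so the transient unit uses the same mechanism, or a comment above the `systemd-run` line stating that the wrapper only works while `ejabberd.service` is active, would make the dependency explicit. The name `ejabberd-sudo-wrapper` no longer describes what the wrapper does now that sudo is gone; the enclosing attribute set starts before this hunk.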