-rw-r--r--lass/3modules/ejabberd/config.nix4
-rw-r--r--lass/3modules/ejabberd/default.nix18
2 files changed, 16 insertions, 6 deletions
diff --git a/lass/3modules/ejabberd/config.nix b/lass/3modules/ejabberd/config.nix
index 9a4882644..83ca5dc2a 100644
--- a/lass/3modules/ejabberd/config.nix
+++ b/lass/3modules/ejabberd/config.nix
@@ -10,7 +10,7 @@ in toFile "ejabberd.conf" ''
[
{5222, ejabberd_c2s, [
starttls,
- {certfile, ${toErlang cfg.certfile}},
+ {certfile, ${toErlang cfg.certfile.path}},
{access, c2s},
{shaper, c2s_shaper},
{max_stanza_size, 65536}
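Review bot: The new `certfile` entry points ejabberd at `cfg.certfile.path` without saying that this is the deployed copy of the secret rather than the ACME source it is copied from, which matters because the path ends up inside a store-resident config file generated by `toFile`; a comment such as `# path of the deployed secret (see krebs.secret.files in default.nix), not the ACME source` would make the indirection clear. The same applies to the `s2s_certfile` line in the second hunk of this file. Since only the path and never the PEM contents is interpolated here, nothing sensitive lands in the store, but that invariant is worth stating next to the interpolation so a later edit does not inline the file.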
@@ -27,7 +27,7 @@ in toFile "ejabberd.conf" ''
]}
]}.
{s2s_use_starttls, required}.
- {s2s_certfile, ${toErlang cfg.s2s_certfile}}.
+ {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}.
{auth_method, internal}.
{shaper, normal, {maxrate, 1000}}.
{shaper, fast, {maxrate, 50000}}.
diff --git a/lass/3modules/ejabberd/default.nix b/lass/3modules/ejabberd/default.nix
index c68f32ef0..18c7cd656 100644
--- a/lass/3modules/ejabberd/default.nix
+++ b/lass/3modules/ejabberd/default.nix
@@ -4,7 +4,12 @@ in {
options.lass.ejabberd = {
enable = mkEnableOption "lass.ejabberd";
certfile = mkOption {
- type = types.str;
+ type = types.secret-file;
+ default = {
+ path = "${cfg.user.home}/ejabberd.pem";
+ owner = cfg.user;
+ source-path = "/var/lib/acme/lassul.us/full.pem";
+ };
};
hosts = mkOption {
type = with types; listOf str;
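Review bot: The new default hard-codes a host-specific `source-path = "/var/lib/acme/lassul.us/full.pem"` inside a reusable module, so every other host that enables `lass.ejabberd` silently inherits a certificate path that will not exist there; either lift the source path into its own option or document the assumption with `# default assumes the lassul.us ACME cert lives on this host; override certfile.source-path elsewhere`. If `full.pem` is the usual ACME bundle that also carries the private key, the copy placed in `${cfg.user.home}` holds that key, and the default sets only `owner`, not a file mode, so the effective permissions depend entirely on what `types.secret-file` defaults to; if the type exposes a mode attribute, set it explicitly here rather than relying on that default. The option set continues past this hunk.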
@@ -17,12 +22,11 @@ in {
export EJABBERD_CONFIG_PATH=${shell.escape (import ./config.nix args)}
exec ${pkgs.ejabberd}/bin/ejabberdctl \
--logs ${shell.escape cfg.user.home} \
- --spool ${shell.escape cfg.user.home} \
"$@"
'';
};
s2s_certfile = mkOption {
- type = types.str;
+ type = types.secret-file;
default = cfg.certfile;
};
user = mkOption {
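Review bot: With `default = cfg.certfile` kept for `s2s_certfile` now that both are `types.secret-file`, the default configuration registers the same secret twice under `krebs.secret.files` (as `ejabberd-certfile` and `ejabberd-s2s_certfile` in the next hunk) with an identical target path; whether that is harmless depends on the secret module tolerating two entries that write the same file, so either make the default an explicit reference the secret module can deduplicate or note it with `# same secret as certfile; deployed twice unless the secret module dedups by path`. The removal of `--spool ${shell.escape cfg.user.home}` is unrelated to the secret-file migration and is not explained anywhere in the diff; ejabberd's spool now goes to whatever ejabberdctl's default is, which changes where persistent state is stored and deserves its own commit or at least a comment on the `exec` line.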
@@ -36,9 +40,15 @@ in {
config = lib.mkIf cfg.enable {
environment.systemPackages = [ cfg.pkgs.ejabberdctl ];
+ krebs.secret.files = {
+ ejabberd-certfile = cfg.certfile;
+ ejabberd-s2s_certfile = cfg.s2s_certfile;
+ };
+
systemd.services.ejabberd = {
wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
+ requires = [ "secret.service" ];
+ after = [ "network.target" "secret.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = "yes";