{ config, lib, pkgs, ... }@args: with import <stockholm/lib>; let cfg = config.tv.ejabberd; gen-dhparam = pkgs.writeDash "gen-dhparam" '' set -efu path=$1 bits=2048 # TODO regenerate dhfile after some time? if ! test -e "$path"; then ${pkgs.openssl}/bin/openssl dhparam "$bits" > "$path" fi ''; in { options.tv.ejabberd = { enable = mkEnableOption "tv.ejabberd"; certfile = mkOption { type = types.secret-file; default = { name = "ejabberd-certfile"; path = "${cfg.user.home}/ejabberd.pem"; owner = cfg.user; source-path = toString <secrets> + "/ejabberd.pem"; }; }; dhfile = mkOption { type = types.secret-file; default = { name = "ejabberd-dhfile"; path = "${cfg.user.home}/dhparams.pem"; owner = cfg.user; source-path = "/dev/null"; }; }; hosts = mkOption { type = with types; listOf str; }; pkgs.ejabberd = mkOption { type = types.package; default = pkgs.symlinkJoin { name = "ejabberd-wrapper"; paths = [ (pkgs.writeDashBin "ejabberdctl" '' exec ${pkgs.ejabberd}/bin/ejabberdctl \ --config ${toFile "ejabberd.yaml" (import ./config.nix { inherit pkgs; config = cfg; })} \ --logs ${shell.escape cfg.user.home} \ --spool ${shell.escape cfg.user.home} \ "$@" '') pkgs.ejabberd ]; }; }; registration_watchers = mkOption { type = types.listOf types.str; default = [ config.krebs.users.tv.mail ]; }; s2s_certfile = mkOption { type = types.secret-file; default = cfg.certfile; }; user = mkOption { type = types.user; default = { name = "ejabberd"; home = "/var/lib/ejabberd"; }; }; }; config = lib.mkIf cfg.enable { environment.systemPackages = [ (pkgs.symlinkJoin { name = "ejabberd-sudo-wrapper"; paths = [ (pkgs.writeDashBin "ejabberdctl" '' set -efu cd ${shell.escape cfg.user.home} exec /run/wrappers/bin/sudo \ -u ${shell.escape cfg.user.name} \ ${cfg.pkgs.ejabberd}/bin/ejabberdctl "$@" '') cfg.pkgs.ejabberd ]; }) ]; krebs.secret.files = { ejabberd-certfile = cfg.certfile; ejabberd-s2s_certfile = cfg.s2s_certfile; }; systemd.services.ejabberd = { wantedBy = [ "multi-user.target" ]; after = [ config.krebs.secret.files.ejabberd-certfile.service config.krebs.secret.files.ejabberd-s2s_certfile.service "network.target" ]; partOf = [ config.krebs.secret.files.ejabberd-certfile.service config.krebs.secret.files.ejabberd-s2s_certfile.service ]; serviceConfig = { ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}"; ExecStart = "${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground"; PermissionsStartOnly = true; SyslogIdentifier = "ejabberd"; User = cfg.user.name; TimeoutStartSec = 60; }; }; users.users.${cfg.user.name} = { inherit (cfg.user) home name uid; createHome = true; }; }; }