summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2021-12-25 11:41:15 +0100
committertv <tv@krebsco.de>2021-12-25 16:43:51 +0100
commit95fd872e158c092db7d04a16640b0679fc9b6d40 (patch)
tree73bda09d9c5b6a393e97617cf207fea8a76613fe
parent4b4c397e838aed1cf7ce1fdd8dbae10b0cba2749 (diff)
tv charybdis: use LoadCredential
-rw-r--r--tv/3modules/charybdis/config.nix4
-rw-r--r--tv/3modules/charybdis/default.nix43
2 files changed, 17 insertions, 30 deletions
diff --git a/tv/3modules/charybdis/config.nix b/tv/3modules/charybdis/config.nix
index 3c73d25..dccbfde 100644
--- a/tv/3modules/charybdis/config.nix
+++ b/tv/3modules/charybdis/config.nix
@@ -61,13 +61,13 @@ in toFile "charybdis.conf" ''
vhost6 = ${toJSON config.krebs.build.host.nets.retiolum.ip6.addr};
/* ssl_private_key: our ssl private key */
- ssl_private_key = ${toJSON cfg.ssl_private_key.path};
+ ssl_private_key = "/tmp/credentials/ssl_private_key";
/* ssl_cert: certificate for our ssl server */
ssl_cert = ${toJSON cfg.ssl_cert};
/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
- ssl_dh_params = ${toJSON cfg.ssl_dh_params.path};
+ ssl_dh_params = "/tmp/credentials/ssl_dh_params";
/* ssld_count: number of ssld processes you want to start, if you
* have a really busy server, using N-1 where N is the number of
diff --git a/tv/3modules/charybdis/default.nix b/tv/3modules/charybdis/default.nix
index 1917ab7..96aae70 100644
--- a/tv/3modules/charybdis/default.nix
+++ b/tv/3modules/charybdis/default.nix
@@ -15,22 +15,12 @@ in {
type = types.path;
};
ssl_dh_params = mkOption {
- type = types.secret-file;
- default = {
- name = "charybdis-ssl_dh_params";
- path = "${cfg.user.home}/dh.pem";
- owner = cfg.user;
- source-path = toString <secrets> + "/charybdis.dh.pem";
- };
+ type = types.absolute-pathname;
+ default = toString <secrets> + "/charybdis.dh.pem";
};
ssl_private_key = mkOption {
- type = types.secret-file;
- default = {
- name = "charybdis-ssl_private_key";
- path = "${cfg.user.home}/ssl.key.pem";
- owner = cfg.user;
- source-path = toString <secrets> + "/charybdis.key.pem";
- };
+ type = types.absolute-pathname;
+ default = toString <secrets> + "/charybdis.key.pem";
};
sslport = mkOption {
type = types.int;
@@ -46,22 +36,13 @@ in {
};
config = lib.mkIf cfg.enable {
- krebs.secret.files.charybdis-ssl_dh_params = cfg.ssl_dh_params;
- krebs.secret.files.charybdis-ssl_private_key = cfg.ssl_private_key;
-
environment.etc."charybdis-ircd.motd".text = cfg.motd;
+ krebs.systemd.services.charybdis = {};
+
systemd.services.charybdis = {
wantedBy = [ "multi-user.target" ];
- after = [
- config.krebs.secret.files.charybdis-ssl_dh_params.service
- config.krebs.secret.files.charybdis-ssl_private_key.service
- "network-online.target"
- ];
- partOf = [
- config.krebs.secret.files.charybdis-ssl_dh_params.service
- config.krebs.secret.files.charybdis-ssl_private_key.service
- ];
+ after = [ "network-online.target" ];
environment = {
BANDB_DBPATH = "${cfg.user.home}/ban.db";
};
@@ -70,14 +51,20 @@ in {
User = cfg.user.name;
PrivateTmp = true;
Restart = "always";
- ExecStartPre =
- "${pkgs.coreutils}/bin/ln -s /etc/charybdis-ircd.motd /tmp/ircd.motd";
+ ExecStartPre = [
+ "${pkgs.coreutils}/bin/ln -s /etc/charybdis-ircd.motd /tmp/ircd.motd"
+ "${pkgs.coreutils}/bin/ln -s \${CREDENTIALS_DIRECTORY} /tmp/credentials"
+ ];
ExecStart = toString [
"${pkgs.charybdis}/bin/charybdis"
"-configfile ${import ./config.nix args}"
"-foreground"
"-logfile /dev/stderr"
];
+ LoadCredential = [
+ "ssl_dh_params:${cfg.ssl_dh_params}"
+ "ssl_private_key:${cfg.ssl_private_key}"
+ ];
};
};