author | tv <tv@krebsco.de> | 2021-12-25 11:41:15 +0100 |
---|---|---|
committer | tv <tv@krebsco.de> | 2021-12-25 16:43:51 +0100 |
commit | 95fd872e158c092db7d04a16640b0679fc9b6d40 (patch) | |
tree | 73bda09d9c5b6a393e97617cf207fea8a76613fe | |
parent | 4b4c397e838aed1cf7ce1fdd8dbae10b0cba2749 (diff) |
tv charybdis: use LoadCredential
-rw-r--r-- | tv/3modules/charybdis/config.nix | 4 | ||||
-rw-r--r-- | tv/3modules/charybdis/default.nix | 43 |
2 files changed, 17 insertions, 30 deletions
diff --git a/tv/3modules/charybdis/config.nix b/tv/3modules/charybdis/config.nix
index 3c73d25..dccbfde 100644
--- a/tv/3modules/charybdis/config.nix
+++ b/tv/3modules/charybdis/config.nix
@@ -61,13 +61,13 @@ in toFile "charybdis.conf" ''
   vhost6 = ${toJSON config.krebs.build.host.nets.retiolum.ip6.addr};
   /* ssl_private_key: our ssl private key */
-  ssl_private_key = ${toJSON cfg.ssl_private_key.path};
+  ssl_private_key = "/tmp/credentials/ssl_private_key";
   /* ssl_cert: certificate for our ssl server */
   ssl_cert = ${toJSON cfg.ssl_cert};
   /* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
-  ssl_dh_params = ${toJSON cfg.ssl_dh_params.path};
+  ssl_dh_params = "/tmp/credentials/ssl_dh_params";
   /* ssld_count: number of ssld processes you want to start, if you
    * have a really busy server, using N-1 where N is the number of
diff --git a/tv/3modules/charybdis/default.nix b/tv/3modules/charybdis/default.nix
index 1917ab7..96aae70 100644
--- a/tv/3modules/charybdis/default.nix
+++ b/tv/3modules/charybdis/default.nix
@@ -15,22 +15,12 @@ in {
     type = types.path;
   };
   ssl_dh_params = mkOption {
-    type = types.secret-file;
-    default = {
-      name = "charybdis-ssl_dh_params";
-      path = "${cfg.user.home}/dh.pem";
-      owner = cfg.user;
-      source-path = toString <secrets> + "/charybdis.dh.pem";
-    };
+    type = types.absolute-pathname;
+    default = toString <secrets> + "/charybdis.dh.pem";
   };
   ssl_private_key = mkOption {
-    type = types.secret-file;
-    default = {
-      name = "charybdis-ssl_private_key";
-      path = "${cfg.user.home}/ssl.key.pem";
-      owner = cfg.user;
-      source-path = toString <secrets> + "/charybdis.key.pem";
-    };
+    type = types.absolute-pathname;
+    default = toString <secrets> + "/charybdis.key.pem";
   };
   sslport = mkOption {
     type = types.int;
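Review bot: The two added `ssl_private_key` and `ssl_dh_params` lines hard-code `/tmp/credentials/...`, a path that only exists because default.nix's ExecStartPre symlinks `$CREDENTIALS_DIRECTORY` to `/tmp/credentials` inside the unit's PrivateTmp; nothing in this file says so, and the literal and the two credential names are duplicated across the two files. A comment above the first of them would keep a later edit of either side from silently breaking TLS startup, e.g. `/* credential paths resolve through the /tmp/credentials symlink that default.nix's ExecStartPre creates (PrivateTmp); keep the names in sync with LoadCredential */`. The enclosing `toFile` string starts before the hunk.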
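Review bot: Both rewritten options carry no `description`, and the switch to `types.absolute-pathname` changes the contract in a way users should be told: the value is now handed to `LoadCredential` as a string, so the secret no longer has to be readable by `cfg.user` (the old `owner = cfg.user` copy is gone) and can stay root-only on disk. A description such as `description = "Absolute path, outside the Nix store, of the TLS private key; loaded by systemd via LoadCredential, so it may remain root-only on disk.";` for `ssl_private_key`, with matching wording for `ssl_dh_params`, would capture that. The defaults keep `toString <secrets>`, which is what prevents the file from being copied into the world-readable store; if `absolute-pathname` also accepts a Nix path literal, an overriding user could reintroduce such a copy when the value is interpolated, so it is worth checking the type's check or stating in the description that only strings are intended.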
@@ -46,22 +36,13 @@ in {
   };
   config = lib.mkIf cfg.enable {
-    krebs.secret.files.charybdis-ssl_dh_params = cfg.ssl_dh_params;
-    krebs.secret.files.charybdis-ssl_private_key = cfg.ssl_private_key;
-
     environment.etc."charybdis-ircd.motd".text = cfg.motd;
+    krebs.systemd.services.charybdis = {};
+
     systemd.services.charybdis = {
       wantedBy = [ "multi-user.target" ];
-      after = [
-        config.krebs.secret.files.charybdis-ssl_dh_params.service
-        config.krebs.secret.files.charybdis-ssl_private_key.service
-        "network-online.target"
-      ];
-      partOf = [
-        config.krebs.secret.files.charybdis-ssl_dh_params.service
-        config.krebs.secret.files.charybdis-ssl_private_key.service
-      ];
+      after = [ "network-online.target" ];
       environment = {
         BANDB_DBPATH = "${cfg.user.home}/ban.db";
       };
@@ -70,14 +51,20 @@ in {
       User = cfg.user.name;
       PrivateTmp = true;
       Restart = "always";
-      ExecStartPre =
-        "${pkgs.coreutils}/bin/ln -s /etc/charybdis-ircd.motd /tmp/ircd.motd";
+      ExecStartPre = [
+        "${pkgs.coreutils}/bin/ln -s /etc/charybdis-ircd.motd /tmp/ircd.motd"
+        "${pkgs.coreutils}/bin/ln -s \${CREDENTIALS_DIRECTORY} /tmp/credentials"
+      ];
       ExecStart = toString [
         "${pkgs.charybdis}/bin/charybdis"
         "-configfile ${import ./config.nix args}"
         "-foreground"
         "-logfile /dev/stderr"
       ];
+      LoadCredential = [
+        "ssl_dh_params:${cfg.ssl_dh_params}"
+        "ssl_private_key:${cfg.ssl_private_key}"
+      ];
     };
   };
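Review bot: `krebs.systemd.services.charybdis = {};` is an empty attrset with no hint of what it enables, although it is the replacement for the dropped `after`/`partOf` wiring to the secret-file services. Presumably it opts the unit into the krebs systemd module's handling of LoadCredential sources (restart when a credential file changes), but that is not visible here; it should be confirmed against that module and recorded next to the line, e.g. `# opt into krebs.systemd's LoadCredential handling; replaces the old secret-file after/partOf wiring`. The `after = [ "network-online.target" ]` line without a matching `wants` does not pull the target in, though that is unchanged from before.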
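Review bot: The new `ln -s \${CREDENTIALS_DIRECTORY} /tmp/credentials` in `ExecStartPre` is only safe because of the `PrivateTmp = true` two lines above; without it the link would live in the shared `/tmp`, where any local user could create a conflicting entry first, so the two settings should be tied together with a comment such as `# /tmp/credentials is the path config.nix uses; PrivateTmp keeps this symlink and its $CREDENTIALS_DIRECTORY target out of the shared /tmp`. `Restart = "always"` re-runs both `ln -s` commands on every restart, and a pre-existing link would make the pre-start fail; systemd normally discards the private tmp on stop, but if it ever survives a restart, `ln -sfn` keeps the step idempotent (the pre-existing motd `ln` has the same property). `LoadCredential` with absolute paths means the files are read by systemd at start rather than by the service user, so the sources under `<secrets>` can remain root-only — worth noting in the module so nobody re-widens their permissions.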