authortv <tv@krebsco.de>2022-08-22 14:58:40 +0200
committertv <tv@krebsco.de>2022-10-08 23:29:23 +0200
commit876fd5404d0bc9f838119505a4b7a9b7bdb60e9e (patch)
treea5878cb74d7b4c454fbf20f04a9c71ea2223de7a
parentc6aec96a556e56f7faf9eeb53202dd5a1a6cefc8 (diff)
tv ejabberd: use dynamic user
-rw-r--r--tv/3modules/ejabberd/config.nix4
-rw-r--r--tv/3modules/ejabberd/default.nix42
2 files changed, 21 insertions, 25 deletions
diff --git a/tv/3modules/ejabberd/config.nix b/tv/3modules/ejabberd/config.nix
index a022bc448..cc4dbcfb1 100644
--- a/tv/3modules/ejabberd/config.nix
+++ b/tv/3modules/ejabberd/config.nix
@@ -62,7 +62,7 @@ in /* yaml */ ''
module: ejabberd_c2s
shaper: c2s_shaper
ciphers: ${toJSON ciphers}
- dhfile: /var/lib/ejabberd/dhfile
+ dhfile: ${config.stateDir}/dhfile
protocol_options: ${toJSON protocol_options}
starttls: true
starttls_required: true
@@ -112,7 +112,7 @@ in /* yaml */ ''
s2s_access: s2s
s2s_ciphers: ${toJSON ciphers}
- s2s_dhfile: /var/lib/ejabberd/dhfile
+ s2s_dhfile: ${config.stateDir}/dhfile
s2s_protocol_options: ${toJSON protocol_options}
s2s_tls_compression: false
s2s_use_starttls: required
diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix
index 67683b186..147e53d61 100644
--- a/tv/3modules/ejabberd/default.nix
+++ b/tv/3modules/ejabberd/default.nix
@@ -33,8 +33,11 @@ in {
inherit pkgs;
config = cfg;
})} \
- --logs ${shell.escape cfg.user.home} \
- --spool ${shell.escape cfg.user.home} \
+ --ctl-config ${toFile "ejabberdctl.cfg" /* sh */ ''
+ ERL_OPTIONS='-setcookie ${cfg.stateDir}/.erlang.cookie'
+ ''} \
+ --logs ${cfg.stateDir} \
+ --spool ${cfg.stateDir} \
"$@"
'')
pkgs.ejabberd
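Review bot: `-setcookie` takes the cookie value itself, not a path, so the `ERL_OPTIONS` line in the new `ejabberdctl.cfg` makes the Erlang distribution cookie the literal string `${cfg.stateDir}/.erlang.cookie` — a value readable from this config rather than a secret, which defeats the purpose of the cookie shared between the node and ejabberdctl. If the intent is to relocate the cookie file because the dynamic user has no writable `$HOME`, the usual route is to point `HOME` at the state directory for both the service and the ctl wrapper (e.g. `HOME=${cfg.stateDir}` in the ctl config and `Environment = [ "HOME=${cfg.stateDir}" ]` in the service), or to load the cookie as a systemd credential and pass its contents. The wrapper expression this hunk edits starts before and ends after the hunk.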
@@ -47,12 +50,10 @@ in {
config.krebs.users.tv.mail
];
};
- user = mkOption {
- type = types.user;
- default = {
- name = "ejabberd";
- home = "/var/lib/ejabberd";
- };
+ stateDir = mkOption {
+ type = types.absolute-pathname;
+ default = "/var/lib/ejabberd";
+ readOnly = true;
};
};
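Review bot: The new `stateDir` option has no `description`, and because it is `readOnly` with a fixed default the constraint behind it is invisible to readers: it must equal `/var/lib/` plus the `StateDirectory = "ejabberd"` value hard-coded in the service and in the ctl wrapper. Suggest `description = "Service state directory; read-only because it must match StateDirectory=ejabberd.";`. Replacing `user` also removes an option other configs may have set, so a `lib.mkRemovedOptionModule` entry naming `stateDir`/`DynamicUser` as the replacement would turn a silent break into an evaluation-time message (hedged — it depends on whether anything outside this file referenced `cfg.user`).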
config = lib.mkIf cfg.enable {
@@ -61,10 +62,13 @@ in {
name = "ejabberd-sudo-wrapper";
paths = [
(pkgs.writeDashBin "ejabberdctl" ''
- set -efu
- cd ${shell.escape cfg.user.home}
- exec /run/wrappers/bin/sudo \
- -u ${shell.escape cfg.user.name} \
+ exec ${pkgs.systemd}/bin/systemd-run \
+ --unit=ejabberdctl \
+ --property=StateDirectory=ejabberd \
+ --property=User=ejabberd \
+ --collect \
+ --pipe \
+ --quiet \
${cfg.pkgs.ejabberd}/bin/ejabberdctl "$@"
'')
cfg.pkgs.ejabberd
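Review bot: `--unit=ejabberdctl` fixes the transient unit name, so a second `ejabberdctl` invocation while one is still running fails because the unit already exists; dropping `--unit` lets systemd-run generate a unique name, or use `--unit=ejabberdctl-$$` if a recognisable prefix is wanted. The transient unit also sets `User=ejabberd` without `DynamicUser=yes`, while the service in the last hunk allocates that user dynamically, so name resolution here presumably only works while the service is running — worth a `--property=DynamicUser=yes` or a comment stating the dependency. Since `systemd-run` replaces `sudo`, the wrapper's `ejabberd-sudo-wrapper` name is now misleading.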
@@ -80,7 +84,7 @@ in {
serviceConfig = {
ExecStart = pkgs.writeDash "ejabberd" ''
${pkgs.coreutils}/bin/ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials
- ${gen-dhparam} /var/lib/ejabberd/dhfile
+ ${gen-dhparam} ${cfg.stateDir}/dhfile
exec ${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground
'';
LoadCredential = [
@@ -89,18 +93,10 @@ in {
PrivateTmp = true;
SyslogIdentifier = "ejabberd";
StateDirectory = "ejabberd";
- User = cfg.user.name;
+ User = "ejabberd";
+ DynamicUser = true;
TimeoutStartSec = 60;
};
};
-
- users.users.${cfg.user.name} = {
- inherit (cfg.user) home name uid;
- createHome = true;
- group = cfg.user.name;
- isSystemUser = true;
- };
-
- users.groups.${cfg.user.name} = {};
};
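Review bot: Dropping the `users.users`/`users.groups` declarations does not by itself remove the static `ejabberd` user from hosts that already have it (NixOS only prunes declared users when `users.mutableUsers = false`), and systemd reuses an existing static account of that name instead of allocating a dynamic UID as far as I recall — so on upgraded hosts the sandboxing implied by `DynamicUser = true` may differ from a fresh install, and the ownership of existing files under `/var/lib/ejabberd` depends on `StateDirectory` chowning them. A short comment next to `DynamicUser = true` noting the migration step (remove the old account, or confirm it is gone) would save the next operator a surprise.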
}