From a1a0f11af481d94fea38f0f6f71e3340587503ac Mon Sep 17 00:00:00 2001 From: tv Date: Sat, 25 Dec 2021 11:41:20 +0100 Subject: tv ejabberd: use LoadCredential --- tv/3modules/ejabberd/config.nix | 9 ++++---- tv/3modules/ejabberd/default.nix | 49 ++++++++++++---------------------------- 2 files changed, 19 insertions(+), 39 deletions(-) diff --git a/tv/3modules/ejabberd/config.nix b/tv/3modules/ejabberd/config.nix index a0631e226..a022bc448 100644 --- a/tv/3modules/ejabberd/config.nix +++ b/tv/3modules/ejabberd/config.nix @@ -48,6 +48,9 @@ in /* yaml */ '' - "::1/128" - "::FFFF:127.0.0.1/128" + certfiles: + - /tmp/credentials/certfile + hosts: ${toJSON config.hosts} language: "en" @@ -58,9 +61,8 @@ in /* yaml */ '' ip: "::" module: ejabberd_c2s shaper: c2s_shaper - certfile: ${toJSON config.certfile.path} ciphers: ${toJSON ciphers} - dhfile: ${toJSON config.dhfile.path} + dhfile: /var/lib/ejabberd/dhfile protocol_options: ${toJSON protocol_options} starttls: true starttls_required: true @@ -109,9 +111,8 @@ in /* yaml */ '' mod_http_api: {} s2s_access: s2s - s2s_certfile: ${toJSON config.s2s_certfile.path} s2s_ciphers: ${toJSON ciphers} - s2s_dhfile: ${toJSON config.dhfile.path} + s2s_dhfile: /var/lib/ejabberd/dhfile s2s_protocol_options: ${toJSON protocol_options} s2s_tls_compression: false s2s_use_starttls: required diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix index 20b79f07f..935df9a9c 100644 --- a/tv/3modules/ejabberd/default.nix +++ b/tv/3modules/ejabberd/default.nix 
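Review bot: The new `certfiles:` entry in the first hunk hardcodes `/tmp/credentials/certfile`, a location that only works because the ejabberd unit symlinks `$CREDENTIALS_DIRECTORY` to that path inside its `PrivateTmp`; nothing in config.nix records that coupling, and the same path read without PrivateTmp would sit in a world-writable directory. I would add a YAML comment above the list, `# symlink to $CREDENTIALS_DIRECTORY created by the unit's ExecStart (default.nix); relies on PrivateTmp`. The `dhfile:` and `s2s_dhfile:` values in the second and third hunks likewise spell out the `/var/lib/ejabberd` path that the unit's `StateDirectory = "ejabberd"` implies, so a one-line comment pointing at that setting would help keep the two files in step.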
@@ -16,22 +16,8 @@ in { options.tv.ejabberd = { enable = mkEnableOption "tv.ejabberd"; certfile = mkOption { - type = types.secret-file; - default = { - name = "ejabberd-certfile"; - path = "${cfg.user.home}/ejabberd.pem"; - owner = cfg.user; - source-path = toString + "/ejabberd.pem"; - }; - }; - dhfile = mkOption { - type = types.secret-file; - default = { - name = "ejabberd-dhfile"; - path = "${cfg.user.home}/dhparams.pem"; - owner = cfg.user; - source-path = "/dev/null"; - }; + type = types.absolute-pathname; + default = toString + "/ejabberd.pem"; }; hosts = mkOption { type = with types; listOf str; @@ -61,10 +47,6 @@ in { config.krebs.users.tv.mail ]; }; - s2s_certfile = mkOption { - type = types.secret-file; - default = cfg.certfile; - }; user = mkOption { type = types.user; default = { @@ -90,27 +72,24 @@ in { }) ]; - krebs.secret.files = { - ejabberd-certfile = cfg.certfile; - ejabberd-s2s_certfile = cfg.s2s_certfile; - }; + krebs.systemd.services.ejabberd = {}; systemd.services.ejabberd = { wantedBy = [ "multi-user.target" ]; - after = [ - config.krebs.secret.files.ejabberd-certfile.service - config.krebs.secret.files.ejabberd-s2s_certfile.service - "network.target" - ]; - partOf = [ - config.krebs.secret.files.ejabberd-certfile.service - config.krebs.secret.files.ejabberd-s2s_certfile.service - ]; + after = [ "network.target" ]; serviceConfig = { - ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}"; - ExecStart = "${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground"; + ExecStart = pkgs.writeDash "ejabberd" '' + ${pkgs.coreutils}/bin/ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials + ${gen-dhparam} /var/lib/ejabberd/dhfile + exec ${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground + ''; + LoadCredential = [ + "certfile:${cfg.certfile}" + ]; PermissionsStartOnly = true; + PrivateTmp = true; SyslogIdentifier = "ejabberd"; + StateDirectory = "ejabberd"; User = cfg.user.name; TimeoutStartSec = 60; }; -- cgit v1.2.3
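Review bot: The reworked `certfile` option in the first hunk (`type = types.absolute-pathname;` / `default = toString + "/ejabberd.pem";`) carries no `description`, and its meaning has changed: the file is no longer copied into the service user's home by the secret-file machinery but handed to systemd through `LoadCredential`, so it is read by root at unit start rather than by `cfg.user`. I would add `description = "PEM certificate file handed to ejabberd via systemd LoadCredential; read by root when the unit starts, not copied into the user's home.";`. The `default = toString + "/ejabberd.pem"` expression also reads as if a path literal between `toString` and `+` was lost in rendering, which is worth confirming against the repository before relying on the default. The option set continues outside the hunk.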
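Review bot: The dash script under `ExecStart` in the last hunk runs without errexit, so a failed `ln -s` (for instance when `/tmp/credentials` already exists) or a failed `${gen-dhparam}` still falls through to `exec ejabberdctl foreground`, starting the server without the credential symlink or with a stale dhfile — unless `pkgs.writeDash` injects `set -e` itself, which the hunk does not show. I would open the script with `set -efu` as its first line so either prerequisite failure stops the unit visibly. `PermissionsStartOnly = true` no longer has anything to act on now that the `ExecStartPre` line is gone, and the dhparam generation it used to run as root now runs as `cfg.user.name` inside `ExecStart`, which works only because `StateDirectory = "ejabberd"` is owned by that user; dropping the setting and recording that dependency in a comment such as `# dhfile is written as cfg.user; StateDirectory makes /var/lib/ejabberd writable for it` would make the intent clear. The enclosing `systemd.services.ejabberd` definition closes outside the hunk.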