From d488e5fe7236a74ab63a21d97db10923482b18dd Mon Sep 17 00:00:00 2001 From: tv Date: Sun, 21 Feb 2016 05:41:59 +0100 Subject: tv.ejabberd: use krebs.secret --- tv/3modules/ejabberd.nix | 36 ++++++++++++++++++++++-------------- 1 file changed, 22 insertions(+), 14 deletions(-) diff --git a/tv/3modules/ejabberd.nix b/tv/3modules/ejabberd.nix index c9d9b48b1..7ecd0a87e 100644 --- a/tv/3modules/ejabberd.nix +++ b/tv/3modules/ejabberd.nix @@ -12,9 +12,17 @@ let api = { enable = mkEnableOption "tv.ejabberd"; - certFile = mkOption { - type = types.str; - default = toString ; + certfile = mkOption { + type = types.secret-file; + default = { + path = "/etc/ejabberd/ejabberd.pem"; + owner-name = "ejabberd"; + source-path = toString + "/ejabberd.pem"; + }; + }; + s2s_certfile = mkOption { + type = types.secret-file; + default = cfg.certfile; }; hosts = mkOption { @@ -25,21 +33,22 @@ let imp = { environment.systemPackages = [ my-ejabberdctl ]; + krebs.secret.files = { + ejabberd-certfile = cfg.certfile; + ejabberd-s2s_certfile = cfg.s2s_certfile; + }; + systemd.services.ejabberd = { wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; + requires = [ "secret.service" ]; + after = [ "network.target" "secret.service" ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = "yes"; PermissionsStartOnly = "true"; SyslogIdentifier = "ejabberd"; User = user.name; - ExecStartPre = pkgs.writeScript "ejabberd-start" '' - #! /bin/sh - install -o ${user.name} -m 0400 ${cfg.certFile} /etc/ejabberd/ejabberd.pem - ''; - ExecStart = pkgs.writeScript "ejabberd-service" '' - #! /bin/sh + ExecStart = pkgs.writeDash "ejabberd" '' ${my-ejabberdctl}/bin/ejabberdctl start ''; }; @@ -75,7 +84,7 @@ let [ {5222, ejabberd_c2s, [ starttls, - {certfile, "/etc/ejabberd/ejabberd.pem"}, + {certfile, ${toErlang cfg.certfile.path}}, {access, c2s}, {shaper, c2s_shaper}, {max_stanza_size, 65536} @@ -92,7 +101,7 @@ let ]} ]}. {s2s_use_starttls, required}. - {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}. + {s2s_certfile, ${toErlang cfg.s2s_certfile.path}}. {auth_method, internal}. {shaper, normal, {maxrate, 1000}}. {shaper, fast, {maxrate, 50000}}. @@ -161,5 +170,4 @@ let # XXX this is a placeholder that happens to work the default strings. toErlang = builtins.toJSON; -in -out +in out -- cgit v1.2.3