authorSoispha <soispha@vhack.eu>2023-10-03 17:29:00 +0200
committerSoispha <soispha@vhack.eu>2023-10-03 18:08:45 +0200
commitc154fa39a7f68a17713eff260c45c4d23835feb1 (patch)
tree723ceae9d305fc0bb4056bf1d521355709654515
parentfeat(system/services/murmur): Initialize (diff)
downloadnixos-server-c154fa39a7f68a17713eff260c45c4d23835feb1.zip
fix(system/services/murmur): Allow murmur's user to read certs
Diffstat (limited to '')
-rw-r--r--system/impermanence/default.nix1
-rw-r--r--system/impermanence/mods/murmur.nix10
-rw-r--r--system/services/murmur/default.nix26
3 files changed, 33 insertions, 4 deletions
diff --git a/system/impermanence/default.nix b/system/impermanence/default.nix
index 6e977b5..f3d792d 100644
--- a/system/impermanence/default.nix
+++ b/system/impermanence/default.nix
@@ -5,6 +5,7 @@
./mods/mail.nix
./mods/matrix.nix
./mods/minecraft.nix
+ ./mods/murmur.nix
./mods/nix-sync.nix
./mods/openssh.nix
./mods/postgresql.nix
diff --git a/system/impermanence/mods/murmur.nix b/system/impermanence/mods/murmur.nix
new file mode 100644
index 0000000..48912e1
--- /dev/null
+++ b/system/impermanence/mods/murmur.nix
@@ -0,0 +1,10 @@
+{...}: {
+ environment.persistence."/srv".directories = [
+ {
+ directory = "/var/lib/murmur";
+ user = "murmur";
+ group = "murmur";
+ mode = "0700";
+ }
+ ];
+}
diff --git a/system/services/murmur/default.nix b/system/services/murmur/default.nix
index 9c04db0..1dcd781 100644
--- a/system/services/murmur/default.nix
+++ b/system/services/murmur/default.nix
@@ -1,23 +1,41 @@
-{config, ...}: {
+{...}: let
+ murmurStore = "/var/lib/murmur";
+in {
services.murmur = {
enable = true;
openFirewall = true;
welcometext = ''
- <b>You never get a second chance to make a first impression</b>
+ <b>You never get a second chance to make a first impression</b><br>
The entire team of [name of the company] is thrilled to welcome you on board. We hope you’ll do some amazing work here!
'';
- sslKey = "${config.security.acme.certs.murmur.directory}/key.pem";
- sslCert = "${config.security.acme.certs.murmur.directory}/fullchain.pem";
+ sslKey = "${murmurStore}/key.pem";
+ sslCert = "${murmurStore}/fullchain.pem";
registerUrl = "vhack.eu";
registerName = "vhack";
registerHostname = "mumble.vhack.eu";
hostName = "mumble.vhack.eu";
clientCertRequired = true;
+ bandwidth = 7200000;
};
security.acme.certs.murmur = {
domain = "mumble.vhack.eu";
+ postRun =
+ /*
+ bash
+ */
+ ''
+ set -x
+ rm "${murmurStore}/key.pem"
+ rm "${murmurStore}/fullchain.pem"
+
+ cp key.pem "${murmurStore}";
+ cp fullchain.pem "${murmurStore}";
+
+ chown murmur:murmur "${murmurStore}/key.pem"
+ chown murmur:murmur "${murmurStore}/fullchain.pem"
+ '';
};
}
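Review bot: In the added `postRun` script the private key is placed with `cp` and only then `chown`ed, with no mode ever set, so the copy in `/var/lib/murmur` keeps whatever mode the ACME-managed file has and stays root-owned until the `chown` line runs. The two `rm` calls have no `-f`, so they fail on the first run when no copy exists yet; whether that aborts the script depends on errexit, which the hunk does not show. A single `install -m 0400 -o murmur -g murmur key.pem "${murmurStore}/key.pem"` (and the same with `-m 0444` for `fullchain.pem`) would replace each rm/cp/chown triple and set owner and mode in one step. Nothing visible here makes murmur pick up a renewed certificate, so unless the service reloads it by itself, `reloadServices = ["murmur.service"];` on the cert may be needed. If the copy is not required for another reason, setting `group = "murmur";` on `security.acme.certs.murmur` would avoid keeping a second copy of the key at all.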