Commit 309bf1db authored by Felix Singer's avatar Felix Singer
Browse files

nixos/murmur: Allow hooking up to ACME certificate service 



In order to simplify using certificates provided by ACME, add the option
`services.murmur.tls.useACMEHost`. If set, the options keyPath, certPath
and caPath are pre-configured appropriately.

Also, add the appriopriate ACME systemd service to Murmur's
dependencies if useACMEHost is set.

Signed-off-by: default avatarFelix Singer <felixsinger@posteo.net>
parent 174da936

nixos/modules/services/networking/murmur.nix

+31 −4
Original line number Diff line number Diff line
@@ -7,6 +7,8 @@ 


let

  cfg = config.services.murmur;

  acmeHostDir = config.security.acme.certs."${cfg.tls.useACMEHost}".directory;



  forking = cfg.logToFile;

  configFile = pkgs.writeText "murmurd.ini" ''

    database=${cfg.stateDir}/murmur.sqlite
@@ -246,21 +248,38 @@ in 
      tls = {

        certPath = lib.mkOption {

          type = lib.types.nullOr lib.types.path;

          default = null;

          default = if (cfg.tls.useACMEHost != null) then "${acmeHostDir}/cert.pem" else null;

          defaultText = lib.literalMD "If {option}`services.murmur.tls.useACMEHost` is set, defaults to what's provided by the ACME module.";

          description = "Path to your TLS certificate.";

        };



        keyPath = lib.mkOption {

          type = lib.types.nullOr lib.types.path;

          default = null;

          default = if (cfg.tls.useACMEHost != null) then "${acmeHostDir}/key.pem" else null;

          defaultText = lib.literalMD "If {option}`services.murmur.tls.useACMEHost` is set, defaults to what's provided by the ACME module.";

          description = "Path to your TLS key.";

        };



        caPath = lib.mkOption {

          type = lib.types.nullOr lib.types.path;

          default = null;

          default = if (cfg.tls.useACMEHost != null) then "${acmeHostDir}/chain.pem" else null;

          defaultText = lib.literalMD "If {option}`services.murmur.tls.useACMEHost` is set, defaults to what's provided by the ACME module.";

          description = "Path to your TLS CA certificate.";

        };



        useACMEHost = lib.mkOption {

          type = lib.types.nullOr lib.types.str;

          default = null;

          example = "mumble.example.com";

          description = ''

            Host of an existing Let's Encrypt certificate to use for TLS.

            Make sure that the certificate directory is readable by the

            `murmur` user or group. *Note that this option does not

            create any certificates and it doesn't add subdomains to

            existing ones – you will need to create them manually using

            {option}`security.acme.certs`.*

          '';

        };

      };



      extraConfig = lib.mkOption {
@@ -324,10 +343,18 @@ in 
      allowedUDPPorts = [ cfg.port ];

    };



    security.acme.certs = lib.mkIf (cfg.tls.useACMEHost != null) {

      "${cfg.tls.useACMEHost}".reloadServices = [ "murmur.service" ];

    };



    systemd.services.murmur = {

      description = "Murmur Chat Service";

      wantedBy = [ "multi-user.target" ];

      after = [ "network.target" ];

      after = [

        "network.target"

      ]

      ++ lib.optional (cfg.tls.useACMEHost != null) "acme-${cfg.tls.useACMEHost}.service";

      wants = lib.mkIf (cfg.tls.useACMEHost != null) [ "acme-${cfg.tls.useACMEHost}.service" ];

      preStart = ''

        ${pkgs.envsubst}/bin/envsubst \

          -o /run/murmur/murmurd.ini \