|
|
|
@ -178,13 +178,20 @@
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
host = mkOption {
|
|
|
|
|
externalHost = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "localhost";
|
|
|
|
|
example = "example.org";
|
|
|
|
|
description = lib.mdDoc ''
|
|
|
|
|
Base domain name for Calico to listen at. Each instance will be at a
|
|
|
|
|
subdomain of this.
|
|
|
|
|
Base domain name Calico will be accessible at. Each instance
|
|
|
|
|
will be at a subdomain of this.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
bindHost = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "localhost";
|
|
|
|
|
description = lib.mdDoc ''
|
|
|
|
|
The IP or host for Calico to bind to.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
@ -370,7 +377,7 @@
|
|
|
|
|
Group = cfg.user;
|
|
|
|
|
ExecStart = ''
|
|
|
|
|
${pkg}/bin/calico \
|
|
|
|
|
-H ${cfg.host} -P ${toString cfg.port} \
|
|
|
|
|
-H ${cfg.bindHost} -P ${toString cfg.port} \
|
|
|
|
|
-t ${toString cfg.timeout} ${cfg.dataDir}
|
|
|
|
|
'';
|
|
|
|
|
Restart = "on-failure";
|
|
|
|
@ -391,22 +398,22 @@
|
|
|
|
|
Group = cfg.user;
|
|
|
|
|
ExecStart = ''
|
|
|
|
|
${pkg}/bin/pounce \
|
|
|
|
|
-C ${cfg.certDir}/${name}.${cfg.host}/fullchain.pem \
|
|
|
|
|
-K ${cfg.certDir}/${name}.${cfg.host}/privkey.pem \
|
|
|
|
|
-U ${cfg.dataDir} -H ${name}.${cfg.host} \
|
|
|
|
|
-C ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem \
|
|
|
|
|
-K ${cfg.certDir}/${name}.${cfg.externalHost}/privkey.pem \
|
|
|
|
|
-U ${cfg.dataDir} -H ${name}.${cfg.externalHost} \
|
|
|
|
|
${settingsFormat.generate "${name}.cfg" value.config}
|
|
|
|
|
'';
|
|
|
|
|
Restart = "on-failure";
|
|
|
|
|
} // hardeningFlags;
|
|
|
|
|
preStart = ''
|
|
|
|
|
mkdir -p ${cfg.certDir}/${name}.${cfg.host}
|
|
|
|
|
mkdir -p ${cfg.certDir}/${name}.${cfg.externalHost}
|
|
|
|
|
if ${boolToString cfg.generateCerts}; then
|
|
|
|
|
if [ ! -f ${cfg.certDir}/${name}.${cfg.host}/fullchain.pem ] || \
|
|
|
|
|
[ ! -f ${cfg.certDir}/${name}.${cfg.host}/privkey.pem ]; then
|
|
|
|
|
if [ ! -f ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem ] || \
|
|
|
|
|
[ ! -f ${cfg.certDir}/${name}.${cfg.externalHost}/privkey.pem ]; then
|
|
|
|
|
${pkgs.libressl}/bin/openssl req -x509 -newkey rsa:4096 \
|
|
|
|
|
-out ${cfg.certDir}/${name}.${cfg.host}/fullchain.pem \
|
|
|
|
|
-keyout ${cfg.certDir}/${name}.${cfg.host}/privkey.pem \
|
|
|
|
|
-nodes -sha256 -days 36500 -subj "/CN=${name}.${cfg.host}"
|
|
|
|
|
-out ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem \
|
|
|
|
|
-keyout ${cfg.certDir}/${name}.${cfg.externalHost}/privkey.pem \
|
|
|
|
|
-nodes -sha256 -days 36500 -subj "/CN=${name}.${cfg.externalHost}"
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
'';
|
|
|
|
@ -429,7 +436,7 @@
|
|
|
|
|
${pkg}/bin/pounce-notify \
|
|
|
|
|
${if value.notify.insecure then "-!" else
|
|
|
|
|
if value.notify.trust-cert == "" then
|
|
|
|
|
"-t ${cfg.certDir}/${name}.${cfg.host}/fullchain.pem"
|
|
|
|
|
"-t ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem"
|
|
|
|
|
else if value.notify.trust-cert != null then
|
|
|
|
|
"-t ${value.notify.trust-cert}" else ""} \
|
|
|
|
|
${if value.notify.client-cert != "" then "-c ${value.notify.client-cert}" else ""} \
|
|
|
|
@ -438,7 +445,7 @@
|
|
|
|
|
-u ${value.notify.user} \
|
|
|
|
|
${if cfg.networks.${name}.config ? local-pass then
|
|
|
|
|
"-w ${cfg.networks.${name}.config.local-pass}" else ""} \
|
|
|
|
|
${name}.${cfg.host} \
|
|
|
|
|
${name}.${cfg.externalHost} \
|
|
|
|
|
${if value.notify.command != "" then "\"${value.notify.command}\"" else
|
|
|
|
|
pkgs.writeShellScript "pounce-${name}-notify-script" value.notify.script}
|
|
|
|
|
'';
|
|
|
|
@ -470,7 +477,7 @@
|
|
|
|
|
${pkg}/bin/pounce-palaver \
|
|
|
|
|
${if value.palaver.insecure then "-!" else
|
|
|
|
|
if value.palaver.trust-cert == "" then
|
|
|
|
|
"-t ${cfg.certDir}/${name}.${cfg.host}/fullchain.pem"
|
|
|
|
|
"-t ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem"
|
|
|
|
|
else if value.palaver.trust-cert != null then
|
|
|
|
|
"-t ${value.palaver.trust-cert}" else ""} \
|
|
|
|
|
${if value.palaver.client-cert != "" then "-c ${value.notify.client-cert}" else ""} \
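Review bot: The client-certificate argument of the pounce-palaver command tests `value.palaver.client-cert` but interpolates `value.notify.client-cert`, so a palaver-specific client cert is never passed, and when both are set palaver authenticates to the bouncer with notify's identity; if only the palaver one is set, `-c` is emitted with an empty path and will most likely consume the following `-u` token as its argument. This reads as a copy-paste from the pounce-notify block above and is untouched by the host→externalHost rename in this commit. The fix is one token: `${if value.palaver.client-cert != "" then "-c ${value.palaver.client-cert}" else ""} \`. The enclosing ExecStart string begins before this hunk and continues past it.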
|
|
|
|
@ -479,7 +486,7 @@
|
|
|
|
|
-u ${value.palaver.user} \
|
|
|
|
|
${if cfg.networks.${name}.config ? local-pass then
|
|
|
|
|
"-w ${cfg.networks.${name}.config.local-pass}" else ""} \
|
|
|
|
|
${name}.${cfg.host} \
|
|
|
|
|
${name}.${cfg.externalHost} \
|
|
|
|
|
${if value.palaver.noPreviews then "-N" else ""} \
|
|
|
|
|
${if value.palaver.noPrivateMessagePreviews then "-N" else ""} \
|
|
|
|
|
${if value.palaver.dbPath != "" then "-d ${value.palaver.dbPath}" else ""} \
|
|
|
|
|