remove certdir and do manual stuff

main
Ashelyn Dawn 3 weeks ago committed by Ashelyn Rose
parent 1cd9339ee4
commit 45ae9514ab
No known key found for this signature in database
GPG Key ID: D1980B8C6F349BC1

@ -86,7 +86,7 @@
This is required if Pounce is using a self-signed
certificate. If left blank, pounce-notify will use the
appropriate certificate in
{option}`services.pounce.certDir`. Set to `null` to disable
{option}`services.pounce.fullChain`. Set to `null` to disable
certificate pinning.
'';
};
@ -154,7 +154,7 @@
'';
};
dataDir = mkOption {
socketDir = mkOption {
type = types.str;
default = "/run/pounce";
description = lib.mdDoc ''
@ -163,30 +163,6 @@
'';
};
certDir = mkOption {
type = types.str;
default = "/var/lib/pounce/certs";
example = "/etc/letsencrypt/live";
description = lib.mdDoc ''
Directory where each Pounce instance's TLS certificates and private
keys are stored. Each instance should have a folder in the certbot
format: a {file}`fullchain.pem` and {file}`privkey.pem` in a folder
with the full domain name of the instance (ex:
{file}`libera.example.org/`). Self-signed certificates will be
generated in this folder if
{option}`services.pounce.generateCerts` is true.
'';
};
externalHost = mkOption {
type = types.str;
example = "example.org";
description = lib.mdDoc ''
Base domain name Calico will be accessible at. Each instance
will be at a subdomain of this.
'';
};
bindHost = mkOption {
type = types.str;
default = "localhost";
@ -201,23 +177,6 @@
description = lib.mdDoc "Port for Calico to listen on.";
};
generateCerts = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc ''
Generate a self-signed TLS certificate in the certificate directory.
If you would like to use {command}`certbot` instead, generate
certificates for each instance like this:
{command}`certbot certonly -d libera.example.org`.
'';
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Open port in the firewall for Calico.";
};
timeout = mkOption {
type = types.ints.positive;
default = 1000;
@ -230,11 +189,25 @@
networks = mkOption {
type = types.attrsOf (types.submodule {
options = {
fullChain = mkOption {
type = types.str;
description = lib.mdDoc ''
Certificate chain for TLS connections.
'';
};
privKey = mkOption {
type = types.str;
description = lib.mdDoc ''
Private key for TLS connections.
'';
};
config = mkOption {
type = settingsFormat.type;
default = {};
example = {
libera = {
irc.libera.chat = {
host = "irc.libera.chat";
port = 6697;
sasl-plain = "testname:password";
@ -362,7 +335,7 @@
};
config = mkIf cfg.enable {
systemd.tmpfiles.rules = [ "d ${cfg.dataDir} 0700 ${cfg.user} ${cfg.user} -" ];
systemd.tmpfiles.rules = [ "d ${cfg.socketDir} 0700 ${cfg.user} ${cfg.user} -" ];
systemd.services = mkMerge (
[
{
@ -378,7 +351,7 @@
ExecStart = ''
${pkg}/bin/calico \
-H ${cfg.bindHost} -P ${toString cfg.port} \
-t ${toString cfg.timeout} ${cfg.dataDir}
-t ${toString cfg.timeout} ${cfg.socketDir}
'';
Restart = "on-failure";
} // hardeningFlags;
@ -398,27 +371,13 @@
Group = cfg.user;
ExecStart = ''
${pkg}/bin/pounce \
-C ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem \
-K ${cfg.certDir}/${name}.${cfg.externalHost}/privkey.pem \
-U ${cfg.dataDir} -H ${name}.${cfg.externalHost} \
-C ${value.fullChain} \
-K ${value.privKey} \
-U ${cfg.socketDir} -H ${name} \
${settingsFormat.generate "${name}.cfg" value.config}
'';
Restart = "on-failure";
} // hardeningFlags;
preStart = ''
if [ -d /var/lib/pounce ]; then
chmod -R u+x /var/lib/pounce
fi
if ${boolToString cfg.generateCerts}; then
if [ ! -f ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem ] || \
[ ! -f ${cfg.certDir}/${name}.${cfg.externalHost}/privkey.pem ]; then
${pkgs.libressl}/bin/openssl req -x509 -newkey rsa:4096 \
-out ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem \
-keyout ${cfg.certDir}/${name}.${cfg.externalHost}/privkey.pem \
-nodes -sha256 -days 36500 -subj "/CN=${name}.${cfg.externalHost}"
fi
fi
'';
};
}
@ -438,7 +397,7 @@
${pkg}/bin/pounce-notify \
${if value.notify.insecure then "-!" else
if value.notify.trust-cert == "" then
"-t ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem"
"-t ${value.fullChain}"
else if value.notify.trust-cert != null then
"-t ${value.notify.trust-cert}" else ""} \
${if value.notify.client-cert != "" then "-c ${value.notify.client-cert}" else ""} \
@ -447,7 +406,7 @@
-u ${value.notify.user} \
${if cfg.networks.${name}.config ? local-pass then
"-w ${cfg.networks.${name}.config.local-pass}" else ""} \
${name}.${cfg.externalHost} \
${name} \
${if value.notify.command != "" then "\"${value.notify.command}\"" else
pkgs.writeShellScript "pounce-${name}-notify-script" value.notify.script}
'';
@ -479,7 +438,7 @@
${pkg}/bin/pounce-palaver \
${if value.palaver.insecure then "-!" else
if value.palaver.trust-cert == "" then
"-t ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem"
"-t ${value.fullChain}"
else if value.palaver.trust-cert != null then
"-t ${value.palaver.trust-cert}" else ""} \
${if value.palaver.client-cert != "" then "-c ${value.notify.client-cert}" else ""} \
@ -488,7 +447,7 @@
-u ${value.palaver.user} \
${if cfg.networks.${name}.config ? local-pass then
"-w ${cfg.networks.${name}.config.local-pass}" else ""} \
${name}.${cfg.externalHost} \
${name} \
${if value.palaver.noPreviews then "-N" else ""} \
${if value.palaver.noPrivateMessagePreviews then "-N" else ""} \
${if value.palaver.dbPath != "" then "-d ${value.palaver.dbPath}" else ""} \
@ -517,8 +476,6 @@
groups.${defaultUser} = { };
};
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
};
};
};
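Review bot: The new `privKey` option in the `networks` submodule hunk is declared `types.str` and described only as "Private key for TLS connections.", but the `pounce` ExecStart hunk passes it verbatim as `-K ${value.privKey}`, so it is a file path rather than key material, and nothing says where that file may live or who must be able to read it. A reader could reasonably set it to a Nix path or a `"${./privkey.pem}"` string, which would copy the private key into the world-readable Nix store. I would make the description explicit: `Path to the PEM-encoded private key file for TLS connections. It must be readable by the service user and should not be a Nix store path, since the store is world-readable.`, and use the same "path to the file, readable by the service user" wording for `fullChain`, which is also pinned via `-t ${value.fullChain}` in the notify and palaver hunks. Since the `certDir` option and the `preStart` that created and `chmod`-ed the certificate files are removed here, it is presumably also worth stating that the module no longer creates these files or fixes their permissions (the submodule's remaining options continue outside the hunk). Separately, the unchanged palaver context line `-c ${value.notify.client-cert}` looks like it reads the notify option where `value.palaver.client-cert` was just tested; not introduced by this commit, but worth a follow-up.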
