|
|
|
@ -86,7 +86,7 @@
|
|
|
|
|
This is required if Pounce is using a self-signed
|
|
|
|
|
certificate. If left blank, pounce-notify will use the
|
|
|
|
|
appropriate certificate in
|
|
|
|
|
{option}`services.pounce.certDir`. Set to `null` to disable
|
|
|
|
|
{option}`services.pounce.fullChain`. Set to `null` to disable
|
|
|
|
|
certificate pinning.
|
|
|
|
|
'';
|
|
|
|
|
};
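Review bot: The rewritten sentence in the notify `trust-cert` description cross-references `{option}`services.pounce.fullChain``, but in this same diff `fullChain` is declared inside the `networks` submodule, so the link points at an option that does not exist and the option-doc build will likely reject it. Change the line to ``{option}`services.pounce.networks.<name>.fullChain`. Set to `null` to disable``. Since this file is used as a pin rather than a trust store, it would also help to say it must be the same file the matching instance was started with. The enclosing `mkOption` begins before the hunk.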
|
|
|
|
@ -154,7 +154,7 @@
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
dataDir = mkOption {
|
|
|
|
|
socketDir = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "/run/pounce";
|
|
|
|
|
description = lib.mdDoc ''
|
|
|
|
@ -163,30 +163,6 @@
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
certDir = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "/var/lib/pounce/certs";
|
|
|
|
|
example = "/etc/letsencrypt/live";
|
|
|
|
|
description = lib.mdDoc ''
|
|
|
|
|
Directory where each Pounce instance's TLS certificates and private
|
|
|
|
|
keys are stored. Each instance should have a folder in the certbot
|
|
|
|
|
format: a {file}`fullchain.pem` and {file}`privkey.pem` in a folder
|
|
|
|
|
with the full domain name of the instance (ex:
|
|
|
|
|
{file}`libera.example.org/`). Self-signed certificates will be
|
|
|
|
|
generated in this folder if
|
|
|
|
|
{option}`services.pounce.generateCerts` is true.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
externalHost = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
example = "example.org";
|
|
|
|
|
description = lib.mdDoc ''
|
|
|
|
|
Base domain name Calico will be accessible at. Each instance
|
|
|
|
|
will be at a subdomain of this.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
bindHost = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "localhost";
|
|
|
|
@ -201,23 +177,6 @@
|
|
|
|
|
description = lib.mdDoc "Port for Calico to listen on.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
generateCerts = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = true;
|
|
|
|
|
description = lib.mdDoc ''
|
|
|
|
|
Generate a self-signed TLS certificate in the certificate directory.
|
|
|
|
|
If you would like to use {command}`certbot` instead, generate
|
|
|
|
|
certificates for each instance like this:
|
|
|
|
|
{command}`certbot certonly -d libera.example.org`.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
openFirewall = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = false;
|
|
|
|
|
description = lib.mdDoc "Open port in the firewall for Calico.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
timeout = mkOption {
|
|
|
|
|
type = types.ints.positive;
|
|
|
|
|
default = 1000;
|
|
|
|
@ -230,11 +189,25 @@
|
|
|
|
|
networks = mkOption {
|
|
|
|
|
type = types.attrsOf (types.submodule {
|
|
|
|
|
options = {
|
|
|
|
|
fullChain = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
description = lib.mdDoc ''
|
|
|
|
|
Certificate chain for TLS connections.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
privKey = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
description = lib.mdDoc ''
|
|
|
|
|
Private key for TLS connections.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
config = mkOption {
|
|
|
|
|
type = settingsFormat.type;
|
|
|
|
|
default = {};
|
|
|
|
|
example = {
|
|
|
|
|
libera = {
|
|
|
|
|
irc.libera.chat = {
|
|
|
|
|
host = "irc.libera.chat";
|
|
|
|
|
port = 6697;
|
|
|
|
|
sasl-plain = "testname:password";
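Review bot: `fullChain` and `privKey` are typed `types.str` with a one-line description that does not say what the value is, while the only consumer visible in this diff is `-K ${value.privKey}` on the pounce command line, so the string must be a filesystem path readable by the service user, not the key material. The description should state that and warn against Nix store paths (a `./key.pem` path literal would be copied into the world-readable store): `Path to the PEM private key for TLS connections. Must be readable by the pounce user and must not live in the Nix store, e.g. /var/lib/acme/<host>/key.pem.` Keeping `types.str` instead of `types.path` is the right choice for exactly that reason, so a short why-comment on the type line would prevent a later "fix" to `types.path`. The `config` example below puts `sasl-plain` credentials into settings that `settingsFormat.generate` later writes to the store; if that caveat is not already in the `config` description (its text is outside this hunk), it belongs there too.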
|
|
|
|
@ -362,7 +335,7 @@
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
|
systemd.tmpfiles.rules = [ "d ${cfg.dataDir} 0700 ${cfg.user} ${cfg.user} -" ];
|
|
|
|
|
systemd.tmpfiles.rules = [ "d ${cfg.socketDir} 0700 ${cfg.user} ${cfg.user} -" ];
|
|
|
|
|
systemd.services = mkMerge (
|
|
|
|
|
[
|
|
|
|
|
{
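Review bot: The tmpfiles `d` rule now targets a directory whose default is under `/run`, which is created at boot and on activation but not re-created if something removes it between service restarts. Since both pounce and calico appear to run as `cfg.user`, `RuntimeDirectory = "pounce"` with `RuntimeDirectoryMode = "0700"` on those units would give the same ownership and mode and be re-created on every start; that only works while `socketDir` stays under `/run`, so if tmpfiles is kept deliberately to honour arbitrary `socketDir` values, a one-line comment saying so would stop the next reader from "simplifying" it.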
|
|
|
|
@ -378,7 +351,7 @@
|
|
|
|
|
ExecStart = ''
|
|
|
|
|
${pkg}/bin/calico \
|
|
|
|
|
-H ${cfg.bindHost} -P ${toString cfg.port} \
|
|
|
|
|
-t ${toString cfg.timeout} ${cfg.dataDir}
|
|
|
|
|
-t ${toString cfg.timeout} ${cfg.socketDir}
|
|
|
|
|
'';
|
|
|
|
|
Restart = "on-failure";
|
|
|
|
|
} // hardeningFlags;
|
|
|
|
@ -398,27 +371,13 @@
|
|
|
|
|
Group = cfg.user;
|
|
|
|
|
ExecStart = ''
|
|
|
|
|
${pkg}/bin/pounce \
|
|
|
|
|
-C ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem \
|
|
|
|
|
-K ${cfg.certDir}/${name}.${cfg.externalHost}/privkey.pem \
|
|
|
|
|
-U ${cfg.dataDir} -H ${name}.${cfg.externalHost} \
|
|
|
|
|
-C ${value.fullChain} \
|
|
|
|
|
-K ${value.privKey} \
|
|
|
|
|
-U ${cfg.socketDir} -H ${name} \
|
|
|
|
|
${settingsFormat.generate "${name}.cfg" value.config}
|
|
|
|
|
'';
|
|
|
|
|
Restart = "on-failure";
|
|
|
|
|
} // hardeningFlags;
|
|
|
|
|
preStart = ''
|
|
|
|
|
if [ -d /var/lib/pounce ]; then
|
|
|
|
|
chmod -R u+x /var/lib/pounce
|
|
|
|
|
fi
|
|
|
|
|
if ${boolToString cfg.generateCerts}; then
|
|
|
|
|
if [ ! -f ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem ] || \
|
|
|
|
|
[ ! -f ${cfg.certDir}/${name}.${cfg.externalHost}/privkey.pem ]; then
|
|
|
|
|
${pkgs.libressl}/bin/openssl req -x509 -newkey rsa:4096 \
|
|
|
|
|
-out ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem \
|
|
|
|
|
-keyout ${cfg.certDir}/${name}.${cfg.externalHost}/privkey.pem \
|
|
|
|
|
-nodes -sha256 -days 36500 -subj "/CN=${name}.${cfg.externalHost}"
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
}
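Review bot: `-H ${name}` replaces `-H ${name}.${cfg.externalHost}`, so the attribute key under `networks` is now handed to pounce as its local host name and, given that calico dispatches by SNI onto the socket named after it, is presumably what clients must present as the TLS server name; the `networks` option text should state that the key is expected to be the full hostname (e.g. `libera.example.org`), since an SNI of `libera.example.org` will no longer reach a socket named `libera`. This also leaves `externalHost` (still declared in the hunk at -163) unreferenced by every ExecStart shown, so it looks like dead configuration unless it is consumed elsewhere in the file. With the preStart block removed there is no longer any check that `fullChain`/`privKey` exist and are readable by `cfg.user` before the unit starts, so a missing ACME key now surfaces only as a TLS failure in the log; a one-line `ExecStartPre` existence test, or a note in the option docs, would make that easier to diagnose. The generated `${name}.cfg` still lands in the Nix store, so `local-pass` and `sasl-plain` values remain world-readable, which this commit does not change but should be called out on `config`.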
|
|
|
|
|
|
|
|
|
@ -438,7 +397,7 @@
|
|
|
|
|
${pkg}/bin/pounce-notify \
|
|
|
|
|
${if value.notify.insecure then "-!" else
|
|
|
|
|
if value.notify.trust-cert == "" then
|
|
|
|
|
"-t ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem"
|
|
|
|
|
"-t ${value.fullChain}"
|
|
|
|
|
else if value.notify.trust-cert != null then
|
|
|
|
|
"-t ${value.notify.trust-cert}" else ""} \
|
|
|
|
|
${if value.notify.client-cert != "" then "-c ${value.notify.client-cert}" else ""} \
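Review bot: On the `trust-cert == ""` branch pounce-notify is now pinned to `${value.fullChain}`, the same file pounce serves; that matches the self-signed case the option text describes, but for a renewing ACME chain the leaf changes on every renewal, and a pounce-notify that started against the old file will fail TLS once pounce restarts with the new one. A sentence in the `trust-cert` description that the default pin is only stable for self-signed certificates, and that CA-issued setups should set it to `null`, would avoid a confusing outage. The fallback is otherwise consistent with how `-C` is passed to pounce in the hunk above.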
|
|
|
|
@ -447,7 +406,7 @@
|
|
|
|
|
-u ${value.notify.user} \
|
|
|
|
|
${if cfg.networks.${name}.config ? local-pass then
|
|
|
|
|
"-w ${cfg.networks.${name}.config.local-pass}" else ""} \
|
|
|
|
|
${name}.${cfg.externalHost} \
|
|
|
|
|
${name} \
|
|
|
|
|
${if value.notify.command != "" then "\"${value.notify.command}\"" else
|
|
|
|
|
pkgs.writeShellScript "pounce-${name}-notify-script" value.notify.script}
|
|
|
|
|
'';
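Review bot: The host argument becomes `${name}`, but two lines above it the unit still passes the local password as `-w ${cfg.networks.${name}.config.local-pass}`, which puts the secret into the unit file (in the Nix store) and into the process's `/proc/<pid>/cmdline`, both readable by every local user. This is not introduced here, but as the flag mapping is being reworked it is the moment to address it: if pounce-notify can read the password from the environment or a file, `LoadCredential=` and a small wrapper would keep it out of argv; if it cannot, the `config` option description should at least carry a caveat that `local-pass` ends up world-readable.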
|
|
|
|
@ -479,7 +438,7 @@
|
|
|
|
|
${pkg}/bin/pounce-palaver \
|
|
|
|
|
${if value.palaver.insecure then "-!" else
|
|
|
|
|
if value.palaver.trust-cert == "" then
|
|
|
|
|
"-t ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem"
|
|
|
|
|
"-t ${value.fullChain}"
|
|
|
|
|
else if value.palaver.trust-cert != null then
|
|
|
|
|
"-t ${value.palaver.trust-cert}" else ""} \
|
|
|
|
|
${if value.palaver.client-cert != "" then "-c ${value.notify.client-cert}" else ""} \
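Review bot: The line directly after the changed `-t` branch tests `value.palaver.client-cert` but passes `value.notify.client-cert`, so a palaver instance configured with its own client certificate is started with the notify one (or with a bare `-c ` if notify has none), silently breaking client-certificate auth for palaver. Change it to `${if value.palaver.client-cert != "" then "-c ${value.palaver.client-cert}" else ""} \`. It predates this commit, but the commit touches the adjacent branch and the fix is one word.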
|
|
|
|
@ -488,7 +447,7 @@
|
|
|
|
|
-u ${value.palaver.user} \
|
|
|
|
|
${if cfg.networks.${name}.config ? local-pass then
|
|
|
|
|
"-w ${cfg.networks.${name}.config.local-pass}" else ""} \
|
|
|
|
|
${name}.${cfg.externalHost} \
|
|
|
|
|
${name} \
|
|
|
|
|
${if value.palaver.noPreviews then "-N" else ""} \
|
|
|
|
|
${if value.palaver.noPrivateMessagePreviews then "-N" else ""} \
|
|
|
|
|
${if value.palaver.dbPath != "" then "-d ${value.palaver.dbPath}" else ""} \
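Review bot: Just below the changed `${name}` argument, `noPreviews` and `noPrivateMessagePreviews` both render as `-N`, so setting only the second still disables all previews (or emits `-N` twice); unless pounce-palaver really uses one flag for both, the second should map to its own flag — worth checking against the binary's usage text and recording in the two option descriptions. As with pounce-notify, `-w ${cfg.networks.${name}.config.local-pass}` here leaves the local password in argv and in the store-resident unit file; a caveat on the option is the minimum if the program cannot take it from a file or the environment.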
|
|
|
|
@ -517,8 +476,6 @@
|
|
|
|
|
|
|
|
|
|
groups.${defaultUser} = { };
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|