From 45ae9514abc3a9eb45bd4bc55cdf8bd8cbcc1dcc Mon Sep 17 00:00:00 2001 From: ashelyn vi Date: Mon, 8 Apr 2024 19:32:52 -0400 Subject: [PATCH] remove certdir and do manual stuff --- flake.nix | 95 +++++++++++++++---------------------------------------- 1 file changed, 26 insertions(+), 69 deletions(-) diff --git a/flake.nix b/flake.nix index 938a45f..588a730 100644 --- a/flake.nix +++ b/flake.nix @@ -86,7 +86,7 @@ This is required if Pounce is using a self-signed certificate. If left blank, pounce-notify will use the appropriate certificate in - {option}`services.pounce.certDir`. Set to `null` to disable + {option}`services.pounce.fullChain`. Set to `null` to disable certificate pinning. ''; }; @@ -154,7 +154,7 @@ ''; }; - dataDir = mkOption { + socketDir = mkOption { type = types.str; default = "/run/pounce"; description = lib.mdDoc '' @@ -163,30 +163,6 @@ ''; }; - certDir = mkOption { - type = types.str; - default = "/var/lib/pounce/certs"; - example = "/etc/letsencrypt/live"; - description = lib.mdDoc '' - Directory where each Pounce instance's TLS certificates and private - keys are stored. Each instance should have a folder in the certbot - format: a {file}`fullchain.pem` and {file}`privkey.pem` in a folder - with the full domain name of the instance (ex: - {file}`libera.example.org/`). Self-signed certificates will be - generated in this folder if - {option}`services.pounce.generateCerts` is true. - ''; - }; - - externalHost = mkOption { - type = types.str; - example = "example.org"; - description = lib.mdDoc '' - Base domain name Calico will be accessible at. Each instance - will be at a subdomain of this. - ''; - }; - bindHost = mkOption { type = types.str; default = "localhost"; 
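Review bot: The rewritten option reference in the first hunk, {option}`services.pounce.fullChain`, points at an option that does not exist after this patch; `fullChain` is added per network inside the `services.pounce.networks` submodule (later hunk at -230), so the reference should read {option}`services.pounce.networks.<name>.fullChain`. A broken option link renders as a dead cross-reference in the generated module docs and gives no hint where the pinned certificate actually comes from. The option this description belongs to (presumably the notify trust-cert option, judging by the wording) starts before the hunk.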
@@ -201,23 +177,6 @@ description = lib.mdDoc "Port for Calico to listen on."; }; - generateCerts = mkOption { - type = types.bool; - default = true; - description = lib.mdDoc '' - Generate a self-signed TLS certificate in the certificate directory. - If you would like to use {command}`certbot` instead, generate - certificates for each instance like this: - {command}`certbot certonly -d libera.example.org`. - ''; - }; - - openFirewall = mkOption { - type = types.bool; - default = false; - description = lib.mdDoc "Open port in the firewall for Calico."; - }; - timeout = mkOption { type = types.ints.positive; default = 1000; @@ -230,11 +189,25 @@ networks = mkOption { type = types.attrsOf (types.submodule { options = { + fullChain = mkOption { + type = types.str; + description = lib.mdDoc '' + Certificate chain for TLS connections. + ''; + }; + + privKey = mkOption { + type = types.str; + description = lib.mdDoc '' + Private key for TLS connections. + ''; + }; + config = mkOption { type = settingsFormat.type; default = {}; example = { - libera = { + irc.libera.chat = { host = "irc.libera.chat"; port = 6697; sasl-plain = "testname:password"; @@ -362,7 +335,7 @@ }; config = mkIf cfg.enable { - systemd.tmpfiles.rules = [ "d ${cfg.dataDir} 0700 ${cfg.user} ${cfg.user} -" ]; + systemd.tmpfiles.rules = [ "d ${cfg.socketDir} 0700 ${cfg.user} ${cfg.user} -" ]; systemd.services = mkMerge ( [ { @@ -378,7 +351,7 @@ ExecStart = '' ${pkg}/bin/calico \ -H ${cfg.bindHost} -P ${toString cfg.port} \ - -t ${toString cfg.timeout} ${cfg.dataDir} + -t ${toString cfg.timeout} ${cfg.socketDir} ''; Restart = "on-failure"; } // hardeningFlags; 
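Review bot: In the -230 hunk the new example key `irc.libera.chat = {` is an unquoted dotted attribute path, which Nix reads as `irc = { libera = { chat = … }; };` rather than a single network named irc.libera.chat; it needs quoting, `"irc.libera.chat" = {`. The new `fullChain` and `privKey` descriptions also do not say that the values are file paths handed to pounce's `-C`/`-K` flags (see the later ExecStart hunk) and read by the service user, which matters for the private key: a `types.str` built from a store path such as `"${./privkey.pem}"` would copy the key into the world-readable Nix store. I would reword privKey's description to `Path to the PEM private key passed to pounce's -K flag. It is read by the pounce service user at start, so keep it outside the Nix store and readable only by that user.` and fullChain's to `Path to the PEM certificate chain passed to pounce's -C flag.` The enclosing networks submodule starts before the hunk.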
@@ -398,27 +371,13 @@ Group = cfg.user; ExecStart = '' ${pkg}/bin/pounce \ - -C ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem \ - -K ${cfg.certDir}/${name}.${cfg.externalHost}/privkey.pem \ - -U ${cfg.dataDir} -H ${name}.${cfg.externalHost} \ + -C ${value.fullChain} \ + -K ${value.privKey} \ + -U ${cfg.socketDir} -H ${name} \ ${settingsFormat.generate "${name}.cfg" value.config} ''; Restart = "on-failure"; } // hardeningFlags; - preStart = '' - if [ -d /var/lib/pounce ]; then - chmod -R u+x /var/lib/pounce - fi - if ${boolToString cfg.generateCerts}; then - if [ ! -f ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem ] || \ - [ ! -f ${cfg.certDir}/${name}.${cfg.externalHost}/privkey.pem ]; then - ${pkgs.libressl}/bin/openssl req -x509 -newkey rsa:4096 \ - -out ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem \ - -keyout ${cfg.certDir}/${name}.${cfg.externalHost}/privkey.pem \ - -nodes -sha256 -days 36500 -subj "/CN=${name}.${cfg.externalHost}" - fi - fi - ''; }; } @@ -438,7 +397,7 @@ ${pkg}/bin/pounce-notify \ ${if value.notify.insecure then "-!" else if value.notify.trust-cert == "" then - "-t ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem" + "-t ${value.fullChain}" else if value.notify.trust-cert != null then "-t ${value.notify.trust-cert}" else ""} \ ${if value.notify.client-cert != "" then "-c ${value.notify.client-cert}" else ""} \ @@ -447,7 +406,7 @@ -u ${value.notify.user} \ ${if cfg.networks.${name}.config ? local-pass then "-w ${cfg.networks.${name}.config.local-pass}" else ""} \ - ${name}.${cfg.externalHost} \ + ${name} \ ${if value.notify.command != "" then "\"${value.notify.command}\"" else pkgs.writeShellScript "pounce-${name}-notify-script" value.notify.script} ''; 
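Review bot: In the -398 hunk nothing now guards how `value.privKey` is exposed to the service: the unit runs as `cfg.user` (`Group = cfg.user` is visible, the User line is above the hunk), so the key file must be readable by that user yet not world-readable, and with the preStart removed the module no longer touches ownership or mode of anything, so this is entirely the administrator's job and should be stated. `hardeningFlags` is still merged into serviceConfig but is not visible here; if it enables filesystem sandboxing such as `ProtectSystem=strict`, a key stored under a path like /etc/letsencrypt/live will be unreadable unless its directory is also listed in `BindReadOnlyPaths`. I would add above the ExecStart: `# fullChain/privKey are read at start as cfg.user: keep the key owned by that user with mode 0600 and outside the Nix store; if hardeningFlags sandboxes the filesystem, add the key directory to BindReadOnlyPaths.` The paths are interpolated unquoted into ExecStart, so a path containing whitespace would also split into separate arguments. The systemd unit definition starts before the hunk.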
@@ -479,7 +438,7 @@ ${pkg}/bin/pounce-palaver \ ${if value.palaver.insecure then "-!" else if value.palaver.trust-cert == "" then - "-t ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem" + "-t ${value.fullChain}" else if value.palaver.trust-cert != null then "-t ${value.palaver.trust-cert}" else ""} \ ${if value.palaver.client-cert != "" then "-c ${value.notify.client-cert}" else ""} \ @@ -488,7 +447,7 @@ -u ${value.palaver.user} \ ${if cfg.networks.${name}.config ? local-pass then "-w ${cfg.networks.${name}.config.local-pass}" else ""} \ - ${name}.${cfg.externalHost} \ + ${name} \ ${if value.palaver.noPreviews then "-N" else ""} \ ${if value.palaver.noPrivateMessagePreviews then "-N" else ""} \ ${if value.palaver.dbPath != "" then "-d ${value.palaver.dbPath}" else ""} \ @@ -517,8 +476,6 @@ groups.${defaultUser} = { }; }; - - networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ]; }; }; };
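Review bot: The unchanged line `${if value.palaver.client-cert != "" then "-c ${value.notify.client-cert}" else ""}` in the palaver ExecStart of the -479 hunk tests the palaver option but passes the notify client certificate, so a client-cert configured only for palaver is silently dropped and a notify certificate is reused where it was never configured; it should be `"-c ${value.palaver.client-cert}"`. This predates the commit, but the hunk is already reworking the trust-cert argument on the adjacent lines, so fixing it here avoids the two integrations drifting further apart. The pounce-palaver unit definition starts before the hunk.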