remove certdir and do manual stuff

main
Ashelyn Dawn 1 month ago committed by Ashelyn Rose
parent 1cd9339ee4
commit 45ae9514ab
No known key found for this signature in database
GPG Key ID: D1980B8C6F349BC1

@ -86,7 +86,7 @@
This is required if Pounce is using a self-signed This is required if Pounce is using a self-signed
certificate. If left blank, pounce-notify will use the certificate. If left blank, pounce-notify will use the
appropriate certificate in appropriate certificate in
{option}`services.pounce.certDir`. Set to `null` to disable {option}`services.pounce.fullChain`. Set to `null` to disable
certificate pinning. certificate pinning.
''; '';
}; };
@ -154,7 +154,7 @@
''; '';
}; };
dataDir = mkOption { socketDir = mkOption {
type = types.str; type = types.str;
default = "/run/pounce"; default = "/run/pounce";
description = lib.mdDoc '' description = lib.mdDoc ''
@ -163,30 +163,6 @@
''; '';
}; };
certDir = mkOption {
type = types.str;
default = "/var/lib/pounce/certs";
example = "/etc/letsencrypt/live";
description = lib.mdDoc ''
Directory where each Pounce instance's TLS certificates and private
keys are stored. Each instance should have a folder in the certbot
format: a {file}`fullchain.pem` and {file}`privkey.pem` in a folder
with the full domain name of the instance (ex:
{file}`libera.example.org/`). Self-signed certificates will be
generated in this folder if
{option}`services.pounce.generateCerts` is true.
'';
};
externalHost = mkOption {
type = types.str;
example = "example.org";
description = lib.mdDoc ''
Base domain name Calico will be accessible at. Each instance
will be at a subdomain of this.
'';
};
bindHost = mkOption { bindHost = mkOption {
type = types.str; type = types.str;
default = "localhost"; default = "localhost";
@ -201,23 +177,6 @@
description = lib.mdDoc "Port for Calico to listen on."; description = lib.mdDoc "Port for Calico to listen on.";
}; };
generateCerts = mkOption {
type = types.bool;
default = true;
description = lib.mdDoc ''
Generate a self-signed TLS certificate in the certificate directory.
If you would like to use {command}`certbot` instead, generate
certificates for each instance like this:
{command}`certbot certonly -d libera.example.org`.
'';
};
openFirewall = mkOption {
type = types.bool;
default = false;
description = lib.mdDoc "Open port in the firewall for Calico.";
};
timeout = mkOption { timeout = mkOption {
type = types.ints.positive; type = types.ints.positive;
default = 1000; default = 1000;
@ -230,11 +189,25 @@
networks = mkOption { networks = mkOption {
type = types.attrsOf (types.submodule { type = types.attrsOf (types.submodule {
options = { options = {
fullChain = mkOption {
type = types.str;
description = lib.mdDoc ''
Certificate chain for TLS connections.
'';
};
privKey = mkOption {
type = types.str;
description = lib.mdDoc ''
Private key for TLS connections.
'';
};
config = mkOption { config = mkOption {
type = settingsFormat.type; type = settingsFormat.type;
default = {}; default = {};
example = { example = {
libera = { irc.libera.chat = {
host = "irc.libera.chat"; host = "irc.libera.chat";
port = 6697; port = 6697;
sasl-plain = "testname:password"; sasl-plain = "testname:password";
@ -362,7 +335,7 @@
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
systemd.tmpfiles.rules = [ "d ${cfg.dataDir} 0700 ${cfg.user} ${cfg.user} -" ]; systemd.tmpfiles.rules = [ "d ${cfg.socketDir} 0700 ${cfg.user} ${cfg.user} -" ];
systemd.services = mkMerge ( systemd.services = mkMerge (
[ [
{ {
@ -378,7 +351,7 @@
ExecStart = '' ExecStart = ''
${pkg}/bin/calico \ ${pkg}/bin/calico \
-H ${cfg.bindHost} -P ${toString cfg.port} \ -H ${cfg.bindHost} -P ${toString cfg.port} \
-t ${toString cfg.timeout} ${cfg.dataDir} -t ${toString cfg.timeout} ${cfg.socketDir}
''; '';
Restart = "on-failure"; Restart = "on-failure";
} // hardeningFlags; } // hardeningFlags;
@ -398,27 +371,13 @@
Group = cfg.user; Group = cfg.user;
ExecStart = '' ExecStart = ''
${pkg}/bin/pounce \ ${pkg}/bin/pounce \
-C ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem \ -C ${value.fullChain} \
-K ${cfg.certDir}/${name}.${cfg.externalHost}/privkey.pem \ -K ${value.privKey} \
-U ${cfg.dataDir} -H ${name}.${cfg.externalHost} \ -U ${cfg.socketDir} -H ${name} \
${settingsFormat.generate "${name}.cfg" value.config} ${settingsFormat.generate "${name}.cfg" value.config}
''; '';
Restart = "on-failure"; Restart = "on-failure";
} // hardeningFlags; } // hardeningFlags;
preStart = ''
if [ -d /var/lib/pounce ]; then
chmod -R u+x /var/lib/pounce
fi
if ${boolToString cfg.generateCerts}; then
if [ ! -f ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem ] || \
[ ! -f ${cfg.certDir}/${name}.${cfg.externalHost}/privkey.pem ]; then
${pkgs.libressl}/bin/openssl req -x509 -newkey rsa:4096 \
-out ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem \
-keyout ${cfg.certDir}/${name}.${cfg.externalHost}/privkey.pem \
-nodes -sha256 -days 36500 -subj "/CN=${name}.${cfg.externalHost}"
fi
fi
'';
}; };
} }
@ -438,7 +397,7 @@
${pkg}/bin/pounce-notify \ ${pkg}/bin/pounce-notify \
${if value.notify.insecure then "-!" else ${if value.notify.insecure then "-!" else
if value.notify.trust-cert == "" then if value.notify.trust-cert == "" then
"-t ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem" "-t ${value.fullChain}"
else if value.notify.trust-cert != null then else if value.notify.trust-cert != null then
"-t ${value.notify.trust-cert}" else ""} \ "-t ${value.notify.trust-cert}" else ""} \
${if value.notify.client-cert != "" then "-c ${value.notify.client-cert}" else ""} \ ${if value.notify.client-cert != "" then "-c ${value.notify.client-cert}" else ""} \
@ -447,7 +406,7 @@
-u ${value.notify.user} \ -u ${value.notify.user} \
${if cfg.networks.${name}.config ? local-pass then ${if cfg.networks.${name}.config ? local-pass then
"-w ${cfg.networks.${name}.config.local-pass}" else ""} \ "-w ${cfg.networks.${name}.config.local-pass}" else ""} \
${name}.${cfg.externalHost} \ ${name} \
${if value.notify.command != "" then "\"${value.notify.command}\"" else ${if value.notify.command != "" then "\"${value.notify.command}\"" else
pkgs.writeShellScript "pounce-${name}-notify-script" value.notify.script} pkgs.writeShellScript "pounce-${name}-notify-script" value.notify.script}
''; '';
@ -479,7 +438,7 @@
${pkg}/bin/pounce-palaver \ ${pkg}/bin/pounce-palaver \
${if value.palaver.insecure then "-!" else ${if value.palaver.insecure then "-!" else
if value.palaver.trust-cert == "" then if value.palaver.trust-cert == "" then
"-t ${cfg.certDir}/${name}.${cfg.externalHost}/fullchain.pem" "-t ${value.fullChain}"
else if value.palaver.trust-cert != null then else if value.palaver.trust-cert != null then
"-t ${value.palaver.trust-cert}" else ""} \ "-t ${value.palaver.trust-cert}" else ""} \
${if value.palaver.client-cert != "" then "-c ${value.notify.client-cert}" else ""} \ ${if value.palaver.client-cert != "" then "-c ${value.notify.client-cert}" else ""} \
@ -488,7 +447,7 @@
-u ${value.palaver.user} \ -u ${value.palaver.user} \
${if cfg.networks.${name}.config ? local-pass then ${if cfg.networks.${name}.config ? local-pass then
"-w ${cfg.networks.${name}.config.local-pass}" else ""} \ "-w ${cfg.networks.${name}.config.local-pass}" else ""} \
${name}.${cfg.externalHost} \ ${name} \
${if value.palaver.noPreviews then "-N" else ""} \ ${if value.palaver.noPreviews then "-N" else ""} \
${if value.palaver.noPrivateMessagePreviews then "-N" else ""} \ ${if value.palaver.noPrivateMessagePreviews then "-N" else ""} \
${if value.palaver.dbPath != "" then "-d ${value.palaver.dbPath}" else ""} \ ${if value.palaver.dbPath != "" then "-d ${value.palaver.dbPath}" else ""} \
@ -517,8 +476,6 @@
groups.${defaultUser} = { }; groups.${defaultUser} = { };
}; };
networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [ cfg.port ];
}; };
}; };
}; };
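Review bot: The new `privKey` option in the `@ -230,11 +189,25 @@` hunk is a bare `types.str` with a one-line description, and nothing tells the user that the value is interpolated verbatim into `ExecStart` as a filesystem path, so a store path (a derivation or `builtins.toFile` output coerced to a string) would land the private key in the world-readable Nix store. Because the commit also drops the `preStart` chmod and the self-signed generation, the key file now has to be readable by `cfg.user` on its own, so I would extend the description to something like `Path to the PEM private key for TLS connections. Must point to a file outside the Nix store that is readable by the pounce service user; never pass a store path, as the key would become world-readable.` with a matching `example = "/var/lib/acme/irc.libera.chat/key.pem";` (constructed example path) and give `fullChain` parallel "path to a PEM certificate chain file" wording. Whether the `hardeningFlags` set, which is defined outside the visible hunks, still permits reading from such a location cannot be checked from here and should be confirmed. The unchanged context line in the `@ -479,7 +438,7 @@` hunk still reads `${if value.palaver.client-cert != "" then "-c ${value.notify.client-cert}" else ""}`, passing the notify client certificate to pounce-palaver; it looks like `-c ${value.palaver.client-cert}` was intended and this commit is a good place to fix it.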
