tv ejabberd: add option certFile

2015-06-24 18:38:44 +02:00 · 2015-06-24 18:38:44 +02:00 · 1c71216a05
commit 1c71216a05
parent 45a0cb01d3
2 changed files with 15 additions and 4 deletions
--- a/bin/copy-secrets
+++ b/bin/copy-secrets
@ -18,7 +18,7 @@ fi
 retiolum_secret=$(nixos-query $system_name tv.retiolum.privateKeyFile)
 retiolum_uid=$(nixos-query $system_name users.extraUsers.retiolum-tinc.uid)

-ejabberd_secret=/etc/ejabberd/ejabberd.pem
+ejabberd_secret=$(nixos-query $system_name services.ejabberd-cd.certFile)
 ejabberd_uid=$(nixos-query $system_name users.extraUsers.ejabberd.uid)

 rsync -cz --chown=0:0 -vr "$secrets_rsync/" "$target:/"
--- a/modules/tv/ejabberd.nix
+++ b/modules/tv/ejabberd.nix
@ -9,7 +9,8 @@ let

  cfg = config.services.ejabberd-cd;

-
+  # XXX this is a placeholder that happens to work the default strings.
+  toErlang = builtins.toJSON;

 in

@ -26,6 +27,16 @@ in
        description = "Whether to enable ejabberd server";
      };

+      certFile = mkOption {
+        # TODO if it's types.path then it gets copied to /nix/store with
+        #      bad unsafe permissions...
+        type = types.string;
+        default = "/etc/ejabberd/ejabberd.pem";
+        description = ''
+          TODO
+        '';
+      };
+
      config = mkOption {
        type = types.string;
        default = "";
@ -221,7 +232,7 @@ in
                %% file and uncomment this line:
                %%
                starttls,
-                {certfile, "/etc/ejabberd/ejabberd.pem"},
+                {certfile, ${toErlang cfg.certFile}},

                {access, c2s},
                {shaper, c2s_shaper},
@ -274,7 +285,7 @@ in
          %%
          %% s2s_certfile: Specify a certificate file.
          %%
-          {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
+          {s2s_certfile, ${toErlang cfg.certFile}}.

          %%
          %% domain_certfile: Specify a different certificate for each served hostname.