tv ejabberd: use dynamic user
This commit is contained in:
parent
c6aec96a55
commit
876fd5404d
@ -62,7 +62,7 @@ in /* yaml */ ''
|
||||
module: ejabberd_c2s
|
||||
shaper: c2s_shaper
|
||||
ciphers: ${toJSON ciphers}
|
||||
dhfile: /var/lib/ejabberd/dhfile
|
||||
dhfile: ${config.stateDir}/dhfile
|
||||
protocol_options: ${toJSON protocol_options}
|
||||
starttls: true
|
||||
starttls_required: true
|
||||
@ -112,7 +112,7 @@ in /* yaml */ ''
|
||||
|
||||
s2s_access: s2s
|
||||
s2s_ciphers: ${toJSON ciphers}
|
||||
s2s_dhfile: /var/lib/ejabberd/dhfile
|
||||
s2s_dhfile: ${config.stateDir}/dhfile
|
||||
s2s_protocol_options: ${toJSON protocol_options}
|
||||
s2s_tls_compression: false
|
||||
s2s_use_starttls: required
|
||||
|
@ -33,8 +33,11 @@ in {
|
||||
inherit pkgs;
|
||||
config = cfg;
|
||||
})} \
|
||||
--logs ${shell.escape cfg.user.home} \
|
||||
--spool ${shell.escape cfg.user.home} \
|
||||
--ctl-config ${toFile "ejabberdctl.cfg" /* sh */ ''
|
||||
ERL_OPTIONS='-setcookie ${cfg.stateDir}/.erlang.cookie'
|
||||
''} \
|
||||
--logs ${cfg.stateDir} \
|
||||
--spool ${cfg.stateDir} \
|
||||
"$@"
|
||||
'')
|
||||
pkgs.ejabberd
|
||||
@ -47,12 +50,10 @@ in {
|
||||
config.krebs.users.tv.mail
|
||||
];
|
||||
};
|
||||
user = mkOption {
|
||||
type = types.user;
|
||||
default = {
|
||||
name = "ejabberd";
|
||||
home = "/var/lib/ejabberd";
|
||||
};
|
||||
stateDir = mkOption {
|
||||
type = types.absolute-pathname;
|
||||
default = "/var/lib/ejabberd";
|
||||
readOnly = true;
|
||||
};
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
@ -61,10 +62,13 @@ in {
|
||||
name = "ejabberd-sudo-wrapper";
|
||||
paths = [
|
||||
(pkgs.writeDashBin "ejabberdctl" ''
|
||||
set -efu
|
||||
cd ${shell.escape cfg.user.home}
|
||||
exec /run/wrappers/bin/sudo \
|
||||
-u ${shell.escape cfg.user.name} \
|
||||
exec ${pkgs.systemd}/bin/systemd-run \
|
||||
--unit=ejabberdctl \
|
||||
--property=StateDirectory=ejabberd \
|
||||
--property=User=ejabberd \
|
||||
--collect \
|
||||
--pipe \
|
||||
--quiet \
|
||||
${cfg.pkgs.ejabberd}/bin/ejabberdctl "$@"
|
||||
'')
|
||||
cfg.pkgs.ejabberd
|
||||
@ -80,7 +84,7 @@ in {
|
||||
serviceConfig = {
|
||||
ExecStart = pkgs.writeDash "ejabberd" ''
|
||||
${pkgs.coreutils}/bin/ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials
|
||||
${gen-dhparam} /var/lib/ejabberd/dhfile
|
||||
${gen-dhparam} ${cfg.stateDir}/dhfile
|
||||
exec ${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground
|
||||
'';
|
||||
LoadCredential = [
|
||||
@ -89,18 +93,10 @@ in {
|
||||
PrivateTmp = true;
|
||||
SyslogIdentifier = "ejabberd";
|
||||
StateDirectory = "ejabberd";
|
||||
User = cfg.user.name;
|
||||
User = "ejabberd";
|
||||
DynamicUser = true;
|
||||
TimeoutStartSec = 60;
|
||||
};
|
||||
};
|
||||
|
||||
users.users.${cfg.user.name} = {
|
||||
inherit (cfg.user) home name uid;
|
||||
createHome = true;
|
||||
group = cfg.user.name;
|
||||
isSystemUser = true;
|
||||
};
|
||||
|
||||
users.groups.${cfg.user.name} = {};
|
||||
};
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user