tv ejabberd: use dynamic user

2022-08-22 14:58:40 +02:00 · 2022-08-22 14:58:40 +02:00 · 876fd5404d
parent c6aec96a55
commit 876fd5404d
2 changed files with 21 additions and 25 deletions
--- a/tv/3modules/ejabberd/config.nix
+++ b/tv/3modules/ejabberd/config.nix
@ -62,7 +62,7 @@ in /* yaml */ ''
      module: ejabberd_c2s
      shaper: c2s_shaper
      ciphers: ${toJSON ciphers}
-      dhfile: /var/lib/ejabberd/dhfile
+      dhfile: ${config.stateDir}/dhfile
      protocol_options: ${toJSON protocol_options}
      starttls: true
      starttls_required: true
@ -112,7 +112,7 @@ in /* yaml */ ''

  s2s_access: s2s
  s2s_ciphers: ${toJSON ciphers}
-  s2s_dhfile: /var/lib/ejabberd/dhfile
+  s2s_dhfile: ${config.stateDir}/dhfile
  s2s_protocol_options: ${toJSON protocol_options}
  s2s_tls_compression: false
  s2s_use_starttls: required
--- a/tv/3modules/ejabberd/default.nix
+++ b/tv/3modules/ejabberd/default.nix
@ -33,8 +33,11 @@ in {
                  inherit pkgs;
                  config = cfg;
                })} \
-                --logs ${shell.escape cfg.user.home} \
-                --spool ${shell.escape cfg.user.home} \
+                --ctl-config ${toFile "ejabberdctl.cfg" /* sh */ ''
+                  ERL_OPTIONS='-setcookie ${cfg.stateDir}/.erlang.cookie'
+                ''} \
+                --logs ${cfg.stateDir} \
+                --spool ${cfg.stateDir} \
                "$@"
          '')
          pkgs.ejabberd
@ -47,12 +50,10 @@ in {
        config.krebs.users.tv.mail
      ];
    };
-    user = mkOption {
-      type = types.user;
-      default = {
-        name = "ejabberd";
-        home = "/var/lib/ejabberd";
-      };
+    stateDir = mkOption {
+      type = types.absolute-pathname;
+      default = "/var/lib/ejabberd";
+      readOnly = true;
    };
  };
  config = lib.mkIf cfg.enable {
@ -61,10 +62,13 @@ in {
        name = "ejabberd-sudo-wrapper";
        paths = [
          (pkgs.writeDashBin "ejabberdctl" ''
-            set -efu
-            cd ${shell.escape cfg.user.home}
-            exec /run/wrappers/bin/sudo \
-                -u ${shell.escape cfg.user.name} \
+            exec ${pkgs.systemd}/bin/systemd-run \
+                --unit=ejabberdctl \
+                --property=StateDirectory=ejabberd \
+                --property=User=ejabberd \
+                --collect \
+                --pipe \
+                --quiet \
                ${cfg.pkgs.ejabberd}/bin/ejabberdctl "$@"
          '')
          cfg.pkgs.ejabberd
@ -80,7 +84,7 @@ in {
      serviceConfig = {
        ExecStart = pkgs.writeDash "ejabberd" ''
          ${pkgs.coreutils}/bin/ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials
-          ${gen-dhparam} /var/lib/ejabberd/dhfile
+          ${gen-dhparam} ${cfg.stateDir}/dhfile
          exec ${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground
        '';
        LoadCredential = [
@ -89,18 +93,10 @@ in {
        PrivateTmp = true;
        SyslogIdentifier = "ejabberd";
        StateDirectory = "ejabberd";
-        User = cfg.user.name;
+        User = "ejabberd";
+        DynamicUser = true;
        TimeoutStartSec = 60;
      };
    };
-
-    users.users.${cfg.user.name} = {
-      inherit (cfg.user) home name uid;
-      createHome = true;
-      group = cfg.user.name;
-      isSystemUser = true;
-    };
-
-    users.groups.${cfg.user.name} = {};
  };
 }