From 876fd5404d0bc9f838119505a4b7a9b7bdb60e9e Mon Sep 17 00:00:00 2001
From: tv
Date: Mon, 22 Aug 2022 14:58:40 +0200
Subject: [PATCH] tv ejabberd: use dynamic user

---
 tv/3modules/ejabberd/config.nix | 4 +--
 tv/3modules/ejabberd/default.nix | 42 +++++++++++++++-----------------
 2 files changed, 21 insertions(+), 25 deletions(-)

diff --git a/tv/3modules/ejabberd/config.nix b/tv/3modules/ejabberd/config.nix
index a022bc448..cc4dbcfb1 100644
--- a/tv/3modules/ejabberd/config.nix
+++ b/tv/3modules/ejabberd/config.nix
@@ -62,7 +62,7 @@ in /* yaml */ ''
 module: ejabberd_c2s
 shaper: c2s_shaper
 ciphers: ${toJSON ciphers}
- dhfile: /var/lib/ejabberd/dhfile
+ dhfile: ${config.stateDir}/dhfile
 protocol_options: ${toJSON protocol_options}
 starttls: true
 starttls_required: true
@@ -112,7 +112,7 @@ in /* yaml */ ''
 s2s_access: s2s
 s2s_ciphers: ${toJSON ciphers}
- s2s_dhfile: /var/lib/ejabberd/dhfile
+ s2s_dhfile: ${config.stateDir}/dhfile
 s2s_protocol_options: ${toJSON protocol_options}
 s2s_tls_compression: false
 s2s_use_starttls: required
diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix
index 67683b186..147e53d61 100644
--- a/tv/3modules/ejabberd/default.nix
+++ b/tv/3modules/ejabberd/default.nix
@@ -33,8 +33,11 @@ in {
 inherit pkgs;
 config = cfg;
 })} \
- --logs ${shell.escape cfg.user.home} \
- --spool ${shell.escape cfg.user.home} \
+ --ctl-config ${toFile "ejabberdctl.cfg" /* sh */ ''
+ ERL_OPTIONS='-setcookie ${cfg.stateDir}/.erlang.cookie'
+ ''} \
+ --logs ${cfg.stateDir} \
+ --spool ${cfg.stateDir} \
 "$@"
 '')
 pkgs.ejabberd
@@ -47,12 +50,10 @@ in {
 config.krebs.users.tv.mail
 ];
 };
- user = mkOption {
- type = types.user;
- default = {
- name = "ejabberd";
- home = "/var/lib/ejabberd";
- };
+ stateDir = mkOption {
+ type = types.absolute-pathname;
+ default = "/var/lib/ejabberd";
+ readOnly = true;
 };
 };
 config = lib.mkIf cfg.enable {
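Review bot: `ERL_OPTIONS='-setcookie ${cfg.stateDir}/.erlang.cookie'` in the new `--ctl-config` file sets the Erlang distribution cookie to the literal string `/var/lib/ejabberd/.erlang.cookie`, not to the contents of that file: `-setcookie` takes the cookie value itself, and the cookie file location is derived from `$HOME`. The cookie therefore becomes a fixed value readable from the world-readable Nix store (and presumably from the node's argument list), and it is the value the ejabberdctl wrapper in hunk `@@ -61,10 +62,13 @@` must match as well. If the intent was to keep the cookie file inside the state directory, set `environment.HOME = cfg.stateDir;` on the ejabberd service (and on the ejabberdctl transient unit) and drop the `--ctl-config` file, or provision the cookie through the `LoadCredential` list the service already uses. The `writeDash` wrapper this line belongs to starts before the hunk.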
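Review bot: The new `stateDir` option has no `description`, and because it is `readOnly = true` its only role is to name a path that must agree with `StateDirectory = "ejabberd"` and `--property=StateDirectory=ejabberd` in the later hunks of this file, which nothing states. Suggest `description = "State directory of the ejabberd service; read-only because it must match the systemd StateDirectory= name.";` inside the `mkOption`. The enclosing attribute set starts before the hunk.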
@@ -61,10 +62,13 @@ in {
 name = "ejabberd-sudo-wrapper";
 paths = [
 (pkgs.writeDashBin "ejabberdctl" ''
- set -efu
- cd ${shell.escape cfg.user.home}
- exec /run/wrappers/bin/sudo \
- -u ${shell.escape cfg.user.name} \
+ exec ${pkgs.systemd}/bin/systemd-run \
+ --unit=ejabberdctl \
+ --property=StateDirectory=ejabberd \
+ --property=User=ejabberd \
+ --collect \
+ --pipe \
+ --quiet \
 ${cfg.pkgs.ejabberd}/bin/ejabberdctl "$@"
 '')
 cfg.pkgs.ejabberd
@@ -80,7 +84,7 @@ in {
 serviceConfig = {
 ExecStart = pkgs.writeDash "ejabberd" ''
 ${pkgs.coreutils}/bin/ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials
- ${gen-dhparam} /var/lib/ejabberd/dhfile
+ ${gen-dhparam} ${cfg.stateDir}/dhfile
 exec ${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground
 '';
 LoadCredential = [
@@ -89,18 +93,10 @@ in {
 PrivateTmp = true;
 SyslogIdentifier = "ejabberd";
 StateDirectory = "ejabberd";
- User = cfg.user.name;
+ User = "ejabberd";
+ DynamicUser = true;
 TimeoutStartSec = 60;
 };
 };
-
- users.users.${cfg.user.name} = {
- inherit (cfg.user) home name uid;
- createHome = true;
- group = cfg.user.name;
- isSystemUser = true;
- };
-
- users.groups.${cfg.user.name} = {};
 };
 }
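Review bot: The transient unit started by the new ejabberdctl wrapper sets `--property=User=ejabberd` but not `DynamicUser=yes`, while the ejabberd service in hunk `@@ -89,18 +93,10 @@` runs with `DynamicUser = true` and its static `users.users.ejabberd` entry is removed; as far as I can tell the name `ejabberd` then resolves only through nss-systemd while the service is running, and the transient unit's `StateDirectory=ejabberd` is handled as a plain directory rather than the private one the dynamic user owns, so user lookup and ownership may differ between the two units. Suggest adding `--property=DynamicUser=yes \` next to `--property=User=ejabberd \` so both units share the same user and state-directory semantics. The fixed `--unit=ejabberdctl` also makes two concurrent invocations collide on the unit name, and `--quiet` hides that failure; omitting `--unit` lets systemd-run generate a unique name. Starting a system unit this way presumably still needs root or polkit authorisation, which the old sudo wrapper made explicit and the new one leaves undocumented.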
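Review bot: Switching to `DynamicUser = true` changes who owns the existing state: with `StateDirectory = "ejabberd"` systemd keeps the directory under `/var/lib/private/ejabberd` with `/var/lib/ejabberd` as a symlink and, as I understand it, adjusts ownership to the UID allocated at each start, so the dhfile, spool and logs written by the former static `ejabberd` user (whose `users.users` entry this hunk removes) need migrating or re-owning on the first start after this change, and neither the code nor the commit message says so. A short comment next to `DynamicUser = true;` such as `# state lives in /var/lib/private/ejabberd; ownership follows the runtime UID` would record this for the next reader. The enclosing `config = lib.mkIf cfg.enable { … }` set starts before the hunk.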