tv ejabberd: use dynamic user

tv 2022-08-22 14:58:40 +02:00
parent c6aec96a55
commit 876fd5404d
2 changed files with 21 additions and 25 deletions


@ -62,7 +62,7 @@ in /* yaml */ ''
module: ejabberd_c2s module: ejabberd_c2s
shaper: c2s_shaper shaper: c2s_shaper
ciphers: ${toJSON ciphers} ciphers: ${toJSON ciphers}
dhfile: /var/lib/ejabberd/dhfile dhfile: ${config.stateDir}/dhfile
protocol_options: ${toJSON protocol_options} protocol_options: ${toJSON protocol_options}
starttls: true starttls: true
starttls_required: true starttls_required: true
@ -112,7 +112,7 @@ in /* yaml */ ''
s2s_access: s2s s2s_access: s2s
s2s_ciphers: ${toJSON ciphers} s2s_ciphers: ${toJSON ciphers}
s2s_dhfile: /var/lib/ejabberd/dhfile s2s_dhfile: ${config.stateDir}/dhfile
s2s_protocol_options: ${toJSON protocol_options} s2s_protocol_options: ${toJSON protocol_options}
s2s_tls_compression: false s2s_tls_compression: false
s2s_use_starttls: required s2s_use_starttls: required


@ -33,8 +33,11 @@ in {
inherit pkgs; inherit pkgs;
config = cfg; config = cfg;
})} \ })} \
--logs ${shell.escape cfg.user.home} \ --ctl-config ${toFile "ejabberdctl.cfg" /* sh */ ''
--spool ${shell.escape cfg.user.home} \ ERL_OPTIONS='-setcookie ${cfg.stateDir}/.erlang.cookie'
''} \
--logs ${cfg.stateDir} \
--spool ${cfg.stateDir} \
"$@" "$@"
'') '')
pkgs.ejabberd pkgs.ejabberd
@ -47,12 +50,10 @@ in {
config.krebs.users.tv.mail config.krebs.users.tv.mail
]; ];
}; };
user = mkOption { stateDir = mkOption {
type = types.user; type = types.absolute-pathname;
default = { default = "/var/lib/ejabberd";
name = "ejabberd"; readOnly = true;
home = "/var/lib/ejabberd";
};
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
@ -61,10 +62,13 @@ in {
name = "ejabberd-sudo-wrapper"; name = "ejabberd-sudo-wrapper";
paths = [ paths = [
(pkgs.writeDashBin "ejabberdctl" '' (pkgs.writeDashBin "ejabberdctl" ''
set -efu exec ${pkgs.systemd}/bin/systemd-run \
cd ${shell.escape cfg.user.home} --unit=ejabberdctl \
exec /run/wrappers/bin/sudo \ --property=StateDirectory=ejabberd \
-u ${shell.escape cfg.user.name} \ --property=User=ejabberd \
--collect \
--pipe \
--quiet \
${cfg.pkgs.ejabberd}/bin/ejabberdctl "$@" ${cfg.pkgs.ejabberd}/bin/ejabberdctl "$@"
'') '')
cfg.pkgs.ejabberd cfg.pkgs.ejabberd
@ -80,7 +84,7 @@ in {
serviceConfig = { serviceConfig = {
ExecStart = pkgs.writeDash "ejabberd" '' ExecStart = pkgs.writeDash "ejabberd" ''
${pkgs.coreutils}/bin/ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials ${pkgs.coreutils}/bin/ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials
${gen-dhparam} /var/lib/ejabberd/dhfile ${gen-dhparam} ${cfg.stateDir}/dhfile
exec ${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground exec ${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground
''; '';
LoadCredential = [ LoadCredential = [
@ -89,18 +93,10 @@ in {
PrivateTmp = true; PrivateTmp = true;
SyslogIdentifier = "ejabberd"; SyslogIdentifier = "ejabberd";
StateDirectory = "ejabberd"; StateDirectory = "ejabberd";
User = cfg.user.name; User = "ejabberd";
DynamicUser = true;
TimeoutStartSec = 60; TimeoutStartSec = 60;
}; };
}; };
users.users.${cfg.user.name} = {
inherit (cfg.user) home name uid;
createHome = true;
group = cfg.user.name;
isSystemUser = true;
};
users.groups.${cfg.user.name} = {};
}; };
} }
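Review bot: `ERL_OPTIONS='-setcookie ${cfg.stateDir}/.erlang.cookie'` in the new `ejabberdctl.cfg` (first hunk, the `--ctl-config` argument) sets the Erlang cookie to the literal string `/var/lib/ejabberd/.erlang.cookie` rather than to the contents of that file: `-setcookie` takes the cookie value itself, and `toFile` puts the config world-readable in the Nix store, so the shared secret that authenticates Erlang distribution becomes a fixed, public value for both the service and the `systemd-run` control wrapper. If the intent is to keep a generated cookie in the state directory now that the dynamic user has no stable home, drop that line and instead point the node at the state directory, e.g. `--property=Environment=HOME=${cfg.stateDir}` on the transient unit and `Environment = "HOME=${cfg.stateDir}";` in the service's `serviceConfig`, so Erlang reads and creates its usual `$HOME/.erlang.cookie` there with its default permission checks. Separately, in the third hunk the wrapper passes `--property=User=ejabberd` but no `DynamicUser` property while the service now relies on `DynamicUser = true` and the static `users.users` entry is removed; that name presumably resolves only while the service is running, so the two units should declare the same user semantics (`--property=DynamicUser=true` alongside the `User=` line). A short comment on `stateDir` noting that its `readOnly` default must match `StateDirectory = "ejabberd"` would also help the next maintainer.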