tv ejabberd: use dynamic user
This commit is contained in:
parent
c6aec96a55
commit
876fd5404d
@ -62,7 +62,7 @@ in /* yaml */ ''
|
|||||||
module: ejabberd_c2s
|
module: ejabberd_c2s
|
||||||
shaper: c2s_shaper
|
shaper: c2s_shaper
|
||||||
ciphers: ${toJSON ciphers}
|
ciphers: ${toJSON ciphers}
|
||||||
dhfile: /var/lib/ejabberd/dhfile
|
dhfile: ${config.stateDir}/dhfile
|
||||||
protocol_options: ${toJSON protocol_options}
|
protocol_options: ${toJSON protocol_options}
|
||||||
starttls: true
|
starttls: true
|
||||||
starttls_required: true
|
starttls_required: true
|
||||||
@ -112,7 +112,7 @@ in /* yaml */ ''
|
|||||||
|
|
||||||
s2s_access: s2s
|
s2s_access: s2s
|
||||||
s2s_ciphers: ${toJSON ciphers}
|
s2s_ciphers: ${toJSON ciphers}
|
||||||
s2s_dhfile: /var/lib/ejabberd/dhfile
|
s2s_dhfile: ${config.stateDir}/dhfile
|
||||||
s2s_protocol_options: ${toJSON protocol_options}
|
s2s_protocol_options: ${toJSON protocol_options}
|
||||||
s2s_tls_compression: false
|
s2s_tls_compression: false
|
||||||
s2s_use_starttls: required
|
s2s_use_starttls: required
|
||||||
|
@ -33,8 +33,11 @@ in {
|
|||||||
inherit pkgs;
|
inherit pkgs;
|
||||||
config = cfg;
|
config = cfg;
|
||||||
})} \
|
})} \
|
||||||
--logs ${shell.escape cfg.user.home} \
|
--ctl-config ${toFile "ejabberdctl.cfg" /* sh */ ''
|
||||||
--spool ${shell.escape cfg.user.home} \
|
ERL_OPTIONS='-setcookie ${cfg.stateDir}/.erlang.cookie'
|
||||||
|
''} \
|
||||||
|
--logs ${cfg.stateDir} \
|
||||||
|
--spool ${cfg.stateDir} \
|
||||||
"$@"
|
"$@"
|
||||||
'')
|
'')
|
||||||
pkgs.ejabberd
|
pkgs.ejabberd
|
||||||
@ -47,12 +50,10 @@ in {
|
|||||||
config.krebs.users.tv.mail
|
config.krebs.users.tv.mail
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
user = mkOption {
|
stateDir = mkOption {
|
||||||
type = types.user;
|
type = types.absolute-pathname;
|
||||||
default = {
|
default = "/var/lib/ejabberd";
|
||||||
name = "ejabberd";
|
readOnly = true;
|
||||||
home = "/var/lib/ejabberd";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
@ -61,10 +62,13 @@ in {
|
|||||||
name = "ejabberd-sudo-wrapper";
|
name = "ejabberd-sudo-wrapper";
|
||||||
paths = [
|
paths = [
|
||||||
(pkgs.writeDashBin "ejabberdctl" ''
|
(pkgs.writeDashBin "ejabberdctl" ''
|
||||||
set -efu
|
exec ${pkgs.systemd}/bin/systemd-run \
|
||||||
cd ${shell.escape cfg.user.home}
|
--unit=ejabberdctl \
|
||||||
exec /run/wrappers/bin/sudo \
|
--property=StateDirectory=ejabberd \
|
||||||
-u ${shell.escape cfg.user.name} \
|
--property=User=ejabberd \
|
||||||
|
--collect \
|
||||||
|
--pipe \
|
||||||
|
--quiet \
|
||||||
${cfg.pkgs.ejabberd}/bin/ejabberdctl "$@"
|
${cfg.pkgs.ejabberd}/bin/ejabberdctl "$@"
|
||||||
'')
|
'')
|
||||||
cfg.pkgs.ejabberd
|
cfg.pkgs.ejabberd
|
||||||
@ -80,7 +84,7 @@ in {
|
|||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = pkgs.writeDash "ejabberd" ''
|
ExecStart = pkgs.writeDash "ejabberd" ''
|
||||||
${pkgs.coreutils}/bin/ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials
|
${pkgs.coreutils}/bin/ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials
|
||||||
${gen-dhparam} /var/lib/ejabberd/dhfile
|
${gen-dhparam} ${cfg.stateDir}/dhfile
|
||||||
exec ${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground
|
exec ${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground
|
||||||
'';
|
'';
|
||||||
LoadCredential = [
|
LoadCredential = [
|
||||||
@ -89,18 +93,10 @@ in {
|
|||||||
PrivateTmp = true;
|
PrivateTmp = true;
|
||||||
SyslogIdentifier = "ejabberd";
|
SyslogIdentifier = "ejabberd";
|
||||||
StateDirectory = "ejabberd";
|
StateDirectory = "ejabberd";
|
||||||
User = cfg.user.name;
|
User = "ejabberd";
|
||||||
|
DynamicUser = true;
|
||||||
TimeoutStartSec = 60;
|
TimeoutStartSec = 60;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.${cfg.user.name} = {
|
|
||||||
inherit (cfg.user) home name uid;
|
|
||||||
createHome = true;
|
|
||||||
group = cfg.user.name;
|
|
||||||
isSystemUser = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
users.groups.${cfg.user.name} = {};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
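Review bot: The Erlang cookie in the new ejabberdctl.cfg (hunk `@ -33,8 +33,11 @@`, the `ERL_OPTIONS='-setcookie ${cfg.stateDir}/.erlang.cookie'` line) is set to the literal path string rather than to the file's contents, because `erl -setcookie` takes the cookie value itself; both the service and the systemd-run ejabberdctl wrapper therefore authenticate Erlang distribution peers with a fixed, predictable cookie instead of the random one Erlang normally keeps in `$HOME/.erlang.cookie`. The cookie is the only authentication on the distribution listener, so the exposure is whatever can reach that port (typically local users when it is bound to loopback). If the intent is to keep a per-host random cookie now that DynamicUser no longer provides a writable home, export `HOME=${cfg.stateDir}` from the sourced cfg so Erlang finds (and on first start creates) `${cfg.stateDir}/.erlang.cookie`, or create the cookie in the state dir at start and pass its contents, e.g. `ERL_OPTIONS="-setcookie $(cat ${cfg.stateDir}/.erlang.cookie)"`. Whether the packaged ejabberdctl script itself resets HOME before exec should be confirmed, as that would decide which of the two forms works; the transient unit in hunk `@ -61,10 +62,13 @@` uses the same cfg and so inherits whichever cookie is chosen.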
|