Merge remote-tracking branch 'ni/master'
commit
9f194012bd
@ -24,13 +24,8 @@ let
|
|||||||
type = types.str;
|
type = types.str;
|
||||||
};
|
};
|
||||||
private_key = mkOption {
|
private_key = mkOption {
|
||||||
type = types.secret-file;
|
type = types.absolute-pathname;
|
||||||
default = {
|
default = toString <secrets> + "/${config.domain}.dkim.priv";
|
||||||
name = "exim.dkim_private_key/${config.domain}";
|
|
||||||
path = "/run/krebs.secret/${config.domain}.dkim_private_key";
|
|
||||||
owner.name = "exim";
|
|
||||||
source-path = toString <secrets> + "/${config.domain}.dkim.priv";
|
|
||||||
};
|
|
||||||
defaultText = "‹secrets/‹domain›.dkim.priv›";
|
defaultText = "‹secrets/‹domain›.dkim.priv›";
|
||||||
};
|
};
|
||||||
selector = mkOption {
|
selector = mkOption {
|
||||||
@ -111,24 +106,13 @@ let
|
|||||||
};
|
};
|
||||||
|
|
||||||
imp = {
|
imp = {
|
||||||
krebs.secret.files = listToAttrs (flip map cfg.dkim (dkim: {
|
krebs.systemd.services.exim = {};
|
||||||
name = "exim.dkim_private_key/${dkim.domain}";
|
systemd.services.exim.serviceConfig.LoadCredential =
|
||||||
value = dkim.private_key;
|
map (dkim: "${dkim.domain}.dkim_private_key:${dkim.private_key}") cfg.dkim;
|
||||||
}));
|
|
||||||
systemd.services = mkIf (cfg.dkim != []) {
|
|
||||||
exim = {
|
|
||||||
after = flip map cfg.dkim (dkim:
|
|
||||||
config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service
|
|
||||||
);
|
|
||||||
partOf = flip map cfg.dkim (dkim:
|
|
||||||
config.krebs.secret.files."exim.dkim_private_key/${dkim.domain}".service
|
|
||||||
);
|
|
||||||
};
|
|
||||||
};
|
|
||||||
krebs.exim = {
|
krebs.exim = {
|
||||||
enable = true;
|
enable = true;
|
||||||
config = /* exim */ ''
|
config = /* exim */ ''
|
||||||
keep_environment =
|
keep_environment = CREDENTIALS_DIRECTORY
|
||||||
|
|
||||||
primary_hostname = ${cfg.primary_hostname}
|
primary_hostname = ${cfg.primary_hostname}
|
||||||
|
|
||||||
@ -242,8 +226,9 @@ let
|
|||||||
${optionalString (cfg.dkim != []) (indent /* exim */ ''
|
${optionalString (cfg.dkim != []) (indent /* exim */ ''
|
||||||
dkim_canon = relaxed
|
dkim_canon = relaxed
|
||||||
dkim_domain = $sender_address_domain
|
dkim_domain = $sender_address_domain
|
||||||
dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}}
|
dkim_private_key = ''${lookup{$sender_address_domain.dkim_private_key}dsearch,ret=full{''${env{CREDENTIALS_DIRECTORY}{$value}fail}}}
|
||||||
dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}}
|
dkim_selector = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_selector}}}
|
||||||
|
dkim_strict = true
|
||||||
'')}
|
'')}
|
||||||
helo_data = ''${if eq{$acl_m_special_dom}{} \
|
helo_data = ''${if eq{$acl_m_special_dom}{} \
|
||||||
{$primary_hostname} \
|
{$primary_hostname} \
|
||||||
@ -281,10 +266,6 @@ let
|
|||||||
inherit (cfg) internet-aliases;
|
inherit (cfg) internet-aliases;
|
||||||
inherit (cfg) system-aliases;
|
inherit (cfg) system-aliases;
|
||||||
} // optionalAttrs (cfg.dkim != []) {
|
} // optionalAttrs (cfg.dkim != []) {
|
||||||
dkim_private_key = flip map cfg.dkim (dkim: {
|
|
||||||
from = dkim.domain;
|
|
||||||
to = dkim.private_key.path;
|
|
||||||
});
|
|
||||||
dkim_selector = flip map cfg.dkim (dkim: {
|
dkim_selector = flip map cfg.dkim (dkim: {
|
||||||
from = dkim.domain;
|
from = dkim.domain;
|
||||||
to = dkim.selector;
|
to = dkim.selector;
|
||||||
|
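Review bot: The removed secret-file spec handed the DKIM key to `owner.name = "exim"`, while `$CREDENTIALS_DIRECTORY` is created mode 0700 owned by the unit's `User` (root if the exim unit sets none), and the new `dkim_private_key` expansion is evaluated in the transport process, which Exim runs as its `exim_user` rather than root; if the unit still runs as root this needs to be confirmed on a host, since `dkim_strict = true` now turns an unreadable key into a rejected delivery instead of unsigned mail. The `dsearch` lookup refuses keys containing `/`, so a crafted `$sender_address_domain` cannot escape the credentials directory; a comment above that line, e.g. `# dsearch rejects keys containing "/" so the sender domain cannot escape $CREDENTIALS_DIRECTORY`, would spare the next reader that check. `toString <secrets>` keeps the key path out of /nix/store and LoadCredential reads it at service start on the target, which is the right split; the `private_key` option's `defaultText` still matches. Key rotation now requires an explicit restart, since the `partOf` wiring that used to restart exim when the secret changed is gone.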
@ -122,13 +122,9 @@ let
|
|||||||
};
|
};
|
||||||
|
|
||||||
privateKeyFile = mkOption {
|
privateKeyFile = mkOption {
|
||||||
type = types.secret-file;
|
type = types.absolute-pathname;
|
||||||
default = {
|
default = toString <secrets> + "/repo-sync.ssh.key";
|
||||||
name = "repo-sync-key";
|
defaultText = "‹secrets/repo-sync.ssh.key›";
|
||||||
path = "${cfg.stateDir}/ssh.priv";
|
|
||||||
owner = cfg.user;
|
|
||||||
source-path = toString <secrets> + "/repo-sync.ssh.key";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
unitConfig = mkOption {
|
unitConfig = mkOption {
|
||||||
@ -144,14 +140,16 @@ let
|
|||||||
};
|
};
|
||||||
|
|
||||||
imp = {
|
imp = {
|
||||||
krebs.secret.files.repo-sync-key = cfg.privateKeyFile;
|
|
||||||
users.users.${cfg.user.name} = {
|
users.users.${cfg.user.name} = {
|
||||||
inherit (cfg.user) home name uid;
|
inherit (cfg.user) home name uid;
|
||||||
createHome = true;
|
createHome = true;
|
||||||
|
group = cfg.user.name;
|
||||||
description = "repo-sync user";
|
description = "repo-sync user";
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
users.groups.${cfg.user.name} = {};
|
||||||
|
|
||||||
systemd.timers = mapAttrs' (name: repo:
|
systemd.timers = mapAttrs' (name: repo:
|
||||||
nameValuePair "repo-sync-${name}" {
|
nameValuePair "repo-sync-${name}" {
|
||||||
description = "repo-sync timer";
|
description = "repo-sync timer";
|
||||||
@ -160,6 +158,10 @@ let
|
|||||||
}
|
}
|
||||||
) cfg.repos;
|
) cfg.repos;
|
||||||
|
|
||||||
|
krebs.systemd.services = mapAttrs' (name: _:
|
||||||
|
nameValuePair "repo-sync-${name}" {}
|
||||||
|
) cfg.repos;
|
||||||
|
|
||||||
systemd.services = mapAttrs' (name: repo:
|
systemd.services = mapAttrs' (name: repo:
|
||||||
let
|
let
|
||||||
repo-sync-config = pkgs.writeJSON "repo-sync-config-${name}.json"
|
repo-sync-config = pkgs.writeJSON "repo-sync-config-${name}.json"
|
||||||
@ -168,16 +170,10 @@ let
|
|||||||
});
|
});
|
||||||
in nameValuePair "repo-sync-${name}" {
|
in nameValuePair "repo-sync-${name}" {
|
||||||
description = "repo-sync";
|
description = "repo-sync";
|
||||||
after = [
|
after = [ "network.target" ];
|
||||||
config.krebs.secret.files.repo-sync-key.service
|
|
||||||
"network.target"
|
|
||||||
];
|
|
||||||
partOf = [
|
|
||||||
config.krebs.secret.files.repo-sync-key.service
|
|
||||||
];
|
|
||||||
|
|
||||||
environment = {
|
environment = {
|
||||||
GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i ${cfg.privateKeyFile.path}";
|
GIT_SSH_COMMAND = "${pkgs.openssh}/bin/ssh -i $CREDENTIALS_DIRECTORY/ssh_key";
|
||||||
REPONAME = "${name}.git";
|
REPONAME = "${name}.git";
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -185,6 +181,7 @@ let
|
|||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "simple";
|
Type = "simple";
|
||||||
PermissionsStartOnly = true;
|
PermissionsStartOnly = true;
|
||||||
|
LoadCredential = "ssh_key:${cfg.privateKeyFile}";
|
||||||
ExecStart = "${pkgs.repo-sync}/bin/repo-sync ${repo-sync-config}";
|
ExecStart = "${pkgs.repo-sync}/bin/repo-sync ${repo-sync-config}";
|
||||||
WorkingDirectory = cfg.stateDir;
|
WorkingDirectory = cfg.stateDir;
|
||||||
User = "repo-sync";
|
User = "repo-sync";
|
||||||
|
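Review bot: The `$CREDENTIALS_DIRECTORY` in `GIT_SSH_COMMAND` is not expanded by systemd (`Environment=` gets no `$VAR` substitution) and only works because git runs that command through `sh -c`; a comment such as `# expanded by the shell git uses for GIT_SSH_COMMAND, not by systemd` would prevent someone "fixing" it into `%`-specifier form. The key copy the old `krebs.secret.files` entry deployed to `${cfg.stateDir}/ssh.priv` is no longer managed but nothing removes it, so already-deployed hosts keep a second, now unmonitored, copy of the private key next to the working directory; a one-off cleanup (tmpfiles `r` rule or a documented manual step) seems worth adding in this commit. With `LoadCredential` the key is snapshotted at unit start, so rotating `privateKeyFile` needs a restart of every `repo-sync-*` unit, which the removed `partOf` previously triggered.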
@ -31,7 +31,8 @@
|
|||||||
lib.types.absolute-pathname.check
|
lib.types.absolute-pathname.check
|
||||||
(map
|
(map
|
||||||
(lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
|
(lib.compose [ lib.maybeHead (lib.match "[^:]*:(.*)") ])
|
||||||
config.systemd.services.${serviceName}.serviceConfig.LoadCredential);
|
(lib.toList
|
||||||
|
config.systemd.services.${serviceName}.serviceConfig.LoadCredential));
|
||||||
}
|
}
|
||||||
) config.krebs.systemd.services;
|
) config.krebs.systemd.services;
|
||||||
|
|
||||||
|
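Review bot: `lib.match "[^:]*:(.*)"` returns null for a bare-ID entry (`LoadCredential = "foo"`, which makes systemd look the credential up by name instead of a path), so `absolute-pathname.check null` fails the assertion for that form; if the intent is to forbid anything but `ID:/absolute/path` a short comment saying so would help, otherwise the match should accept the bare form explicitly. `lib.toList` correctly covers both the string and list spellings now used by the exim, repo-sync and charybdis units. The check does not look at `LoadCredentialEncrypted` or `SetCredential`, which is fine today but worth naming in the comment. The enclosing function starts and ends outside this hunk.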
@ -61,13 +61,13 @@ in toFile "charybdis.conf" ''
|
|||||||
vhost6 = ${toJSON config.krebs.build.host.nets.retiolum.ip6.addr};
|
vhost6 = ${toJSON config.krebs.build.host.nets.retiolum.ip6.addr};
|
||||||
|
|
||||||
/* ssl_private_key: our ssl private key */
|
/* ssl_private_key: our ssl private key */
|
||||||
ssl_private_key = ${toJSON cfg.ssl_private_key.path};
|
ssl_private_key = "/tmp/credentials/ssl_private_key";
|
||||||
|
|
||||||
/* ssl_cert: certificate for our ssl server */
|
/* ssl_cert: certificate for our ssl server */
|
||||||
ssl_cert = ${toJSON cfg.ssl_cert};
|
ssl_cert = ${toJSON cfg.ssl_cert};
|
||||||
|
|
||||||
/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
|
/* ssl_dh_params: DH parameters, generate with openssl dhparam -out dh.pem 1024 */
|
||||||
ssl_dh_params = ${toJSON cfg.ssl_dh_params.path};
|
ssl_dh_params = "/tmp/credentials/ssl_dh_params";
|
||||||
|
|
||||||
/* ssld_count: number of ssld processes you want to start, if you
|
/* ssld_count: number of ssld processes you want to start, if you
|
||||||
* have a really busy server, using N-1 where N is the number of
|
* have a really busy server, using N-1 where N is the number of
|
||||||
|
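Review bot: The hard-coded `/tmp/credentials/ssl_private_key` and `/tmp/credentials/ssl_dh_params` only resolve because the unit in default.nix symlinks `$CREDENTIALS_DIRECTORY` to that path inside its `PrivateTmp`; a comment here, e.g. `/* /tmp/credentials is a symlink to $CREDENTIALS_DIRECTORY created by the unit's ExecStartPre */`, ties the two files together for the next reader. Since the DH parameters are now shipped as a credential, the adjacent comment's advice to generate them with `openssl dhparam ... 1024` is worth updating to 2048 bits, as 1024-bit groups are considered too weak for TLS.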
@ -15,22 +15,12 @@ in {
|
|||||||
type = types.path;
|
type = types.path;
|
||||||
};
|
};
|
||||||
ssl_dh_params = mkOption {
|
ssl_dh_params = mkOption {
|
||||||
type = types.secret-file;
|
type = types.absolute-pathname;
|
||||||
default = {
|
default = toString <secrets> + "/charybdis.dh.pem";
|
||||||
name = "charybdis-ssl_dh_params";
|
|
||||||
path = "${cfg.user.home}/dh.pem";
|
|
||||||
owner = cfg.user;
|
|
||||||
source-path = toString <secrets> + "/charybdis.dh.pem";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
ssl_private_key = mkOption {
|
ssl_private_key = mkOption {
|
||||||
type = types.secret-file;
|
type = types.absolute-pathname;
|
||||||
default = {
|
default = toString <secrets> + "/charybdis.key.pem";
|
||||||
name = "charybdis-ssl_private_key";
|
|
||||||
path = "${cfg.user.home}/ssl.key.pem";
|
|
||||||
owner = cfg.user;
|
|
||||||
source-path = toString <secrets> + "/charybdis.key.pem";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
sslport = mkOption {
|
sslport = mkOption {
|
||||||
type = types.int;
|
type = types.int;
|
||||||
@ -46,22 +36,13 @@ in {
|
|||||||
};
|
};
|
||||||
config = lib.mkIf cfg.enable {
|
config = lib.mkIf cfg.enable {
|
||||||
|
|
||||||
krebs.secret.files.charybdis-ssl_dh_params = cfg.ssl_dh_params;
|
|
||||||
krebs.secret.files.charybdis-ssl_private_key = cfg.ssl_private_key;
|
|
||||||
|
|
||||||
environment.etc."charybdis-ircd.motd".text = cfg.motd;
|
environment.etc."charybdis-ircd.motd".text = cfg.motd;
|
||||||
|
|
||||||
|
krebs.systemd.services.charybdis = {};
|
||||||
|
|
||||||
systemd.services.charybdis = {
|
systemd.services.charybdis = {
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
after = [
|
after = [ "network-online.target" ];
|
||||||
config.krebs.secret.files.charybdis-ssl_dh_params.service
|
|
||||||
config.krebs.secret.files.charybdis-ssl_private_key.service
|
|
||||||
"network-online.target"
|
|
||||||
];
|
|
||||||
partOf = [
|
|
||||||
config.krebs.secret.files.charybdis-ssl_dh_params.service
|
|
||||||
config.krebs.secret.files.charybdis-ssl_private_key.service
|
|
||||||
];
|
|
||||||
environment = {
|
environment = {
|
||||||
BANDB_DBPATH = "${cfg.user.home}/ban.db";
|
BANDB_DBPATH = "${cfg.user.home}/ban.db";
|
||||||
};
|
};
|
||||||
@ -70,21 +51,30 @@ in {
|
|||||||
User = cfg.user.name;
|
User = cfg.user.name;
|
||||||
PrivateTmp = true;
|
PrivateTmp = true;
|
||||||
Restart = "always";
|
Restart = "always";
|
||||||
ExecStartPre =
|
ExecStartPre = [
|
||||||
"${pkgs.coreutils}/bin/ln -s /etc/charybdis-ircd.motd /tmp/ircd.motd";
|
"${pkgs.coreutils}/bin/ln -s /etc/charybdis-ircd.motd /tmp/ircd.motd"
|
||||||
|
"${pkgs.coreutils}/bin/ln -s \${CREDENTIALS_DIRECTORY} /tmp/credentials"
|
||||||
|
];
|
||||||
ExecStart = toString [
|
ExecStart = toString [
|
||||||
"${pkgs.charybdis}/bin/charybdis"
|
"${pkgs.charybdis}/bin/charybdis"
|
||||||
"-configfile ${import ./config.nix args}"
|
"-configfile ${import ./config.nix args}"
|
||||||
"-foreground"
|
"-foreground"
|
||||||
"-logfile /dev/stderr"
|
"-logfile /dev/stderr"
|
||||||
];
|
];
|
||||||
|
LoadCredential = [
|
||||||
|
"ssl_dh_params:${cfg.ssl_dh_params}"
|
||||||
|
"ssl_private_key:${cfg.ssl_private_key}"
|
||||||
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.${cfg.user.name} = {
|
users.users.${cfg.user.name} = {
|
||||||
inherit (cfg.user) home name uid;
|
inherit (cfg.user) home name uid;
|
||||||
createHome = true;
|
createHome = true;
|
||||||
|
group = cfg.user.name;
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
users.groups.${cfg.user.name} = {};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
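Review bot: `ln -s \${CREDENTIALS_DIRECTORY} /tmp/credentials` fails with EEXIST if the link already exists, which would leave the service unable to start; PrivateTmp is documented as being cleaned when the unit stops, so with `Restart = "always"` it should be fresh each time, but `"${pkgs.coreutils}/bin/ln -sfn \${CREDENTIALS_DIRECTORY} /tmp/credentials"` removes the dependency on that behaviour. The credential is snapshotted at start, so a rotated `ssl_private_key` now needs an explicit restart where the removed `partOf` entries used to trigger one. The old copies at `${cfg.user.home}/dh.pem` and `${cfg.user.home}/ssl.key.pem` are no longer managed and are not removed by this change, so deployed hosts keep a stale private key in the home directory.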
@ -48,6 +48,9 @@ in /* yaml */ ''
|
|||||||
- "::1/128"
|
- "::1/128"
|
||||||
- "::FFFF:127.0.0.1/128"
|
- "::FFFF:127.0.0.1/128"
|
||||||
|
|
||||||
|
certfiles:
|
||||||
|
- /tmp/credentials/certfile
|
||||||
|
|
||||||
hosts: ${toJSON config.hosts}
|
hosts: ${toJSON config.hosts}
|
||||||
|
|
||||||
language: "en"
|
language: "en"
|
||||||
@ -58,9 +61,8 @@ in /* yaml */ ''
|
|||||||
ip: "::"
|
ip: "::"
|
||||||
module: ejabberd_c2s
|
module: ejabberd_c2s
|
||||||
shaper: c2s_shaper
|
shaper: c2s_shaper
|
||||||
certfile: ${toJSON config.certfile.path}
|
|
||||||
ciphers: ${toJSON ciphers}
|
ciphers: ${toJSON ciphers}
|
||||||
dhfile: ${toJSON config.dhfile.path}
|
dhfile: /var/lib/ejabberd/dhfile
|
||||||
protocol_options: ${toJSON protocol_options}
|
protocol_options: ${toJSON protocol_options}
|
||||||
starttls: true
|
starttls: true
|
||||||
starttls_required: true
|
starttls_required: true
|
||||||
@ -109,9 +111,8 @@ in /* yaml */ ''
|
|||||||
mod_http_api: {}
|
mod_http_api: {}
|
||||||
|
|
||||||
s2s_access: s2s
|
s2s_access: s2s
|
||||||
s2s_certfile: ${toJSON config.s2s_certfile.path}
|
|
||||||
s2s_ciphers: ${toJSON ciphers}
|
s2s_ciphers: ${toJSON ciphers}
|
||||||
s2s_dhfile: ${toJSON config.dhfile.path}
|
s2s_dhfile: /var/lib/ejabberd/dhfile
|
||||||
s2s_protocol_options: ${toJSON protocol_options}
|
s2s_protocol_options: ${toJSON protocol_options}
|
||||||
s2s_tls_compression: false
|
s2s_tls_compression: false
|
||||||
s2s_use_starttls: required
|
s2s_use_starttls: required
|
||||||
|
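Review bot: The new top-level `certfiles:` entry replaces the per-listener `certfile` and `s2s_certfile`, which relies on an ejabberd release that supports `certfiles` (the version behind `cfg.pkgs.ejabberd` is not visible here); a comment naming that requirement next to the key would document why the listener-level settings were dropped. `/tmp/credentials/certfile` and `/var/lib/ejabberd/dhfile` are implicit contracts with the unit's ExecStart script and its `StateDirectory`, so a one-line comment such as `# /tmp/credentials is linked to $CREDENTIALS_DIRECTORY by the unit; dhfile is generated into StateDirectory` keeps them from drifting apart. The `dhfile` path is repeated for c2s and s2s; a `let dhfile = ...` binding would avoid a future mismatch.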
@ -16,22 +16,8 @@ in {
|
|||||||
options.tv.ejabberd = {
|
options.tv.ejabberd = {
|
||||||
enable = mkEnableOption "tv.ejabberd";
|
enable = mkEnableOption "tv.ejabberd";
|
||||||
certfile = mkOption {
|
certfile = mkOption {
|
||||||
type = types.secret-file;
|
type = types.absolute-pathname;
|
||||||
default = {
|
default = toString <secrets> + "/ejabberd.pem";
|
||||||
name = "ejabberd-certfile";
|
|
||||||
path = "${cfg.user.home}/ejabberd.pem";
|
|
||||||
owner = cfg.user;
|
|
||||||
source-path = toString <secrets> + "/ejabberd.pem";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
dhfile = mkOption {
|
|
||||||
type = types.secret-file;
|
|
||||||
default = {
|
|
||||||
name = "ejabberd-dhfile";
|
|
||||||
path = "${cfg.user.home}/dhparams.pem";
|
|
||||||
owner = cfg.user;
|
|
||||||
source-path = "/dev/null";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
hosts = mkOption {
|
hosts = mkOption {
|
||||||
type = with types; listOf str;
|
type = with types; listOf str;
|
||||||
@ -61,10 +47,6 @@ in {
|
|||||||
config.krebs.users.tv.mail
|
config.krebs.users.tv.mail
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
s2s_certfile = mkOption {
|
|
||||||
type = types.secret-file;
|
|
||||||
default = cfg.certfile;
|
|
||||||
};
|
|
||||||
user = mkOption {
|
user = mkOption {
|
||||||
type = types.user;
|
type = types.user;
|
||||||
default = {
|
default = {
|
||||||
@ -90,27 +72,24 @@ in {
|
|||||||
})
|
})
|
||||||
];
|
];
|
||||||
|
|
||||||
krebs.secret.files = {
|
krebs.systemd.services.ejabberd = {};
|
||||||
ejabberd-certfile = cfg.certfile;
|
|
||||||
ejabberd-s2s_certfile = cfg.s2s_certfile;
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.ejabberd = {
|
systemd.services.ejabberd = {
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
after = [
|
after = [ "network.target" ];
|
||||||
config.krebs.secret.files.ejabberd-certfile.service
|
|
||||||
config.krebs.secret.files.ejabberd-s2s_certfile.service
|
|
||||||
"network.target"
|
|
||||||
];
|
|
||||||
partOf = [
|
|
||||||
config.krebs.secret.files.ejabberd-certfile.service
|
|
||||||
config.krebs.secret.files.ejabberd-s2s_certfile.service
|
|
||||||
];
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStartPre = "${gen-dhparam} ${cfg.dhfile.path}";
|
ExecStart = pkgs.writeDash "ejabberd" ''
|
||||||
ExecStart = "${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground";
|
${pkgs.coreutils}/bin/ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials
|
||||||
|
${gen-dhparam} /var/lib/ejabberd/dhfile
|
||||||
|
exec ${cfg.pkgs.ejabberd}/bin/ejabberdctl foreground
|
||||||
|
'';
|
||||||
|
LoadCredential = [
|
||||||
|
"certfile:${cfg.certfile}"
|
||||||
|
];
|
||||||
PermissionsStartOnly = true;
|
PermissionsStartOnly = true;
|
||||||
|
PrivateTmp = true;
|
||||||
SyslogIdentifier = "ejabberd";
|
SyslogIdentifier = "ejabberd";
|
||||||
|
StateDirectory = "ejabberd";
|
||||||
User = cfg.user.name;
|
User = cfg.user.name;
|
||||||
TimeoutStartSec = 60;
|
TimeoutStartSec = 60;
|
||||||
};
|
};
|
||||||
@ -119,7 +98,10 @@ in {
|
|||||||
users.users.${cfg.user.name} = {
|
users.users.${cfg.user.name} = {
|
||||||
inherit (cfg.user) home name uid;
|
inherit (cfg.user) home name uid;
|
||||||
createHome = true;
|
createHome = true;
|
||||||
|
group = cfg.user.name;
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
users.groups.${cfg.user.name} = {};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
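Review bot: The `writeDash` ExecStart script has no error handling, so if `ln -s "$CREDENTIALS_DIRECTORY" /tmp/credentials` or `${gen-dhparam}` fails the script still execs ejabberd, which then starts without its certificate or DH file; adding `set -efu` as the script's first line makes those failures fatal at start instead of surfacing as TLS errors later. `PermissionsStartOnly = true` in the retained context no longer has an `ExecStartPre` to apply to, since dhparam generation moved into ExecStart and now runs as `cfg.user.name`, so that setting is dead and can be dropped. The old `${cfg.user.home}/ejabberd.pem` and `dhparams.pem` copies are no longer managed but are not cleaned up, and certificate rotation now requires a restart, which the removed `partOf` entries used to provide.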
@ -11,17 +11,12 @@ in {
|
|||||||
};
|
};
|
||||||
enable = mkEnableOption "tv.x0vncserver";
|
enable = mkEnableOption "tv.x0vncserver";
|
||||||
pwfile = mkOption {
|
pwfile = mkOption {
|
||||||
default = {
|
default = toString <secrets> + "/vncpasswd";
|
||||||
name = "x0vncserver-pwfile";
|
|
||||||
owner = cfg.user;
|
|
||||||
path = "${cfg.user.home}/.vncpasswd";
|
|
||||||
source-path = toString <secrets> + "/vncpasswd";
|
|
||||||
};
|
|
||||||
description = ''
|
description = ''
|
||||||
Use vncpasswd to edit pwfile.
|
Use vncpasswd to edit pwfile.
|
||||||
See: nix-shell -p tigervnc --run 'man vncpasswd'
|
See: nix-shell -p tigervnc --run 'man vncpasswd'
|
||||||
'';
|
'';
|
||||||
type = types.secret-file;
|
type = types.absolute-pathname;
|
||||||
};
|
};
|
||||||
rfbport = mkOption {
|
rfbport = mkOption {
|
||||||
default = 5900;
|
default = 5900;
|
||||||
@ -33,26 +28,17 @@ in {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
krebs.secret.files = {
|
krebs.systemd.services.x0vncserver = {};
|
||||||
x0vncserver-pwfile = cfg.pwfile;
|
|
||||||
};
|
|
||||||
systemd.services.x0vncserver = {
|
systemd.services.x0vncserver = {
|
||||||
after = [
|
after = [ "graphical.target" ];
|
||||||
config.krebs.secret.files.x0vncserver-pwfile.service
|
requires = [ "graphical.target" ];
|
||||||
"graphical.target"
|
|
||||||
];
|
|
||||||
partOf = [
|
|
||||||
config.krebs.secret.files.x0vncserver-pwfile.service
|
|
||||||
];
|
|
||||||
requires = [
|
|
||||||
"graphical.target"
|
|
||||||
];
|
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
ExecStart = "${pkgs.tigervnc}/bin/x0vncserver ${toString [
|
ExecStart = "${pkgs.tigervnc}/bin/x0vncserver ${toString [
|
||||||
"-display ${cfg.display}"
|
"-display ${cfg.display}"
|
||||||
"-passwordfile ${cfg.pwfile.path}"
|
"-passwordfile \${CREDENTIALS_DIRECTORY}/pwfile"
|
||||||
"-rfbport ${toString cfg.rfbport}"
|
"-rfbport ${toString cfg.rfbport}"
|
||||||
]}";
|
]}";
|
||||||
|
LoadCredential = "ssh_key:${cfg.pwfile}";
|
||||||
User = cfg.user.name;
|
User = cfg.user.name;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
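Review bot: The credential ID does not match its consumer: `LoadCredential = "ssh_key:${cfg.pwfile}"` exposes the file as `$CREDENTIALS_DIRECTORY/ssh_key`, but ExecStart passes `-passwordfile ${CREDENTIALS_DIRECTORY}/pwfile`, so x0vncserver will not find the password file (the `ssh_key` name looks copied from repo-sync). The line should read `LoadCredential = "pwfile:${cfg.pwfile}";`. The `\${CREDENTIALS_DIRECTORY}` form in ExecStart is expanded by systemd and is correct; the old copy at `${cfg.user.home}/.vncpasswd` is no longer managed and is not removed by this change.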