From b9aa3050d7a62c9f9699fa5b9c16ee67d7f8634d Mon Sep 17 00:00:00 2001
From: stuebinm
Date: Tue, 18 Jan 2022 09:08:27 +0100
Subject: [PATCH] fix mumble website

This does two things:
- add a group "mumblecert" which is allowed to read the mumble.hacc.space cert, and add both nginx and murmur's users to it
- remove the website's derivation from services/murmur.nix and instead add it to the websites/ dir and handle it the same as all our other sites
---
 nix/sources.json | 6 -----
 services/murmur.nix | 32 ++++----------------------
 websites/mumble.hacc.space/default.nix | 1 +
 3 files changed, 6 insertions(+), 33 deletions(-)
 create mode 100644 websites/mumble.hacc.space/default.nix
diff --git a/nix/sources.json b/nix/sources.json
index 7717bc6..528b4d9 100644
--- a/nix/sources.json
+++ b/nix/sources.json
@@ -37,12 +37,6 @@
 "url_template": "https://releases.mattermost.com//mattermost--linux-amd64.tar.gz",
 "version": "6.1.0"
 },
- "mumble-website": {
- "branch": "master",
- "repo": "https://gitlab.infra4future.de/hacc/infra4future/mumble.infra4future.de.git",
- "rev": "3a70bf8aa1f4bb56524d36153b84cfb538c4f787",
- "type": "git"
- },
 "niv": {
 "branch": "master",
 "description": "Easy dependency management for Nix projects",
diff --git a/services/murmur.nix b/services/murmur.nix
index e73fcdc..6ba6393 100644
--- a/services/murmur.nix
+++ b/services/murmur.nix
@@ -1,18 +1,5 @@
 { config, lib, pkgs, sources, ... }:
-let
- mumblesite = pkgs.stdenv.mkDerivation {
- name = "mumble.hacc.space-website";
- src = sources.mumble-website.outPath.outPath;
- buildPhase = ''
- ${pkgs.jekyll.outPath}/bin/jekyll build
- '';
- installPhase = ''
- mkdir -p $out
- cp -r _site/* $out
- '';
- };
-in
 {
 hexchen.bindmounts."/var/lib/murmur" = "/persist/var/lib/murmur";
@@ -28,18 +15,9 @@ in
 networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
 networking.firewall.allowedUDPPorts = [ config.services.murmur.port ];
-# services.nginx.virtualHosts =
-# let vhost = {
-# forceSSL = true;
-# enableACME = true;
-# root = mumblesite.outPath;
-# };
-# in {
-# "mumble.infra4future.de" = vhost;
-# "mumble.hacc.space" = vhost;
-# };
-
- # set ACLs so that the murmur user can read the certificates
- security.acme.certs."mumble.hacc.space".postRun = "${pkgs.acl}/bin/setfacl -Rm u:murmur:rX /var/lib/acme/mumble.hacc.space";
- security.acme.certs."mumble.hacc.space".group = "murmur";
+ # the mumble cert has its own group so that both nginx and murmur can read it
+ users.groups.mumblecert = {};
+ security.acme.certs."mumble.hacc.space".group = "mumblecert";
+ users.users.nginx.extraGroups = [ "mumblecert" ];
+ users.users.murmur.extraGroups = [ "mumblecert" ];
 }
diff --git a/websites/mumble.hacc.space/default.nix b/websites/mumble.hacc.space/default.nix
new file mode 100644
index 0000000..7427f74
--- /dev/null
+++ b/websites/mumble.hacc.space/default.nix
@@ -0,0 +1 @@
+import ../mumble.infra4future.de
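Review bot: In the services/murmur.nix hunk at `@@ -28,18 +15,9 @@`, dropping the `postRun` setfacl hook stops new ACL entries from being written but does not clear the `u:murmur:rX` entries it already applied under /var/lib/acme/mumble.hacc.space on hosts that ran the old configuration, so murmur's access there would not depend solely on `mumblecert` membership until those entries are removed. A one-off `setfacl -Rb /var/lib/acme/mumble.hacc.space` during rollout would make the new group the single access path. The added comment could also state what membership implies, presumably read access to the certificate's private key, for example `# members of mumblecert can read the mumble.hacc.space TLS key; keep this to nginx and murmur`. Whether murmur is reloaded after a renewal is not visible in this hunk and is worth confirming, since the removed hook did not do it either.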