stuebinm
b9aa3050d7
This does two things: - add a group "mumblecert" which is allowed to read the mumble.hacc.space cert, and add both nginx and murmur's users to it - remove the website's derivation from services/murmur.nix and instead add it to the websites/ dir and handle it the same as all our other sites
23 lines
909 B
Nix
23 lines
909 B
Nix
{ config, lib, pkgs, sources, ... }:
|
|
|
|
{
|
|
hexchen.bindmounts."/var/lib/murmur" = "/persist/var/lib/murmur";
|
|
|
|
services.murmur = {
|
|
enable = true;
|
|
logDays = -1;
|
|
welcometext = "Welcome to mumble4future! Brought to you by infra4future. The server is now reachable under mumble.hacc.space, please update your bookmarks.";
|
|
sslKey = "/var/lib/acme/mumble.hacc.space/key.pem";
|
|
sslCert = "/var/lib/acme/mumble.hacc.space/fullchain.pem";
|
|
bandwidth = 128000;
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
|
|
networking.firewall.allowedUDPPorts = [ config.services.murmur.port ];
|
|
|
|
# the mumble cert has its own group so that both nginx and murmur can read it
|
|
users.groups.mumblecert = {};
|
|
security.acme.certs."mumble.hacc.space".group = "mumblecert";
|
|
users.users.nginx.extraGroups = [ "mumblecert" ];
|
|
users.users.murmur.extraGroups = [ "mumblecert" ];
|
|
}
|