haccfiles/parsons/murmur.nix

{ config, lib, pkgs, ... }:

{
  services.murmur = {
    enable = true;
    logDays = -1;
    registerName = "hackers against climate change";
    welcometext = ''
      <br>Welcome to <b>mumble4future</b>!<br>Brought to you by <b style="color:red">infra4future</b>.<br>On <a href=https://mumble.hacc.space>mumble.hacc.space</a><br>Not confusing at all!
    '';
    sslKey = "/var/lib/acme/mumble.hacc.space/key.pem";
    sslCert = "/var/lib/acme/mumble.hacc.space/fullchain.pem";
    bandwidth = 128000;
  };

  networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
  networking.firewall.allowedUDPPorts = [ config.services.murmur.port ];

  # the mumble cert has its own group so that both nginx and murmur can read it
  users.groups.mumblecert = { };
  security.acme.certs."mumble.hacc.space" = {
    group = "mumblecert";
    extraDomainNames = [ "mumble.infra4future.de" ];
    reloadServices = [ "murmur" ];
  };
  users.users.nginx.extraGroups = [ "mumblecert" ];
  users.users.murmur.extraGroups = [ "mumblecert" ];

  hacc.bindToPersist = [ "/var/lib/murmur" ];
}