haccfiles/services/murmur.nix

{ config, lib, pkgs, sources, ... }:

let
  mumblesite = pkgs.stdenv.mkDerivation {
    name = "mumble.hacc.space-website";
    src = sources.mumble-website.outPath.outPath;
    buildPhase = ''
      ${pkgs.jekyll.outPath}/bin/jekyll build
    '';
    installPhase = ''
      mkdir -p $out
      cp -r _site/* $out
    '';
  };
in
{
  hexchen.bindmounts."/var/lib/murmur" = "/persist/var/lib/murmur";

  services.murmur = {
    enable = true;
    logDays = -1;
    welcometext = "Welcome to mumble4future! Brought to you by infra4future. The server is now reachable under mumble.hacc.space, please update your bookmarks.";
    sslKey = "/var/lib/acme/mumble.hacc.space/key.pem";
    sslCert = "/var/lib/acme/mumble.hacc.space/fullchain.pem";
    bandwidth = 128000;
  };

  networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
  networking.firewall.allowedUDPPorts = [ config.services.murmur.port ];

#  services.nginx.virtualHosts =
#    let  vhost = {
#      forceSSL = true;
#      enableACME = true;
#      root = mumblesite.outPath;
#    };
#  in {
#    "mumble.infra4future.de" = vhost;
#    "mumble.hacc.space" = vhost;
#  };

  # set ACLs so that the murmur user can read the certificates
  security.acme.certs."mumble.hacc.space".postRun = "${pkgs.acl}/bin/setfacl -Rm u:murmur:rX /var/lib/acme/mumble.hacc.space";
  security.acme.certs."mumble.hacc.space".group = "murmur";
}