engage secrix
Diffstat (limited to 'services/murmur.nix')
| -rw-r--r-- | services/murmur.nix | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/services/murmur.nix b/services/murmur.nix
new file mode 100644
index 0000000..ec8d2f3
--- /dev/null
+++ b/services/murmur.nix
@@ -0,0 +1,60 @@
+{ fqdn } :{ pkgs, config, self, ... }:
+let
+ certs = config.security.acme.certs;
+ certDirectory = "${certs.${fqdn}.directory}";
+ port = config.services.murmur.port;
+ dbfolder = "/persist/replicable/murmur/murmur.sqlite";
+in
+{
+ secrix.services.murmur = {
+ additionalRuntimeDirNames = [ "murmur" ];
+ forceRuntimeDirs = true;
+ secrets.murmursupass.encrypted.file = "${self}/secrets/murmursupass";
+ };
+
+
+ services.murmur = {
+ enable = true;
+ openFirewall = true;
+ welcometext = ''crashoverburn.com Mumble'';
+ users = 50;
+ textMsgLength = 10000;
+ imgMsgLength = 12000000;
+ bandwidth = 6400000;
+ clientCertRequired = true;
+ hostName = "${fqdn}";
+ registerHostname = "${fqdn}";
+ registerName = "crashoverburn.com";
+ sslCert = "${certDirectory}/fullchain.pem";
+ sslKey = "${certDirectory}/key.pem";
+ sslCa = "${certDirectory}/full.pem";
+ extraConfig = ''
+ database=${dbfolder}
+ '';
+ };
+
+
+ systemd.services.murmur.postStart = ''
+ ${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -supw "$(cat ${config.secrix.services.murmur.secrets.murmursupass.decrypted.path})"
+ '';
+ security.acme.certs.${fqdn} = {
+ group = "murmur-cert";
+ postRun = "systemctl restart murmur.service";
+ };
+ users.groups.murmur-cert.members = [ "murmur" "nginx" ];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts.${fqdn} = {
+ listenAddresses = [
+ "10.0.1.30"
+ ];
+ #useACMEHost = "crashoverburn.com";
+ enableACME = true;
+ forceSSL = true;
+ locations."/".return = "301 https://crashoverburn.com";
+ };
+ };
+}
+
+ |
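Review bot: The `postStart` script hands the SuperUser password to mumble-server as an argument (`-supw "$(cat …)"`), so the decrypted secrix secret sits in that process's command line and can be read from the process list by other local users while it runs. mumble-server can take the password on standard input instead: `${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -readsupw < ${config.secrix.services.murmur.secrets.murmursupass.decrypted.path}`. Separately, `sslCa` points at `full.pem`, which in the NixOS ACME layout is, as far as I know, the private key concatenated with the full chain; `chain.pem` looks like the intended file and avoids feeding key material to the CA setting. The `port` binding in the `let` block is unused, and `dbfolder` names a file rather than a folder, so `dbFile` would read more accurately.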
