engage secrix
Diffstat (limited to 'services')
| -rw-r--r-- | services/cgit.nix | 51 | ||||
| -rw-r--r-- | services/mailserver.nix | 2 | ||||
| -rw-r--r-- | services/murmur.nix | 60 |
3 files changed, 102 insertions, 11 deletions
diff --git a/services/cgit.nix b/services/cgit.nix index a7795ac..fcfa77f 100644 --- a/services/cgit.nix +++ b/services/cgit.nix @@ -1,10 +1,10 @@ -{ pkgs, fqdn, ... }: +{ fqdn } :{ pkgs, ... }: { services.uwsgi = { enable = true; user = "public"; - group = "users"; - plugins = [ "cgi" ]; + group = "nginx"; + plugins = [ "cgi" "python3" ]; instance = { type = "emperor"; @@ -13,6 +13,7 @@ type = "normal"; master = "true"; socket = "/run/uwsgi/cgit.sock"; + chmod-socket = 664; procname-master = "uwsgi cgit"; plugins = [ "cgi" ]; cgi = "${pkgs.cgit}/cgit/cgit.cgi"; @@ -34,11 +35,12 @@ users.extraUsers.public = { + extraGroups = [ "git" "nginx"]; isSystemUser = true; - group = "git"; + group = "users"; }; - services.nginx.virtualHosts."code.${fqdn}" = { + services.nginx.virtualHosts."${fqdn}" = { addSSL = true; enableACME = true; root = "${pkgs.cgit}/cgit"; @@ -53,6 +55,7 @@ uwsgi_pass unix:/run/uwsgi/cgit.sock; include ${pkgs.nginx}/conf/uwsgi_params; uwsgi_modifier1 9; + uwsgi_read_timeout 600; ''; }; }; @@ -66,8 +69,9 @@ type = "oneshot"; }; script = '' - mkdir /run/cgit - chown -R public:users /run/cgit + mkdir -p /run/cgit + chmod -R 660 /run/cgit + chown -R public:nginx /run/cgit ''; }; @@ -78,11 +82,11 @@ cache-root=/run/cgit root-title=~/projects - root-desc=code.${fqdn} - footer= + root-desc=You got overburned, now face the ${fqdn} + footer=CrashOverBurn reserves all rights to everything. enable-index-owner=0 - enable-http-clone=1 + enable-http-clone=0 noplainemail=1 max-atom-items=50 
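Review bot: The `"python3"` plugin added to `services.uwsgi.plugins` in the first hunk is, as far as the diff shows, never loaded: the cgit vassal in the next hunk still lists `plugins = [ "cgi" ];`, and cgit's `syntax-highlighting.py` filter is executed by cgit as a separate process rather than inside uwsgi's interpreter, so it does not need the plugin either. Unless another vassal outside this file needs it, keep the uwsgi build at `plugins = [ "cgi" ];` to avoid compiling in an interpreter nothing uses. As a point of style, the new curried header `{ fqdn } :{ pkgs, ... }:` would normally be written `{ fqdn }: { pkgs, ... }:`.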
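Review bot: Adding `"nginx"` to `users.extraUsers.public.extraGroups` widens what the cgit CGI can read (anything group-readable by `nginx`) without being needed for the socket: the uwsgi process already runs with `group = "nginx"` from the first hunk, and `chmod-socket = 664` gives the nginx group the write bit it needs to connect, so the `public` user's supplementary groups do not come into play. The switch of its primary group from `git` to `users` also puts the CGI in the group shared with interactive accounts, while the later `/run/cgit` hunk now chowns to `public:nginx` and no longer relies on `users`. I would keep `group = "git";` (or a dedicated group) and `extraGroups = [ "git" ];`, then confirm nginx still connects through the socket. Note also that the vhost moves from `code.${fqdn}` to `${fqdn}` while `services/murmur.nix` in this same commit declares `virtualHosts.${fqdn}`; if both modules are ever called with the same `fqdn` the two definitions merge into one vhost, which is presumably not intended.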
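Review bot: `chmod -R 660 /run/cgit` strips the execute (search) bit from the cache directory, so the owner `public` cannot create or open files inside it and cgit's `cache-root=/run/cgit` silently stops caching; directories need `7`/`5`, not `6`. The three lines can be replaced by a single `install -d -m 0750 -o public -g nginx /run/cgit`, which is idempotent on the tmpfs at each start and gives the cgit process full access while the nginx group only reads. If nothing in nginx actually reads the cache (cgit serves it itself through uwsgi), `-m 0700 -g public` would be the least-privilege choice; I cannot tell from this file whether nginx touches the cache.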
@@ -93,6 +97,33 @@ snapshots=all readme=master:README.md + readme=:readme.md + readme=:README.mkd + readme=:readme.mkd + readme=:README.rst + readme=:readme.rst + readme=:README.html + readme=:readme.html + readme=:README.htm + readme=:readme.htm + readme=:README.txt + readme=:readme.txt + readme=:README + readme=:readme + readme=:INSTALL.md + readme=:install.md + readme=:INSTALL.mkd + readme=:install.mkd + readme=:INSTALL.rst + readme=:install.rst + readme=:INSTALL.html + readme=:install.html + readme=:INSTALL.htm + readme=:install.htm + readme=:INSTALL.txt + readme=:install.txt + readme=:INSTALL + readme=:install source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh diff --git a/services/mailserver.nix b/services/mailserver.nix index 7d6f1d8..3bd75a4 100644 --- a/services/mailserver.nix +++ b/services/mailserver.nix @@ -1,4 +1,4 @@ -{ pkgs, hashedPasswordFile, ... }: +{ hashedPasswordFile } :{ pkgs,... }: { mailserver = { fqdn = "mail.crashoverburn.com"; diff --git a/services/murmur.nix b/services/murmur.nix new file mode 100644 index 0000000..ec8d2f3 --- /dev/null +++ b/services/murmur.nix 
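Review bot: The new `readme=:README.html`, `readme=:readme.html`, `readme=:README.htm`, `readme=:readme.htm`, `readme=:INSTALL.html` and `readme=:install.html` entries are rendered by the `about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh` at the end of the hunk, which, for `.htm`/`.html` inputs, passes the file through unmodified; repository-controlled HTML therefore ends up inline in cgit's pages on the `${fqdn}` origin. If anyone other than the operator can push to these repositories that is a stored cross-site scripting path into the site. I would drop the `.html`/`.htm` entries, or route them through a sanitising filter, and keep the markdown/rst/txt candidates which the filter converts. The rest of the list (INSTALL variants, case duplicates) is harmless but could be trimmed to the names actually in use.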
@@ -0,0 +1,60 @@
+{ fqdn } :{ pkgs, config, self, ... }:
+let
+ certs = config.security.acme.certs;
+ certDirectory = "${certs.${fqdn}.directory}";
+ port = config.services.murmur.port;
+ dbfolder = "/persist/replicable/murmur/murmur.sqlite";
+in
+{
+ secrix.services.murmur = {
+ additionalRuntimeDirNames = [ "murmur" ];
+ forceRuntimeDirs = true;
+ secrets.murmursupass.encrypted.file = "${self}/secrets/murmursupass";
+ };
+
+
+ services.murmur = {
+ enable = true;
+ openFirewall = true;
+ welcometext = ''crashoverburn.com Mumble'';
+ users = 50;
+ textMsgLength = 10000;
+ imgMsgLength = 12000000;
+ bandwidth = 6400000;
+ clientCertRequired = true;
+ hostName = "${fqdn}";
+ registerHostname = "${fqdn}";
+ registerName = "crashoverburn.com";
+ sslCert = "${certDirectory}/fullchain.pem";
+ sslKey = "${certDirectory}/key.pem";
+ sslCa = "${certDirectory}/full.pem";
+ extraConfig = ''
+ database=${dbfolder}
+ '';
+ };
+
+
+ systemd.services.murmur.postStart = ''
+ ${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -supw "$(cat ${config.secrix.services.murmur.secrets.murmursupass.decrypted.path})"
+ '';
+ security.acme.certs.${fqdn} = {
+ group = "murmur-cert";
+ postRun = "systemctl restart murmur.service";
+ };
+ users.groups.murmur-cert.members = [ "murmur" "nginx" ];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts.${fqdn} = {
+ listenAddresses = [
+ "10.0.1.30"
+ ];
+ #useACMEHost = "crashoverburn.com";
+ enableACME = true;
+ forceSSL = true;
+ locations."/".return = "301 https://crashoverburn.com";
+ };
+ };
+}
+
+
|
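Review bot: The `postStart` line passes the decrypted SuperUser password on the command line via `-supw "$(cat …)"`, which exposes it to every local user through `/proc/<pid>/cmdline` (and `ps`) for as long as the helper runs, undoing the point of keeping it in a secrix-managed file. mumble-server accepts the password on stdin instead, so the line should become `${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -readsupw < ${config.secrix.services.murmur.secrets.murmursupass.decrypted.path}`. Separately, the `port = config.services.murmur.port;` binding in the `let` block is never referenced and should be dropped, and `hostName = "${fqdn}";` / `registerHostname = "${fqdn}";` can simply be `fqdn`. The nginx vhost binds only `10.0.1.30` while setting `enableACME = true`; that only works if the HTTP-01 challenge on port 80 is forwarded to that private address, which this file cannot show.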
