| -rw-r--r-- | services/acme_server.nix | 2 | ||||
| -rw-r--r-- | services/cgit.nix | 37 | ||||
| -rw-r--r-- | services/murmur.nix | 37 |
3 files changed, 50 insertions, 26 deletions
diff --git a/services/acme_server.nix b/services/acme_server.nix
index a90ae74..5204da1 100644
--- a/services/acme_server.nix
+++ b/services/acme_server.nix
@@ -7,7 +7,7 @@ in
/* trigger the actual certificate generation for additional hostname */
security.acme.certs."${fqdn}" = {
- # extraDomainNames = [ "mail.crashoverburn.com"];
+ # extraDomainNames = [ "mail.crashoverburn.com"];
};
secrix.system.secrets.dns01.encrypted.file = ../secrets/gandi_dns01_token;
diff --git a/services/cgit.nix b/services/cgit.nix
index 72f94dc..e8e557e 100644
--- a/services/cgit.nix
+++ b/services/cgit.nix
@@ -22,6 +22,14 @@
};
};
+
+ systemd.services.uwsgi =
+ {
+ serviceConfig.ReadWritePaths = [
+ "/persist/cgit"
+ ];
+ };
+
services.gitolite = {
enable = true;
user = "git";
@@ -59,27 +67,26 @@
'';
};
};
- };
-
- systemd.services.create-cgit-cache = {
- description = "Create cache directory for cgit";
- enable = true;
- wantedBy = [ "uwsgi.service" ];
- serviceConfig = {
- type = "oneshot";
};
- script = ''
- mkdir -p /run/cgit
- chmod -R 660 /run/cgit
- chown -R public:nginx /run/cgit
- '';
- };
+ systemd.services.create-cgit-cache = {
+ description = "Create cache directory for cgit";
+ enable = true;
+ wantedBy = [ "uwsgi.service" ];
+ serviceConfig = {
+ type = "oneshot";
+ };
+ script = ''
+ mkdir -p /persist/cgit
+ chmod -R 750 /persist/cgit
+ chown -R public:nginx /persist/cgit
+ '';
+ };
environment.etc."cgitrc".text = ''
virtual-root=/
cache-size=1000
- cache-root=/run/cgit
+ cache-root=/persist/cgit
root-title=~/projects
root-desc=You got overburned, now face the ${fqdn}
diff --git a/services/murmur.nix b/services/murmur.nix
index a0a5d80..fb338e3 100644
--- a/services/murmur.nix
+++ b/services/murmur.nix
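Review bot: `serviceConfig.ReadWritePaths = [ "/persist/cgit" ]` on the uwsgi unit only grants or restricts anything if the same unit also carries `ProtectSystem=strict` (or `ReadOnlyPaths`); on its own it is a no-op, so whether this actually confines uwsgi depends on the upstream uwsgi module's hardening, which is not visible in this hunk. If the module does not set it, add `serviceConfig.ProtectSystem = "strict";` next to the new entry; if it does, a comment such as `# needed because the uwsgi module sets ProtectSystem=strict` would tell the next reader why the entry exists. The enclosing attribute set begins before this hunk.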
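Review bot: `create-cgit-cache` is only `wantedBy` uwsgi.service and has no `before = [ "uwsgi.service" ]`, so systemd may start uwsgi before the cache directory exists on a fresh host; and `serviceConfig.type` is lower-case while systemd unit keys are case-sensitive, so `Type=oneshot` is most likely not applied and the unit falls back to `Type=simple`. Add `before = [ "uwsgi.service" ];` and rename the key to `serviceConfig.Type = "oneshot";`. A recursive `chown -R`/`chmod -R` over a persistent cache tree on every start is also heavier than the job needs: a single `systemd.tmpfiles.rules = [ "d /persist/cgit 0750 public nginx -" ];` creates the directory with the intended mode without walking its contents. The closing `};` lines at the top of the hunk and `environment.etc."cgitrc"` at the bottom belong to definitions that start or end outside it.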
@@ -13,16 +13,27 @@ in
};
systemd.services.create-murmur-database = {
- description = "Create cache directory for cgit";
+ description = "Create database directory for mumble";
enable = true;
wantedBy = [ "murmur.service" ];
serviceConfig = {
type = "oneshot";
};
script = ''
- mkdir -p /persist/replicable/murmur/
- chmod -R 755 /persist/replicable/murmur/
- chown -R murmur:murmur /persist/replicable/murmur/
+ mkdir -p /persist/replicable/murmur
+ chown -R murmur:murmur /persist/replicable/murmur
+ chmod 755 /persist/replicable/murmur
+
+ # Critical: parent dir must allow murmur to create WAL/SHM files
+ mkdir -p /persist/replicable
+ chown murmur:murmur /persist/replicable
+ chmod 755 /persist/replicable
+
+ DB="/persist/replicable/murmur/murmur.sqlite"
+ if [ -f "$DB" ]; then
+ chown murmur:murmur "$DB"
+ chmod 640 "$DB"
+ fi
'';
};
@@ -38,18 +49,24 @@ in
hostName = "10.0.1.30";
# registerHostname = "${fqdn}";
#registerName = "crashoverburn.com";
- sslCert = "${certDirectory}/fullchain.pem";
- sslKey = "${certDirectory}/key.pem";
- sslCa = "${certDirectory}/chain.pem";
+ sslCert = "${certDirectory}/cert.pem"; # ← leaf certificate only
+ sslKey = "${certDirectory}/key.pem"; # private key
+ sslCa = "${certDirectory}/chain.pem"; # intermediates (optional but recommended)
extraConfig = ''
database=${dbfolder}
'';
};
- systemd.services.murmur.postStart = ''
- ${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -supw "$(cat ${config.secrix.services.murmur.secrets.murmursupass.decrypted.path})"
- '';
+ systemd.services.murmur =
+ {
+ postStart = ''
+ ${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -supw "$(cat ${config.secrix.services.murmur.secrets.murmursupass.decrypted.path})"
+ '';
+ serviceConfig.ReadWritePaths = [
+ "/persist/replicable/murmur"
+ ];
+ };
security.acme.certs.${fqdn} = {
#useACMEHost = "crashoverburn.com";
group = "murmur-cert"; |
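Review bot: The new `chown murmur:murmur /persist/replicable` gives the murmur service user ownership of the parent tree, which the path name suggests holds other persisted state as well; anything that compromises murmur could then rename or remove sibling directories. The comment's justification does not hold: SQLite creates its `-wal` and `-shm` files next to the database file, i.e. inside `/persist/replicable/murmur`, which the script already chowns to murmur, so the parent only needs search permission for that user. Drop the `chown murmur:murmur /persist/replicable` line and keep `mkdir -p /persist/replicable` plus `chmod 755 /persist/replicable`. Separately, `serviceConfig.type` is lower-case (systemd keys are case-sensitive, so `Type=oneshot` is probably not applied) and there is no `before = [ "murmur.service" ]`, so ordering against murmur is not guaranteed; `serviceConfig.Type = "oneshot";` and `before = [ "murmur.service" ];` fix both. The hunk's leading `};` closes a definition that begins outside it.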
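Review bot: The moved `postStart` still passes the SuperUser password on the command line via `-supw "$(cat …)"`, which exposes the secret in `/proc/<pid>/cmdline` to every local user for as long as that invocation runs. mumble-server accepts `-readsupw` to take the password from stdin, so the line can become `${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -readsupw < ${config.secrix.services.murmur.secrets.murmursupass.decrypted.path}`. Switching `sslCert` from `fullchain.pem` to `cert.pem` and relying on `sslCa = chain.pem` assumes Murmur sends the `sslCa` file as the chain in the TLS handshake rather than using it only as a trust store; confirm that against the murmur.ini documentation for the packaged version, since the previous `fullchain.pem` did not depend on it. The added `serviceConfig.ReadWritePaths` likewise only restricts anything if the unit also has `ProtectSystem=strict`, which is not visible in this hunk.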
