Merge pull request 'clanModules/murmur: improve secret loading logic' (#2174) from kenji/clan-core:kenji-mumble-improvements into main

2024-09-26 14:45:00 +00:00
parent 1341bfca95 4f4777389b
commit 09c5850ae3
2 changed files with 23 additions and 10 deletions
--- a/checks/mumble/default.nix
+++ b/checks/mumble/default.nix
@@ -11,8 +11,6 @@
          {
            clan.core.clanDir = ./.;
            environment.systemPackages = [ pkgs.killall ];
-            services.murmur.sslKey = "/etc/mumble-key";
-            services.murmur.sslCert = "/etc/mumble-cert";
            clan.core.facts.services.mumble.secret."mumble-key".path = "/etc/mumble-key";
            clan.core.facts.services.mumble.public."mumble-cert".path = "/etc/mumble-cert";
          }
@@ -37,14 +35,14 @@
              "mumble-cert".source = ./peer_1/peer_1_test_cert;
            };
            systemd.tmpfiles.settings."vmsecrets" = {
-              "/etc/secrets/mumble-key" = {
+              "/var/lib/murmur/sslKey" = {
                C.argument = "${./peer_1/peer_1_test_key}";
                z = {
                  mode = "0400";
                  user = "murmur";
                };
              };
-              "/etc/secrets/mumble-cert" = {
+              "/var/lib/murmur/sslCert" = {
                C.argument = "${./peer_1/peer_1_test_cert}";
                z = {
                  mode = "0400";
@@ -52,8 +50,6 @@
                };
              };
            };
-            services.murmur.sslKey = "/etc/mumble-key";
-            services.murmur.sslCert = "/etc/mumble-cert";
            clan.core.facts.services.mumble.secret."mumble-key".path = "/etc/mumble-key";
            clan.core.facts.services.mumble.public."mumble-cert".path = "/etc/mumble-cert";
          }
@@ -71,14 +67,14 @@
              "mumble-cert".source = ./peer_2/peer_2_test_cert;
            };
            systemd.tmpfiles.settings."vmsecrets" = {
-              "/etc/secrets/mumble-key" = {
+              "/var/lib/murmur/sslKey" = {
                C.argument = "${./peer_2/peer_2_test_key}";
                z = {
                  mode = "0400";
                  user = "murmur";
                };
              };
-              "/etc/secrets/mumble-cert" = {
+              "/var/lib/murmur/sslCert" = {
                C.argument = "${./peer_2/peer_2_test_cert}";
                z = {
                  mode = "0400";
--- a/clanModules/mumble/default.nix
+++ b/clanModules/mumble/default.nix
@@ -41,8 +41,8 @@ in
      registerName = config.clan.core.machineName;
      openFirewall = true;
      bonjour = true;
-      sslKey = config.clan.core.facts.services.mumble.secret.mumble-key.path;
-      sslCert = config.clan.core.facts.services.mumble.public.mumble-cert.path;
+      sslKey = "/var/lib/murmur/sslKey";
+      sslCert = "/var/lib/murmur/sslCert";
    };

    clan.core.state.mumble.folders = [
@@ -54,6 +54,23 @@ in
      "d '/var/lib/mumble' 0770 '${config.clan.services.mumble.user}' 'users' - -"
    ];

+    systemd.tmpfiles.settings."murmur" = {
+      "/var/lib/murmur/sslKey" = {
+        C.argument = config.clan.core.facts.services.mumble.secret.mumble-key.path;
+        Z = {
+          mode = "0400";
+          user = "murmur";
+        };
+      };
+      "/var/lib/murmur/sslCert" = {
+        C.argument = config.clan.core.facts.services.mumble.public.mumble-cert.path;
+        Z = {
+          mode = "0400";
+          user = "murmur";
+        };
+      };
+    };
+
    environment.systemPackages =
      let
        mumbleCfgDir = "/var/lib/mumble";