diff --git a/hosts/deertopia/configuration.nix b/hosts/deertopia/configuration.nix
index bd50c59..d42b3ab 100755
--- a/hosts/deertopia/configuration.nix
+++ b/hosts/deertopia/configuration.nix
@@ -50,6 +50,7 @@
 syncthing.enable = true;
 cache.enable = true;
 mullvad.enable = true;
+ murmur.enable = true;
 servarr = {
 enable = true;
 prowlarr.enable = true;
diff --git a/modules/nixos/deertopia/murmur.nix b/modules/nixos/deertopia/murmur.nix
new file mode 100644
index 0000000..79d90b7
--- /dev/null
+++ b/modules/nixos/deertopia/murmur.nix
@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.sydnix.deertopia.murmur;
+in {
+ options = {
+ sydnix.deertopia.murmur = {
+ enable = lib.mkEnableOption "Deertopia's Murmur, a Mumble server";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+
+ sydnix.impermanence.directories = [
+ "/var/lib/private/umurmur"
+ ];
+
+ # HACK: Allow uMurmur to use Nginx's certs.
+ systemd.services.umurmur.serviceConfig.SupplementaryGroups = [ "nginx" ];
+
+ services.umurmur = {
+ enable = true;
+ openFirewall = true;
+
+ settings = {
+ password = "onlydeer";
+ bindport = 64738; # Use default Murmur port, not uMurmur's.
+ welcometext = "🦌";
+
+ # Use files generated by Nix's Nginx module.
+ certificate = "/var/lib/acme/deertopia.net/fullchain.pem";
+ private_key = "/var/lib/acme/deertopia.net/key.pem";
+ };
+ };
+ };
+}
diff --git a/modules/nixos/impermanence.nix b/modules/nixos/impermanence.nix
index 286ce02..308b8b5 100755
--- a/modules/nixos/impermanence.nix
+++ b/modules/nixos/impermanence.nix
@@ -69,6 +69,14 @@ in {
 name = cfg.persistGroupName;
 };
 
+
+ systemd.tmpfiles.settings."10-varlibprivate" = {
+ "/var/lib/private" = {
+ z.group = "root";
+ z.user = "root";
+ z.mode = "2700";
+ };
+ };
+
 # Permit members of `cfg.persistGroupName` to read, write, and execute
 # /persist.
 systemd.tmpfiles.settings."10-persist" = {
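Review bot: `password = "onlydeer";` in the new `services.umurmur.settings` block is a plaintext, guessable credential committed to the repository, and since the NixOS module presumably renders these settings into a config file in the world-readable Nix store it will be visible to every local user of the host; with `openFirewall = true` it is the only thing gating a service exposed on port 64738. Keep the value out of the store by supplying it at runtime from a root-only file through whatever secrets mechanism this flake already uses, and choose a stronger one. `SupplementaryGroups = [ "nginx" ]` grants umurmur everything that is group-readable by nginx rather than just the two certificate files; adding the umurmur user to that certificate's own group under `security.acme.certs` would be a narrower grant. The comment `# Use files generated by Nix's Nginx module.` is also misleading, because `/var/lib/acme/...` is written by the ACME module, and umurmur will keep serving a stale certificate after renewal unless a restart is hooked onto that certificate's renewal.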
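Review bot: The new `10-varlibprivate` entry sets `z.mode = "2700"` on `/var/lib/private` but nothing explains the setgid bit; systemd's own tmpfiles default for this directory is plain 0700 root:root, and a setgid directory makes every state directory created beneath it start out group-owned by root. If the bit is not deliberate, `z.mode = "0700";` matches that default, and if it is, a comment should say why. Unlike the neighbouring `10-persist` entry this block has no why-comment at all; something like `# DynamicUser state lives under /var/lib/private, which systemd expects to be root-owned and private; reassert that in case the persisted bind mounts created it with wider permissions.` would do, though the second half is my guess at the motivation and should be confirmed. Note that `z` only adjusts a path that already exists, so if the directory can be absent when this runs, `d` would create it with the same ownership and mode. The enclosing attribute set begins and ends outside the hunk.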