feat(murmur): Add Mumble server

hosts/deertopia/configuration.nix

@@ -50,6 +50,7 @@
       syncthing.enable = true;
       cache.enable = true;
       mullvad.enable = true;
+      murmur.enable = true;
       servarr = {
         enable = true;
         prowlarr.enable = true;

modules/nixos/deertopia/murmur.nix

@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.sydnix.deertopia.murmur;
+in {
+  options = {
+    sydnix.deertopia.murmur = {
+      enable = lib.mkEnableOption "Deertopia's Murmur, a Mumble server";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    sydnix.impermanence.directories = [
+      "/var/lib/private/umurmur"
+    ];
+
+    # HACK: Allow uMurmur to use Nginx's certs.
+    systemd.services.umurmur.serviceConfig.SupplementaryGroups = [ "nginx" ];
+
+    services.umurmur = {
+      enable = true;
+      openFirewall = true;
+
+      settings = {
+        password = "onlydeer";
+        bindport = 64738; # Use default Murmur port, not uMurmur's.
+        welcometext = "🦌";
+
+        # Use files generated by Nix's Nginx module.
+        certificate = "/var/lib/acme/deertopia.net/fullchain.pem";
+        private_key = "/var/lib/acme/deertopia.net/key.pem";
+      };
+    };
+  };
+}

modules/nixos/impermanence.nix

@@ -69,6 +69,14 @@ in {
       name = cfg.persistGroupName;
     };
 
+    systemd.tmpfiles.settings."10-varlibprivate" = {
+      "/var/lib/private" = {
+        z.group = "root";
+        z.user = "root";
+        z.mode = "2700";
+      };
+    };
+
     # Permit members of `cfg.persistGroupName` to read, write, and execute
     # /persist.
     systemd.tmpfiles.settings."10-persist" = {