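# NixOS module for the ofborg coordinator host.
#
# Declares `bagel.services.ofborg.enable`. When enabled it:
#   * runs RabbitMQ with a TLS listener on `amqpPort` and no plaintext listener,
#   * requests an ACME certificate for `amqpHost` through the webroot challenge,
#   * serves that challenge directory through nginx,
#   * opens the firewall for the challenge and the broker.
{ config, lib, ... }:

let
  cfg = config.bagel.services.ofborg;

  # Hostname and TLS port under which the broker is published.
  amqpHost = "amqp.forkos.org";
  amqpPort = 5671;
in {
  options.bagel.services.ofborg = with lib; {
    enable = mkEnableOption "ofborg coordinator";
  };

  config = lib.mkIf cfg.enable {
    services.rabbitmq = {
      enable = true;
      configItems = {
        # No plaintext AMQP listener: the broker is reachable over TLS only.
        "listeners.tcp" = "none";
        "listeners.ssl.default" = builtins.toString amqpPort;

        # Server certificate and key come from the ACME state directory for amqpHost.
        # NOTE(review): neither `ssl_options.verify` nor `ssl_options.fail_if_no_peer_cert`
        # is set here, so this config does not ask clients for a certificate; how clients
        # authenticate is decided outside this module. TLS protocol versions are also left
        # at the broker's defaults (`ssl_options.versions` is unset). Confirm both are intended.
        "ssl_options.certfile" = "${config.security.acme.certs.${amqpHost}.directory}/cert.pem";
        "ssl_options.keyfile" = "${config.security.acme.certs.${amqpHost}.directory}/key.pem";
      };
    };

    security.acme.certs.${amqpHost} = {
      webroot = "/var/lib/acme/.challenges";
      # Certificate files are owned by the rabbitmq group so the broker can read its key.
      group = "rabbitmq";
    };

    # nginx only serves the HTTP-01 challenge directory for amqpHost in this module.
    services.nginx.enable = true;
    services.nginx.virtualHosts.${amqpHost}.locations."/.well-known/acme-challenge".root =
      "/var/lib/acme/.challenges";

    # `requires` alone pulls the target in but does not order the units, so the
    # broker could start while the certificate is still being obtained. `after`
    # makes RabbitMQ wait until the ACME target for amqpHost has been reached.
    systemd.services.rabbitmq.requires = ["acme-finished-${amqpHost}.target"];
    systemd.services.rabbitmq.after = ["acme-finished-${amqpHost}.target"];

    # 80: ACME HTTP-01 challenge via nginx; amqpPort: TLS AMQP listener.
    # NOTE(review): 443 is opened as well, but nothing in this module configures
    # an HTTPS virtual host; confirm it is needed, otherwise drop it.
    networking.firewall.allowedTCPPorts = [ 80 443 amqpPort ];
  };
}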