{ config, lib, ... }: let cfg = config.bagel.services.ofborg; amqpHost = "amqp.forkos.org"; amqpPort = 5671; in { options.bagel.services.ofborg = with lib; { enable = mkEnableOption "ofborg coordinator"; }; config = lib.mkIf cfg.enable { services.rabbitmq = { enable = true; configItems = { "listeners.tcp" = "none"; "listeners.ssl.default" = builtins.toString amqpPort; "ssl_options.certfile" = "${config.security.acme.certs.${amqpHost}.directory}/cert.pem"; "ssl_options.keyfile" = "${config.security.acme.certs.${amqpHost}.directory}/key.pem"; }; }; security.acme.certs.${amqpHost} = { webroot = "/var/lib/acme/.challenges"; group = "rabbitmq"; }; services.nginx.enable = true; services.nginx.virtualHosts.${amqpHost}.locations."/.well-known/acme-challenge".root = "/var/lib/acme/.challenges"; systemd.services.rabbitmq.requires = ["acme-finished-${amqpHost}.target"]; networking.firewall.allowedTCPPorts = [ 80 443 amqpPort ]; }; }