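# NixOS module: Mumble (murmur) voice server using the shared domain's ACME
# certificate, with both passwords supplied from agenix-managed secrets.
{ config, lib, ... }:
let
  svc_domain = config.mine.shared.settings.domain;
in
{
  services.murmur =
    let
      # Directory where the ACME module stores the certificate material for svc_domain.
      certLocation = config.security.acme.certs."${svc_domain}".directory;
    in
    {
      enable = true;
      # Opens the server's port(s) in the host firewall.
      openFirewall = true;
      sslCert = certLocation + "/fullchain.pem";
      # Private key; the murmur user reads it through the group membership set below.
      sslKey = certLocation + "/key.pem";
      # The join password is not written here: "$MURMUR_PASSWORD" is a placeholder
      # that is expected to be filled from environmentFile when the service
      # starts, so the real value stays out of the world-readable Nix store.
      environmentFile = config.age.secrets.murmur-env.path;
      password = "$MURMUR_PASSWORD";
      welcometext = "Welcome to Friclouds Mumble server!";
    };

  # Set the SuperUser password on every start from the agenix secret.
  # Only the secret's *path* is interpolated into the script; the value is fed
  # to -readsupw on stdin, so it appears neither in the Nix store nor in the
  # process argument list.
  # mkAfter appends this to the module's own preStart.
  # NOTE(review): presumably that preStart is what writes /run/murmur/murmurd.ini - confirm.
  systemd.services.murmur.preStart = lib.mkAfter ''
    ${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -readsupw < ${config.age.secrets.murmur-superpassword.path}
  '';

  # Reload the service automatically when the certificate is renewed.
  security.acme.certs."${svc_domain}".reloadServices = [ config.systemd.services.murmur.name ];

  # Add the murmur user to the domain group so it can read the certificate and key.
  # `members` takes user names, so reference the user rather than the group as
  # the original did; the two names only coincide with the module defaults.
  # NOTE(review): assumes the certificate's group is set to main-domain elsewhere - confirm.
  users.groups.main-domain.members = [ config.users.users.murmur.name ];

  # Both secrets are owned by the service user so that it can read them.
  # The file mode is not set here, so the agenix default applies.
  age.secrets = {
    murmur-env.owner = config.users.users.murmur.name;
    murmur-superpassword.owner = config.users.users.murmur.name;
  };

  # Keep the server's state directory in the persistent storage set.
  environment.persistence.root.directories = [ "/var/lib/murmur" ];
}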