From d00d6619e904d837e9aef515a84579b7fa193ac6 Mon Sep 17 00:00:00 2001
From: tv <tv@krebsco.de>
Date: Wed, 31 Aug 2022 03:39:12 +0200
Subject: tv ejabberd: admit multiple certfiles

---
 tv/3modules/ejabberd/default.nix | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

(limited to 'tv/3modules/ejabberd/default.nix')

diff --git a/tv/3modules/ejabberd/default.nix b/tv/3modules/ejabberd/default.nix
index 15736e1..d6573ad 100644
--- a/tv/3modules/ejabberd/default.nix
+++ b/tv/3modules/ejabberd/default.nix
@@ -15,9 +15,19 @@
 in {
   options.tv.ejabberd = {
     enable = mkEnableOption "tv.ejabberd";
-    certfile = mkOption {
-      type = types.absolute-pathname;
-      default = toString <secrets> + "/ejabberd.pem";
+    certfiles = mkOption {
+      type = types.listOf types.absolute-pathname;
+      default = [
+        (toString <secrets> + "/ejabberd.pem")
+      ];
+    };
+    credentials.certfiles = mkOption {
+      internal = true;
+      readOnly = true;
+      default =
+        imap
+          (i: const /* yaml */ "/tmp/credentials/certfile${toJSON i}")
+          cfg.certfiles;
     };
     hosts = mkOption {
       type = with types; listOf str;
@@ -92,9 +102,11 @@ in {
           "${cfg.pkgs.ejabberd}/bin/ejabberdctl stopped"
         ];
         ExecReload = "${cfg.pkgs.ejabberd}/bin/ejabberdctl reload_config";
-        LoadCredential = [
-          "certfile:${cfg.certfile}"
-        ];
+        LoadCredential =
+          zipListsWith
+            (dst: src: "${baseNameOf dst}:${src}")
+            cfg.credentials.certfiles
+            cfg.certfiles;
         LimitNOFILE = 65536;
         PrivateDevices = true;
         PrivateTmp = true;
-- 
cgit v1.2.3