From 36c609932792f2fba8c2a99b4e73625432749d73 Mon Sep 17 00:00:00 2001
From: Felix Buehler
Date: Sat, 23 Jul 2022 20:10:49 +0200
Subject: [PATCH] enable mumble with correct certs
---
 nixos/modules/service/mumble-server.nix | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/nixos/modules/service/mumble-server.nix b/nixos/modules/service/mumble-server.nix
index 4c39908..d2773fb 100644
--- a/nixos/modules/service/mumble-server.nix
+++ b/nixos/modules/service/mumble-server.nix
@@ -3,7 +3,22 @@
 services.murmur = {
 enable = true;
 welcometext = "Welcome to the Mumble-Server!";
- #sslKey = "";
- #sslCert = "";
+ sslCert = "/var/lib/acme/voice.buehler.rocks/fullchain.pem";
+ sslKey = "/var/lib/acme/voice.buehler.rocks/key.pem";
 };
+
+ services.nginx.virtualHosts."voice.buehler.rocks".enableACME = true;
+ security.acme.certs."voice.buehler.rocks" = {
+ group = "voice-buehler-rocks";
+ postRun = ''
+ if ${pkgs.systemd}/bin/systemctl is-active murmur.service; then
+ ${pkgs.systemd}/bin/systemctl kill -s SIGUSR1 murmur.service
+ fi
+ '';
+ };
+
+ users.groups."voice-buehler-rocks".members = [ "murmur" "nginx" ];
+
+ networking.firewall.allowedTCPPorts = [ config.services.murmur.port ];
+ networking.firewall.allowedUDPPorts = [ config.services.murmur.port ];
 }
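Review bot: Nothing in this hunk orders murmur.service after the certificate for voice.buehler.rocks, so on a first activation or after a failed issuance the `sslCert`/`sslKey` paths may not exist when murmur starts, and the `postRun` hook only signals a unit that is already active. What murmur does with unreadable paths is not visible here; confirm it cannot quietly come up with a self-signed certificate, and consider `systemd.services.murmur.after = [ "acme-finished-voice.buehler.rocks.target" ];` with a matching `wants`, assuming the deployed NixOS release provides that target. The two hard-coded `/var/lib/acme/...` strings could be derived instead, e.g. `sslKey = "${config.security.acme.certs."voice.buehler.rocks".directory}/key.pem";`, so the service follows the ACME module if the directory changes. The shared group also makes `key.pem` readable by nginx as well as murmur, which deserves a one-line comment stating why nginx needs it. The module's argument line lies outside the hunk, so whether `pkgs` and `config` are bound cannot be checked from here.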