authorVincent Ambo <mail@tazj.in>2023-06-15T20·20+0300
committertazjin <tazjin@tvl.su>2023-06-15T21·34+0000
commit2936a95efdc62d6dea053d57a56ad9206599db29 (patch)
tree70c566f8c2cca883403cfc11f47ff42bda6c706f /ops
parente4fee75add478176d3f535c5d301ab8f17ee4538 (diff)
fix(ops/modules/quassel): use systemd LoadCredential to read certs r/6317
This avoids permission issues with nginx vs. quassel

Change-Id: I770f8284d8fd8fc6d38add93c1681f9daebe8749
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8786
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Diffstat (limited to 'ops')
-rw-r--r--ops/modules/quassel.nix6
1 files changed, 5 insertions, 1 deletions
diff --git a/ops/modules/quassel.nix b/ops/modules/quassel.nix
index 275e2809d793..6acb0615f4c0 100644
--- a/ops/modules/quassel.nix
+++ b/ops/modules/quassel.nix
@@ -55,7 +55,7 @@ in
         "--port=${toString cfg.port}"
         "--configdir=/var/lib/quassel"
         "--require-ssl"
-        "--ssl-cert=/var/lib/acme/${cfg.acmeHost}/full.pem"
+        "--ssl-cert=$CREDENTIALS_DIRECTORY/quassel.pem"
         "--loglevel=${cfg.logLevel}"
       ];
 
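Review bot: The new argument `"--ssl-cert=$CREDENTIALS_DIRECTORY/quassel.pem"` relies on systemd expanding an unbraced variable in the middle of an ExecStart word, and on whatever quoting the enclosing argument list is joined with (the list's start is outside this hunk, so that cannot be checked here). The specifier form `"--ssl-cert=%d/quassel.pem"` resolves to the credentials directory at unit load time without depending on environment expansion or shell quoting, and needs no Nix escaping. Separately, LoadCredential snapshots the file when the service starts, so a renewed certificate at the ACME path is only picked up after a restart of quassel; the second hunk, which adds the LoadCredential line, is cut off at the end of the page, so I could not confirm that an ACME renewal hook restarts the service and a comment such as `# Credential is copied at start: restart on cert renewal.` would make that dependency visible.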
@@ -64,6 +64,10 @@ in
         User = "quassel";
         Group = "quassel";
         StateDirectory = "quassel";
+
+        # Avoid trouble with the ACME file permissions by using the
+        # systemd credentials feature.
+        LoadCredential = "quassel.pem:/var/lib/acme/${cfg.acmeHost}/full.pem";
       };
     };