fix(ops/modules/quassel): use systemd LoadCredential to read certs r/6317

This avoids permission issues with nginx vs. quassel Change-Id: I770f8284d8fd8fc6d38add93c1681f9daebe8749 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8786 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
author: Vincent Ambo <mail@tazj.in> 2023-06-15T20·20+0300
committer: tazjin <tazjin@tvl.su> 2023-06-15T21·34+0000
commit: 2936a95efdc62d6dea053d57a56ad9206599db29 (patch)
tree: 70c566f8c2cca883403cfc11f47ff42bda6c706f /ops
parent: e4fee75add478176d3f535c5d301ab8f17ee4538 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/ops/modules/quassel.nix b/ops/modules/quassel.nix
index 275e2809d793..6acb0615f4c0 100644
--- a/ops/modules/quassel.nix
+++ b/ops/modules/quassel.nix
@@ -55,7 +55,7 @@ in
         "--port=${toString cfg.port}"
         "--configdir=/var/lib/quassel"
         "--require-ssl"
-        "--ssl-cert=/var/lib/acme/${cfg.acmeHost}/full.pem"
+        "--ssl-cert=$CREDENTIALS_DIRECTORY/quassel.pem"
         "--loglevel=${cfg.logLevel}"
       ];
 
@@ -64,6 +64,10 @@ in
         User = "quassel";
         Group = "quassel";
         StateDirectory = "quassel";
+
+        # Avoid trouble with the ACME file permissions by using the
+        # systemd credentials feature.
+        LoadCredential = "quassel.pem:/var/lib/acme/${cfg.acmeHost}/full.pem";
       };
     };
author	Vincent Ambo <mail@tazj.in>	2023-06-15T20·20+0300
committer	tazjin <tazjin@tvl.su>	2023-06-15T21·34+0000
commit	2936a95efdc62d6dea053d57a56ad9206599db29 (patch)
tree	70c566f8c2cca883403cfc11f47ff42bda6c706f /ops
parent	e4fee75add478176d3f535c5d301ab8f17ee4538 (diff)