fix(ops/modules/quassel): use systemd LoadCredential to read certs

This avoids permission issues with nginx vs. quassel

Change-Id: I770f8284d8fd8fc6d38add93c1681f9daebe8749
Reviewed-on: https://cl.tvl.fyi/c/depot/+/8786
Reviewed-by: tazjin <tazjin@tvl.su>
Tested-by: BuildkiteCI
Vincent Ambo 2023-06-15 23:20:19 +03:00 committed by tazjin
parent e4fee75add
commit 2936a95efd


@ -55,7 +55,7 @@ in
"--port=${toString cfg.port}" "--port=${toString cfg.port}"
"--configdir=/var/lib/quassel" "--configdir=/var/lib/quassel"
"--require-ssl" "--require-ssl"
"--ssl-cert=/var/lib/acme/${cfg.acmeHost}/full.pem" "--ssl-cert=$CREDENTIALS_DIRECTORY/quassel.pem"
"--loglevel=${cfg.logLevel}" "--loglevel=${cfg.logLevel}"
]; ];
@ -64,6 +64,10 @@ in
User = "quassel"; User = "quassel";
Group = "quassel"; Group = "quassel";
StateDirectory = "quassel"; StateDirectory = "quassel";
# Avoid trouble with the ACME file permissions by using the
# systemd credentials feature.
LoadCredential = "quassel.pem:/var/lib/acme/${cfg.acmeHost}/full.pem";
}; };
}; };
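Review bot: systemd copies a `LoadCredential` source into the credentials directory when the unit starts, so with the added `LoadCredential` line quasselcore keeps using the certificate and key as they were at its last start, and an ACME renewal of `full.pem` is not seen until the service is restarted. Nothing in the visible hunks triggers that restart, so confirm it is wired up elsewhere (for example through the ACME cert's `reloadServices`); otherwise the core will eventually present an expired certificate. Separately, in the first hunk `$CREDENTIALS_DIRECTORY` is used unbraced inside a word, while systemd documents in-word substitution only for the `${VAR}` form. The opening of that argument list is outside the hunk, so it is inferred that it ends up in `ExecStart`; if it does, the `%d` specifier sidesteps the expansion question: `"--ssl-cert=%d/quassel.pem"`.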