fix(ops/modules/quassel): use systemd LoadCredential to read certs
This avoids permission issues with nginx vs. quassel Change-Id: I770f8284d8fd8fc6d38add93c1681f9daebe8749 Reviewed-on: https://cl.tvl.fyi/c/depot/+/8786 Reviewed-by: tazjin <tazjin@tvl.su> Tested-by: BuildkiteCI
parent
e4fee75add
commit
2936a95efd
1 changed files with 5 additions and 1 deletions
|
@ -55,7 +55,7 @@ in
|
||||||
"--port=${toString cfg.port}"
|
"--port=${toString cfg.port}"
|
||||||
"--configdir=/var/lib/quassel"
|
"--configdir=/var/lib/quassel"
|
||||||
"--require-ssl"
|
"--require-ssl"
|
||||||
"--ssl-cert=/var/lib/acme/${cfg.acmeHost}/full.pem"
|
"--ssl-cert=$CREDENTIALS_DIRECTORY/quassel.pem"
|
||||||
"--loglevel=${cfg.logLevel}"
|
"--loglevel=${cfg.logLevel}"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
@ -64,6 +64,10 @@ in
|
||||||
User = "quassel";
|
User = "quassel";
|
||||||
Group = "quassel";
|
Group = "quassel";
|
||||||
StateDirectory = "quassel";
|
StateDirectory = "quassel";
|
||||||
|
|
||||||
|
# Avoid trouble with the ACME file permissions by using the
|
||||||
|
# systemd credentials feature.
|
||||||
|
LoadCredential = "quassel.pem:/var/lib/acme/${cfg.acmeHost}/full.pem";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
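Review bot: `LoadCredential` in the second hunk copies `full.pem` into the credentials directory only when the unit starts, so after an ACME renewal the daemon keeps serving the old certificate until the service is restarted, and nothing visible in this change ties a restart to renewal. If the rest of the module does not already handle that, add this unit to the certificate's `security.acme.certs.<name>.reloadServices` list, and extend the new comment to say so, e.g. `# Copied at unit start only; restart the service after certificate renewal.` Since `full.pem` presumably bundles the private key with the chain, it is also worth checking whether the `quassel` user still has a group membership or ACL that was only there to read `/var/lib/acme`, and dropping it. In the first hunk, `$CREDENTIALS_DIRECTORY` is expanded only if the argument list ends up in a shell script; the consumer of the list is outside the hunk, and if it feeds `ExecStart=` directly, systemd substitutes a variable inside a word only in the braced form, written `\${CREDENTIALS_DIRECTORY}` in a Nix string.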