authorMax Audron <audron@cocaine.farm>2025-07-30 14:00:11 +0200
committerMax Audron <audron@cocaine.farm>2025-07-30 14:00:11 +0200
commit6d651b164f1e01be16c9120efd1bccdeceab34a8 (patch)
tree27da981f0fc9c219046009beb6172fb6ada0a154
parent4g ram for mc server (diff)
fix quassel ssl cert reload
-rw-r--r--modules/quassel/default.nix3
-rw-r--r--modules/quassel/quassel.nix32
2 files changed, 16 insertions, 19 deletions
diff --git a/modules/quassel/default.nix b/modules/quassel/default.nix
index 8961546..52880c8 100644
--- a/modules/quassel/default.nix
+++ b/modules/quassel/default.nix
@@ -19,6 +19,7 @@ in
services.quassel = {
enable = true;
package = quassel;
+ extraGroups = [ "acme" ];
settings = {
listen = [ "178.63.224.10" "2a01:4f8:231:56a::10" ];
dataDir = "/var/lib/quassel";
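Review bot: Adding the service's dynamic user to the `acme` group at `extraGroups = [ "acme" ];` grants read access to every certificate and private key that group can read under the ACME state directory, not only to `cocaine.farm`, if `acme` is the default group of the other certificates on this host. If more than one certificate is managed here, a narrower grant is a dedicated group on the one certificate, e.g. `security.acme.certs."cocaine.farm".group = "quassel-cert";` together with `extraGroups = [ "quassel-cert" ];`, so a compromised quasselcore exposes only the key it actually uses. The `security.acme.certs` block itself begins in the next hunk and runs past it, so whether a `group` is already set there is not visible.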
@@ -53,8 +54,6 @@ in
};
};
- # users.users.quassel.extraGroups = [ "acme" ];
-
security.acme.certs = {
"cocaine.farm" = {
reloadServices = [ "quassel" ];
diff --git a/modules/quassel/quassel.nix b/modules/quassel/quassel.nix
index e3eeac6..e8ef580 100644
--- a/modules/quassel/quassel.nix
+++ b/modules/quassel/quassel.nix
@@ -18,7 +18,7 @@ in
services.quassel = {
enable = mkEnableOption (lib.mdDoc "the Quassel IRC client daemon");
- package = lib.mkPackageOptionMD pkgs "quasselDaemon" { };
+ package = lib.mkPackageOption pkgs "quasselDaemon" { };
user = mkOption {
type = types.str;
@@ -30,6 +30,15 @@ in
'';
};
+ extraGroups = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = lib.mdDoc ''
+ Supplementary Groups that are assigned to the services DynamicUser.
+ Useful for e.g. access to acme certificates.
+ '';
+ };
+
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
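Review bot: The description of the new `extraGroups` option has a possessive typo ("services DynamicUser") and does not say what group membership implies, although the option exists precisely to hand the dynamic user access to files outside its own state directory; I would write `Supplementary groups assigned to the service's DynamicUser, e.g. "acme" to read ACME-managed certificates. Every file readable by such a group becomes readable by quasselcore, so prefer a group scoped to the certificate the service actually uses.` In the same commit the hunk above replaces `mkPackageOptionMD` with `mkPackageOption`, yet this description is still wrapped in `lib.mdDoc`; if the nixpkgs revision in use has retired the MD helpers, the plain `description = ''...'';` form is the consistent one. The enclosing `services.quassel` option set starts before this hunk and continues after it.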
@@ -174,11 +183,7 @@ in
type = types.nullOr types.path;
default = null;
description = lib.mdDoc ''
- Specify the path to the SSL certificate. Passed to quassel using systemd's LoadCredential.
-
- ::: {.note}
- Since this file is read by systemd, it may have permission 0400 and be owned by root.
- :::
+ Specify the path to the SSL certificate.
'';
};
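Review bot: Dropping the LoadCredential note leaves the `certFile` description silent on the new requirement that quasselcore opens this path itself as its `DynamicUser`, so a root-owned `0400` file — which the removed note explicitly permitted — now fails at startup or on reload rather than working. I would replace `Specify the path to the SSL certificate.` with `Specify the path to the SSL certificate. The file is read directly by quasselcore, so it must be readable by the service user (see the user and extraGroups options).` The enclosing `settings.ssl` option set begins before this hunk.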
@@ -186,11 +191,7 @@ in
type = types.nullOr types.path;
default = null;
description = lib.mdDoc ''
- Specify the path to the SSL key. Passed to quassel using systemd's LoadCredential.
-
- ::: {.note}
- Since this file is read by systemd, it may have permission 0400 and be owned by root.
- :::
+ Specify the path to the SSL key.
'';
};
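Review bot: The `keyFile` description now says nothing about permissions even though the key is the one file here that must stay private: it has to be readable by the service's dynamic user (directly or through a group listed in `extraGroups`) yet not by other local users, and the removed statement that a root-owned `0400` file is fine no longer holds. Suggested wording: `Specify the path to the SSL key. The key is opened by quasselcore itself, so it must be readable by the service user, e.g. via a supplementary group; keep it unreadable by other users (0640 with a dedicated group, never 0644).` The enclosing `settings` attrset starts before this hunk.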
};
@@ -464,16 +465,13 @@ in
# SSL
++ optional cfg.settings.ssl.required "--require-ssl"
- ++ optional (cfg.settings.ssl.certFile != null) "--ssl-cert=%d/certfile"
- ++ optional (cfg.settings.ssl.keyFile != null) "--ssl-key=%d/keyfile"
+ ++ optional (cfg.settings.ssl.certFile != null) "--ssl-cert=${cfg.settings.ssl.certFile}"
+ ++ optional (cfg.settings.ssl.keyFile != null) "--ssl-key=${cfg.settings.ssl.keyFile}"
));
- LoadCredential =
- optional (cfg.settings.ssl.certFile != null) "certfile:${cfg.settings.ssl.certFile}"
- ++ optional (cfg.settings.ssl.keyFile != null) "keyfile:${cfg.settings.ssl.keyFile}";
-
DynamicUser = true;
User = cfg.user;
+ SupplementaryGroups = cfg.extraGroups;
StateDirectory = "quassel";
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
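Review bot: Replacing `LoadCredential` with the direct paths in `--ssl-cert=${cfg.settings.ssl.certFile}` and `--ssl-key=${cfg.settings.ssl.keyFile}` gives up the property that the private key reached the service only through systemd's per-service credential directory; quasselcore now needs filesystem read access to the key for the lifetime of the process, and with `SupplementaryGroups = cfg.extraGroups` that access is normally as broad as the granted group rather than these two files. Presumably the motivation is that `kill -HUP $MAINPID` makes quasselcore re-read the certificate from disk while the copy under `%d` is taken once at service start, so a renewed certificate was never picked up; that reasoning is not recorded anywhere in the code and belongs in a comment above the SSL arguments, e.g. `# Pass the real paths rather than LoadCredential: the credential copy is fixed at start, so a HUP reload would re-read a stale certificate.` The `serviceConfig` attrset continues beyond this hunk on both sides, so any hardening options that would also need to allow reading these paths are not visible here.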