Diffstat (limited to 'modules/quassel/quassel.nix')
| -rw-r--r-- | modules/quassel/quassel.nix | 32 |
1 files changed, 15 insertions, 17 deletions
diff --git a/modules/quassel/quassel.nix b/modules/quassel/quassel.nix
index e3eeac6..e8ef580 100644
--- a/modules/quassel/quassel.nix
+++ b/modules/quassel/quassel.nix
@@ -18,7 +18,7 @@ in
 services.quassel = {
 enable = mkEnableOption (lib.mdDoc "the Quassel IRC client daemon");
- package = lib.mkPackageOptionMD pkgs "quasselDaemon" { };
+ package = lib.mkPackageOption pkgs "quasselDaemon" { };
 user = mkOption {
 type = types.str;
@@ -30,6 +30,15 @@ in
 '';
 };
+ extraGroups = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ description = lib.mdDoc ''
+ Supplementary Groups that are assigned to the services DynamicUser.
+ Useful for e.g. access to acme certificates.
+ '';
+ };
+
 environmentFile = mkOption {
 type = types.nullOr types.path;
 default = null;
@@ -174,11 +183,7 @@ in
 type = types.nullOr types.path;
 default = null;
 description = lib.mdDoc ''
- Specify the path to the SSL certificate. Passed to quassel using systemd's LoadCredential.
-
- ::: {.note}
- Since this file is read by systemd, it may have permission 0400 and be owned by root.
- :::
+ Specify the path to the SSL certificate.
 '';
 };
@@ -186,11 +191,7 @@ in
 type = types.nullOr types.path;
 default = null;
 description = lib.mdDoc ''
- Specify the path to the SSL key. Passed to quassel using systemd's LoadCredential.
-
- ::: {.note}
- Since this file is read by systemd, it may have permission 0400 and be owned by root.
- :::
+ Specify the path to the SSL key.
 '';
 };
 };
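Review bot: The `keyFile` description in the last hunk on this line (and the `certFile` one before it) drops the permission note without saying what the file now needs. Judging from the rest of the commit, quasselcore opens the path itself, so a root-owned 0400 key would no longer be readable by the service. I would state the requirement in the option text, for example `The file must be readable by the service user, e.g. through a group listed in extraGroups.` The `extraGroups` description could also say that the daemon gains read access to everything that group can read, so a group dedicated to this certificate is preferable to a shared one. Because the option type is `types.path`, it may be worth adding that a path literal is copied into the world-readable Nix store when interpolated, and that a string path avoids this.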
@@ -464,16 +465,13 @@ in
 # SSL
 ++ optional cfg.settings.ssl.required "--require-ssl"
- ++ optional (cfg.settings.ssl.certFile != null) "--ssl-cert=%d/certfile"
- ++ optional (cfg.settings.ssl.keyFile != null) "--ssl-key=%d/keyfile"
+ ++ optional (cfg.settings.ssl.certFile != null) "--ssl-cert=${cfg.settings.ssl.certFile}"
+ ++ optional (cfg.settings.ssl.keyFile != null) "--ssl-key=${cfg.settings.ssl.keyFile}"
 ));
- LoadCredential =
- optional (cfg.settings.ssl.certFile != null) "certfile:${cfg.settings.ssl.certFile}"
- ++ optional (cfg.settings.ssl.keyFile != null) "keyfile:${cfg.settings.ssl.keyFile}";
-
 DynamicUser = true;
 User = cfg.user;
+ SupplementaryGroups = cfg.extraGroups;
 StateDirectory = "quassel";
 ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; |
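Review bot: With `LoadCredential` removed, the TLS private key is opened by the network-facing daemon under its own identity, and the access comes from `SupplementaryGroups = cfg.extraGroups`, which applies to the whole process rather than to the two files. Anyone who follows the option's own example and adds a shared certificate group gives quasselcore read access to every key that group can read, where the previous setup let the key stay root-owned. If the reason for the change is that the credential copy is not refreshed on `ExecReload` (my inference, the commit does not say), a comment above `SupplementaryGroups` such as `# cert/key are opened by quasselcore directly so a reload sees renewed files; they must be group-readable via extraGroups` would record the trade-off. The service configuration block starts and ends outside the hunk.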
