authorSoispha <soispha@vhack.eu>2023-10-03 17:29:00 +0200
committerSoispha <soispha@vhack.eu>2023-10-03 18:08:45 +0200
commitc154fa39a7f68a17713eff260c45c4d23835feb1 (patch)
tree723ceae9d305fc0bb4056bf1d521355709654515 /system/services/murmur/default.nix
parentfeat(system/services/murmur): Initialize (diff)
fix(system/services/murmur): Allow murmur's user to read certs
Diffstat (limited to '')
-rw-r--r--system/services/murmur/default.nix26
1 files changed, 22 insertions, 4 deletions
diff --git a/system/services/murmur/default.nix b/system/services/murmur/default.nix
index 9c04db0..1dcd781 100644
--- a/system/services/murmur/default.nix
+++ b/system/services/murmur/default.nix
@@ -1,23 +1,41 @@
-{config, ...}: {
+{...}: let
+  murmurStore = "/var/lib/murmur";
+in {
   services.murmur = {
     enable = true;
     openFirewall = true;
     welcometext = ''
-      <b>You never get a second chance to make a first impression</b>
+      <b>You never get a second chance to make a first impression</b><br>
 
       The entire team of [name of the company] is thrilled to welcome you on board. We hope you’ll do some amazing work here!
     '';
-    sslKey = "${config.security.acme.certs.murmur.directory}/key.pem";
-    sslCert = "${config.security.acme.certs.murmur.directory}/fullchain.pem";
+    sslKey = "${murmurStore}/key.pem";
+    sslCert = "${murmurStore}/fullchain.pem";
 
     registerUrl = "vhack.eu";
     registerName = "vhack";
     registerHostname = "mumble.vhack.eu";
     hostName = "mumble.vhack.eu";
     clientCertRequired = true;
+    bandwidth = 7200000;
   };
 
   security.acme.certs.murmur = {
     domain = "mumble.vhack.eu";
+    postRun =
+      /*
+      bash
+      */
+      ''
+        set -x
+        rm "${murmurStore}/key.pem"
+        rm "${murmurStore}/fullchain.pem"
+
+        cp key.pem "${murmurStore}";
+        cp fullchain.pem "${murmurStore}";
+
+        chown murmur:murmur "${murmurStore}/key.pem"
+        chown murmur:murmur "${murmurStore}/fullchain.pem"
+      '';
   };
 }
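Review bot: The private key's permissions are never set explicitly in `postRun`: `cp key.pem "${murmurStore}"` creates the copy with whatever mode the source file and umask yield, and it is root-owned at its final path until the later `chown murmur:murmur` runs. Replacing each rm/cp/chown triple with `install -m 0400 -o murmur -g murmur key.pem "${murmurStore}/key.pem"` (and `-m 0444` for `fullchain.pem`) sets owner and mode in one step, and it also drops the bare `rm`, which fails on the first run when the files do not exist yet. If the aim is only read access, `security.acme.certs.murmur.group = "murmur";` would avoid keeping a second copy of the key on disk at all. Nothing in the hunk restarts or reloads murmur after the copy, so a renewed certificate is presumably not served until the next restart.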