From 187b32e7bb81e485e3d9806011faee494ac9fdaa Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Thu, 27 Jul 2023 13:36:05 +0800
Subject: [PATCH] hosts/plover: update Wezterm mux server config
This should also fix the ACME certificate self-signed permissions error since there is no `wezterm` group (or user). We're just using systemd's dynamic user feature in our service.
---
 hosts/plover/config/wezterm/config.lua | 6 ++---
 .../modules/services/wezterm-mux-server.nix | 25 +++++++++++--------
 2 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/hosts/plover/config/wezterm/config.lua b/hosts/plover/config/wezterm/config.lua
index 6c475549..cb00a9fd 100644
--- a/hosts/plover/config/wezterm/config.lua
+++ b/hosts/plover/config/wezterm/config.lua
@@ -1,7 +1,7 @@
 return {
 tls_servers = {
- pem_private_key = "@CERT_DIR@/key.pem",
- pem_cert = "@CERT_DIR@/cert.pem",
- pem_ca = "@CERT_DIR@/fullchain.pem",
+ pem_private_key = os.getenv("CREDENTIALS_DIRECTORY") .. "/key.pem",
+ pem_cert = os.getenv("CREDENTIALS_DIRECTORY") .. "/cert.pem",
+ pem_ca = os.getenv("CREDENTIALS_DIRECTORY") .. "/fullchain.pem",
 }
 }
diff --git a/hosts/plover/modules/services/wezterm-mux-server.nix b/hosts/plover/modules/services/wezterm-mux-server.nix
index 8f7a7d3e..0d61f969 100644
--- a/hosts/plover/modules/services/wezterm-mux-server.nix
+++ b/hosts/plover/modules/services/wezterm-mux-server.nix
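Review bot: Each of the three added `os.getenv("CREDENTIALS_DIRECTORY")` calls yields nil when the variable is unset, so the `..` concatenation aborts with a generic "attempt to concatenate a nil value" instead of saying what is missing; the file is now only loadable under a systemd unit that provides the credentials directory. Read the variable once with an explicit failure, `local cred_dir = os.getenv("CREDENTIALS_DIRECTORY")` followed by `or error("CREDENTIALS_DIRECTORY is unset; this config expects systemd LoadCredential")`, and build the three paths from `cred_dir`. A one-line header comment stating that key.pem, cert.pem and fullchain.pem are supplied by the NixOS service's LoadCredential would also help, since the `@CERT_DIR@` substitution that hinted at where the files come from is gone.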
@@ -3,21 +3,26 @@
 # We're setting up Wezterm mux server with TLS domains.
 let
 weztermDomain = "mux.${config.networking.domain}";
- configFile = pkgs.substituteAll {
- src = ../../config/wezterm/config.lua;
- CERT_DIR = config.security.acme.certs."${weztermDomain}".directory;
- };
 in
 {
 services.wezterm-mux-server = {
- inherit configFile;
 enable = true;
+ configFile = ../../config/wezterm/config.lua;
 };
- security.acme.certs."${weztermDomain}" = {
- group = "wezterm";
- postRun = ''
- systemctl restart wezterm-mux-server.service
- '';
+ systemd.services.wezterm-mux-server.serviceConfig = {
+ LoadCredential = let
+ certDir = config.security.acme.certs."${weztermDomain}".directory;
+ credentialCertPath = path: "${path}:${certDir}/${path}";
+ in
+ [
+ (credentialCertPath "key.pem")
+ (credentialCertPath "cert.pem")
+ (credentialCertPath "fullchain.pem")
+ ];
 };
+
+ security.acme.certs."${weztermDomain}".postRun = ''
+ systemctl restart wezterm-mux-server.service
+ '';
 }
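Review bot: The new `LoadCredential` list resolves the three files under `certDir` when the unit starts, so if wezterm-mux-server comes up before the ACME certificate has been issued (first deploy, or no files left after a failed renewal) the unit fails to start rather than the TLS listener failing later, and the hunk adds no ordering against the ACME units. Consider adding `after`/`wants` on the certificate's finished target (the NixOS ACME module provides an `acme-finished-<cert>.target` per certificate; confirm the name against the module version in use) so the mux server waits for issuance. The kept `postRun` restart still covers renewals, since credentials are re-read on restart. The comment on the first context line could also record the reason for this design, per the commit description: `# Certificates are passed in via systemd LoadCredential because the service runs with a dynamic user and has no static group to own the ACME files.`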