hosts/plover: update Wezterm mux server config

This should also fix the ACME certificate self-signed permissions error
since there is no `wezterm` group (or user). We're just using systemd's
dynamic user feature in our service.

hosts/plover/config/wezterm/config.lua

@@ -1,7 +1,7 @@
 return {
   tls_servers = {
-    pem_private_key = "@CERT_DIR@/key.pem",
+    pem_private_key = os.getenv("CREDENTIALS_DIRECTORY") .. "/key.pem",
-    pem_cert = "@CERT_DIR@/cert.pem",
+    pem_cert = os.getenv("CREDENTIALS_DIRECTORY") .. "/cert.pem",
-    pem_ca = "@CERT_DIR@/fullchain.pem",
+    pem_ca = os.getenv("CREDENTIALS_DIRECTORY") .. "/fullchain.pem",
   }
 }

hosts/plover/modules/services/wezterm-mux-server.nix

@@ -3,21 +3,26 @@
 # We're setting up Wezterm mux server with TLS domains.
 let
   weztermDomain = "mux.${config.networking.domain}";
-  configFile = pkgs.substituteAll {
-    src = ../../config/wezterm/config.lua;
-    CERT_DIR = config.security.acme.certs."${weztermDomain}".directory;
-  };
 in
 {
   services.wezterm-mux-server = {
-    inherit configFile;
     enable = true;
+    configFile = ../../config/wezterm/config.lua;
   };
 
-  security.acme.certs."${weztermDomain}" = {
+  systemd.services.wezterm-mux-server.serviceConfig = {
-    group = "wezterm";
+    LoadCredential = let
-    postRun = ''
+      certDir = config.security.acme.certs."${weztermDomain}".directory;
+      credentialCertPath = path: "${path}:${certDir}/${path}";
+    in
+    [
+      (credentialCertPath "key.pem")
+      (credentialCertPath "cert.pem")
+      (credentialCertPath "fullchain.pem")
+    ];
+  };
+
+  security.acme.certs."${weztermDomain}".postRun = ''
     systemctl restart wezterm-mux-server.service
   '';
-  };
 }