ooklaserver: Cleanup

modules/ooklaserver/default.nix

@@ -3,13 +3,15 @@ let
   cfg = config.kyouma.ooklaserver;
 in {
   options = {
-    kyouma.ooklaserver = with lib; {
+    kyouma.ooklaserver = let 
-      enable = mkEnableOption "ookla speedtest server";
+      inherit (lib) mkOption types;
-      package = mkPackageOption pkgs "ooklaserver" {};
+    in {
+      enable = lib.mkEnableOption "ookla speedtest server";
+      package = lib.mkPackageOption pkgs "ooklaserver" {};
       domain = mkOption {
         description = "Domain to use.";
         default = null;
-        type = types.str;
+        type = with types; nullOr nonEmptyStr;
       };
       openFirewall = mkOption {
         description = "Whether to open the firewall for the specified ports.";
@@ -51,20 +53,19 @@ in {
     };
   };
   config = lib.mkIf cfg.enable {
-    users.users.ooklaserver = {
-      description = "OoklaServer User";
-      group = "ooklaserver";
-      createHome = false;
-      isSystemUser = true;
-    };
-    users.groups.ooklaserver = {};
     security.acme.certs.${cfg.domain} = {
-      group = "ooklaserver";
       reloadServices = [ "ooklaserver.service" ];
       webroot = "/var/lib/acme/acme-challenge";
     };
 
-    kyouma.ooklaserver.settings = with lib; {
+    networking.firewall = lib.mkIf cfg.openFirewall {
+      allowedUDPPorts = cfg.udpPorts;
+      allowedTCPPorts = cfg.tcpPorts;
+    };
+
+    kyouma.ooklaserver.settings = let
+      inherit (lib) mkDefault;
+    in {
       OoklaServer = {
         inherit (cfg) tcpPorts udpPorts;
         enableAutoUpdate = false;
@@ -89,8 +90,8 @@ in {
         http.maxHeadersSize = mkDefault 65536;
       };
       openSSL.server = {
-        certificateFile = "${config.security.acme.certs.${cfg.domain}.directory}/cert.pem";
+        certificateFile = "/run/credentials/${config.systemd.services.ooklaserver.name}/cert.pem";
-        privateKeyFile = "${config.security.acme.certs.${cfg.domain}.directory}/key.pem";
+        privateKeyFile = "/run/credentials/${config.systemd.services.ooklaserver.name}/key.pem";
         minimumTLSProtocol = mkDefault "1.2";
       };
       logging.loggers.app = {
@@ -102,10 +103,7 @@ in {
         level = mkDefault "information";
       };
     };
-    networking.firewall = lib.mkIf cfg.openFirewall {
+
-      allowedUDPPorts = cfg.udpPorts;
-      allowedTCPPorts = cfg.tcpPorts;
-    };
     systemd.services.ooklaserver = let 
       configFile = let
         anyToString = arg: if (lib.isBool arg) then
@@ -113,8 +111,8 @@ in {
         else if (lib.isList arg) then 
           lib.concatStringsSep "," (map (val: toString val) arg)
         else toString arg;
-
+      in
-      in with lib; lib.pipe cfg.settings [
+        with lib; lib.pipe cfg.settings [
         (mapAttrsRecursive (path: val: "${concatStringsSep "." path} = ${anyToString val}"))
         (collect isString)
         (concatLines)
@@ -132,9 +130,15 @@ in {
       serviceConfig = {
         Type = "simple";
         Restart = "always";
+
         User = "ooklaserver";
         Group = "ooklaserver";
+        DynamicUser = true;
 
+        LoadCredential = [
+          "cert.pem:${config.security.acme.certs.${cfg.domain}.directory}/cert.pem"
+          "key.pem:${config.security.acme.certs.${cfg.domain}.directory}/key.pem"
+        ];
         ExecStart = "${packageWithCfg}/bin/OoklaServer"; 
         WorkingDirectory = packageWithCfg;
         SyslogIdentifier = "ooklaserver";