Diffstat (limited to 'services/murmur.nix')
-rw-r--r--services/murmur.nix37
1 files changed, 27 insertions, 10 deletions
diff --git a/services/murmur.nix b/services/murmur.nix
index a0a5d80..fb338e3 100644
--- a/services/murmur.nix
+++ b/services/murmur.nix
@@ -13,16 +13,27 @@ in
};
systemd.services.create-murmur-database = {
- description = "Create cache directory for cgit";
+ description = "Create database directory for mumble";
enable = true;
wantedBy = [ "murmur.service" ];
serviceConfig = {
type = "oneshot";
};
script = ''
- mkdir -p /persist/replicable/murmur/
- chmod -R 755 /persist/replicable/murmur/
- chown -R murmur:murmur /persist/replicable/murmur/
+ mkdir -p /persist/replicable/murmur
+ chown -R murmur:murmur /persist/replicable/murmur
+ chmod 755 /persist/replicable/murmur
+
+ # Critical: parent dir must allow murmur to create WAL/SHM files
+ mkdir -p /persist/replicable
+ chown murmur:murmur /persist/replicable
+ chmod 755 /persist/replicable
+
+ DB="/persist/replicable/murmur/murmur.sqlite"
+ if [ -f "$DB" ]; then
+ chown murmur:murmur "$DB"
+ chmod 640 "$DB"
+ fi
'';
};
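Review bot: The added `chown murmur:murmur /persist/replicable` hands the parent directory to the service account, which the stated reason does not require: SQLite creates its `-wal` and `-shm` files next to the database, inside `/persist/replicable/murmur`, and the second hunk's `ReadWritePaths` grants write access to that directory only. Owning the parent lets the murmur user rename or remove any other entry under `/persist/replicable` (presumably shared with other services), so I would drop the three parent-directory lines and leave that directory root-owned. The database is set to 640 but its directory stays 755, so WAL/SHM files created under the service's umask may be readable by other local users; `chmod 750 /persist/replicable/murmur` would close that. Since the script presumably runs as root (no `User=` is visible) over a directory the service user owns, using `chown -h` and adding a `[ ! -L "$DB" ]` test would keep the per-file chown from following a symlink placed at that path.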
@@ -38,18 +49,24 @@ in
hostName = "10.0.1.30";
# registerHostname = "${fqdn}";
#registerName = "crashoverburn.com";
- sslCert = "${certDirectory}/fullchain.pem";
- sslKey = "${certDirectory}/key.pem";
- sslCa = "${certDirectory}/chain.pem";
+ sslCert = "${certDirectory}/cert.pem"; # ← leaf certificate only
+ sslKey = "${certDirectory}/key.pem"; # private key
+ sslCa = "${certDirectory}/chain.pem"; # intermediates (optional but recommended)
extraConfig = ''
database=${dbfolder}
'';
};
- systemd.services.murmur.postStart = ''
- ${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -supw "$(cat ${config.secrix.services.murmur.secrets.murmursupass.decrypted.path})"
- '';
+ systemd.services.murmur =
+ {
+ postStart = ''
+ ${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -supw "$(cat ${config.secrix.services.murmur.secrets.murmursupass.decrypted.path})"
+ '';
+ serviceConfig.ReadWritePaths = [
+ "/persist/replicable/murmur"
+ ];
+ };
security.acme.certs.${fqdn} = {
#useACMEHost = "crashoverburn.com";
group = "murmur-cert";
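Review bot: The `postStart` command still passes the SuperUser password as an argument (`-supw "$(cat …)"`), so the secret sits in the process's command line while the command runs and is visible to other local users through the process list. mumble-server can read it from standard input instead: `${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -readsupw < ${config.secrix.services.murmur.secrets.murmursupass.decrypted.path}`. The new `ReadWritePaths` entry only matters if the unit is otherwise sandboxed with a read-only view of the file system, which is not visible in this hunk; a one-line comment naming the hardening option it complements would help the next reader. With `sslCert` now pointing at the leaf-only `cert.pem`, the intermediates come solely from `sslCa`, so the "optional" in that comment probably understates it; I would word it as `# intermediates; needed now that sslCert is leaf-only`.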