authorGregor Kleen <gkleen@yggdrasil.li>2026-05-19 08:54:32 +0000
committerGregor Kleen <gkleen@yggdrasil.li>2026-05-19 08:54:32 +0000
commit2bb4922f05c61da2eb3b0ee7c913da9f25a22ab3 (patch)
tree42366e46e49f2f22e2a3e12a4b840cdc2537d715
parent4aefb662379cc0b4da0b4818bf6820c77dde9ec8 (diff)
-rw-r--r--hosts/surtr/tls/default.nix3
1 files changed, 1 insertions, 2 deletions
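diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index edec60b1..6621b06d 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -68,7 +68,7 @@ in {
 RFC2136_SEQUENCE_INTERVAL=1
 '';
 credentialFiles = {
-RFC2136_TSIG_SECRET_FILE = "/run/credentials/acme-order-renew-${domain}.service/${tsigSecretName domain}";
+RFC2136_TSIG_SECRET_FILE = config.sops.secrets.${tsigSecretName domain}.path;
 };
 dnsPropagationCheck = false;
 postRun = mkIf (domainCfg.restartUnits != []) ''
@@ -90,7 +90,6 @@ in {
 after = [ "knot.service" ];
 bindsTo = [ "knot.service" ];
 serviceConfig = {
-LoadCredential = [ "${tsigSecretName domain}:${config.sops.secrets.${tsigSecretName domain}.path}" ];
 SystemCallFilter = mkForce [ "@system-service" "~@privileged" "@chown" ];
 };
 }) cfg.rfc2136Domains;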
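Review bot: After this change the only route for the TSIG key into the renewal unit is `credentialFiles`, and neither hunk shows whether that option still hands the sops file over as a systemd credential or passes the path to the service directly. If it is the former, the explicit `LoadCredential` was redundant and the sops secret can stay readable by root only; if it is the latter, the secret's owner and mode must now admit the ACME service user, which is broader access than before. A comment above the new `RFC2136_TSIG_SECRET_FILE` line would settle this for the next reader, e.g. `# credentialFiles loads this path as a systemd credential; the sops secret itself stays root-only`, to be confirmed against the module and the `sops.secrets` declaration, both outside the visible hunks. The enclosing attribute sets start and end outside both hunks.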