...

author: Gregor Kleen <gkleen@yggdrasil.li> 2025-11-14 08:20:11 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2025-11-14 08:20:11 +0100
commit: d05cccba95721f1aba3647a428977691a0ec92d6 (patch)
tree: 0d5d2bd0001a66ea084780960ebe3c89f10f8faf /hosts
parent: f8a9228baa4f68c7639ef703e15f97bf146c53ee (diff)
download: nixos-d05cccba95721f1aba3647a428977691a0ec92d6.tar
nixos-d05cccba95721f1aba3647a428977691a0ec92d6.tar.gz
nixos-d05cccba95721f1aba3647a428977691a0ec92d6.tar.bz2
nixos-d05cccba95721f1aba3647a428977691a0ec92d6.tar.xz
nixos-d05cccba95721f1aba3647a428977691a0ec92d6.zip
1 files changed, 3 insertions, 3 deletions
diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index b25bd2ea..2c346baa 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -62,7 +62,7 @@ in {
          RFC2136_NAMESERVER=127.0.0.1:53
          RFC2136_TSIG_ALGORITHM=hmac-sha256.
          RFC2136_TSIG_KEY=${domain}_acme_key
-          RFC2136_TSIG_SECRET_FILE=/run/credentials/acme-${domain}.service/${tsigSecretName domain}
+          RFC2136_TSIG_SECRET_FILE=/run/credentials/acme-order-renew-${domain}.service/${tsigSecretName domain}
          RFC2136_TTL=0
          RFC2136_PROPAGATION_TIMEOUT=60
          RFC2136_POLLING_INTERVAL=2
@@ -79,12 +79,12 @@ in {
    sops.secrets = mapAttrs' (domain: domainCfg: nameValuePair (tsigSecretName domain) {
      format = "binary";
      sopsFile = tsigKey domain;
-      restartUnits = [ "acme-${domain}.service" ];
+      restartUnits = [ "acme-order-renew${domain}.service" ];
    }) cfg.rfc2136Domains;
    # Provide appropriate `tsig_key/*` to systemd service performing
    # certificate provisioning
-    systemd.services = mapAttrs' (domain: domainCfg: nameValuePair "acme-${domain}" {
+    systemd.services = mapAttrs' (domain: domainCfg: nameValuePair "acme-order-renew-${domain}" {
      after = [ "knot.service" ];
      bindsTo = [ "knot.service" ];
      serviceConfig = {
author	Gregor Kleen <gkleen@yggdrasil.li>	2025-11-14 08:20:11 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2025-11-14 08:20:11 +0100
commit	d05cccba95721f1aba3647a428977691a0ec92d6 (patch)
tree	0d5d2bd0001a66ea084780960ebe3c89f10f8faf /hosts
parent	f8a9228baa4f68c7639ef703e15f97bf146c53ee (diff)
download	nixos-d05cccba95721f1aba3647a428977691a0ec92d6.tar nixos-d05cccba95721f1aba3647a428977691a0ec92d6.tar.gz nixos-d05cccba95721f1aba3647a428977691a0ec92d6.tar.bz2 nixos-d05cccba95721f1aba3647a428977691a0ec92d6.tar.xz nixos-d05cccba95721f1aba3647a428977691a0ec92d6.zip

diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix index b25bd2ea..2c346baa 100644 --- a/hosts/surtr/tls/default.nix +++ b/hosts/surtr/tls/default.nix
@@ -62,7 +62,7 @@ in {
62	RFC2136_NAMESERVER=127.0.0.1:53	62	RFC2136_NAMESERVER=127.0.0.1:53
63	RFC2136_TSIG_ALGORITHM=hmac-sha256.	63	RFC2136_TSIG_ALGORITHM=hmac-sha256.
64	RFC2136_TSIG_KEY=${domain}_acme_key	64	RFC2136_TSIG_KEY=${domain}_acme_key
65	RFC2136_TSIG_SECRET_FILE=/run/credentials/acme-${domain}.service/${tsigSecretName domain}	65	RFC2136_TSIG_SECRET_FILE=/run/credentials/acme-order-renew-${domain}.service/${tsigSecretName domain}
66	RFC2136_TTL=0	66	RFC2136_TTL=0
67	RFC2136_PROPAGATION_TIMEOUT=60	67	RFC2136_PROPAGATION_TIMEOUT=60
68	RFC2136_POLLING_INTERVAL=2	68	RFC2136_POLLING_INTERVAL=2
@@ -79,12 +79,12 @@ in {
79	sops.secrets = mapAttrs' (domain: domainCfg: nameValuePair (tsigSecretName domain) {	79	sops.secrets = mapAttrs' (domain: domainCfg: nameValuePair (tsigSecretName domain) {
80	format = "binary";	80	format = "binary";
81	sopsFile = tsigKey domain;	81	sopsFile = tsigKey domain;
82	restartUnits = [ "acme-${domain}.service" ];	82	restartUnits = [ "acme-order-renew${domain}.service" ];
83	}) cfg.rfc2136Domains;	83	}) cfg.rfc2136Domains;
84		84
85	# Provide appropriate `tsig_key/*` to systemd service performing	85	# Provide appropriate `tsig_key/*` to systemd service performing
86	# certificate provisioning	86	# certificate provisioning
87	systemd.services = mapAttrs' (domain: domainCfg: nameValuePair "acme-${domain}" {	87	systemd.services = mapAttrs' (domain: domainCfg: nameValuePair "acme-order-renew-${domain}" {
88	after = [ "knot.service" ];	88	after = [ "knot.service" ];
89	bindsTo = [ "knot.service" ];	89	bindsTo = [ "knot.service" ];
90	serviceConfig = {	90	serviceConfig = {