2 files changed, 17 insertions, 2 deletions

diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix
index bf5e0335..0e9146c4 100644
--- a/hosts/surtr/http.nix
+++ b/hosts/surtr/http.nix
@@ -51,7 +51,7 @@
         "webdav.141.li" = {
           forceSSL = true;
           sslCertificate = "${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem";
-          sslCertificateKey = "${config.security.acme.certs."webdav.141.li".directory}/key.pem";
+          sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
           locations."/" = {
             proxyPass = "http://webdav/";
           };
@@ -60,6 +60,17 @@
     };
     security.acme.domains."webdav.141.li" = {
       zone = "141.li";
+      certCfg = {
+        postRun = ''
+          ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+        '';
+      };
+    };
+    systemd.services.nginx = {
+      preStart = lib.mkForce config.services.nginx.preStart;
+      serviceConfig = {
+        LoadCredential = [ "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem" ];
+      };
     };
   };
 }
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix
index 53fe1e5e..17de1319 100644
--- a/hosts/surtr/tls.nix
+++ b/hosts/surtr/tls.nix
@@ -60,6 +60,10 @@ let
         type = types.nullOr types.str;
         default = null;
       };
+      certCfg = mkOption {
+        type = types.attrs;
+        default = {};
+      };
     };
   };
 in {
@@ -93,7 +97,7 @@ in {
             credentialsFile = knotDNSCredentials domain;
             dnsResolver = "1.1.1.1:53";
             keyType = "rsa4096"; # we don't like NIST curves
-          };
+          } // cfg.domains.${domain}.certCfg;
         in genAttrs (attrNames cfg.domains) domainAttrset;
     };