diff options
Diffstat (limited to 'hosts/surtr/tls/default.nix')
-rw-r--r-- | hosts/surtr/tls/default.nix | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix index 9b1fd1f3..d4eb1fb0 100644 --- a/hosts/surtr/tls/default.nix +++ b/hosts/surtr/tls/default.nix | |||
@@ -96,7 +96,10 @@ in { | |||
96 | serviceAttrset = domain: { | 96 | serviceAttrset = domain: { |
97 | after = [ "knot.service" ]; | 97 | after = [ "knot.service" ]; |
98 | bindsTo = [ "knot.service" ]; | 98 | bindsTo = [ "knot.service" ]; |
99 | serviceConfig.LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"]; | 99 | serviceConfig = { |
100 | LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"]; | ||
101 | SystemCallFilter = mkForce [ "@system-service" "~@privileged" "@chown" ]; | ||
102 | }; | ||
100 | }; | 103 | }; |
101 | in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset); | 104 | in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset); |
102 | 105 | ||