From 93c2272889d661d4d732c8ed989fe907d96660d9 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 23 Jan 2022 17:04:32 +0100
Subject: ...
---
 hosts/vidhar/default.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index c5bdacdd..9905d1f8 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -125,7 +125,7 @@
 ${config.services.grafana.domain} = {
 forceSSL = true;
 sslCertificate = ./selfsigned.crt;
- sslCertificateKey = config.sops.secrets."selfsigned.key".path;
+ sslCertificateKey = "/run/credentials/nginx.service/selfsigned.key";
 locations."/" = {
 proxyPass = "http://grafana/";
 proxyWebsockets = true;
@@ -155,10 +155,10 @@
 sops.secrets."selfsigned.key" = {
 format = "binary";
 sopsFile = ./selfsigned.key;
- group = "ssl";
- mode = "0440";
 };
- users.groups.ssl.members = ["nginx"];
+ systemd.services.nginx.serviceConfig = {
+ LoadCredential = [ "selfsigned.key:${config.sops.secrets."selfsigned.key".path}" ];
+ };
 services.loki = {
 enable = true;
--
cgit v1.2.3
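Review bot: The new `sslCertificateKey` value hard-codes both the unit name and the credential name, and nothing at that line says it has to stay in step with the `LoadCredential` entry added in the second hunk. A comment above it such as `# systemd credential; name must match LoadCredential in systemd.services.nginx.serviceConfig` would make the coupling visible. If the two drift apart, nginx will presumably fail to find the key at start, which fails closed but takes the virtual host down. The virtual host block starts and ends outside the hunk.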
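Review bot: The `LoadCredential` entry gives nginx a copy of the key taken when the unit starts, so a changed `selfsigned.key` will not reach a running nginx until the service is restarted; a reload is presumably not enough. If the sops-nix version in use supports it, `restartUnits = [ "nginx.service" ];` inside `sops.secrets."selfsigned.key"` would tie that restart to the secret. Dropping `group` and `mode` leaves the file at the sops-nix defaults, which narrows access only as long as nothing else on this host relied on the `ssl` group, and that cannot be checked from this hunk. The `services.loki` block continues outside the hunk.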