From f3ae9ae928204a74d5736083cddad7a122779acf Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 20 Sep 2021 15:18:10 +0200
Subject: surtr(tls): ...
---
 hosts/surtr/tls.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix
index 9a531930..7c62366a 100644
--- a/hosts/surtr/tls.nix
+++ b/hosts/surtr/tls.nix
@@ -24,6 +24,10 @@ let
 [[ -n "''${commited}" ]] || ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}"
 }
+ ${pkgs.coreutils}/bin/stat /run/knot/knot.sock
+ ${pkgs.coreutils}/bin/ls -lhaFR /run/knot /run/knot/knot.sock
+ ${pkgs.coreutils}/bin/groups
+
 ${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}"
 trap abort EXIT
@@ -75,8 +79,9 @@ in {
 after = [ "knot.service" ];
 bindsTo = [ "knot.service" ];
 serviceConfig = {
- BindPaths = ["/run/knot:/run/knot"];
+ ReadWritePaths = ["/run/knot/knot.sock"];
 SupplementaryGroups = ["knot"];
+ RestrictAddressFamilies = ["AF_UNIX"];
 };
 };
 in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs domains serviceAttrset);
-- 
cgit v1.2.3
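Review bot: The three added commands (`stat`, `ls -lhaFR /run/knot /run/knot/knot.sock`, `groups`) run unconditionally before `knotc zone-begin` and nothing marks them as temporary. On every run they write the socket's ownership and mode, a recursive listing of /run/knot and the unit's group membership to the journal. If the script runs with errexit (not visible in this hunk), a missing socket would also stop it at `stat` rather than at the `knotc` call that reports the actual problem. I would put a comment above them such as `# DEBUG: knot.sock permission diagnostics, remove once knotc access is confirmed` and make them non-fatal, e.g. `${pkgs.coreutils}/bin/stat /run/knot/knot.sock || true`. The enclosing script starts and ends outside the hunk.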
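Review bot: `RestrictAddressFamilies = ["AF_UNIX"];` is an allow-list, and it lands on the `acme-${domain}` units, whose ACME client presumably has to reach the CA over IPv4/IPv6. Unless another definition of these units contributes those families (not visible here), issuance and renewal would fail when the client creates its network socket; consider `RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];`. Separately, `ReadWritePaths` only lifts write protection on a path that is already visible and does not bind anything into the unit's mount namespace the way the removed `BindPaths` did. A short comment above it, e.g. `# knotc only needs the control socket; /run/knot itself stays as the unit's sandboxing leaves it`, would record why the narrower path is sufficient. The `serviceAttrset` definition begins outside the hunk.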