From c1f62e9827efe7c8e303e3cfa70dac8f544312b1 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 9 Aug 2022 11:23:00 +0300
Subject: ...
---
hosts/surtr/dns/default.nix | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'hosts/surtr/dns')
diff --git a/hosts/surtr/dns/default.nix b/hosts/surtr/dns/default.nix
index 808c56da..026111be 100644
--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -44,11 +44,14 @@ in {
 fsType = "zfs";
 };
 
- systemd.services.knot.unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
+ systemd.services.knot = {
+ unitConfig.RequiresMountsFor = [ "/var/lib/knot" ];
+ serviceConfig.LoadCredential = map ({name, ...}: "${name}:config.sops.secrets.${name}.path") knotKeys;
+ };
 
 services.knot = {
 enable = true;
- keyFiles = map ({name, ...}: config.sops.secrets.${name}.path) knotKeys;
+ keyFiles = map ({name, ...}: "/run/credentials/knot.service/${name}") knotKeys;
 extraConfig = ''
 server:
 listen: 127.0.0.1@53
@@ -192,7 +195,6 @@ in {
 
 sops.secrets = listToAttrs (map ({name, path}: nameValuePair name {
 format = "binary";
- owner = "knot";
 sopsFile = path;
 }) knotKeys);
 
-- 
cgit v1.2.3
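Review bot: In the added `serviceConfig.LoadCredential` line the source half of each entry is literal string text, because only `${name}` is interpolated inside the quotes, so each entry evaluates to `<name>:config.sops.secrets.<name>.path` instead of the decrypted secret's path. systemd would then be handed a non-absolute source, and the files that `keyFiles` now expects under `/run/credentials/knot.service/` are unlikely to exist. The expression needs its own antiquotation: `"${name}:${config.sops.secrets.${name}.path}"`. This matters more because the second hunk drops `owner = "knot"`, so the secret files presumably fall back to the sops module's default ownership and the credential becomes the only route by which knot can read its keys. A short comment on the `LoadCredential` line saying that the secrets are deliberately no longer owned by `knot` would make that least-privilege intent clear to the next editor.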