From 0eacd61dfbda6aed732e0d196fd8fe3d97bdcf63 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Mon, 31 Jan 2022 17:52:33 +0100
Subject: ...
---
 hosts/surtr/http.nix | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
(limited to 'hosts/surtr/http.nix')
diff --git a/hosts/surtr/http.nix b/hosts/surtr/http.nix
index bf5e0335..0e9146c4 100644
--- a/hosts/surtr/http.nix
+++ b/hosts/surtr/http.nix
@@ -51,7 +51,7 @@
 "webdav.141.li" = {
 forceSSL = true;
 sslCertificate = "${config.security.acme.certs."webdav.141.li".directory}/fullchain.pem";
- sslCertificateKey = "${config.security.acme.certs."webdav.141.li".directory}/key.pem";
+ sslCertificateKey = "/run/credentials/nginx.service/webdav.141.li.key.pem";
 locations."/" = {
 proxyPass = "http://webdav/";
 };
@@ -60,6 +60,17 @@
 };
 security.acme.domains."webdav.141.li" = {
 zone = "141.li";
+ certCfg = {
+ postRun = ''
+ ${pkgs.systemd}/bin/systemctl try-restart nginx.service
+ '';
+ };
+ };
+ systemd.services.nginx = {
+ preStart = lib.mkForce config.services.nginx.preStart;
+ serviceConfig = {
+ LoadCredential = [ "webdav.141.li.key.pem:${config.security.acme.certs."webdav.141.li".directory}/key.pem" ];
+ };
 };
 };
 }
-- cgit v1.2.3
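Review bot: The certificate and its key now come from two different sources in the `"webdav.141.li"` vhost: `sslCertificate` is still read from the ACME directory, while `sslCertificateKey` is the copy systemd takes when the unit starts. If a renewal replaces the key, a reload that lands before the `try-restart` would pair the new chain with the old key, and nginx still needs read access to the ACME directory for `fullchain.pem`, so the isolation is only partial. Consider passing the chain through `LoadCredential` as well, e.g. `sslCertificate = "/run/credentials/nginx.service/webdav.141.li.pem";` with a matching list entry (credential name constructed here). The new path also hard-codes the unit and credential names used by the second hunk; a shared `let` binding would keep the two from drifting apart. The vhost attribute set continues outside the hunk.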
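Review bot: `preStart = lib.mkForce config.services.nginx.preStart;` overrides the unit's pre-start script without saying why; it presumably drops the `nginx -t` check that the NixOS module appends, so a broken configuration would no longer be caught before start. Add a comment on that line along the lines of `# mkForce: skip the module's config test because <reason>`. The `postRun` hook deserves one as well, e.g. `# restart, not reload: LoadCredential is only re-read when the unit starts`, since `try-restart` interrupts every vhost served by this nginx on each renewal.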