From 21e6da21152e5a232247477d6c5422a6b0dddaea Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 19 Sep 2021 16:15:48 +0200
Subject: surtr(tls): allow access to knot

---
 hosts/surtr/tls.nix | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

(limited to 'hosts/surtr/tls.nix')

diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix
index 773d9379..6e7fcabc 100644
--- a/hosts/surtr/tls.nix
+++ b/hosts/surtr/tls.nix
@@ -44,6 +44,8 @@ let
 ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}"
 commited=yes
 '';
+
+ domains = ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"];
 in {
 config = {
 fileSystems."/var/lib/acme" =
@@ -57,7 +59,6 @@ in {
 email = "phikeebaogobaegh@141.li";
 certs =
 let
- domains = ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"];
 domainAttrset = domain: {
 inherit domain;
 extraDomainNames = [ "*.${domain}" ];
@@ -68,6 +69,15 @@ in {
 in genAttrs domains domainAttrset;
 };
 
- users.groups."knot".members = [ "acme" ];
+ systemd.services =
+ let
+ serviceAttrset = domain: {
+ bindsTo = [ "knot.service" ];
+ serviceConfig = {
+ ReadWritePaths = ["/run/knot/knot.sock"];
+ SupplementaryGroups = ["knot"];
+ };
+ };
+ in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs domains serviceAttrset);
 };
 }
-- 
cgit v1.2.3
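Review bot: `bindsTo = [ "knot.service" ]` in the new `serviceAttrset` ties the lifetime of each `acme-<domain>` unit to knot but imposes no start ordering, so at boot an `acme-*` unit can be started before knot has created `/run/knot/knot.sock`; since `ReadWritePaths` names that socket without a `-` prefix, systemd's namespace setup would then fail on the missing path and the unit would not start. Adding `after = [ "knot.service" ];` next to `bindsTo` is the usual pairing and removes that race (whether the socket path is created by knot at startup is inferred from its use in `knotc` calls above, not visible here). Worth a one-line comment on the `serviceConfig` block as well, e.g. `# the ACME post-run hook needs knotc access to the control socket inside the hardened acme sandbox`, and a note that this grants the renewal units the same full control-socket access the removed `users.groups."knot".members` line gave the whole `acme` user, now scoped to these units only. As a point of style, `serviceAttrset = domain: { ... }` never uses `domain`; naming the parameter `_` (or using `lib.const`) makes the per-domain duplication explicit.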