From 2bb4922f05c61da2eb3b0ee7c913da9f25a22ab3 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 19 May 2026 08:54:32 +0000
Subject: ...
---
 hosts/surtr/tls/default.nix | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
(limited to 'hosts/surtr/tls/default.nix')
diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index edec60b1..6621b06d 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -68,7 +68,7 @@ in {
 RFC2136_SEQUENCE_INTERVAL=1
 '';
 credentialFiles = {
- RFC2136_TSIG_SECRET_FILE = "/run/credentials/acme-order-renew-${domain}.service/${tsigSecretName domain}";
+ RFC2136_TSIG_SECRET_FILE = config.sops.secrets.${tsigSecretName domain}.path;
 };
 dnsPropagationCheck = false;
 postRun = mkIf (domainCfg.restartUnits != []) ''
@@ -90,7 +90,6 @@ in {
 after = [ "knot.service" ];
 bindsTo = [ "knot.service" ];
 serviceConfig = {
- LoadCredential = [ "${tsigSecretName domain}:${config.sops.secrets.${tsigSecretName domain}.path}" ];
 SystemCallFilter = mkForce [ "@system-service" "~@privileged" "@chown" ];
 };
 }) cfg.rfc2136Domains;
--
cgit v1.2.3
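Review bot: In the first hunk, `RFC2136_TSIG_SECRET_FILE` now points at the sops-nix path directly, and nothing visible says who is expected to read that file. If this `credentialFiles` is the `security.acme` option (the enclosing attribute set starts outside the hunk, so this is inferred), systemd loads each entry as a credential and the sops secret can stay root-owned; in that case check that the secret's declaration does not still grant `owner`/`group` access to the ACME user from an earlier setup. If the path is instead passed to the client as-is, the secret has to be readable by the service user, which is a wider exposure than the `LoadCredential` line dropped in the second hunk gave. I would record the assumption next to the assignment, e.g. `# loaded by systemd through credentialFiles; the sops secret stays readable by root only`.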