From c1f62e9827efe7c8e303e3cfa70dac8f544312b1 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 9 Aug 2022 11:23:00 +0300
Subject: ...
---
 hosts/surtr/tls/default.nix | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)
(limited to 'hosts/surtr/tls/default.nix')
diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index 0f3a7fec..9b1fd1f3 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -59,22 +59,19 @@ in {
 let domainAttrset = domain: let
 tsigPath = ./tsig_keys + "/${domain}";
- tsigSecret = config.sops.secrets.${tsigSecretName domain};
 isTsig = pathExists tsigPath;
 shared = {
 inherit domain;
 extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
 dnsResolver = "127.0.0.1:5353";
 };
- mkRFC2136 = let
- tsigInfo = readYaml tsigPath;
- in shared // {
+ mkRFC2136 = shared // {
 dnsProvider = "rfc2136";
 credentialsFile = pkgs.writeText "${domain}_credentials.env" ''
 RFC2136_NAMESERVER=127.0.0.1:53
 RFC2136_TSIG_ALGORITHM=hmac-sha256.
 RFC2136_TSIG_KEY=${domain}_acme_key
- RFC2136_TSIG_SECRET_FILE=${tsigSecret.path}
+ RFC2136_TSIG_SECRET_FILE=/run/credentials/acme-${domain}.service/tsig_secret
 RFC2136_TTL=0
 RFC2136_PROPAGATION_TIMEOUT=60
 RFC2136_POLLING_INTERVAL=2
@@ -90,8 +87,6 @@ in {
 if v == "regular" || v == "symlink" then nameValuePair (tsigSecretName n) {
 format = "binary";
- owner = if config.security.acme.useRoot then "root" else "acme";
- group = "acme";
 sopsFile = ./tsig_keys + "/${n}";
 } else null;
 in mapFilterAttrs (_: v: v != null) toTSIGSecret (builtins.readDir ./tsig_keys);
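Review bot: The new `RFC2136_TSIG_SECRET_FILE=/run/credentials/acme-${domain}.service/tsig_secret` line spells the systemd credentials directory out by hand, so the env file now silently depends on two things fixed elsewhere: the unit being named `acme-${domain}` and the credential ID `tsig_secret` chosen in the `LoadCredential` entry further down; if either is renamed, lego simply fails to read the TSIG key at renewal time with no evaluation error to point at the cause. Presumably the path is hard-coded because the acme module hands `credentialsFile` to systemd as `EnvironmentFile=`, whose contents are neither specifier- nor variable-expanded, so `%d` / `$CREDENTIALS_DIRECTORY` are not usable there; that reasoning deserves a comment above the line, e.g. `# Must match the "tsig_secret" LoadCredential= on the acme-<domain> unit (serviceAttrset below);` and `# EnvironmentFile= contents are not expanded, so %d / $CREDENTIALS_DIRECTORY cannot be used here.` Hoisting the credential ID into one `let` binding shared by the env file and the `LoadCredential` entry would remove the duplication. `domainAttrset`'s let-body continues past the end of the hunk, so whether `isTsig` is still consumed cannot be seen here.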
@@ -101,11 +96,7 @@ in {
 serviceAttrset = domain: {
 after = [ "knot.service" ];
 bindsTo = [ "knot.service" ];
- serviceConfig = {
- ReadWritePaths = ["/run/knot/knot.sock"];
- SupplementaryGroups = ["knot"];
- RestrictAddressFamilies = ["AF_UNIX"];
- };
+ serviceConfig.LoadCredential = ["tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}"];
 };
 in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
-- 
cgit v1.2.3
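Review bot: The new `serviceConfig.LoadCredential` line forces `config.sops.secrets.${tsigSecretName domain}.path` for every name in `config.security.acme.certs`, but those secrets appear to be declared only for domains that have a file under `./tsig_keys` (the `toTSIGSecret` mapping over `builtins.readDir ./tsig_keys` in the previous hunk), so a cert without a key file would now fail evaluation on a missing attribute, whereas the removed `tsigSecret` let-binding was lazy and only forced where `mkRFC2136` used it. If every cert is guaranteed a key file this is moot, but the `isTsig = pathExists tsigPath` check kept in the first hunk suggests it is not. Guarding with the same test, `serviceConfig.LoadCredential = optional (pathExists (./tsig_keys + "/${domain}")) "tsig_secret:${config.sops.secrets.${tsigSecretName domain}.path}";` (both helpers are already used unqualified in the first hunk), keeps evaluation lazy and leaves TSIG-less units untouched. The credential ID and the `acme-${domain}` unit name chosen here must also stay in sync with the path hard-coded into the env file in the first hunk, which is worth a one-line comment on this entry; what `serviceAttrset` and the enclosing `let` are assigned to starts before the hunk.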