From d05cccba95721f1aba3647a428977691a0ec92d6 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Fri, 14 Nov 2025 08:20:11 +0100
Subject: ...
---
 hosts/surtr/tls/default.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'hosts/surtr/tls')
diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index b25bd2ea..2c346baa 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -62,7 +62,7 @@ in {
 RFC2136_NAMESERVER=127.0.0.1:53
 RFC2136_TSIG_ALGORITHM=hmac-sha256.
 RFC2136_TSIG_KEY=${domain}_acme_key
- RFC2136_TSIG_SECRET_FILE=/run/credentials/acme-${domain}.service/${tsigSecretName domain}
+ RFC2136_TSIG_SECRET_FILE=/run/credentials/acme-order-renew-${domain}.service/${tsigSecretName domain}
 RFC2136_TTL=0
 RFC2136_PROPAGATION_TIMEOUT=60
 RFC2136_POLLING_INTERVAL=2
@@ -79,12 +79,12 @@ in {
 sops.secrets = mapAttrs' (domain: domainCfg: nameValuePair (tsigSecretName domain) {
 format = "binary";
 sopsFile = tsigKey domain;
- restartUnits = [ "acme-${domain}.service" ];
+ restartUnits = [ "acme-order-renew${domain}.service" ];
 }) cfg.rfc2136Domains;

 # Provide appropriate `tsig_key/*` to systemd service performing
 # certificate provisioning
- systemd.services = mapAttrs' (domain: domainCfg: nameValuePair "acme-${domain}" {
+ systemd.services = mapAttrs' (domain: domainCfg: nameValuePair "acme-order-renew-${domain}" {
 after = [ "knot.service" ];
 bindsTo = [ "knot.service" ];
 serviceConfig = {
--
cgit v1.2.3
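Review bot: The new `restartUnits` entry in the second hunk reads `"acme-order-renew${domain}.service"`, without the hyphen before `${domain}` that the other two renamed references carry, so it names a unit that this file does not define. As far as the visible lines show, a rotated TSIG secret would then not restart the ACME order/renew unit, which would presumably keep using the old key from its credentials directory until something else restarts it. The line should be `restartUnits = [ "acme-order-renew-${domain}.service" ];`. Because the unit name is now spelled out in three places (the `RFC2136_TSIG_SECRET_FILE` path in the first hunk, this list, and the `systemd.services` key), a single let-bound helper such as `acmeUnit = domain: "acme-order-renew-${domain}";` would keep them from drifting apart again. Both the `sops.secrets` and `systemd.services` attribute sets continue outside the hunk, so whether the unit's `serviceConfig` still loads the credential under the new unit name cannot be confirmed from here.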