author | sefidel <contact@sefidel.net> | 2023-02-06 18:16:38 +0900 |
committer | sefidel <contact@sefidel.net> | 2023-02-06 18:26:16 +0900 |
commit | 374f2f364a3a5de5438dd310f6cb50490eae6f1e (patch) | |
tree | c4a2f0dd33b61285606d894cc61353331c71f009 /nixos/cobalt/services | |
parent | 9d2566b5958943643d138186ebc57def41f68e51 (diff) | |
feat: use sops for secret management
Diffstat (limited to 'nixos/cobalt/services')
-rw-r--r-- | nixos/cobalt/services/acme.nix | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/nixos/cobalt/services/acme.nix b/nixos/cobalt/services/acme.nix
index d28bfc7..58a5c77 100644
--- a/nixos/cobalt/services/acme.nix
+++ b/nixos/cobalt/services/acme.nix
@@ -1,7 +1,13 @@
+{ config, ... }:
+
 let
 poorObfuscation = y: x: "${x}@${y}";
 in
 {
+ sops.secrets.hetzner-dns-key = {
+ owner = "acme";
+ };
+
 security.acme = {
 acceptTerms = true;
 defaults.email = poorObfuscation "sefidel.com" "postmaster";
@@ -14,7 +20,7 @@ in
 ];
 dnsProvider = "hetzner";
 dnsPropagationCheck = true;
- credentialsFile = "/persist/secrets/hetzner.key";
+ credentialsFile = config.sops.secrets.hetzner-dns-key.path;
 };
 };
 };
@@ -22,9 +28,4 @@ in
 environment.persistence."/persist".directories = [
 "/var/lib/acme"
 ];
-
- deployment.keys."hetzner.key" = {
- keyCommand = [ "pass" "show" "server/hetzner-dns" ];
- destDir = "/persist/secrets";
- };
 }
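Review bot: The new `sops.secrets.hetzner-dns-key` entry in the first hunk sets only `owner = "acme"` and says nothing about where the secret comes from or what it must contain. With no `sopsFile` here, sops-nix will look for a key named `hetzner-dns-key` in `sops.defaultSopsFile`, which is not set in this file, so the build presumably depends on that being configured elsewhere. The ACME module hands `credentialsFile` to lego as an env-style file, so the decrypted value has to be a `HETZNER_API_KEY=…` line rather than a bare token; whether the old `pass show server/hetzner-dns` output already had that shape cannot be told from this diff. A short comment on the entry would save the next reader from guessing: `# Decrypted to /run/secrets by sops-nix (key taken from sops.defaultSopsFile); lego expects env-file content, e.g. HETZNER_API_KEY=<token>`. Leaving `mode` at the sops-nix default (owner-read-only) is fine for the `acme` service user.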
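Review bot: Dropping the `credentialsFile = "/persist/secrets/hetzner.key"` reference in the second hunk does not remove the plaintext key that the old `deployment.keys` block wrote to `/persist/secrets` on already-deployed hosts, and that directory lives on the persisted volume rather than tmpfs. Once the sops-managed path is confirmed working, the stale file should be deleted on the host, and since the token was stored unencrypted there it is worth rotating it in Hetzner at the same time. Pointing `credentialsFile` at `config.sops.secrets.hetzner-dns-key.path` is the right shape: the decrypted file lands under `/run/secrets` and is not persisted across reboots.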