authorsefidel <contact@sefidel.net>2023-02-06 18:16:38 +0900
committersefidel <contact@sefidel.net>2023-02-06 18:26:16 +0900
commit374f2f364a3a5de5438dd310f6cb50490eae6f1e (patch)
treec4a2f0dd33b61285606d894cc61353331c71f009 /nixos/cobalt/services
parent9d2566b5958943643d138186ebc57def41f68e51 (diff)
feat: use sops for secret management
Diffstat (limited to 'nixos/cobalt/services')
-rw-r--r--nixos/cobalt/services/acme.nix13
1 files changed, 7 insertions, 6 deletions
diff --git a/nixos/cobalt/services/acme.nix b/nixos/cobalt/services/acme.nix
index d28bfc7..58a5c77 100644
--- a/nixos/cobalt/services/acme.nix
+++ b/nixos/cobalt/services/acme.nix
@@ -1,7 +1,13 @@
+{ config, ... }:
+
 let
   poorObfuscation = y: x: "${x}@${y}";
 in
 {
+  sops.secrets.hetzner-dns-key = {
+    owner = "acme";
+  };
+
   security.acme = {
     acceptTerms = true;
     defaults.email = poorObfuscation "sefidel.com" "postmaster";
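Review bot: The new `sops.secrets.hetzner-dns-key` block says nothing about what the secret must contain, and that matters here because the path is handed to lego as `credentialsFile`, which is parsed as an environment file rather than a bare token; a one-line comment such as `# env-file form: HETZNER_API_KEY=<token> (lego credentialsFile format)` above `owner = "acme";` would prevent the next edit from storing the raw key. The declaration also relies on the sops-nix module's default sops file and default mode, presumably configured elsewhere in the flake — worth confirming that the 0400/owner-only default is what ends up on disk. `owner = "acme"` matches the default ACME user, but it will silently diverge if a per-certificate `user` is ever set under `security.acme.certs`.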
@@ -14,7 +20,7 @@ in
         ];
         dnsProvider = "hetzner";
         dnsPropagationCheck = true;
-        credentialsFile = "/persist/secrets/hetzner.key";
+        credentialsFile = config.sops.secrets.hetzner-dns-key.path;
       };
     };
   };
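Review bot: Switching `credentialsFile` to the sops-managed path leaves the previous plaintext copy at `/persist/secrets/hetzner.key` in place on hosts that were already deployed — nothing in this commit removes it, and the later hunk only drops the `deployment.keys` entry that used to write it. Because that file lived on the persisted volume, it should be deleted on each host and the Hetzner API token rotated, rather than assuming the move to `/run/secrets` retired it. The surrounding `security.acme.certs.<name>` attribute set begins outside this hunk, so I could not check whether any other option still references the old path.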
@@ -22,9 +28,4 @@ in
   environment.persistence."/persist".directories = [
     "/var/lib/acme"
   ];
-
-  deployment.keys."hetzner.key" = {
-    keyCommand = [ "pass" "show" "server/hetzner-dns" ];
-    destDir = "/persist/secrets";
-  };
 }