From f9d0bcc2d27fb7c6802fa68a9a44f00b64e1a207 Mon Sep 17 00:00:00 2001
From: oluceps
Date: Tue, 15 Oct 2024 06:41:08 +0800
Subject: [PATCH] =
---
 hosts/hastur/caddy.nix | 52 +++++++++++++++++++++---------------------
 repack/reuse-cert.nix | 9 +++-----
 2 files changed, 29 insertions(+), 32 deletions(-)
diff --git a/hosts/hastur/caddy.nix b/hosts/hastur/caddy.nix
index 2ff0d236..92241ce9 100644
--- a/hosts/hastur/caddy.nix
+++ b/hosts/hastur/caddy.nix
@@ -146,35 +146,35 @@
 };
 };
 tls = {
- automation.policies = [
- {
- subjects = [
- "*.nyaw.xyz"
- "nyaw.xyz"
- ];
- issuers = [
- {
- module = "acme";
- challenges = {
- dns = {
- provider = {
- name = "porkbun";
- api_key = "{env.PORKBUN_API_KEY}";
- api_secret_key = "{env.PORKBUN_API_SECRET_KEY}";
- };
- };
- };
- }
- ];
- }
- ];
- # certificates.load_files = [
+ # automation.policies = [
 # {
- # certificate = "/run/credentials/caddy.service/nyaw.cert";
- # key = "/run/credentials/caddy.service/nyaw.key";
- # tags = [ "cert0" ];
+ # subjects = [
+ # "*.nyaw.xyz"
+ # "nyaw.xyz"
+ # ];
+ # issuers = [
+ # {
+ # module = "acme";
+ # challenges = {
+ # dns = {
+ # provider = {
+ # name = "porkbun";
+ # api_key = "{env.PORKBUN_API_KEY}";
+ # api_secret_key = "{env.PORKBUN_API_SECRET_KEY}";
+ # };
+ # };
+ # };
+ # }
+ # ];
 # }
 # ];
+ certificates.load_files = [
+ {
+ certificate = "/run/credentials/caddy.service/nyaw.cert";
+ key = "/run/credentials/caddy.service/nyaw.key";
+ tags = [ "cert0" ];
+ }
+ ];
 };
 };
 };
diff --git a/repack/reuse-cert.nix b/repack/reuse-cert.nix
index 3399d4a4..92a1998f 100644
--- a/repack/reuse-cert.nix
+++ b/repack/reuse-cert.nix
@@ -26,12 +26,9 @@ reIf (
 acc
 // {
 ${i.name} = {
- serviceConfig.LoadCredential = lib.mkIf i.cond (
- (map (lib.genCredPath config)) [
- "nyaw.cert"
- "nyaw.key"
- ]
- );
+ serviceConfig.BindReadOnlyPaths = lib.mkIf i.cond [
+ "-/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/"
+ ];
 };
 }
 ) { } nameCondPair)
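Review bot: `certificates.load_files` now points at `/run/credentials/caddy.service/nyaw.cert` and `nyaw.key`, but nothing in this patch supplies those credentials to `caddy.service` — the only `LoadCredential` mapping these names is the one the second hunk removes from `reuse-cert.nix`, and that one targets the services in `nameCondPair`, not Caddy. If `caddy.service` does not declare `LoadCredential`/`LoadCredentialEncrypted` for `nyaw.cert` and `nyaw.key` elsewhere, the files will not exist and Caddy fails to load the certificate at start. With the porkbun ACME policy commented out, Caddy also no longer renews this certificate itself, so the block should say who produces and rotates the files and how Caddy picks up a new one, e.g. `# nyaw.cert/key are provided via LoadCredential on caddy.service; renewal happens outside Caddy (<describe>), reload Caddy after rotation`. The commented-out policy is dead config that git history already preserves; consider deleting it instead of carrying it. The enclosing `tls` attribute set continues outside the hunk.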
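Review bot: Replacing a two-file `LoadCredential` with a read-only bind of the whole `acme-v02.api.letsencrypt.org-directory/` exposes every certificate and private key Caddy stores under that issuer directory, for all hostnames, to each service in `nameCondPair`, whereas the removed code handed each service exactly `nyaw.cert` and `nyaw.key` in its own private credentials directory. The bind also keeps the files' on-disk ownership and mode, so the consuming service must run with an identity that can read Caddy's private keys, which typically means running as root or loosening key permissions — `LoadCredential` avoided that by copying into a service-owned tmpfs. The leading `-` makes the bind optional, so a service starts silently without a certificate if the directory is absent, and since the first hunk disables Caddy's own ACME policy for `nyaw.xyz`, it is not clear from this patch that the directory will keep holding a current certificate for that name. Consider narrowing the bind to the one hostname's subdirectory, e.g. `"-/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/<hostname>/"`, and documenting which user reads it. The enclosing `reIf` function starts and ends outside the hunk.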