From c3ff202b847205b396cb1bea454163e1a5b0a052 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Thu, 21 Sep 2023 12:52:53 +0800
Subject: [PATCH] hosts/plover: fix credentials permission for Bind service

---
 hosts/plover/modules/services/bind.nix | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/hosts/plover/modules/services/bind.nix b/hosts/plover/modules/services/bind.nix
index a30c0974..6212f5e6 100644
--- a/hosts/plover/modules/services/bind.nix
+++ b/hosts/plover/modules/services/bind.nix
@@ -79,7 +79,7 @@ in
   configFile = let
     cfg = config.services.bind;
-    certDir = path: "${config.security.acme.certs."${dnsSubdomain}".directory}/${path}";
+    certDir = path: "/run/credentials/bind.service/${path}";
     listenInterfaces = lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOn;
     listenInterfacesIpv6 = lib.concatMapStrings (entry: " ${entry}; ") cfg.listenOnIpv6;
   in
@@ -196,6 +196,18 @@ in
         Group = config.users.users.named.group;
         UMask = "0037";
 
+        # Get the credentials into the service.
+        LoadCredential =
+          let
+            certDirectory = config.security.acme.certs."${dnsSubdomain}".directory;
+            certCredentialPath = path: "${path}:${certDirectory}/${path}";
+          in
+          [
+            (certCredentialPath "cert.pem")
+            (certCredentialPath "key.pem")
+            (certCredentialPath "fullchain.pem")
+          ];
+
         # Lock and protect various system components.
         LockPersonality = true;
         PrivateTmp = true;
@@ -300,9 +312,6 @@ in
     };
   };
 
-  # Setting up DNS-over-TLS by generating a certificate.
-  security.acme.certs."${dnsSubdomain}".group = config.users.users.named.group;
-
   # Then generate a DH parameter for the application.
   security.dhparams.params.bind.bits = 4096;
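Review bot: The rewritten `certDir` in the first hunk hard-codes the credential directory of one specific unit, `/run/credentials/bind.service/`, so the generated named.conf silently points at a non-existent path if the unit is ever renamed or if the credential IDs declared in `LoadCredential` drift from the file names callers pass to `certDir`. Because named.conf is a static file it cannot consult `$CREDENTIALS_DIRECTORY`, so the literal path is unavoidable, but the coupling deserves a comment on the definition: `# Files are copied here by systemd's LoadCredential on the bind unit; the unit name and the credential IDs (cert.pem, key.pem, fullchain.pem) must stay in sync with serviceConfig.` The expression following `in` that consumes `certDir` lies outside the hunk.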
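Review bot: `LoadCredential` in the second hunk copies the three ACME files into the credential directory only when the service starts, so a certificate renewed by the ACME timer is not seen by bind until the unit is restarted, whereas the previous direct read from the ACME directory picked up renewed files on a plain reload. If the certificate's renewal hook merely reloads the unit (`security.acme.certs.<name>.reloadServices` issues a try-reload-or-restart), a unit with a reload action keeps serving the stale credential until its next restart — verify what the bind unit does on reload and, if it does not restart, trigger a restart from the certificate's `postRun` hook. The attribute set this block belongs to (presumably `serviceConfig`) starts and ends outside the hunk.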