cluster/services/dns: use patroni incandescence

2024-08-10 13:06:59 +02:00 · 2024-08-10 13:06:59 +02:00 · 5d9ff62afe
commit 5d9ff62afe
parent 6d78b69601
2 changed files with 15 additions and 4 deletions
--- a/cluster/services/dns/authoritative.nix
+++ b/cluster/services/dns/authoritative.nix
@ -43,9 +43,6 @@ in {
  links.localAuthoritativeDNS = {};

  age.secrets = {
-    acmeDnsDbCredentials = {
-      file = ./acme-dns-db-credentials.age;
-    };
    acmeDnsDirectKey = {
      file = ./acme-dns-direct-key.age;
    };
@ -78,8 +75,12 @@ in {
    };
  };

+  services.locksmith.waitForSecrets.acme-dns = [
+    "patroni-acmedns"
+  ];
+
  systemd.services.acme-dns.serviceConfig.EnvironmentFile = with config.age.secrets; [
-    acmeDnsDbCredentials.path
+    "/run/locksmith/patroni-acmedns"
    acmeDnsDirectKey.path
  ];

--- a/cluster/services/dns/default.nix
+++ b/cluster/services/dns/default.nix
@ -58,6 +58,16 @@ in
    };
  };

+  patroni = {
+    databases.acmedns = {};
+    users.acmedns = {
+      locksmith = {
+        nodes = config.services.dns.nodes.authoritative;
+        format = "envFile";
+      };
+    };
+  };
+
  dns.records = {
    securedns.consulService = "securedns";
    "acme-dns-challenge.internal".consulService = "acme-dns";