rm step-ca and coredns

hosts/rx4/services/nginx.nix

@@ -7,6 +7,8 @@
 
 let
   cfg = config.services.nginx;
+
+  inherit (constants) domain;
 in
 {
   imports = [
@@ -34,4 +36,21 @@ in
       };
     };
   };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "admin@${domain}";
+      dnsProvider = "hetzner";
+      credentialFiles = {
+        HETZNER_API_TOKEN_FILE = config.sops.secrets.hetzner-api-key.path;
+      };
+    };
+  };
+
+  sops.secrets.hetzner-api-key = {
+    mode = "0400";
+    owner = "acme";
+    group = "acme";
+  };
 }

hosts/rx4/services/vaultwarden.nix

@@ -62,18 +62,10 @@ in
     };
   };
 
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "admin@${domain}";
-    certs."pw-custom" = {
-      domain = fqdn;
-      dnsProvider = "hetzner";
-      dnsResolver = "1.1.1.1:53";
-      credentialFiles = {
-        HETZNER_API_TOKEN_FILE = config.sops.secrets.hetzner-api-key.path;
-      };
-      group = "nginx";
-    };
+  security.acme.certs."pw-custom" = {
+    domain = fqdn;
+    postRun = "systemctl restart vaultwarden.service";
+    group = "nginx";
   };
 
   sops =
@@ -90,11 +82,6 @@ in
         "vaultwarden/smtp-password" = {
           inherit owner group mode;
         };
-        hetzner-api-key = {
-          inherit mode;
-          owner = "acme";
-          group = "acme";
-        };
       };
       templates = {
         "vaultwarden/env-file" = {