From 6c9fd17e00d3cec0e1df9c0afc156481ea5d477f Mon Sep 17 00:00:00 2001
From: sid
Date: Fri, 3 Apr 2026 16:42:33 +0200
Subject: [PATCH] acme ownership for hetzner api key
---
 hosts/sid/services/nginx.nix | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/hosts/sid/services/nginx.nix b/hosts/sid/services/nginx.nix
index 4ee8c2b..0cbeb6c 100644
--- a/hosts/sid/services/nginx.nix
+++ b/hosts/sid/services/nginx.nix
@@ -51,8 +51,6 @@ in
 credentialsFile = config.sops.templates.hetzner-dns-api-key.path;
 };
 };
- sops.secrets.hetzner-dns-api-key = { };
- sops.templates.hetzner-dns-api-key.content = "HETZNER_API_TOKEN=${config.sops.placeholder.hetzner-dns-api-key}";
 services.nginx = {
 enable = true;
@@ -114,4 +112,18 @@ in
 # };
 # };
 };
+
+ sops =
+ let
+ owner = "acme";
+ group = "acme";
+ mode = "0400";
+ in
+ {
+ secrets.hetzner-dns-api-key = { inherit owner group mode; };
+ templates.hetzner-dns-api-key = {
+ inherit owner group mode;
+ content = "HETZNER_API_TOKEN=${config.sops.placeholder.hetzner-dns-api-key}";
+ };
+ };
 }
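Review bot: The raw secret `secrets.hetzner-dns-api-key` is handed to `acme` together with the template, but the visible lines only consume the rendered template (`credentialsFile = config.sops.templates.hetzner-dns-api-key.path;` in the first hunk). The placeholder is filled in by sops-nix itself, so the raw secret can presumably keep its default ownership, `secrets.hetzner-dns-api-key = { };`, leaving one acme-readable copy of the token instead of two. If something outside this hunk does read the raw secret path as `acme`, keep the ownership and add a comment such as `# raw secret is also read by <consumer>; template alone is not enough`. The attribute set that encloses the new `sops` block starts outside the hunk, so this is based only on the lines shown.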