+dev/update(julm-nix): pin latest

[sourcephile-nix.git] / hosts / losurdo / acme / autogeree.net.nix

{
  pkgs,
  lib,
  config,
  inputs,
  hosts,
  hostName,
  info,
  ...
}:
let
  domain = "autogeree.net";
  domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
  inherit (config.users) groups;
in
{
  networking.nftables.ruleset = ''
    table inet filter {
      # ACME DNS-01 challenge and Gandi DNS
      set output-net-lego-ipv4 {
        type ipv4_addr
        elements = {
          ${hosts.mermet._module.args.ipv4},
          ${lib.concatMapStringsSep ", " ({ ipv4, ... }: ipv4) (
            lib.filter (args: args ? "ipv4") info.lebureau.dns.secondary.ns
          )}
        }
      }
      set output-net-lego-ipv6 {
        type ipv6_addr
        elements = {
          ${lib.concatMapStringsSep ", " ({ ipv6, ... }: ipv6) (
            lib.filter (args: args ? "ipv6") info.lebureau.dns.secondary.ns
          )}
        }
      }
    }
  '';
  security.acme.certs."${domain}" = {
    email = "root+letsencrypt@${domain}";
    extraDomainNames = [
      "*.${domain}"
    ];
    group = groups.acme.name;
    keyType = "rsa4096";
    dnsProvider = "rfc2136";
    # ns6.gandi.net takes roughly 5min to update
    # hence lego's RFC2136_PROPAGATION_TIMEOUT=1000
    #dnsPropagationCheck = false;
    credentialsFile = pkgs.writeText "acme-credentials-${domain}" ''
      RFC2136_NAMESERVER=ns.${domain}:53
      RFC2136_TSIG_ALGORITHM=hmac-sha256.
      RFC2136_TSIG_KEY=acme_${domainID}
      RFC2136_PROPAGATION_TIMEOUT=1000
      RFC2136_POLLING_INTERVAL=30
      RFC2136_SEQUENCE_INTERVAL=30
      RFC2136_DNS_TIMEOUT=1000
      RFC2136_TTL=1
    '';
  };
  systemd.services."acme-${domain}" = {
    serviceConfig.LoadCredentialEncrypted = [
      "${domain}.tsig:${./. + "/${domain}.tsig.cred"}"
    ];
    environment.RFC2136_TSIG_SECRET_FILE = "%d/${domain}.tsig";
    after = [ "unbound.service" ];
  };
}