hosts/mermet/acme/sourcephile.fr.nix

   1 { pkgs, config, info, lib, ... }:
   2 let
   3   domain = "sourcephile.fr";
   4   inherit (config.users) groups;
   5 in
   6 {
   7   networking.nftables.ruleset = ''
   8     table inet filter {
   9       set output-net-lego-ipv4 {
  10         type ipv4_addr
  11         elements = {
  12           ${lib.concatStringsSep ", " info.lebureau.dns.secondary.ns.ipv4}
  13         }
  14       }
  15       set output-net-lego-ipv6 {
  16         type ipv6_addr
  17         elements = {
  18           ${lib.concatStringsSep ", " info.lebureau.dns.secondary.ns.ipv6}
  19         }
  20       }
  21     }
  22   '';
  23   systemd.services."acme-${domain}".after = [
  24     "unbound.service"
  25   ];
  26   security.acme.certs.${domain} = {
  27     email = "root@${domain}";
  28     extraDomainNames = [
  29       "*.${domain}"
  30     ];
  31     group = groups."acme".name;
  32     keyType = "rsa4096";
  33     dnsProvider = "rfc2136";
  34     #dnsPropagationCheck = false;
  35     credentialsFile = pkgs.writeText "credentials" ''
  36       RFC2136_NAMESERVER=127.0.0.1:5353
  37       RFC2136_PROPAGATION_TIMEOUT=1000
  38       RFC2136_POLLING_INTERVAL=30
  39       RFC2136_SEQUENCE_INTERVAL=30
  40       RFC2136_DNS_TIMEOUT=1000
  41       RFC2136_TTL=1
  42     '';
  43   };
  44 }