]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/acme/sourcephile.fr.nix
nix: update julm-nix
[sourcephile-nix.git] / hosts / mermet / acme / sourcephile.fr.nix
1 { pkgs, config, ... }:
2 let
3 domain = "sourcephile.fr";
4 inherit (config.users) groups;
5 in
6 {
7 networking.nftables.ruleset = ''
8 table inet filter {
9 set output-net-lego-ipv4 {
10 type ipv4_addr
11 elements = { 217.70.177.40 }
12 }
13 set output-net-lego-ipv6 {
14 type ipv6_addr
15 elements = { 2001:4b98:d:1::40 }
16 }
17 }
18 '';
19 systemd.services."acme-${domain}".after = [
20 "unbound.service"
21 ];
22 security.acme.certs.${domain} = {
23 email = "root@${domain}";
24 extraDomainNames = [
25 "*.${domain}"
26 ];
27 group = groups."acme".name;
28 keyType = "rsa4096";
29 dnsProvider = "rfc2136";
30 #dnsPropagationCheck = false;
31 credentialsFile = pkgs.writeText "credentials" ''
32 RFC2136_NAMESERVER=127.0.0.1:5353
33 RFC2136_PROPAGATION_TIMEOUT=1000
34 RFC2136_POLLING_INTERVAL=30
35 RFC2136_SEQUENCE_INTERVAL=30
36 RFC2136_DNS_TIMEOUT=1000
37 RFC2136_TTL=1
38 '';
39 };
40 }