losurdo: acme: fix nftables and RFC2136_TSIG_SECRET_FILE
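# ACME (Let's Encrypt) client configuration for the losurdo host.
#
# Certificates are obtained with lego; the per-domain settings (DNS provider,
# credentials, set members for the firewall rules below) live in the modules
# listed under `imports`.
{ pkgs, config, ... }:
let
  # Only `users` is referenced by live code below. `groups` used to be
  # inherited too but was only read by the commented-out block at the bottom,
  # which now names `config.users.groups` explicitly.
  inherit (config.users) users;
in
{
  imports = [
    acme/autogeree.net.nix
    acme/sourcephile.fr.nix
  ];

  # Egress allowlist for the ACME user, keyed on the socket owner (skuid):
  # DNS (UDP/TCP port 53) only, and only to addresses placed in the two sets.
  # The sets are declared empty here; they are presumably populated by the
  # imported per-domain modules. While a set is empty, its rule matches
  # nothing, so no extra egress is granted by this fragment alone.
  # NOTE(review): `chain output-net` carries no type/hook/policy here, so this
  # fragment only appends rules to a chain declared elsewhere in the host's
  # ruleset — confirm that declaration exists and that its policy drops
  # unmatched traffic. The HTTPS egress lego needs towards the ACME CA is not
  # granted here either; presumably handled in that same ruleset.
  networking.nftables.ruleset = ''
    table inet filter {
      set output-net-lego-ipv4 { type ipv4_addr; }
      set output-net-lego-ipv6 { type ipv6_addr; }
      chain output-net {
        skuid ${users.acme.name} \
        meta l4proto { udp, tcp } th dport domain \
        ip daddr @output-net-lego-ipv4 \
        counter accept \
        comment "lego: DNS"
        skuid ${users.acme.name} \
        meta l4proto { udp, tcp } th dport domain \
        ip6 daddr @output-net-lego-ipv6 \
        counter accept \
        comment "lego: DNS"
      }
    }
  '';

  security.acme = {
    # Required by the NixOS module before any certificate is requested.
    acceptTerms = true;
  };

  # Expose the lego CLI for manual inspection/renewal debugging.
  environment.systemPackages = [
    pkgs.lego
  ];

  /*
  Kept for reference: a static UID so the credential file can be installed
  with acme:root ownership before the system switch. Not enabled.

  users.users.acme = {
    home = "/var/lib/acme";
    group = config.users.groups."acme".name;
    # Set a static UID to install the credentialFile
    # with acme:root perms before the system switch
    uid = 14;
    isSystemUser = true;
  };
  assertions = [
    { assertion = ! elem users.acme.uid (attrValues config.ids.uids);
      message = ''
        Unix user ID ${toString users.acme.uid} is already taken in config.ids.uids: change for a free UID.
      '';
    }
  ];
  */

  # Declare the acme group this module's rules and commented-out user refer to.
  users.groups = {
    acme = { };
  };

}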