1 { pkgs, lib, config, machines, ... }:
3 domain = "sourcephile.fr";
4 domainID = lib.replaceStrings ["."] ["_"] domain;
5 inherit (config.security) gnupg;
6 inherit (config.users) users groups;
9 networking.nftables.ruleset = ''
10 # for lego to update ACME DNS-01 challenge
11 add rule inet filter fw2net tcp dport 53 ip daddr ${machines.mermet.extraArgs.ipv4} counter accept comment "ACME DNS-01"
12 add rule inet filter fw2net udp dport 53 ip daddr ${machines.mermet.extraArgs.ipv4} counter accept comment "ACME DNS-01"
13 # for lego to check DNS propagation on ns6.gandi.net
14 add rule inet filter fw2net ip daddr 217.70.177.40 tcp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
15 add rule inet filter fw2net ip daddr 217.70.177.40 udp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
16 add rule inet filter fw2net ip6 daddr 2001:4b98:d:1::40 tcp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
17 add rule inet filter fw2net ip6 daddr 2001:4b98:d:1::40 udp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
19 security.acme.certs."${domain}" = {
20 email = "root+letsencrypt@${domain}";
24 group = groups.acme.name;
26 dnsProvider = "rfc2136";
27 # ns6.gandi.net takes roughly 5min to update
28 # hence lego's RFC2136_PROPAGATION_TIMEOUT=1000
29 #dnsPropagationCheck = false;
30 credentialsFile = gnupg.secrets."lego/${domain}/rfc2136".path;
32 security.gnupg.secrets."lego/${domain}/rfc2136" = {
34 cat - ${pkgs.writeText "env" ''
35 RFC2136_NAMESERVER=ns.${domain}:53
36 RFC2136_TSIG_ALGORITHM=hmac-sha256.
37 RFC2136_TSIG_KEY=acme_${domainID}
38 RFC2136_PROPAGATION_TIMEOUT=1000
39 RFC2136_POLLING_INTERVAL=30
40 RFC2136_SEQUENCE_INTERVAL=30
41 RFC2136_DNS_TIMEOUT=1000
46 systemd.services."acme-${domain}" = {
49 gnupg.secrets."lego/${domain}/rfc2136".service
53 gnupg.secrets."lego/${domain}/rfc2136".service
sourcephile / git / sourcephile-nix.git / blob