]> Git — Sourcephile - sourcephile-nix.git/blob - machines/losurdo/acme/sourcephile.fr.nix
security: no longer depend upon upstream's hardening
[sourcephile-nix.git] / machines / losurdo / acme / sourcephile.fr.nix
1 { pkgs, lib, config, machines, ... }:
2 let
3 domain = "sourcephile.fr";
4 domainID = lib.replaceStrings ["."] ["_"] domain;
5 inherit (config.security) gnupg;
6 inherit (config.users) users groups;
7 in
8 {
9 networking.nftables.ruleset = ''
10 # for lego to update ACME DNS-01 challenge
11 add rule inet filter fw2net tcp dport 53 ip daddr ${machines.mermet.extraArgs.ipv4} counter accept comment "ACME DNS-01"
12 add rule inet filter fw2net udp dport 53 ip daddr ${machines.mermet.extraArgs.ipv4} counter accept comment "ACME DNS-01"
13 # for lego to check DNS propagation on ns6.gandi.net
14 add rule inet filter fw2net ip daddr 217.70.177.40 tcp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
15 add rule inet filter fw2net ip daddr 217.70.177.40 udp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
16 add rule inet filter fw2net ip6 daddr 2001:4b98:d:1::40 tcp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
17 add rule inet filter fw2net ip6 daddr 2001:4b98:d:1::40 udp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
18 '';
19 security.acme.certs."${domain}" = {
20 email = "root+letsencrypt@${domain}";
21 extraDomainNames = [
22 "*.${domain}"
23 ];
24 group = groups.acme.name;
25 keyType = "rsa4096";
26 dnsProvider = "rfc2136";
27 # ns6.gandi.net takes roughly 5min to update
28 # hence lego's RFC2136_PROPAGATION_TIMEOUT=1000
29 #dnsPropagationCheck = false;
30 credentialsFile = gnupg.secrets."lego/${domain}/rfc2136".path;
31 };
32 security.gnupg.secrets."lego/${domain}/rfc2136" = {
33 pipe = ''
34 cat - ${pkgs.writeText "env" ''
35 RFC2136_NAMESERVER=ns.${domain}:53
36 RFC2136_TSIG_ALGORITHM=hmac-sha256.
37 RFC2136_TSIG_KEY=acme_${domainID}
38 RFC2136_PROPAGATION_TIMEOUT=1000
39 RFC2136_POLLING_INTERVAL=30
40 RFC2136_SEQUENCE_INTERVAL=30
41 RFC2136_DNS_TIMEOUT=1000
42 RFC2136_TTL=1
43 ''}
44 '';
45 };
46 systemd.services."acme-${domain}" = {
47 after = [
48 "unbound.service"
49 gnupg.secrets."lego/${domain}/rfc2136".service
50 ];
51 wants = [
52 "unbound.service"
53 gnupg.secrets."lego/${domain}/rfc2136".service
54 ];
55 };
56 }