]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/acme.nix
sourcephile / git / sourcephile-nix.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
nix: update input julm-nix
[sourcephile-nix.git] / hosts / mermet / acme.nix
1 { pkgs, lib, config, ... }:
2 let
3 inherit (config.users) users;
4 in
5 {
6 imports = [
7 acme/autogeree.net.nix
8 acme/sourcephile.fr.nix
9 ];
10 networking.nftables.ruleset = ''
11 table inet filter {
12 set output-net-lego-ipv4 { type ipv4_addr; }
13 set output-net-lego-ipv6 { type ipv6_addr; }
14 chain output-net {
15 skuid ${users.acme.name} \
16 meta l4proto { udp, tcp } th dport domain \
17 ip daddr @output-net-lego-ipv4 \
18 counter accept \
19 comment "lego: DNS"
20 skuid ${users.acme.name} \
21 meta l4proto { udp, tcp } th dport domain \
22 ip6 daddr @output-net-lego-ipv6 \
23 counter accept \
24 comment "lego: DNS"
25 }
26 }
27 '';
28 security.acme = {
29 acceptTerms = true;
30 };
31 environment.systemPackages = [
32 pkgs.lego
33 ];
34 users.groups = {
35 acme = {};
36 };
37 }
NixOS configurations for Sourcephile's infrastructure