hosts/mermet/acme/autogeree.net.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   domain = "autogeree.net";
   4   inherit (config.users) groups;
   5 in
   6 {
   7 networking.nftables.ruleset = ''
   8   table inet filter {
   9     set output-net-lego-ipv4 {
  10       type ipv4_addr
  11       elements = { 217.70.177.40 }
  12     }
  13     set output-net-lego-ipv6 {
  14       type ipv6_addr
  15       elements = { 2001:4b98:d:1::40 }
  16     }
  17   }
  18 '';
  19 systemd.services."acme-${domain}".after = [
  20   "unbound.service"
  21 ];
  22 security.acme.certs.${domain} = {
  23   email = "root+letsencrypt@${domain}";
  24   extraDomainNames = [
  25     "*.${domain}"
  26   ];
  27   group = groups."acme".name;
  28   keyType = "rsa4096";
  29   dnsProvider = "rfc2136";
  30   credentialsFile = pkgs.writeText "credentials" ''
  31     RFC2136_NAMESERVER=127.0.0.1:5353
  32     RFC2136_PROPAGATION_TIMEOUT=1000
  33     RFC2136_POLLING_INTERVAL=30
  34     RFC2136_SEQUENCE_INTERVAL=30
  35     RFC2136_DNS_TIMEOUT=1000
  36     RFC2136_TTL=1
  37   '';
  38 };
  39 }