hosts/mermet/acme/sourcephile.fr.nix

   1 { pkgs, lib, config, ... }:
   2 let
   3   domain = "sourcephile.fr";
   4   inherit (config.users) groups;
   5 in
   6 {
   7 networking.nftables.ruleset = ''
   8   table inet filter {
   9     set output-net-lego-ipv4 {
  10       type ipv4_addr
  11       elements = { 217.70.177.40 }
  12     }
  13     set output-net-lego-ipv6 {
  14       type ipv6_addr
  15       elements = { 2001:4b98:d:1::40 }
  16     }
  17   }
  18 '';
  19 systemd.services."acme-${domain}".after = [
  20   "unbound.service"
  21 ];
  22 security.acme.certs.${domain} = {
  23   email = "root@${domain}";
  24   extraDomainNames = [
  25     "*.${domain}"
  26     "*.hut.${domain}"
  27     "*.code.${domain}"
  28   ];
  29   group = groups."acme".name;
  30   keyType = "rsa4096";
  31   dnsProvider = "rfc2136";
  32   credentialsFile = pkgs.writeText "credentials" ''
  33     RFC2136_NAMESERVER=127.0.0.1:5353
  34     RFC2136_PROPAGATION_TIMEOUT=1000
  35     RFC2136_POLLING_INTERVAL=30
  36     RFC2136_SEQUENCE_INTERVAL=30
  37     RFC2136_DNS_TIMEOUT=1000
  38     RFC2136_TTL=1
  39   '';
  40 };
  41 }