]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/mermet/acme/autogeree.net.nix
losurdo: docker: enable service
[sourcephile-nix.git] / hosts / mermet / acme / autogeree.net.nix
1 { pkgs, config, info, ... }:
2 let
3 domain = "autogeree.net";
4 inherit (config.users) groups;
5 in
6 {
7 networking.nftables.ruleset = ''
8 table inet filter {
9 set output-net-lego-ipv4 {
10 type ipv4_addr
11 elements = {
12 ${info.gandi.dns.secondary.ns.ipv4}
13 }
14 }
15 set output-net-lego-ipv6 {
16 type ipv6_addr
17 elements = {
18 ${info.gandi.dns.secondary.ns.ipv6}
19 }
20 }
21 }
22 '';
23 systemd.services."acme-${domain}".after = [
24 "unbound.service"
25 ];
26 security.acme.certs.${domain} = {
27 email = "root+letsencrypt@${domain}";
28 extraDomainNames = [
29 "*.${domain}"
30 ];
31 group = groups."acme".name;
32 keyType = "rsa4096";
33 dnsProvider = "rfc2136";
34 #dnsPropagationCheck = false;
35 credentialsFile = pkgs.writeText "credentials" ''
36 RFC2136_NAMESERVER=127.0.0.1:5353
37 RFC2136_PROPAGATION_TIMEOUT=1000
38 RFC2136_POLLING_INTERVAL=30
39 RFC2136_SEQUENCE_INTERVAL=30
40 RFC2136_DNS_TIMEOUT=1000
41 RFC2136_TTL=1
42 '';
43 };
44 }