{ pkgs, lib, config, ... }:
let
  domain = "sourcephile.fr";
  inherit (config.users) users groups;

  # Authoritative nameserver (ns6.gandi.net) that lego polls to confirm the
  # _acme-challenge TXT record is visible before asking the CA to validate.
  gandiNs = "217.70.177.40";

  # Unit that drives the ACME client for this certificate.
  acmeUnit = "acme-${domain}";
in
{
  # Egress exception: the ACME job runs as root and must be able to reach the
  # Gandi nameserver on 53/tcp and 53/udp for the propagation check. The rule
  # is keyed on the root UID (skuid) so nothing else gains this hole.
  networking.nftables.ruleset = ''
    # for lego to check DNS propagation on ns6.gandi.net
    add rule inet filter fw2net ip daddr ${gandiNs} tcp dport 53 skuid ${users.root.name} counter accept comment "DNS gandi"
    add rule inet filter fw2net ip daddr ${gandiNs} udp dport 53 skuid ${users.root.name} counter accept comment "DNS gandi"
  '';

  # Ordering only: start the ACME unit once unbound is up. `after` does not
  # pull unbound in (no `wants`), so this relies on unbound being enabled
  # elsewhere. NOTE(review): confirm that 127.0.0.1:5353 below is the server
  # unbound hands dynamic updates to (or that unbound itself is the updater);
  # the file does not show which daemon listens there.
  systemd.services.${acmeUnit}.after = [ "unbound.service" ];

  security.acme.certs.${domain} = {
    email = "root@${domain}";

    # Wildcard SAN; wildcard names are only issuable through the DNS-01
    # challenge, which is why a DNS provider (not HTTP) is configured below.
    extraDomains = {
      "*.${domain}" = null;
    };

    # Private key readable by the `acme` group. Every member of that group can
    # read the key, so keep its membership to the services that terminate TLS.
    group = groups."acme".name;
    allowKeysForGroup = true;

    keyType = "rsa4096";

    # RFC 2136 dynamic DNS updates for the DNS-01 challenge.
    dnsProvider = "rfc2136";

    # SECURITY: pkgs.writeText stores this file in the world-readable Nix store.
    # That is acceptable only because it holds no secret — no RFC2136_TSIG_KEY /
    # RFC2136_TSIG_SECRET is set. If a TSIG key is ever added, move this to an
    # out-of-store path with restricted permissions instead of writeText.
    # Without TSIG, updates are unauthenticated: the server on 127.0.0.1:5353
    # must itself restrict dynamic updates (loopback only / source ACL) —
    # verify that on the server side, it is not enforced here.
    credentialsFile = pkgs.writeText "credentials" ''
      RFC2136_NAMESERVER=127.0.0.1:5353
      RFC2136_PROPAGATION_TIMEOUT=1000
      RFC2136_POLLING_INTERVAL=30
      RFC2136_SEQUENCE_INTERVAL=30
      RFC2136_DNS_TIMEOUT=1000
      RFC2136_TTL=1
    '';
  };
}