{ pkgs, config, info, ... }: let domain = "sourcephile.fr"; inherit (config.users) groups; in { networking.nftables.ruleset = '' table inet filter { set output-net-lego-ipv4 { type ipv4_addr elements = { ${info.gandi.dns.secondary.ns.ipv4} } } set output-net-lego-ipv6 { type ipv6_addr elements = { ${info.gandi.dns.secondary.ns.ipv6} } } } ''; systemd.services."acme-${domain}".after = [ "unbound.service" ]; security.acme.certs.${domain} = { email = "root@${domain}"; extraDomainNames = [ "*.${domain}" ]; group = groups."acme".name; keyType = "rsa4096"; dnsProvider = "rfc2136"; #dnsPropagationCheck = false; credentialsFile = pkgs.writeText "credentials" '' RFC2136_NAMESERVER=127.0.0.1:5353 RFC2136_PROPAGATION_TIMEOUT=1000 RFC2136_POLLING_INTERVAL=30 RFC2136_SEQUENCE_INTERVAL=30 RFC2136_DNS_TIMEOUT=1000 RFC2136_TTL=1 ''; }; }