{ pkgs, lib, config, ... }: let domain = "sourcephile.fr"; inherit (config.users) users groups; in { networking.nftables.ruleset = '' # for lego to check DNS propagation on ns6.gandi.net add rule inet filter fw2net ip daddr 217.70.177.40 tcp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi" add rule inet filter fw2net ip daddr 217.70.177.40 udp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi" add rule inet filter fw2net ip6 daddr 2001:4b98:d:1::40 tcp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi" add rule inet filter fw2net ip6 daddr 2001:4b98:d:1::40 udp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi" ''; systemd.services."acme-${domain}".after = [ "unbound.service" ]; security.acme.certs."${domain}" = { email = "root@${domain}"; extraDomainNames = [ "*.${domain}" "*.hut.${domain}" ]; group = groups."acme".name; keyType = "rsa4096"; dnsProvider = "rfc2136"; credentialsFile = pkgs.writeText "credentials" '' RFC2136_NAMESERVER=127.0.0.1:5353 RFC2136_PROPAGATION_TIMEOUT=1000 RFC2136_POLLING_INTERVAL=30 RFC2136_SEQUENCE_INTERVAL=30 RFC2136_DNS_TIMEOUT=1000 RFC2136_TTL=1 ''; }; }