-{ pkgs, lib, config, hosts, ... }:
+{ pkgs, lib, config, inputs, hosts, hostName, ... }:
let
domain = "autogeree.net";
- domainID = lib.replaceStrings ["."] ["_"] domain;
- inherit (config.security) gnupg;
- inherit (config.users) users groups;
+ domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
+ inherit (config.users) groups;
in
{
-networking.nftables.ruleset = ''
- table inet filter {
- # ACME DNS-01 challenge and Gandi DNS
- set output-net-lego-ipv4 {
- type ipv4_addr
- elements = {
- ${hosts.mermet._module.args.ipv4},
- 217.70.177.40
+ networking.nftables.ruleset = ''
+ table inet filter {
+ # ACME DNS-01 challenge and Gandi DNS
+ set output-net-lego-ipv4 {
+ type ipv4_addr
+ elements = {
+ ${hosts.mermet._module.args.ipv4},
+ 217.70.177.40
+ }
}
- }
- set output-net-lego-ipv6 {
- type ipv6_addr
- elements = {
- 2001:4b98:d:1::40
+ set output-net-lego-ipv6 {
+ type ipv6_addr
+ elements = {
+ 2001:4b98:d:1::40
+ }
}
}
- }
-'';
-security.acme.certs."${domain}" = {
- email = "root+letsencrypt@${domain}";
- extraDomainNames = [
- "*.${domain}"
- ];
- group = groups.acme.name;
- keyType = "rsa4096";
- dnsProvider = "rfc2136";
- # ns6.gandi.net takes roughly 5min to update
- # hence lego's RFC2136_PROPAGATION_TIMEOUT=1000
- #dnsPropagationCheck = false;
- credentialsFile = gnupg.secrets."lego/${domain}/rfc2136".path;
-};
-security.gnupg.secrets."lego/${domain}/rfc2136" = {
- pipe = ''
- cat - ${pkgs.writeText "env" ''
- RFC2136_NAMESERVER=ns.${domain}:53
- RFC2136_TSIG_ALGORITHM=hmac-sha256.
- RFC2136_TSIG_KEY=acme_${domainID}
- RFC2136_PROPAGATION_TIMEOUT=1000
- RFC2136_POLLING_INTERVAL=30
- RFC2136_SEQUENCE_INTERVAL=30
- RFC2136_DNS_TIMEOUT=1000
- RFC2136_TTL=1
- ''}
'';
-};
-systemd.services."acme-${domain}" = {
- after = [
- "unbound.service"
- gnupg.secrets."lego/${domain}/rfc2136".service
- ];
- wants = [
- "unbound.service"
- gnupg.secrets."lego/${domain}/rfc2136".service
- ];
-};
+ security.acme.certs."${domain}" = {
+ email = "root+letsencrypt@${domain}";
+ extraDomainNames = [
+ "*.${domain}"
+ ];
+ group = groups.acme.name;
+ keyType = "rsa4096";
+ dnsProvider = "rfc2136";
+ # ns6.gandi.net takes roughly 5min to update
+ # hence lego's RFC2136_PROPAGATION_TIMEOUT=1000
+ #dnsPropagationCheck = false;
+ credentialsFile = pkgs.writeText "acme-credentials-${domain}" ''
+ RFC2136_NAMESERVER=ns.${domain}:53
+ RFC2136_TSIG_ALGORITHM=hmac-sha256.
+ RFC2136_TSIG_KEY=acme_${domainID}
+ RFC2136_PROPAGATION_TIMEOUT=1000
+ RFC2136_POLLING_INTERVAL=30
+ RFC2136_SEQUENCE_INTERVAL=30
+ RFC2136_DNS_TIMEOUT=1000
+ RFC2136_TTL=1
+ '';
+ };
+ systemd.services."acme-${domain}" = {
+ serviceConfig.LoadCredentialEncrypted = [
+ "${domain}.tsig:${./. + "/${domain}.tsig.cred"}"
+ ];
+ environment.RFC2136_TSIG_SECRET_FILE = "%d/${domain}.tsig";
+ after = [ "unbound.service" ];
+ };
}
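Review bot: The credential name `${domain}.tsig` in `serviceConfig.LoadCredentialEncrypted` has to match the name the `.cred` blob was encrypted under, since `systemd-creds encrypt --name=` embeds it and systemd refuses a mismatched name at service start; if `autogeree.net.tsig.cred` was produced under another name (or the blob is moved to a host with a different credential key / TPM2 binding), `acme-autogeree.net` fails with nothing in this file explaining why. Pin that invariant in a comment on the `LoadCredentialEncrypted` line, e.g. `# encrypted with: systemd-creds encrypt --name=${domain}.tsig -- <secret> ; bound to this host's credential key, re-encrypt when moving hosts`. `credentialsFile` is now a `pkgs.writeText` path, so it lands world-readable in /nix/store — acceptable only because the TSIG secret has moved out of it into the credential; a comment such as `# no secrets in here: this file is copied into the world-readable Nix store` would stop a later edit from adding one. The old unit declared `wants = [ "unbound.service" ]` next to `after`; the new one keeps only `after`, which orders but does not pull unbound in, so unless unbound is enabled independently on this host the resolver may be absent when the ACME timer fires — restoring `wants = [ "unbound.service" ];` is cheap. The new `inputs` and `hostName` module arguments are not used anywhere in this file and can be dropped from the signature.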