losurdo: syncoid: add comments
index 57c4cf66f5055c95aa19f46a6da95ea98d48fad8..6534c053307f1b770ba23ca00c2103a2e6cdca9c 100644 (file)
@@ -1,41 +1,44 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, config, info, ... }:
 let
   domain = "sourcephile.fr";
   inherit (config.users) groups;
 in
 {
-networking.nftables.ruleset = ''
-  table inet filter {
-    set output-net-lego-ipv4 {
-      type ipv4_addr
-      elements = { 217.70.177.40 }
+  networking.nftables.ruleset = ''
+    table inet filter {
+      set output-net-lego-ipv4 {
+        type ipv4_addr
+        elements = {
+          ${info.gandi.dns.secondary.ns.ipv4}
+        }
+      }
+      set output-net-lego-ipv6 {
+        type ipv6_addr
+        elements = {
+          ${info.gandi.dns.secondary.ns.ipv6}
+        }
+      }
     }
-    set output-net-lego-ipv6 {
-      type ipv6_addr
-      elements = { 2001:4b98:d:1::40 }
-    }
-  }
-'';
-systemd.services."acme-${domain}".after = [
-  "unbound.service"
-];
-security.acme.certs.${domain} = {
-  email = "root@${domain}";
-  extraDomainNames = [
-    "*.${domain}"
-    "*.hut.${domain}"
-    "*.code.${domain}"
-  ];
-  group = groups."acme".name;
-  keyType = "rsa4096";
-  dnsProvider = "rfc2136";
-  credentialsFile = pkgs.writeText "credentials" ''
-    RFC2136_NAMESERVER=127.0.0.1:5353
-    RFC2136_PROPAGATION_TIMEOUT=1000
-    RFC2136_POLLING_INTERVAL=30
-    RFC2136_SEQUENCE_INTERVAL=30
-    RFC2136_DNS_TIMEOUT=1000
-    RFC2136_TTL=1
   '';
-};
+  systemd.services."acme-${domain}".after = [
+    "unbound.service"
+  ];
+  security.acme.certs.${domain} = {
+    email = "root@${domain}";
+    extraDomainNames = [
+      "*.${domain}"
+    ];
+    group = groups."acme".name;
+    keyType = "rsa4096";
+    dnsProvider = "rfc2136";
+    #dnsPropagationCheck = false;
+    credentialsFile = pkgs.writeText "credentials" ''
+      RFC2136_NAMESERVER=127.0.0.1:5353
+      RFC2136_PROPAGATION_TIMEOUT=1000
+      RFC2136_POLLING_INTERVAL=30
+      RFC2136_SEQUENCE_INTERVAL=30
+      RFC2136_DNS_TIMEOUT=1000
+      RFC2136_TTL=1
+    '';
+  };
 }
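Review bot: The rewritten `extraDomainNames` list under `security.acme.certs.${domain}` drops the `*.hut.${domain}` and `*.code.${domain}` wildcards the old side carried, so the next renewal yields a certificate that no longer covers those names; if any vhost still serves them this is a silent breakage, and the commit message ("add comments") does not mention the removal, so either restore the two entries or leave a comment such as `# hut/code wildcards intentionally dropped — served by <other-cert-placeholder>`. The commented-out `#dnsPropagationCheck = false;` is left without a reason; delete it or annotate it, e.g. `# Kept for debugging: disable the propagation check when the local 127.0.0.1:5353 zone is not reachable from the public NS.` Note also that `pkgs.writeText "credentials"` lands in the world-readable Nix store, which is acceptable only as long as the file holds no secret (today it is just nameserver and timing settings); if a TSIG secret is ever added for the rfc2136 provider it must be provisioned at runtime outside the store rather than appended here.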