add rule inet filter fw2net ip daddr ${machines.mermet.extraArgs.ipv4} tcp dport 53 counter accept comment "ACME DNS-01"
add rule inet filter fw2net ip daddr ${machines.mermet.extraArgs.ipv4} udp dport 53 counter accept comment "ACME DNS-01"
# for lego to check DNS propagation on ns6.gandi.net
- add rule inet filter fw2net ip daddr 217.70.177.40 tcp dport 53 skuid ${users.root.name} counter accept comment "DNS gandi"
- add rule inet filter fw2net ip daddr 217.70.177.40 udp dport 53 skuid ${users.root.name} counter accept comment "DNS gandi"
+ add rule inet filter fw2net ip daddr 217.70.177.40 tcp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
+ add rule inet filter fw2net ip daddr 217.70.177.40 udp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
+ add rule inet filter fw2net ip6 daddr 2001:4b98:d:1::40 tcp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
+ add rule inet filter fw2net ip6 daddr 2001:4b98:d:1::40 udp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
# for lego to check DNS propagation on ns0.muarf.org
- add rule inet filter fw2net ip daddr 78.192.65.63 tcp dport 53 skuid ${users.root.name} counter accept comment "DNS muarf"
- add rule inet filter fw2net ip daddr 78.192.65.63 udp dport 53 skuid ${users.root.name} counter accept comment "DNS muarf"
+ add rule inet filter fw2net ip daddr 78.192.65.63 tcp dport 53 skuid ${users.acme.name} counter accept comment "DNS muarf"
+ add rule inet filter fw2net ip daddr 78.192.65.63 udp dport 53 skuid ${users.acme.name} counter accept comment "DNS muarf"
'';
security.acme.certs."${domain}" = {
email = "root+letsencrypt@${domain}";
- extraDomains = {
- "*.${domain}" = null;
- };
- user = users.root.name;
+ extraDomainNames = [
+ "*.${domain}"
+ ];
group = groups.acme.name;
- allowKeysForGroup = true;
keyType = "rsa4096";
dnsProvider = "rfc2136";
# ns6.gandi.net takes roughly 5min to update