# WARNING: this does not take other .nix into account, though they may contribute to the zone's data.
serial = domain: toString (git ./. [ "log" "-1" "--format=%ct" "--" (domain + ".nix") ]);
mermetIPv4 = "80.67.180.129";
+ losurdoIPv4 = "80.67.180.251";
domain = "sourcephile.fr";
in
{
-environment.systemPackages = [
- pkgs.lego
+systemd.services."acme-${domain}".after = [
+ "unbound.service"
];
-users = {
- groups = {
- acme = {
- members = [ users.users.nginx.name ];
- };
- };
-};
security.acme.certs."${domain}" = {
email = "root@${domain}";
extraDomains = {
};
services.knot.zones."${domain}" = {
conf = ''
+ acl:
+ - id: acl_acme_challenge_sourcephile_fr
+ address: 127.0.0.1
+ action: update
+ update-owner: name
+ update-owner-match: equal
+ update-owner-name: [_acme-challenge.${domain}]
+ update-type: [TXT]
+
zone:
- domain: ${domain}
file: ${domain}.zone
semantic-checks: on
notify: secondary_gandi
acl: acl_gandi
- acl: acl_lego
- acl: acl_localhost
+ acl: acl_acme_challenge_sourcephile_fr
dnssec-signing: on
dnssec-policy: rsa
'';
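Review bot: The new ACL `acl_acme_challenge_sourcephile_fr` (lines 26–33) grants dynamic updates on source address alone — `address: 127.0.0.1` with no `key:` entry — so any local process able to reach Knot on loopback can rewrite the `_acme-challenge.${domain}` TXT record, not only the ACME client. `update-owner-match: equal` and `update-type: [TXT]` already confine the permission to that one name and record type, which is good; binding the ACL to a TSIG key as well (a `key:` section in `conf`, `key: <keyname>` in the ACL, and the same key handed to the ACME client) would tie the permission to the service rather than to the host. The ACL also matches the IPv4 loopback only, so if the ACME client sends its update over `::1` Knot will refuse it — worth confirming which address it uses. Note too that `systemd.services."acme-${domain}".after` only orders the unit after `unbound.service`; if the challenge check needs a running resolver, a matching `wants` may be needed (inferred, not visible here). The enclosing `let … in` block begins above this hunk.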
@ NS ns6.gandi.net.
; A (DNS -> IPv4)
- @ A ${mermetIPv4}
+ @ A ${mermetIPv4}
mermet A ${mermetIPv4}
+ losurdo A ${losurdoIPv4}
autoconfig A ${mermetIPv4}
+ doc A ${mermetIPv4}
code A ${mermetIPv4}
git A ${mermetIPv4}
imap A ${mermetIPv4}
; SRV (SeRVice)
_git._tcp.git 18000 IN SRV 0 0 9418 git
+
+ ; CAA (Certificate Authority Authorization)
+ ; DOC: https://blog.qualys.com/ssllabs/2017/03/13/caa-mandated-by-cabrowser-forum
+ @ CAA 128 issue "letsencrypt.org"
'';
};
+/* Useless since the zone is public
+services.unbound.extraConfig = ''
+ stub-zone:
+ name: "sourcephile.fr"
+ stub-addr: 127.0.0.1@5353
+'';
+*/
}
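Review bot: The new CAA record at line 63 restricts who may issue but gives CAs no reporting channel; adding `@ CAA 0 iodef "mailto:root@${domain}"` beside it would let a CA report issuance requests that violate the policy to the address the file already uses for ACME. Flag `128` marks the `issue` property as issuer-critical, which for the standard `issue` tag is effectively the same as `0`, so either value works. With no `issuewild` property present the `issue` property also governs wildcard certificates for this zone, which is worth keeping in mind if wildcards are requested later. The commented-out `services.unbound.extraConfig` block at lines 66–72 is dead configuration; since git keeps the history, deleting it and keeping only the one-line rationale as a comment reads cleaner than a `/* … */` block.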