public-inbox: use custom module

[sourcephile-nix.git] / hosts / mermet / acme / autogeree.net.nix

diff --git a/hosts/mermet/acme/autogeree.net.nix b/hosts/mermet/acme/autogeree.net.nix
index 49f4e73c005bdbaf1d898a7f3f82458e362bed57..3b765bbbfea9b5778f86a496f568c2c90e05b5da 100644 (file)
--- a/hosts/mermet/acme/autogeree.net.nix
+++ b/hosts/mermet/acme/autogeree.net.nix
@@ -1,37 +1,44 @@
-{ pkgs, lib, config, ... }:
+{ pkgs, config, info, ... }:
 let
   domain = "autogeree.net";
-  inherit (config.users) users groups;
+  inherit (config.users) groups;
 in
 {
-networking.nftables.ruleset = ''
-  # for lego to check DNS propagation on ns6.gandi.net
-  add rule inet filter fw2net ip daddr 217.70.177.40 tcp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
-  add rule inet filter fw2net ip daddr 217.70.177.40 udp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
-  add rule inet filter fw2net ip6 daddr 2001:4b98:d:1::40 tcp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
-  add rule inet filter fw2net ip6 daddr 2001:4b98:d:1::40 udp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
-  # for lego to check DNS propagation on ns0.muarf.org
-  add rule inet filter fw2net ip daddr 78.192.65.63 tcp dport 53 skuid ${users.acme.name} counter accept comment "DNS muarf"
-  add rule inet filter fw2net ip daddr 78.192.65.63 udp dport 53 skuid ${users.acme.name} counter accept comment "DNS muarf"
-'';
-systemd.services."acme-${domain}".after = [
-  "unbound.service"
-];
-security.acme.certs."${domain}" = {
-  email = "root+letsencrypt@${domain}";
-  extraDomainNames = [
-    "*.${domain}"
-  ];
-  group = groups."acme".name;
-  keyType = "rsa4096";
-  dnsProvider = "rfc2136";
-  credentialsFile = pkgs.writeText "credentials" ''
-    RFC2136_NAMESERVER=127.0.0.1:5353
-    RFC2136_PROPAGATION_TIMEOUT=1000
-    RFC2136_POLLING_INTERVAL=30
-    RFC2136_SEQUENCE_INTERVAL=30
-    RFC2136_DNS_TIMEOUT=1000
-    RFC2136_TTL=1
+  networking.nftables.ruleset = ''
+    table inet filter {
+      set output-net-lego-ipv4 {
+        type ipv4_addr
+        elements = {
+          ${info.gandi.dns.secondary.ns.ipv4}
+        }
+      }
+      set output-net-lego-ipv6 {
+        type ipv6_addr
+        elements = {
+          ${info.gandi.dns.secondary.ns.ipv6}
+        }
+      }
+    }
   '';
-};
+  systemd.services."acme-${domain}".after = [
+    "unbound.service"
+  ];
+  security.acme.certs.${domain} = {
+    email = "root+letsencrypt@${domain}";
+    extraDomainNames = [
+      "*.${domain}"
+    ];
+    group = groups."acme".name;
+    keyType = "rsa4096";
+    dnsProvider = "rfc2136";
+    #dnsPropagationCheck = false;
+    credentialsFile = pkgs.writeText "credentials" ''
+      RFC2136_NAMESERVER=127.0.0.1:5353
+      RFC2136_PROPAGATION_TIMEOUT=1000
+      RFC2136_POLLING_INTERVAL=30
+      RFC2136_SEQUENCE_INTERVAL=30
+      RFC2136_DNS_TIMEOUT=1000
+      RFC2136_TTL=1
+    '';
+  };
 }