-{ pkgs, lib, config, ... }:
+{ pkgs, config, ... }:
+let
+ inherit (config.users) users;
+in
{
-imports = [
- acme/autogeree.net.nix
- acme/sourcephile.fr.nix
-];
-security.acme = {
- acceptTerms = true;
-};
-environment.systemPackages = [
- pkgs.lego
-];
-users.groups = {
- acme = {};
-};
+ imports = [
+ acme/autogeree.net.nix
+ acme/sourcephile.fr.nix
+ ];
+ networking.nftables.ruleset = ''
+ table inet filter {
+ set output-net-lego-ipv4 { type ipv4_addr; }
+ set output-net-lego-ipv6 { type ipv6_addr; }
+ chain output-net {
+ skuid ${users.acme.name} \
+ meta l4proto { udp, tcp } th dport domain \
+ ip daddr @output-net-lego-ipv4 \
+ counter accept \
+ comment "lego: DNS"
+ skuid ${users.acme.name} \
+ meta l4proto { udp, tcp } th dport domain \
+ ip6 daddr @output-net-lego-ipv6 \
+ counter accept \
+ comment "lego: DNS"
+ }
+ }
+ '';
+ security.acme = {
+ acceptTerms = true;
+ };
+ environment.systemPackages = [
+ pkgs.lego
+ ];
+ users.groups = {
+ acme = { };
+ };
}
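Review bot: The two sets `output-net-lego-ipv4` and `output-net-lego-ipv6` are declared with no elements, so as written the two accept rules in `output-net` can never match and lego's port-53 traffic falls through to whatever the calling chain does; the ruleset only works if the imported `acme/*.nix` files populate those sets, and nothing here says so. I would state that contract next to the set declarations, e.g. `# elements are added by acme/*.nix (the resolvers lego is allowed to query); add "flags interval;" if any of them is given as a prefix`, since a CIDR element in an interval-less `ipv4_addr` set makes the whole ruleset fail to load. Note also that `output-net` is a regular chain with no hook or policy, so the egress restriction is only as strong as the base chain that jumps to it, which is outside this file. The rules cover plain DNS only; whatever HTTPS or DNS-provider API traffic lego needs is presumably allowed elsewhere and worth a cross-reference comment here.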