-{ pkgs, lib, config, hosts, ... }:
+{ pkgs, lib, config, inputs, hosts, hostName, info, ... }:
let
domain = "sourcephile.fr";
- domainID = lib.replaceStrings ["."] ["_"] domain;
- inherit (config.security) gnupg;
- inherit (config.users) users groups;
+ domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
+ inherit (config.users) groups;
in
{
-networking.nftables.ruleset = ''
- # for lego to update ACME DNS-01 challenge
- add rule inet filter fw2net tcp dport 53 ip daddr ${hosts.mermet.extraArgs.ipv4} counter accept comment "ACME DNS-01"
- add rule inet filter fw2net udp dport 53 ip daddr ${hosts.mermet.extraArgs.ipv4} counter accept comment "ACME DNS-01"
- # for lego to check DNS propagation on ns6.gandi.net
- add rule inet filter fw2net ip daddr 217.70.177.40 tcp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
- add rule inet filter fw2net ip daddr 217.70.177.40 udp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
- add rule inet filter fw2net ip6 daddr 2001:4b98:d:1::40 tcp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
- add rule inet filter fw2net ip6 daddr 2001:4b98:d:1::40 udp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
-'';
-security.acme.certs."${domain}" = {
- email = "root+letsencrypt@${domain}";
- extraDomainNames = [
- "*.${domain}"
- ];
- group = groups.acme.name;
- keyType = "rsa4096";
- dnsProvider = "rfc2136";
- # ns6.gandi.net takes roughly 5min to update
- # hence lego's RFC2136_PROPAGATION_TIMEOUT=1000
- #dnsPropagationCheck = false;
- credentialsFile = gnupg.secrets."lego/${domain}/rfc2136".path;
-};
-security.gnupg.secrets."lego/${domain}/rfc2136" = {
- pipe = ''
- cat - ${pkgs.writeText "env" ''
- RFC2136_NAMESERVER=ns.${domain}:53
- RFC2136_TSIG_ALGORITHM=hmac-sha256.
- RFC2136_TSIG_KEY=acme_${domainID}
- RFC2136_PROPAGATION_TIMEOUT=1000
- RFC2136_POLLING_INTERVAL=30
- RFC2136_SEQUENCE_INTERVAL=30
- RFC2136_DNS_TIMEOUT=1000
- RFC2136_TTL=1
- ''}
+ networking.nftables.ruleset = ''
+ table inet filter {
+ # ACME DNS-01 challenge and Gandi DNS
+ set output-net-lego-ipv4 {
+ type ipv4_addr
+ elements = {
+ ${hosts.mermet._module.args.ipv4},
+ ${info.gandi.dns.secondary.ns.ipv4}
+ }
+ }
+ set output-net-lego-ipv6 {
+ type ipv6_addr
+ elements = {
+ ${info.gandi.dns.secondary.ns.ipv6}
+ }
+ }
+ }
'';
-};
-systemd.services."acme-${domain}" = {
- after = [
- "unbound.service"
- gnupg.secrets."lego/${domain}/rfc2136".service
- ];
- wants = [
- "unbound.service"
- gnupg.secrets."lego/${domain}/rfc2136".service
- ];
-};
+ security.acme.certs."${domain}" = {
+ email = "root+letsencrypt@${domain}";
+ extraDomainNames = [
+ "*.${domain}"
+ ];
+ group = groups.acme.name;
+ keyType = "rsa4096";
+ dnsProvider = "rfc2136";
+ # ns6.gandi.net takes roughly 5min to update
+ # hence lego's RFC2136_PROPAGATION_TIMEOUT=1000
+ #dnsPropagationCheck = false;
+ credentialsFile = pkgs.writeText "acme-credentials-${domain}" ''
+ RFC2136_NAMESERVER=ns.${domain}:53
+ RFC2136_TSIG_ALGORITHM=hmac-sha256.
+ RFC2136_TSIG_KEY=acme_${domainID}
+ RFC2136_PROPAGATION_TIMEOUT=1000
+ RFC2136_POLLING_INTERVAL=30
+ RFC2136_SEQUENCE_INTERVAL=30
+ RFC2136_DNS_TIMEOUT=1000
+ RFC2136_TTL=1
+ '';
+ };
+ systemd.services."acme-${domain}" = {
+ serviceConfig.LoadCredentialEncrypted = [
+ "${domain}.tsig:${./. + "/${domain}.tsig.cred"}"
+ ];
+ environment.RFC2136_TSIG_SECRET_FILE = "%d/${domain}.tsig";
+ after = [ "unbound.service" ];
+ };
}
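Review bot: The new ruleset only declares the `output-net-lego-ipv4` and `output-net-lego-ipv6` sets; nothing in this hunk references them, whereas the removed `fw2net` rules explicitly accepted tcp/udp port 53 to the mermet and Gandi nameservers and, for the Gandi addresses, only for `skuid ${users.acme.name}`. Unless a chain elsewhere in the ruleset carries a rule such as `ip daddr @output-net-lego-ipv4 tcp dport 53 skuid ${config.users.users.acme.name} counter accept` (plus the udp and ipv6 counterparts), lego's DNS-01 updates and propagation checks will be dropped, and if such a rule exists it is worth confirming it keeps the per-user restriction rather than opening port 53 to every local process. Separately, `systemd.services."acme-${domain}"` keeps `after = [ "unbound.service" ];` but drops the former `wants`, so the ordering is no longer enforced when unbound is not already scheduled; restoring `wants = [ "unbound.service" ];` preserves the old behaviour. A one-line comment above the set definitions naming the chain and rule that consume them would make that dependency visible to the next reader.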