-{ pkgs, lib, config, ... }:
+{ pkgs, config, ... }:
let
domain = "sourcephile.fr";
- inherit (config.users) users groups;
+ inherit (config.users) groups;
in
{
-networking.nftables.ruleset = ''
- # for lego to check DNS propagation on ns6.gandi.net
- add rule inet filter fw2net ip daddr 217.70.177.40 tcp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
- add rule inet filter fw2net ip daddr 217.70.177.40 udp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
- add rule inet filter fw2net ip6 daddr 2001:4b98:d:1::40 tcp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
- add rule inet filter fw2net ip6 daddr 2001:4b98:d:1::40 udp dport 53 skuid ${users.acme.name} counter accept comment "DNS gandi"
-'';
-systemd.services."acme-${domain}".after = [
- "unbound.service"
-];
-security.acme.certs."${domain}" = {
- email = "root@${domain}";
- extraDomainNames = [
- "*.${domain}"
- "*.hut.${domain}"
- "*.code.${domain}"
- ];
- group = groups."acme".name;
- keyType = "rsa4096";
- dnsProvider = "rfc2136";
- credentialsFile = pkgs.writeText "credentials" ''
- RFC2136_NAMESERVER=127.0.0.1:5353
- RFC2136_PROPAGATION_TIMEOUT=1000
- RFC2136_POLLING_INTERVAL=30
- RFC2136_SEQUENCE_INTERVAL=30
- RFC2136_DNS_TIMEOUT=1000
- RFC2136_TTL=1
+ networking.nftables.ruleset = ''
+ table inet filter {
+ set output-net-lego-ipv4 {
+ type ipv4_addr
+ elements = { 217.70.177.40 }
+ }
+ set output-net-lego-ipv6 {
+ type ipv6_addr
+ elements = { 2001:4b98:d:1::40 }
+ }
+ }
'';
-};
+ systemd.services."acme-${domain}".after = [
+ "unbound.service"
+ ];
+ security.acme.certs.${domain} = {
+ email = "root@${domain}";
+ extraDomainNames = [
+ "*.${domain}"
+ ];
+ group = groups."acme".name;
+ keyType = "rsa4096";
+ dnsProvider = "rfc2136";
+ credentialsFile = pkgs.writeText "credentials" ''
+ RFC2136_NAMESERVER=127.0.0.1:5353
+ RFC2136_PROPAGATION_TIMEOUT=1000
+ RFC2136_POLLING_INTERVAL=30
+ RFC2136_SEQUENCE_INTERVAL=30
+ RFC2136_DNS_TIMEOUT=1000
+ RFC2136_TTL=1
+ '';
+ };
}
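Review bot: The new ruleset declares the sets `output-net-lego-ipv4` / `output-net-lego-ipv6` but no rule in this hunk references them, whereas the removed lines carried the actual accept rules keyed to `skuid ${users.acme.name}` and `tcp/udp dport 53`; the gandi propagation check therefore only keeps working if a rule elsewhere consumes these sets, and it should be confirmed that such a rule exists and is still narrowed to the acme user and port 53, otherwise either lego's check breaks or the allowance becomes wider than before. The removed `# for lego to check DNS propagation on ns6.gandi.net` comment was the only explanation of the two literal addresses; I would restore it above the sets as `# ns6.gandi.net, queried by lego to check DNS propagation`. The re-indented credentials block still passes no TSIG variables, so rfc2136 updates to `127.0.0.1:5353` are unauthenticated at the lego side; that predates this commit, but a one-line comment stating that the local resolver is expected to restrict dynamic updates by source would make the assumption explicit.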