nix: update switch from julm-nix
[sourcephile-nix.git] / hosts / losurdo / acme / autogeree.net.nix
index 52acc07fc3deed7bf6e2532edfad6320c418daff..80df8bdfac5c21d0695e5fcd39f496ed7dd7066f 100644 (file)
@@ -1,4 +1,4 @@
-{ lib, config, inputs, hosts, hostName, ... }:
+{ pkgs, lib, config, inputs, hosts, hostName, ... }:
 let
   domain = "autogeree.net";
   domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
@@ -34,23 +34,22 @@ in
     # ns6.gandi.net takes roughly 5min to update
     # hence lego's RFC2136_PROPAGATION_TIMEOUT=1000
     #dnsPropagationCheck = false;
-    credentialsFile = "/dev/null";
-    validMinDays = 10;
+    credentialsFile = pkgs.writeText "acme-credentials-${domain}" ''
+      RFC2136_NAMESERVER=ns.${domain}:53
+      RFC2136_TSIG_ALGORITHM=hmac-sha256.
+      RFC2136_TSIG_KEY=acme_${domainID}
+      RFC2136_PROPAGATION_TIMEOUT=1000
+      RFC2136_POLLING_INTERVAL=30
+      RFC2136_SEQUENCE_INTERVAL=30
+      RFC2136_DNS_TIMEOUT=1000
+      RFC2136_TTL=1
+    '';
   };
   systemd.services."acme-${domain}" = {
-    serviceConfig.LoadCredentialEncrypted =
-      [ "${domain}.tsig:${inputs.self}/hosts/${hostName}/acme/${domain}.tsig.cred" ];
-    environment = {
-      RFC2136_TSIG_SECRET = "%d/${domain}.tsig";
-      RFC2136_NAMESERVER = "ns.${domain}:53";
-      RFC2136_TSIG_ALGORITHM = "hmac-sha256.";
-      RFC2136_TSIG_KEY = "acme_${domainID}";
-      RFC2136_PROPAGATION_TIMEOUT = "1000";
-      RFC2136_POLLING_INTERVAL = "30";
-      RFC2136_SEQUENCE_INTERVAL = "30";
-      RFC2136_DNS_TIMEOUT = "1000";
-      RFC2136_TTL = "1";
-    };
+    serviceConfig.LoadCredentialEncrypted = [
+      "${domain}.tsig:${./. + "/${domain}.tsig.cred"}"
+    ];
+    environment.RFC2136_TSIG_SECRET_FILE = "%d/${domain}.tsig";
     after = [ "unbound.service" ];
   };
 }
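Review bot: The new credentialsFile built with `pkgs.writeText` on the first added line of the hunk lands in the Nix store, which is readable by every local user; that is acceptable here only because the file carries nothing but the nameserver, TSIG key name, algorithm and timeouts, while the TSIG secret itself stays in the systemd-creds-encrypted credential and reaches lego through `RFC2136_TSIG_SECRET_FILE`. That invariant is easy to break in a later edit, so it deserves a comment above the `credentialsFile =` line, e.g. `# Stored in the world-readable /nix/store: non-secret lego settings only; the TSIG secret comes from LoadCredentialEncrypted via RFC2136_TSIG_SECRET_FILE.`. The hunk also drops `validMinDays = 10;` without a replacement, so renewal falls back to the module's default window; if that is intended it should be stated in the commit message, otherwise the line should be kept. The `${./. + "/${domain}.tsig.cred"}` interpolation likewise copies the credential into the store, which is fine as long as that file is only ever the encrypted form.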