-{ lib, config, inputs, hosts, hostName, ... }:
+{ pkgs, lib, config, inputs, hosts, hostName, ... }:
let
domain = "autogeree.net";
domainID = lib.replaceStrings [ "." ] [ "_" ] domain;
# ns6.gandi.net takes roughly 5min to update
# hence lego's RFC2136_PROPAGATION_TIMEOUT=1000
#dnsPropagationCheck = false;
- credentialsFile = "/dev/null";
- validMinDays = 10;
+ credentialsFile = pkgs.writeText "acme-credentials-${domain}" ''
+ RFC2136_NAMESERVER=ns.${domain}:53
+ RFC2136_TSIG_ALGORITHM=hmac-sha256.
+ RFC2136_TSIG_KEY=acme_${domainID}
+ RFC2136_PROPAGATION_TIMEOUT=1000
+ RFC2136_POLLING_INTERVAL=30
+ RFC2136_SEQUENCE_INTERVAL=30
+ RFC2136_DNS_TIMEOUT=1000
+ RFC2136_TTL=1
+ '';
};
systemd.services."acme-${domain}" = {
- serviceConfig.LoadCredentialEncrypted =
- [ "${domain}.tsig:${inputs.self}/hosts/${hostName}/acme/${domain}.tsig.cred" ];
- environment = {
- RFC2136_TSIG_SECRET = "%d/${domain}.tsig";
- RFC2136_NAMESERVER = "ns.${domain}:53";
- RFC2136_TSIG_ALGORITHM = "hmac-sha256.";
- RFC2136_TSIG_KEY = "acme_${domainID}";
- RFC2136_PROPAGATION_TIMEOUT = "1000";
- RFC2136_POLLING_INTERVAL = "30";
- RFC2136_SEQUENCE_INTERVAL = "30";
- RFC2136_DNS_TIMEOUT = "1000";
- RFC2136_TTL = "1";
- };
+ serviceConfig.LoadCredentialEncrypted = [
+ "${domain}.tsig:${./. + "/${domain}.tsig.cred"}"
+ ];
+ environment.RFC2136_TSIG_SECRET_FILE = "%d/${domain}.tsig";
after = [ "unbound.service" ];
};
}
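Review bot: The new `credentialsFile` built with `pkgs.writeText` ends up in the world-readable `/nix/store`, so the block is only safe as long as nothing secret is ever appended to it; nothing in the hunk records that invariant, and a later maintainer adding `RFC2136_TSIG_SECRET=...` there would leak the TSIG key to every local user. I would pin it down with a comment above the definition: `# No secrets here: this file is a world-readable store path. The TSIG secret is delivered separately via RFC2136_TSIG_SECRET_FILE from the systemd credential loaded in the service unit.` The same applies to `${domain}.tsig.cred`, which is also copied into the store by the flake; it is presumably encrypted with `systemd-creds encrypt` bound to this host's key or TPM, and a short comment next to `LoadCredentialEncrypted` stating which key it is bound to would make that expectation auditable. The enclosing attribute set that `};` on the context line closes starts outside the hunk.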