-{ pkgs, lib, config, machines, ... }:
+{ inputs, pkgs, lib, config, machines, ... }:
let
domain = "autogeree.net";
domainID = lib.replaceStrings ["."] ["_"] domain;
inherit (builtins) attrValues;
- inherit (builtins.extraBuiltins) git;
inherit (config) networking;
+ inherit (config.security) gnupg;
inherit (config.services) knot;
- inherit (config.security) pass;
- inherit (config.users) users groups;
- # Use the Git commit time of the ${domain}.nix file to set the serial number.
- # WARNING: the ${domain}.nix must be committed into Git for this to work.
- # WARNING: this does not take other .nix into account, though they may contribute to the zone's data.
- serial = domain: toString (git ./. [ "log" "-1" "--format=%ct" "--" (domain + ".nix") ]);
+ inherit (config.users) users;
in
{
services.knot.zones."${domain}" = {
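Review bot: Dropping `serial` also drops the two WARNING comments that explained how the SOA serial is derived, and nothing documents the replacement — `inputs` is added to the argument set only so the SOA record (in a later hunk) can read `inputs.self.lastModified`. That value is the flake's last-modified timestamp, so the serial now moves whenever anything in the repository changes, not only this zone file, and secondaries will transfer the zone on every new commit even when the zone data is unchanged; presumably acceptable, but it should be stated. I would keep a short note in this `let` block, e.g. `# The SOA serial is taken from inputs.self.lastModified (flake commit time, seconds since epoch): it bumps on every commit of the repository, not just on changes to this zone.` It is also worth confirming how `lastModified` behaves when evaluating from a dirty working tree, since the old Git-based scheme had a documented failure mode there and the new one has none written down.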
action: update
update-owner: name
update-owner-match: equal
- update-owner-name: [_acme-challenge.${domain}]
+ update-owner-name: [_acme-challenge]
update-type: [TXT]
- id: acl_tsig_acme_${domainID}
- address: ${machines.losurdo.extraArgs.ipv4}
key: acme_${domainID}
action: update
update-owner: name
update-owner-match: equal
- update-owner-name: [_acme-challenge.${domain}]
+ update-owner-name: [_acme-challenge]
update-type: [TXT]
zone:
$TTL 500
; SOA (Start Of Authority)
- @ SOA ns admin (
- ${serial domain} ; Serial number
+ @ SOA ns root (
+ ${toString inputs.self.lastModified} ; Serial number
24h ; Refresh
15m ; Retry
1000h ; Expire (1000h)
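Review bot: Removing `address: ${machines.losurdo.extraArgs.ipv4}` from the ACME ACL means the `acme_${domainID}` TSIG key alone now authorizes `_acme-challenge` TXT updates from any source address, whereas before a leaked key was only usable from losurdo's IPv4. The owner-name and type restrictions still bound the blast radius to the challenge record, but control of that record is exactly what DNS-01 issuance needs, so with the CAA record permitting Let's Encrypt a key holder anywhere could obtain certificates for the domain. If the updater moved hosts or gained IPv6, I would keep the constraint as a list, e.g. `address: [${machines.losurdo.extraArgs.ipv4}, <ipv6>]`, or at least add a comment recording why source-address pinning was dropped. I cannot see where the removed `id: acl_tsig_acme_${domainID}` went; if the ACL id is now implied by the attribute name that is fine, otherwise the key-only ACL would be unnamed and unreferenced.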
@ CAA 128 issue "letsencrypt.org"
'';
};
+users.groups.keys.members = [ users.knot.name ];
services.knot = {
- keyFiles = [ pass.secrets."knot/tsig/${domain}/acme.conf".path ];
+ keyFiles = [ gnupg.secrets."knot/tsig/${domain}/acme.conf".path ];
};
-security.pass.secrets."knot/tsig/${domain}/acme.conf" = {
+security.gnupg.secrets."knot/tsig/${domain}/acme.conf" = {
# Generated with: keymgr -t acme_${domainID}
user = users.knot.name;
};
systemd.services.knot = {
- after = [ pass.secrets."knot/tsig/${domain}/acme.conf".service ];
- wants = [ pass.secrets."knot/tsig/${domain}/acme.conf".service ];
+ after = [ gnupg.secrets."knot/tsig/${domain}/acme.conf".service ];
+ wants = [ gnupg.secrets."knot/tsig/${domain}/acme.conf".service ];
};
/* Useless since the zone is public
services.unbound.extraConfig = ''
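Review bot: `users.groups.keys.members = [ users.knot.name ];` grants knot membership of the `keys` group, which is broader than the one TSIG secret it needs — if `security.gnupg.secrets` installs into a group-readable secrets directory (as NixOS' `/run/keys` is), knot can then read every other secret delivered there. The secret is already declared with `user = users.knot.name`, so per-file ownership should suffice unless the module only sets group ownership; please confirm which and, if group access is required, prefer a dedicated group for this key over the shared `keys` group. At minimum a comment such as `# knot must be able to read its TSIG key; the gnupg secrets directory is only accessible to the keys group` should record why the membership is granted. The `keyFiles`/`after`/`wants` switch from `pass` to `gnupg` looks consistent across the three places it is referenced.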