
System and user configuration, managed by nix and home-manager

enable acme-dns
Alan Pearce alan@alanpearce.eu
Sun, 30 Jun 2024 13:37:45 +0200
commit

2c98316c8667e46b6e0f2f40d60514239cee8be0

parent

31ddf8bb60d93594fad1e708154638e3a2f6b93f

2 files changed, 31 insertions(+), 2 deletions(-)

M secrets/acme.agesecrets/acme.age

Not showing binary file.

M system/linde.nixsystem/linde.nix
@@ -13,6 +13,7 @@ net-mask4 = "32";   net-gw = "172.31.1.1";
   net-ip6 = "2a01:4f8:c012:23a4::1";
   net-rdnsip = "2a01:4f8:c012:23a4::53";
+  net-acmeip = "2a01:4f8:c012:23a4::715";
   net-mask6 = "64";
   net-gw6 = "fe80::1";
   domain = "alanpearce.eu";
@@ -170,6 +171,7 @@ hosts = lib.mkForce {       ${net-ip4} = [ "${hostname}.alanpearce.eu" hostname ];
       ${net-ip6} = [ "${hostname}.alanpearce.eu" hostname ];
       ${net-rdnsip} = [ "dns" ];
+      ${net-acmeip} = [ "acme" ];
     };
     firewall = {
       enable = true;
@@ -227,6 +229,7 @@ ];         address = [
           "${net-ip6}/${net-mask6}"
           "${net-rdnsip}/${net-mask6}"
+          "${net-acmeip}/${net-mask6}"
         ];
         addresses = [{
           Address = "${net-ip4}/${net-mask4}";
@@ -614,11 +617,37 @@ WorkingDirectory = config.services.paperless.dataDir;     };
   };
 
+  services.acme-dns = {
+    enable = true;
+    settings =
+      let
+        me = "acme.${domain}";
+      in
+      {
+        general = {
+          listen = "[${net-acmeip}]:53";
+          protocol = "both6";
+          domain = me;
+          nsname = me;
+          nsadmin = builtins.replaceStrings [ "@" ] [ "." ] config.security.acme.defaults.email;
+          records = [
+            "${me}. AAAA ${net-acmeip}"
+            "${me}. NS ${me}."
+          ];
+        };
+        api = {
+          ip = "[${net-acmeip}]";
+          tls = "letsencrypt";
+          port = 443;
+          notification-email = config.security.acme.defaults.email;
+        };
+      };
+  };
+
   security.acme = {
     defaults = {
       email = "alan@alanpearce.eu";
-      dnsProvider = "pdns";
-      dnsResolver = "1.1.1.1:53";
+      dnsProvider = "acme-dns";
       credentialsFile = config.age.secrets.acme.path;
       reloadServices = [ "caddy" ];
       validMinDays = 32;
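Review bot: The acme-dns API is bound to a public address (`ip = "[${net-acmeip}]"`, `port = 443`) and nothing in the new `services.acme-dns.settings.api` set touches `disable_registration`, so unless the NixOS module or something outside this file sets it, anyone on the internet can register accounts and mint `<uuid>.acme.alanpearce.eu` names on this server. Once the client account used by `security.acme` has been registered and saved into the credentials file, add `disable_registration = true;` to the `api` set, with a comment such as `# registration closed after bootstrapping; flip to false to enrol a new client`. Two things to confirm that live outside the hunk: the `firewall` block near the top of `linde.nix` must admit 53 (udp and tcp), 443 and the autocert port (80 by default for `tls = "letsencrypt"`) on `net-acmeip`, and Caddy must not already bind the wildcard `[::]:443`, or acme-dns will fail to start on the same host. The zone also serves only an AAAA/NS pair with `protocol = "both6"`, so the delegation in the parent zone needs matching AAAA glue and IPv4-only resolvers cannot reach it; that is acceptable for Let's Encrypt's validators but deserves a comment above `records`.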