diff options
author | Alan Pearce | 2024-06-30 13:37:45 +0200 |
---|---|---|
committer | Alan Pearce | 2024-06-30 13:39:47 +0200 |
commit | 2c98316c8667e46b6e0f2f40d60514239cee8be0 (patch) | |
tree | db1d017194612408eec7958b558d461bc649af47 | |
parent | 31ddf8bb60d93594fad1e708154638e3a2f6b93f (diff) | |
download | nixfiles-2c98316c8667e46b6e0f2f40d60514239cee8be0.tar.lz nixfiles-2c98316c8667e46b6e0f2f40d60514239cee8be0.tar.zst nixfiles-2c98316c8667e46b6e0f2f40d60514239cee8be0.zip |
enable acme-dns
-rw-r--r-- | secrets/acme.age | bin | 641 -> 708 bytes | |||
-rw-r--r-- | system/linde.nix | 33 |
2 files changed, 31 insertions, 2 deletions
diff --git a/secrets/acme.age b/secrets/acme.age index 0a7be3b7..efd8bf3a 100644 --- a/secrets/acme.age +++ b/secrets/acme.age Binary files differdiff --git a/system/linde.nix b/system/linde.nix index 03edc328..c0af9144 100644 --- a/system/linde.nix +++ b/system/linde.nix @@ -13,6 +13,7 @@ let net-gw = "172.31.1.1"; net-ip6 = "2a01:4f8:c012:23a4::1"; net-rdnsip = "2a01:4f8:c012:23a4::53"; + net-acmeip = "2a01:4f8:c012:23a4::715"; net-mask6 = "64"; net-gw6 = "fe80::1"; domain = "alanpearce.eu"; @@ -170,6 +171,7 @@ in ${net-ip4} = [ "${hostname}.alanpearce.eu" hostname ]; ${net-ip6} = [ "${hostname}.alanpearce.eu" hostname ]; ${net-rdnsip} = [ "dns" ]; + ${net-acmeip} = [ "acme" ]; }; firewall = { enable = true; @@ -227,6 +229,7 @@ in address = [ "${net-ip6}/${net-mask6}" "${net-rdnsip}/${net-mask6}" + "${net-acmeip}/${net-mask6}" ]; addresses = [{ Address = "${net-ip4}/${net-mask4}"; @@ -614,11 +617,37 @@ in }; }; + services.acme-dns = { + enable = true; + settings = + let + me = "acme.${domain}"; + in + { + general = { + listen = "[${net-acmeip}]:53"; + protocol = "both6"; + domain = me; + nsname = me; + nsadmin = builtins.replaceStrings [ "@" ] [ "." ] config.security.acme.defaults.email; + records = [ + "${me}. AAAA ${net-acmeip}" + "${me}. NS ${me}." + ]; + }; + api = { + ip = "[${net-acmeip}]"; + tls = "letsencrypt"; + port = 443; + notification-email = config.security.acme.defaults.email; + }; + }; + }; + security.acme = { defaults = { email = "alan@alanpearce.eu"; - dnsProvider = "pdns"; - dnsResolver = "1.1.1.1:53"; + dnsProvider = "acme-dns"; credentialsFile = config.age.secrets.acme.path; reloadServices = [ "caddy" ]; validMinDays = 32; |