summary refs log tree commit diff stats
diff options
context:
space:
mode:
authorAlan Pearce2024-06-30 13:37:45 +0200
committerAlan Pearce2024-06-30 13:39:47 +0200
commit2c98316c8667e46b6e0f2f40d60514239cee8be0 (patch)
treedb1d017194612408eec7958b558d461bc649af47
parent31ddf8bb60d93594fad1e708154638e3a2f6b93f (diff)
downloadnixfiles-2c98316c8667e46b6e0f2f40d60514239cee8be0.tar.lz
nixfiles-2c98316c8667e46b6e0f2f40d60514239cee8be0.tar.zst
nixfiles-2c98316c8667e46b6e0f2f40d60514239cee8be0.zip
enable acme-dns
-rw-r--r--secrets/acme.agebin641 -> 708 bytes
-rw-r--r--system/linde.nix33
2 files changed, 31 insertions, 2 deletions
diff --git a/secrets/acme.age b/secrets/acme.age
index 0a7be3b7..efd8bf3a 100644
--- a/secrets/acme.age
+++ b/secrets/acme.age
Binary files differdiff --git a/system/linde.nix b/system/linde.nix
index 03edc328..c0af9144 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -13,6 +13,7 @@ let
   net-gw = "172.31.1.1";
   net-ip6 = "2a01:4f8:c012:23a4::1";
   net-rdnsip = "2a01:4f8:c012:23a4::53";
+  net-acmeip = "2a01:4f8:c012:23a4::715";
   net-mask6 = "64";
   net-gw6 = "fe80::1";
   domain = "alanpearce.eu";
@@ -170,6 +171,7 @@ in
       ${net-ip4} = [ "${hostname}.alanpearce.eu" hostname ];
       ${net-ip6} = [ "${hostname}.alanpearce.eu" hostname ];
       ${net-rdnsip} = [ "dns" ];
+      ${net-acmeip} = [ "acme" ];
     };
     firewall = {
       enable = true;
@@ -227,6 +229,7 @@ in
         address = [
           "${net-ip6}/${net-mask6}"
           "${net-rdnsip}/${net-mask6}"
+          "${net-acmeip}/${net-mask6}"
         ];
         addresses = [{
           Address = "${net-ip4}/${net-mask4}";
@@ -614,11 +617,37 @@ in
     };
   };
 
+  services.acme-dns = {
+    enable = true;
+    settings =
+      let
+        me = "acme.${domain}";
+      in
+      {
+        general = {
+          listen = "[${net-acmeip}]:53";
+          protocol = "both6";
+          domain = me;
+          nsname = me;
+          nsadmin = builtins.replaceStrings [ "@" ] [ "." ] config.security.acme.defaults.email;
+          records = [
+            "${me}. AAAA ${net-acmeip}"
+            "${me}. NS ${me}."
+          ];
+        };
+        api = {
+          ip = "[${net-acmeip}]";
+          tls = "letsencrypt";
+          port = 443;
+          notification-email = config.security.acme.defaults.email;
+        };
+      };
+  };
+
   security.acme = {
     defaults = {
       email = "alan@alanpearce.eu";
-      dnsProvider = "pdns";
-      dnsResolver = "1.1.1.1:53";
+      dnsProvider = "acme-dns";
       credentialsFile = config.age.secrets.acme.path;
       reloadServices = [ "caddy" ];
       validMinDays = 32;