-rw-r--r-- | hosts/surtr/tls.nix | 63 |
1 files changed, 31 insertions, 32 deletions
diff --git a/hosts/surtr/tls.nix b/hosts/surtr/tls.nix index 97a9649d..d99e832c 100644 --- a/hosts/surtr/tls.nix +++ b/hosts/surtr/tls.nix | |||
@@ -6,48 +6,47 @@ let | |||
6 | cfg = config.security.acme; | 6 | cfg = config.security.acme; |
7 | knotCfg = config.services.knot; | 7 | knotCfg = config.services.knot; |
8 | 8 | ||
9 | knotDNSCredentials = zone: pkgs.writeText "lego-credentials" '' | 9 | knotDNSCredentials = domain: let |
10 | zone = if cfg.domains.${domain}.zone == null then domain else cfg.domains.${domain}.zone; | ||
11 | in pkgs.writeText "lego-credentials" '' | ||
10 | EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh | 12 | EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh |
11 | EXEC_PROPAGATION_TIMEOUT=300 | 13 | EXEC_PROPAGATION_TIMEOUT=300 |
12 | EXEC_POLLING_INTERVAL=5 | 14 | EXEC_POLLING_INTERVAL=5 |
13 | ''; | 15 | ''; |
14 | knotDNSExec = domain: | 16 | knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" '' |
15 | let | 17 | #!${pkgs.zsh}/bin/zsh -xe |
16 | zone = if cfg.domains.${domain}.zone == null then domain else cfg.domains.${domain}.zone; | ||
17 | in pkgs.writeScriptBin "update-dns.sh" '' | ||
18 | #!${pkgs.zsh}/bin/zsh -xe | ||
19 | 18 | ||
20 | mode=$1 | 19 | mode=$1 |
21 | fqdn=$2 | 20 | fqdn=$2 |
22 | challenge=$3 | 21 | challenge=$3 |
23 | 22 | ||
24 | owner=''${fqdn%".${domain}."} | 23 | owner=''${fqdn%".${zone}."} |
25 | 24 | ||
26 | commited= | 25 | commited= |
27 | function abort() { | 26 | function abort() { |
28 | [[ -n "''${commited}" ]] || ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}" | 27 | [[ -n "''${commited}" ]] || ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}" |
29 | } | 28 | } |
30 | 29 | ||
31 | ${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}" | 30 | ${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}" |
32 | trap abort EXIT | 31 | trap abort EXIT |
33 | 32 | ||
34 | case "''${mode}" in | 33 | case "''${mode}" in |
35 | present) | 34 | present) |
36 | ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT '""' | 35 | ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT '""' |
37 | ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT "''${challenge}" | 36 | ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT "''${challenge}" |
38 | ;; | 37 | ;; |
39 | cleanup) | 38 | cleanup) |
40 | ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}" | 39 | ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}" |
41 | ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT '""' | 40 | ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT '""' |
42 | ;; | 41 | ;; |
43 | *) | 42 | *) |
44 | exit 2 | 43 | exit 2 |
45 | ;; | 44 | ;; |
46 | esac | 45 | esac |
47 | 46 | ||
48 | ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}" | 47 | ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}" |
49 | commited=yes | 48 | commited=yes |
50 | ''; | 49 | ''; |
51 | 50 | ||
52 | domainOptions = { | 51 | domainOptions = { |
53 | options = { | 52 | options = { |
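Review bot: The suffix strip `owner=''${fqdn%".${zone}."}` on the new side has no guard for an `fqdn` that is not under `zone`: the parameter expansion is then a no-op, `owner` stays the full FQDN, and the script still opens a transaction and calls `knotc zone-set` with an out-of-zone owner. knotc would presumably reject that record and the EXIT trap would abort the transaction, but an explicit check before `zone-begin` fails early with a clear reason, e.g. `[[ "''${fqdn}" == *".${zone}." ]] || exit 2`. The zone argument is also quoted inconsistently within the same script (`zone-begin "${zone}"` and `zone-commit "${zone}"` but `zone-unset ${zone}` and `zone-set ${zone}`); both forms read the same Nix-side `zone`, so quoting every occurrence the same way would make the intent clearer. The diffstat (31 insertions, 32 deletions) suggests most body lines were re-indented after the `let` was dropped, which this rendered view does not show.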