Diffstat (limited to 'hosts/surtr/dns/default.nix')
-rw-r--r-- | hosts/surtr/dns/default.nix | 16 |
1 files changed, 13 insertions, 3 deletions
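--- a/hosts/surtr/dns/default.nix
+++ b/hosts/surtr/dns/default.nix
@@ -23,7 +23,9 @@ let
 
 indentString = indentation: str: concatMapStringsSep "\n" (str: " ${str}") (splitString "\n" (removeSuffix "\n" str));
 
-mkZone = {domain, path ? (./zones + "/${reverseDomain domain}.soa"), acmeDomains ? [domain]}: indentString " " ''
+mkZone = {domain, path ? (./zones + "/${reverseDomain domain}.soa"), acmeDomains ? [domain], addACLs ? {}}: indentString " " (let
+keys = acmeDomain: [(assert (config.sops.secrets ? "${acmeDomain}_acme.yaml"); "${acmeDomain}_acme_acl")] ++ (addACLs.${acmeDomain} or []);
+in ''
 - domain: ${domain}
 template: inwx_zone
 ${optionalString (acmeDomains != []) "acl: [local_acl, inwx_acl]"}
@@ -31,10 +33,10 @@ let
 ${concatMapStringsSep "\n" (acmeDomain: ''
 - domain: _acme-challenge.${acmeDomain}
 template: acme_zone
-acl: [${assert (config.sops.secrets ? "${acmeDomain}_acme.yaml"); "${acmeDomain}_acme_acl"}]
+acl: [${concatStringsSep ", " (keys acmeDomain)}]
 file: ${acmeChallengeZonefile acmeDomain}
 '') acmeDomains}
-'';
+'');
 in {
 config = {
 fileSystems."/var/lib/knot" =
@@ -152,21 +154,29 @@ in {
 zone:
 ${concatMapStringsSep "\n" mkZone [
 { domain = "yggdrasil.li";
+addACLs = { "yggdrasil.li" = ["ymir_acme_acl"]; };
 }
 { domain = "nights.email";
+addACLs = { "nights.email" = ["ymir_acme_acl"]; };
 }
 { domain = "141.li";
 acmeDomains = ["webdav.141.li" "141.li"];
+addACLs = { "141.li" = ["ymir_acme_acl"]; };
 }
 { domain = "kleen.li";
+addACLs = { "kleen.li" = ["ymir_acme_acl"]; };
 }
 { domain = "xmpp.li";
+addACLs = { "xmpp.li" = ["ymir_acme_acl"]; };
 }
 { domain = "dirty-haskell.org";
+addACLs = { "dirty-haskell.org" = ["ymir_acme_acl"]; };
 }
 { domain = "praseodym.org";
+addACLs = { "praseodym.org" = ["ymir_acme_acl"]; };
 }
 { domain = "rheperire.org";
+addACLs = { "rheperire.org" = ["ymir_acme_acl"]; };
 }
 ]}
 '';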
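Review bot: ACL names supplied through `addACLs` are spliced into the generated Knot zone entry (new line 36, `acl: [${concatStringsSep ", " (keys acmeDomain)}]`) without any check that the ACL exists, whereas the derived `${acmeDomain}_acme_acl` key on new line 27 is still guarded by `assert (config.sops.secrets ? "${acmeDomain}_acme.yaml")`; a misspelled or undefined name such as `ymir_acme_acl` would only surface when knot loads the config. The contract deserves a comment on the parameter, for instance `# addACLs: per-acmeDomain list of extra Knot ACL names; each must be defined in the acl: section and grants update access to that _acme-challenge zone`. The third hunk adds the same `ymir_acme_acl` to the challenge zone of every listed domain, so a single key holder can update challenge records for all of them; if that is intended, a one-line comment next to the list saying so would stop a later reader from treating it as an oversight. The `let` enclosing mkZone starts before the first hunk, and the line between the first two hunks is not shown.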