Diffstat (limited to 'hosts/surtr/tls/default.nix')
-rw-r--r--hosts/surtr/tls/default.nix51
1 files changed, 1 insertions, 50 deletions
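diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index 01c9050e..b28d33e9 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -8,51 +8,6 @@ let
 tsigSecretName = domain: "${domain}_tsig-secret";
 
 cfg = config.security.acme;
-knotCfg = config.services.knot;
-
-knotDNSCredentials = domain: let
-zone = if cfg.domains.${domain}.zone == null then domain else cfg.domains.${domain}.zone;
-in pkgs.writeText "lego-credentials" ''
-EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
-EXEC_PROPAGATION_TIMEOUT=300
-EXEC_POLLING_INTERVAL=5
-'';
-knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" ''
-#!${pkgs.zsh}/bin/zsh -xe
-
-mode=$1
-fqdn=$2
-challenge=$3
-
-owner=''${fqdn%".${zone}."}
-
-commited=
-function abort() {
-[[ -n "''${commited}" ]] || ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}"
-}
-
-${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}"
-trap abort EXIT
-
-case "''${mode}" in
-present)
-if ${knotCfg.cliWrappers}/bin/knotc zone-get ${zone} "''${owner}" TXT; then
-${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT '""'
-fi
-${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT "''${challenge}"
-;;
-cleanup)
-${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}"
-${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT '""'
-;;
-*)
-exit 2
-;;
-esac
-
-${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}"
-commited=yes
-'';
 
 domainOptions = {
 options = {
@@ -111,10 +66,6 @@ in {
 extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
 dnsResolver = "127.0.0.1:5353";
 };
-mkKnotc = shared // {
-dnsProvider = "exec";
-credentialsFile = knotDNSCredentials domain;
-};
 mkRFC2136 = let
 tsigInfo = readYaml tsigPath;
 in shared // {
@@ -129,7 +80,7 @@ in {
 RFC2136_POLLING_INTERVAL=2
 '';
 };
-in (if isTsig then mkRFC2136 else mkKnotc) // cfg.domains.${domain}.certCfg;
+in assert isTsig; mkRFC2136 // cfg.domains.${domain}.certCfg;
 in genAttrs (attrNames cfg.domains) domainAttrset;
 };
 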
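Review bot: The bare `assert isTsig;` on new line 83 fails evaluation with only the generic "assertion 'isTsig' failed" message, so an operator whose domain is still configured for the removed knotc/exec provider gets no hint which domain or option is at fault. With `mkKnotc` gone this assertion is now the only guard for that configuration, and it is evaluated once per entry of `cfg.domains`, so the message should name the domain: if `lib` is in scope here, `in assert lib.assertMsg isTsig "acme domain ${domain}: only the RFC2136/TSIG DNS provider is supported"; mkRFC2136 // cfg.domains.${domain}.certCfg;` does that; alternatively the condition can move to a module-level `assertions` entry with the same message. The enclosing let (presumably the `domainAttrset` function applied on the next line) and the definition of `isTsig` both start outside the hunk, so I cannot confirm from here whether `isTsig` is derived from a user option or from the presence of `tsigPath`.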