From a7255ba16633d70c22e8bed75ae52c49f08e1c18 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 22 Feb 2022 15:48:59 +0100
Subject: surtr: dns/tls: rfc2136
---
 hosts/surtr/tls/default.nix | 51 +--------------------------------------------
 1 file changed, 1 insertion(+), 50 deletions(-)
(limited to 'hosts/surtr/tls/default.nix')
diff --git a/hosts/surtr/tls/default.nix b/hosts/surtr/tls/default.nix
index 01c9050e..b28d33e9 100644
--- a/hosts/surtr/tls/default.nix
+++ b/hosts/surtr/tls/default.nix
@@ -8,51 +8,6 @@ let
 tsigSecretName = domain: "${domain}_tsig-secret";
 cfg = config.security.acme;
- knotCfg = config.services.knot;
-
- knotDNSCredentials = domain: let
- zone = if cfg.domains.${domain}.zone == null then domain else cfg.domains.${domain}.zone;
- in pkgs.writeText "lego-credentials" ''
- EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
- EXEC_PROPAGATION_TIMEOUT=300
- EXEC_POLLING_INTERVAL=5
- '';
- knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" ''
- #!${pkgs.zsh}/bin/zsh -xe
-
- mode=$1
- fqdn=$2
- challenge=$3
-
- owner=''${fqdn%".${zone}."}
-
- commited=
- function abort() {
- [[ -n "''${commited}" ]] || ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}"
- }
-
- ${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}"
- trap abort EXIT
-
- case "''${mode}" in
- present)
- if ${knotCfg.cliWrappers}/bin/knotc zone-get ${zone} "''${owner}" TXT; then
- ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT '""'
- fi
- ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT "''${challenge}"
- ;;
- cleanup)
- ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}"
- ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT '""'
- ;;
- *)
- exit 2
- ;;
- esac
-
- ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}"
- commited=yes
- '';
 domainOptions = {
 options = {
@@ -111,10 +66,6 @@ in {
 extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
 dnsResolver = "127.0.0.1:5353";
 };
- mkKnotc = shared // {
- dnsProvider = "exec";
- credentialsFile = knotDNSCredentials domain;
- };
 mkRFC2136 = let
 tsigInfo = readYaml tsigPath;
 in shared // {
@@ -129,7 +80,7 @@ in {
 RFC2136_POLLING_INTERVAL=2
 '';
 };
- in (if isTsig then mkRFC2136 else mkKnotc) // cfg.domains.${domain}.certCfg;
+ in assert isTsig; mkRFC2136 // cfg.domains.${domain}.certCfg;
 in genAttrs (attrNames cfg.domains) domainAttrset;
 };
-- cgit v1.2.3
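Review bot: The new `assert isTsig;` in the third hunk turns a domain without a TSIG secret into a bare assertion failure that reports only the expression and file position, not which domain is affected or what is missing, which is what the operator needs when the whole host evaluation stops. A throw carries that context: `in if isTsig then mkRFC2136 // cfg.domains.${domain}.certCfg else throw "acme: no TSIG secret for ${domain}; RFC2136 is now the only DNS-01 provider";`. isTsig and tsigPath are defined outside the hunk, so how the secret's presence is detected is not visible here; the RFC2136 credentials file also appears to be rendered from `tsigInfo` at evaluation time, so it is worth confirming it is not produced with `pkgs.writeText`, which would place the TSIG key in the world-readable Nix store, and with the knotc exec path removed this is the only remaining provider. The enclosing `domainAttrset` function starts outside the hunk.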