From 61a809078058b09a4e39c2e941056b91323555c0 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 22 Feb 2022 17:12:59 +0100
Subject: ymir: rfc2136
---
 ymir.nix | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
(limited to 'ymir.nix')
diff --git a/ymir.nix b/ymir.nix
index 8f01ad6b..b1ba6033 100644
--- a/ymir.nix
+++ b/ymir.nix
@@ -806,11 +806,22 @@ in rec {
 certs = {
 "yggdrasil.li" = {
 group = "ssl";
- webroot = "/srv/www/acme";
 email = "phikeebaogobaegh@141.li";
+ keyType = "rsa4096";
+ dnsProvider = "rfc2136";
+ credentialsFile = pkgs.writeText "rfc2136-credentials.env" ''
+ RFC2136_NAMESERVER=202.61.241.61:53
+ RFC2136_TSIG_ALGORITHM=hmac-sha256.
+ RFC2136_TSIG_KEY=ymir_acme_key
+ RFC2136_TSIG_SECRET_FILE=/etc/acme_tsig_secret
+ RFC2136_TTL=0
+ RFC2136_PROPAGATION_TIMEOUT=60
+ RFC2136_POLLING_INTERVAL=2
+ '';
+ dnsResolver = "127.0.0.1";
 extraDomainNames = myDomains;
 postRun = ''
- systemctl reload nginx.service dovecot2.service postfix.service ejabberd.service vsftpd.service infinoted.service
+ systemctl try-reload-or-restart nginx.service dovecot2.service postfix.service ejabberd.service vsftpd.service infinoted.service
 '';
 };
 };
-- 
cgit v1.2.3
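Review bot: The `credentialsFile` built with `pkgs.writeText` lands in the world-readable Nix store, so it deserves a comment saying that only non-secret settings belong in it and that the TSIG secret is deliberately referenced through `RFC2136_TSIG_SECRET_FILE`, e.g. `# store path is world-readable: the secret itself stays in /etc/acme_tsig_secret`. How `/etc/acme_tsig_secret` is provisioned is not visible in this hunk; it needs to be readable by the ACME service user but not by other users, and it must not be generated into the store either. Because whoever holds this key can satisfy DNS-01 for every name in `myDomains`, the nameserver's update policy for `ymir_acme_key` should presumably be restricted to the `_acme-challenge` TXT records; that has to be confirmed on the server side. The attribute set enclosing `certs` starts and ends outside the hunk.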