{ config, lib, pkgs, ... }: with lib; let knotCfg = config.services.knot; knotDNSCredentials = zone: pkgs.writeText "lego-credentials" '' EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh EXEC_PROPAGATION_TIMEOUT=300 EXEC_POLLING_INTERVAL=5 ''; knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" '' #!${pkgs.zsh}/bin/zsh -xe mode=$1 fqdn=$2 challenge=$3 owner=''${fqdn%".${zone}."} commited= function abort() { [[ -n "''${commited}" ]] || ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}" } ${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}" trap abort EXIT case "''${mode}" in present) ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT '""' ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT "''${challenge}" ;; cleanup) ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}" ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT '""' ;; *) exit 2 ;; esac ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}" commited=yes ''; domains = ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"]; in { config = { fileSystems."/var/lib/acme" = { device = "surtr/safe/var-lib-acme"; fsType = "zfs"; }; security.acme = { acceptTerms = true; preliminarySelfsigned = true; # DNS challenge is slow defaults.email = "phikeebaogobaegh@141.li"; certs = let domainAttrset = domain: { inherit domain; extraDomainNames = [ "*.${domain}" ]; dnsProvider = "exec"; credentialsFile = knotDNSCredentials domain; dnsResolver = "1.1.1.1:53"; keyType = "rsa4096"; # we don't like NIST curves }; in genAttrs domains domainAttrset; }; systemd.services = let serviceAttrset = domain: { after = [ "knot.service" ]; bindsTo = [ "knot.service" ]; serviceConfig = { ReadWritePaths = ["/run/knot/knot.sock"]; SupplementaryGroups = ["knot"]; RestrictAddressFamilies = ["AF_UNIX"]; }; }; in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs domains serviceAttrset); }; }