# NixOS module: obtains ACME certificates for a fixed set of domains through
# lego's DNS-01 "exec" provider.  The exec hook writes the _acme-challenge
# TXT records straight into the zones served by the local Knot DNS instance
# (services.knot) via knotc, inside a zone transaction.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.security.acme;
  knotCfg = config.services.knot;

  # Per-domain "credentials" file for lego's exec provider.  It contains no
  # secret — only the hook path and the propagation/polling knobs — which is
  # why a plain world-readable writeText in the Nix store is acceptable here;
  # anything that is actually secret must not be routed through this file.
  knotDNSCredentials = domain:
    let
      # The zone the challenge record is written into defaults to the domain
      # itself unless `zone` is set (e.g. a name hosted inside a larger zone).
      zone = if cfg.domains.${domain}.zone == null then domain else cfg.domains.${domain}.zone;
    in pkgs.writeText "lego-credentials" ''
      EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
      EXEC_PROPAGATION_TIMEOUT=300
      EXEC_POLLING_INTERVAL=5
    '';

  # Hook lego runs as `update-dns.sh <present|cleanup> <fqdn> <challenge>`.
  # `owner` is the record name relative to the zone (zone suffix and trailing
  # dot stripped from fqdn).  Every knotc change happens between zone-begin and
  # zone-commit; the EXIT trap calls zone-abort unless `commited` was set, so
  # with `-e` a failing step never leaves a half-applied transaction behind.
  # `present` removes the empty placeholder TXT (when any TXT exists at the
  # owner) and adds the challenge; `cleanup` removes that challenge and puts
  # the placeholder back; any other mode exits 2 (and thus aborts).
  # NOTE(review): the shebang passes -x, so every knotc call — including the
  # challenge token — is traced into the acme-* unit's journal.
  # NOTE(review): presumably the second `present` for the same owner (base name
  # plus wildcard) finds the placeholder already removed; whether zone-unset of
  # a record that does not exist makes knotc fail (and -e abort) should be
  # confirmed against the knotc version in use.
  # NOTE(review): zone-begin opens a zone transaction; two acme-* units for
  # certificates in the same zone running concurrently would likely contend
  # on it — confirm, and serialise them if so.
  knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" ''
    #!${pkgs.zsh}/bin/zsh -xe

    mode=$1
    fqdn=$2
    challenge=$3

    owner=''${fqdn%".${zone}."}
    commited=

    function abort() {
      [[ -n "''${commited}" ]] || ${knotCfg.cliWrappers}/bin/knotc zone-abort "${zone}"
    }

    ${knotCfg.cliWrappers}/bin/knotc zone-begin "${zone}"
    trap abort EXIT

    case "''${mode}" in
      present)
        if ${knotCfg.cliWrappers}/bin/knotc zone-get ${zone} "''${owner}" TXT; then
          ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT '""'
        fi
        ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT "''${challenge}"
        ;;
      cleanup)
        ${knotCfg.cliWrappers}/bin/knotc zone-unset ${zone} "''${owner}" TXT "''${challenge}"
        ${knotCfg.cliWrappers}/bin/knotc zone-set ${zone} "''${owner}" 30 TXT '""'
        ;;
      *)
        exit 2
        ;;
    esac

    ${knotCfg.cliWrappers}/bin/knotc zone-commit "${zone}"
    commited=yes
  '';

  # Submodule describing one entry of security.acme.domains.
  domainOptions = {
    options = {
      # Also request "*.<domain>" on the same certificate.
      wildcard = mkOption {
        type = types.bool;
        default = false;
      };
      # Knot zone holding the challenge record; null means the domain itself.
      zone = mkOption {
        type = types.nullOr types.str;
        default = null;
      };
      # Free-form attrs merged (with `//`, overriding) into the generated
      # security.acme.certs.<domain> entry.
      certCfg = mkOption {
        type = types.attrs;
        default = {};
      };
    };
  };
in {
  options = {
    security.acme = {
      domains = mkOption {
        type = types.attrsOf (types.submodule domainOptions);
        default = {};
      };
    };
  };

  config = {
    # Every listed domain gets a wildcard certificate; zone defaults to the
    # domain itself, so each of these is expected to be a zone knot serves.
    security.acme.domains = genAttrs ["dirty-haskell.org" "141.li" "xmpp.li" "yggdrasil.li" "praseodym.org" "rheperire.org" "kleen.li" "nights.email"] (domain: { wildcard = true; });

    # Certificate state (private keys included) lives on its own ZFS dataset.
    fileSystems."/var/lib/acme" = {
      device = "surtr/safe/var-lib-acme";
      fsType = "zfs";
    };

    security.acme = {
      acceptTerms = true;
      preliminarySelfsigned = true; # DNS challenge is slow
      defaults.email = "phikeebaogobaegh@141.li";

      # One cert per entry of security.acme.domains, all via the exec DNS
      # provider backed by the knotc hook above.
      certs =
        let
          domainAttrset = domain: {
            inherit domain;
            extraDomainNames = optional cfg.domains.${domain}.wildcard "*.${domain}";
            dnsProvider = "exec";
            credentialsFile = knotDNSCredentials domain;
            # Propagation is checked against an external resolver, not knot itself.
            dnsResolver = "1.1.1.1:53";
            keyType = "rsa4096"; # we don't like NIST curves
          } // cfg.domains.${domain}.certCfg;
        in genAttrs (attrNames cfg.domains) domainAttrset;
    };

    # The acme-<domain> units need a running knot and write access to its
    # control socket.  AF_UNIX is added to whatever RestrictAddressFamilies
    # the acme module already sets (list options merge) so the hook can reach
    # knot.sock — NOTE(review): presumably the module already allows
    # AF_INET/AF_INET6 for lego's ACME traffic; confirm.
    systemd.services =
      let
        serviceAttrset = domain: {
          after = [ "knot.service" ];
          bindsTo = [ "knot.service" ];
          serviceConfig = {
            ReadWritePaths = ["/run/knot/knot.sock"];
            SupplementaryGroups = ["knot"];
            RestrictAddressFamilies = ["AF_UNIX"];
          };
        };
      in mapAttrs' (domain: nameValuePair "acme-${domain}") (genAttrs (attrNames config.security.acme.certs) serviceAttrset);
  };
}