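{ config, pkgs, ... }:

let
  knotCfg = config.services.knot;

  # Environment file handed to lego's `exec` DNS provider.  It carries no
  # secrets (only the hook path and a propagation timeout), so keeping it in
  # the world-readable Nix store is fine.  EXEC_PROPAGATION_TIMEOUT is the
  # number of seconds lego waits for the TXT record to become visible before
  # asking the CA to validate.
  knotDNSCredentials = zone: pkgs.writeText "lego-credentials" ''
    EXEC_PATH=${knotDNSExec zone}/bin/update-dns.sh
    EXEC_PROPAGATION_TIMEOUT=600
  '';

  # Hook invoked by lego as `update-dns.sh <present|cleanup> <fqdn> <value>`.
  # It adds or removes the ACME challenge TXT record for `fqdn` in the Knot
  # zone `zone` inside a knotc zone transaction.
  #
  # The requested operation is validated before the transaction is opened,
  # and a failing update aborts the transaction instead of leaving it open
  # (with `-e`, a failed zone-set would otherwise exit while the zone is
  # still in an uncommitted transaction).
  knotDNSExec = zone: pkgs.writeScriptBin "update-dns.sh" ''
    #!${pkgs.zsh}/bin/zsh -xe

    knotc=${knotCfg.cliWrappers}/bin/knotc

    mode=$1
    fqdn=$2
    challenge=$3

    # lego passes the fqdn with a trailing dot; strip the zone suffix to get
    # the owner name relative to the zone apex (e.g. "_acme-challenge").
    owner=''${fqdn%".${zone}."}

    # Decide what to do before touching the zone, so an unknown mode never
    # opens a transaction.
    case "''${mode}" in
      present) op=(zone-set   "${zone}" "''${owner}" 300 TXT "''${challenge}") ;;
      cleanup) op=(zone-unset "${zone}" "''${owner}"     TXT "''${challenge}") ;;
      *)       echo "update-dns.sh: unknown mode ''${mode}" >&2; exit 2 ;;
    esac

    "$knotc" zone-begin "${zone}"
    if ! "$knotc" "''${op[@]}"; then
      # Roll back so the zone is not left in an open transaction.
      "$knotc" zone-abort "${zone}"
      exit 1
    fi
    "$knotc" zone-commit "${zone}"
  '';
in
{
  config = {
    # Persist ACME state (account key, issued certificates) on a dedicated
    # ZFS dataset.
    fileSystems."/var/lib/acme" = {
      device = "surtr/safe/var-lib-acme";
      fsType = "zfs";
    };

    security.acme = {
      # NOTE(review): this is the Let's Encrypt *staging* directory, so the
      # certificates it issues are not trusted by clients -- presumably
      # intentional while the DNS hook is being tested; confirm before
      # relying on the issued certificates.
      server = "https://acme-staging-v02.api.letsencrypt.org/directory";
      acceptTerms = true;
      preliminarySelfsigned = false;
      email = "phikeebaogobaegh@141.li";

      certs = {
        "rheperire.org" = {
          domain = "rheperire.org";
          extraDomainNames = [ "*.rheperire.org" ];
          # The wildcard name requires the DNS-01 challenge; lego's `exec`
          # provider delegates record management to the hook above.
          dnsProvider = "exec";
          credentialsFile = knotDNSCredentials "rheperire.org";
        };
      };
    };

    # The acme service user runs knotc via the hook above; membership of the
    # knot group is presumably what grants it access to knotd's control
    # socket -- confirm against the services.knot socket permissions.
    users.groups."knot".members = [ "acme" ];
  };
}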