From 21040b6bca7be6cbacc8961cabd2ddaef9e47d28 Mon Sep 17 00:00:00 2001 From: Max Date: Sat, 10 Aug 2024 13:35:21 +0200 Subject: [PATCH] cluster/services/acme-client: move acme config, wait for authoritative DNS to work --- cluster/services/acme-client/client.nix | 37 +++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/cluster/services/acme-client/client.nix b/cluster/services/acme-client/client.nix index ecc92c1..98c49d9 100644 --- a/cluster/services/acme-client/client.nix +++ b/cluster/services/acme-client/client.nix @@ -32,7 +32,10 @@ in owner = "acme"; }; + security.acme.acceptTerms = true; + security.acme.maxConcurrentRenewals = 0; security.acme.defaults = { + email = depot.lib.meta.adminEmail; extraLegoFlags = lib.flatten [ (map (x: [ "--dns.resolvers" x ]) authoritativeServers) "--dns-timeout" "30" @@ -42,4 +45,38 @@ in EXEC_ENV_FILE=${config.age.secrets.acmeDnsApiKey.path} ''; }; + + systemd.services = lib.mapAttrs' (name: value: { + name = "acme-${name}"; + value = { + distributed.enable = value.dnsProvider != null; + preStart = let + serverList = lib.pipe authoritativeServers [ + (map (x: "@${x}")) + (map (lib.replaceStrings [":53"] [""])) + lib.escapeShellArgs + ]; + domainList = lib.pipe ([ value.domain ] ++ value.extraDomainNames) [ + (map (x: "${x}.")) + (map (lib.replaceStrings ["*"] ["x"])) + lib.unique + lib.escapeShellArgs + ]; + in '' + echo Testing availability of authoritative DNS servers + for i in {1..60}; do + ${pkgs.dig}/bin/dig +short ${serverList} ${domainList} >/dev/null && break + echo Retry [$i/60] + sleep 10 + done + echo Available + ''; + serviceConfig = { + Restart = "on-failure"; + RestartMaxDelaySec = 30; + RestartStesp = 5; + RestartMode = "direct"; + }; + }; + }) config.security.acme.certs; }