From bfd7a4214c7ba6881d80845115bc9f3953524d3f Mon Sep 17 00:00:00 2001
From: Max
Date: Mon, 4 Dec 2023 19:23:31 +0100
Subject: [PATCH] cluster/services/acme-client: switch to acme-dns with custom script
---
 cluster/services/acme-client/client.nix | 47 +++++++++++++++++++++----
 1 file changed, 41 insertions(+), 6 deletions(-)
diff --git a/cluster/services/acme-client/client.nix b/cluster/services/acme-client/client.nix
index 53cae09..ecc92c1 100644
--- a/cluster/services/acme-client/client.nix
+++ b/cluster/services/acme-client/client.nix
@@ -1,10 +1,45 @@
-{ cluster, config, pkgs, ... }:
+{ cluster, config, depot, lib, pkgs, ... }:
+
+let
+ authoritativeServers = map
+ (node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple)
+ cluster.config.services.dns.nodes.authoritative;
+
+ execScript = pkgs.writeShellScript "acme-dns-exec" ''
+ action="$1"
+ subdomain="''${2%.${depot.lib.meta.domain}.}"
+ key="$3"
+ umask 77
+ source "$EXEC_ENV_FILE"
+ headersFile="$(mktemp)"
+ echo "X-Direct-Key: $ACME_DNS_DIRECT_STATIC_KEY" > "$headersFile"
+ case "$action" in
+ present)
+ for i in {1..5}; do
+ ${pkgs.curl}/bin/curl -X POST -s -f -H "@$headersFile" \
+ "${cluster.config.links.acmeDnsApi.url}/update" \
+ --data '{"subdomain":"'"$subdomain"'","txt":"'"$key"'"}' && break
+ sleep 5
+ done
+ ;;
+ esac
+ '';
+in
 {
- age.secrets.pdns-api-key-acme = cluster.config.vars.pdns-api-key-secret // { owner = "acme"; };
+ age.secrets.acmeDnsApiKey = {
+ file = ../dns/acme-dns-direct-key.age;
+ owner = "acme";
+ };
- security.acme.defaults.credentialsFile = pkgs.writeText "acme-pdns-credentials" ''
- PDNS_API_URL=${cluster.config.links.powerdns-api.url}
- PDNS_API_KEY_FILE=${config.age.secrets.pdns-api-key-acme.path}
- '';
+ security.acme.defaults = {
+ extraLegoFlags = lib.flatten [
+ (map (x: [ "--dns.resolvers" x ]) authoritativeServers)
+ "--dns-timeout" "30"
+ ];
+ credentialsFile = pkgs.writeText "acme-exec-config" ''
+ EXEC_PATH=${execScript}
+ EXEC_ENV_FILE=${config.age.secrets.acmeDnsApiKey.path}
+ '';
+ };
 }
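Review bot: When all five curl attempts fail, the `acme-dns-exec` script still exits 0, because a script's status is that of its last command and the last command run in the loop is `sleep 5`, so lego proceeds as if the TXT record had been published and the real cause only surfaces later as a propagation or validation timeout. A second issue in the same script is that the `X-Direct-Key` header is written to a `mktemp` file that is never removed, so the static acme-dns key lingers in `$TMPDIR` after every run (mode 0600 thanks to `umask 77`, but persistent and not rotated). Add `trap 'rm -f "$headersFile"' EXIT` right after the `mktemp` line, change `&& break` to `&& exit 0`, and put `echo "acme-dns update failed after 5 attempts" >&2; exit 1` after `done` so lego sees the failure. The JSON body is assembled by string concatenation with no escaping; that is presumably safe because lego's `key` is base64url and `subdomain` is derived from the challenge name, but a one-line comment stating that assumption would help the next reader. Likewise the unhandled `cleanup` action looks intentional (acme-dns has no delete endpoint and overwrites TXT values on the next `/update`), and the `case` deserves a comment saying so.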