cluster/services/acme-client: move acme config, wait for authoritative DNS to work

2024-08-10 13:35:21 +02:00 · 2024-08-10 13:35:21 +02:00 · d59abfb678
commit d59abfb678
parent a285c57d5b
1 changed files with 37 additions and 0 deletions
--- a/cluster/services/acme-client/client.nix
+++ b/cluster/services/acme-client/client.nix
@ -32,7 +32,10 @@ in
    owner = "acme";
  };

+  security.acme.acceptTerms = true;
+  security.acme.maxConcurrentRenewals = 0;
  security.acme.defaults = {
+    email = depot.lib.meta.adminEmail;
    extraLegoFlags = lib.flatten [
      (map (x: [ "--dns.resolvers" x ]) authoritativeServers)
      "--dns-timeout" "30"
@ -42,4 +45,38 @@ in
      EXEC_ENV_FILE=${config.age.secrets.acmeDnsApiKey.path}
    '';
  };
+
+  systemd.services = lib.mapAttrs' (name: value: {
+    name = "acme-${name}";
+    value = {
+      distributed.enable = value.dnsProvider != null;
+      preStart = let
+        serverList = lib.pipe authoritativeServers [
+          (map (x: "@${x}"))
+          (map (lib.replaceStrings [":53"] [""]))
+          lib.escapeShellArgs
+        ];
+        domainList = lib.pipe ([ value.domain ] ++ value.extraDomainNames) [
+          (map (x: "${x}."))
+          (map (lib.replaceStrings ["*"] ["x"]))
+          lib.unique
+          lib.escapeShellArgs
+        ];
+      in ''
+        echo Testing availability of authoritative DNS servers
+        for i in {1..60}; do
+          ${pkgs.dig}/bin/dig +short ${serverList} ${domainList} >/dev/null && break
+          echo Retry [$i/60]
+          sleep 10
+        done
+        echo Available
+      '';
+      serviceConfig = {
+        Restart = "on-failure";
+        RestartMaxDelaySec = 30;
+        RestartStesp = 5;
+        RestartMode = "direct";
+      };
+    };
+  }) config.security.acme.certs;
 }