Platform 23.11 #96
1 changed files with 41 additions and 6 deletions
|
@ -1,10 +1,45 @@
|
||||||
{ cluster, config, pkgs, ... }:
|
{ cluster, config, depot, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
authoritativeServers = map
|
||||||
|
(node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple)
|
||||||
|
cluster.config.services.dns.nodes.authoritative;
|
||||||
|
|
||||||
|
execScript = pkgs.writeShellScript "acme-dns-exec" ''
|
||||||
|
action="$1"
|
||||||
|
subdomain="''${2%.${depot.lib.meta.domain}.}"
|
||||||
|
key="$3"
|
||||||
|
umask 77
|
||||||
|
source "$EXEC_ENV_FILE"
|
||||||
|
headersFile="$(mktemp)"
|
||||||
|
echo "X-Direct-Key: $ACME_DNS_DIRECT_STATIC_KEY" > "$headersFile"
|
||||||
|
case "$action" in
|
||||||
|
present)
|
||||||
|
for i in {1..5}; do
|
||||||
|
${pkgs.curl}/bin/curl -X POST -s -f -H "@$headersFile" \
|
||||||
|
"${cluster.config.links.acmeDnsApi.url}/update" \
|
||||||
|
--data '{"subdomain":"'"$subdomain"'","txt":"'"$key"'"}' && break
|
||||||
|
sleep 5
|
||||||
|
done
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
age.secrets.pdns-api-key-acme = cluster.config.vars.pdns-api-key-secret // { owner = "acme"; };
|
age.secrets.acmeDnsApiKey = {
|
||||||
|
file = ../dns/acme-dns-direct-key.age;
|
||||||
|
owner = "acme";
|
||||||
|
};
|
||||||
|
|
||||||
security.acme.defaults.credentialsFile = pkgs.writeText "acme-pdns-credentials" ''
|
security.acme.defaults = {
|
||||||
PDNS_API_URL=${cluster.config.links.powerdns-api.url}
|
extraLegoFlags = lib.flatten [
|
||||||
PDNS_API_KEY_FILE=${config.age.secrets.pdns-api-key-acme.path}
|
(map (x: [ "--dns.resolvers" x ]) authoritativeServers)
|
||||||
'';
|
"--dns-timeout" "30"
|
||||||
|
];
|
||||||
|
credentialsFile = pkgs.writeText "acme-exec-config" ''
|
||||||
|
EXEC_PATH=${execScript}
|
||||||
|
EXEC_ENV_FILE=${config.age.secrets.acmeDnsApiKey.path}
|
||||||
|
'';
|
||||||
|
};
|
||||||
}
|
}
|
||||||
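Review bot: The retry loop in `execScript` never reports failure: when all five `curl` attempts fail, the `for` loop's exit status is that of the final `sleep`, so the script exits 0 and lego goes on to a challenge that cannot succeed, with the real cause hidden by `-s`. The `mktemp` file carrying `X-Direct-Key` is also never removed, so a copy of the static acme-dns key is left in the temp directory on every run (readable only by `acme` thanks to `umask 77`, but still an unnecessary leak). Exit non-zero after the retries are exhausted, log to stderr, and remove the header file via an `EXIT` trap; `cleanup` is left unhandled, which appears intentional for acme-dns, but a comment stating so would spare the next reader the question. The JSON body is built by splicing `$subdomain` and `$key` into a string; those values come from lego rather than an untrusted caller, so it is not an injection surface today, but `jq -n --arg` would be more robust if the inputs ever change.
```nix
    headersFile="$(mktemp)"
    trap 'rm -f "$headersFile"' EXIT
    echo "X-Direct-Key: $ACME_DNS_DIRECT_STATIC_KEY" > "$headersFile"
    case "$action" in
      present)
        for i in {1..5}; do
          ${pkgs.curl}/bin/curl -X POST -sS -f -H "@$headersFile" \
            "${cluster.config.links.acmeDnsApi.url}/update" \
            --data '{"subdomain":"'"$subdomain"'","txt":"'"$key"'"}' && exit 0
          sleep 5
        done
        echo "acme-dns-exec: update of $subdomain failed after 5 attempts" >&2
        exit 1
        ;;
      # cleanup: intentionally a no-op; acme-dns keeps only the two most recent TXT values per subdomain
    esac
```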
|
|