cluster/services/acme-client/client.nix

@@ -1,10 +1,45 @@
-{ cluster, config, pkgs, ... }:
+{ cluster, config, depot, lib, pkgs, ... }:
+
+let
+  authoritativeServers = map
+    (node: cluster.config.hostLinks.${node}.dnsAuthoritative.tuple)
+    cluster.config.services.dns.nodes.authoritative;
+
+  execScript = pkgs.writeShellScript "acme-dns-exec" ''
+    action="$1"
+    subdomain="''${2%.${depot.lib.meta.domain}.}"
+    key="$3"
+    umask 77
+    source "$EXEC_ENV_FILE"
+    headersFile="$(mktemp)"
+    echo "X-Direct-Key: $ACME_DNS_DIRECT_STATIC_KEY" > "$headersFile"
+    case "$action" in
+      present)
+        for i in {1..5}; do
+          ${pkgs.curl}/bin/curl -X POST -s -f -H "@$headersFile" \
+            "${cluster.config.links.acmeDnsApi.url}/update" \
+            --data '{"subdomain":"'"$subdomain"'","txt":"'"$key"'"}' && break
+          sleep 5
+        done
+        ;;
+    esac
+  '';
+in
 
 {
-  age.secrets.pdns-api-key-acme = cluster.config.vars.pdns-api-key-secret // { owner = "acme"; };
+  age.secrets.acmeDnsApiKey = {
+    file = ../dns/acme-dns-direct-key.age;
+    owner = "acme";
+  };
 
-  security.acme.defaults.credentialsFile = pkgs.writeText "acme-pdns-credentials" ''
-    PDNS_API_URL=${cluster.config.links.powerdns-api.url}
-    PDNS_API_KEY_FILE=${config.age.secrets.pdns-api-key-acme.path}
-  '';
+  security.acme.defaults = {
+    extraLegoFlags = lib.flatten [
+      (map (x: [ "--dns.resolvers" x ]) authoritativeServers)
+      "--dns-timeout" "30"
+    ];
+    credentialsFile = pkgs.writeText "acme-exec-config" ''
+      EXEC_PATH=${execScript}
+      EXEC_ENV_FILE=${config.age.secrets.acmeDnsApiKey.path}
+    '';
+  };
 }