project-wide: RFC2136 DNS Certs

2026-02-09 12:29:19 -08:00 · 2021-04-26 00:35:40 +01:00 · 2021-04-26 00:35:40 +01:00 · 1645b38529
commit 1645b38529
parent 4b4c855d28
3 changed files with 26 additions and 1 deletions
--- a/hosts/athame/nixos/default.nix
+++ b/hosts/athame/nixos/default.nix
@ -29,6 +29,13 @@

  deploy.target = "infra";

+  security.acme.certs."athame.net.kittywit.ch" = {
+    domain = "athame.net.kittywit.ch";
+    dnsProvider = "rfc2136";
+    credentialsFile = config.secrets.files.dns_creds.path;
+    group = "nginx";
+  };
+
  networking = {
    hostName = "athame";
    domain = "kittywit.ch";
--- a/hosts/samhain/nixos/default.nix
+++ b/hosts/samhain/nixos/default.nix
@ -38,6 +38,14 @@ in {
    value.shellCommand = "bitw get infra/hexdns-dynamic -f hostname";
  };

+
+  security.acme.certs."samhain.net.kittywit.ch" = {
+    domain = "samhain.net.kittywit.ch";
+    dnsProvider = "rfc2136";
+    credentialsFile = config.secrets.files.dns_creds.path;
+    group = "nginx";
+  };
+
  fileSystems."/mnt/hex-corn" = {
    device = "storah.net.lilwit.ch:/data/cornbox";
    fsType = "nfs";
--- a/services/nginx.nix
+++ b/services/nginx.nix
@ -1,6 +1,16 @@
-{ config, pkgs, witch, ... }:
+{ config, pkgs, witch, tf, ... }:

 {
+  secrets.files.dns_creds = {
+     text = ''
+     RFC2136_NAMESERVER='ns1.as207960.net'
+     RFC2136_TSIG_ALGORITHM='hmac-sha512.'
+     RFC2136_TSIG_KEY='${tf.variables.glauca_key.ref}'
+     RFC2136_TSIG_SECRET='${tf.variables.glauca_secret.ref}'
+    '';
+  };
+
+
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;