nur/modules/servers/acme-dns.nix

{ config, pkgs, lib, ... }:

with lib;

let
  cfg = config.services.acme-dns;
  tomlFormat = pkgs.formats.toml;
  configFile = tomlFormat.generate "acme-dns.cfg" cfg.settings;
in
  {
    options.services.acme-dns = {
      package = mkOption {
        type = types.package;
        default = pkgs.rz.acme-dns;
        defaultText = "pkgs.rz.acme-dns";
      };
      stateDir = mkOption {
        type = types.str;
        default = "/var/lib/acme-dns";
      };
      domain = mkOption {
        type = types.str;
      };
      nsname = mkOption {
        type = types.str;
      };
      nsadmin = mkOption {
        type = types.str;
      };
      records = mkOption {
        type = types.listOf types.str;
      };
      api.port = mkOption {
        type = types.port;
        default = 8090;
      };
      api.listen = mkOption {
        type = types.str;
        default = "127.0.0.1";
      };
      dns.port = mkOption {
        type = types.port;
        default = 53;
      };
      dns.listen = mkOption {
        type = types.str;
        default = "127.0.0.1";
      };
      settings = mkOption {
        type = types.attrs;
        default = {
          general = {
            listen = "${cfg.dns.listen}:${toString cfg.dns.port}";
            protocol = "both";
            domain = cfg.domain;
            nsname = cfg.nsname;
            nsadmin = cfg.nsadmin;
            records = cfg.records;
            debug = false;
          };

          database = {
            engine = "sqlite";
            connection = "${cfg.stateDir}/acme-dns.db";
          };

          api = {
            ip = cfg.api.isten;
            disable_registration = false;
            port = cfg.api.port;
            tls = "none";
            notification_email = cfg.security.acme.email;
            corsorigins = [ "*" ];
            use_header = false;
            header_name = "X-Forwarded-For";
          };

          logconfig = {
            loglevel = "debug";
            logtype = "stdout";
            logformat = "text";
          };
        };
      };
    };

    config = {
      systemd.services.acme-dns = {
        description = "ACME-DNS name server for ACME DNS challenges";

        after = [ "network.target" ];
        wantedBy = [ "multi-user.target" ];

        DynamicUser = true;

        startLimitBurst = 4;
        startLimitIntervalSec = 5 * 60;  # 5 mins
        serviceConfig = {
          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
          DynamicUser = true;
          ExecStart = "${cfg.package}/bin/acme-dns -d -c ${configFile}";
          Restart = "always";
          RestartSec = "4s";
        };
      };
    };
  }
modules(acme-dns): init 2021-07-24 22:38:42 +02:00			`{ config, pkgs, lib, ... }:`

			`with lib;`

			`let`
			`cfg = config.services.acme-dns;`
			`tomlFormat = pkgs.formats.toml;`
			`configFile = tomlFormat.generate "acme-dns.cfg" cfg.settings;`
			`in`
			`{`
			`options.services.acme-dns = {`
			`package = mkOption {`
			`type = types.package;`
			`default = pkgs.rz.acme-dns;`
			`defaultText = "pkgs.rz.acme-dns";`
			`};`
			`stateDir = mkOption {`
			`type = types.str;`
			`default = "/var/lib/acme-dns";`
			`};`
			`domain = mkOption {`
			`type = types.str;`
			`};`
			`nsname = mkOption {`
			`type = types.str;`
			`};`
			`nsadmin = mkOption {`
			`type = types.str;`
			`};`
			`records = mkOption {`
			`type = types.listOf types.str;`
			`};`
			`api.port = mkOption {`
			`type = types.port;`
			`default = 8090;`
			`};`
			`api.listen = mkOption {`
			`type = types.str;`
			`default = "127.0.0.1";`
			`};`
			`dns.port = mkOption {`
			`type = types.port;`
			`default = 53;`
			`};`
			`dns.listen = mkOption {`
			`type = types.str;`
			`default = "127.0.0.1";`
			`};`
			`settings = mkOption {`
			`type = types.attrs;`
			`default = {`
			`general = {`
			`listen = "${cfg.dns.listen}:${toString cfg.dns.port}";`
			`protocol = "both";`
			`domain = cfg.domain;`
			`nsname = cfg.nsname;`
			`nsadmin = cfg.nsadmin;`
			`records = cfg.records;`
			`debug = false;`
			`};`

			`database = {`
			`engine = "sqlite";`
			`connection = "${cfg.stateDir}/acme-dns.db";`
			`};`

			`api = {`
			`ip = cfg.api.isten;`
			`disable_registration = false;`
			`port = cfg.api.port;`
			`tls = "none";`
			`notification_email = cfg.security.acme.email;`
			`corsorigins = [ "*" ];`
			`use_header = false;`
			`header_name = "X-Forwarded-For";`
			`};`

			`logconfig = {`
			`loglevel = "debug";`
			`logtype = "stdout";`
			`logformat = "text";`
			`};`
			`};`
			`};`
			`};`

			`config = {`
			`systemd.services.acme-dns = {`
			`description = "ACME-DNS name server for ACME DNS challenges";`

			`after = [ "network.target" ];`
			`wantedBy = [ "multi-user.target" ];`

			`DynamicUser = true;`

			`startLimitBurst = 4;`
			`startLimitIntervalSec = 5 * 60; # 5 mins`
			`serviceConfig = {`
			`AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];`
			`DynamicUser = true;`
			`ExecStart = "${cfg.package}/bin/acme-dns -d -c ${configFile}";`
			`Restart = "always";`
			`RestartSec = "4s";`
			`};`
			`};`
			`};`
			`}`