modules(acme-dns): init

2021-07-24 22:38:42 +02:00 · 2021-07-24 22:38:42 +02:00 · e8305b7435
commit e8305b7435
parent 80c1d3e124
2 changed files with 109 additions and 0 deletions
--- a/modules/default.nix
+++ b/modules/default.nix
@ -1,2 +1,3 @@
 {
+  acme-dns = ./servers/acme-dns.nix;
 }
--- a/modules/servers/acme-dns.nix
+++ b/modules/servers/acme-dns.nix
@ -0,0 +1,108 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.acme-dns;
+  tomlFormat = pkgs.formats.toml;
+  configFile = tomlFormat.generate "acme-dns.cfg" cfg.settings;
+in
+  {
+    options.services.acme-dns = {
+      package = mkOption {
+        type = types.package;
+        default = pkgs.rz.acme-dns;
+        defaultText = "pkgs.rz.acme-dns";
+      };
+      stateDir = mkOption {
+        type = types.str;
+        default = "/var/lib/acme-dns";
+      };
+      domain = mkOption {
+        type = types.str;
+      };
+      nsname = mkOption {
+        type = types.str;
+      };
+      nsadmin = mkOption {
+        type = types.str;
+      };
+      records = mkOption {
+        type = types.listOf types.str;
+      };
+      api.port = mkOption {
+        type = types.port;
+        default = 8090;
+      };
+      api.listen = mkOption {
+        type = types.str;
+        default = "127.0.0.1";
+      };
+      dns.port = mkOption {
+        type = types.port;
+        default = 53;
+      };
+      dns.listen = mkOption {
+        type = types.str;
+        default = "127.0.0.1";
+      };
+      settings = mkOption {
+        type = types.attrs;
+        default = {
+          general = {
+            listen = "${cfg.dns.listen}:${toString cfg.dns.port}";
+            protocol = "both";
+            domain = cfg.domain;
+            nsname = cfg.nsname;
+            nsadmin = cfg.nsadmin;
+            records = cfg.records;
+            debug = false;
+          };
+
+          database = {
+            engine = "sqlite";
+            connection = "${cfg.stateDir}/acme-dns.db";
+          };
+
+          api = {
+            ip = cfg.api.isten;
+            disable_registration = false;
+            port = cfg.api.port;
+            tls = "none";
+            notification_email = cfg.security.acme.email;
+            corsorigins = [ "*" ];
+            use_header = false;
+            header_name = "X-Forwarded-For";
+          };
+
+          logconfig = {
+            loglevel = "debug";
+            logtype = "stdout";
+            logformat = "text";
+          };
+        };
+      };
+    };
+
+    config = {
+      systemd.services.acme-dns = {
+        description = "ACME-DNS name server for ACME DNS challenges";
+
+        after = [ "network.target" ];
+        wantedBy = [ "multi-user.target" ];
+
+        DynamicUser = true;
+
+        startLimitBurst = 4;
+        startLimitIntervalSec = 5 * 60;  # 5 mins
+        serviceConfig = {
+          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
+          DynamicUser = true;
+          ExecStart = "${cfg.package}/bin/acme-dns -d -c ${configFile}";
+          Restart = "always";
+          RestartSec = "4s";
+        };
+      };
+    };
+  }
+