authorAlejandro Soto <alejandro@34project.org>2025-04-26 14:08:37 -0600
committerAlejandro Soto <alejandro@34project.org>2025-04-26 16:59:02 -0600
commitbd48c60838871dcf17899aa1f341914880104b6e (patch)
treeb7944abbe10dd74c0773ae103a58a0cace5e286a
parent1039d1d47a53be0c814a03608e94a9d0e8f4405b (diff)
sys/ns: enable acme-dns for DNS-01 challenges
-rw-r--r--sys/ns/ns.nix12
-rw-r--r--sys/ns/nsd.nix59
-rw-r--r--sys/ns/ptr/static-prefix-v6/serial.nix4
3 files changed, 63 insertions, 12 deletions
diff --git a/sys/ns/ns.nix b/sys/ns/ns.nix
index a1b1605..1e74502 100644
--- a/sys/ns/ns.nix
+++ b/sys/ns/ns.nix
@@ -21,6 +21,11 @@ in
options.localNS = {
enable = mkEnableOption "local NS settings";
+ acme = mkOption {
+ default = { };
+ type = attrsOf str;
+ };
+
ptrNet = {
v4 = mkOption {
type = nullOr str;
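Review bot: The new `acme` option carries no `description`, so what its attribute names and values mean is only discoverable from the `cname` mapping later in the file (the `_acme-challenge` prefix, `"@"` standing for the zone apex, the value used as the acme-dns subdomain id). I'd add `description = "Zone-relative names (\"@\" for the apex) mapped to the acme-dns subdomain id that _acme-challenge.<name> is CNAMEd to.";` to the `mkOption`. The enclosing `options.localNS` set continues past the hunk.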
@@ -90,6 +95,13 @@ in
soa = mkIf ptrDomain {
authorityZone = mkDefault "${domain}.";
};
+
+ cname = mapAttrsToList
+ (name: id: {
+ name = "_acme-challenge" + optionalString (name != "@") ".${name}";
+ target = "${id}.acme-challenge.${domain}.";
+ })
+ cfg.acme;
};
}));
};
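Review bot: The `acme-challenge` label in `target` is spelled out here while nsd.nix derives the same zone from `acmeChallengeDomain = "acme-challenge.${domain}"`; the two can drift silently, and a CNAME pointing into a zone acme-dns no longer serves would only surface as a failed DNS-01 validation. I'd make the label (or the full challenge domain) a single option that both files read, for example a new option under `local.ns.server` so that this line becomes `target = "${id}.${<challenge-domain option>}.";`. It is also worth confirming that the parent zone delegates `acme-challenge.${domain}` to the acme-dns listener with an NS record, since this hunk only adds the CNAMEs and no delegation is visible in the diff. The enclosing zone submodule starts before the hunk.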
diff --git a/sys/ns/nsd.nix b/sys/ns/nsd.nix
index 74fa7dd..1dfa16b 100644
--- a/sys/ns/nsd.nix
+++ b/sys/ns/nsd.nix
@@ -1,15 +1,29 @@
{ config, lib, ... }:
with lib; let
+ inherit (config.networking) domain;
+
cfg = config.local.ns.server;
+
+ acmeChallengeDomain = "acme-challenge.${domain}";
in
{
- options.local.ns.server = {
+ options. local. ns. server = {
enable = mkEnableOption "nsd authoritative server";
tsigName = mkOption {
type = types.str;
default = "NOKEY";
};
+
+ acme = {
+ apiListen.v6 = mkOption {
+ type = types.str;
+ };
+
+ dnsListen.v6 = mkOption {
+ type = types.str;
+ };
+ };
};
config = mkIf cfg.enable {
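Review bot: The changed line `options. local. ns. server = {` introduces spaces around the dots of the attribute path; Nix should still parse it as the same path, but it reads as an accidental edit and is the only change on that line, so I'd restore `options.local.ns.server = {`. The two new `acme` options also lack a `description`; at minimum document that `apiListen.v6` and `dnsListen.v6` are bare IPv6 addresses (no brackets, no port), since the consumers in this file wrap them in `[...]` and append the port themselves. The `options` set and the `config = mkIf cfg.enable` block continue past the hunk.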
@@ -29,19 +43,44 @@ in
allowedUDPPorts = [ port ];
};
- services.nsd = {
- enable = true;
+ services = {
+ acme-dns = {
+ enable = true;
+ settings = {
+ api = {
+ ip = "[${cfg.acme.apiListen.v6}]";
+ port = 80;
+ };
- ipFreebind = true;
+ general = {
+ domain = acmeChallengeDomain;
+ nsname = acmeChallengeDomain;
+ nsadmin = "hostmaster.${domain}";
- bind8Stats = true;
- statistics = 3600;
+ listen = "[${cfg.acme.dnsListen.v6}]:53";
- tcpCount = 128;
- tcpTimeout = 30;
- tcpQueryCount = 128;
+ records = [
+ "${acmeChallengeDomain}. NS ${acmeChallengeDomain}."
+ "${acmeChallengeDomain}. AAAA ${cfg.acme.dnsListen.v6}"
+ ];
+ };
+ };
+ };
+
+ nsd = {
+ enable = true;
+
+ ipFreebind = true;
- zones = mapAttrs' (name: zone: nameValuePair "${name}." zone.nsdConfig) config.local.ns.zones;
+ bind8Stats = true;
+ statistics = 3600;
+
+ tcpCount = 128;
+ tcpTimeout = 30;
+ tcpQueryCount = 128;
+
+ zones = mapAttrs' (name: zone: nameValuePair "${name}." zone.nsdConfig) config.local.ns.zones;
+ };
};
};
}
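Review bot: The acme-dns API is bound to port 80 with no `tls` setting and no `disable_registration`, so the registration and update endpoints are served over cleartext HTTP and, unless the module default differs, anyone who can reach `cfg.acme.apiListen.v6` can register new subdomains; once the clients are registered I'd add `disable_registration = true;` to `api` and either put a TLS terminator in front of it or set `tls` to a mode other than `"none"`. The value `ip = "[${cfg.acme.apiListen.v6}]"` should also be checked: if acme-dns combines `api.ip` and `api.port` with `net.JoinHostPort`, the brackets are doubled and the listener fails to bind, whereas `general.listen` is consumed as a full `host:port` string and does need them. Finally, the hunk adds a port-80 listener and a second `:53` listener but only `allowedUDPPorts = [ port ]` is visible in the firewall context, so confirm the firewall rules cover the acme-dns addresses if the firewall is enabled.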
diff --git a/sys/ns/ptr/static-prefix-v6/serial.nix b/sys/ns/ptr/static-prefix-v6/serial.nix
index c09a24a..454b3dd 100644
--- a/sys/ns/ptr/static-prefix-v6/serial.nix
+++ b/sys/ns/ptr/static-prefix-v6/serial.nix
@@ -1,7 +1,7 @@
{
config = {
- soa.serial = 2025042402;
- nullSerialHash = "sha256-92c2046d390891a99618c5cf92efee1cda3549799ef26f1f0ca234e0a105aec8";
+ soa.serial = 2025042600;
+ nullSerialHash = "sha256-a5ce7781b014aa816998410db440dd40278d8b566d1de76e06776a83c9839b35";
};
}