| author | Alejandro Soto <alejandro@34project.org> | 2025-04-26 14:08:37 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2025-04-26 16:59:02 -0600 |
| commit | bd48c60838871dcf17899aa1f341914880104b6e (patch) | |
| tree | b7944abbe10dd74c0773ae103a58a0cace5e286a /sys/ns/nsd.nix | |
| parent | 1039d1d47a53be0c814a03608e94a9d0e8f4405b (diff) | |
sys/ns: enable acme-dns for DNS-01 challenges
Diffstat (limited to 'sys/ns/nsd.nix')
| -rw-r--r-- | sys/ns/nsd.nix | 59 |
1 files changed, 49 insertions, 10 deletions
diff --git a/sys/ns/nsd.nix b/sys/ns/nsd.nix
index 74fa7dd..1dfa16b 100644
--- a/sys/ns/nsd.nix
+++ b/sys/ns/nsd.nix
@@ -1,15 +1,29 @@
 { config, lib, ... }:
 with lib;
 let
+  inherit (config.networking) domain;
+
   cfg = config.local.ns.server;
+
+  acmeChallengeDomain = "acme-challenge.${domain}";
 in {
-  options.local.ns.server = {
+  options. local. ns. server = {
     enable = mkEnableOption "nsd authoritative server";
     tsigName = mkOption {
       type = types.str;
       default = "NOKEY";
     };
+
+    acme = {
+      apiListen.v6 = mkOption {
+        type = types.str;
+      };
+
+      dnsListen.v6 = mkOption {
+        type = types.str;
+      };
+    };
   };
 
   config = mkIf cfg.enable {
@@ -29,19 +43,44 @@ in
       allowedUDPPorts = [ port ];
     };
 
-    services.nsd = {
-      enable = true;
+    services = {
+      acme-dns = {
+        enable = true;
+        settings = {
+          api = {
+            ip = "[${cfg.acme.apiListen.v6}]";
+            port = 80;
+          };
 
-      ipFreebind = true;
+          general = {
+            domain = acmeChallengeDomain;
+            nsname = acmeChallengeDomain;
+            nsadmin = "hostmaster.${domain}";
 
-      bind8Stats = true;
-      statistics = 3600;
+            listen = "[${cfg.acme.dnsListen.v6}]:53";
 
-      tcpCount = 128;
-      tcpTimeout = 30;
-      tcpQueryCount = 128;
+            records = [
+              "${acmeChallengeDomain}. NS ${acmeChallengeDomain}."
+              "${acmeChallengeDomain}. AAAA ${cfg.acme.dnsListen.v6}"
+            ];
+          };
+        };
+      };
+
+      nsd = {
+        enable = true;
+
+        ipFreebind = true;
 
-      zones = mapAttrs' (name: zone: nameValuePair "${name}." zone.nsdConfig) config.local.ns.zones;
+        bind8Stats = true;
+        statistics = 3600;
+
+        tcpCount = 128;
+        tcpTimeout = 30;
+        tcpQueryCount = 128;
+
+        zones = mapAttrs' (name: zone: nameValuePair "${name}." zone.nsdConfig) config.local.ns.zones;
+      };
     };
   };
 }
|
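Review bot: The new `acme.apiListen.v6` and `acme.dnsListen.v6` options carry no `description`, and `types.str` accepts any string even though both values are spliced into bracketed socket addresses (`"[${…}]"`) in the second hunk, so an IPv4 literal or a hostname would silently yield an unbindable listen string. Consider `description = "IPv6 address (without brackets) the acme-dns HTTP API binds to";` and the equivalent for `dnsListen.v6`, or tighten the type with `types.strMatching` to an IPv6 literal. The attribute path is also printed as `options. local. ns. server` on the new side; if that spacing is real rather than a rendering artifact, it should be dropped so the path reads like the removed line.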
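Review bot: The acme-dns API is configured as plain HTTP on port 80 (`ip = "[${cfg.acme.apiListen.v6}]"; port = 80;`) and leaves the registration endpoint at acme-dns's default, which is open, so anything able to reach that address can register accounts and the per-client credentials sent by legitimate `/update` calls travel in cleartext headers. If the address is only reachable over a trusted path (a ULA or tunnel address — not confirmable from this hunk), document that assumption with a comment beside `port = 80;`; otherwise set `disable_registration = true;` once the clients are registered and either enable acme-dns's own TLS or put a TLS terminator in front of the API. Whether TCP 80 and TCP/UDP 53 on the acme-dns addresses are opened in the firewall, and whether nsd's interface list excludes `cfg.acme.dnsListen.v6` so the two daemons do not contend for :53, is decided outside this hunk. The enclosing `config = mkIf cfg.enable { … }` attrset starts in the previous hunk.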
