{ config, pkgs, lib, ... }: with lib; let name = "acme"; cfg = config.services.skynet."${name}"; in { imports = []; options.services.skynet."${name}" = { domains = lib.mkOption { default = []; type = lib.types.listOf lib.types.str; description = '' A list of domains to use for this server. ''; }; }; config = { # group that will own the certificates users.groups.acme = {}; age.secrets.acme.file = ../secrets/dns_certs.secret.age; security.acme = { preliminarySelfsigned = false; acceptTerms = true; defaults = { email = "admin_acme@skynet.ie"; credentialsFile = config.age.secrets.acme.path; # we use our own dns authorative server for verifying we own the domain. dnsProvider = "rfc2136"; }; certs = { "skynet" = { domain = "skynet.ie"; extraDomainNames = lists.naturalSort cfg.domains; }; }; }; }; }