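# dn42 integration module for a host whose public FQDN ends in ".zaphyra.eu".
#
# When `enable` is set it:
#   * publishes an AAAA record for the host in the zaphyra.dn42 zone,
#   * requests a certificate for <host>.zaphyra.dn42 from the dn42 ACME
#     directory configured below and serves it through nginx,
#   * sends DNS queries for dn42 names to the dn42 resolver only,
#   * adds the dn42 root CA to the system trust store,
#   * writes /etc/whois.conf so dn42 objects are looked up at whois.dn42.
{
  inputs,
  povSelf,
  pkgs,
  lib,
  config,
  hostConfig,
  ...
}:
let
  inherit (lib) types;

  # This module's own option subtree, located via the path passed as povSelf.
  cfg = lib.getAttrFromPath povSelf config;

  # Host part of the public FQDN, e.g. "host.zaphyra.eu" -> "host".
  hostLabel = lib.removeSuffix ".zaphyra.eu" config.networking.fqdn;

  # Name under which the host is reachable inside dn42.
  dn42Fqdn = "${hostLabel}.zaphyra.dn42";
in
{
  options.enable = {
    type = types.bool;
    default = false;
  };

  config = lib.mkIf cfg.enable {
    dns.zones."zaphyra.dn42".subdomains."${hostLabel}" = {
      AAAA = [ hostConfig.networking.dn42Address ];
    };

    # dnsProvider = null disables DNS-01; validation then goes through the
    # nginx virtual host below (enableACME).
    security.acme.certs.${dn42Fqdn} = {
      server = "https://acme.burble.dn42/v1/dn42/acme/directory";
      validMinDays = 20;
      keyType = "ec384";
      dnsProvider = null;
    };

    services.nginx = {
      enable = true;
      virtualHosts.${dn42Fqdn} = {
        enableACME = true;
        forceSSL = true;
        kTLS = true;
      };
    };

    services.resolved = {
      enable = true;
      # Only used by systemd-resolved when no other DNS server is known.
      # Both addresses are Google Public DNS, so queries made in that
      # situation leave the host for a third-party resolver.
      fallbackDns = [
        "8.8.8.8"
        "2001:4860:4860::8844"
      ];
    };

    systemd.network = {
      networks."20-dn42" = {
        matchConfig.Name = "dn42";
        routes = [
          { Destination = "fd00::/8"; }
        ];
        networkConfig = {
          # Never use the dn42 resolver for names outside the domains below.
          DNSDefaultRoute = false;
          DNS = [ "fd6b:6174:6a61::1" ];
          # Both entries are routing-only ("~"). Without the tilde
          # "d.f.ip6.arpa" was a search domain as well, so single-label
          # host names were also tried as <name>.d.f.ip6.arpa and sent to
          # the dn42 resolver.
          Domains = [
            "~dn42"
            "~d.f.ip6.arpa"
          ];
        };
      };
    };

    modules.services.prometheusExporters.domain = dn42Fqdn;

    # Trust anchor for certificates issued inside dn42. It is added to the
    # system-wide trust store, so every TLS client on this host accepts it.
    # NOTE(review): decoding the certificate suggests it carries a
    # non-critical nameConstraints extension permitting only ".dn42",
    # 172.20.0.0/14 and fd42::/16. Confirm with
    # `openssl x509 -noout -text`, and check that the TLS libraries in use
    # enforce name constraints before relying on that limit.
    security.pki.certificates = [
      # dn42 root ca
      ''
        -----BEGIN CERTIFICATE-----
        MIID8DCCAtigAwIBAgIFIBYBAAAwDQYJKoZIhvcNAQELBQAwYjELMAkGA1UEBhMC
        WEQxDTALBgNVBAoMBGRuNDIxIzAhBgNVBAsMGmRuNDIgQ2VydGlmaWNhdGUgQXV0
        aG9yaXR5MR8wHQYDVQQDDBZkbjQyIFJvb3QgQXV0aG9yaXR5IENBMCAXDTE2MDEx
        NjAwMTIwNFoYDzIwMzAxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJYRDENMAsGA1UE
        CgwEZG40MjEjMCEGA1UECwwaZG40MiBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAd
        BgNVBAMMFmRuNDIgUm9vdCBBdXRob3JpdHkgQ0EwggEiMA0GCSqGSIb3DQEBAQUA
        A4IBDwAwggEKAoIBAQDBGRDeAYYR8YIMsNTl/5rI46r0AAiCwM9/BXohl8G1i6PR
        VO76BA931VyYS9mIGMEXEJLlJPrvYetdexHlvrqJ8mDJO4IFOnRUYCNmGtjNKHvx
        6lUlmowEoP+dSFRMnbwtoN9xrmRHDed1BfTFAirSDL6jY1RiK60p62oIpF6o6/FS
        FE7RXUEv0xm65II2etGj8oT2B7L2DDDb23bu6RQFx491tz/V1TVW0JJE3yYeAPqu
        y3rJUGddafj5/SWnHdtAsUK8RVfhyRxCummAHuolmRKfbyOj0i5KzRXkfEn50cDw
        GQwVUM6mUbuqFrKC7PRhRIwc3WVgBHewTZlnF/sJAgMBAAGjgaowgacwDgYDVR0P
        AQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFR2iLLAtTDQ/E/J
        bTv5jFURrBUVMB8GA1UdIwQYMBaAFFR2iLLAtTDQ/E/JbTv5jFURrBUVMEQGA1Ud
        HgQ9MDugOTAHggUuZG40MjAKhwisFAAA//wAADAihyD9QgAAAAAAAAAAAAAAAAAA
        //8AAAAAAAAAAAAAAAAAADANBgkqhkiG9w0BAQsFAAOCAQEAXKQ7QaCBaeJxmU11
        S1ogDSrZ7Oq8jU+wbPMuQRqgdfPefjrgp7nbzfUW5GrL58wqj+5/FAqltflmSIHl
        aB4MpqM8pyvjlc/jYxUNFglj2WYxO0IufBrlKI5ePZ4omUjpR4YR4gQpYCuWlZmu
        P6v/P0WrfgdFTk0LGEA9OwKcTqkPpcI/SjB3rmZcs42yQWvimAF94GtScE09uKlI
        9QLS2UBmtl5EJRFVrDEC12dyamq8dDRfddyaT4MoQOAq3D9BQ1pHByu3pz/QFaJC
        1zAi8vbktPY7OMprTOc8pHDL3q8KFP8jJcoEzZ5Jw0vkCrULhLXvtFtjB0djzVxQ
        C0IKqQ==
        -----END CERTIFICATE-----
      ''
    ];

    # Each line is "<regex> <whois server>". The last pattern used to be
    # "^fd**:****:…", which treats "*" as a glob wildcard; as a regular
    # expression "*" is a quantifier, so it did not describe an fdxx: prefix
    # and, with a permissive regex engine, could match any query starting
    # with "f". It is now an explicit ULA pattern: fd + two hex digits, then
    # hex groups and colons, with an optional prefix length.
    environment.etc."whois.conf".text = ''
      \.dn42$ whois.dn42
      \-DN42$ whois.dn42
      # dn42 range 64512-65534
      ^as6(4(5(1[2-9]|[2-9][0-9])|[6-9][0-9]{2})|5([0-4][0-9]{2}|5([0-2][0-9]|3[0-4])))$ whois.dn42
      # dn42 range 76100-76199
      ^as761[0-9][0-9]$ whois.dn42
      # dn42 range 4242420000-4242429999
      ^as424242[0-9]{4}$ whois.dn42
      # dn42 ipv4 address space
      ^172\.2[0-3]\.[0-9]{1,3}\.[0-9]{1,3}(/(1[56789]|2[0-9]|3[012]))?$ whois.dn42
      # dn42 ula ipv6 address space
      ^fd[0-9a-f]{2}:[0-9a-f:]*(/[0-9]{1,3})?$ whois.dn42
    '';
  };
}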