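# Shared TSIG secret for the dedicated acme_web01 key.
#
# This key lets web01 — and only web01 — write _acme-challenge.cnx.network TXT
# records on ns1 to obtain its wildcard (*.cnx.network) TLS cert via ACME DNS-01.
# ns1 scopes it with acl_acme_web01 (attached only to the cnx.network zone) so the
# credential can touch nothing else. ns1 renders this secret into a Knot key file;
# web01 into a lego rfc2136 env file; both must carry the same secret, hence one
# shared generator with a per-host renderer that depends on it. Imported by ns1
# and (via web-proxy.nix) web01.
{ pkgs, ... }:
{
  clan.core.vars.generators.dns-acme-web01-secret = {
    # One value shared by both hosts: each host's renderer depends on this
    # generator instead of producing its own secret.
    share = true;
    # Marked secret so the value is never written to the world-readable store.
    files."secret".secret = true;
    runtimeInputs = [ pkgs.openssl ];
    # 32 random bytes, base64-encoded (44 chars on a single line, no trailing
    # newline) — a valid hmac-sha256 TSIG secret.
    #
    # The value is captured with command substitution rather than piped through
    # `tr -d '\n'`: command substitution already strips the trailing newline, and
    # a pipeline reports only the last command's status, so an openssl failure
    # could silently leave an empty secret file. The explicit checks make the
    # generator fail loudly instead, whether or not the harness runs the script
    # with `set -e` / `pipefail`.
    script = ''
      secret="$(openssl rand -base64 32)" || exit 1
      [ -n "$secret" ] || exit 1
      printf '%s' "$secret" > "$out"/secret
    '';
  };
}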