nixos/doc: fix acme dns-01 example

[JasonWoof]

Summary: fix errors with example code in the manual that shows how to set up DNS-01 verification via the acme protocol, e.g. for those who want to get wildcard certificates from Let's Encrypt.

Fix syntax error in nix arrays (there should not be commas.)

Fix permissions on /var/lib/secrets so it can be read by bind daemon. Without this fix bind won't start.

Add the missing feature: put the generated secret into certs.secret

Description of changes

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.11 Release Notes (or backporting 22.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[JasonWoof]

@winterqt We good to go on this? I'm hoping we can get it merged before it bit-rots.

[ck3d]

LGTM

[m1cr0man]

Thanks for updating this. I have one syntax fix but that's it, I'll approve now. I might revamp this entire section of the acme doc since it's still more complex than I think it needs to be.

[m1cr0man]

Slight change: Should be using double quotes here since you want the var from the shell

Suggested change

	RFC2136_TSIG_SECRET='$secret'
	RFC2136_TSIG_SECRET="$secret"

[winterqt]

Yes, this would not work at all due to this -- single quotes don't expand anything.

@JasonWoof Did you test this at all? I ask since it shouldn't work without double quotes here.

Happy to merge once you fix this.

[JasonWoof]

It works with single quotes. That's how it is in the version I'm using.

The single quotes don't interfere with $secret expanding. bash expands variables in that whole line because it's within a <<EOF section

[m1cr0man]

Ah I totally missed that!

[JasonWoof]

I thought you had found a bug until I looked at my in-production working version, and saw that it was working with single quotes. Then I figured out why it works this way :)

[JasonWoof]

anything I can do to help this along?