From 3bffd7b8f564fcb39e8fe7cfa60429cc55eadbf0 Mon Sep 17 00:00:00 2001
From: CroneKorkN
Date: Sun, 10 May 2026 18:23:21 +0200
Subject: [PATCH] bind-acme: guard against letsencrypt clients without internal LAN
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The acme_zone reactor's first ACL branch iterates nodes that have letsencrypt/domains and reads their network/internal/ipv4. Until now that crashed for any node with letsencrypt but no internal LAN — the node had to either fake a network/internal/ipv4 or skip TLS. Add a `metadata.get(..., None)` guard to filter such nodes out of this branch. The wireguard branch below already covers them (any node with the wireguard bundle gets its wireguard/my_ip into the ACL), so ACME DNS-01 reachability still works for cross-Internet nodes that join the fleet via wireguard. Surfaced by ovh.left4me: dedicated server with no Hetzner/internal network, reachable from the bind-acme node only via wireguard.
---
 bundles/bind-acme/metadata.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/bundles/bind-acme/metadata.py b/bundles/bind-acme/metadata.py
index eae945f..25e1f68 100644
--- a/bundles/bind-acme/metadata.py
+++ b/bundles/bind-acme/metadata.py
@@ -33,6 +33,7 @@ def acme_zone(metadata):
 str(ip_interface(other_node.metadata.get('network/internal/ipv4')).ip)
 for other_node in repo.nodes
 if other_node.metadata.get('letsencrypt/domains', {})
+ and other_node.metadata.get('network/internal/ipv4', None)
 },
 *{
 str(ip_interface(other_node.metadata.get('wireguard/my_ip')).ip)
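Review bot: The added filter makes a letsencrypt node without network/internal/ipv4 disappear from this ACL branch silently, so a node that also lacks the wireguard path gets no ACL entry at all and its DNS-01 updates are refused at renewal time instead of failing at metadata build; failing closed is the right default for an update ACL, but the exclusion should be visible. Consider raising from acme_zone when a node has letsencrypt/domains but neither an internal ipv4 nor a wireguard/my_ip, or at minimum a comment on the new line, `# no internal LAN: node must reach this zone via wireguard (next branch)`. The `, None` default on the new `.get` is redundant, since `.get('network/internal/ipv4')` already returns None, and it differs from the `{}` default used on the line above. acme_zone starts and ends outside the hunk, so the wireguard branch's own filter condition is not visible here and the commit message's claim that it covers every such node is taken on trust.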