diff --git a/.sops.yaml b/.sops.yaml
index 6da789a..9e8aa75 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,4 +1,5 @@
 keys:
+ - &host_burnham age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct
 - &host_challenger age1j43eqpnq5hy6zt3gmdtzdnne2yfvccd832kpt69qavst44leec6sj2l773
 - &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
 - &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
@@ -12,10 +13,16 @@ creation_rules:
 - *user_felixalb
 # Host specific secrets
- - path_regex: secrets/voyager/[^/]+\.yaml$
+ - path_regex: secrets/burnham/[^/]+\.yaml$
 key_groups:
 - age:
- - *host_voyager
+ - *host_burnham
+ - *user_felixalb
+
+ - path_regex: secrets/challenger/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *host_challenger
 - *user_felixalb
 - path_regex: secrets/defiant/[^/]+\.yaml$
@@ -24,8 +31,8 @@ creation_rules:
 - *host_defiant
 - *user_felixalb
- - path_regex: secrets/challenger/[^/]+\.yaml$
+ - path_regex: secrets/voyager/[^/]+\.yaml$
 key_groups:
 - age:
- - *host_challenger
+ - *host_voyager
 - *user_felixalb
diff --git a/common/domeneshop-dyndns.nix b/common/domeneshop-dyndns.nix
new file mode 100644
index 0000000..d4cdd7c
--- /dev/null
+++ b/common/domeneshop-dyndns.nix
@@ -0,0 +1,45 @@
+{ config, pkgs, lib, ... }:
+
+let
+ cfg = config.services.domeneshop-dyndns;
+in {
+ options.services.domeneshop-dyndns = {
+ enable = lib.mkEnableOption "Domeneshop DynDNS";
+
+ domain = lib.mkOption {
+ type = lib.types.str;
+ description = "Domain name to configure";
+ };
+
+ environmentFile = lib.mkOption {
+ type = lib.types.path;
+ description = "Path to the file that sets DDNS_TOKEN and DDNS_SERET from https://www.domeneshop.no/admin?view=api";
+ };
+
+ startAt = lib.mkOption {
+ type = lib.types.str;
+ default = "*/10 * * * *";
+ description = "Systemd onCalendar expression for when to run the timer";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.services.domeneshop-dyndns = {
+ serviceConfig.EnvironmentFile = cfg.environmentFile;
+ startAt = cfg.startAt;
+
+ script = ''
+ DNSNAME="${cfg.domain}"
+ NEW_IP="$(${lib.getExe pkgs.curl} --silent https://ipinfo.io/ip)"
+ OLD_IP="$(${lib.getExe pkgs.getent} hosts "$DNSNAME" | ${lib.getExe pkgs.gawk} '{ print $1 }')"
+
+ if [[ "$NEW_IP" != "$OLD_IP" ]]; then
+ echo "Old IP ($OLD_IP) does not match new IP ($NEW_IP), updating..."
+ ${lib.getExe pkgs.curl} --silent "https://$DDNS_TOKEN:$DDNS_SECRET@api.domeneshop.no/v0/dyndns/update?hostname=$DNSNAME&myip=$NEW_IP"
+ else
+ echo "Old IP ($OLD_IP) matches new IP ($NEW_IP), exiting..."
+ fi
+ '';
+ };
+ };
+}
diff --git a/flake.nix b/flake.nix
index a25acfc..69da7a6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -76,6 +76,7 @@
 ({ config, pkgs, ... }: { nixpkgs.overlays = [ pkgs-overlay ]; })
 ./hosts/defiant/configuration.nix
+ ./common/domeneshop-dyndns.nix
 sops-nix.nixosModules.sops
 matrix-synapse-next.nixosModules.default
 home-manager.nixosModules.home-manager {
@@ -113,6 +114,7 @@
 ({ config, pkgs, ... }: { nixpkgs.overlays = [ pkgs-overlay ]; })
 ./hosts/burnham/configuration.nix
+ ./common/domeneshop-dyndns.nix
 sops-nix.nixosModules.sops
 home-manager.nixosModules.home-manager {
 home-manager.useGlobalPkgs = true;
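Review bot: The update call in `script` places `$DDNS_TOKEN:$DDNS_SECRET` inside the URL on curl's command line, where on a typical install without `hidepid` any local process can read it from the process list for the duration of the request, and `--silent` without `--fail` means a 401 or other 4xx from the API still exits 0, so a wrong or rotated token never shows up as a failed unit in the journal. Feeding curl a config on stdin with `--config -` keeps the credentials out of argv, and `--fail --show-error` makes API failures visible to systemd; the same applies to the first `curl` fetching the public address. As far as I recall `getent hosts` prints the AAAA address first when the name has one, so if the domain ever gains an IPv6 record the comparison would mismatch on every run; `getent ahostsv4` limits the lookup to what `myip=` actually carries. The `environmentFile` description has a typo, `DDNS_SERET`, which should read `DDNS_SECRET` to match the variable the script reads. Unless I am mistaken, `*/10 * * * *` is cron field syntax rather than the systemd.time(7) form `startAt` expects (the equivalent would be `*:0/10`), which is worth checking with `systemd-analyze calendar` since it is also the option default.
```nix
script = ''
  DNSNAME="${cfg.domain}"
  NEW_IP="$(${lib.getExe pkgs.curl} --silent --fail https://ipinfo.io/ip)"
  OLD_IP="$(${lib.getExe pkgs.getent} ahostsv4 "$DNSNAME" | ${lib.getExe pkgs.gawk} 'NR == 1 { print $1 }')"

  if [[ "$NEW_IP" != "$OLD_IP" ]]; then
    echo "Old IP ($OLD_IP) does not match new IP ($NEW_IP), updating..."
    # Credentials are handed to curl as a config file on stdin, not on its command line.
    ${lib.getExe pkgs.curl} --silent --fail --show-error --config - <<EOF
  user = "$DDNS_TOKEN:$DDNS_SECRET"
  url = "https://api.domeneshop.no/v0/dyndns/update?hostname=$DNSNAME&myip=$NEW_IP"
  EOF
  # … unchanged: else branch and fi …
'';
```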
diff --git a/hosts/burnham/configuration.nix b/hosts/burnham/configuration.nix
index 39f55ba..a5796af 100644
--- a/hosts/burnham/configuration.nix
+++ b/hosts/burnham/configuration.nix
@@ -11,8 +11,9 @@
 ./services/wireguard.nix
 # Other
- ./services/thelounge.nix
+ ./services/dyndns.nix
 ./services/nginx.nix
+ ./services/thelounge.nix
 ];
 boot.loader.systemd-boot.enable = lib.mkForce false;
@@ -30,7 +31,7 @@
 hostId = "8e24f235";
 };
- # sops.defaultSopsFile = ../../secrets/burnham/burnham.yaml;
+ sops.defaultSopsFile = ../../secrets/burnham/burnham.yaml;
 environment.variables = {
 EDITOR = "vim";
 };
diff --git a/hosts/burnham/services/dyndns.nix b/hosts/burnham/services/dyndns.nix
new file mode 100644
index 0000000..6618417
--- /dev/null
+++ b/hosts/burnham/services/dyndns.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, lib, ... }:
+
+{
+ sops.secrets."domeneshop/env" = { };
+
+ services.domeneshop-dyndns = {
+ enable = true;
+ domain = "site2.feal.no";
+ environmentFile = config.sops.secrets."domeneshop/env".path;
+ };
+}
diff --git a/hosts/defiant/services/dyndns.nix b/hosts/defiant/services/dyndns.nix
index 8bf401b..7ccb3af 100644
--- a/hosts/defiant/services/dyndns.nix
+++ b/hosts/defiant/services/dyndns.nix
@@ -1,26 +1,11 @@
 { config, pkgs, lib, ... }:
-let
- dnsname = "site3.feal.no";
-in {
- # Defines DDNS_TOKEN and DDNS_SECRET from https://domene.shop/admin?view=api
+{
 sops.secrets."domeneshop/env" = { };
- systemd.services.domeneshop-dyndns = {
- serviceConfig.EnvironmentFile = config.sops.secrets."domeneshop/env".path;
- startAt = "*/10 * * * *";
-
- script = ''
- DNSNAME="${dnsname}"
- NEW_IP="$(${lib.getExe pkgs.curl} --silent https://ipinfo.io/ip)"
- OLD_IP="$(${lib.getExe pkgs.getent} hosts "$DNSNAME" | ${lib.getExe pkgs.gawk} '{ print $1 }')"
-
- if [[ "$NEW_IP" != "$OLD_IP" ]]; then
- echo "Old IP ($OLD_IP) does not match new IP ($NEW_IP), updating..."
- ${lib.getExe pkgs.curl} --silent "https://$DDNS_TOKEN:$DDNS_SECRET@api.domeneshop.no/v0/dyndns/update?hostname=$DNSNAME&myip=$NEW_IP"
- else
- echo "Old IP ($OLD_IP) matches new IP ($NEW_IP), exiting..."
- fi
- '';
+ services.domeneshop-dyndns = {
+ enable = true;
+ domain = "site3.feal.no";
+ environmentFile = config.sops.secrets."domeneshop/env".path;
 };
 }
diff --git a/secrets/burnham/burnham.yaml b/secrets/burnham/burnham.yaml
new file mode 100644
index 0000000..e67241d
--- /dev/null
+++ b/secrets/burnham/burnham.yaml
@@ -0,0 +1,31 @@
+domeneshop:
+ env: ENC[AES256_GCM,data:MMzTECLowcUBvpXKKsqOTl03V244VcdO8ddXiboYJJtiPBlmBL4cVTSE3QzzWIlR0iNUlLtQlI9E8RIjys602tNMbWxqaJsyiRAFKS9pnOjhrIVH5dLaXLtxwk2Xp/Spg5aObwmgoP8=,iv:LMR1XBIT2x0RZ92hCTQAlHvOyX+ZXk0PrpGtNAWyLas=,tag:A6r1/+imJ7T4OwZcFIVKcQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ME5FZGNUYyttQ002ZEdk
+ MjZ5YkRGWVE3UTBNVzR6SjV3T01QSnRrcVVvClpiSHFIL3NoOUtjSG9NU3M3T0pS
+ N01DK2RLREFGV2Rnc2ZrR3prL2pRNmMKLS0tIFRzLzNzb2QwTFovOENpeW9LZFVT
+ UWc1ZFFibVBIckVRZWxvbGZVUG1YRUkKlSBUOi8E1D30qVnYoydMM/rmE5uOrbqG
+ MUBb8fk4OC4e8mDs/x/qBMMgMWLnma251Aehg+4SodemJi8RhKhR8g==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZN3lIMHNySFZLdUpTTXh0
+ d0xDTlppY3V4ZGxsL3ZITzJmY2Joa2J6MzJJCmV1MmpSYVZ4OU4wNXlXN1ZmUGdp
+ RFNLcTlmNld4U1Y4VEJRTlZTdXg2ME0KLS0tIHJlQnFrQzFraGhkU0xEVFMxbGlj
+ QUlhZ3dsdkZYbWxyTkNMQSsxNEVocTQK2tugbp8JDQR3KxZoMn8fSVRBc4oBvrhy
+ 0Tz4vhejHbiQt0Xg8Im/1ucFGvbONExi4alu57noRqIoCe4AmNKQ+g==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-07T23:07:39Z"
+ mac: ENC[AES256_GCM,data:NM3a/DiyBZjsZvm+XXW8kyDOL1CpRsEt8Cya6TDJ/CY8259es+y6g9ImAtV1nF+/8X5qVInZ93xxRDWdoDeOG67TwYTgHHkGoz41S4Sf/YyGNzXj3+3eYZt2y4tW/BAWMxN1SiQjWKX4a3WVqs9X8EjmDC6yKFC7EX2DTXt+J1Y=,iv:LVbFCEg4NciZuongxrLTKTOWB1WoUvRfKuDaPxXxr3k=,tag:LSrOva26yn6jdkjP2kDYaA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1