mirror of
https://git.feal.no/felixalb/nixos-config.git
synced 2024-12-22 20:17:31 +01:00
Compare commits
2 Commits
162134d951
...
50dbcfeceb
Author | SHA1 | Date | |
---|---|---|---|
50dbcfeceb | |||
7cd7596d66 |
15
.sops.yaml
15
.sops.yaml
@ -1,4 +1,5 @@
|
||||
keys:
|
||||
- &host_burnham age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct
|
||||
- &host_challenger age1j43eqpnq5hy6zt3gmdtzdnne2yfvccd832kpt69qavst44leec6sj2l773
|
||||
- &host_defiant age128md9emufxu35kgww3a90sw40vvc60f5xul9n9ndvw4lfnj3ndaqq44u64
|
||||
- &host_voyager age14jzavfeg47pgnrstea6yzvh3s3a578nj8hkk8g79vxyzpn86gslscp23qu
|
||||
@ -12,10 +13,16 @@ creation_rules:
|
||||
- *user_felixalb
|
||||
|
||||
# Host specific secrets
|
||||
- path_regex: secrets/voyager/[^/]+\.yaml$
|
||||
- path_regex: secrets/burnham/[^/]+\.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *host_voyager
|
||||
- *host_burnham
|
||||
- *user_felixalb
|
||||
|
||||
- path_regex: secrets/challenger/[^/]+\.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *host_challenger
|
||||
- *user_felixalb
|
||||
|
||||
- path_regex: secrets/defiant/[^/]+\.yaml$
|
||||
@ -24,8 +31,8 @@ creation_rules:
|
||||
- *host_defiant
|
||||
- *user_felixalb
|
||||
|
||||
- path_regex: secrets/challenger/[^/]+\.yaml$
|
||||
- path_regex: secrets/voyager/[^/]+\.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *host_challenger
|
||||
- *host_voyager
|
||||
- *user_felixalb
|
||||
|
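--- a/common/domeneshop-dyndns.nix
+++ b/common/domeneshop-dyndns.nix
@@ -0,0 +1,45 @@
+{ config, pkgs, lib, ... }:
+
+let
+cfg = config.services.domeneshop-dyndns;
+in {
+options.services.domeneshop-dyndns = {
+enable = lib.mkEnableOption "Domeneshop DynDNS";
+
+domain = lib.mkOption {
+type = lib.types.str;
+description = "Domain name to configure";
+};
+
+netrcFile = lib.mkOption {
+type = lib.types.path;
+description = "Path to the file that contains `machine api.domeneshop.no login <DDNS_TOKEN> password <DDNS_SECRET>` from https://domene.shop/admin?view=api";
+};
+
+startAt = lib.mkOption {
+type = lib.types.str;
+default = "*/10 * * * *";
+description = "Systemd onCalendar expression for when to run the timer";
+};
+};
+
+config = lib.mkIf cfg.enable {
+systemd.services.domeneshop-dyndns = {
+serviceConfig.LoadCredential = "netrc:${cfg.netrcFile}";
+startAt = cfg.startAt;
+
+script = ''
+DNSNAME="${cfg.domain}"
+NEW_IP="$(${lib.getExe pkgs.curl} --silent https://ipinfo.io/ip)"
+OLD_IP="$(${lib.getExe pkgs.getent} hosts "$DNSNAME" | ${lib.getExe pkgs.gawk} '{ print $1 }')"
+
+if [[ "$NEW_IP" != "$OLD_IP" ]]; then
+echo "Old IP ($OLD_IP) does not match new IP ($NEW_IP), updating..."
+${lib.getExe pkgs.curl} --silent --netrc-file "$CREDENTIALS_DIRECTORY/netrc" "https://api.domeneshop.no/v0/dyndns/update?hostname=$DNSNAME&myip=$NEW_IP"
+else
+echo "Old IP ($OLD_IP) matches new IP ($NEW_IP), exiting..."
+fi
+'';
+};
+};
+}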
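Review bot: `NEW_IP` in the `script` block is whatever body `https://ipinfo.io/ip` returns, and it is placed unvalidated into the query string of the authenticated update request. Because that lookup runs without `--fail` or a timeout, an empty reply or an error or rate-limit page also compares unequal to `OLD_IP` and triggers an update on every timer run. I would make the lookup `curl --silent --fail --max-time 10 https://ipinfo.io/ip` and, if IPv4-only is intended, add a guard such as `[[ "$NEW_IP" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || { echo "unexpected IP lookup result" >&2; exit 1; }` before the comparison. The update curl also lacks `--fail`, so a rejected credential or an API error still exits 0 and the unit reports success. Since the secret now arrives through `LoadCredential`, the unit should no longer need root; `serviceConfig.DynamicUser = true;` looks applicable, to be confirmed on the host.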
@ -76,6 +76,7 @@
|
||||
({ config, pkgs, ... }: { nixpkgs.overlays = [ pkgs-overlay ]; })
|
||||
|
||||
./hosts/defiant/configuration.nix
|
||||
./common/domeneshop-dyndns.nix
|
||||
sops-nix.nixosModules.sops
|
||||
matrix-synapse-next.nixosModules.default
|
||||
home-manager.nixosModules.home-manager {
|
||||
@ -113,6 +114,7 @@
|
||||
({ config, pkgs, ... }: { nixpkgs.overlays = [ pkgs-overlay ]; })
|
||||
|
||||
./hosts/burnham/configuration.nix
|
||||
./common/domeneshop-dyndns.nix
|
||||
sops-nix.nixosModules.sops
|
||||
home-manager.nixosModules.home-manager {
|
||||
home-manager.useGlobalPkgs = true;
|
||||
|
@ -11,8 +11,9 @@
|
||||
./services/wireguard.nix
|
||||
|
||||
# Other
|
||||
./services/thelounge.nix
|
||||
./services/dyndns.nix
|
||||
./services/nginx.nix
|
||||
./services/thelounge.nix
|
||||
];
|
||||
|
||||
boot.loader.systemd-boot.enable = lib.mkForce false;
|
||||
@ -30,7 +31,7 @@
|
||||
hostId = "8e24f235";
|
||||
};
|
||||
|
||||
# sops.defaultSopsFile = ../../secrets/burnham/burnham.yaml;
|
||||
sops.defaultSopsFile = ../../secrets/burnham/burnham.yaml;
|
||||
|
||||
environment.variables = { EDITOR = "vim"; };
|
||||
|
||||
|
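--- a/hosts/burnham/services/dyndns.nix
+++ b/hosts/burnham/services/dyndns.nix
@@ -0,0 +1,11 @@
+{ config, pkgs, lib, ... }:
+
+{
+sops.secrets."domeneshop/netrc" = { };
+
+services.domeneshop-dyndns = {
+enable = true;
+domain = "site2.feal.no";
+netrcFile = config.sops.secrets."domeneshop/netrc".path;
+};
+}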
@ -1,26 +1,11 @@
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
dnsname = "site3.feal.no";
|
||||
in {
|
||||
# Defines DDNS_TOKEN and DDNS_SECRET from https://domene.shop/admin?view=api
|
||||
sops.secrets."domeneshop/env" = { };
|
||||
{
|
||||
sops.secrets."domeneshop/netrc" = { };
|
||||
|
||||
systemd.services.domeneshop-dyndns = {
|
||||
serviceConfig.EnvironmentFile = config.sops.secrets."domeneshop/env".path;
|
||||
startAt = "*/10 * * * *";
|
||||
|
||||
script = ''
|
||||
DNSNAME="${dnsname}"
|
||||
NEW_IP="$(${lib.getExe pkgs.curl} --silent https://ipinfo.io/ip)"
|
||||
OLD_IP="$(${lib.getExe pkgs.getent} hosts "$DNSNAME" | ${lib.getExe pkgs.gawk} '{ print $1 }')"
|
||||
|
||||
if [[ "$NEW_IP" != "$OLD_IP" ]]; then
|
||||
echo "Old IP ($OLD_IP) does not match new IP ($NEW_IP), updating..."
|
||||
${lib.getExe pkgs.curl} --silent "https://$DDNS_TOKEN:$DDNS_SECRET@api.domeneshop.no/v0/dyndns/update?hostname=$DNSNAME&myip=$NEW_IP"
|
||||
else
|
||||
echo "Old IP ($OLD_IP) matches new IP ($NEW_IP), exiting..."
|
||||
fi
|
||||
'';
|
||||
services.domeneshop-dyndns = {
|
||||
enable = true;
|
||||
domain = "site3.feal.no";
|
||||
netrcFile = config.sops.secrets."domeneshop/netrc".path;
|
||||
};
|
||||
}
|
||||
|
32
secrets/burnham/burnham.yaml
Normal file
32
secrets/burnham/burnham.yaml
Normal file
@ -0,0 +1,32 @@
|
||||
domeneshop:
|
||||
netrc: ENC[AES256_GCM,data:iN9TEMRQpEUbq5kQRXKNG1pFr2rtQtCBXuK1w/7Wn6FAiWkGmCu8GIjPSDnMkZ4+l3kxJhNSix3AzIQwp6oayV1hIoFTWgz/OHKrq2TtQIFy5gs0u0Ump2tmQZFP3GgxSEagfp+c6MbQkjCh0t/PKiPE5MRJJnOJ4/0D,iv:Ta7T5lnQQpMwO+zYgFE9izs78+gtleolk6l7DDnrMoo=,tag:UXeoR+tW5t4DMazb26FsHw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age12cgkgx8xac77q0rwakp6zrfrzp45mhk7wj6t3y8s0xurt3k879usnm66ct
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ME5FZGNUYyttQ002ZEdk
|
||||
MjZ5YkRGWVE3UTBNVzR6SjV3T01QSnRrcVVvClpiSHFIL3NoOUtjSG9NU3M3T0pS
|
||||
N01DK2RLREFGV2Rnc2ZrR3prL2pRNmMKLS0tIFRzLzNzb2QwTFovOENpeW9LZFVT
|
||||
UWc1ZFFibVBIckVRZWxvbGZVUG1YRUkKlSBUOi8E1D30qVnYoydMM/rmE5uOrbqG
|
||||
MUBb8fk4OC4e8mDs/x/qBMMgMWLnma251Aehg+4SodemJi8RhKhR8g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1nj7ju6f3jfvzw4c0sxywthjmztwp7rwqceun8xw2tlfrt7qymatser4vqf
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZN3lIMHNySFZLdUpTTXh0
|
||||
d0xDTlppY3V4ZGxsL3ZITzJmY2Joa2J6MzJJCmV1MmpSYVZ4OU4wNXlXN1ZmUGdp
|
||||
RFNLcTlmNld4U1Y4VEJRTlZTdXg2ME0KLS0tIHJlQnFrQzFraGhkU0xEVFMxbGlj
|
||||
QUlhZ3dsdkZYbWxyTkNMQSsxNEVocTQK2tugbp8JDQR3KxZoMn8fSVRBc4oBvrhy
|
||||
0Tz4vhejHbiQt0Xg8Im/1ucFGvbONExi4alu57noRqIoCe4AmNKQ+g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-09-08T00:11:46Z"
|
||||
mac: ENC[AES256_GCM,data:/LgohCkIf5CSHdKVsBWzVbTwul7+HtFeG5a+qA9gjhTzdBaV985IeVPB0Vithmwu+h7BgsL3AGy2EADxGy7UtyhB7+UbcdDoPxHOFtiqv0Rjp4mNMirwjHcMSk42DWMw6+Wgfdy0FZlRkz4pOutZ2bRgehpQP2IYqlm8pjs9TiE=,iv:21wgEwUVRZvqW7uNjeANK8MJLbzy6LOb+iBXcHsp/H4=,tag:lV2qPE6gMNQsS1zom54sgg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
@ -3,7 +3,7 @@ matrix:
|
||||
registrationsecret: ENC[AES256_GCM,data:bWxzNB3c7GL6A4evVMoYJ2/q5TKyeSZzk05lUTMMDLBf3w/ks028oKjntGWbAvpSbnYPAO5wGPPKrvh8TnMVfjuBVrBtL8Vmt10t7YU/e15Xo0WvtwuAtjF6AWiGbV8=,iv:/KW9n2wuVua6zsmMZ/tq7J3wgmtrkLsh6aOWX0Z+fqo=,tag:aoIpD0JgsVnhlyDcsjx1eg==,type:str]
|
||||
oidcsecret: ENC[AES256_GCM,data:AKUTKQStFwioRaRYnrFbL/kJM0ZO/ZPLumG+770+A7U=,iv:jSpL6dY27zwctra5w56loVR9rRETWe5eIeMnAn9f6S0=,tag:IoEP8UzoZK7B5LtTu9Ebsw==,type:str]
|
||||
domeneshop:
|
||||
env: ENC[AES256_GCM,data:IBEWzGjXPTCxc2yBZxs2TnhrwTUjCey9qgprfmYlRMfoYjbSQDRzFoY3EXWfrRC8O/wt5/noar/XY5C6Krob6LynSHitaudXD/mPegR5u313tO9QwLOpScaA+lGyqUkUkddiI52cARJP,iv:dvMdW4o9ByUO5rl/1TXnwsnxd97UJqtv9UmERXdno2I=,tag:iNLGLF7aT2rLuDdwGfn2EA==,type:str]
|
||||
netrc: ENC[AES256_GCM,data:35HTN/L7FfKTdsnu73Vqcf9NEc/ybV9CtEYVh/3VFuge5LEviubcqR2ljkdh22HzMjzbzO9WZVTLo0K8oqrR+8zCbKmi4+4n8ZsnGrqdnx2/Bl2KGdNXTbvfkIqZMD7xRBJtSB2IVyXcB1u7JYd9jvr2xVek3IC8C1Zf,iv:XeqZZYWHD9Sww+IUoRs5+BEKZK80cDF1o4zdUlztA94=,tag:dHQe6Rqst75VTmXSiqTeTw==,type:str]
|
||||
hedgedoc:
|
||||
env: ENC[AES256_GCM,data:30kDNwJA/nL2/l1gSVPWgFYIrrxnhKbsQPaS1MqeaggjDpPxyNOhSLf5/p5Z5S/jDuJapevpQR70hfAM8g3gLRNIFtP38V/8w0lUngpuz6MzL7THdNfbabOKsHpNht+nxwGXE1YSd0D4OuX5ll5pLWT8nQtNhhOzuYmDIJ/Xc01lmcGc2ThsA0GlkWZxUw==,iv:ht6BiCYJReWFoR1zpo/X0bcgMV9tYfXUM7Re2ngEk4M=,tag:XrlYHyhVujhhWul3czSTDg==,type:str]
|
||||
vaultwarden:
|
||||
@ -39,8 +39,9 @@ sops:
|
||||
RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A
|
||||
fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-09-07T21:42:51Z"
|
||||
mac: ENC[AES256_GCM,data:vxl36zjB978nOMO49YFYSyoKM9rX5NT0kJh5nruGU7a0RxcvQrN3sSHZCfes7uFAvEGiFO4YG3LCiMDuUCZYCTV3nMLnu7aAjqDhcSQqcCYieBx4V9wYSdFqebP9asvArOVUN3hL9xze++q+IvxYYISL1EPlWpAF+SdGVMykGDE=,iv:1wW/OHd+A0qupzXn11est/nPGcGJSg8YxyU0hKzTT1k=,tag:YHgeE0ycLRIqAPv4HNpSjg==,type:str]
|
||||
lastmodified: "2024-09-08T00:14:52Z"
|
||||
mac: ENC[AES256_GCM,data:sWrspq+LTJfKUqdE7HZTdqw9jCR3uDkDmv9pz4Sh698QsUqXX3qFsDqQfCs3OLCClUmIYkvQqWgE7QNglhZcz+HMNGLKihpHmGl8Go/ltQCj4s/KM4mt7PAYSUPKag/uO7HTA7JIs2cwzCVLIjttkDUzyFwsff52pqX71np2qFE=,iv:GHPcsjxDtNBb3zvku5+VOXepwpGMjqaFt4qaNGcGKV8=,tag:Xy1MAUJo9IA04w8+/ECyiQ==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
||||
|