hosts/losurdo/networking/nsupdate.nix

   1 { pkgs, lib, config, hostName, credentials, ... }:
   2 let
   3   inherit (config.users) users groups;
   4   inherit (config.networking) domain;
   5 in
   6 {
   7 # TODO: nsupdate in the initrd
   8 systemd.services.nsupdate = {
   9   wantedBy = [ "multi-user.target" ];
  10   startAt = "*:0/5"; # every 5 min
  11   serviceConfig = {
  12     Type = "simple";
  13     LoadCredentialEncrypted = "${hostName}.key:${credentials}/knot/tsig/sourcephile.fr/${hostName}.key";
  14     ExecStart = pkgs.writeShellScript "nsupdate" ''
  15       set -eux
  16       publicIPv4=$(${pkgs.curl}/bin/curl -s4 https://whoami.sourcephile.fr/addr ||
  17         ${pkgs.curl}/bin/curl -s4L https://icanhazip.com || true)
  18       publicIPv6=$(${pkgs.curl}/bin/curl -s6L https://icanhazip.com || true)
  19       privateIPv4=$(${pkgs.miniupnpc}/bin/upnpc -s | sed -ne 's/^Local LAN ip address : //p')
  20       ${pkgs.knot-dns}/bin/knsupdate -k $CREDENTIALS_DIRECTORY/${hostName}.key <<EOF
  21       server ns.sourcephile.fr
  22       zone sourcephile.fr
  23       origin sourcephile.fr
  24       update delete ${hostName} A
  25       ''${publicIPv4:+update add ${hostName} 300 A $publicIPv4}
  26       update delete ${hostName} AAAA
  27       ''${publicIPv6:+update add ${hostName} 300 AAAA $publicIPv6}
  28       update delete lan.losurdo A
  29       ''${privateIPv4:+update add lan.${hostName} 300 A $privateIPv4}
  30       show
  31       send
  32       EOF
  33     '';
  34     Restart = "on-failure";
  35     RestartSec = "30s";
  36     DynamicUser = true;
  37     User = users."nsupdate".name;
  38   };
  39 };
  40 users.users."nsupdate" = {
  41   isSystemUser = true;
  42   group = groups."nsupdate".name;
  43 };
  44 users.groups."nsupdate" = {};
  45 networking.nftables.ruleset =
  46   lib.optionalString (config.services.upnpc.redirections != []) ''
  47   table inet filter {
  48     # A set containing the udp port(s) to which SSDP replies are allowed.
  49     set ssdp_out {
  50       type inet_service
  51       timeout 5s
  52     }
  53     chain input-net {
  54       # Create a rule for accepting any SSDP packets going to a remembered port.
  55       udp dport @ssdp_out counter accept comment "SSDP answer"
  56     }
  57     chain output-net {
  58       skuid {${users.upnpc.name},${users.nsupdate.name}} \
  59         tcp dport ssdp \
  60         counter accept \
  61         comment "SSDP automatic opening"
  62       skuid {${users.upnpc.name},${users.nsupdate.name}} \
  63         ip daddr 239.255.255.250 udp dport ssdp \
  64         set add udp sport @ssdp_out \
  65         comment "SSDP automatic opening"
  66       skuid {${users.upnpc.name},${users.nsupdate.name}} \
  67         ip daddr 239.255.255.250 udp dport ssdp \
  68         counter accept comment "SSDP"
  69     }
  70   }
  71   '' + lib.optionalString config.networking.enableIPv6 ''
  72   table inet filter {
  73     chain output-net {
  74       skuid {${users.upnpc.name},${users.nsupdate.name}} \
  75         ip6 daddr { FF02::C, FF05::C, FF08::C, FF0E::C } udp dport ssdp \
  76         set add udp sport @ssdp_out comment "SSDP automatic opening"
  77       skuid {${users.upnpc.name},${users.nsupdate.name}} \
  78         ip6 daddr { FF02::C, FF05::C, FF08::C, FF0E::C } udp dport ssdp \
  79         counter accept comment "SSDP"
  80     }
  81   }
  82   '';
  83 }