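{ pkgs, lib, config, inputs, hosts, hostName, ... }:
let
  inherit (config.users) users groups;
  inherit (hosts.mermet.config.networking) domain;
in
{
  # Every 5 minutes, publish this host's current public IPv4/IPv6 and its LAN
  # IPv4 into the `${domain}` zone with a TSIG-authenticated dynamic update.
  # TODO: nsupdate in the initrd
  systemd.services.nsupdate = {
    wantedBy = [ "multi-user.target" ];
    startAt = "*:0/5"; # every 5 min
    serviceConfig = {
      Type = "simple";
      # The TSIG key is stored encrypted and only decrypted by systemd into
      # $CREDENTIALS_DIRECTORY for the lifetime of the service; the plaintext
      # key is never placed in the Nix store.
      LoadCredentialEncrypted = [
        "${hostName}.${domain}.tsig:${./nsupdate + "/${domain}/tsig.cred"}"
      ];
      ExecStart = pkgs.writeShellScript "nsupdate" ''
        set -eux
        # The public addresses come from remote HTTP services and the private
        # one from a UPnP answer on the LAN.  Each value is pasted into the
        # knsupdate batch below, so it is only kept when it looks like a bare
        # address; an error page, an empty body or any other text is treated
        # as "unknown" and only the `update delete` for that record is sent.
        # `-f` makes curl fail on HTTP errors instead of returning their body,
        # and `--max-time` keeps a stalled service from blocking the timer job.
        publicIPv4=$(${pkgs.curl}/bin/curl -sf4 --max-time 15 https://whoami.sourcephile.fr/addr ||
                     ${pkgs.curl}/bin/curl -sf4L --max-time 15 https://icanhazip.com || true)
        publicIPv6=$(${pkgs.curl}/bin/curl -sf6L --max-time 15 https://icanhazip.com || true)
        privateIPv4=$(${pkgs.miniupnpc}/bin/upnpc -s | sed -ne 's/^Local LAN ip address : //p')
        # Coarse shape checks: enough to reject whitespace, newlines and
        # arbitrary text, not a full syntactic validation of the address.
        ipv4Re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'
        ipv6Re='^[0-9A-Fa-f:]+$'
        [[ $publicIPv4 =~ $ipv4Re ]] || publicIPv4=
        [[ $publicIPv6 =~ $ipv6Re ]] || publicIPv6=
        [[ $privateIPv4 =~ $ipv4Re ]] || privateIPv4=
        ${pkgs.knot-dns}/bin/knsupdate -k $CREDENTIALS_DIRECTORY/${hostName}.${domain}.tsig <<EOF
        server ns.${domain}
        zone ${domain}
        origin ${domain}
        update delete ${hostName} A
        ''${publicIPv4:+update add ${hostName} 300 A $publicIPv4}
        update delete ${hostName} AAAA
        ''${publicIPv6:+update add ${hostName} 300 AAAA $publicIPv6}
        update delete lan.${hostName} A
        ''${privateIPv4:+update add lan.${hostName} 300 A $privateIPv4}
        show
        send
        EOF
      '';
      Restart = "on-failure";
      RestartSec = "30s";
      DynamicUser = true;
      User = users."nsupdate".name;
    };
  };
  # Dedicated unprivileged identity; the nftables rules below key on its uid.
  users.users."nsupdate" = {
    isSystemUser = true;
    group = groups."nsupdate".name;
  };
  users.groups."nsupdate" = { };
  # Egress for the nsupdate user is limited to DNS towards mermet's IPv4 and
  # to SSDP (UPnP discovery).  The `nsupdate-ssdp` set records the source
  # port of each outgoing multicast query so that only the matching unicast
  # answer is accepted back, and only for 5 seconds.
  networking.nftables.ruleset = ''
    table inet filter {
      set nsupdate-ssdp {
        type inet_service
        timeout 5s
      }
      chain input-net {
        udp dport @nsupdate-ssdp counter accept comment "SSDP answer"
      }
      chain output-net {
        skuid ${users.nsupdate.name} \
        ip daddr ${hosts.mermet._module.args.ipv4} \
        meta l4proto { udp, tcp } th dport domain \
        counter accept comment "nsupdate: DNS"
        skuid ${users.nsupdate.name} \
        tcp dport ssdp \
        counter accept \
        comment "SSDP automatic opening"
        skuid ${users.nsupdate.name} \
        ip daddr 239.255.255.250 udp dport ssdp \
        set add udp sport @nsupdate-ssdp \
        comment "SSDP automatic opening"
        skuid ${users.nsupdate.name} \
        ip daddr 239.255.255.250 udp dport ssdp \
        counter accept comment "SSDP"
      }
    }
  '' + lib.optionalString config.networking.enableIPv6 ''
    table inet filter {
      chain output-net {
        skuid ${users.nsupdate.name} \
        ip6 daddr { FF02::C, FF05::C, FF08::C, FF0E::C } \
        udp dport ssdp \
        set add udp sport @nsupdate-ssdp \
        comment "SSDP automatic opening"
        skuid ${users.nsupdate.name} \
        ip6 daddr { FF02::C, FF05::C, FF08::C, FF0E::C } \
        udp dport ssdp \
        counter accept comment "SSDP"
      }
    }
  '';
}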