unbound: no longer use nixos/profiles
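{ pkgs, lib, config, machines, ... }:
# Dynamic-DNS updater for this machine: every 5 minutes it looks up the
# current public IPv4/IPv6 and the LAN IPv4, then rewrites the matching
# records in the sourcephile.fr zone with a TSIG-authenticated knsupdate.
let
  inherit (config.security) gnupg;
  inherit (config.users) users groups;
  inherit (config.networking) domain;
  # The TSIG key is provisioned through the gnupg secrets machinery; the same
  # attribute provides both the unit that decrypts it and the decrypted path.
  tsigKey = gnupg.secrets."knot/tsig/${domain}/bureau1.key";
in
{
  systemd.services.nsupdate = {
    # Only run once the network is up and the key has been decrypted.
    after = [
      "network-online.target"
      tsigKey.service
    ];
    wants = [
      tsigKey.service
    ];
    wantedBy = [ "multi-user.target" ];
    startAt = "*:0/5"; # every 5 min
    serviceConfig = {
      Type = "simple";
      ExecStart = pkgs.writeShellScript "nsupdate" ''
        set -eux
        # The discovered addresses come from remote HTTP services and from the
        # LAN's UPnP gateway, and they are interpolated into the knsupdate
        # batch below, which is authorised by the zone's TSIG key. Each value
        # is therefore only kept when it consists solely of address characters;
        # anything else (error page, extra lines) is discarded, which falls
        # back to deleting the record rather than publishing garbage.
        # --fail keeps HTTP error bodies out of the variable, --max-time keeps
        # a stalled endpoint from blocking the unit until the next timer tick.
        publicIPv4=$(${pkgs.curl}/bin/curl -sf4 --max-time 30 https://whoami.sourcephile.fr/addr || true)
        case "$publicIPv4" in
          ""|*[!0-9.]*) publicIPv4="" ;;
        esac
        publicIPv6=$(${pkgs.curl}/bin/curl -sf6L --max-time 30 https://icanhazip.com || true)
        case "$publicIPv6" in
          ""|*[!0-9a-fA-F:]*) publicIPv6="" ;;
        esac
        # sed is referenced through pkgs like the other tools, so the script
        # does not depend on the unit's PATH.
        privateIPv4=$(${pkgs.miniupnpc}/bin/upnpc -s | ${pkgs.gnused}/bin/sed -ne 's/^Local LAN ip address : //p')
        case "$privateIPv4" in
          ""|*[!0-9.]*) privateIPv4="" ;;
        esac
        # Each record is deleted unconditionally and re-added only when a
        # value was obtained, so an unreachable lookup service clears the
        # record instead of leaving a stale address published.
        ${pkgs.knot-dns}/bin/knsupdate -k ${tsigKey.path} <<EOF
        server ns.sourcephile.fr
        zone sourcephile.fr
        origin sourcephile.fr
        update delete bureau1 A
        ''${publicIPv4:+update add bureau1 300 A $publicIPv4}
        update delete bureau1 AAAA
        ''${publicIPv6:+update add bureau1 300 AAAA $publicIPv6}
        update delete lan.losurdo A
        ''${privateIPv4:+update add lan.losurdo 300 A $privateIPv4}
        show
        send
        EOF
      '';
      Restart = "on-failure";
      RestartSec = "30s";
      # NOTE(review): DynamicUser is combined with a statically declared
      # `nsupdate` user below; systemd.exec(5) documents that an existing
      # static user of that name is used instead of allocating a dynamic one,
      # which is what lets the key's owner match — confirm this is intended.
      DynamicUser = true;
      User = users."nsupdate".name;
    };
  };
  users.users."nsupdate".isSystemUser = true;
  # Membership in the keys group is what grants read access to the decrypted
  # TSIG key.
  users.users."nsupdate".extraGroups = [ groups."keys".name ];
  security.gnupg.secrets."knot/tsig/${domain}/bureau1.key" = {
    user = users."nsupdate".name;
  };
}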