]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/networking/nsupdate.nix
syncoid: fix localTargetAllow
[sourcephile-nix.git] / hosts / losurdo / networking / nsupdate.nix
1 { pkgs, lib, config, hosts, ... }:
2 let
3 inherit (config.security) gnupg;
4 inherit (config.users) users groups;
5 inherit (config.networking) domain;
6 in
7 {
8 # TODO: nsupdate in the initrd
9 systemd.services.nsupdate = {
10 after = [
11 "network-online.target"
12 gnupg.secrets."knot/tsig/${domain}/bureau1.key".service
13 ];
14 wants = [
15 gnupg.secrets."knot/tsig/${domain}/bureau1.key".service
16 ];
17 wantedBy = [ "multi-user.target" ];
18 startAt = "*:0/5"; # every 5 min
19 serviceConfig = {
20 Type = "simple";
21 ExecStart = pkgs.writeShellScript "nsupdate" ''
22 set -eux
23 publicIPv4=$(${pkgs.curl}/bin/curl -s4 https://whoami.sourcephile.fr/addr ||
24 ${pkgs.curl}/bin/curl -s4L https://icanhazip.com || true)
25 publicIPv6=$(${pkgs.curl}/bin/curl -s6L https://icanhazip.com || true)
26 privateIPv4=$(${pkgs.miniupnpc}/bin/upnpc -s | sed -ne 's/^Local LAN ip address : //p')
27 ${pkgs.knot-dns}/bin/knsupdate -k ${gnupg.secrets."knot/tsig/${domain}/bureau1.key".path} <<EOF
28 server ns.sourcephile.fr
29 zone sourcephile.fr
30 origin sourcephile.fr
31 update delete bureau1 A
32 ''${publicIPv4:+update add bureau1 300 A $publicIPv4}
33 update delete bureau1 AAAA
34 ''${publicIPv6:+update add bureau1 300 AAAA $publicIPv6}
35 update delete lan.losurdo A
36 ''${privateIPv4:+update add lan.losurdo 300 A $privateIPv4}
37 show
38 send
39 EOF
40 '';
41 Restart = "on-failure";
42 RestartSec = "30s";
43 DynamicUser = true;
44 User = users."nsupdate".name;
45 };
46 };
47 users.users."nsupdate" = {
48 isSystemUser = true;
49 group = groups."nsupdate".name;
50 };
51 users.groups."nsupdate" = {};
52 users.groups."keys".members = [users."nsupdate".name];
53 security.gnupg.secrets."knot/tsig/${domain}/bureau1.key" = {
54 user = users."nsupdate".name;
55 };
56 networking.nftables.ruleset =
57 lib.optionalString (config.services.upnpc.redirections != []) ''
58 # Create a rule for accepting any SSDP packets going to a remembered port.
59 add rule inet filter net2fw udp dport @ssdp_out \
60 counter accept comment "SSDP answer"
61 add rule inet filter fw2net \
62 skuid {${users.upnpc.name},${users.nsupdate.name}} \
63 tcp dport 1900 \
64 counter accept \
65 comment "SSDP automatic opening"
66 add rule inet filter fw2net \
67 skuid {${users.upnpc.name},${users.nsupdate.name}} \
68 ip daddr 239.255.255.250 udp dport 1900 \
69 set add udp sport @ssdp_out \
70 comment "SSDP automatic opening"
71 add rule inet filter fw2net \
72 skuid {${users.upnpc.name},${users.nsupdate.name}} \
73 ip daddr 239.255.255.250 udp dport 1900 \
74 counter accept comment "SSDP"
75 '' + lib.optionalString config.networking.enableIPv6 ''
76 add rule inet filter fw2net \
77 skuid {${users.upnpc.name},${users.nsupdate.name}} \
78 ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
79 set add udp sport @ssdp_out comment "SSDP automatic opening"
80 add rule inet filter fw2net \
81 skuid {${users.upnpc.name},${users.nsupdate.name}} \
82 ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
83 counter accept comment "SSDP"
84 '';
85 }