1 { pkgs, lib, config, machines, ... }:
3 inherit (config.security) gnupg;
4 inherit (config.users) users groups;
5 inherit (config.networking) domain;
11 networking.nftables.ruleset = ''
12 # Create a set for remembering the port on which ssdp replies will be received
13 add set filter ssdp_out {type inet_service \; timeout 5s \;}
14 # Create a rule for accepting any ssdp packets going to a remembered port.
15 add rule filter net2fw udp dport @ssdp_out accept
16 # Create a rule for adding the ports to the set
17 add rule filter fw2net ip daddr 239.255.255.250 udp dport 1900 set add udp sport @ssdp_out
18 '' + lib.optionalString networking.enableIPv6 ''
20 add rule filter fw2net ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 set add udp sport @ssdp_out
24 systemd.services.nsupdate = {
26 "network-online.target"
27 gnupg.secrets."knot/tsig/${domain}/bureau1.key".service
30 gnupg.secrets."knot/tsig/${domain}/bureau1.key".service
32 wantedBy = [ "multi-user.target" ];
36 ExecStart = pkgs.writeShellScript "nsupdate" ''
38 ip=$(${pkgs.curl}/bin/curl -s4 https://whoami.sourcephile.fr/addr)
40 ${pkgs.knot-dns}/bin/knsupdate -k ${gnupg.secrets."knot/tsig/${domain}/bureau1.key".path} <<EOF
41 server ns.sourcephile.fr
44 update delete bureau1 A
45 update add bureau1 300 A $ip
50 Restart = "on-failure";
53 User = users."nsupdate".name;
56 users.users."nsupdate".isSystemUser = true;
57 users.users."nsupdate".extraGroups = [ groups."keys".name ];
58 security.gnupg.secrets."knot/tsig/${domain}/bureau1.key" = {
59 user = users."nsupdate".name;