hosts/losurdo/networking/nsupdate.nix

   1 { pkgs, lib, config, hosts, ... }:
   2 let
   3   inherit (config.security) gnupg;
   4   inherit (config.users) users groups;
   5   inherit (config.networking) domain;
   6 in
   7 {
   8 # TODO: nsupdate in the initrd
   9 systemd.services.nsupdate = {
  10   after = [
  11     "network-online.target"
  12     gnupg.secrets."knot/tsig/${domain}/bureau1.key".service
  13   ];
  14   wants = [
  15     gnupg.secrets."knot/tsig/${domain}/bureau1.key".service
  16   ];
  17   wantedBy = [ "multi-user.target" ];
  18   startAt = "*:0/5"; # every 5 min
  19   serviceConfig = {
  20     Type = "simple";
  21     ExecStart = pkgs.writeShellScript "nsupdate" ''
  22       set -eux
  23       publicIPv4=$(${pkgs.curl}/bin/curl -s4 https://whoami.sourcephile.fr/addr ||
  24         ${pkgs.curl}/bin/curl -s4L https://icanhazip.com || true)
  25       publicIPv6=$(${pkgs.curl}/bin/curl -s6L https://icanhazip.com || true)
  26       privateIPv4=$(${pkgs.miniupnpc}/bin/upnpc -s | sed -ne 's/^Local LAN ip address : //p')
  27       ${pkgs.knot-dns}/bin/knsupdate -k ${gnupg.secrets."knot/tsig/${domain}/bureau1.key".path} <<EOF
  28       server ns.sourcephile.fr
  29       zone sourcephile.fr
  30       origin sourcephile.fr
  31       update delete bureau1 A
  32       ''${publicIPv4:+update add bureau1 300 A $publicIPv4}
  33       update delete bureau1 AAAA
  34       ''${publicIPv6:+update add bureau1 300 AAAA $publicIPv6}
  35       update delete lan.losurdo A
  36       ''${privateIPv4:+update add lan.losurdo 300 A $privateIPv4}
  37       show
  38       send
  39       EOF
  40     '';
  41     Restart = "on-failure";
  42     RestartSec = "30s";
  43     DynamicUser = true;
  44     User = users."nsupdate".name;
  45   };
  46 };
  47 users.users."nsupdate" = {
  48   isSystemUser = true;
  49   group = groups."nsupdate".name;
  50 };
  51 users.groups."nsupdate" = {};
  52 users.groups."keys".members = [users."nsupdate".name];
  53 security.gnupg.secrets."knot/tsig/${domain}/bureau1.key" = {
  54   user = users."nsupdate".name;
  55 };
  56 networking.nftables.ruleset =
  57   lib.optionalString (config.services.upnpc.redirections != []) ''
  58   # Create a rule for accepting any SSDP packets going to a remembered port.
  59   add rule inet filter net2fw udp dport @ssdp_out \
  60     counter accept comment "SSDP answer"
  61   add rule inet filter fw2net \
  62     skuid {${users.upnpc.name},${users.nsupdate.name}} \
  63     tcp dport 1900 \
  64     counter accept \
  65     comment "SSDP automatic opening"
  66   add rule inet filter fw2net \
  67     skuid {${users.upnpc.name},${users.nsupdate.name}} \
  68     ip daddr 239.255.255.250 udp dport 1900 \
  69     set add udp sport @ssdp_out \
  70     comment "SSDP automatic opening"
  71   add rule inet filter fw2net \
  72     skuid {${users.upnpc.name},${users.nsupdate.name}} \
  73     ip daddr 239.255.255.250 udp dport 1900 \
  74     counter accept comment "SSDP"
  75   '' + lib.optionalString config.networking.enableIPv6 ''
  76   add rule inet filter fw2net \
  77     skuid {${users.upnpc.name},${users.nsupdate.name}} \
  78     ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
  79     set add udp sport @ssdp_out comment "SSDP automatic opening"
  80   add rule inet filter fw2net \
  81     skuid {${users.upnpc.name},${users.nsupdate.name}} \
  82     ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
  83     counter accept comment "SSDP"
  84   '';
  85 }