]> Git — Sourcephile - sourcephile-nix.git/blob - hosts/losurdo/networking/nsupdate.nix
carotte: prepare switch install
[sourcephile-nix.git] / hosts / losurdo / networking / nsupdate.nix
1 { pkgs, lib, config, hosts, ... }:
2 let
3 inherit (config.security) gnupg;
4 inherit (config.users) users groups;
5 inherit (config.networking) domain;
6 in
7 {
8 systemd.services.nsupdate = {
9 after = [
10 "network-online.target"
11 gnupg.secrets."knot/tsig/${domain}/bureau1.key".service
12 ];
13 wants = [
14 gnupg.secrets."knot/tsig/${domain}/bureau1.key".service
15 ];
16 wantedBy = [ "multi-user.target" ];
17 startAt = "*:0/5"; # every 5 min
18 serviceConfig = {
19 Type = "simple";
20 ExecStart = pkgs.writeShellScript "nsupdate" ''
21 set -eux
22 publicIPv4=$(${pkgs.curl}/bin/curl -s4 https://whoami.sourcephile.fr/addr ||
23 ${pkgs.curl}/bin/curl -s4L https://icanhazip.com || true)
24 publicIPv6=$(${pkgs.curl}/bin/curl -s6L https://icanhazip.com || true)
25 privateIPv4=$(${pkgs.miniupnpc}/bin/upnpc -s | sed -ne 's/^Local LAN ip address : //p')
26 ${pkgs.knot-dns}/bin/knsupdate -k ${gnupg.secrets."knot/tsig/${domain}/bureau1.key".path} <<EOF
27 server ns.sourcephile.fr
28 zone sourcephile.fr
29 origin sourcephile.fr
30 update delete bureau1 A
31 ''${publicIPv4:+update add bureau1 300 A $publicIPv4}
32 update delete bureau1 AAAA
33 ''${publicIPv6:+update add bureau1 300 AAAA $publicIPv6}
34 update delete lan.losurdo A
35 ''${privateIPv4:+update add lan.losurdo 300 A $privateIPv4}
36 show
37 send
38 EOF
39 '';
40 Restart = "on-failure";
41 RestartSec = "30s";
42 DynamicUser = true;
43 User = users."nsupdate".name;
44 };
45 };
46 users.users."nsupdate" = {
47 isSystemUser = true;
48 group = groups."nsupdate".name;
49 };
50 users.groups."nsupdate" = {};
51 users.groups."keys".members = [users."nsupdate".name];
52 security.gnupg.secrets."knot/tsig/${domain}/bureau1.key" = {
53 user = users."nsupdate".name;
54 };
55 networking.nftables.ruleset =
56 lib.optionalString (config.services.upnpc.redirections != []) ''
57 # Create a rule for accepting any SSDP packets going to a remembered port.
58 add rule inet filter net2fw udp dport @ssdp_out \
59 counter accept comment "SSDP answer"
60 add rule inet filter fw2net \
61 skuid {${users.upnpc.name},${users.nsupdate.name}} \
62 tcp dport 1900 \
63 counter accept \
64 comment "SSDP automatic opening"
65 add rule inet filter fw2net \
66 skuid {${users.upnpc.name},${users.nsupdate.name}} \
67 ip daddr 239.255.255.250 udp dport 1900 \
68 set add udp sport @ssdp_out \
69 comment "SSDP automatic opening"
70 add rule inet filter fw2net \
71 skuid {${users.upnpc.name},${users.nsupdate.name}} \
72 ip daddr 239.255.255.250 udp dport 1900 \
73 counter accept comment "SSDP"
74 '' + lib.optionalString config.networking.enableIPv6 ''
75 add rule inet filter fw2net \
76 skuid {${users.upnpc.name},${users.nsupdate.name}} \
77 ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
78 set add udp sport @ssdp_out comment "SSDP automatic opening"
79 add rule inet filter fw2net \
80 skuid {${users.upnpc.name},${users.nsupdate.name}} \
81 ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
82 counter accept comment "SSDP"
83 '';
84 }