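{ pkgs, lib, config, inputs, hosts, hostName, ... }:
let
  inherit (config.users) users groups;
  inherit (hosts.mermet.config.networking) domain;
in
{
  # Every 5 minutes, publish this host's public IPv4/IPv6 as
  # ${hostName}.${domain} and its LAN IPv4 as lan.${hostName}.${domain}
  # through a dynamic DNS update (knsupdate), authenticated with a TSIG key
  # that systemd decrypts into the service's credentials directory.
  # TODO: nsupdate in the initrd
  systemd.services.nsupdate = {
    wantedBy = [ "multi-user.target" ];
    startAt = "*:0/5"; # every 5 min
    serviceConfig = {
      Type = "simple";
      # Encrypted at rest in the repository; systemd exposes the decrypted
      # key under $CREDENTIALS_DIRECTORY for this unit only.
      LoadCredentialEncrypted = [ "${hostName}.${domain}.tsig:${inputs.self}/hosts/${hostName}/networking/nsupdate/${domain}/tsig.cred" ];
      ExecStart = pkgs.writeShellScript "nsupdate" ''
        set -eux
        # Every address below comes from a remote lookup service or from the
        # LAN gateway (upnpc), i.e. from outside this host's trust boundary,
        # and is spliced verbatim into the knsupdate command stream. Each one
        # is therefore checked to be a bare IP literal first: an HTTP error
        # page, an empty reply, or anything containing a newline must not be
        # able to become an extra "update" line signed with our TSIG key.
        re4='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
        re6='^[0-9A-Fa-f]*:[0-9A-Fa-f:]*(\.[0-9]{1,3}){0,3}$'
        # --fail (-f) turns non-2xx replies into a failure instead of
        # capturing their body; --max-time keeps one stuck lookup from
        # outliving the 5 min timer interval.
        curl="${pkgs.curl}/bin/curl -sf --max-time 30"
        publicIPv4=$($curl -4 https://whoami.sourcephile.fr/addr ||
                     $curl -4L https://icanhazip.com || true)
        [[ $publicIPv4 =~ $re4 ]] || publicIPv4=
        publicIPv6=$($curl -6L https://icanhazip.com || true)
        [[ $publicIPv6 =~ $re6 ]] || publicIPv6=
        # The pipeline's status is sed's, so a failing upnpc yields an empty
        # privateIPv4 rather than aborting the run; the public records are
        # still refreshed in that case.
        privateIPv4=$(${pkgs.miniupnpc}/bin/upnpc -s | sed -ne 's/^Local LAN ip address : //p')
        [[ $privateIPv4 =~ $re4 ]] || privateIPv4=
        # A record is first deleted, then re-added only when an address was
        # obtained, so a failed lookup removes the stale record rather than
        # keeping an address that may no longer be ours.
        ${pkgs.knot-dns}/bin/knsupdate -k $CREDENTIALS_DIRECTORY/${hostName}.${domain}.tsig <<EOF
        server ns.${domain}
        zone ${domain}
        origin ${domain}
        update delete ${hostName} A
        ''${publicIPv4:+update add ${hostName} 300 A $publicIPv4}
        update delete ${hostName} AAAA
        ''${publicIPv6:+update add ${hostName} 300 AAAA $publicIPv6}
        update delete lan.${hostName} A
        ''${privateIPv4:+update add lan.${hostName} 300 A $privateIPv4}
        show
        send
        EOF
      '';
      Restart = "on-failure";
      RestartSec = "30s";
      # NOTE(review): DynamicUser is combined with the static "nsupdate"
      # account declared below, presumably so that the skuid rules in the
      # nftables ruleset match a stable UID; confirm systemd reuses the
      # static account here rather than allocating a fresh one.
      DynamicUser = true;
      User = users."nsupdate".name;
    };
  };
  users.users."nsupdate" = {
    isSystemUser = true;
    group = groups."nsupdate".name;
  };
  users.groups."nsupdate" = { };
  # Egress for the nsupdate user is restricted to what the script needs:
  # DNS (udp/tcp 53) to the mermet host and SSDP for upnpc's gateway
  # discovery. The source port of each outgoing SSDP query is recorded in
  # the nsupdate-ssdp set so the unicast answer is accepted on input for
  # 5 s only.
  # NOTE(review): the HTTPS lookups made by curl above are not granted in
  # this snippet; presumably the rest of output-net allows them — verify.
  networking.nftables.ruleset = ''
    table inet filter {
      set nsupdate-ssdp {
        type inet_service
        timeout 5s
      }
      chain input-net {
        udp dport @nsupdate-ssdp counter accept comment "SSDP answer"
      }
      chain output-net {
        skuid ${users.nsupdate.name} \
        ip daddr ${hosts.mermet._module.args.ipv4} \
        meta l4proto { udp, tcp } th dport domain \
        counter accept comment "nsupdate: DNS"
        skuid ${users.nsupdate.name} \
        tcp dport ssdp \
        counter accept \
        comment "SSDP automatic opening"
        skuid ${users.nsupdate.name} \
        ip daddr 239.255.255.250 udp dport ssdp \
        set add udp sport @nsupdate-ssdp \
        comment "SSDP automatic opening"
        skuid ${users.nsupdate.name} \
        ip daddr 239.255.255.250 udp dport ssdp \
        counter accept comment "SSDP"
      }
    }
  '' + lib.optionalString config.networking.enableIPv6 ''
    table inet filter {
      chain output-net {
        skuid ${users.nsupdate.name} \
        ip6 daddr { FF02::C, FF05::C, FF08::C, FF0E::C } \
        udp dport ssdp \
        set add udp sport @nsupdate-ssdp \
        comment "SSDP automatic opening"
        skuid ${users.nsupdate.name} \
        ip6 daddr { FF02::C, FF05::C, FF08::C, FF0E::C } \
        udp dport ssdp \
        counter accept comment "SSDP"
      }
    }
  '';
}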