coredump: keep a bit more dumps

[sourcephile-nix.git] / hosts / losurdo / networking / nsupdate.nix

diff --git a/hosts/losurdo/networking/nsupdate.nix b/hosts/losurdo/networking/nsupdate.nix
index 88f555574f5f5c150b591236b53e2c0105d01f0e..5b34f4df0216e108fae5b8aff7973a0475a00730 100644 (file)
--- a/hosts/losurdo/networking/nsupdate.nix
+++ b/hosts/losurdo/networking/nsupdate.nix
@@ -5,6 +5,7 @@ let
   inherit (config.networking) domain;
 in
 {
+# TODO: nsupdate in the initrd
 systemd.services.nsupdate = {
   after = [
     "network-online.target"
@@ -19,7 +20,8 @@ systemd.services.nsupdate = {
     Type = "simple";
     ExecStart = pkgs.writeShellScript "nsupdate" ''
       set -eux
-      publicIPv4=$(${pkgs.curl}/bin/curl -s4 https://whoami.sourcephile.fr/addr || true)
+      publicIPv4=$(${pkgs.curl}/bin/curl -s4 https://whoami.sourcephile.fr/addr ||
+        ${pkgs.curl}/bin/curl -s4L https://icanhazip.com || true)
       publicIPv6=$(${pkgs.curl}/bin/curl -s6L https://icanhazip.com || true)
       privateIPv4=$(${pkgs.miniupnpc}/bin/upnpc -s | sed -ne 's/^Local LAN ip address : //p')
       ${pkgs.knot-dns}/bin/knsupdate -k ${gnupg.secrets."knot/tsig/${domain}/bureau1.key".path} <<EOF
@@ -42,9 +44,42 @@ systemd.services.nsupdate = {
     User = users."nsupdate".name;
   };
 };
-users.users."nsupdate".isSystemUser = true;
-users.users."nsupdate".extraGroups = [ groups."keys".name ];
+users.users."nsupdate" = {
+  isSystemUser = true;
+  group = groups."nsupdate".name;
+};
+users.groups."nsupdate" = {};
+users.groups."keys".members = [users."nsupdate".name];
 security.gnupg.secrets."knot/tsig/${domain}/bureau1.key" = {
   user = users."nsupdate".name;
 };
+networking.nftables.ruleset =
+  lib.optionalString (config.services.upnpc.redirections != []) ''
+  # Create a rule for accepting any SSDP packets going to a remembered port.
+  add rule inet filter net2fw udp dport @ssdp_out \
+    counter accept comment "SSDP answer"
+  add rule inet filter fw2net \
+    skuid {${users.upnpc.name},${users.nsupdate.name}} \
+    tcp dport 1900 \
+    counter accept \
+    comment "SSDP automatic opening"
+  add rule inet filter fw2net \
+    skuid {${users.upnpc.name},${users.nsupdate.name}} \
+    ip daddr 239.255.255.250 udp dport 1900 \
+    set add udp sport @ssdp_out \
+    comment "SSDP automatic opening"
+  add rule inet filter fw2net \
+    skuid {${users.upnpc.name},${users.nsupdate.name}} \
+    ip daddr 239.255.255.250 udp dport 1900 \
+    counter accept comment "SSDP"
+  '' + lib.optionalString config.networking.enableIPv6 ''
+  add rule inet filter fw2net \
+    skuid {${users.upnpc.name},${users.nsupdate.name}} \
+    ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
+    set add udp sport @ssdp_out comment "SSDP automatic opening"
+  add rule inet filter fw2net \
+    skuid {${users.upnpc.name},${users.nsupdate.name}} \
+    ip6 daddr {FF02::C, FF05::C, FF08::C, FF0E::C} udp dport 1900 \
+    counter accept comment "SSDP"
+  '';
 }