-{ pkgs, lib, config, hostName, credentials, ... }:
+{ pkgs, lib, config, hosts, hostName, credentials, ... }:
let
inherit (config.users) users groups;
inherit (config.networking) domain;
startAt = "*:0/5"; # every 5 min
serviceConfig = {
Type = "simple";
- LoadCredentialEncrypted = "${hostName}.key:${credentials}/knot/tsig/sourcephile.fr/${hostName}.key";
+ LoadCredentialEncrypted = "${hostName}.tsig:${credentials}/nsupdate/sourcephile.fr/${hostName}.tsig.secret";
ExecStart = pkgs.writeShellScript "nsupdate" ''
set -eux
publicIPv4=$(${pkgs.curl}/bin/curl -s4 https://whoami.sourcephile.fr/addr ||
${pkgs.curl}/bin/curl -s4L https://icanhazip.com || true)
publicIPv6=$(${pkgs.curl}/bin/curl -s6L https://icanhazip.com || true)
privateIPv4=$(${pkgs.miniupnpc}/bin/upnpc -s | sed -ne 's/^Local LAN ip address : //p')
- ${pkgs.knot-dns}/bin/knsupdate -k $CREDENTIALS_DIRECTORY/${hostName}.key <<EOF
+ ${pkgs.knot-dns}/bin/knsupdate -k $CREDENTIALS_DIRECTORY/${hostName}.tsig <<EOF
server ns.sourcephile.fr
zone sourcephile.fr
origin sourcephile.fr
''${publicIPv4:+update add ${hostName} 300 A $publicIPv4}
update delete ${hostName} AAAA
''${publicIPv6:+update add ${hostName} 300 AAAA $publicIPv6}
- update delete lan.losurdo A
+ update delete lan.${hostName} A
''${privateIPv4:+update add lan.${hostName} 300 A $privateIPv4}
show
send
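Review bot: The addresses fed into the knsupdate heredoc come straight from curl output that is never validated: `curl -s` without `-f` still prints the response body on an HTTP error, and nothing checks that `$publicIPv4`/`$publicIPv6` look like addresses before they become `update add ${hostName} 300 A …` lines signed with the host's TSIG key. A stale or malformed answer from either lookup service therefore reaches the authoritative zone update, and a hanging endpoint stalls the timer job since no `--max-time` is set. I would add `-f` and `--max-time` to the three curl calls and reject anything that is not an address before the heredoc, so that a bad answer results in no record rather than a wrong one. Separately, the AAAA and lan.A records are deleted before being re-added but the public A record is not (`update delete ${hostName} A` is missing), so an old IPv4 stays in the zone after a change — presumably an oversight, confirm. The module's `let` bindings start before this hunk.
```shell
publicIPv4=$(${pkgs.curl}/bin/curl -sf4 --max-time 10 https://whoami.sourcephile.fr/addr ||
             ${pkgs.curl}/bin/curl -sf4L --max-time 10 https://icanhazip.com || true)
publicIPv6=$(${pkgs.curl}/bin/curl -sf6L --max-time 10 https://icanhazip.com || true)
# Only pass values that look like addresses to knsupdate; an error page or empty reply drops the record instead.
[[ $publicIPv4 =~ ^[0-9.]+$ ]] || publicIPv4=
[[ $publicIPv6 =~ ^[0-9A-Fa-f:]+$ ]] || publicIPv6=
# … unchanged: privateIPv4 lookup and the knsupdate heredoc …
```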
group = groups."nsupdate".name;
};
users.groups."nsupdate" = {};
-networking.nftables.ruleset =
- lib.optionalString (config.services.upnpc.redirections != []) ''
+networking.nftables.ruleset = ''
table inet filter {
- # A set containing the udp port(s) to which SSDP replies are allowed.
- set ssdp_out {
+ set nsupdate-ssdp {
type inet_service
timeout 5s
}
chain input-net {
- # Create a rule for accepting any SSDP packets going to a remembered port.
- udp dport @ssdp_out counter accept comment "SSDP answer"
+ udp dport @nsupdate-ssdp counter accept comment "SSDP answer"
}
chain output-net {
- skuid {${users.upnpc.name},${users.nsupdate.name}} \
+ skuid ${users.nsupdate.name} \
+ ip daddr ${hosts.mermet._module.args.ipv4} \
+ meta l4proto { udp, tcp } th dport domain \
+ counter accept comment "nsupdate: DNS"
+ skuid ${users.nsupdate.name} \
tcp dport ssdp \
counter accept \
comment "SSDP automatic opening"
- skuid {${users.upnpc.name},${users.nsupdate.name}} \
+ skuid ${users.nsupdate.name} \
ip daddr 239.255.255.250 udp dport ssdp \
- set add udp sport @ssdp_out \
+ set add udp sport @nsupdate-ssdp \
comment "SSDP automatic opening"
- skuid {${users.upnpc.name},${users.nsupdate.name}} \
+ skuid ${users.nsupdate.name} \
ip daddr 239.255.255.250 udp dport ssdp \
counter accept comment "SSDP"
}
'' + lib.optionalString config.networking.enableIPv6 ''
table inet filter {
chain output-net {
- skuid {${users.upnpc.name},${users.nsupdate.name}} \
- ip6 daddr { FF02::C, FF05::C, FF08::C, FF0E::C } udp dport ssdp \
- set add udp sport @ssdp_out comment "SSDP automatic opening"
- skuid {${users.upnpc.name},${users.nsupdate.name}} \
- ip6 daddr { FF02::C, FF05::C, FF08::C, FF0E::C } udp dport ssdp \
+ skuid ${users.nsupdate.name} \
+ ip6 daddr { FF02::C, FF05::C, FF08::C, FF0E::C } \
+ udp dport ssdp \
+ set add udp sport @nsupdate-ssdp \
+ comment "SSDP automatic opening"
+ skuid ${users.nsupdate.name} \
+ ip6 daddr { FF02::C, FF05::C, FF08::C, FF0E::C } \
+ udp dport ssdp \
counter accept comment "SSDP"
}
}
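Review bot: The new egress rule pins the nsupdate user's DNS traffic to `hosts.mermet._module.args.ipv4` (L51), while the script in the same commit still targets `server ns.sourcephile.fr`; if that name ever resolves to a different address, or the resolver returns an AAAA first, the update is silently dropped by this rule with only a counter to show for it. Using the same value on both sides, `server ${hosts.mermet._module.args.ipv4}` in the heredoc, keeps the allow-list and the update target from drifting apart — hedged, since the mapping of ns.sourcephile.fr to mermet is not visible here. The two explanatory comments on the set and the input rule were dropped from this ruleset (L37, L44) and only survive in the upnpc copy; keep a one-liner here, e.g. `# Source ports of nsupdate's own SSDP queries; replies to them are accepted for 5s.` above `set nsupdate-ssdp`. Also note that the IPv4 `set add` rule at L62 has no `counter` while its IPv6 twin and the upnpc version do, which makes the tracing asymmetric.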
group = groups."upnpc".name;
};
users.groups."upnpc" = {};
+ networking.nftables.ruleset =
+ lib.optionalString (cfg.redirections != []) ''
+ table inet filter {
+ # A set containing the udp port(s) to which SSDP replies are allowed.
+ set upnpc-ssdp {
+ type inet_service
+ timeout 5s
+ }
+ chain input-net {
+ # Create a rule for accepting any SSDP packets going to a remembered port.
+ udp dport @upnpc-ssdp counter accept comment "SSDP answer"
+ }
+ chain output-net {
+ skuid ${users.upnpc.name} \
+ tcp dport ssdp \
+ counter accept \
+ comment "SSDP automatic opening"
+ skuid ${users.upnpc.name} \
+ ip daddr 239.255.255.250 udp dport ssdp \
+ set add udp sport @upnpc-ssdp \
+ comment "SSDP automatic opening"
+ skuid ${users.upnpc.name} \
+ ip daddr 239.255.255.250 udp dport ssdp \
+ counter accept \
+ comment "SSDP"
+ }
+ }
+ '' + lib.optionalString config.networking.enableIPv6 ''
+ table inet filter {
+ chain output-net {
+ skuid ${users.upnpc.name} \
+ ip6 daddr { FF02::C, FF05::C, FF08::C, FF0E::C } \
+ udp dport ssdp \
+ set add udp sport @upnpc-ssdp \
+ comment "SSDP automatic opening"
+ skuid ${users.upnpc.name} \
+ ip6 daddr { FF02::C, FF05::C, FF08::C, FF0E::C } \
+ udp dport ssdp \
+ counter accept comment "SSDP"
+ }
+ }
+ '';
};
meta.maintainers = with maintainers; [ julm ];
}
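Review bot: `cfg` at L92 is not bound anywhere in the visible lines of this file section; presumably a `cfg = config.services.upnpc;` exists in a `let` outside the hunk, but the nsupdate module it was copied from spelled it out as `config.services.upnpc.redirections`, so confirm the binding or the ruleset evaluation fails. The `input-net` accept for `@upnpc-ssdp` (L101) admits UDP from any source to a remembered port for the 5s window, whereas SSDP replies only ever come from the LAN gateway; if `input-net` is the internet-facing chain this window is reachable from outside and could be narrowed to the local ranges, `ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } udp dport @upnpc-ssdp counter accept comment "SSDP answer"` (the interface layout is not visible, so the exact match is yours to pick). The `set add` rule at L110 lacks `counter` unlike its siblings, so a missing reply cannot be told apart from a query that never left.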