author | Griffin Smith <grfn@gws.fyi> | 2021-04-01T14·19-0400 |
---|---|---|
committer | glittershark <grfn@gws.fyi> | 2021-04-01T14·32+0000 |
commit | 892fcdc5ab37cde86b9407986ccbf4ee4f45eee4 (patch) | |
tree | fe5fdf25e0469852ac766b34960511c369a2ebdf /users | |
parent | a5f2b446aa6e33b533cf9e16c325cf2360f69693 (diff) |
feat(gs/mugwump): Set up ddclient r/2386
The way this loads the api key is a hack, but also... I don't care! Change-Id: I4d417b1a824007620661188b60b21a1f73867dca Reviewed-on: https://cl.tvl.fyi/c/depot/+/2747 Reviewed-by: glittershark <grfn@gws.fyi> Tested-by: BuildkiteCI
Diffstat (limited to 'users')
-rw-r--r-- | users/glittershark/system/system/machines/mugwump.nix | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/users/glittershark/system/system/machines/mugwump.nix b/users/glittershark/system/system/machines/mugwump.nix
index 22d9e7cd06bd..12524ffeb93f 100644
--- a/users/glittershark/system/system/machines/mugwump.nix
+++ b/users/glittershark/system/system/machines/mugwump.nix
@@ -114,6 +114,32 @@ with lib;
 };
 };
 
+ services.ddclient = {
+ enable = true;
+ domains = [ "home.gws.fyi" ];
+ interval = "1d";
+ zone = "gws.fyi";
+ protocol = "cloudflare";
+ username = "root@gws.fyi";
+ quiet = true;
+ };
+
+ systemd.services.ddclient.serviceConfig = {
+ EnvironmentFile = "/etc/secrets/cloudflare.env";
+ DynamicUser = lib.mkForce false;
+ ExecStart = lib.mkForce (
+ let runtimeDir =
+ config.systemd.services.ddclient.serviceConfig.RuntimeDirectory;
+ in pkgs.writeShellScript "ddclient" ''
+ set -eo pipefail
+
+ ${pkgs.gnused}/bin/sed -i -s s/password=/password=$CLOUDFLARE_API_KEY/ /run/${runtimeDir}/ddclient.conf
+ exec ${pkgs.ddclient}/bin/ddclient \
+ -file /run/${runtimeDir}/ddclient.conf \
+ -login=$CLOUDFLARE_EMAIL \
+ '');
+ };
+
 security.acme.certs."metrics.gws.fyi" = {
 dnsProvider = "namecheap";
 credentialsFile = "/etc/secrets/namecheap.env"; |
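Review bot: The `sed` line in the new ExecStart script splices `$CLOUDFLARE_API_KEY` unquoted and unescaped into `s/password=/password=$CLOUDFLARE_API_KEY/`, so a key containing `/`, `&` or whitespace either fails the unit or writes a wrong password. Because the script runs `set -eo pipefail` without `-u`, a variable missing from `/etc/secrets/cloudflare.env` silently writes an empty password; I would use `set -euo pipefail`, quote the sed expression, and pass `-login="$CLOUDFLARE_EMAIL"`. The hunk does not show how `/run/${runtimeDir}/ddclient.conf` is created, so please confirm it is regenerated on every start (otherwise a restart appends the key a second time) and is not world-readable, now that it holds the key and `DynamicUser` is forced off. If the pinned nixpkgs provides `services.ddclient.passwordFile`, that would avoid the in-place rewrite altogether. The trailing `\` after `-login=$CLOUDFLARE_EMAIL` continues onto nothing and should be dropped.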