diff options
-rw-r--r-- | third_party/ddclient/default.nix | 12 | ||||
-rw-r--r-- | third_party/ddclient/module.nix | 230 | ||||
-rw-r--r-- | third_party/ddclient/pkg.nix | 45 | ||||
-rw-r--r-- | users/aspen/secrets/bbbg.age | bin | 733 -> 598 bytes | |||
-rw-r--r-- | users/aspen/secrets/buildkite-ssh-key.age | bin | 3883 -> 3833 bytes | |||
-rw-r--r-- | users/aspen/secrets/buildkite-token.age | bin | 623 -> 483 bytes | |||
-rw-r--r-- | users/aspen/secrets/cloudflare.age | bin | 450 -> 409 bytes | |||
-rw-r--r-- | users/aspen/secrets/ddclient-password.age | bin | 429 -> 360 bytes | |||
-rw-r--r-- | users/aspen/secrets/secrets.nix | 2 | ||||
-rw-r--r-- | users/aspen/secrets/windtunnel-bot-github-token.age | 18 | ||||
-rw-r--r-- | users/aspen/system/system/machines/mugwump.nix | 14 | ||||
-rw-r--r-- | users/aspen/system/system/machines/ogopogo.nix | 24 |
12 files changed, 33 insertions, 312 deletions
diff --git a/third_party/ddclient/default.nix b/third_party/ddclient/default.nix deleted file mode 100644 index 28b036ea66fc..000000000000 --- a/third_party/ddclient/default.nix +++ /dev/null @@ -1,12 +0,0 @@ -# Users of this package & module should replace it with something like -# inadyn, after https://github.com/NixOS/nixpkgs/issues/242330 is -# landed. -# -# TODO(aspen): replace ddclient with inadyn or something else. -{ pkgs, ... }: - -(pkgs.callPackage ./pkg.nix { }).overrideAttrs (old: { - passthru = old.passthru // { - module = ./module.nix; - }; -}) diff --git a/third_party/ddclient/module.nix b/third_party/ddclient/module.nix deleted file mode 100644 index c8d68f9be932..000000000000 --- a/third_party/ddclient/module.nix +++ /dev/null @@ -1,230 +0,0 @@ -# SPDX-License-Identifier: MIT -# SPDX-FileCopyrightText: Copyright (c) 2003-2023 The Nixpkgs/NixOS contributors -{ config, pkgs, lib, ... }: - -let - cfg = config.services.deprecated-ddclient; - boolToStr = bool: if bool then "yes" else "no"; - dataDir = "/var/lib/ddclient"; - StateDirectory = builtins.baseNameOf dataDir; - RuntimeDirectory = StateDirectory; - - configFile' = pkgs.writeText "ddclient.conf" '' - # This file can be used as a template for configFile or is automatically generated by Nix options. - cache=${dataDir}/ddclient.cache - foreground=YES - use=${cfg.use} - login=${cfg.username} - password=${if cfg.protocol == "nsupdate" then "/run/${RuntimeDirectory}/ddclient.key" else "@password_placeholder@"} - protocol=${cfg.protocol} - ${lib.optionalString (cfg.script != "") "script=${cfg.script}"} - ${lib.optionalString (cfg.server != "") "server=${cfg.server}"} - ${lib.optionalString (cfg.zone != "") "zone=${cfg.zone}"} - ssl=${boolToStr cfg.ssl} - wildcard=YES - quiet=${boolToStr cfg.quiet} - verbose=${boolToStr cfg.verbose} - ${cfg.extraConfig} - ${lib.concatStringsSep "," cfg.domains} - ''; - configFile = if (cfg.configFile != null) then cfg.configFile else configFile'; - - preStart = '' - install --mode=600 --owner=$USER ${configFile} /run/${RuntimeDirectory}/ddclient.conf - ${lib.optionalString (cfg.configFile == null) (if (cfg.protocol == "nsupdate") then '' - install --mode=600 --owner=$USER ${cfg.passwordFile} /run/${RuntimeDirectory}/ddclient.key - '' else if (cfg.passwordFile != null) then '' - "${pkgs.replace-secret}/bin/replace-secret" "@password_placeholder@" "${cfg.passwordFile}" "/run/${RuntimeDirectory}/ddclient.conf" - '' else '' - sed -i '/^password=@password_placeholder@$/d' /run/${RuntimeDirectory}/ddclient.conf - '')} - ''; - -in - -with lib; - -{ - ###### interface - - options = { - - services.deprecated-ddclient = with lib.types; { - - enable = mkOption { - default = false; - type = bool; - description = lib.mdDoc '' - Whether to synchronise your machine's IP address with a dynamic DNS provider (e.g. dyndns.org). - ''; - }; - - package = mkOption { - type = package; - default = pkgs.ddclient; - defaultText = lib.literalExpression "pkgs.ddclient"; - description = lib.mdDoc '' - The ddclient executable package run by the service. - ''; - }; - - domains = mkOption { - default = [ "" ]; - type = listOf str; - description = lib.mdDoc '' - Domain name(s) to synchronize. - ''; - }; - - username = mkOption { - # For `nsupdate` username contains the path to the nsupdate executable - default = lib.optionalString (cfg.protocol == "nsupdate") "${pkgs.bind.dnsutils}/bin/nsupdate"; - defaultText = ""; - type = str; - description = lib.mdDoc '' - User name. - ''; - }; - - passwordFile = mkOption { - default = null; - type = nullOr str; - description = lib.mdDoc '' - A file containing the password or a TSIG key in named format when using the nsupdate protocol. - ''; - }; - - interval = mkOption { - default = "10min"; - type = str; - description = lib.mdDoc '' - The interval at which to run the check and update. - See {command}`man 7 systemd.time` for the format. - ''; - }; - - configFile = mkOption { - default = null; - type = nullOr path; - description = lib.mdDoc '' - Path to configuration file. - When set this overrides the generated configuration from module options. - ''; - example = "/root/nixos/secrets/ddclient.conf"; - }; - - protocol = mkOption { - default = "dyndns2"; - type = str; - description = lib.mdDoc '' - Protocol to use with dynamic DNS provider (see https://sourceforge.net/p/ddclient/wiki/protocols). - ''; - }; - - server = mkOption { - default = ""; - type = str; - description = lib.mdDoc '' - Server address. - ''; - }; - - ssl = mkOption { - default = true; - type = bool; - description = lib.mdDoc '' - Whether to use SSL/TLS to connect to dynamic DNS provider. - ''; - }; - - quiet = mkOption { - default = false; - type = bool; - description = lib.mdDoc '' - Print no messages for unnecessary updates. - ''; - }; - - script = mkOption { - default = ""; - type = str; - description = lib.mdDoc '' - script as required by some providers. - ''; - }; - - use = mkOption { - default = "web, web=checkip.dyndns.com/, web-skip='Current IP Address: '"; - type = str; - description = lib.mdDoc '' - Method to determine the IP address to send to the dynamic DNS provider. - ''; - }; - - verbose = mkOption { - default = false; - type = bool; - description = lib.mdDoc '' - Print verbose information. - ''; - }; - - zone = mkOption { - default = ""; - type = str; - description = lib.mdDoc '' - zone as required by some providers. - ''; - }; - - extraConfig = mkOption { - default = ""; - type = lines; - description = lib.mdDoc '' - Extra configuration. Contents will be added verbatim to the configuration file. - ::: {.note} - `daemon` should not be added here because it does not work great with the systemd-timer approach the service uses. - ::: - ''; - }; - }; - }; - - - ###### implementation - - config = mkMerge [ - (mkIf cfg.enable { - systemd.services.ddclient = { - description = "Dynamic DNS Client"; - wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; - restartTriggers = optional (cfg.configFile != null) cfg.configFile; - path = lib.optional (lib.hasPrefix "if," cfg.use) pkgs.iproute2; - - serviceConfig = { - DynamicUser = true; - RuntimeDirectoryMode = "0700"; - inherit RuntimeDirectory; - inherit StateDirectory; - Type = "oneshot"; - ExecStartPre = "!${pkgs.writeShellScript "ddclient-prestart" preStart}"; - ExecStart = "${lib.getBin cfg.package}/bin/ddclient -file /run/${RuntimeDirectory}/ddclient.conf"; - }; - }; - - systemd.timers.ddclient = { - description = "Run ddclient"; - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = cfg.interval; - OnUnitInactiveSec = cfg.interval; - }; - }; - }) - { - ids.uids.ddclient = 30; - ids.gids.ddclient = 30; - } - ]; -} diff --git a/third_party/ddclient/pkg.nix b/third_party/ddclient/pkg.nix deleted file mode 100644 index 586f3891ac96..000000000000 --- a/third_party/ddclient/pkg.nix +++ /dev/null @@ -1,45 +0,0 @@ -# SPDX-License-Identifier: MIT -# SPDX-FileCopyrightText: Copyright (c) 2003-2023 The Nixpkgs/NixOS contributors -{ lib, fetchFromGitHub, perlPackages, autoreconfHook, iproute2, perl }: - -perlPackages.buildPerlPackage rec { - pname = "ddclient"; - version = "3.10.0"; - - outputs = [ "out" ]; - - src = fetchFromGitHub { - owner = "ddclient"; - repo = "ddclient"; - rev = "v${version}"; - sha256 = "sha256-wWUkjXwVNZRJR1rXPn3IkDRi9is9vsRuNC/zq8RpB1E="; - }; - - postPatch = '' - touch Makefile.PL - ''; - - nativeBuildInputs = [ autoreconfHook ]; - - buildInputs = with perlPackages; [ IOSocketINET6 IOSocketSSL JSONPP ]; - - installPhase = '' - runHook preInstall - # patch sheebang ddclient script which only exists after buildPhase - preConfigure - install -Dm755 ddclient $out/bin/ddclient - install -Dm644 -t $out/share/doc/ddclient COP* README.* ChangeLog.md - runHook postInstall - ''; - - # TODO: run upstream tests - doCheck = false; - - meta = with lib; { - description = "Client for updating dynamic DNS service entries"; - homepage = "https://ddclient.net/"; - license = licenses.gpl2Plus; - platforms = platforms.linux; - maintainers = with maintainers; [ SuperSandro2000 ]; - }; -} diff --git a/users/aspen/secrets/bbbg.age b/users/aspen/secrets/bbbg.age index ebc0df233898..d8294b047191 100644 --- a/users/aspen/secrets/bbbg.age +++ b/users/aspen/secrets/bbbg.age Binary files differdiff --git a/users/aspen/secrets/buildkite-ssh-key.age b/users/aspen/secrets/buildkite-ssh-key.age index d9587f11df4b..062be3b9bd98 100644 --- a/users/aspen/secrets/buildkite-ssh-key.age +++ b/users/aspen/secrets/buildkite-ssh-key.age Binary files differdiff --git a/users/aspen/secrets/buildkite-token.age b/users/aspen/secrets/buildkite-token.age index 320ee06c0937..f55b31fb08ed 100644 --- a/users/aspen/secrets/buildkite-token.age +++ b/users/aspen/secrets/buildkite-token.age Binary files differdiff --git a/users/aspen/secrets/cloudflare.age b/users/aspen/secrets/cloudflare.age index 4f42ee782165..6b3974ec7ab6 100644 --- a/users/aspen/secrets/cloudflare.age +++ b/users/aspen/secrets/cloudflare.age Binary files differdiff --git a/users/aspen/secrets/ddclient-password.age b/users/aspen/secrets/ddclient-password.age index 8d25e3b539bd..bc82063c3a28 100644 --- a/users/aspen/secrets/ddclient-password.age +++ b/users/aspen/secrets/ddclient-password.age Binary files differdiff --git a/users/aspen/secrets/secrets.nix b/users/aspen/secrets/secrets.nix index 5bfb1c3eb08c..778b8ebd6e0a 100644 --- a/users/aspen/secrets/secrets.nix +++ b/users/aspen/secrets/secrets.nix @@ -8,7 +8,7 @@ in { "bbbg.age".publicKeys = [ grfn mugwump bbbg ]; "cloudflare.age".publicKeys = [ grfn mugwump ]; - "ddclient-password.age".publicKeys = [ grfn mugwump ]; + "ddclient-password.age".publicKeys = [ grfn ogopogo ]; "buildkite-ssh-key.age".publicKeys = [ grfn mugwump ogopogo ]; "buildkite-token.age".publicKeys = [ grfn mugwump ogopogo ]; "windtunnel-bot-github-token.age".publicKeys = [ grfn mugwump ogopogo ]; diff --git a/users/aspen/secrets/windtunnel-bot-github-token.age b/users/aspen/secrets/windtunnel-bot-github-token.age index daae99958276..84e852f4c1f1 100644 --- a/users/aspen/secrets/windtunnel-bot-github-token.age +++ b/users/aspen/secrets/windtunnel-bot-github-token.age @@ -1,11 +1,9 @@ age-encryption.org/v1 --> ssh-ed25519 CpJBgQ YaZ2VHyXofn2qnxRrOYO4yPPu77BEPFq/cbnfa+5WAA -VgJQoyJVxirvASD0aDsuzmbNJdIP0kpHa5b72Ri7kr8 --> ssh-ed25519 LfBFbQ cXXW3kQzZL7sU4heujIJGzvfpbX0toL2AgsJl5AZPEg -mhkKn69c/QeCJhYAFgx/MsHrIrXim3OcjkZ/rrckVLs --> ssh-ed25519 GeE7sQ /XcP3pWg+aKF1F0sPu6RpYv3Rfj2J/QI0yjg3Wgfjm0 -d+rsgbMlDJx0VrjD4/nO4UcM10hcrLxcPA3QlY1t7sQ --> "0?-grease k}d?h6 |v -7mV6AFUdCMCrkmLVQaWJPQ ---- I9Ls9AWMkSFCKw7y4pLoTkeGw7h5iROwXLuUm0nfuj8 -~v8&3\.%$ɺtQ͜},BEh w96?U \ No newline at end of file +-> ssh-ed25519 CpJBgQ qVlQpHyewtBSfFIdU8GihXC7JhGbcvQ61ZsJC20wSH4 +mZXwiTICzrG+3aCL67cO6cTWMgHkxhDyBi7tZ8l+QMA +-> ssh-ed25519 LfBFbQ 78NQxflRkRMW5vSP1BEvASSQU2pZAfMwd7T2+6W7NQs +u0x986pFtnD9ZqfL3KnRrdYS5z9LRUPJhcmc8FQOuGo +-> ssh-ed25519 GeE7sQ aqFQGCywSimHNbN5si0PzmESUXwROjrpTe/5UdTyYw4 +X2thEJIyOnNUsA746VwqZhH+44XBfCTvh7VOEg/zew0 +--- ndSgjJv5Tel6ovKl+SBdDHZHlszgsEhOY1HHpNDvf1s +Iʵu*1t(/X˕3ȒVGT|@K<})se9`*z \ No newline at end of file diff --git a/users/aspen/system/system/machines/mugwump.nix b/users/aspen/system/system/machines/mugwump.nix index 4cfa11713495..1daa92f25f42 100644 --- a/users/aspen/system/system/machines/mugwump.nix +++ b/users/aspen/system/system/machines/mugwump.nix @@ -9,7 +9,6 @@ with lib; (depot.path.origSrc + "/ops/modules/prometheus-fail2ban-exporter.nix") (depot.path.origSrc + "/users/aspen/xanthous/server/module.nix") (depot.third_party.agenix.src + "/modules/age.nix") - depot.third_party.ddclient.module ]; networking.hostName = "mugwump"; @@ -83,7 +82,6 @@ with lib; in { cloudflare.file = secret "cloudflare"; - ddclient-password.file = secret "ddclient-password"; buildkite-ssh-key = { file = secret "buildkite-ssh-key"; @@ -164,18 +162,6 @@ with lib; }; }; - services.deprecated-ddclient = { - package = depot.third_party.ddclient; - enable = true; - domains = [ "home.gws.fyi" ]; - interval = "1d"; - zone = "gws.fyi"; - protocol = "cloudflare"; - username = "root@gws.fyi"; - passwordFile = config.age.secretsDir + "/ddclient-password"; - quiet = true; - }; - security.acme.certs."metrics.gws.fyi" = { dnsProvider = "cloudflare"; credentialsFile = config.age.secretsDir + "/cloudflare"; diff --git a/users/aspen/system/system/machines/ogopogo.nix b/users/aspen/system/system/machines/ogopogo.nix index 4b425246034d..4dbb3d14e6ce 100644 --- a/users/aspen/system/system/machines/ogopogo.nix +++ b/users/aspen/system/system/machines/ogopogo.nix @@ -96,4 +96,28 @@ wal_level = "logical"; }; }; + + # ddclient + age.secrets = + let + secret = name: depot.users.aspen.secrets."${name}.age"; + in + { + ddclient-password.file = secret "ddclient-password"; + }; + + services.ddclient = { + enable = true; + domains = [ "home.gws.fyi" ]; + interval = "1d"; + zone = "gws.fyi"; + protocol = "cloudflare"; + username = "root@gws.fyi"; + passwordFile = config.age.secretsDir + "/ddclient-password"; + quiet = true; + } + # TODO(aspen): Remove when upgrading past 4.0.0 + // lib.optionalAttrs (lib.versionOlder pkgs.ddclient.version "4.0.0") { + ssl = false; + }; } |