diff --git a/hosts/web-arm/configuration.nix b/hosts/web-arm/configuration.nix
index 3663089..c653b61 100644
--- a/hosts/web-arm/configuration.nix
+++ b/hosts/web-arm/configuration.nix
@@ -16,6 +16,7 @@
 ./modules/grafana.nix
 ./modules/loki.nix
 ./modules/victoriametrics.nix
+ ./modules/updns.nix
 ./utils/modules/autoupgrade.nix
 ./utils/modules/promtail
@@ -50,6 +51,10 @@
 ./sites/lena-schilling.at.nix
 ];
+ nixpkgs.overlays = [
+ (import ./overlays/packages.nix)
+ ];
+
 nixpkgs.config.permittedInsecurePackages = [
 "openssl-1.1.1v"
 "openssl-1.1.1w"
diff --git a/hosts/web-arm/modules/updns.nix b/hosts/web-arm/modules/updns.nix
new file mode 100644
index 0000000..c23b49a
--- /dev/null
+++ b/hosts/web-arm/modules/updns.nix
@@ -0,0 +1,96 @@
+{ config, pkgs, ... }:
+
+{
+ users.users.updns = {
+ isSystemUser = true;
+ group = "updns";
+ home = "/var/lib/updns";
+ createHome = true;
+ description = "UpDNS service user";
+ };
+ users.groups.updns = { };
+
+ sops.secrets.updns-token = {
+ owner = "updns";
+ restartUnits = [ "updns.service" ];
+ };
+
+ environment.etc."updns/config.yaml" = {
+ mode = "0400";
+ user = "updns";
+ group = "updns";
+ text = ''
+ server:
+ bind_address: ":9090"
+ tls:
+ enabled: false
+ cert_file: "cert.pem"
+ key_file: "key.pem"
+ upstream:
+ provider: hetzner
+ hetzner:
+ api_token_file: "${config.sops.secrets.updns-token.path}"
+ clients:
+ ghetto_at:
+ secret_hash: "$2a$10$jzRYwqTQzSqMHnQNe.s8L.O2YcvzoPqgHkO1LklQhsD9UBLpI7Knu"
+ exact:
+ - "ghetto.smart.cloonar.com"
+ '';
+ };
+
+ systemd.services.updns = {
+ description = "UpDNS Service";
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ serviceConfig = {
+ Type = "simple";
+ User = "updns";
+ Group = "updns";
+ WorkingDirectory = "/var/lib/updns";
+ ExecStart = "${pkgs.updns}/bin/updns -config /etc/updns/config.yaml";
+ Restart = "always";
+ RestartSec = "10s";
+ StateDirectory = "updns";
+ LogsDirectory = "updns";
+ RuntimeDirectory = "updns";
+
+ # Security settings
+ NoNewPrivileges = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+ PrivateTmp = true;
+ PrivateDevices = true;
+ ProtectKernelTunables = true;
+ ProtectKernelModules = true;
+ ProtectControlGroups = true;
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ RestrictRealtime = true;
+ RestrictSUIDSGID = true;
+ CapabilityBoundingSet = "";
+ };
+ };
+
+ services.nginx.virtualHosts."updns.cloonar.com" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9090";
+ proxyWebsockets = true;
+ extraConfig =
+ 
"proxy_set_header X-Forwarded-Proto 'https';" + + "proxy_set_header X-Forwarded-Ssl on;" + + "proxy_connect_timeout 300;" + + "proxy_send_timeout 300;" + + "proxy_read_timeout 300;" + + "send_timeout 300;"
+ ;
+ };
+ };
+}
diff --git a/hosts/web-arm/overlays/packages.nix b/hosts/web-arm/overlays/packages.nix
new file mode 100644
index 0000000..8b4c50d
--- /dev/null
+++ b/hosts/web-arm/overlays/packages.nix
@@ -0,0 +1,5 @@
+self: super: {
+ updns = self.callPackage ../pkgs/updns.nix { };
+
+ # vscode-insiders = (super.callPackage ../pkgs/vscode-insiders.nix { });
+}
diff --git a/hosts/web-arm/pkgs/updns.nix b/hosts/web-arm/pkgs/updns.nix
new file mode 100644
index 0000000..932e52a
--- /dev/null
+++ b/hosts/web-arm/pkgs/updns.nix
@@ -0,0 +1,23 @@
+{ lib, buildGoModule, fetchgit }:
+
+buildGoModule rec {
+ pname = "updns";
+ version = "1.0.1";
+
+ src = fetchgit {
+ url = "https://git.cloonar.com/Cloonar/updns.git";
+ rev = "100cad5acde8a174f2cc36b6af577a440c528865";
+ sha256 = "sha256-nQU1CCbCw/8JjMErdfasyR4jyvONuEImUiqdbVut2FA=";
+ };
+
+ vendorHash = "sha256-PipUC/Sks7j/p9io/eHamfkbIKWsfKIDFZun2sKrWDY=";
+
+ subPackages = [ "cmd/updns" ];
+
+ meta = with lib; {
+ description = "UpDNS - A simple ACME DNS Proxy";
+ homepage = "https://git.cloonar.com/Cloonar/updns";
+ license = licenses.mit; # Adjust based on your project's license
+ maintainers = [ ];
+ };
+}
diff --git a/hosts/web-arm/secrets.yaml b/hosts/web-arm/secrets.yaml
index 075ffee..a5d2fd6 100644
--- a/hosts/web-arm/secrets.yaml
+++ b/hosts/web-arm/secrets.yaml
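Review bot: The updns listener in `environment.etc."updns/config.yaml"` binds `bind_address: ":9090"` on every interface with `tls: enabled: false`, while nginx only proxies to `http://127.0.0.1:9090` behind `forceSSL`; unless the host firewall keeps 9090 closed, the plaintext listener is reachable directly and the TLS/ACME front door is bypassed. Bind it to loopback instead: `bind_address: "127.0.0.1:9090"`, with a comment such as `# TLS is terminated by nginx (virtualHost updns.cloonar.com); keep this on loopback`. Separately, the `text` of an `environment.etc` entry is written to the world-readable Nix store before being installed with `mode = "0400"`, so the client `secret_hash` bcrypt value (and the token file path) are readable by any local user despite the mode; rendering the file from sops at activation (sops-nix `sops.templates` with the hash held as a secret) would keep that material out of the store. The `CapabilityBoundingSet = ""` plus unprivileged port combination is fine and worth a one-line comment so nobody later "fixes" it by adding `CAP_NET_BIND_SERVICE`.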
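Review bot: The commented-out `# vscode-insiders = (super.callPackage ../pkgs/vscode-insiders.nix { });` line in overlays/packages.nix is dead code that looks carried over from another host — this commit adds no `pkgs/vscode-insiders.nix` — and should be removed rather than left as a stale hint in a server overlay. If the overlay is meant to grow, a one-line header comment stating its purpose (`# Host-local packages not in nixpkgs; each entry is a callPackage of ../pkgs/<name>.nix`) is more useful than a disabled example.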
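Review bot: `license = licenses.mit; # Adjust based on your project's license` in pkgs/updns.nix is a template placeholder left in place; confirm the actual license of the pinned revision and drop the comment, or leave `meta.license` unset rather than asserting MIT. `rec` is unnecessary here because no attribute references `pname` or `version`, and `rev` is a raw commit hash that nothing ties to `version = "1.0.1"`, so the two can drift silently; either drop `rec` or, if the repository tags releases, derive the fetch from the version tag so a bump changes both together.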
@@ -22,6 +22,7 @@ pushover-api-token: ENC[AES256_GCM,data:itcWlyaJi+saBmhLabOOgbOej9yxQgCIiwU9uuOg pushover-user-key: ENC[AES256_GCM,data:swXKXMAeCyYbBQNAEEpDTJXjdNmFFVWnhExAqfnn,iv:AZd6phibpwEX97U/SzeiRoFFL3TviSONwOWkPsXdcKc=,tag:+mzfrxHpTWOzb3bEzN3D5Q==,type:str] zammad-db-password: ENC[AES256_GCM,data:4LkMM06cs9H/ricsE+2LNin8PIn4MLbi+TaYpESeAhUz7M6JFcoLGdn2Rws3crGuCWVLColh1bv0hALLSYQs2Q==,iv:MIufiAixz6wLp1byQ2tiAx27jJGUAnVGs8KLWLaqk+4=,tag:Wbq6V3661r3Ue942q1jBRg==,type:str] zammad-key-base: ENC[AES256_GCM,data:IERHJKzK/kRa4P6EfpSzt/9Xj1I0/YGl/Fj8ISA/WQFn4+hu9VqdJzMoVgZexbjhpB+fPWmxwyGBhrsJRf77zJGosRzG+4MPWPw6Yggai6TGbZkxj5St+I7nm9KZbtkCbo3pH3YLXhKCFVZJuSNtBb9Y3sqd0h8XcygMQbaf2Js=,iv:FEZUOBulpPDGUuJztod+r/17MEmojKrOe+HptecMdTo=,tag:ZsFKuUKaCgc01/iDJgbkNQ==,type:str] +updns-token: ENC[AES256_GCM,data:ara0AMf87hw+oBdxwAaOBL0yTyxdbz1qmcA6NuUei1s=,iv:G3JLP4VYMcTszpP6LLl1ygz1LSrjUKM2HwKHtySz5ck=,tag:5E5Z/E790j7jUNDEr4u+dw==,type:str] sops: kms: [] gcp_kms: [] @@ -64,8 +65,8 @@ sops: elpYSDg2Y09Ia1VEaE9yUWRYMlk4V0UKcsiKxtTdtAT7odCCua7wV/3879QEp2YJ iIVgZIrTg34tEGj8VbACcGINZfid3SSkUM4hnydP72ZOOfijIN21Ew== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-31T15:45:49Z" - mac: ENC[AES256_GCM,data:BjoytvHEO/mvFUdAN/jf3EnwIjmWzSbY3TgCOjIp4zlVi+QrtwLD1G6fTN6q8tWOrYUBETS93q5FsCHKqCh58TEp/JZSnw2OhODBAn8LmdNvbvXX3dNFkVvjLsLH9rl4knMD5gr2fSc+YqHsTcb1sKBom7pFEsRppnnbU6h+FZo=,iv:ipoiDA2Er9gaqKg5bbjvVSC3RTiUV+t7J72ns5IEdac=,tag:1/4KRpnUnm14jGAdS6EoxA==,type:str] + lastmodified: "2025-04-25T20:27:51Z" + mac: ENC[AES256_GCM,data:63q8gzmWqAIrXaMSJHRNpGr68FL+2Mi87YJ96u9DSKXIFPY16+ProjBuN/A9A0nCXNQO1hrEdK5QcdKjPAPc9wT8wm0+l5QsikCS/xuuSAEINby+BifxHHkUkqJtDUuUHFIkovFrjiY0U/OxBHZnytOSFaIkYbyA2bIEHezs2g8=,iv:MmURwYSxmqG0RgaQrxvHSBdh3r+Y+h5GRLRssmpFAFU=,tag:Zy0imRn6+pPEsKhlvYMF4Q==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.4