feat: add updns

hosts/web-arm/configuration.nix

@@ -16,6 +16,7 @@
     ./modules/grafana.nix
     ./modules/loki.nix
     ./modules/victoriametrics.nix
+    ./modules/updns.nix
 
     ./utils/modules/autoupgrade.nix
     ./utils/modules/promtail
@@ -50,6 +51,10 @@
     ./sites/lena-schilling.at.nix
   ];
 
+  nixpkgs.overlays = [
+    (import ./overlays/packages.nix)
+  ];
+
   nixpkgs.config.permittedInsecurePackages = [
     "openssl-1.1.1v"
     "openssl-1.1.1w"

hosts/web-arm/modules/updns.nix

@@ -0,0 +1,96 @@
+{ config, pkgs, ... }:
+
+{
+  users.users.updns = {
+    isSystemUser = true;
+    group = "updns";
+    home = "/var/lib/updns";
+    createHome = true;
+    description = "UpDNS service user";
+  };
+  users.groups.updns = { };
+
+  sops.secrets.updns-token = {
+    owner = "updns";
+    restartUnits = [ "updns.service" ];
+  };
+
+  environment.etc."updns/config.yaml" = {
+    mode = "0400";
+    user = "updns";
+    group = "updns";
+    text = ''
+      server:
+        bind_address: ":9090"
+        tls:
+          enabled: false
+          cert_file: "cert.pem"
+          key_file: "key.pem"
+      upstream:
+        provider: hetzner
+        hetzner:
+          api_token_file: "${config.sops.secrets.updns-token.path}"
+      clients:
+        ghetto_at:
+          secret_hash: "$2a$10$jzRYwqTQzSqMHnQNe.s8L.O2YcvzoPqgHkO1LklQhsD9UBLpI7Knu"
+          exact:
+            - "ghetto.smart.cloonar.com"
+    '';
+  };
+
+  systemd.services.updns = {
+    description = "UpDNS Service";
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig = {
+      Type = "simple";
+      User = "updns";
+      Group = "updns";
+      WorkingDirectory = "/var/lib/updns";
+      ExecStart = "${pkgs.updns}/bin/updns -config /etc/updns/config.yaml";
+      Restart = "always";
+      RestartSec = "10s";
+      StateDirectory = "updns";
+      LogsDirectory = "updns";
+      RuntimeDirectory = "updns";
+
+      # Security settings
+      NoNewPrivileges = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      PrivateTmp = true;
+      PrivateDevices = true;
+      ProtectKernelTunables = true;
+      ProtectKernelModules = true;
+      ProtectControlGroups = true;
+      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+      RestrictNamespaces = true;
+      LockPersonality = true;
+      MemoryDenyWriteExecute = true;
+      RestrictRealtime = true;
+      RestrictSUIDSGID = true;
+      CapabilityBoundingSet = "";
+    };
+  };
+
+  services.nginx.virtualHosts."updns.cloonar.com" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:9090";
+      proxyWebsockets = true;
+      extraConfig =
+        "proxy_set_header X-Forwarded-Proto 'https';" +
+        "proxy_set_header X-Forwarded-Ssl on;" +
+        "proxy_connect_timeout  300;" +
+        "proxy_send_timeout     300;" +
+        "proxy_read_timeout     300;" +
+        "send_timeout           300;"
+      ;
+    };
+  };
+}

hosts/web-arm/overlays/packages.nix

@@ -0,0 +1,5 @@
+self: super: {
+  updns = self.callPackage ../pkgs/updns.nix { };
+
+  # vscode-insiders = (super.callPackage ../pkgs/vscode-insiders.nix { });
+}

hosts/web-arm/pkgs/updns.nix

@@ -0,0 +1,23 @@
+{ lib, buildGoModule, fetchgit }:
+
+buildGoModule rec {
+  pname = "updns";
+  version = "1.0.1";
+
+  src = fetchgit {
+    url = "https://git.cloonar.com/Cloonar/updns.git";
+    rev = "100cad5acde8a174f2cc36b6af577a440c528865";
+    sha256 = "sha256-nQU1CCbCw/8JjMErdfasyR4jyvONuEImUiqdbVut2FA=";
+  };
+
+  vendorHash = "sha256-PipUC/Sks7j/p9io/eHamfkbIKWsfKIDFZun2sKrWDY=";
+  
+  subPackages = [ "cmd/updns" ];
+
+  meta = with lib; {
+    description = "UpDNS - A simple ACME DNS Proxy";
+    homepage = "https://git.cloonar.com/Cloonar/updns";
+    license = licenses.mit;  # Adjust based on your project's license
+    maintainers = [ ];
+  };
+}

hosts/web-arm/secrets.yaml

@@ -22,6 +22,7 @@ pushover-api-token: ENC[AES256_GCM,data:itcWlyaJi+saBmhLabOOgbOej9yxQgCIiwU9uuOg
 pushover-user-key: ENC[AES256_GCM,data:swXKXMAeCyYbBQNAEEpDTJXjdNmFFVWnhExAqfnn,iv:AZd6phibpwEX97U/SzeiRoFFL3TviSONwOWkPsXdcKc=,tag:+mzfrxHpTWOzb3bEzN3D5Q==,type:str]
 zammad-db-password: ENC[AES256_GCM,data:4LkMM06cs9H/ricsE+2LNin8PIn4MLbi+TaYpESeAhUz7M6JFcoLGdn2Rws3crGuCWVLColh1bv0hALLSYQs2Q==,iv:MIufiAixz6wLp1byQ2tiAx27jJGUAnVGs8KLWLaqk+4=,tag:Wbq6V3661r3Ue942q1jBRg==,type:str]
 zammad-key-base: ENC[AES256_GCM,data:IERHJKzK/kRa4P6EfpSzt/9Xj1I0/YGl/Fj8ISA/WQFn4+hu9VqdJzMoVgZexbjhpB+fPWmxwyGBhrsJRf77zJGosRzG+4MPWPw6Yggai6TGbZkxj5St+I7nm9KZbtkCbo3pH3YLXhKCFVZJuSNtBb9Y3sqd0h8XcygMQbaf2Js=,iv:FEZUOBulpPDGUuJztod+r/17MEmojKrOe+HptecMdTo=,tag:ZsFKuUKaCgc01/iDJgbkNQ==,type:str]
+updns-token: ENC[AES256_GCM,data:ara0AMf87hw+oBdxwAaOBL0yTyxdbz1qmcA6NuUei1s=,iv:G3JLP4VYMcTszpP6LLl1ygz1LSrjUKM2HwKHtySz5ck=,tag:5E5Z/E790j7jUNDEr4u+dw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -64,8 +65,8 @@ sops:
             elpYSDg2Y09Ia1VEaE9yUWRYMlk4V0UKcsiKxtTdtAT7odCCua7wV/3879QEp2YJ
             iIVgZIrTg34tEGj8VbACcGINZfid3SSkUM4hnydP72ZOOfijIN21Ew==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-31T15:45:49Z"
-    mac: ENC[AES256_GCM,data:BjoytvHEO/mvFUdAN/jf3EnwIjmWzSbY3TgCOjIp4zlVi+QrtwLD1G6fTN6q8tWOrYUBETS93q5FsCHKqCh58TEp/JZSnw2OhODBAn8LmdNvbvXX3dNFkVvjLsLH9rl4knMD5gr2fSc+YqHsTcb1sKBom7pFEsRppnnbU6h+FZo=,iv:ipoiDA2Er9gaqKg5bbjvVSC3RTiUV+t7J72ns5IEdac=,tag:1/4KRpnUnm14jGAdS6EoxA==,type:str]
+    lastmodified: "2025-04-25T20:27:51Z"
+    mac: ENC[AES256_GCM,data:63q8gzmWqAIrXaMSJHRNpGr68FL+2Mi87YJ96u9DSKXIFPY16+ProjBuN/A9A0nCXNQO1hrEdK5QcdKjPAPc9wT8wm0+l5QsikCS/xuuSAEINby+BifxHHkUkqJtDUuUHFIkovFrjiY0U/OxBHZnytOSFaIkYbyA2bIEHezs2g8=,iv:MmURwYSxmqG0RgaQrxvHSBdh3r+Y+h5GRLRssmpFAFU=,tag:Zy0imRn6+pPEsKhlvYMF4Q==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.4