feat: add updns
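--- a/hosts/web-arm/modules/updns.nix
+++ b/hosts/web-arm/modules/updns.nix
@@ -0,0 +1,96 @@
+{ config, pkgs, ... }:
+
+{
+users.users.updns = {
+isSystemUser = true;
+group = "updns";
+home = "/var/lib/updns";
+createHome = true;
+description = "UpDNS service user";
+};
+users.groups.updns = { };
+
+sops.secrets.updns-token = {
+owner = "updns";
+restartUnits = [ "updns.service" ];
+};
+
+environment.etc."updns/config.yaml" = {
+mode = "0400";
+user = "updns";
+group = "updns";
+text = ''
+server:
+bind_address: ":9090"
+tls:
+enabled: false
+cert_file: "cert.pem"
+key_file: "key.pem"
+upstream:
+provider: hetzner
+hetzner:
+api_token_file: "${config.sops.secrets.updns-token.path}"
+clients:
+ghetto_at:
+secret_hash: "$2a$10$jzRYwqTQzSqMHnQNe.s8L.O2YcvzoPqgHkO1LklQhsD9UBLpI7Knu"
+exact:
+- "ghetto.smart.cloonar.com"
+'';
+};
+
+systemd.services.updns = {
+description = "UpDNS Service";
+after = [ "network-online.target" ];
+wants = [ "network-online.target" ];
+wantedBy = [ "multi-user.target" ];
+
+serviceConfig = {
+Type = "simple";
+User = "updns";
+Group = "updns";
+WorkingDirectory = "/var/lib/updns";
+ExecStart = "${pkgs.updns}/bin/updns -config /etc/updns/config.yaml";
+Restart = "always";
+RestartSec = "10s";
+StateDirectory = "updns";
+LogsDirectory = "updns";
+RuntimeDirectory = "updns";
+
+# Security settings
+NoNewPrivileges = true;
+ProtectSystem = "strict";
+ProtectHome = true;
+PrivateTmp = true;
+PrivateDevices = true;
+ProtectKernelTunables = true;
+ProtectKernelModules = true;
+ProtectControlGroups = true;
+RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+RestrictNamespaces = true;
+LockPersonality = true;
+MemoryDenyWriteExecute = true;
+RestrictRealtime = true;
+RestrictSUIDSGID = true;
+CapabilityBoundingSet = "";
+};
+};
+
+services.nginx.virtualHosts."updns.cloonar.com" = {
+forceSSL = true;
+enableACME = true;
+acmeRoot = null;
+
+locations."/" = {
+proxyPass = "http://127.0.0.1:9090";
+proxyWebsockets = true;
+extraConfig =
+"proxy_set_header X-Forwarded-Proto 'https';" +
+"proxy_set_header X-Forwarded-Ssl on;" +
+"proxy_connect_timeout 300;" +
+"proxy_send_timeout 300;" +
+"proxy_read_timeout 300;" +
+"send_timeout 300;"
+;
+};
+};
+}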
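Review bot: `bind_address: ":9090"` in the generated config.yaml listens on every interface, while the nginx vhost only proxies to 127.0.0.1:9090 behind forceSSL, so the plain-HTTP backend (tls `enabled: false`) is reachable directly on port 9090 by whatever the host firewall lets through, bypassing the TLS front end; binding it to loopback, `bind_address: "127.0.0.1:9090"`, keeps nginx the only entry point. Separately, `environment.etc."updns/config.yaml".text` is rendered into the Nix store (world-readable by default) before being installed with `mode = "0400"`, so that mode does not keep the bcrypt `secret_hash` from other local users; if the hash is meant to stay private, generating the file from a sops secret or sops template instead of `text` keeps it out of the store, as is already done for the API token. One thing to verify on first deploy rather than assume: `RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]` omits AF_UNIX, which glibc-based resolvers on NixOS need to reach the nscd socket, so whether the Hetzner API hostname still resolves depends on how the updns binary does name lookup.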