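# NixOS module for the UpDNS service: a dedicated system user, a sops-managed
# Hetzner API token, a hardened systemd unit, and an nginx TLS front end.
#
# The source arrived with every line collapsed onto one; a `#` comment in the
# middle of the systemd block then commented out the rest of the module, so
# the line breaks are restored here (the YAML nesting below is reconstructed
# from key order — confirm it against updns' config schema).
{ config, pkgs, ... }:
{
  # Unprivileged service account; the unit below runs as this user/group.
  users.users.updns = {
    isSystemUser = true;
    group = "updns";
    home = "/var/lib/updns";
    createHome = true;
    description = "UpDNS service user";
  };
  users.groups.updns = { };

  # The upstream API token is decrypted by sops and owned by the service user;
  # the unit is restarted whenever the secret changes.
  sops.secrets.updns-token = {
    owner = "updns";
    restartUnits = [ "updns.service" ];
  };

  # Service configuration file.
  # NOTE(review): environment.etc renders `text` into the world-readable Nix
  # store before linking it into /etc, so mode 0400 protects only the /etc
  # copy — the bcrypt client hash below is readable by every local user.
  # Real secrets belong behind sops (as the token already is); consider moving
  # the client table there as well.
  # NOTE(review): bind_address ":9090" listens on every interface, while nginx
  # only needs 127.0.0.1:9090. Unless another host must reach the service
  # directly, "127.0.0.1:9090" keeps the plaintext listener off the network
  # (or confirm the host firewall keeps 9090 closed).
  environment.etc."updns/config.yaml" = {
    mode = "0400";
    user = "updns";
    group = "updns";
    text = ''
      server:
        bind_address: ":9090"
        tls:
          enabled: false
          cert_file: "cert.pem"
          key_file: "key.pem"
      upstream:
        provider: hetzner
        hetzner:
          api_token_file: "${config.sops.secrets.updns-token.path}"
      clients:
        ghetto_at:
          secret_hash: "$2a$10$jzRYwqTQzSqMHnQNe.s8L.O2YcvzoPqgHkO1LklQhsD9UBLpI7Knu"
          exact:
            - "ghetto.smart.cloonar.com"
    '';
  };

  # TLS is terminated by nginx (tls.enabled: false above); the unit only ever
  # speaks plain HTTP on loopback plus HTTPS to the upstream provider.
  systemd.services.updns = {
    description = "UpDNS Service";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "simple";
      User = "updns";
      Group = "updns";
      WorkingDirectory = "/var/lib/updns";
      ExecStart = "${pkgs.updns}/bin/updns -config /etc/updns/config.yaml";
      Restart = "always";
      RestartSec = "10s";
      # The only writable locations (under /var/lib, /var/log and /run);
      # everything else is read-only via ProtectSystem=strict below.
      StateDirectory = "updns";
      LogsDirectory = "updns";
      RuntimeDirectory = "updns";

      # Security settings
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      ProtectClock = true;
      ProtectHostname = true;
      ProtectProc = "invisible";
      # Only IP sockets are needed (HTTP from nginx, HTTPS to the provider).
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      LockPersonality = true;
      # NOTE(review): safe for a static binary; drop if updns needs W^X pages.
      MemoryDenyWriteExecute = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      SystemCallArchitectures = "native";
      # Non-root user on an unprivileged port: no capabilities required.
      CapabilityBoundingSet = "";
      # Files the service creates in its state/log directories stay private.
      UMask = "0077";
      # NOTE(review): a SystemCallFilter (e.g. "@system-service") would tighten
      # this further; left out until verified against the updns binary.
    };
  };

  # Public TLS endpoint. acmeRoot = null means no per-vhost webroot; challenge
  # handling comes from the settings under security.acme.
  services.nginx.virtualHosts."updns.cloonar.com" = {
    forceSSL = true;
    enableACME = true;
    acmeRoot = null;
    locations."/" = {
      proxyPass = "http://127.0.0.1:9090";
      proxyWebsockets = true;
      # The X-Forwarded-* headers tell updns the original request was HTTPS;
      # the 300 s timeouts presumably cover long-lived websocket sessions.
      extraConfig = ''
        proxy_set_header X-Forwarded-Proto 'https';
        proxy_set_header X-Forwarded-Ssl on;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
        proxy_read_timeout 300;
        send_timeout 300;
      '';
    };
  };
}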