97 lines
2.4 KiB
Nix
97 lines
2.4 KiB
Nix
{ config, pkgs, ... }:
|
|
|
|
{
|
|
users.users.updns = {
|
|
isSystemUser = true;
|
|
group = "updns";
|
|
home = "/var/lib/updns";
|
|
createHome = true;
|
|
description = "UpDNS service user";
|
|
};
|
|
users.groups.updns = { };
|
|
|
|
sops.secrets.updns-token = {
|
|
owner = "updns";
|
|
restartUnits = [ "updns.service" ];
|
|
};
|
|
|
|
environment.etc."updns/config.yaml" = {
|
|
mode = "0400";
|
|
user = "updns";
|
|
group = "updns";
|
|
text = ''
|
|
server:
|
|
bind_address: ":9090"
|
|
tls:
|
|
enabled: false
|
|
cert_file: "cert.pem"
|
|
key_file: "key.pem"
|
|
upstream:
|
|
provider: hetzner
|
|
hetzner:
|
|
api_token_file: "${config.sops.secrets.updns-token.path}"
|
|
clients:
|
|
ghetto_at:
|
|
secret_hash: "$2a$10$jzRYwqTQzSqMHnQNe.s8L.O2YcvzoPqgHkO1LklQhsD9UBLpI7Knu"
|
|
exact:
|
|
- "ghetto.smart.cloonar.com"
|
|
'';
|
|
};
|
|
|
|
systemd.services.updns = {
|
|
description = "UpDNS Service";
|
|
after = [ "network-online.target" ];
|
|
wants = [ "network-online.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
User = "updns";
|
|
Group = "updns";
|
|
WorkingDirectory = "/var/lib/updns";
|
|
ExecStart = "${pkgs.updns}/bin/updns -config /etc/updns/config.yaml";
|
|
Restart = "always";
|
|
RestartSec = "10s";
|
|
StateDirectory = "updns";
|
|
LogsDirectory = "updns";
|
|
RuntimeDirectory = "updns";
|
|
|
|
# Security settings
|
|
NoNewPrivileges = true;
|
|
ProtectSystem = "strict";
|
|
ProtectHome = true;
|
|
PrivateTmp = true;
|
|
PrivateDevices = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectKernelModules = true;
|
|
ProtectControlGroups = true;
|
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
|
RestrictNamespaces = true;
|
|
LockPersonality = true;
|
|
MemoryDenyWriteExecute = true;
|
|
RestrictRealtime = true;
|
|
RestrictSUIDSGID = true;
|
|
CapabilityBoundingSet = "";
|
|
};
|
|
};
|
|
|
|
services.nginx.virtualHosts."updns.cloonar.com" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
acmeRoot = null;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:9090";
|
|
proxyWebsockets = true;
|
|
extraConfig =
|
|
"proxy_set_header X-Forwarded-Proto 'https';" +
|
|
"proxy_set_header X-Forwarded-Ssl on;" +
|
|
"proxy_connect_timeout 300;" +
|
|
"proxy_send_timeout 300;" +
|
|
"proxy_read_timeout 300;" +
|
|
"send_timeout 300;"
|
|
;
|
|
};
|
|
};
|
|
}
|