nixos/hosts/web-arm/modules/updns.nix

{ config, pkgs, ... }:

{
  users.users.updns = {
    isSystemUser = true;
    group = "updns";
    home = "/var/lib/updns";
    createHome = true;
    description = "UpDNS service user";
  };
  users.groups.updns = { };

  sops.secrets.updns-token = {
    owner = "updns";
    restartUnits = [ "updns.service" ];
  };

  environment.etc."updns/config.yaml" = {
    mode = "0400";
    user = "updns";
    group = "updns";
    text = ''
      server:
        bind_address: ":9090"
        tls:
          enabled: false
          cert_file: "cert.pem"
          key_file: "key.pem"
      upstream:
        provider: hetzner
        hetzner:
          api_token_file: "${config.sops.secrets.updns-token.path}"
      clients:
        test:
          secret_hash: "$2a$10$D/R6lX9CGXDb/4j5EV1UYu2GfyDO6hLk1FhpszeqSzME/mI4REsQO"
          exact:
            - "test.smart.cloonar.com"
        ghetto_at:
          secret_hash: "$2a$10$jzRYwqTQzSqMHnQNe.s8L.O2YcvzoPqgHkO1LklQhsD9UBLpI7Knu"
          exact:
            - "ghetto.smart.cloonar.com"
    '';
  };

  systemd.services.updns = {
    description = "UpDNS Service";
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      Type = "simple";
      User = "updns";
      Group = "updns";
      WorkingDirectory = "/var/lib/updns";
      ExecStart = "${pkgs.updns}/bin/updns -config /etc/updns/config.yaml";
      Restart = "always";
      RestartSec = "10s";
      StateDirectory = "updns";
      LogsDirectory = "updns";
      RuntimeDirectory = "updns";

      # Security settings
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
      RestrictNamespaces = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      RestrictRealtime = true;
      RestrictSUIDSGID = true;
      CapabilityBoundingSet = "";
    };
  };

  services.nginx.virtualHosts."updns.cloonar.com" = {
    forceSSL = true;
    enableACME = true;
    acmeRoot = null;

    locations."/" = {
      proxyPass = "http://127.0.0.1:9090";
      proxyWebsockets = true;
      extraConfig =
        "proxy_set_header X-Forwarded-Proto 'https';" +
        "proxy_set_header X-Forwarded-Ssl on;" +
        "proxy_connect_timeout  300;" +
        "proxy_send_timeout     300;" +
        "proxy_read_timeout     300;" +
        "send_timeout           300;"
      ;
    };
  };
}