Add agenix, spigot-server and ionos-dyndns to gilgamesh config

Add ionos-dyndns module for the NixOS config
Add runtime dependencies to ionos-dyndns package
2023-11-19 03:09:42 +01:00 · 2023-11-19 03:05:31 +01:00 · 2023-11-19 03:04:52 +01:00 · 2023-11-19 03:04:01 +01:00 · 2023-11-19 02:59:34 +01:00
10 changed files with 284 additions and 15 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,47 @@
 {
  "nodes": {
    "agenix": {
      "inputs": {
        "darwin": "darwin",
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs"
      },
      "locked": {
        "lastModified": 1696775529,
        "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
        "owner": "ryantm",
        "repo": "agenix",
        "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4",
        "type": "github"
      },
      "original": {
        "owner": "ryantm",
        "repo": "agenix",
        "type": "github"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1673295039,
        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
        "ref": "master",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
@ -18,7 +60,44 @@
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1682203081,
        "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1677676435,
        "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1686259070,
        "narHash": "sha256-bJ2TqJHMdU27o3+AlYzsDooUzneFHwvK5LaRv5JYit4=",
@ -35,8 +114,9 @@
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs_2"
      }
    },
    "systems": {
--- a/flake.nix
+++ b/flake.nix
@ -5,9 +5,10 @@
    # lib
    nixpkgs.url = github:nixos/nixpkgs;
    flake-utils.url = github:numtide/flake-utils;
    agenix.url = github:ryantm/agenix;
  };
-  outputs = { self, nixpkgs, flake-utils }: flake-utils.lib.eachDefaultSystem (system:
+  outputs = { self, nixpkgs, flake-utils, agenix }: flake-utils.lib.eachDefaultSystem (system:
    let
      pkgs = nixpkgs.legacyPackages.${system};
    in
@ -16,6 +17,7 @@
          buildInputs = [
            pkgs.ansible
            pkgs.ansible-lint
            agenix.packages.${system}.default
          ];
          shellHook = ''
--- a/nix/gilgamesh/configuration.nix
+++ b/nix/gilgamesh/configuration.nix
@ -1,9 +1,16 @@
 { config, pkgs, lib, ... }:
-{
+let
  agenix = builtins.fetchTarball {
    url = "https://github.com/ryantm/agenix/archive/daf42cb35b2dc614d1551e37f96406e4c4a2d3e4.tar.gz";
    sha256 = "0gbn01hi8dh7s9rc66yawnmixcasadf20zci4ijzpd143ph492ad";
  };
 in {
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
-      ./spigot.nix
+      "${agenix}/modules/age.nix"
      ../modules/spigot-server.nix
      ../modules/ionos-dyndns.nix
    ];
  # Use the GRUB 2 boot loader.
@ -77,13 +84,38 @@
    nssmdns = true;
  };
-  services.spigot = {
+  services.spigot-server = {
    enable = true;
    user = "spigot";
  };
  # Secrets management
  age.secrets = {
    ionos-prefix = {
      file = ../secrets/ionos-prefix.age;
      owner = "ionos-dyndns";
      group = "ionos-dyndns";
    };
    ionos-secret = {
      file = ../secrets/ionos-secret.age;
      owner = "ionos-dyndns";
      group = "ionos-dyndns";
    };
  };
  # DynDNS stuff. IONOS has a (proprietary?) API for this,
  # so we're using a Python script from the interwebs :shrug:
-  # TODO: Config using agenix
+  services.ionos-dyndns = {
    enable = true;
    # Must match the user owning the secrets below. See agenix config
    # above for more details.
    user = "ionos-dyndns";
    apiPrefixPath = config.age.secrets.ionos-prefix.path;
    apiSecretPath = config.age.secrets.ionos-secret.path;
    aaaa = true;
    fqdn = "blocks.beany.club";
    interface = "enp0s25";
  };
  # Open ports in the firewall.
  networking.firewall.allowedTCPPorts = [ 25565 ];
--- a/nix/modules/ionos-dyndns.nix
+++ b/nix/modules/ionos-dyndns.nix
@ -0,0 +1,118 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.ionos-dyndns;
  ionos-dyndns = pkgs.callPackage ../packages/ionos-dyndns.nix {};
  command = lib.concatStringsSep " " (
    [
      "${ionos-dyndns}/bin/ionos-dyndns"
      "--api-prefix"
      "$(cat ${cfg.apiPrefixPath})"
      "--api-secret"
      "$(cat ${cfg.apiSecretPath})"
      "--fqdn"
      cfg.fqdn
      "--interface"
      cfg.interface
    ]
    ++ lib.optionals cfg.a [ "--A" ]
    ++ lib.optionals cfg.aaaa [ "--AAAA" ]
  );
 in {
  options = {
    services.ionos-dyndns = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to turn on the IONOS DynDNS timer.
        '';
      };
      user = mkOption {
        type = types.str;
        default = "ionos-dyndns";
      };
      apiPrefixPath = mkOption {
        type = types.path;
        description = ''
          Path of a file holding the API prefix.
        '';
      };
      apiSecretPath = mkOption {
        type = types.path;
        description = ''
          Path of a file holding the API secret.
        '';
      };
      a = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to set the A record (IPv4).
        '';
      };
      aaaa = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to set the AAAA record (IPv6).
        '';
      };
      fqdn = mkOption {
        type = types.str;
        description = ''
          Fully qualified domain name for this host.
        '';
      };
      interface = mkOption {
        type = types.str;
        description = ''
          Interface to get the IP address from.
        '';
      };
      interval = mkOption {
        type = types.str;
        default = "14m";
        description = "How often to run the update script in systemd.timers notation.";
      };
      serviceName = mkOption {
        type = types.str;
        default = "ionos-dyndns";
      };
    };
  };
  config = mkIf cfg.enable {
    users = {
      users = {
        ${cfg.user} = {
          isSystemUser = true;
          group = cfg.user;
          description = "IONOS DynDNS user.";
        };
      };
      groups = {
        ${cfg.user} = {
        };
      };
    };
    systemd = {
      services.${cfg.serviceName} = {
        serviceConfig = {
          Type = "oneshot";
          User = cfg.user;
          # We assume that command doesn't contain any single quotes
          ExecStart = "${pkgs.bash}/bin/bash -c '${command}'";
        };
      };
      timers.${cfg.serviceName} = {
        wantedBy = [ "timers.target" ];
        timerConfig = {
          Unit = "${cfg.serviceName}.service";
          OnBootSec = "30s";
          OnActiveSec = cfg.interval;
        };
      };
    };
  };
 }
--- a/nix/modules/spigot-server.nix
+++ b/nix/modules/spigot-server.nix
@ -3,12 +3,11 @@ with lib;
 let
  ionos-dyndns = pkgs.callPackage ../packages/ionos-dyndns.nix {};
  spigot-server = pkgs.callPackage ../packages/spigot-server.nix {};
-  cfg = config.services.spigot;
+  cfg = config.services.spigot-server;
  name = "spigot";
  StateDirectory = "spigot-server";
 in {
  options = {
-    services.spigot = {
+    services.spigot-server = {
      enable = mkOption {
        type = types.bool;
        default = false;
@ -19,9 +18,9 @@ in {
      user = mkOption {
        type = types.str;
-        default = name;
+        default = "spigot-server";
        description = ''
-           The user account and group that Spigot runs as.
+          The user account and group that Spigot runs as.
        '';
      };
    };
@ -29,14 +28,14 @@ in {
  config = mkIf cfg.enable {
    users.users = {
-      ${name} = {
+      ${cfg.user} = {
        isSystemUser = true;
-        group = name;
+        group = cfg.user;
        description = "Spigot Minecraft server user";
      };
    };
    users.groups = {
-      ${name} = {
+      ${cfg.user} = {
      };
    };
--- a/nix/packages/ionos-dyndns.nix
+++ b/nix/packages/ionos-dyndns.nix
@ -1,9 +1,16 @@
 {
  fetchFromGitHub,
  lib,
  makeWrapper,
  stdenv,
  # Runtime Dependencies
-  python3
+  python3,
  # grep
  gnugrep,
  # ip
  iproute2,
  # hostname
  hostname
 }:
 let
  pythonWithDeps = python3.withPackages (p: [p.requests]);
@ -24,6 +31,7 @@ in stdenv.mkDerivation rec {
    install -Dm755 $src/ionos_dyndns.py $out/lib/ionos_dyndns.py
    makeWrapper ${pythonWithDeps}/bin/python3 $out/bin/ionos-dyndns \
      --set PATH ${lib.makeBinPath [ iproute2 gnugrep hostname ]} \
      --add-flags $out/lib/ionos_dyndns.py
  '';
 }
--- a/nix/secrets/README.md
+++ b/nix/secrets/README.md
@ -0,0 +1,11 @@
 # secrets
 > Nix configuration secrets managed with [agenix](https://github.com/ryantm/agenix#tutorial).
 Use `nix develop` in the repository root to drop into a shell with `agenix`.
 ## Editing files
 ```
 agenix -e <thingamajig.age>
 ```
--- a/nix/secrets/ionos-prefix.age
+++ b/nix/secrets/ionos-prefix.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 9V3MUQ 7+lohnPlQALVPEGo2LwS2fj5r2RCKaVeEFmi6EYEyCE
 9U6eAthRVd5ry0ej79FEy3oRG3okJTwY6zSN1u68H1o
 -> ssh-ed25519 CcM6/g QQX9SsgKkk8YdUPRKj9Tda8mf6qRJ7ywtP6IIpN9fxo
 3Ml2+1+AQMwr5Lnv84pYOee/s5mzfVdsHRLaUIAKNFk
 -> i)!b3gaJ-grease 7|bwS ?k2JgF E-G 2HI
 0mFbZ22lqvLd
 --- 0+CwYGJlJC7bRbokHSlv+V4JKppBo+/ocfjp2NQBD3Q
 JDv<04>8ě ë<C2A0>¶ÚŤÄ÷8é V/Ă'O”M¸x×é!Č¸TÉA7ÍK5#É8©&•Ř-VqČ&}ů]ráÂ
--- a/nix/secrets/ionos-secret.age
+++ b/nix/secrets/ionos-secret.age
--- a/nix/secrets/secrets.nix
+++ b/nix/secrets/secrets.nix
@ -0,0 +1,10 @@
 let
  # Users
  paul = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMFqREiw3EareYXntIrm1/numKDo113zx1WMOFO69LJ";
  # Systems
  gilgamesh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDmLWYK6/4/Fh+wsoiz9+PCHvNcP2/wu2GvfzrqXCGA";
 in {
  "ionos-prefix.age".publicKeys = [ paul gilgamesh ];
  "ionos-secret.age".publicKeys = [ paul gilgamesh ];
 }
Author	SHA1	Message	Date
Paul Brinkmeier	f2f12a2688	Add agenix, spigot-server and ionos-dyndns to gilgamesh config All checks were successful Check / Lint Ansible Files (push) Successful in 3m1s Details	2023-11-19 03:09:42 +01:00
Paul Brinkmeier	e61a07f8d3	Add ionos-dyndns module for the NixOS config	2023-11-19 03:05:31 +01:00
Paul Brinkmeier	ea38d94178	Add runtime dependencies to ionos-dyndns package	2023-11-19 03:04:52 +01:00
Paul Brinkmeier	81771725d0	Add agenix secrets for IONOS dyndns	2023-11-19 03:04:01 +01:00
Paul Brinkmeier	06345cd04c	Add agenix to dev flake	2023-11-19 02:59:34 +01:00