Add agenix, spigot-server and ionos-dyndns to gilgamesh config

Add ionos-dyndns module for the NixOS config
Add runtime dependencies to ionos-dyndns package
2023-11-19 03:09:42 +01:00 · 2023-11-19 03:05:31 +01:00 · 2023-11-19 03:04:52 +01:00 · 2023-11-19 03:04:01 +01:00 · 2023-11-19 02:59:34 +01:00
10 changed files with 284 additions and 15 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,47 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1696775529,
+        "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1673295039,
+        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
@ -18,7 +60,44 @@
        "type": "github"
      }
    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1682203081,
+        "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
+      "locked": {
+        "lastModified": 1677676435,
+        "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
      "locked": {
        "lastModified": 1686259070,
        "narHash": "sha256-bJ2TqJHMdU27o3+AlYzsDooUzneFHwvK5LaRv5JYit4=",
@ -35,8 +114,9 @@
    },
    "root": {
      "inputs": {
+        "agenix": "agenix",
        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs_2"
      }
    },
    "systems": {
--- a/flake.nix
+++ b/flake.nix
@ -5,9 +5,10 @@
    # lib
    nixpkgs.url = github:nixos/nixpkgs;
    flake-utils.url = github:numtide/flake-utils;
+    agenix.url = github:ryantm/agenix;
  };

-  outputs = { self, nixpkgs, flake-utils }: flake-utils.lib.eachDefaultSystem (system:
+  outputs = { self, nixpkgs, flake-utils, agenix }: flake-utils.lib.eachDefaultSystem (system:
    let
      pkgs = nixpkgs.legacyPackages.${system};
    in
@ -16,6 +17,7 @@
          buildInputs = [
            pkgs.ansible
            pkgs.ansible-lint
+            agenix.packages.${system}.default
          ];

          shellHook = ''
--- a/nix/gilgamesh/configuration.nix
+++ b/nix/gilgamesh/configuration.nix
@ -1,9 +1,16 @@
 { config, pkgs, lib, ... }:
-{
+let
+  agenix = builtins.fetchTarball {
+    url = "https://github.com/ryantm/agenix/archive/daf42cb35b2dc614d1551e37f96406e4c4a2d3e4.tar.gz";
+    sha256 = "0gbn01hi8dh7s9rc66yawnmixcasadf20zci4ijzpd143ph492ad";
+  };
+in {
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
-      ./spigot.nix
+      "${agenix}/modules/age.nix"
+      ../modules/spigot-server.nix
+      ../modules/ionos-dyndns.nix
    ];

  # Use the GRUB 2 boot loader.
@ -77,13 +84,38 @@
    nssmdns = true;
  };

-  services.spigot = {
+  services.spigot-server = {
    enable = true;
+    user = "spigot";
+  };
+
+  # Secrets management
+  age.secrets = {
+    ionos-prefix = {
+      file = ../secrets/ionos-prefix.age;
+      owner = "ionos-dyndns";
+      group = "ionos-dyndns";
+    };
+    ionos-secret = {
+      file = ../secrets/ionos-secret.age;
+      owner = "ionos-dyndns";
+      group = "ionos-dyndns";
+    };
  };

  # DynDNS stuff. IONOS has a (proprietary?) API for this,
  # so we're using a Python script from the interwebs :shrug:
-  # TODO: Config using agenix
+  services.ionos-dyndns = {
+    enable = true;
+    # Must match the user owning the secrets below. See agenix config
+    # above for more details.
+    user = "ionos-dyndns";
+    apiPrefixPath = config.age.secrets.ionos-prefix.path;
+    apiSecretPath = config.age.secrets.ionos-secret.path;
+    aaaa = true;
+    fqdn = "blocks.beany.club";
+    interface = "enp0s25";
+  };

  # Open ports in the firewall.
  networking.firewall.allowedTCPPorts = [ 25565 ];
--- a/nix/modules/ionos-dyndns.nix
+++ b/nix/modules/ionos-dyndns.nix
@ -0,0 +1,118 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.services.ionos-dyndns;
+  ionos-dyndns = pkgs.callPackage ../packages/ionos-dyndns.nix {};
+
+  command = lib.concatStringsSep " " (
+    [
+      "${ionos-dyndns}/bin/ionos-dyndns"
+      "--api-prefix"
+      "$(cat ${cfg.apiPrefixPath})"
+      "--api-secret"
+      "$(cat ${cfg.apiSecretPath})"
+      "--fqdn"
+      cfg.fqdn
+      "--interface"
+      cfg.interface
+    ]
+    ++ lib.optionals cfg.a [ "--A" ]
+    ++ lib.optionals cfg.aaaa [ "--AAAA" ]
+  );
+in {
+  options = {
+    services.ionos-dyndns = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to turn on the IONOS DynDNS timer.
+        '';
+      };
+      user = mkOption {
+        type = types.str;
+        default = "ionos-dyndns";
+      };
+      apiPrefixPath = mkOption {
+        type = types.path;
+        description = ''
+          Path of a file holding the API prefix.
+        '';
+      };
+      apiSecretPath = mkOption {
+        type = types.path;
+        description = ''
+          Path of a file holding the API secret.
+        '';
+      };
+      a = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to set the A record (IPv4).
+        '';
+      };
+      aaaa = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to set the AAAA record (IPv6).
+        '';
+      };
+      fqdn = mkOption {
+        type = types.str;
+        description = ''
+          Fully qualified domain name for this host.
+        '';
+      };
+      interface = mkOption {
+        type = types.str;
+        description = ''
+          Interface to get the IP address from.
+        '';
+      };
+      interval = mkOption {
+        type = types.str;
+        default = "14m";
+        description = "How often to run the update script in systemd.timers notation.";
+      };
+      serviceName = mkOption {
+        type = types.str;
+        default = "ionos-dyndns";
+      };
+    };
+  };
+  config = mkIf cfg.enable {
+    users = {
+      users = {
+        ${cfg.user} = {
+          isSystemUser = true;
+          group = cfg.user;
+          description = "IONOS DynDNS user.";
+        };
+      };
+      groups = {
+        ${cfg.user} = {
+        };
+      };
+    };
+    systemd = {
+      services.${cfg.serviceName} = {
+        serviceConfig = {
+          Type = "oneshot";
+          User = cfg.user;
+          # We assume that command doesn't contain any single quotes
+          ExecStart = "${pkgs.bash}/bin/bash -c '${command}'";
+        };
+      };
+      timers.${cfg.serviceName} = {
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          Unit = "${cfg.serviceName}.service";
+          OnBootSec = "30s";
+          OnActiveSec = cfg.interval;
+        };
+      };
+    };
+  };
+}
--- a/nix/modules/spigot-server.nix
+++ b/nix/modules/spigot-server.nix
@ -3,12 +3,11 @@ with lib;
 let
  ionos-dyndns = pkgs.callPackage ../packages/ionos-dyndns.nix {};
  spigot-server = pkgs.callPackage ../packages/spigot-server.nix {};
-  cfg = config.services.spigot;
-  name = "spigot";
+  cfg = config.services.spigot-server;
  StateDirectory = "spigot-server";
 in {
  options = {
-    services.spigot = {
+    services.spigot-server = {
      enable = mkOption {
        type = types.bool;
        default = false;
@ -19,9 +18,9 @@ in {

      user = mkOption {
        type = types.str;
-        default = name;
+        default = "spigot-server";
        description = ''
-           The user account and group that Spigot runs as.
+          The user account and group that Spigot runs as.
        '';
      };
    };
@ -29,14 +28,14 @@ in {

  config = mkIf cfg.enable {
    users.users = {
-      ${name} = {
+      ${cfg.user} = {
        isSystemUser = true;
-        group = name;
+        group = cfg.user;
        description = "Spigot Minecraft server user";
      };
    };
    users.groups = {
-      ${name} = {
+      ${cfg.user} = {
      };
    };

--- a/nix/packages/ionos-dyndns.nix
+++ b/nix/packages/ionos-dyndns.nix
@ -1,9 +1,16 @@
 {
  fetchFromGitHub,
+  lib,
  makeWrapper,
  stdenv,
  # Runtime Dependencies
-  python3
+  python3,
+  # grep
+  gnugrep,
+  # ip
+  iproute2,
+  # hostname
+  hostname
 }:
 let
  pythonWithDeps = python3.withPackages (p: [p.requests]);
@ -24,6 +31,7 @@ in stdenv.mkDerivation rec {
    install -Dm755 $src/ionos_dyndns.py $out/lib/ionos_dyndns.py

    makeWrapper ${pythonWithDeps}/bin/python3 $out/bin/ionos-dyndns \
+      --set PATH ${lib.makeBinPath [ iproute2 gnugrep hostname ]} \
      --add-flags $out/lib/ionos_dyndns.py
  '';
 }
--- a/nix/secrets/README.md
+++ b/nix/secrets/README.md
@ -0,0 +1,11 @@
+# secrets
+
+> Nix configuration secrets managed with [agenix](https://github.com/ryantm/agenix#tutorial).
+
+Use `nix develop` in the repository root to drop into a shell with `agenix`.
+
+## Editing files
+
+```
+agenix -e <thingamajig.age>
+```
--- a/nix/secrets/ionos-prefix.age
+++ b/nix/secrets/ionos-prefix.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 9V3MUQ 7+lohnPlQALVPEGo2LwS2fj5r2RCKaVeEFmi6EYEyCE
+9U6eAthRVd5ry0ej79FEy3oRG3okJTwY6zSN1u68H1o
+-> ssh-ed25519 CcM6/g QQX9SsgKkk8YdUPRKj9Tda8mf6qRJ7ywtP6IIpN9fxo
+3Ml2+1+AQMwr5Lnv84pYOee/s5mzfVdsHRLaUIAKNFk
+-> i)!b3gaJ-grease 7|bwS ?k2JgF E-G 2HI
+0mFbZ22lqvLd
+--- 0+CwYGJlJC7bRbokHSlv+V4JKppBo+/ocfjp2NQBD3Q
+JDv<04>8ě ë<C2A0>¶ÚŤÄ÷8é V/Ă'O”M¸x×é!Č¸TÉA7ÍK5#É8©&•Ř-VqČ&}ů]ráÂ
--- a/nix/secrets/ionos-secret.age
+++ b/nix/secrets/ionos-secret.age
--- a/nix/secrets/secrets.nix
+++ b/nix/secrets/secrets.nix
@ -0,0 +1,10 @@
+let
+  # Users
+  paul = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMFqREiw3EareYXntIrm1/numKDo113zx1WMOFO69LJ";
+
+  # Systems
+  gilgamesh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDmLWYK6/4/Fh+wsoiz9+PCHvNcP2/wu2GvfzrqXCGA";
+in {
+  "ionos-prefix.age".publicKeys = [ paul gilgamesh ];
+  "ionos-secret.age".publicKeys = [ paul gilgamesh ];
+}
Author	SHA1	Message	Date
Paul Brinkmeier	f2f12a2688	Add agenix, spigot-server and ionos-dyndns to gilgamesh config All checks were successful Check / Lint Ansible Files (push) Successful in 3m1s Details	2023-11-19 03:09:42 +01:00
Paul Brinkmeier	e61a07f8d3	Add ionos-dyndns module for the NixOS config	2023-11-19 03:05:31 +01:00
Paul Brinkmeier	ea38d94178	Add runtime dependencies to ionos-dyndns package	2023-11-19 03:04:52 +01:00
Paul Brinkmeier	81771725d0	Add agenix secrets for IONOS dyndns	2023-11-19 03:04:01 +01:00
Paul Brinkmeier	06345cd04c	Add agenix to dev flake	2023-11-19 02:59:34 +01:00