Fix ionos-dyndns timer interval

systemd uses min, not m for minutes.

flake.lock

@@ -1,5 +1,47 @@
 {
   "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1696775529,
+        "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1673295039,
+        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
     "flake-utils": {
       "inputs": {
         "systems": "systems"
@@ -18,7 +60,44 @@
         "type": "github"
       }
     },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1682203081,
+        "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
+      "locked": {
+        "lastModified": 1677676435,
+        "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
       "locked": {
         "lastModified": 1686259070,
         "narHash": "sha256-bJ2TqJHMdU27o3+AlYzsDooUzneFHwvK5LaRv5JYit4=",
@@ -35,8 +114,9 @@
     },
     "root": {
       "inputs": {
+        "agenix": "agenix",
         "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs_2"
       }
     },
     "systems": {

flake.nix

@@ -5,9 +5,10 @@
     # lib
     nixpkgs.url = github:nixos/nixpkgs;
     flake-utils.url = github:numtide/flake-utils;
+    agenix.url = github:ryantm/agenix;
   };
 
-  outputs = { self, nixpkgs, flake-utils }: flake-utils.lib.eachDefaultSystem (system:
+  outputs = { self, nixpkgs, flake-utils, agenix }: flake-utils.lib.eachDefaultSystem (system:
     let
       pkgs = nixpkgs.legacyPackages.${system};
     in
@@ -16,6 +17,7 @@
           buildInputs = [
             pkgs.ansible
             pkgs.ansible-lint
+            agenix.packages.${system}.default
           ];
 
           shellHook = ''

nix/gilgamesh/README.md

@@ -0,0 +1,12 @@
+# `gilgamesh`
+
+> Old Thinkpad running a Minecraft server.
+
+## TODO
+
+- Figure out if there's some more powersaving options
+- Add some doc for initial setup
+    - Install NixOS according to the official guide
+    - Check out this repo, build this `configuration.nix`
+    - Afterwards: Just build it locally then deploy
+- Use Flakes, add doc for `./deploy.sh`

nix/gilgamesh/configuration.nix

@@ -0,0 +1,146 @@
+{ config, pkgs, lib, ... }:
+let
+  agenix = builtins.fetchTarball {
+    url = "https://github.com/ryantm/agenix/archive/daf42cb35b2dc614d1551e37f96406e4c4a2d3e4.tar.gz";
+    sha256 = "0gbn01hi8dh7s9rc66yawnmixcasadf20zci4ijzpd143ph492ad";
+  };
+in {
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      "${agenix}/modules/age.nix"
+      ../modules/spigot-server.nix
+      ../modules/ionos-dyndns.nix
+    ];
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  # boot.loader.grub.efiSupport = true;
+  # boot.loader.grub.efiInstallAsRemovable = true;
+  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+  # Define on which hard drive you want to install Grub.
+  boot.loader.grub.device = "/dev/sda";
+
+  networking.hostName = "gilgamesh"; # Define your hostname.
+  # Pick only one of the below networking options.
+  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+  # networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  # Configure network proxy if necessary
+  # networking.proxy.default = "http://user:password@proxy:port/";
+  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_US.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "de-latin1";
+  };
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.paul = {
+    isNormalUser = true;
+    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMFqREiw3EareYXntIrm1/numKDo113zx1WMOFO69LJ paul"
+    ];
+    # packages = with pkgs; [];
+  };
+
+  # Users in group wheel may sudo without password
+  security.sudo.wheelNeedsPassword = false;
+
+  # Users in group wheel are special friends of the Nix daemon
+  nix.settings.trusted-users = [
+    "@wheel"
+  ];
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    vim
+    tmux
+    bottom
+    (pkgs.callPackage ../packages/ionos-dyndns.nix {})
+  ];
+
+  # List services that you want to enable:
+
+  # Enable the OpenSSH daemon.
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+    };
+  };
+
+  # Enable Avahi for mDNS (advertise hostname in LAN)
+  services.avahi = {
+    enable = true;
+    nssmdns = true;
+  };
+
+  services.spigot-server = {
+    enable = true;
+    user = "spigot";
+  };
+
+  # Secrets management
+  age.secrets = {
+    ionos-prefix = {
+      file = ../secrets/ionos-prefix.age;
+      owner = "ionos-dyndns";
+      group = "ionos-dyndns";
+    };
+    ionos-secret = {
+      file = ../secrets/ionos-secret.age;
+      owner = "ionos-dyndns";
+      group = "ionos-dyndns";
+    };
+  };
+
+  # DynDNS stuff. IONOS has a (proprietary?) API for this,
+  # so we're using a Python script from the interwebs :shrug:
+  services.ionos-dyndns = {
+    enable = true;
+    # Must match the user owning the secrets below. See agenix config
+    # above for more details.
+    user = "ionos-dyndns";
+    apiPrefixPath = config.age.secrets.ionos-prefix.path;
+    apiSecretPath = config.age.secrets.ionos-secret.path;
+    aaaa = true;
+    fqdn = "blocks.beany.club";
+    interface = "enp0s25";
+  };
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [ 25565 ];
+  networking.firewall.allowedUDPPorts = [ 25565 ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # TODO: Backups
+
+  # Practical hardware options
+  services.logind.lidSwitch = "ignore";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  # system.copySystemConfiguration = true;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It's perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05"; # Did you read the comment?
+
+}
+

nix/gilgamesh/deploy.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+nixos-rebuild -I nixos-config=configuration.nix --target-host gilgamesh --use-remote-sudo switch

nix/gilgamesh/hardware-configuration.nix

@@ -0,0 +1,33 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-label/NIXROOT";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s25.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

nix/modules/ionos-dyndns.nix

@@ -0,0 +1,118 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  cfg = config.services.ionos-dyndns;
+  ionos-dyndns = pkgs.callPackage ../packages/ionos-dyndns.nix {};
+
+  command = lib.concatStringsSep " " (
+    [
+      "${ionos-dyndns}/bin/ionos-dyndns"
+      "--api-prefix"
+      "$(cat ${cfg.apiPrefixPath})"
+      "--api-secret"
+      "$(cat ${cfg.apiSecretPath})"
+      "--fqdn"
+      cfg.fqdn
+      "--interface"
+      cfg.interface
+    ]
+    ++ lib.optionals cfg.a [ "--A" ]
+    ++ lib.optionals cfg.aaaa [ "--AAAA" ]
+  );
+in {
+  options = {
+    services.ionos-dyndns = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to turn on the IONOS DynDNS timer.
+        '';
+      };
+      user = mkOption {
+        type = types.str;
+        default = "ionos-dyndns";
+      };
+      apiPrefixPath = mkOption {
+        type = types.path;
+        description = ''
+          Path of a file holding the API prefix.
+        '';
+      };
+      apiSecretPath = mkOption {
+        type = types.path;
+        description = ''
+          Path of a file holding the API secret.
+        '';
+      };
+      a = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to set the A record (IPv4).
+        '';
+      };
+      aaaa = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to set the AAAA record (IPv6).
+        '';
+      };
+      fqdn = mkOption {
+        type = types.str;
+        description = ''
+          Fully qualified domain name for this host.
+        '';
+      };
+      interface = mkOption {
+        type = types.str;
+        description = ''
+          Interface to get the IP address from.
+        '';
+      };
+      interval = mkOption {
+        type = types.str;
+        default = "14min";
+        description = "How often to run the update script in systemd.timers notation.";
+      };
+      serviceName = mkOption {
+        type = types.str;
+        default = "ionos-dyndns";
+      };
+    };
+  };
+  config = mkIf cfg.enable {
+    users = {
+      users = {
+        ${cfg.user} = {
+          isSystemUser = true;
+          group = cfg.user;
+          description = "IONOS DynDNS user.";
+        };
+      };
+      groups = {
+        ${cfg.user} = {
+        };
+      };
+    };
+    systemd = {
+      services.${cfg.serviceName} = {
+        serviceConfig = {
+          Type = "oneshot";
+          User = cfg.user;
+          # We assume that command doesn't contain any single quotes
+          ExecStart = "${pkgs.bash}/bin/bash -c '${command}'";
+        };
+      };
+      timers.${cfg.serviceName} = {
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          Unit = "${cfg.serviceName}.service";
+          OnBootSec = "30s";
+          OnActiveSec = cfg.interval;
+        };
+      };
+    };
+  };
+}

nix/modules/spigot-server.nix

@@ -0,0 +1,81 @@
+{ config, lib, pkgs, ... }:
+with lib;
+let
+  spigot-server = pkgs.callPackage ../packages/spigot-server.nix {};
+  cfg = config.services.spigot-server;
+  StateDirectory = "spigot-server";
+in {
+  options = {
+    services.spigot-server = {
+      enable = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          Whether to turn on the Spigot Minecraft server.
+        '';
+      };
+
+      user = mkOption {
+        type = types.str;
+        default = "spigot-server";
+        description = ''
+          The user account and group that Spigot runs as.
+        '';
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    users.users = {
+      ${cfg.user} = {
+        isSystemUser = true;
+        group = cfg.user;
+        description = "Spigot Minecraft server user";
+      };
+    };
+    users.groups = {
+      ${cfg.user} = {
+      };
+    };
+
+    systemd = {
+      services.spigot-server = {
+        description = "Spigot Minecraft server";
+        wantedBy = [ "multi-user.target" ];
+        after = [ "network.target" ];
+        serviceConfig = {
+          User = "${cfg.user}";
+
+          Sockets = "spigot-server.socket";
+          StandardInput = "socket";
+          StandardOutput = "journal";
+          StandardError = "journal";
+
+          inherit StateDirectory;
+          WorkingDirectory = "/var/lib/${StateDirectory}";
+          ExecStart = "${spigot-server}/bin/spigot-server -nogui";
+          ExecStop = [
+            "${pkgs.bash}/bin/bash -c '${pkgs.coreutils}/bin/echo save-all > /run/spigot-server.stdin'"
+            "${pkgs.bash}/bin/bash -c '${pkgs.coreutils}/bin/echo stop > /run/spigot-server.stdin'"
+            # Wait for the main process to exit
+            # If we don't do this systemd tries to nudge Java to stop, causing a race condition
+            # that leads to an ungraceful shutdown
+            "${pkgs.coreutils}/bin/echo \"Waiting for \${MAINPID} to exit...\""
+            "${pkgs.bash}/bin/bash -c 'while ${pkgs.coreutils}/bin/kill -s 0 $MAINPID 2>/dev/null; do sleep 0.5; done'"
+          ];
+        };
+      };
+
+      sockets.spigot-server = {
+        description = "Spigot Minecraft server socket for commands and stuff";
+        unitConfig = {
+          # Automatically start and stop socket along with the service
+          PartOf = "spigot-server.service";
+        };
+        socketConfig = {
+          ListenFIFO = "/run/spigot-server.stdin";
+        };
+      };
+    };
+  };
+}

nix/packages/.gitignore

@@ -0,0 +1 @@
+spigot-1.20.1.jar

nix/packages/README.md

@@ -0,0 +1,11 @@
+# Packages
+
+## `spigot-server`
+
+In order to build `spigot-server.nix` you'll need a copy of the Spigot JAR.
+For licensing reasons I won't check it into Git.
+Just drop `spigot-${version}.jar` into this folder and change the `version = ` line in `spigot-server.nix` accordingly.
+
+## TODO
+
+- Make some more stuff in `spigot-server.nix` configurable

nix/packages/ionos-dyndns.nix

@@ -0,0 +1,37 @@
+{
+  fetchFromGitHub,
+  lib,
+  makeWrapper,
+  stdenv,
+  # Runtime Dependencies
+  python3,
+  # grep
+  gnugrep,
+  # ip
+  iproute2,
+  # hostname
+  hostname
+}:
+let
+  pythonWithDeps = python3.withPackages (p: [p.requests]);
+in stdenv.mkDerivation rec {
+  pname = "ionos-dyndns";
+  # Packaging time, not commit time
+  version = "20231118";
+  src = fetchFromGitHub {
+    owner = "lazaroblanc";
+    repo = "IONOS-DynDNS";
+    rev = "6c090ab928ce8d6eaa28b09614995b036ad60027";
+    hash = "sha256-rabDuKuPvzcMltnCSvc5kDjcDhv7sXxbDLWw3/hdSmk=";
+  };
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  buildCommand = ''
+    install -Dm755 $src/ionos_dyndns.py $out/lib/ionos_dyndns.py
+
+    makeWrapper ${pythonWithDeps}/bin/python3 $out/bin/ionos-dyndns \
+      --set PATH ${lib.makeBinPath [ iproute2 gnugrep hostname ]} \
+      --add-flags $out/lib/ionos_dyndns.py
+  '';
+}

nix/packages/spigot-server.nix

@@ -0,0 +1,26 @@
+{
+  makeWrapper,
+  stdenv,
+  # Runtime Dependencies
+  jre
+}:
+let
+  # Copied from some forum thread without much thought.
+  # Let's see if they work out.
+  javaFlags = "-Xmx5G -XX:+UseG1GC -XX:+UnlockExperimentalVMOptions -XX:MaxGCPauseMillis=50 -XX:+DisableExplicitGC -XX:TargetSurvivorRatio=90 -XX:G1NewSizePercent=50 -XX:G1MaxNewSizePercent=80 -XX:InitiatingHeapOccupancyPercent=10 -XX:G1MixedGCLiveThresholdPercent=50";
+in stdenv.mkDerivation rec {
+  pname = "spigot-server";
+  version = "1.20.1";
+  src = ./spigot-${version}.jar;
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  buildCommand = ''
+    install -Dm644 $src $out/lib/spigot-${version}.jar
+
+    makeWrapper ${jre}/bin/java $out/bin/spigot-server \
+      --argv0 spigot-server \
+      --add-flags "${javaFlags}" \
+      --add-flags "-jar $out/lib/spigot-${version}.jar"
+  '';
+}

nix/secrets/README.md

@@ -0,0 +1,11 @@
+# secrets
+
+> Nix configuration secrets managed with [agenix](https://github.com/ryantm/agenix#tutorial).
+
+Use `nix develop` in the repository root to drop into a shell with `agenix`.
+
+## Editing files
+
+```
+agenix -e <thingamajig.age>
+```

nix/secrets/ionos-prefix.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 9V3MUQ 7+lohnPlQALVPEGo2LwS2fj5r2RCKaVeEFmi6EYEyCE
+9U6eAthRVd5ry0ej79FEy3oRG3okJTwY6zSN1u68H1o
+-> ssh-ed25519 CcM6/g QQX9SsgKkk8YdUPRKj9Tda8mf6qRJ7ywtP6IIpN9fxo
+3Ml2+1+AQMwr5Lnv84pYOee/s5mzfVdsHRLaUIAKNFk
+-> i)!b3gaJ-grease 7|bwS ?k2JgF E-G 2HI
+0mFbZ22lqvLd
+--- 0+CwYGJlJC7bRbokHSlv+V4JKppBo+/ocfjp2NQBD3Q
+JDv<04>8ě ë<C2A0>¶ÚŤÄ÷8é V/Ă'O”M¸x
×é!ȸTÉA7ÍK5#É8©&•Ř-VqČ&}ů]ráÂ

nix/secrets/secrets.nix

@@ -0,0 +1,10 @@
+let
+  # Users
+  paul = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMFqREiw3EareYXntIrm1/numKDo113zx1WMOFO69LJ";
+
+  # Systems
+  gilgamesh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDmLWYK6/4/Fh+wsoiz9+PCHvNcP2/wu2GvfzrqXCGA";
+in {
+  "ionos-prefix.age".publicKeys = [ paul gilgamesh ];
+  "ionos-secret.age".publicKeys = [ paul gilgamesh ];
+}