Fix ionos-dyndns timer interval

systemd uses min, not m for minutes.
Remove unused leftover variable
2023-11-20 21:45:13 +01:00 · 2023-11-19 03:38:50 +01:00 · 2023-11-19 03:09:42 +01:00 · 2023-11-19 03:05:31 +01:00 · 2023-11-19 03:04:52 +01:00 · 2023-11-19 03:04:01 +01:00
16 changed files with 582 additions and 2 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,47 @@
 {
  "nodes": {
    "agenix": {
      "inputs": {
        "darwin": "darwin",
        "home-manager": "home-manager",
        "nixpkgs": "nixpkgs"
      },
      "locked": {
        "lastModified": 1696775529,
        "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
        "owner": "ryantm",
        "repo": "agenix",
        "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4",
        "type": "github"
      },
      "original": {
        "owner": "ryantm",
        "repo": "agenix",
        "type": "github"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1673295039,
        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
        "owner": "lnl7",
        "repo": "nix-darwin",
        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
        "type": "github"
      },
      "original": {
        "owner": "lnl7",
        "ref": "master",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems"
@ -18,7 +60,44 @@
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
          "agenix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1682203081,
        "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1677676435,
        "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1686259070,
        "narHash": "sha256-bJ2TqJHMdU27o3+AlYzsDooUzneFHwvK5LaRv5JYit4=",
@ -35,8 +114,9 @@
    },
    "root": {
      "inputs": {
        "agenix": "agenix",
        "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs_2"
      }
    },
    "systems": {
--- a/flake.nix
+++ b/flake.nix
@ -5,9 +5,10 @@
    # lib
    nixpkgs.url = github:nixos/nixpkgs;
    flake-utils.url = github:numtide/flake-utils;
    agenix.url = github:ryantm/agenix;
  };
-  outputs = { self, nixpkgs, flake-utils }: flake-utils.lib.eachDefaultSystem (system:
+  outputs = { self, nixpkgs, flake-utils, agenix }: flake-utils.lib.eachDefaultSystem (system:
    let
      pkgs = nixpkgs.legacyPackages.${system};
    in
@ -16,6 +17,7 @@
          buildInputs = [
            pkgs.ansible
            pkgs.ansible-lint
            agenix.packages.${system}.default
          ];
          shellHook = ''
--- a/nix/gilgamesh/README.md
+++ b/nix/gilgamesh/README.md
@ -0,0 +1,12 @@
 # `gilgamesh`
 > Old Thinkpad running a Minecraft server.
 ## TODO
 - Figure out if there's some more powersaving options
 - Add some doc for initial setup
    - Install NixOS according to the official guide
    - Check out this repo, build this `configuration.nix`
    - Afterwards: Just build it locally then deploy
 - Use Flakes, add doc for `./deploy.sh`
--- a/nix/gilgamesh/configuration.nix
+++ b/nix/gilgamesh/configuration.nix
@ -0,0 +1,146 @@
 { config, pkgs, lib, ... }:
 let
  agenix = builtins.fetchTarball {
    url = "https://github.com/ryantm/agenix/archive/daf42cb35b2dc614d1551e37f96406e4c4a2d3e4.tar.gz";
    sha256 = "0gbn01hi8dh7s9rc66yawnmixcasadf20zci4ijzpd143ph492ad";
  };
 in {
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
      "${agenix}/modules/age.nix"
      ../modules/spigot-server.nix
      ../modules/ionos-dyndns.nix
    ];
  # Use the GRUB 2 boot loader.
  boot.loader.grub.enable = true;
  # boot.loader.grub.efiSupport = true;
  # boot.loader.grub.efiInstallAsRemovable = true;
  # boot.loader.efi.efiSysMountPoint = "/boot/efi";
  # Define on which hard drive you want to install Grub.
  boot.loader.grub.device = "/dev/sda";
  networking.hostName = "gilgamesh"; # Define your hostname.
  # Pick only one of the below networking options.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  # networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
  # Set your time zone.
  time.timeZone = "Europe/Berlin";
  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "de-latin1";
  };
  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.paul = {
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMFqREiw3EareYXntIrm1/numKDo113zx1WMOFO69LJ paul"
    ];
    # packages = with pkgs; [];
  };
  # Users in group wheel may sudo without password
  security.sudo.wheelNeedsPassword = false;
  # Users in group wheel are special friends of the Nix daemon
  nix.settings.trusted-users = [
    "@wheel"
  ];
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    vim
    tmux
    bottom
    (pkgs.callPackage ../packages/ionos-dyndns.nix {})
  ];
  # List services that you want to enable:
  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
    };
  };
  # Enable Avahi for mDNS (advertise hostname in LAN)
  services.avahi = {
    enable = true;
    nssmdns = true;
  };
  services.spigot-server = {
    enable = true;
    user = "spigot";
  };
  # Secrets management
  age.secrets = {
    ionos-prefix = {
      file = ../secrets/ionos-prefix.age;
      owner = "ionos-dyndns";
      group = "ionos-dyndns";
    };
    ionos-secret = {
      file = ../secrets/ionos-secret.age;
      owner = "ionos-dyndns";
      group = "ionos-dyndns";
    };
  };
  # DynDNS stuff. IONOS has a (proprietary?) API for this,
  # so we're using a Python script from the interwebs :shrug:
  services.ionos-dyndns = {
    enable = true;
    # Must match the user owning the secrets below. See agenix config
    # above for more details.
    user = "ionos-dyndns";
    apiPrefixPath = config.age.secrets.ionos-prefix.path;
    apiSecretPath = config.age.secrets.ionos-secret.path;
    aaaa = true;
    fqdn = "blocks.beany.club";
    interface = "enp0s25";
  };
  # Open ports in the firewall.
  networking.firewall.allowedTCPPorts = [ 25565 ];
  networking.firewall.allowedUDPPorts = [ 25565 ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;
  # TODO: Backups
  # Practical hardware options
  services.logind.lidSwitch = "ignore";
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
 }
--- a/nix/gilgamesh/deploy.sh
+++ b/nix/gilgamesh/deploy.sh
@ -0,0 +1,3 @@
 #!/usr/bin/env bash
 nixos-rebuild -I nixos-config=configuration.nix --target-host gilgamesh --use-remote-sudo switch
--- a/nix/gilgamesh/hardware-configuration.nix
+++ b/nix/gilgamesh/hardware-configuration.nix
@ -0,0 +1,33 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
 { config, lib, pkgs, modulesPath, ... }:
 {
  imports =
    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "ehci_pci" "ahci" "usb_storage" "sd_mod" "sdhci_pci" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-label/NIXROOT";
      fsType = "ext4";
    };
  swapDevices = [ ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
  # networking.interfaces.enp0s25.useDHCP = lib.mkDefault true;
  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/nix/modules/ionos-dyndns.nix
+++ b/nix/modules/ionos-dyndns.nix
@ -0,0 +1,118 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.services.ionos-dyndns;
  ionos-dyndns = pkgs.callPackage ../packages/ionos-dyndns.nix {};
  command = lib.concatStringsSep " " (
    [
      "${ionos-dyndns}/bin/ionos-dyndns"
      "--api-prefix"
      "$(cat ${cfg.apiPrefixPath})"
      "--api-secret"
      "$(cat ${cfg.apiSecretPath})"
      "--fqdn"
      cfg.fqdn
      "--interface"
      cfg.interface
    ]
    ++ lib.optionals cfg.a [ "--A" ]
    ++ lib.optionals cfg.aaaa [ "--AAAA" ]
  );
 in {
  options = {
    services.ionos-dyndns = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to turn on the IONOS DynDNS timer.
        '';
      };
      user = mkOption {
        type = types.str;
        default = "ionos-dyndns";
      };
      apiPrefixPath = mkOption {
        type = types.path;
        description = ''
          Path of a file holding the API prefix.
        '';
      };
      apiSecretPath = mkOption {
        type = types.path;
        description = ''
          Path of a file holding the API secret.
        '';
      };
      a = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to set the A record (IPv4).
        '';
      };
      aaaa = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to set the AAAA record (IPv6).
        '';
      };
      fqdn = mkOption {
        type = types.str;
        description = ''
          Fully qualified domain name for this host.
        '';
      };
      interface = mkOption {
        type = types.str;
        description = ''
          Interface to get the IP address from.
        '';
      };
      interval = mkOption {
        type = types.str;
        default = "14min";
        description = "How often to run the update script in systemd.timers notation.";
      };
      serviceName = mkOption {
        type = types.str;
        default = "ionos-dyndns";
      };
    };
  };
  config = mkIf cfg.enable {
    users = {
      users = {
        ${cfg.user} = {
          isSystemUser = true;
          group = cfg.user;
          description = "IONOS DynDNS user.";
        };
      };
      groups = {
        ${cfg.user} = {
        };
      };
    };
    systemd = {
      services.${cfg.serviceName} = {
        serviceConfig = {
          Type = "oneshot";
          User = cfg.user;
          # We assume that command doesn't contain any single quotes
          ExecStart = "${pkgs.bash}/bin/bash -c '${command}'";
        };
      };
      timers.${cfg.serviceName} = {
        wantedBy = [ "timers.target" ];
        timerConfig = {
          Unit = "${cfg.serviceName}.service";
          OnBootSec = "30s";
          OnActiveSec = cfg.interval;
        };
      };
    };
  };
 }
--- a/nix/modules/spigot-server.nix
+++ b/nix/modules/spigot-server.nix
@ -0,0 +1,81 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  spigot-server = pkgs.callPackage ../packages/spigot-server.nix {};
  cfg = config.services.spigot-server;
  StateDirectory = "spigot-server";
 in {
  options = {
    services.spigot-server = {
      enable = mkOption {
        type = types.bool;
        default = false;
        description = ''
          Whether to turn on the Spigot Minecraft server.
        '';
      };
      user = mkOption {
        type = types.str;
        default = "spigot-server";
        description = ''
          The user account and group that Spigot runs as.
        '';
      };
    };
  };
  config = mkIf cfg.enable {
    users.users = {
      ${cfg.user} = {
        isSystemUser = true;
        group = cfg.user;
        description = "Spigot Minecraft server user";
      };
    };
    users.groups = {
      ${cfg.user} = {
      };
    };
    systemd = {
      services.spigot-server = {
        description = "Spigot Minecraft server";
        wantedBy = [ "multi-user.target" ];
        after = [ "network.target" ];
        serviceConfig = {
          User = "${cfg.user}";
          Sockets = "spigot-server.socket";
          StandardInput = "socket";
          StandardOutput = "journal";
          StandardError = "journal";
          inherit StateDirectory;
          WorkingDirectory = "/var/lib/${StateDirectory}";
          ExecStart = "${spigot-server}/bin/spigot-server -nogui";
          ExecStop = [
            "${pkgs.bash}/bin/bash -c '${pkgs.coreutils}/bin/echo save-all > /run/spigot-server.stdin'"
            "${pkgs.bash}/bin/bash -c '${pkgs.coreutils}/bin/echo stop > /run/spigot-server.stdin'"
            # Wait for the main process to exit
            # If we don't do this systemd tries to nudge Java to stop, causing a race condition
            # that leads to an ungraceful shutdown
            "${pkgs.coreutils}/bin/echo \"Waiting for \${MAINPID} to exit...\""
            "${pkgs.bash}/bin/bash -c 'while ${pkgs.coreutils}/bin/kill -s 0 $MAINPID 2>/dev/null; do sleep 0.5; done'"
          ];
        };
      };
      sockets.spigot-server = {
        description = "Spigot Minecraft server socket for commands and stuff";
        unitConfig = {
          # Automatically start and stop socket along with the service
          PartOf = "spigot-server.service";
        };
        socketConfig = {
          ListenFIFO = "/run/spigot-server.stdin";
        };
      };
    };
  };
 }
--- a/nix/packages/.gitignore
+++ b/nix/packages/.gitignore
@ -0,0 +1 @@
 spigot-1.20.1.jar
--- a/nix/packages/README.md
+++ b/nix/packages/README.md
@ -0,0 +1,11 @@
 # Packages
 ## `spigot-server`
 In order to build `spigot-server.nix` you'll need a copy of the Spigot JAR.
 For licensing reasons I won't check it into Git.
 Just drop `spigot-${version}.jar` into this folder and change the `version = ` line in `spigot-server.nix` accordingly.
 ## TODO
 - Make some more stuff in `spigot-server.nix` configurable
--- a/nix/packages/ionos-dyndns.nix
+++ b/nix/packages/ionos-dyndns.nix
@ -0,0 +1,37 @@
 {
  fetchFromGitHub,
  lib,
  makeWrapper,
  stdenv,
  # Runtime Dependencies
  python3,
  # grep
  gnugrep,
  # ip
  iproute2,
  # hostname
  hostname
 }:
 let
  pythonWithDeps = python3.withPackages (p: [p.requests]);
 in stdenv.mkDerivation rec {
  pname = "ionos-dyndns";
  # Packaging time, not commit time
  version = "20231118";
  src = fetchFromGitHub {
    owner = "lazaroblanc";
    repo = "IONOS-DynDNS";
    rev = "6c090ab928ce8d6eaa28b09614995b036ad60027";
    hash = "sha256-rabDuKuPvzcMltnCSvc5kDjcDhv7sXxbDLWw3/hdSmk=";
  };
  nativeBuildInputs = [ makeWrapper ];
  buildCommand = ''
    install -Dm755 $src/ionos_dyndns.py $out/lib/ionos_dyndns.py
    makeWrapper ${pythonWithDeps}/bin/python3 $out/bin/ionos-dyndns \
      --set PATH ${lib.makeBinPath [ iproute2 gnugrep hostname ]} \
      --add-flags $out/lib/ionos_dyndns.py
  '';
 }
--- a/nix/packages/spigot-server.nix
+++ b/nix/packages/spigot-server.nix
@ -0,0 +1,26 @@
 {
  makeWrapper,
  stdenv,
  # Runtime Dependencies
  jre
 }:
 let
  # Copied from some forum thread without much thought.
  # Let's see if they work out.
  javaFlags = "-Xmx5G -XX:+UseG1GC -XX:+UnlockExperimentalVMOptions -XX:MaxGCPauseMillis=50 -XX:+DisableExplicitGC -XX:TargetSurvivorRatio=90 -XX:G1NewSizePercent=50 -XX:G1MaxNewSizePercent=80 -XX:InitiatingHeapOccupancyPercent=10 -XX:G1MixedGCLiveThresholdPercent=50";
 in stdenv.mkDerivation rec {
  pname = "spigot-server";
  version = "1.20.1";
  src = ./spigot-${version}.jar;
  nativeBuildInputs = [ makeWrapper ];
  buildCommand = ''
    install -Dm644 $src $out/lib/spigot-${version}.jar
    makeWrapper ${jre}/bin/java $out/bin/spigot-server \
      --argv0 spigot-server \
      --add-flags "${javaFlags}" \
      --add-flags "-jar $out/lib/spigot-${version}.jar"
  '';
 }
--- a/nix/secrets/README.md
+++ b/nix/secrets/README.md
@ -0,0 +1,11 @@
 # secrets
 > Nix configuration secrets managed with [agenix](https://github.com/ryantm/agenix#tutorial).
 Use `nix develop` in the repository root to drop into a shell with `agenix`.
 ## Editing files
 ```
 agenix -e <thingamajig.age>
 ```
--- a/nix/secrets/ionos-prefix.age
+++ b/nix/secrets/ionos-prefix.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 9V3MUQ 7+lohnPlQALVPEGo2LwS2fj5r2RCKaVeEFmi6EYEyCE
 9U6eAthRVd5ry0ej79FEy3oRG3okJTwY6zSN1u68H1o
 -> ssh-ed25519 CcM6/g QQX9SsgKkk8YdUPRKj9Tda8mf6qRJ7ywtP6IIpN9fxo
 3Ml2+1+AQMwr5Lnv84pYOee/s5mzfVdsHRLaUIAKNFk
 -> i)!b3gaJ-grease 7|bwS ?k2JgF E-G 2HI
 0mFbZ22lqvLd
 --- 0+CwYGJlJC7bRbokHSlv+V4JKppBo+/ocfjp2NQBD3Q
 JDv<04>8ě ë<C2A0>¶ÚŤÄ÷8é V/Ă'O”M¸x×é!Č¸TÉA7ÍK5#É8©&•Ř-VqČ&}ů]ráÂ
--- a/nix/secrets/ionos-secret.age
+++ b/nix/secrets/ionos-secret.age
--- a/nix/secrets/secrets.nix
+++ b/nix/secrets/secrets.nix
@ -0,0 +1,10 @@
 let
  # Users
  paul = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMFqREiw3EareYXntIrm1/numKDo113zx1WMOFO69LJ";
  # Systems
  gilgamesh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDmLWYK6/4/Fh+wsoiz9+PCHvNcP2/wu2GvfzrqXCGA";
 in {
  "ionos-prefix.age".publicKeys = [ paul gilgamesh ];
  "ionos-secret.age".publicKeys = [ paul gilgamesh ];
 }
Author	SHA1	Message	Date
Paul Brinkmeier	03c7277692	Fix ionos-dyndns timer interval All checks were successful Check / Lint Ansible Files (push) Successful in 2m29s Details systemd uses min, not m for minutes.	2023-11-20 21:45:13 +01:00
Paul Brinkmeier	de16857570	Remove unused leftover variable	2023-11-19 03:38:50 +01:00
Paul Brinkmeier	f2f12a2688	Add agenix, spigot-server and ionos-dyndns to gilgamesh config All checks were successful Check / Lint Ansible Files (push) Successful in 3m1s Details	2023-11-19 03:09:42 +01:00
Paul Brinkmeier	e61a07f8d3	Add ionos-dyndns module for the NixOS config	2023-11-19 03:05:31 +01:00
Paul Brinkmeier	ea38d94178	Add runtime dependencies to ionos-dyndns package	2023-11-19 03:04:52 +01:00
Paul Brinkmeier	81771725d0	Add agenix secrets for IONOS dyndns	2023-11-19 03:04:01 +01:00
Paul Brinkmeier	06345cd04c	Add agenix to dev flake	2023-11-19 02:59:34 +01:00
Paul Brinkmeier	9b622e6e3e	Number of fixes All checks were successful Check / Lint Ansible Files (push) Successful in 1m40s Details Package IONOS-DynDNS repository Fix spigot-server's ExecStop Enable Firewall but allow port 25565	2023-11-18 13:44:10 +01:00
Paul Brinkmeier	8e0c6266af	Add gilgamesh NixOS config and spigot-server package All checks were successful Check / Lint Ansible Files (push) Successful in 2m18s Details	2023-11-18 05:28:33 +01:00
		`@ -0,0 +1,3 @@`
							`#!/usr/bin/env bash`

							`nixos-rebuild -I nixos-config=configuration.nix --target-host gilgamesh --use-remote-sudo switch`