From 7a0ff48340e221994ba799087cadfb89f5ce0b03 Mon Sep 17 00:00:00 2001
From: truxnell <19149206+truxnell@users.noreply.github.com>
Date: Sun, 17 Mar 2024 13:31:36 +1100
Subject: [PATCH] feat: enable cloudflareddns

---
 .../hosts/common/optional/cloudflare-ddns.nix | 6 ----
 .../common/optional/cloudflare-dyndns.nix | 32 +++++++++++++++++
 .../optional/cloudflare-dyndns.sops.yaml | 34 +++++++++++++++++++
 nixos/hosts/common/optional/maddy.nix | 16 +++++++++
 nixos/hosts/nixosvm/default.nix | 2 ++
 5 files changed, 84 insertions(+), 6 deletions(-)
 delete mode 100644 nixos/hosts/common/optional/cloudflare-ddns.nix
 create mode 100644 nixos/hosts/common/optional/cloudflare-dyndns.nix
 create mode 100644 nixos/hosts/common/optional/cloudflare-dyndns.sops.yaml
 create mode 100644 nixos/hosts/common/optional/maddy.nix

diff --git a/nixos/hosts/common/optional/cloudflare-ddns.nix b/nixos/hosts/common/optional/cloudflare-ddns.nix
deleted file mode 100644
index 15646d4..0000000
--- a/nixos/hosts/common/optional/cloudflare-ddns.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{ inputs, outputs, config, ... }: {
-
- # Cloudflare dynamic dns to keep my DNS records pointed at home
- services.cloudflare-dyndns.enable = true;
-
-}
\ No newline at end of file
diff --git a/nixos/hosts/common/optional/cloudflare-dyndns.nix b/nixos/hosts/common/optional/cloudflare-dyndns.nix
new file mode 100644
index 0000000..4cba325
--- /dev/null
+++ b/nixos/hosts/common/optional/cloudflare-dyndns.nix
@@ -0,0 +1,32 @@
+{ config, lib, ... }: {
+
+ # Current nixpkgs cf-ddns only supports using a env file for the apitoken
+ # but not for domains, which makes them hard to find.
+ # To circumvent this, I put both in the 'apiTokenFile' var
+ # so my secret is:
+
+ # apiTokenFile: |-
+ # CLOUDFLARE_API_TOKEN=derp
+ # CLOUDFLARE_DOMAINS=derp.herp.xyz derp1.herp.xyz
+
+ # init secret
+ config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".sopsFile = ./cloudflare-dyndns.sops.yaml;
+
+ # Restart when secret changes
+ config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".restartUnits = [ "cloudflare-dyndns" ];
+
+
+ # Cloudflare dynamic dns to keep my DNS records pointed at home
+ config.services.cloudflare-dyndns = {
+ enable = true;
+ ipv6 = false;
+ proxied = true;
+ apiTokenFile = config.sops.secrets."system/networking/cloudflare-dyndns/apiTokenFile".path;
+ domains = [ ];
+ };
+
+}
+
+
+
+
diff --git a/nixos/hosts/common/optional/cloudflare-dyndns.sops.yaml b/nixos/hosts/common/optional/cloudflare-dyndns.sops.yaml
new file mode 100644
index 0000000..591acb9
--- /dev/null
+++ b/nixos/hosts/common/optional/cloudflare-dyndns.sops.yaml
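Review bot: `domains = [ ]` together with the domain list smuggled into `apiTokenFile` only works because systemd lets `EnvironmentFile=` override values set via `Environment=`, which is presumably how the nixpkgs module passes `domains` through; if the module ever hands domains to the binary another way (flags, a separate file), the updater would silently manage no records, and nothing at eval time would catch it. Say so at the option itself so the empty list does not read as a mistake: `domains = [ ]; # intentionally empty: CLOUDFLARE_DOMAINS is supplied via apiTokenFile (EnvironmentFile= overrides Environment=)`. Since that env file carries a bearer credential for whatever the token permits, it is also worth recording the expected blast radius above the `sopsFile` line, e.g. `# token must be a scoped API token (Zone:DNS:Edit on this zone only), not a global API key`. The four trailing blank lines after the closing `}` are whitespace noise.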
@@ -0,0 +1,34 @@ +system: + networking: + #ENC[AES256_GCM,data:mU+kgvyXcQOPDFGWPVRboq7tCov3OW4qJwm97luuX3aHpjaRI8A4lDoYh02TNqALbl8NHZQgftPVub6jIe7YMjF9WA9IubQLcGLfmg==,iv:vIpxXv16H+qQ4SEZ1B5JHcsmR1CDHWB5Snc6gtTNF5Q=,tag:+556McyfqNS22DQzMLvUWQ==,type:comment] + cloudflare-dyndns: + apiTokenFile: ENC[AES256_GCM,data:FNN3ljYlryQva4ZiQZW62n34Oy9vVN75LYbtEvMpxDgi5uD+hb7TCLSLQenHspY7li/OMLVfg1TWKBoWbqqXaG01WdcqFZxu0bMN0iweDXpLRhYam0nzB/NRwx5qE1tkF74j+uF4Po78WQqH3wFcHDTGKg==,iv:OzRyWTR/JTfXqYVI+cFzMOdvtqSYr3Q7bIY/Rg4CR2A=,tag:uVF26IMjKAJQOFVFXerW0A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1d3qtnwd73k0npgwhqwpwysdpqa2zyyjyyzs463f5rak9swmw45gsxdyjyn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvcjFtSXBpYi9CaFJDaXlk + cjFGS1kvdWhneXV5YmZQdFRyN1ZXbmJ1V2k4CkNkcWtEdnFsV3dkbEtZU2huaG5u + YWVKelhzL3lMOVJzcTNYWmk5VGJKaGsKLS0tIHhERHl2Zis1RHdaTnQ5ZXJJUUFJ + NlU4d0xqZSs2bHliWEdGUUorTnFQTmcKXxNOvzEMnC2vxPewwWvsgR9Tm29auBU4 + YjH1UrVzAmETPcKyZg83EEt2iDmkKLevez5Swy7ezgci85kTXOn4sg== + -----END AGE ENCRYPTED FILE----- + - recipient: age16mwx76r29pa9lnmagujw9adxrpujxmxu38hjfastf6pgw6v66gjs5ugewz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzcVA4M01nL3pvOERERFkx + K0ptYnBDN1RaTGNnSm9Pc2dSVEx5Y0RyYVJZCm15RUp5ajd5SzJrZitneGJ1VEc5 + bEJHMDFtSTYxUHk1MGNtYThTQ2FnZUkKLS0tIGJRVUU0UnlpRWhvSjJlanc1R3lZ + cEZkRTdDTlV6LytXYkNRVnNnbWRDSEEKhr3E8RmBLjDkC1F74pvsnutVvWAIp61q + HtLLHnZdRb40xDO4fnCi04CN57L3VMlFPaL1Xp3t/jHq1jcMjYr1+w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-17T02:30:32Z" + mac: ENC[AES256_GCM,data:dc/i4ORaMyS3oBHrEiDk/ccXZpa89UizyaW+4gkxVKq0uUBAiOK7fqNrJ4QLV9huq89xxuguvu49PHUYlw3pqTMEtMGuxw18FC7nSdfUt/fTyXoZJTMz1WrzkpEDwigNh/rWJ3Pj7vgsPmhl6tYvxJ33XfK1qQbcb2FhfPSBlvE=,iv:LyNAjRYyU18akw1a9j731crbo3jwH0qPAtVFUKKAKHk=,tag:nE8/m9/t93msfibHFA+tcw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 
diff --git a/nixos/hosts/common/optional/maddy.nix b/nixos/hosts/common/optional/maddy.nix
new file mode 100644
index 0000000..dc6c309
--- /dev/null
+++ b/nixos/hosts/common/optional/maddy.nix
@@ -0,0 +1,16 @@
+{ inputs, outputs, config, ... }: {
+
+ # init secret
+ config.sops.secrets."system/networking/dcloudflare-dyndns/apiTokenFile".sopsFile = ./cloudflare-dyndns.sops.yaml;
+ config.sops.secrets."system/networking/dcloudflare-dyndns/domains".sopsFile = ./cloudflare-dyndns.sops.yaml;
+
+ # Cloudflare dynamic dns to keep my DNS records pointed at home
+ services.maddy = {
+ enable = true;
+ ipv6 = false;
+ proxied = true;
+ apiTokenFile = config.secret.sops."system/networking/dcloudflare-dyndns/apiTokenFile".path;
+ domains = config.secret.sops."system/networking/dcloudflare-dyndns/domains".path;
+ };
+
+}
diff --git a/nixos/hosts/nixosvm/default.nix b/nixos/hosts/nixosvm/default.nix
index e062ff2..d99683d 100644
--- a/nixos/hosts/nixosvm/default.nix
+++ b/nixos/hosts/nixosvm/default.nix
@@ -21,6 +21,8 @@
 ../common/optional/editors/vscode
 ../common/optional/firefox.nix
 ../common/optional/sops-nix.nix
+ ../common/optional/cloudflare-dyndns.nix
+
 ];
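Review bot: `services.maddy` in maddy.nix is given `ipv6`, `proxied`, `apiTokenFile` and a path-valued `domains`, which are the cloudflare-dyndns options, not maddy's (the nixpkgs maddy module is a mail server), so the file looks like an unedited copy of cloudflare-dyndns.nix and would fail evaluation if it were ever imported. The secret names use `dcloudflare-dyndns` (stray `d`) and a `domains` key that the accompanying sops file does not define, and `config.secret.sops` should be `config.sops.secrets`. Mixing a top-level `config.sops.secrets…` assignment with a bare `services.maddy` attribute in the same module is also an error as far as I can tell, since once `config` appears at the top level the module system rejects other unknown top-level attributes. Nothing in this commit imports the file (nixosvm/default.nix only adds cloudflare-dyndns.nix), so the simplest fix is to drop it from the commit, or reduce it to a genuine `services.maddy` configuration with its own secret entries.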