colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

port ddns-he to sops secret

Browse Source
This commit is contained in:
Colin
2022-06-08 14:32:16 -07:00
parent 364f76b59e
commit bc9450a0fa
3 changed files with 17 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
machines/uninsane/services/ddns-he.nix
View File

@@ -1,20 +1,29 @@
{ pkgs, secrets, ... }: { config, pkgs, ... }:
{ {
systemd.services.ddns-he = { systemd.services.ddns-he = {
description = "update dynamic DNS entries for HurricaneElectric"; description = "update dynamic DNS entries for HurricaneElectric";
serviceConfig = {
EnvironmentFile = config.sops.secrets.ddns_he.path;
# TODO: ProtectSystem = "strict";
# TODO: ProtectHome = "full";
# TODO: PrivateTmp = true;
};
# HE DDNS API is documented: https://dns.he.net/docs.html # HE DDNS API is documented: https://dns.he.net/docs.html
script = let script = let
pass = secrets.ddns-he.password;
crl = "${pkgs.curl}/bin/curl -4"; crl = "${pkgs.curl}/bin/curl -4";
in '' in ''
${crl} "https://he.uninsane.org:${pass}@dyn.dns.he.net/nic/update?hostname=he.uninsane.org" ${crl} "https://he.uninsane.org:$HE_PASSPHRASE@dyn.dns.he.net/nic/update?hostname=he.uninsane.org"
${crl} "https://native.uninsane.org:${pass}@dyn.dns.he.net/nic/update?hostname=native.uninsane.org" ${crl} "https://native.uninsane.org:$HE_PASSPHRASE@dyn.dns.he.net/nic/update?hostname=native.uninsane.org"
${crl} "https://uninsane.org:${pass}@dyn.dns.he.net/nic/update?hostname=uninsane.org" ${crl} "https://uninsane.org:$HE_PASSPHRASE@dyn.dns.he.net/nic/update?hostname=uninsane.org"
''; '';
}; };
systemd.timers.ddns-he.timerConfig = { systemd.timers.ddns-he.timerConfig = {
OnStartupSec = "2min"; OnStartupSec = "2min";
OnUnitActiveSec = "10min"; OnUnitActiveSec = "10min";
}; };
sops.secrets."ddns_he" = {
sopsFile = ../../../secrets/uninsane.yaml;
};
} }

2
secrets/default.nix
View File

@@ -1,6 +1,4 @@
{ {
ddns-he.password = "<REPLACEME>";
# to generate: # to generate:
# wg genkey > wg0.private # wg genkey > wg0.private
# wg pubkey < wg0.private > wg0.public # wg pubkey < wg0.private > wg0.public

5
secrets/uninsane.yaml
View File

@@ -4,6 +4,7 @@
#ENC[AES256_GCM,data:mfjzNHS72mmkebXz8tqrBpiVbHLWG7RTFfPTsLphoc3E5jz/NOQLQ0q76pJLDXlZQ+BIc5TE2RqDH649opWAAiM/hd2QFr8=,iv:0bjh5bWwcYS2FLUr3O9Moh1YJW+Id1a2cEkkH98maMs=,tag:0r61r+/kpGHbK0ttVCPhow==,type:comment] #ENC[AES256_GCM,data:mfjzNHS72mmkebXz8tqrBpiVbHLWG7RTFfPTsLphoc3E5jz/NOQLQ0q76pJLDXlZQ+BIc5TE2RqDH649opWAAiM/hd2QFr8=,iv:0bjh5bWwcYS2FLUr3O9Moh1YJW+Id1a2cEkkH98maMs=,tag:0r61r+/kpGHbK0ttVCPhow==,type:comment]
#ENC[AES256_GCM,data:l5E8Ji9v6shdOjDsg+pvRmSgWz7Spbq1s4lO01WUSaGzmfJdr/nnVrIE6gQNImTKfW8McqY4ZHTFTUSZ5Fs8BkjpSQ+9N1OIJl7wmg6G168zSL2hgQtpM4DbECQNgfjCJxAG9TN/2wnQkhN0f5Lrqw==,iv:HyfnJKJQABwMj7X7fQxVcakBs1PBpWVWlr6PyVn1EvY=,tag:84aMXP8kCGVksYpw389klg==,type:comment] #ENC[AES256_GCM,data:l5E8Ji9v6shdOjDsg+pvRmSgWz7Spbq1s4lO01WUSaGzmfJdr/nnVrIE6gQNImTKfW8McqY4ZHTFTUSZ5Fs8BkjpSQ+9N1OIJl7wmg6G168zSL2hgQtpM4DbECQNgfjCJxAG9TN/2wnQkhN0f5Lrqw==,iv:HyfnJKJQABwMj7X7fQxVcakBs1PBpWVWlr6PyVn1EvY=,tag:84aMXP8kCGVksYpw389klg==,type:comment]
duplicity_passphrase: ENC[AES256_GCM,data:WAQE+xhfRg+4N9Q1P9U8Lt7sVwpcEZFPJzyHIA+FIcCcZZhv+QmvCT/eTRtAOIFvII5l9f0A4GRnSEagalyaZgTgq7t8qOhvvB+s8cIj7prM1psnKstpx3+BxsinGOsZcPqbBxph9gdGuIVP3qH7pYAT+6GMPLnxW21s0r26mZFZM8Mu15VGyuvTz2Pknw==,iv:hu+6w6TWQensA4y5wBz1vPgw8YlBk5TuxEm2rRjV6Ao=,tag:UJ2joJZNxr/+O5y0dx6q9g==,type:str] duplicity_passphrase: ENC[AES256_GCM,data:WAQE+xhfRg+4N9Q1P9U8Lt7sVwpcEZFPJzyHIA+FIcCcZZhv+QmvCT/eTRtAOIFvII5l9f0A4GRnSEagalyaZgTgq7t8qOhvvB+s8cIj7prM1psnKstpx3+BxsinGOsZcPqbBxph9gdGuIVP3qH7pYAT+6GMPLnxW21s0r26mZFZM8Mu15VGyuvTz2Pknw==,iv:hu+6w6TWQensA4y5wBz1vPgw8YlBk5TuxEm2rRjV6Ao=,tag:UJ2joJZNxr/+O5y0dx6q9g==,type:str]
ddns_he: ENC[AES256_GCM,data:zAKbEAIMIsENUctG9bNAAjAty6g+w3QW5VM=,iv:ncIjblXnTiU3TQcHJutz9lCl0wBdWs+FybY0sZcnaH0=,tag:7O6EIob2/if1fcVDVEkVzQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@@ -37,8 +38,8 @@ sops:
U0ZlOUljcE9BL1lhcmIrVVl6eFdTUmMKBHmv96FmkL/oQw9//ATfem6HtORRjcce U0ZlOUljcE9BL1lhcmIrVVl6eFdTUmMKBHmv96FmkL/oQw9//ATfem6HtORRjcce
xJNwnsdrEqrBS3sG6xDkmJYOjaFrg1pwxYZRG87zeLShgkXkMNvz2A== xJNwnsdrEqrBS3sG6xDkmJYOjaFrg1pwxYZRG87zeLShgkXkMNvz2A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2022-06-07T09:30:04Z" lastmodified: "2022-06-08T21:27:38Z"
mac: ENC[AES256_GCM,data:B/Tsq5YNrLd7MziJASlv0urTOJRKn8LHvRZFK/2qJBDrbHODQMVzQL35Yw4AtdQSDYcFm4RxQzqQ2mVRabb2Np0Duft8bH3v3EhknP2Jokx+lzmo878UFzumu2BP7lMnNeeYL6vIMVqPmhOl1RIwlvLvczKEpzW/hUHIvsWGsis=,iv:+eWHnG2ijszBiROJuEhbdEtc0Vy026Bmf1Tj45fBy7g=,tag:MCQAQm132fBH8kh/wpf9fQ==,type:str] mac: ENC[AES256_GCM,data:p0f7zHU5u+1n38eUQ7YxyivM2PhUG508CxS8ImPC1XRpJ8TIRH7OaGxoUL43UqIGNeO76upjp7XgZ5LNyTXTD3uluaMB0szPBwpxn5EOvL5Zt+MY/lxmuLFS2QBUmS3j/Z5AiDk0G+JaRoWCSzjuNF/udxBnrQ8dI22I88/JvOc=,iv:JEV661y2gHbyh9W3HzeYK7Crbhja6Dos/1l+lmyRs+4=,tag:/7D69dm4UkNVuklVA4KmPA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.7.3 version: 3.7.3