{ secrets, pkgs, ... }:
{
  systemd.services.update-dns = {
    serviceConfig.Type = "oneshot";
    description = "Update the leaf.ninja DNS records";
    path = with pkgs; [ curl jq ];
    script = ''
      public_ip=$(curl -s https://ifconfig.me/ip)
      endpoint="https://api.gandi.net/v5/livedns/domains/leaf.ninja/records"
      curl -s \
        -X PUT \
        -H "Authorization: Bearer ${secrets.gandi.token}" \
        -H "Content-Type: application/json" \
        -d "{\"rrset_values\":[\"$public_ip\"]}" \
        "$ENDPOINT/%2A/A" | jq
      curl -s \
        -X PUT \
        -H "Authorization: Bearer ${secrets.gandi.token}" \
        -H "Content-Type: application/json" \
        -d "{\"rrset_values\":[\"$public_ip\"]}" \
        "$ENDPOINT/%40/A" | jq
    '';
  };

  systemd.timers.update-dns = {
    wantedBy = [ "timers.target" ];
    partOf = [ "update-dns.service" ];
    timerConfig = {
      OnBootSec = "15m";
      OnUnitActiveSec = "15m";
      Unit = "update-dns.service";
    };
  };
}